Code Review Request: TLS 1.3 Implementation

Jamil Nimeh jamil.j.nimeh at oracle.com
Sat Jun 9 06:00:34 UTC 2018


Hi Brad, just one follow-up to your CipherSuite comment, please see below.

--Jamil


On 06/08/2018 07:55 PM, Bradford Wetmore wrote:
>
> CipherSuite.java
> ----------------
> 74:  There is a mix of ciphersuite initialization styles, which I find 
> confusing.  In the *_OF_12, you pass the MAC of M_NULL, with H_* being 
> used for PRF/HASH, which is also used for the MAC value for new 
> suites, IIUC.  Would you consider specifying both in the enum 
> constructor rather than M_NULL?
>
>     KeyExchange keyExchange, SSLCipher cipher,
>     MacAlg macAlg, HashAlg hashAlg)
>
> to_12
>             0x0018, false, "SSL_DH_anon_WITH_RC4_128_MD5", "",
>             ProtocolVersion.PROTOCOLS_TO_T12,
>             K_DH_ANON, B_RC4_128, M_MD5, H_SHA256),
>
> of_12
>             0x00A2, true, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "",
>             ProtocolVersion.PROTOCOLS_OF_12,
>             K_DHE_DSS, B_AES_128_GCM, M_NULL, H_SHA256),
> ->
>             K_DHE_DSS, B_AES_128_GCM, H_SHA256, H_SHA256),
These two suites may not be the best comparison, since you have a 
non-AEAD stream cipher up against AES-GCM.  For the latter, I think 
M_MULL in the MacAlg field is the right thing because GCM doesn't have a 
separate HMAC.  The authentication is performed through GHASH.  The only 
place for SHA-256 in this suite is for the PRF, IIUC.  As a second data 
point ChaCha20-Poly1305 suites (when we eventually do them) would also 
use M_NULL for the MacAlg since Poly1305 takes care of the 
authentication internally and SHA-256 is just used with PRF and/or HKDF 
in the TLS 1.3 case.
>
> 124-287:  All of a sudden the indention style changed, and then 
> corrected itself back a little later at the "non-enabled" suites. Can 
> you remove these extra spaces here?
>
> 262:  What is the point of the aliases argument in the constructor?  
> Was the idea to provide a mapping between suites we originally created 
> with the SSL_ prefix vs the more current TLS_ prefix we used in the 
> later TLS protocols?  There is only an empty string in every 
> constructor, so this code doesn't do anything.
>
> 377:  Maybe provide the RFC numbers (e.g. 4346, 5469, 5246, etc) for 
> reference?
>
> 455:  This "other values" info is way out of date.  If anything, I 
> would suggest we simply provide a link at the top of this file to the 
> https (not http) page, and be done with it.
>
> 803/814/824/867:  I'm concerned of the performance impact of 
> repeatedly iterating over 300+ ciphersuite ids/names using values().  
> You should benchmark and see if it makes sense to switch to using a 
> HashMap (or even TreeMap) here.  For the limited number of Protocols 
> (< 10 for TLSv1.x), this approach is fine, but this has quite a bit 
> larger search space.
>
> 840:  Is this else/break needed?
>
> 863:  This @throws is incorrect.  869 returns an emptyList instead of 
> an Exception.
>
> 891:  "...with currently installed providers"?  This wording is 
> strange, since it's all part of the SunJSSE provider.  Can you just 
> say "name unsupported"?
>
> 910:  Can you please add a quick comment as to why/when you want a 
> keyExchange == null.  i.e. TLSv1.3.  It took me a while to figure out 
> when you would ever have a keyExchange==null.
>
> 995:  For readability, you can line this up using a 80 char line.
>
>     K_RSA           ("RSA",            true,  false, NAMED_GROUP_NONE),
>     ...deleted...
>
>
> SSLSessionImpl.java
> -------------------
> 90:  I think we need to revisit this decision, but not now.
>
>
> SSLServerSocketImpl.java
> ------------------------
> 160:  You should allow multiple changes between server to client, and 
> switch enabled protocols/ciphersuites accordingly.
>
>
> SSLConfiguration.java
> ---------------------
> 99:  This is a followup to the comment from last night.  tls13VN is 
> pretty much set, let's get this temporary stuff out of here.
>
> 108:  Should we reverse the two tests here?  Checking for System 
> property and then not checking for a SunTlsExtendedMasterSecret would 
> be a faster option in the false case, vs driving the JCE lookup 
> machinery and then checking whether we'll be using it or not.
>
>
> SSLSocketImpl.java
> ------------------
> 28:  I'm not a fan of unnecessarily expanding the imports. Netbeans 
> has/had a default of 5, but apparently turned it off by default in 
> favor of single class imports.
>
> 76:  Are you set on the name conContext?  I'm still not 100% sure what 
> it stands for.  Alternate transportContext or connectionContext?
>
> 92:  trustNameService could be private and all in caps.
>
> 102-269:  Any chance of combining the commonalities of these different 
> constructors into 1, and then do the constructor-specific things at 
> the end?  It will help with future maintenance to not have to make the 
> same changes in multiple places.
>
> 484:  A couple comments here would be appreciated about what these 
> App* classes do.  The old comments in App[InputStream would be 
> sufficient, plus some of the other comments stripped out inside the 
> class:
>
>      Read data if needed ... notice that the connection guarantees
>      that handshake, alert, and change cipher spec data streams are
>      handled as they arrive, so we never see them here.
>
> Nice job on this refactoring in this class, there was a heck of a lot 
> of cruft in this file after 20+ years.  I am anxious to see how the 
> rest of the code is laid out.
>
>
> TransportContext.java
> ---------------------
> 90:  Any chance of combining these 3 constructors into 1?  Almost 
> identical duplicate code here.
>
> 682-683:  These can be final.
>
>
> Thanks,
>
> Brad
>
>
>
> On 6/8/2018 10:21 AM, Xuelei Fan wrote:
>> Here is the 3rd full webrev:
>>     http://cr.openjdk.java.net/~xuelei/8196584/webrev-full.02
>>
>> and the delta update to the 1st webrev:
>>     http://cr.openjdk.java.net/~xuelei/8196584/webrev-delta.01
>>
>> Xuelei
>>
>> On 6/3/2018 9:43 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Here it the 2nd full webrev:
>>>    http://cr.openjdk.java.net/~xuelei/8196584/webrev-full.01
>>>
>>> and the delta update to the 1st webrev:
>>>    http://cr.openjdk.java.net/~xuelei/8196584/webrev-delta.00/
>>>
>>> Xuelei
>>>
>>> On 5/25/2018 4:45 PM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> I'd like to invite you to review the TLS 1.3 implementation.  I 
>>>> appreciate it if I could have compatibility and specification 
>>>> feedback before May 31, 2018, and implementation feedback before 
>>>> June 7, 2018.
>>>>
>>>> Here is the webrev:
>>>> http://cr.openjdk.java.net/~xuelei/8196584/webrev-full.00
>>>>
>>>> The formal TLS 1.3 specification is not finalized yet, although it 
>>>> had been approved to be a standard.  The implementation is based on 
>>>> the draft version 28:
>>>>      https://tools.ietf.org/html/draft-ietf-tls-tls13-28
>>>>
>>>> For the overall description of this enhancement, please refer to 
>>>> JEP 332:
>>>>      http://openjdk.java.net/jeps/332
>>>>
>>>> For the compatibility and specification update, please refer to CSR 
>>>> 8202625:
>>>>      https://bugs.openjdk.java.net/browse/JDK-8202625
>>>>
>>>> Note that we are using the sandbox for the development right now.  
>>>> For more information, please refer to Bradford's previous email:
>>>>
>>>> http://mail.openjdk.java.net/pipermail/security-dev/2018-May/017139.html 
>>>>
>>>>
>>>> Thanks & Regards,
>>>> Xuelei



More information about the security-dev mailing list