'Re: RFR: 8169229: RSAClientKeyExchange debug info is incorrect'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openjdk-security-dev
Subject:    Re: RFR: 8169229: RSAClientKeyExchange debug info is incorrect
From:       Xuelei Fan <xuelei.fan () oracle ! com>
Date:       2016-11-09 1:13:49
Message-ID: eda58a09-6c81-372d-2a95-de55e3721b88 () oracle ! com
[Download RAW message or body]

 > http://cr.openjdk.java.net/~wetmore/8169229/webrev.01
Looks fine to me.

Xuelei

On 11/9/2016 7:09 AM, Bradford Wetmore wrote:
> Xuelei/I inadvertently left off security-dev in a later discussion, so
> cc'ing here on some main points.
>
> On 11/4/2016 4:33 PM, Xuelei Fan wrote:
>> As there is a preMaster, may not need the debug-only
>> debugProtocolVersion class field.  It can be extracted from preMaster in
>> the print() implementation.
>
> On 11/6/2016 12:51 AM, Bradford Wetmore wrote:
>> What if it's not extractible?
>
> Xuelei wrote:
>
>> We know the version for the ClientKeyExchange message generation
>> (client side).  For the receiving/server side, no idea about how to
>> get the version.  Maybe, we can just dump "version is not
>> extractable"?
>
> For the client, the clientKeyExchange protocol version field for the
> message is actually set in the KeyGenerator, so
> RSAClientKeyExchange.protocolVersion may or may not be what is sent over
> the wire.  That is: RSAClientKeyExchange.protocolVersion is only a
> guess, and may not be accurate and will confuse any debug analysis.
>
> For the server side, I would expect the same: if it's not extractable we
> could output some currentVersion, but again it's only a guess and would
> confuse things.
>
> So IMHO, we should not look at this.protocolVersion for debug if the
> preMaster is not extractable:
>
>     void print(PrintStream s) throws IOException {
> +       String version = "protocol version not available";
> +
> +       byte[] ba = preMaster.getEncoded();
> +       if (ba != null && ba.length >= 2) {
> +           version = ProtocolVersion.valueOf(ba[0], ba[1]).name;
> +       }
> +
>         s.println("*** ClientKeyExchange, RSA PreMasterSecret, " +
> -                                         protocolVersion);
> +                                         version);
>
> Final update:
>
> https://bugs.openjdk.java.net/browse/JDK-8169229
> http://cr.openjdk.java.net/~wetmore/8169229/webrev.01
>
> I'll run it through JPRT, but I'll mark as noreg-trivial.
>
> Brad
>
>
>>>>>> On 11/5/2016 6:17 AM, Bradford Wetmore wrote:
>>>>>>>
>>>>>>> https://bugs.openjdk.java.net/browse/JDK-8169229
>>>>>>> http://cr.openjdk.java.net/~wetmore/8169229/webrev.00/
>>>>>>>
>>>>>>> Please review this minor bug fix.  Our RSAClientKeyExchange isn't
>>>>>>> properly outputing the RSA PreMasterSecret field.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Brad
>
>
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic