Looks good to me.

Xuelei

> On Aug 16, 2019, at 3:44 PM, Jamil Nimeh <jamil.j.ni...@oracle.com> wrote:
>
> I think that's a good idea. I've made the change.
>
> http://cr.openjdk.java.net/~jnimeh/reviews/8224997/webrev.02/
>
> Thanks for the review,
>
> --Jamil
>
>> On 8/16/19 9:36 AM, Xue-Lei Fan wrote:
>> Good catch!
>>
>> For the engineGetOutputSize() implementation, as the inputLen parameter is
>> an external input, we may want to ensure it is not too big to integer
>> overflow. The Math.addExact() was used to check the overflow issues. What
>> do you think we keep using the Math.addExact() method, at line 1243 and 1314?
>>
>> Otherwise, looks fine to me.
>>
>> Xuelei
>>
>> ----- Original Message -----
>> From: jamil.j.ni...@oracle.com
>> To: security-dev@openjdk.java.net
>> Sent: Monday, August 12, 2019 12:59:32 PM GMT -08:00 US/Canada Pacific
>> Subject: [RFR] JDK-8224997: ChaCha20-Poly1305 TLS cipher suite decryption
>> throws ShortBufferException
>>
>> Hello all,
>>
>> This fix addresses a problem first found by Netty/Jetty when decrypting
>> payloads in excess of ~4096 bytes using one of the ChaCha20-Poly1305
>> cipher suites. The root cause of the issue is not in the TLS code, it
>> is actually an issue with how ChaCha20-Poly1305 was implementing
>> CipherSpi.engineGetOutputSize().
>>
>> The bug was also partially worked around due to changes in CipherSpi
>> from 8181386, but this properly addresses the output buffer sizing.
>>
>> Thanks to Adrian Todt and Bradley Wagner for the Catnip and Jetty
>> support while trying to replicate the issue originally.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8224997
>>
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8224997/webrev.01/
>>
>> --Jamil
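
The overflow concern raised in the review, as an added example that is not part of the thread and is not the JDK's code: a sketch of an output-size calculation for an AEAD cipher with a 16-byte Poly1305 tag, written once with plain `int` addition and once with `Math.addExact()`. The class name, method names and the `buffered` parameter are assumptions made for illustration.

```java
public class OutputSizeSketch {
    // Poly1305 authentication tag length in bytes.
    static final int TAG_LENGTH = 16;

    // Plain int arithmetic: a caller-supplied inputLen close to
    // Integer.MAX_VALUE wraps around and yields a negative "size".
    static int outputSizeUnchecked(int buffered, int inputLen, boolean encrypt) {
        int total = buffered + inputLen;
        return encrypt ? total + TAG_LENGTH : Math.max(0, total - TAG_LENGTH);
    }

    // Math.addExact() throws ArithmeticException instead of wrapping, so a
    // hostile or buggy inputLen cannot produce an undersized buffer estimate.
    static int outputSizeChecked(int buffered, int inputLen, boolean encrypt) {
        if (buffered < 0 || inputLen < 0) {
            throw new IllegalArgumentException("lengths must be non-negative");
        }
        int total = Math.addExact(buffered, inputLen);
        if (encrypt) {
            // Ciphertext is the plaintext length plus the appended tag.
            return Math.addExact(total, TAG_LENGTH);
        }
        // Plaintext is the ciphertext length minus the tag; total is
        // non-negative here, so the subtraction cannot overflow.
        return Math.max(0, total - TAG_LENGTH);
    }

    public static void main(String[] args) {
        int huge = Integer.MAX_VALUE - 8; // constructed hostile input length

        System.out.println("unchecked, huge input: "
                + outputSizeUnchecked(0, huge, true));
        try {
            outputSizeChecked(0, huge, true);
        } catch (ArithmeticException e) {
            System.out.println("checked, huge input: rejected (" + e.getMessage() + ")");
        }

        // Ordinary record sizes are unaffected by the overflow check.
        System.out.println("checked, encrypt 4096: " + outputSizeChecked(0, 4096, true));
        System.out.println("checked, decrypt 4112: " + outputSizeChecked(0, 4112, false));
    }
}
```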