Open
Bug 1312976
Opened 8 years ago
Updated 11 months ago
Add support for exporters on SHA 384 cipher suites
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
ASSIGNED
People
(Reporter: mt, Assigned: mt)
References
Details
(Whiteboard: [nss-fx])
Attachments
(1 file)
20.28 KB,
patch
We do absolutely the wrong thing for exporting when the PRF hash is SHA-384. See bug 1310061 for details.
Comment 1 (Assignee) • 8 years ago
Bob, we recently discovered that Elio's work on implementing AES-256-GCM and SHA-384 was incomplete. This makes the TLS 1.2 PRF more generic (it takes a hash argument). Can you check that my pk11 code isn't completely bonkers?
Assignee: nobody → martin.thomson
Status: NEW → ASSIGNED
Attachment #8806201 -
Flags: review?(rrelyea)
Comment 2 (Assignee) • 8 years ago
Oh, to be clear here, I am treating mechanisms as requiring ABI compatibility. On that basis, none of the existing mechanisms are usable here. The only one to take a variable hash function also limits the size of its output (to the size of the TLS Finished).
Comment 3 • 8 years ago
If we have problems with the mechanisms as defined, we should submit patches back to the OASIS spec rather than define yet another NSS-specific version.
Comment 4 (Assignee) • 8 years ago
Note that the existing mechanisms I'm talking about are also NSS internal mechanisms.
Comment 5 (Assignee) • 8 years ago
Oh, and I think that we should ask OASIS for help here, but TLS 1.3 is a moving target, and clearly TLS 1.2 never got the proper treatment.
Comment 6 (Assignee) • 8 years ago
OK, this is just a safeguard for the moment. https://hg.mozilla.org/projects/nss/rev/5a2b0e8da4e1b59c64f5bd8b9256116a753aff70
Comment 7 (Assignee) • 8 years ago
Bob, see https://docs.google.com/document/d/1vNkQcZ_yAVtzh1JZPULVqtQbqVYHKWkZf2-WCBHvsv8/edit?usp=sharing
Updated • 7 years ago
Priority: -- → P3
Comment 8 • 6 years ago
Side question: is there any command line tool that can print and/or derive the TLS Exporter values? I don't see anything in the tstclnt help message in 3.39.0...
Comment 9 (Assignee) • 6 years ago
Writing an addition to tstclnt or selfserv (or both) would be relatively straightforward. I would suggest that you open a new bug for that though.
Comment 10 • 6 years ago
(In reply to Martin Thomson [:mt:] from comment #9)
> Writing an addition to tstclnt or selfserv (or both) would be relatively
> straightforward. I would suggest that you open a new bug for that though.

Done, bug 1494063
Updated • 3 years ago
Severity: normal → S4
Whiteboard: [nss-fx]