Open
Bug 1242227
Opened 10 years ago
Updated 3 years ago
Document SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE and SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE better
Categories
(NSS :: Libraries, defect, P2)
NSS
Libraries
Tracking
(firefox46 affected)
NEW
3.23
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | affected |
People
(Reporter: wtc, Unassigned)
Details
Attachments
(2 files)
|
1.25 KB,
patch
|
ekr
:
review+
|
Details | Diff | Splinter Review |
|
1.21 KB,
patch
|
Details | Diff | Splinter Review |
SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE and SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE
are used in both the code that generates a ServerKeyExchange/ClientKeyExchange
and the code that processes a ServerKeyExchange/ClientKeyExchange. Their error
messages should cover both cases.
Also, SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE is incorrectly used in the
getWrappingKey function, which has nothing to do with ClientKeyExchange.
Attachment #8711393 -
Flags: review?(ekr)
|
||
Comment 1•10 years ago
|
||
r+ but I note that this does not change getWrappingKey.
|
|
||
Updated•10 years ago
|
Attachment #8711393 -
Flags: review?(ekr) → review+
|
Reporter | |
Comment 2•10 years ago
|
||
1. Set an error code before returning on failure.
2. getWrappingKey should not use the high-level error code
because it is never used in generating or processing the
ClientKeyExchange message.
Attachment #8711475 -
Flags: review?(ekr)
|
|
Reporter | |
Comment 3•10 years ago
|
||
I missed the actual high-level error code in the previous comment.
The second list item should read:
2. getWrappingKey should not use the high-level error code
SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE because it is never used
in generating or processing the ClientKeyExchange message.
|
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8711475 [details] [diff] [review]
Improve error reporting in ssl_UnwrapSymWrappingKey and getWrappingKey
Review of attachment 8711475 [details] [diff] [review]:
-----------------------------------------------------------------
::: lib/ssl/ssl3con.c
@@ +5723,5 @@
> #endif
>
> default:
> /* Assert? */
> + PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
Per this comment, I think an assert here would make sense.
@@ +5994,1 @@
> goto loser;
BUG? If the call to PK11_PubWrapSymKey() on line 5895 fails, doesn't we end up here with rv == SECFailure, but without having called PORT_SetError()?
Attachment #8711475 -
Flags: review?(ekr)
|
||
Updated•3 years ago
|
Severity: minor → S4
|
||
Comment 5•3 years ago
|
||
The bug assignee is inactive on Bugzilla, and this bug has priority 'P2'.
:beurdouche, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee: wtc → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(bbeurdouche)
|
||
Comment 6•3 years ago
|
||
We have modified the bot to only consider P1 as high priority, so I'm cancelling the needinfo here.
Flags: needinfo?(bbeurdouche)
You need to log in
before you can comment on or make changes to this bug.
Description
•