Closed
Bug 1295060
Opened 8 years ago
Closed 8 years ago
Don't pretend signature_algorithms wasn't present when there are no common algorithms
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.28
People
(Reporter: mt, Assigned: mt)
Details
Attachments
(1 file)
10.82 KB,
patch
|
Details | Diff | Splinter Review |
In handling signature algorithms, we decide that when there are no supported signature algorithms that this must mean that there was no extension. That's daft because what really happened is that we didn't have any signature schemes in common. This is server only, or I would suggest that we need some compatibility testing on the browser end.
Assignee | ||
Comment 1•8 years ago
|
||
Bob, if I were to fail the handshake if there were no common signature algorithms (as opposed to assuming the defaults), would this cause Redhat any issues?
Flags: needinfo?(rrelyea)
Comment 2•8 years ago
|
||
Shouldn't we be testing whether the signature algorithms extension was negotiated?
Assignee | ||
Comment 3•8 years ago
|
||
Probably, yes. We currently check the number of signature schemes that we have in common before deciding to use the common ones. The idea of this patch would be to change the defaults check to be based on whether the extension was present.
Assignee | ||
Comment 4•8 years ago
|
||
If signature_algorithms is present, but we don't support any of the schemes that were provided by the client, don't fall back to the defaults.
Assignee: nobody → martin.thomson
Attachment #8782238 -
Flags: superreview?(rrelyea)
Attachment #8782238 -
Flags: review?(ekr)
Comment 5•8 years ago
|
||
Comment on attachment 8782238 [details] [diff] [review] bug1295060-1.patch Review of attachment 8782238 [details] [diff] [review]: ----------------------------------------------------------------- Martin, Can you please produce a test that demonstrates that if SigAlgs is omitted, then you cannot negotiate ECDSA? ::: lib/ssl/ssl3con.c @@ +7055,5 @@ > SECStatus rv; > > + if (!ssl3_ExtensionNegotiated(ss, ssl_signature_algorithms_xtn)) { > + /* The signature_algorithms extension is mandatory if the client expects > + * the server to authenticate with a signature. */ an you fix this comment and put it inside the 1.3block?
Attachment #8782238 -
Flags: review?(ekr)
Assignee | ||
Comment 6•8 years ago
|
||
Statute of limitations has expired. ekr, see https://nss-dev.phacility.com/D18 I realize that this probably messes with your stuff, so I'm happy to rebase on top of the negotiation patch if needed, but the test seems to be valuable. I'm ambivalent regarding the error code.
Flags: needinfo?(rrelyea)
Assignee | ||
Comment 7•8 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/502c53690edf
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.28
Assignee | ||
Comment 8•8 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/449fbc61acf9
Assignee | ||
Updated•8 years ago
|
Attachment #8782238 -
Flags: superreview?(rrelyea)
You need to log in
before you can comment on or make changes to this bug.
Description
•