[gnutls-devel] GnuTLS | Workaround for SChannel limitations (!1138)

[Development of GNU's TLS library]

Nikos Mavrogiannopoulos started a new discussion on lib/ext/signature.c: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265170563

>  					&epriv);
>  	priv = epriv;
>  
> +#ifdef ENABLE_GOST
> +	/* Some (all SChannel) clients fail to send proper SigAlgs due to Micro$oft crazyness.
> +	 * Patch the extension for them.

To my understanding you handle few cases below (a) no SignatureAlgorithms extension, (b) SignatureAlgorithms extension present but no GOST algorithms. Are they both behaviors of this server?

For the former wouldn't it make sense to plug on the existing code which sets a default based on SHA1, and set something relevant as default for GOST? On the latter I think a similar fallback logic would be more clear on its purpose.

I think also moving the gost-specific logic outside this function would help keeping it simple (e.g., something like is_gost_sig_present() instead of the whole loop).

We may also keep this code inside a special ifdef so it is clear that it is a "temporary" workaround that can be removed at some point in the future (see TLS13_APPENDIX_D4 for a similar hack).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/1138#note_265170563
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20191226/98e70a4f/attachment.html>