[gnutls-devel] GnuTLS | priority: reflect system wide config when constructing sigalgs (!1447)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Fri Jun 11 15:59:14 CEST 2021




Alexander Sosedkin started a new discussion on tests/system-override-sig-tls.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1447#note_599305535

> +
> +#define PRIO "NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:" \
> +	"+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384"
> +/* rsa_pss_rsae_sha384 */
> +#define SIGALGS_EXP "\x00\x02\x08\x05"
> +
> +static int
> +ext_callback(void *ctx, unsigned tls_id,
> +	     const unsigned char *data, unsigned size)
> +{
> +	if (tls_id == 13) {	/* signature algorithms */
> +		if (size != sizeof(SIGALGS_EXP) - 1) {
> +			fail("invalid signature_algorithms length: %u != 4\n",
> +			     size);
> +		}
> +		if (memcmp(data, SIGALGS_EXP, sizeof(SIGALGS_EXP) - 1) != 0) {
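
Review bot: the comment above SIGALGS_EXP names the expected algorithm but not why only one entry is expected. PRIO enables both SIGN-RSA-PSS-RSAE-SHA256 and SIGN-RSA-PSS-RSAE-SHA384, while the expected bytes are a 2-byte list holding only 0x0805 (rsa_pss_rsae_sha384). Please add a short comment stating which of the two algorithms is supposed to be dropped and by what, so a reader can tell whether the expectation matches the intent. In the size check, the fail() message hard-codes "!= 4" while the comparison uses sizeof(SIGALGS_EXP) - 1. Print the expected length from the same expression so the message cannot go stale if SIGALGS_EXP changes. The extension number 13 in ext_callback would also be clearer as a named constant.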

I'm confused about that part. `insecure-sig = rsa-pss-rsae-sha384` means we should *not* expect `rsa_pss_rsae_sha384` here, which would be more like `memcmp(data, SIGALGS_UNEXP, sizeof(SIGALGS_UNEXP) - 1) == 0`, correct?
