Correctly implement SSL.getSigAlgs(...) for BoringSSL #412
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Motivation: While BoringSSL does not support SSL_get_sig_algs(...) we can make use of SSL_get0_peer_verify_algorithms for our use case. Modifications: Use SSL_get0_peer_verify_algorithms when BoringSSL is used and so have a correct implemention there as well (which is needed for ExtendedSSLSession in java). Result: Be able to correctly implement ExtendedSSLSession.getPeerSupportedSignatureAlgorithms() when using BoringSSL.
normanmaurer
requested review from
carl-mastrangelo and
ejona86
and removed request for
carl-mastrangelo
|
@davidben FYI... |
|
may also be interesting for Conscrypt... |
ejona86
reviewed
Nov 14, 2018
| int i; | ||
| jobjectArray array; | ||
| jstring algString; | ||
| const uint16_t *peer_sigalgs; |
There was a problem hiding this comment.
@ejona86 nope... get0 does not transfer ownership.
ejona86
approved these changes
Nov 14, 2018
| for (i = 0; i < num_peer_sigalgs; i++) { | ||
| algString = (*e)->NewStringUTF(e, SSL_get_signature_algorithm_name(peer_sigalgs[i], SSL_version(ssl_) != TLS1_2_VERSION)); | ||
| if (algString == NULL) { | ||
| // something is wrong we should better just return here |
There was a problem hiding this comment.
Doesn't array need to be freed here?
There was a problem hiding this comment.
Good point... this problem exists in other places as well (as this code was mostly a copy + modify of existing code). I will do a pr shortly.
There was a problem hiding this comment.
Actually no it does not need to be freed as it will be handled by the GC:
fzakaria
pushed a commit
to fzakaria/netty-tcnative
that referenced
this pull request
Feb 4, 2019
Motivation: While BoringSSL does not support SSL_get_sig_algs(...) we can make use of SSL_get0_peer_verify_algorithms for our use case. Modifications: Use SSL_get0_peer_verify_algorithms when BoringSSL is used and so have a correct implemention there as well (which is needed for ExtendedSSLSession in java). Result: Be able to correctly implement ExtendedSSLSession.getPeerSupportedSignatureAlgorithms() when using BoringSSL.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
While BoringSSL does not support SSL_get_sig_algs(...) we can make use of SSL_get0_peer_verify_algorithms for our use case.
Modifications:
Use SSL_get0_peer_verify_algorithms when BoringSSL is used and so have a correct implemention there as well (which is needed for ExtendedSSLSession in java).
Result:
Be able to correctly implement ExtendedSSLSession.getPeerSupportedSignatureAlgorithms() when using BoringSSL.