-
-
Notifications
You must be signed in to change notification settings - Fork 179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Correctly implement SSL.getSigAlgs(...) for BoringSSL #412
Conversation
Motivation: While BoringSSL does not support SSL_get_sig_algs(...) we can make use of SSL_get0_peer_verify_algorithms for our use case. Modifications: Use SSL_get0_peer_verify_algorithms when BoringSSL is used and so have a correct implemention there as well (which is needed for ExtendedSSLSession in java). Result: Be able to correctly implement ExtendedSSLSession.getPeerSupportedSignatureAlgorithms() when using BoringSSL.
@davidben FYI... |
may also be interesting for Conscrypt... |
int i; | ||
jobjectArray array; | ||
jstring algString; | ||
const uint16_t *peer_sigalgs; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this need to be freed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ejona86 nope... get0 does not transfer ownership.
for (i = 0; i < num_peer_sigalgs; i++) { | ||
algString = (*e)->NewStringUTF(e, SSL_get_signature_algorithm_name(peer_sigalgs[i], SSL_version(ssl_) != TLS1_2_VERSION)); | ||
if (algString == NULL) { | ||
// something is wrong we should better just return here |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't array
need to be freed here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point... this problem exists in other places as well (as this code was mostly a copy + modify of existing code). I will do a pr shortly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually no it does not need to be freed as it will be handled by the GC:
Motivation: While BoringSSL does not support SSL_get_sig_algs(...) we can make use of SSL_get0_peer_verify_algorithms for our use case. Modifications: Use SSL_get0_peer_verify_algorithms when BoringSSL is used and so have a correct implemention there as well (which is needed for ExtendedSSLSession in java). Result: Be able to correctly implement ExtendedSSLSession.getPeerSupportedSignatureAlgorithms() when using BoringSSL.
Motivation:
While BoringSSL does not support SSL_get_sig_algs(...) we can make use of SSL_get0_peer_verify_algorithms for our use case.
Modifications:
Use SSL_get0_peer_verify_algorithms when BoringSSL is used and so have a correct implemention there as well (which is needed for ExtendedSSLSession in java).
Result:
Be able to correctly implement ExtendedSSLSession.getPeerSupportedSignatureAlgorithms() when using BoringSSL.