fix: don't fail for 0 blinding delay #4671
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
While working on another PR, I got annoyed that s2nc and s2nd delay before reporting errors. It makes testing things take longer, and doesn't really provide any security value since s2nc and s2nd aren't intended for production use. But when I set their max blinding delay to 0, I got an error:
The problem was that we were trying to generate a random number between 0 and 0, which obviously wasn't going to work. I've fixed that bug.
Call-outs:
If we're worried about customers using s2nc and s2nd in production, I can leave the blinding enabled, or at least add an argument to disable it instead of disabling it by default.
Testing:
Added a unit test. Also, running
s2nc localhost 8000
againsts2nd localhost 8000
now produces a "Certificate untrusted" error instead of the s2n_random safety error.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.