fix: don't fail for 0 blinding delay #4671
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maddeleine
approved these changes
Jul 29, 2024
goatgoose
reviewed
Aug 1, 2024
goatgoose
approved these changes
Aug 2, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
While working on another PR, I got annoyed that s2nc and s2nd delay before reporting errors. It makes testing things take longer, and doesn't really provide any security value since s2nc and s2nd aren't intended for production use. But when I set their max blinding delay to 0, I got an error:
The problem was that we were trying to generate a random number between 0 and 0, which obviously wasn't going to work. I've fixed that bug.
Call-outs:
If we're worried about customers using s2nc and s2nd in production, I can leave the blinding enabled, or at least add an argument to disable it instead of disabling it by default.
Testing:
Added a unit test. Also, running
s2nc localhost 8000againsts2nd localhost 8000now produces a "Certificate untrusted" error instead of the s2n_random safety error.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.