Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Selecting a cipher based on "signature_algorithms" #193

Merged
merged 6 commits into from Mar 7, 2017

Conversation

@ocheron
Copy link
Collaborator

ocheron commented Mar 5, 2017

This extends #177 so that the "signature_algorithms" extension impacts cipher selection as discussed in #191.

I added a new test case specific to TLS 1.2 where handshake can either succeed or fail depending on client and server supportedHashSignatures. This could be further extended to test more TLS 1.2 extensions like "supported_groups" when we implement it.

I also added code for DSA certificates, so that the QuickCheck properties can test more combinations.

ocheron added 5 commits Mar 3, 2017
Function credentialCanDecrypt allowed a non-RSA credential when
the certificate did not have a key usage.
Now that signature_algorithms extension is used to sign the
ServerKeyXchg, this creates a possibility that client and
server don't agree on the hash algorithm.  When this happens
a cipher with a different key-exchange should have been
selected.

We now skip ciphers when the key-exchange is not possible
because of this reason.
TLS12 -> let -- Build a list of all signature algorithms with at least
-- one hash algorithm common between client and server.
-- May contain duplicates, as it is only used for `elem`.
sigAlgExt = extensionLookup extensionID_SignatureAlgorithms exts >>= extensionDecode False

This comment has been minimized.

Copy link
@kazu-yamamoto

kazu-yamamoto Mar 6, 2017

Collaborator

The code here is a copy-and-paste.
They should be a function to avoid redundancy.

This comment has been minimized.

Copy link
@ocheron

ocheron Mar 6, 2017

Author Collaborator

Yes you're right. I added that function.

@kazu-yamamoto kazu-yamamoto self-requested a review Mar 7, 2017
Copy link
Collaborator

kazu-yamamoto left a comment

LGTM now.

@kazu-yamamoto kazu-yamamoto merged commit 2be245c into vincenthz:master Mar 7, 2017
1 check passed
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@kazu-yamamoto

This comment has been minimized.

Copy link
Collaborator

kazu-yamamoto commented Mar 7, 2017

I guess that it's time to release a new version.

@ocheron

This comment has been minimized.

Copy link
Collaborator Author

ocheron commented Mar 7, 2017

Thanks. I created two new issues for things we could continue further, but I don't plan to work on them immediately. Anyone can self-assign.

A new release is a good idea, we have already 70 commits since 1.3.9.

@ocheron ocheron deleted the ocheron:sigalg-ctd-new branch Mar 7, 2017
@kazu-yamamoto

This comment has been minimized.

Copy link
Collaborator

kazu-yamamoto commented Mar 8, 2017

@vincenthz Let's release a new version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.