Strip leading zeros in DHE premaster secret #201
@kazu-yamamoto I've changed directly |
core/Network/TLS/Crypto/DH.hs
Outdated
where | ||
-- strips leading zeros from the result of DH.getShared, as required | ||
-- for DH(E) premaster secret in SSL/TLS before version 1.3. | ||
stripLeadingZeros (DH.SharedKey sb) = DH.SharedKey (snd $ B.span (== 0) sb) |
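Review bot: the comment above stripLeadingZeros says the stripping is required for DH(E) but not that the ECDHE shared secret must keep its leading zeros; since the helper accepts any DH.SharedKey, a sentence saying it must never be applied on the ECDH path would keep a later refactor from reintroducing the mismatch. Also note that `snd $ B.span (== 0) sb` returns an empty key when every byte of sb is zero, so the caller should either rule that input out before this point or the comment should state that an empty result is possible.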
I think that you should use `dropWhile` instead of `span`.
Ordinarily yes, but here it's `Data.ByteArray` from memory and there is no `dropWhile`.
Ah. OK.
Thank you for your kindness but you don't have to check my |
LGTM.
Strip leading zeros in DHE premaster secret
Merged, thanks for reviewing. I don't plan to look at TLS 1.3 very often, only on occasions. I still have many things to learn on the previous versions. Here the tlswg PR was helpful to understand why there is a difference between DH/ECDH.
This is a replacement for #197, in order to fix DHE without changing ECDHE.
Fixes an infrequent and random `BadRecordMac` failure during handshake, when DHE is selected and the premaster secret begins with a 0x00 byte. It was not visible in the test suite as both server and client code performed the same erroneous computation.
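The failure mode described above, as an added example that is not part of the pull request or the library's own code: two peers that both skip the stripping agree with each other, while a stripping peer derives a different master secret from the same DH exchange. It assumes a toy 127-bit group, constructed private values and randoms, and the TLS 1.2 PRF as one instance of the pre-1.3 key derivation; all names are this example's own.

```python
import hashlib
import hmac

# Toy group constructed for this example: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3
P_LEN = (P.bit_length() + 7) // 8
SERVER_PRIVATE = 0x1F2E3D4C5B6A79880123456789ABCDEF  # constructed sample value


def strip_leading_zeros(z: bytes) -> bytes:
    """Premaster secret form used for DH(E) before TLS 1.3."""
    return z.lstrip(b"\x00")


def tls12_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """TLS 1.2 PRF (P_SHA256) with label "master secret", truncated to 48 bytes."""
    seed = b"master secret" + client_random + server_random
    out, a = b"", seed
    while len(out) < 48:
        a = hmac.new(premaster, a, hashlib.sha256).digest()
        out += hmac.new(premaster, a + seed, hashlib.sha256).digest()
    return out[:48]


def find_leading_zero_exchange(limit: int = 100_000):
    """Try client private values until the fixed-width shared secret starts with 0x00."""
    server_public = pow(G, SERVER_PRIVATE, P)
    for client_private in range(2, limit):
        z = pow(server_public, client_private, P).to_bytes(P_LEN, "big")
        if z[0] == 0:
            return client_private, z
    raise RuntimeError("no leading-zero shared secret found within limit")


def derive_on_both_sides(client_private: int):
    """Return (client unstripped, server unstripped, server stripped) master secrets."""
    cr, sr = bytes(32), bytes([1]) * 32  # constructed handshake randoms
    z_client = pow(pow(G, SERVER_PRIVATE, P), client_private, P).to_bytes(P_LEN, "big")
    z_server = pow(pow(G, client_private, P), SERVER_PRIVATE, P).to_bytes(P_LEN, "big")
    return (tls12_master_secret(z_client, cr, sr),
            tls12_master_secret(z_server, cr, sr),
            tls12_master_secret(strip_leading_zeros(z_server), cr, sr))


if __name__ == "__main__":
    x, z = find_leading_zero_exchange()
    client_raw, server_raw, server_stripped = derive_on_both_sides(x)
    print("shared secret:", z.hex())
    print("both unstripped agree:", client_raw == server_raw)
    print("unstripped vs stripped agree:", client_raw == server_stripped)
```

The mismatch in the last line is what surfaces as a MAC failure on the first protected record, and it only occurs for the fraction of handshakes whose shared secret happens to start with a zero byte.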