-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Supporting RSAPSS defined in TLS 1.3 #207
Conversation
Yes this is tricky. I see we don't have much choice regarding HashAlgorithm and SignatureAlgorithm considering the assignments and backward compatibility. However internally I think we should stop using the tuple components individually as much as we can. |
Rebased and pushed -f to make discussion easier. |
I will rebase my TLS 1.3 branch onto this first and will try to understand whether or not the new data type help readability. |
I experimented ideas related to typing in branch ocheron:kxsigalg (without RSA PSS, but that should be easily extensible). The benefits I see are:
My understanding is that such a change would not interfere with TLS 1.3. Could you look into this? |
Also a remark about your PSS code: are you sure RSA blinding is not desirable? |
Since I need to finish another job in this week, I will get back to this issue in the next week. |
OK, take the time you need. |
DSS is defined only for SHA1 and does not need a hash. The data type will be extensible to RSA-PSS variant and EdDSA.
Code needing to decompose the tuple is now centralized, to better cope with an API change or TLS13 assignments.
We have only 3 possibilities for sigAlgExpected, in direct correspondance with cipher key exchange and private/public keys.
I have ported my code onto your I'm now trying to check if modifications are necessary for |
I think I have done. |
I'm glad you like it, and it's good we can use it for credentials too. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly minor items, except default supportedHashSignatures where there is a real choice to be made.
core/Network/TLS/Handshake/Server.hs
Outdated
|
||
-- Check that a candidate cipher with a signature requiring | ||
-- a hash will have at least one hash available. This avoids | ||
-- a failure later in 'decideHash'. | ||
hasSigningRequirements = | ||
case cipherKeyExchange cipher of | ||
CipherKeyExchange_DHE_RSA -> SignatureRSA `elem` possibleSigAlgs | ||
CipherKeyExchange_DHE_RSA -> isJust $ find (RSA `signatureCompatible`) possibleHashSigAlgs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- signatureCompatible can be used for DSS and ECDSA too.
- elemBy is
Data.List.any
core/Network/TLS/Struct.hs
Outdated
-- and cipher key exchange. | ||
data DigitalSignatureAlg = RSA | DSS | ECDSA | Ed25519 | Ed448 | ||
deriving (Show, Eq) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't like DigitalSignatureAlg being defined in module "Struct" as it's internal and not protocol-related. Module "Types" would be better perhaps.
And if possible signatureCompatible should remain in "Handshake.Signature" where signatureParams is also defined (because those two must stay in sync).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does Crypto.Types
make sense?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah. In my old implementation, signatureCompatible
is necessary for the Credential
module which causes cyclic import. But this is not the case anymore. I will try.
core/Network/TLS/Parameters.hs
Outdated
@@ -197,7 +197,8 @@ defaultSupported = Supported | |||
{ supportedVersions = [TLS12,TLS11,TLS10] | |||
, supportedCiphers = [] | |||
, supportedCompressions = [nullCompression] | |||
, supportedHashSignatures = [ (Struct.HashSHA512, SignatureRSA) | |||
, supportedHashSignatures = [ (Struct.HashTLS13, SignatureRSApssSHA256) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ordering is questionable, I think SHA-512 and SHA-384 should still have priority over SignatureRSApssSHA256.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh. This is a mistake. I don't want to modify this module.
I modified this file for local testing. I will revert this.
I did |
Yes |
Thanks. Merged. |
Reading draft-ietf-tls-rfc4492bis, I realize we could rename HashTLS13 to HashIntrinsic (cf. § 5.1.3. The signature_algorithms Extension and EdDSA). Otherwise it will be confusing to apply that to TLS 1.0, 1.1 and 1.2 too. Also I wonder if we chose the best definition to DigitalSignatureAlg if EdDSA applies to ECDHE_ECDSA ciphers. |
Oh, yes! Please rename it.
I have no idea on this. |
OK thanks. I can explore this as I have some code for EdDSA certificates. |
This implements #206.
Since TLS 1.3 flattens the structure of (Hash, Signature) and Hash 0x08 is a magic word for TLS 1.3, implementation is not straightforward and a little bit tricky.