Supporting RSAPSS defined in TLS 1.3 #207
Conversation
|
Yes this is tricky. I see we don't have much choice regarding HashAlgorithm and SignatureAlgorithm considering the assignments and backward compatibility. However internally I think we should stop using the tuple components individually as much as we can. |
|
Rebased and pushed -f to make discussion easier. |
|
I will rebase my TLS 1.3 branch onto this first and will try to understand whether or not the new data type help readability. |
|
I experimented ideas related to typing in branch ocheron:kxsigalg (without RSA PSS, but that should be easily extensible). The benefits I see are:
My understanding is that such a change would not interfere with TLS 1.3. Could you look into this? |
|
Also a remark about your PSS code: are you sure RSA blinding is not desirable? |
|
Since I need to finish another job in this week, I will get back to this issue in the next week. |
|
OK, take the time you need. |
DSS is defined only for SHA1 and does not need a hash. The data type will be extensible to RSA-PSS variant and EdDSA.
Code needing to decompose the tuple is now centralized, to better cope with an API change or TLS13 assignments.
We have only 3 possibilities for sigAlgExpected, in direct correspondance with cipher key exchange and private/public keys.
|
I have ported my code onto your I'm now trying to check if modifications are necessary for |
|
I think I have done. |
|
I'm glad you like it, and it's good we can use it for credentials too. |
core/Network/TLS/Handshake/Server.hs
Outdated
|
|
||
| -- Check that a candidate cipher with a signature requiring | ||
| -- a hash will have at least one hash available. This avoids | ||
| -- a failure later in 'decideHash'. | ||
| hasSigningRequirements = | ||
| case cipherKeyExchange cipher of | ||
| CipherKeyExchange_DHE_RSA -> SignatureRSA `elem` possibleSigAlgs | ||
| CipherKeyExchange_DHE_RSA -> isJust $ find (RSA `signatureCompatible`) possibleHashSigAlgs |
There was a problem hiding this comment.
- signatureCompatible can be used for DSS and ECDSA too.
- elemBy is
Data.List.any
core/Network/TLS/Struct.hs
Outdated
| -- and cipher key exchange. | ||
| data DigitalSignatureAlg = RSA | DSS | ECDSA | Ed25519 | Ed448 | ||
| deriving (Show, Eq) | ||
|
|
There was a problem hiding this comment.
I don't like DigitalSignatureAlg being defined in module "Struct" as it's internal and not protocol-related. Module "Types" would be better perhaps.
And if possible signatureCompatible should remain in "Handshake.Signature" where signatureParams is also defined (because those two must stay in sync).
There was a problem hiding this comment.
Does Crypto.Types make sense?
There was a problem hiding this comment.
Ah. In my old implementation, signatureCompatible is necessary for the Credential module which causes cyclic import. But this is not the case anymore. I will try.
core/Network/TLS/Parameters.hs
Outdated
| @@ -197,7 +197,8 @@ defaultSupported = Supported | |||
| { supportedVersions = [TLS12,TLS11,TLS10] | |||
| , supportedCiphers = [] | |||
| , supportedCompressions = [nullCompression] | |||
| , supportedHashSignatures = [ (Struct.HashSHA512, SignatureRSA) | |||
| , supportedHashSignatures = [ (Struct.HashTLS13, SignatureRSApssSHA256) | |||
There was a problem hiding this comment.
Ordering is questionable, I think SHA-512 and SHA-384 should still have priority over SignatureRSApssSHA256.
There was a problem hiding this comment.
Oh. This is a mistake. I don't want to modify this module.
I modified this file for local testing. I will revert this.
|
I did |
|
Yes |
|
Thanks. Merged. |
|
Reading draft-ietf-tls-rfc4492bis, I realize we could rename HashTLS13 to HashIntrinsic (cf. § 5.1.3. The signature_algorithms Extension and EdDSA). Otherwise it will be confusing to apply that to TLS 1.0, 1.1 and 1.2 too. Also I wonder if we chose the best definition to DigitalSignatureAlg if EdDSA applies to ECDHE_ECDSA ciphers. |
Oh, yes! Please rename it.
I have no idea on this. |
|
OK thanks. I can explore this as I have some code for EdDSA certificates. |
This implements #206.
Since TLS 1.3 flattens the structure of (Hash, Signature) and Hash 0x08 is a magic word for TLS 1.3, implementation is not straightforward and a little bit tricky.