-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Negotiated FFDHE parameters #256
Conversation
Adds the check related to dh_Ys explained in RFC 7919 section 3. Client still accepts any custom group the server chooses.
As precaution bit sizes are slightly larger than minimum described in RFC 7919 appendix A. What is used instead is next multiple of 16.
This is server behavior from RFC 7919 section 4. Now DHE ciphers do not need serverDHEParams when finite-field groups are negotiated.
This may be used: * to reject all custom groups between peers compatible with RFC 7919 * to implement local policy about minimum/maximum group size or other properties
With short exponents this little overhead brings huge benefit when the match is successful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For TLS 1.3, please define/export availableGroups
(availableECGroups ++ availableFFGroups
.
Except that, this PR looks good to me.
Thank you for reviewing, I've added For information in haskell-crypto/cryptonite#204 I put some measurements about the groups we have. |
I have confirmed that my tls13 branch on this works well. So, I have merged this PR. |
After ECDH this is to improve validation in DH key exchange:
When DHE params match a named group, internally module Crypto.IES is used and the
implementation generates short exponents as optimisation.
Unfortunately because of compatibility this means we get 3 sets of APIs with some redundancy: