Strict handling of hash/signatures #337

ocheron · 2019-01-20T08:05:50Z

This PR:

Restricts received hash/signatures to make sure the peer selected from what was advertised in the "signature_algorithms" extension.
With TLS13, rejects use of MD5, SHA-1, RSA PKCS#1, DSS as TLS level. This is done regardless of supportedHashSignatures, which may include the algorithms for earlier protocol versions.
Use supportedHashSignatures to send a list of certificate types with TLS12, like was done with TLS13.
Aborts TLS13 without "signature_algorithms" extension (instead of using SHA-1 algorithms as default) but only when CertVerify messages are required.

Related to #194.

kazu-yamamoto

LGTM.

kazu-yamamoto · 2019-01-21T06:19:42Z

Rebased and merged.

ocheron added 9 commits January 18, 2019 19:16

Use same alerts with TLS13 and earlier versions

3feefe8

Better description of credentialMatchesHashSignatures

53cdffc

Decide server credential only when required

94b0cf5

Make "signature_algorithms" extension mandatory for TLS13

c20e550

Replace ByteString with type alias

b585db6

Enforce supportedHashSignatures when verifying

9c100dd

Test TLS13 fallback with EdDSA instead of DSS

a3e7d3e

Reject RSA PKCS#1, DSS, SHA-1, MD5 with TLS13 signatures

2c59a42

Make certificate types dynamic for TLS 1.2 too

49e874f

kazu-yamamoto self-requested a review January 21, 2019 04:22

kazu-yamamoto approved these changes Jan 21, 2019

View reviewed changes

kazu-yamamoto added a commit to kazu-yamamoto/hs-tls that referenced this pull request Jan 21, 2019

Merge PR haskell-tls#337.

4f56155

kazu-yamamoto closed this Jan 21, 2019

ocheron deleted the strict-hashsigs branch January 21, 2019 18:13

Provide feedback