-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Server ECDSA for P-256 #436
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At least, the version ordering in the comment and the code should be the same.
core/Network/TLS/Handshake/Server.hs
Outdated
-- ECDSA keys are tested against supported elliptic curves until TLS12 but | ||
-- not after. With TLS13, the curve is linked to the signature algorithm | ||
-- and client support is tested with signatureCompatible13. | ||
let p | ver > TLS12 = const True |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The comment talks about < TLS12 first but the code handles TLS13 first. I would like to have the same ordering. And I don't know why both let
and where
are used. So, I would like to recommend the following code:
isCredentialAllowed :: Version -> [ExtensionRaw] -> Credential -> Bool
isCredentialAllowed ver exts cred =
pubkey `versionCompatible` ver && satisfiesEcPredicate p pubkey
where (pubkey, _) = credentialPublicPrivateKeys cred
-- ECDSA keys are tested against supported elliptic curves until
-- TLS12 but not after. With TLS13, the curve is linked to the
-- signature algorithm and client support is tested with
-- signatureCompatible13.
p | ver <= TLS12 = case extensionLookup extensionID_NegotiatedGroups exts >>= extensionDecode MsgTClientHello of
Nothing -> const True
Just (NegotiatedGroups sg) -> (`elem` sg)
| otherwise = const True
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed in 280bb81.
I forgot to mention the PR adds client certificates with P-256. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now LGTM.
Merged. |
Thank you for your review. |
With cryptonite-0.27 it's now possible to use the optimized P256 implementation when verifying ECDSA signatures for this curve. I also believe P256 signature generation is safe enough to be enabled on server side.
The PR extends the crypto module with necessary utilities.
Safety checks are present to ensure ECDSA signature is not generated for other curves.
And the handshake code ignores ECDSA credentials that are not for P256.
Server-side behavior for the "elliptic_curves" extension is also added.
And the test suite can finally include ECDSA ciphers.