Server ECDSA for P-256

[ocheron]

With cryptonite-0.27 it's now possible to use the optimized P256 implementation when verifying ECDSA signatures for this curve. I also believe P256 signature generation is safe enough to be enabled on server side.

The PR extends the crypto module with necessary utilities.
Safety checks are present to ensure ECDSA signature is not generated for other curves.
And the handshake code ignores ECDSA credentials that are not for P256.

Server-side behavior for the "elliptic_curves" extension is also added.

And the test suite can finally include ECDSA ciphers.

[kazu-yamamoto]

At least, the version ordering in the comment and the code should be the same.

[kazu-yamamoto]

The comment talks about < TLS12 first but the code handles TLS13 first. I would like to have the same ordering. And I don't know why both let and where are used. So, I would like to recommend the following code:

isCredentialAllowed :: Version -> [ExtensionRaw] -> Credential -> Bool
isCredentialAllowed ver exts cred =
    pubkey `versionCompatible` ver && satisfiesEcPredicate p pubkey
  where (pubkey, _) = credentialPublicPrivateKeys cred
        -- ECDSA keys are tested against supported elliptic curves until
        -- TLS12 but not after.  With TLS13, the curve is linked to the
        -- signature algorithm and client support is tested with
        -- signatureCompatible13.
        p | ver <= TLS12 = case extensionLookup extensionID_NegotiatedGroups exts >>= extensionDecode MsgTClientHello of
              Nothing                    -> const True
              Just (NegotiatedGroups sg) -> (`elem` sg)
          | otherwise    = const True

[ocheron]

Changed in 280bb81.

[ocheron]

I forgot to mention the PR adds client certificates with P-256.

[kazu-yamamoto]

Now LGTM.

[kazu-yamamoto]

Merged.

[ocheron]

Thank you for your review.