From 69b89a8985dbf15f32e82f2a446222f3bf5ad06c Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Wed, 3 May 2023 13:38:47 +0200 Subject: ssl: Add signature_algs/2 To make it easier to configure signature algorithms with algorithms that are moved from the default add the API function signature_algs/2 that lists possible values. Also adjust signature algorithms according to TLS-1.3 RFC. That is TLS-1.3 legacy algorithms/schemes names should be used insted of TLS-1.2 algorithms names to be supported in TLS-1.2-TLS-1.3 combination. sha224 is also considered legacy and should not be part of the defaults. --- lib/ssl/doc/src/ssl.xml | 64 +++++++++++++++++++++++++++++++++++---- lib/ssl/src/ssl.erl | 45 ++++++++++++++++++++++++--- lib/ssl/src/tls_v1.erl | 20 ++++++------ lib/ssl/test/ssl_reject_SUITE.erl | 5 ++- lib/ssl/test/tls_api_SUITE.erl | 22 +++++++++++++- 5 files changed, 132 insertions(+), 24 deletions(-) diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 700709ed7a..b4a30a68c8 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -477,12 +477,10 @@ {sha384, ecdsa}, {sha384, rsa}, {sha256, ecdsa}, -{sha256, rsa}, -{sha224, ecdsa}, -{sha224, rsa} +{sha256, rsa} ] -

Support for {md5, rsa} was removed from the the TLS-1.2 default in ssl-8.0 (OTP-22) and support for SHA1 {sha, _} was removed in ssl-11.0 (OTP-26)

+

Support for {md5, rsa} was removed from the the TLS-1.2 default in ssl-8.0 (OTP-22) and support for SHA1 {sha, _} and SHA224 {sha224, _} was removed in ssl-11.0 (OTP-26)

rsa_pss_schemes =

@@ -521,10 +519,10 @@ rsa_pss_schemes()

EDDSA was made highest priority in ssl-10.8 (OTP-25)

TLS-1.3 default is

-Default_TLS_13_Schemes ++ Legacy_TLS_13_Schemes +Default_TLS_13_Schemes

If both TLS-1.3 and TLS-1.2 are supported the default will be

-Default_TLS_13_Schemes ++ Default_TLS_12_Alg_Pairs +Default_TLS_13_Schemes ++ TLS_13_Legacy_Schemes ++ Default_TLS_12_Alg_Pairs (not represented in TLS_13_Legacy_Schemes)

so appropriate algorithms can be chosen for the negotiated version. @@ -2175,6 +2173,60 @@ fun(srp, Username :: binary(), UserState :: term()) -> is useful.

+ + + + Returns a list of signature algorithms/schemes + +

Lists all possible signature algorithms corresponding to + Description that are available. The + exclusive option will exclusively list + algorithms/schemes for that protocol version, whereas the + default and all options lists the combined list to support the + range of protocols from (D)TLS-1.2, the first version to support + configuration of the signature algorithms, to Version.

+ +

Example: + + 1> ssl:signature_algs(default, 'tlsv1.3'). + [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512, + ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256, + rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256, + rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256, + rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256, + {sha512,ecdsa}, + {sha384,ecdsa}, + {sha256,ecdsa}] + + 2>ssl:signature_algs(all, 'tlsv1.3'). + [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512, + ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256, + rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256, + rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256, + rsa_pkcs1_sha512,rsa_pkcs1_sha384,rsa_pkcs1_sha256, + {sha512,ecdsa}, + {sha384,ecdsa}, + {sha256,ecdsa}, + {sha224,ecdsa}, + {sha224,rsa}, + {sha,rsa}, + {sha,dsa}] + + 3> ssl:signature_algs(exclusive, 'tlsv1.3'). + [eddsa_ed25519,eddsa_ed448,ecdsa_secp521r1_sha512, + ecdsa_secp384r1_sha384,ecdsa_secp256r1_sha256, + rsa_pss_pss_sha512,rsa_pss_pss_sha384,rsa_pss_pss_sha256, + rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,rsa_pss_rsae_sha256] +

+ +

Some TLS-1-3 scheme names overlap with TLS-1.2 + algorithm-tuple-pair-names and then TLS-1.3 names will be + used, for example rsa_pkcs1_sha256 instead of + {sha256, rsa} these are legacy algorithms in TLS-1.3 + that apply only to certificate signatures in this version of + the protocol.

 + + diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index c96173e98b..0a1db06804 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -81,6 +81,7 @@ filter_cipher_suites/2, prepend_cipher_suites/2, append_cipher_suites/2, + signature_algs/2, eccs/0, eccs/1, versions/0, @@ -183,12 +184,11 @@ -type hash() :: sha2() | legacy_hash(). % exported --type sha2() :: sha224 | - sha256 | - sha384 | - sha512. +-type sha2() :: sha256 | + sha384 | + sha512. --type legacy_hash() :: sha | md5. +-type legacy_hash() :: sha224 | sha | md5. -type sign_algo() :: rsa | dsa | ecdsa | eddsa. % exported @@ -1105,6 +1105,41 @@ append_cipher_suites(Filters, Suites) -> Deferred = filter_cipher_suites(Suites, Filters), (Suites -- Deferred) ++ Deferred. +%%-------------------------------------------------------------------- +-spec signature_algs(Description, Version) -> [signature_algs()] when + Description :: default | all | exclusive, + Version :: protocol_version(). + +%% Description: Returns possible signature algorithms/schemes +%% for TLS/DTLS version +%%-------------------------------------------------------------------- + +signature_algs(default, 'tlsv1.3') -> + tls_v1:default_signature_algs([tls_record:protocol_version_name('tlsv1.3'), + tls_record:protocol_version_name('tlsv1.2')]); +signature_algs(default, 'tlsv1.2') -> + tls_v1:default_signature_algs([tls_record:protocol_version_name('tlsv1.2')]); +signature_algs(all, 'tlsv1.3') -> + tls_v1:default_signature_algs([tls_record:protocol_version_name('tlsv1.3'), + tls_record:protocol_version_name('tlsv1.2')]) ++ + tls_v1:legacy_signature_algs_pre_13(); +signature_algs(all, 'tlsv1.2') -> + tls_v1:default_signature_algs([tls_record:protocol_version_name('tlsv1.2')]) ++ + tls_v1:legacy_signature_algs_pre_13(); +signature_algs(exclusive, 'tlsv1.3') -> + tls_v1:default_signature_algs([tls_record:protocol_version_name('tlsv1.3')]); +signature_algs(exclusive, 'tlsv1.2') -> + Algs = tls_v1:default_signature_algs([tls_record:protocol_version_name('tlsv1.2')]), + Algs ++ tls_v1:legacy_signature_algs_pre_13(); +signature_algs(Description, 'dtlsv1.2') -> + signature_algs(Description, 'tlsv1.2'); +signature_algs(Description, Version) when Description == default; + Description == all; + Description == exclusive-> + {error, {signature_algs_not_supported_in_protocol_version, Version}}; +signature_algs(Description,_) -> + {error, {badarg, Description}}. + %%-------------------------------------------------------------------- -spec eccs() -> NamedCurves when NamedCurves :: [named_curve()]. diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl index 7404365520..0b5f770aa3 100644 --- a/lib/ssl/src/tls_v1.erl +++ b/lib/ssl/src/tls_v1.erl @@ -55,6 +55,7 @@ oid_to_enum/1, enum_to_oid/1, default_signature_algs/1, + legacy_signature_algs_pre_13/0, signature_algs/2, signature_schemes/2, rsa_schemes/0, @@ -883,9 +884,10 @@ signature_algs(?TLS_1_2, HashSigns) -> lists:reverse(Supported). default_signature_algs([?TLS_1_3]) -> - default_signature_schemes(?TLS_1_3) ++ legacy_signature_schemes(?TLS_1_3); + default_signature_schemes(?TLS_1_3); default_signature_algs([?TLS_1_3, ?TLS_1_2 | _]) -> - default_signature_schemes(?TLS_1_3) ++ default_pre_1_3_signature_algs_only(); + default_signature_schemes(?TLS_1_3) ++ legacy_signature_schemes(?TLS_1_3) + ++ default_pre_1_3_signature_algs_only(); default_signature_algs([?TLS_1_2 = Version |_]) -> Default = [%% SHA2 ++ PSS {sha512, ecdsa}, @@ -899,9 +901,7 @@ default_signature_algs([?TLS_1_2 = Version |_]) -> {sha256, ecdsa}, rsa_pss_pss_sha256, rsa_pss_rsae_sha256, - {sha256, rsa}, - {sha224, ecdsa}, - {sha224, rsa} + {sha256, rsa} ], signature_algs(Version, Default); default_signature_algs(_) -> @@ -910,16 +910,14 @@ default_signature_algs(_) -> default_pre_1_3_signature_algs_only() -> Default = [%% SHA2 {sha512, ecdsa}, - {sha512, rsa}, {sha384, ecdsa}, - {sha384, rsa}, - {sha256, ecdsa}, - {sha256, rsa}, - {sha224, ecdsa}, - {sha224, rsa} + {sha256, ecdsa} ], signature_algs(?TLS_1_2, Default). +legacy_signature_algs_pre_13() -> + [{sha224, ecdsa}, {sha224, rsa}, {sha, rsa}, {sha, dsa}]. + signature_schemes(Version, [_|_] =SignatureSchemes) when is_tuple(Version) andalso ?TLS_GTE(Version, ?TLS_1_2) -> CryptoSupports = crypto:supports(), diff --git a/lib/ssl/test/ssl_reject_SUITE.erl b/lib/ssl/test/ssl_reject_SUITE.erl index cc24ffbcfe..be79e0543b 100644 --- a/lib/ssl/test/ssl_reject_SUITE.erl +++ b/lib/ssl/test/ssl_reject_SUITE.erl @@ -184,9 +184,12 @@ accept_sslv3_record_hello(Config) when is_list(Config) -> Allversions = all_versions(), + AllSigAlgs = ssl:signature_algs(all, 'tlsv1.3'), + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, {from, self()}, - {options, [{versions, Allversions} | ServerOpts]}]), + {options, [{versions, Allversions}, + {signature_algs, AllSigAlgs} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), %% TLS-1.X Hello with SSL-3.0 record version diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl index 405bb74b2d..74b4e76566 100644 --- a/lib/ssl/test/tls_api_SUITE.erl +++ b/lib/ssl/test/tls_api_SUITE.erl @@ -109,7 +109,9 @@ accept_pool/0, accept_pool/1, reuseaddr/0, - reuseaddr/1 + reuseaddr/1, + signature_algs/0, + signature_algs/1 ]). %% Apply export @@ -1306,6 +1308,24 @@ tls_password_badarg(Config) when is_list(Config) -> F(fun() -> ?BADARG_PASSWORD end, {error, closed}, {error, {keyfile,badarg}}). +%%-------------------------------------------------------------------- +signature_algs() -> + [{doc, "Check that listing of signature algorithms for different version and configure combinations"}]. +signature_algs(Config) when is_list(Config) -> + true = [] =/= [Alg || Alg <- ssl:signature_algs(default, 'tlsv1.3'), is_tuple(Alg)], + true = [] == [Alg || Alg <- ssl:signature_algs(exclusive, 'tlsv1.3'), is_tuple(Alg)], + true = ssl:signature_algs(exclusive, 'tlsv1.3') =/= ssl:signature_algs(exclusive, 'tlsv1.2'), + true = length(ssl:signature_algs(defalt, 'tlsv1.2')) < + length(ssl:signature_algs(all, 'tlsv1.2')), + TLS_1_3_All = ssl:signature_algs(all, 'tlsv1.3'), + true = lists:member(rsa_pkcs1_sha512, TLS_1_3_All) andalso (not lists:member({sha512, rsa}, TLS_1_3_All)), + true = lists:member(rsa_pkcs1_sha384, TLS_1_3_All) andalso (not lists:member({sha384, rsa}, TLS_1_3_All)), + true = lists:member(rsa_pkcs1_sha256, TLS_1_3_All) andalso (not lists:member({sha256, rsa}, TLS_1_3_All)), + TLS_1_2_All = ssl:signature_algs(all, 'tlsv1.2'), + true = (not lists:member(rsa_pkcs1_sha512, TLS_1_2_All)) andalso lists:member({sha512, rsa}, TLS_1_2_All), + true = (not lists:member(rsa_pkcs1_sha384, TLS_1_2_All)) andalso lists:member({sha384, rsa}, TLS_1_2_All), + true = (not lists:member(rsa_pkcs1_sha256, TLS_1_2_All)) andalso lists:member({sha256, rsa}, TLS_1_2_All). + %%-------------------------------------------------------------------- %% Internal functions ------------------------------------------------ %%-------------------------------------------------------------------- -- cgit v1.2.1