From c7010912d938cb4f410f823abb7c0e8684da68e7 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 28 Mar 2022 09:26:30 +0200
Subject: [PATCH 1/2] ssl: Promote securer algorithms by default
Add RSASSA PSS algorithm default support to TLS-1.2.
Make EDDSA preferred in TLS-1.3
OTP-17565
Also fix a bug: signature_algs_cert should be configurable in TLS-1.2 as well.
The bug was discovered because a negative test case started to succeed when the
default algorithms were changed.
OTP-18014
---
lib/ssl/doc/src/ssl.xml | 40 ++++++++++++++---------
lib/ssl/src/ssl.erl | 2 +-
lib/ssl/src/tls_v1.erl | 57 ++++++++++++++++++++++-----------
lib/ssl/test/ssl_cert_SUITE.erl | 2 +-
4 files changed, 65 insertions(+), 36 deletions(-)
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 1388111ee5..495f4426fa 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -422,7 +422,8 @@
<p>Signature algorithms used for certificates may be overridden by the
<seetype marker="#sign_schemes">signature schemes</seetype> (algorithms) supplied by the <c>signature_algs_cert</c> option.</p>
- <p>TLS-1.2 default is</p>
+ <p>TLS-1.2 default is Default_TLS_12_Alg_Pairs interleaved with rsa_pss_schemes since ssl-11.0 (OTP-25)
+ pss_pss is prefered over pss_rsae that is prefered over rsa</p>
<p><c>Default_TLS_12_Alg_Pairs =</c></p>
<code>[
@@ -439,13 +440,21 @@
{sha, ecdsa},
{sha, rsa},
{sha, dsa}
-]
- </code>
+]</code>
- <p>Support for {md5, rsa} was removed from the TLS-1.2 default in ssl-8.0 (OTP-22) </p>
+<p>Support for {md5, rsa} was removed from the the TLS-1.2 default in ssl-8.0 (OTP-22) </p>
+ <p><c> rsa_pss_schemes =</c></p>
+ <code>
+[rsa_pss_pss_sha512,
+rsa_pss_pss_sha384,
+rsa_pss_pss_sha256,
+rsa_pss_rsae_sha512,
+rsa_pss_rsae_sha384,
+rsa_pss_rsae_sha256]
+ </code>
- <p><c> TLS_13 _Legacy_Schemes =</c></p>
+ <p><c> TLS_13_Legacy_Schemes =</c></p>
<code> [
%% Legacy algorithms only applicable to certificate signatures
rsa_pkcs1_sha512, %% Corresponds to {sha512, rsa}
@@ -458,21 +467,20 @@ rsa_pkcs1_sha1 %% Corresponds to {sha, rsa}
<p><c> Default_TLS_13_Schemes =</c></p>
<code> [
+ %% EDDSA
+eddsa_ed25519,
+eddsa_ed448
+
%% ECDSA
ecdsa_secp521r1_sha512,
ecdsa_secp384r1_sha384,
-ecdsa_secp256r1_sha256,
+ecdsa_secp256r1_sha256] ++
+
%% RSASSA-PSS
-rsa_pss_pss_sha512,
-rsa_pss_pss_sha384,
-rsa_pss_pss_sha256,
-rsa_pss_rsae_sha512,
-rsa_pss_rsae_sha384,
-rsa_pss_rsae_sha256,
-%% EDDSA
-eddsa_ed25519,
-eddsa_ed448]
-</code>
+rsa_pss_schemes()
+ </code>
+
+ <p>EDDSA was made highest priority in ssl-11.0 (OTP-25) </p>
<p>TLS-1.3 default is</p>
<code>Default_TLS_13_Schemes ++ Legacy_TLS_13_Schemes </code>
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index a0217198ae..83e5b5d942 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -2481,7 +2481,7 @@ handle_hashsigns_option(_, _Version) ->
undefined.
handle_signature_algorithms_option(Value, Version) when is_list(Value)
- andalso Version >= {3, 4} ->
+ andalso Version >= {3, 3} ->
case tls_v1:signature_schemes(Version, Value) of
[] ->
throw({error, {options,
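Review bot: The relaxed guard `andalso Version >= {3, 3}` on handle_signature_algorithms_option/2 is the OTP-18014 fix named in the commit message, but nothing at the clause records that TLS-1.2 is now deliberately included, so a later reader may read it as a typo against the `{3, 4}` used in the neighbouring TLS-1.3 code; add `%% signature_algs_cert is honoured from TLS-1.2 ({3,3}) upwards (OTP-18014)` above the clause. If a later clause previously handled list values for `{3,3}` (for instance by returning undefined), it is now shadowed for that version, which is worth confirming against the rest of the function. The function's body continues past the end of the hunk.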
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index 75d994f18c..e036efbe8c 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -869,25 +869,47 @@ signature_algs({3, 3}, HashSigns) ->
default_signature_algs([{3, 4} = Version]) ->
default_signature_schemes(Version) ++ legacy_signature_schemes(Version);
default_signature_algs([{3, 4}, {3,3} | _]) ->
- default_signature_schemes({3,4}) ++ default_signature_algs([{3,3}]);
+ default_signature_schemes({3,4}) ++ default_pre_1_3_signature_algs_only();
default_signature_algs([{3, 3} = Version |_]) ->
- Default = [%% SHA2
- {sha512, ecdsa},
- {sha512, rsa},
- {sha384, ecdsa},
- {sha384, rsa},
- {sha256, ecdsa},
- {sha256, rsa},
- {sha224, ecdsa},
- {sha224, rsa},
- %% SHA
- {sha, ecdsa},
- {sha, rsa},
- {sha, dsa}],
+ Default = [%% SHA2 ++ PSS
+ {sha512, ecdsa},
+ rsa_pss_pss_sha512,
+ rsa_pss_rsae_sha512,
+ {sha512, rsa},
+ {sha384, ecdsa},
+ rsa_pss_pss_sha384,
+ rsa_pss_rsae_sha384,
+ {sha384, rsa},
+ {sha256, ecdsa},
+ rsa_pss_pss_sha256,
+ rsa_pss_rsae_sha256,
+ {sha256, rsa},
+ {sha224, ecdsa},
+ {sha224, rsa},
+ %% SHA
+ {sha, ecdsa},
+ {sha, rsa},
+ {sha, dsa}],
signature_algs(Version, Default);
default_signature_algs(_) ->
undefined.
+default_pre_1_3_signature_algs_only() ->
+ Default = [%% SHA2
+ {sha512, ecdsa},
+ {sha512, rsa},
+ {sha384, ecdsa},
+ {sha384, rsa},
+ {sha256, ecdsa},
+ {sha256, rsa},
+ {sha224, ecdsa},
+ {sha224, rsa},
+ %% SHA
+ {sha, ecdsa},
+ {sha, rsa},
+ {sha, dsa}],
+ signature_algs({3,3}, Default).
+
signature_schemes(Version, [_|_] =SignatureSchemes) when is_tuple(Version)
andalso Version >= {3, 3} ->
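Review bot: The new default_pre_1_3_signature_algs_only/0 repeats the eleven `{Hash, Sign}` pairs that the `{3, 3}` clause of default_signature_algs/1 also lists, so the two copies can drift apart the next time a pair is added or removed. The tuple-only variant is presumably needed because default_signature_schemes({3,4}) already contains the rsa_pss_* schemes and the joined list should not carry them twice; that intent is not written down either. Keeping a single list and deriving the tuple-only form with a comprehension removes the duplication and lets the comment state the reason once. The rewrite also relies, as the hunk already does, on signature_algs/2 accepting scheme atoms alongside pairs; its body lies outside the hunk, so that should be confirmed.
```erlang
default_signature_algs([{3, 3} = Version |_]) ->
    signature_algs(Version, default_tls_12_algs());
default_signature_algs(_) ->
    undefined.

%% Used when TLS-1.3 is offered as well: default_signature_schemes({3,4})
%% already carries the RSASSA-PSS schemes, so only the {Hash, Sign} pairs
%% are contributed here to keep the joined list free of duplicates.
default_pre_1_3_signature_algs_only() ->
    signature_algs({3,3}, [HashSign || {_, _} = HashSign <- default_tls_12_algs()]).

%% Single source for the TLS-1.2 default: SHA2 pairs interleaved with the
%% RSASSA-PSS schemes of the same digest, followed by the SHA1 pairs.
default_tls_12_algs() ->
    [%% SHA2 ++ PSS
     {sha512, ecdsa},
     %% … unchanged: the remaining entries of the hunk's Default list, through {sha, dsa} …
    ].
```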
@@ -957,7 +979,8 @@ signature_schemes(_, _) ->
[].
default_signature_schemes(Version) ->
- Default = [
+ Default = [eddsa_ed25519,
+ eddsa_ed448,
ecdsa_secp521r1_sha512,
ecdsa_secp384r1_sha384,
ecdsa_secp256r1_sha256,
@@ -966,9 +989,7 @@ default_signature_schemes(Version) ->
rsa_pss_pss_sha256,
rsa_pss_rsae_sha512,
rsa_pss_rsae_sha384,
- rsa_pss_rsae_sha256,
- eddsa_ed25519,
- eddsa_ed448
+ rsa_pss_rsae_sha256
],
signature_schemes(Version, Default).
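Review bot: default_signature_schemes/1 now places eddsa_ed25519 and eddsa_ed448 at the head of the list, but the list carries no comment on its preference order, while the documentation hunk states that EdDSA was made highest priority in ssl-11.0 (OTP-25); a reader of the code alone cannot tell the order is deliberate. Add `%% Preference order: EdDSA, then ECDSA, then RSASSA-PSS (EdDSA first since OTP-25)` above `Default = [eddsa_ed25519,`. The reordering spans this hunk and the preceding one, which holds the head of the list.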
diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl
index 6b0b6f5f4d..6918a1bc22 100644
--- a/lib/ssl/test/ssl_cert_SUITE.erl
+++ b/lib/ssl/test/ssl_cert_SUITE.erl
@@ -1121,7 +1121,7 @@ unsupported_sign_algo_cert_client_auth(Config) ->
'tlsv1.3' ->
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required);
_ ->
- ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security)
+ ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, bad_certificate)
end.
%%--------------------------------------------------------------------
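Review bot: The expected alert for pre-1.3 versions in unsupported_sign_algo_cert_client_auth/1 changes from insufficient_security to bad_certificate with no comment explaining why, and the commit message only says the negative test began to succeed, so the next engineer who sees this assertion fail has nothing to tell them which alert is right. Add `%% signature_algs_cert is honoured in TLS-1.2 as well (OTP-18014), so the client certificate is rejected outright` above the `_ ->` branch, adjusting the wording if the alert actually originates elsewhere in the handshake. The function starts before the hunk, so the option setup that drives the alert is not visible here.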
--
2.34.1