File 3721-ssl-Promote-securer-algorithms-by-default.patch of Package erlang
From c7010912d938cb4f410f823abb7c0e8684da68e7 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin <ingela@erlang.org> Date: Mon, 28 Mar 2022 09:26:30 +0200 Subject: [PATCH 1/2] ssl: Promote securer algorithms by default Add RSASSA PSS algorithm default support to TLS-1.2. Make EDDSA preferred in TLS-1.3 OTP-17565 Also fix a bug, that is that signature_algs_cert should be configurable also in TLS-1.2. The bug was discovered due to negative test case starting to succeed when default algorithms where changed. OTP-18014 --- lib/ssl/doc/src/ssl.xml | 40 ++++++++++++++--------- lib/ssl/src/ssl.erl | 2 +- lib/ssl/src/tls_v1.erl | 57 ++++++++++++++++++++++----------- lib/ssl/test/ssl_cert_SUITE.erl | 2 +- 4 files changed, 65 insertions(+), 36 deletions(-) diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 1388111ee5..495f4426fa 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -422,7 +422,8 @@ <p>Signature algorithms used for certificates may be overridden by the <seetype marker="#sign_schemes">signature schemes</seetype> (algorithms) supplied by the <c>signature_algs_cert</c> option.</p> - <p>TLS-1.2 default is</p> + <p>TLS-1.2 default is Default_TLS_12_Alg_Pairs interleaved with rsa_pss_schemes since ssl-11.0 (OTP-25) + pss_pss is prefered over pss_rsae that is prefered over rsa</p> <p><c>Default_TLS_12_Alg_Pairs =</c></p> <code>[ 
@@ -439,13 +440,21 @@ {sha, ecdsa}, {sha, rsa}, {sha, dsa} -] - </code> +]</code> - <p>Support for {md5, rsa} was removed from the TLS-1.2 default in ssl-8.0 (OTP-22) </p> +<p>Support for {md5, rsa} was removed from the the TLS-1.2 default in ssl-8.0 (OTP-22) </p> + <p><c> rsa_pss_schemes =</c></p> + <code> +[rsa_pss_pss_sha512, +rsa_pss_pss_sha384, +rsa_pss_pss_sha256, +rsa_pss_rsae_sha512, +rsa_pss_rsae_sha384, +rsa_pss_rsae_sha256] + </code> - <p><c> TLS_13 _Legacy_Schemes =</c></p> + <p><c> TLS_13_Legacy_Schemes =</c></p> <code> [ %% Legacy algorithms only applicable to certificate signatures rsa_pkcs1_sha512, %% Corresponds to {sha512, rsa} @@ -458,21 +467,20 @@ rsa_pkcs1_sha1 %% Corresponds to {sha, rsa} <p><c> Default_TLS_13_Schemes =</c></p> <code> [ + %% EDDSA +eddsa_ed25519, +eddsa_ed448 + %% ECDSA ecdsa_secp521r1_sha512, ecdsa_secp384r1_sha384, -ecdsa_secp256r1_sha256, +ecdsa_secp256r1_sha256] ++ + %% RSASSA-PSS -rsa_pss_pss_sha512, -rsa_pss_pss_sha384, -rsa_pss_pss_sha256, -rsa_pss_rsae_sha512, -rsa_pss_rsae_sha384, -rsa_pss_rsae_sha256, -%% EDDSA -eddsa_ed25519, -eddsa_ed448] -</code> +rsa_pss_schemes() + </code> + + <p>EDDSA was made highest priority in ssl-11.0 (OTP-25) </p> <p>TLS-1.3 default is</p> <code>Default_TLS_13_Schemes ++ Legacy_TLS_13_Schemes </code> diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index a0217198ae..83e5b5d942 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -2481,7 +2481,7 @@ handle_hashsigns_option(_, _Version) -> undefined. handle_signature_algorithms_option(Value, Version) when is_list(Value) - andalso Version >= {3, 4} -> + andalso Version >= {3, 3} -> case tls_v1:signature_schemes(Version, Value) of [] -> throw({error, {options, diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl index 75d994f18c..e036efbe8c 100644 --- a/lib/ssl/src/tls_v1.erl +++ b/lib/ssl/src/tls_v1.erl 
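Review bot: The relaxed guard `Version >= {3, 3}` on handle_signature_algorithms_option/2 relies on Erlang term ordering of version tuples, and nothing beside it says which versions are expected to reach the clause. It now agrees with the guard on tls_v1:signature_schemes/2, but any tuple that sorts above `{3, 3}` also passes, so the clause presumably depends on the caller handing in a version already mapped to its TLS equivalent; the caller is outside the hunk, so that is worth confirming. I would add a comment above the clause, for example `%% signature_algs_cert is honoured from TLS-1.2 ({3,3}) on; Version must be the TLS-equivalent version`. The function body continues past the end of the hunk.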
@@ -869,25 +869,47 @@ signature_algs({3, 3}, HashSigns) -> default_signature_algs([{3, 4} = Version]) -> default_signature_schemes(Version) ++ legacy_signature_schemes(Version); default_signature_algs([{3, 4}, {3,3} | _]) -> - default_signature_schemes({3,4}) ++ default_signature_algs([{3,3}]); + default_signature_schemes({3,4}) ++ default_pre_1_3_signature_algs_only(); default_signature_algs([{3, 3} = Version |_]) -> - Default = [%% SHA2 - {sha512, ecdsa}, - {sha512, rsa}, - {sha384, ecdsa}, - {sha384, rsa}, - {sha256, ecdsa}, - {sha256, rsa}, - {sha224, ecdsa}, - {sha224, rsa}, - %% SHA - {sha, ecdsa}, - {sha, rsa}, - {sha, dsa}], + Default = [%% SHA2 ++ PSS + {sha512, ecdsa}, + rsa_pss_pss_sha512, + rsa_pss_rsae_sha512, + {sha512, rsa}, + {sha384, ecdsa}, + rsa_pss_pss_sha384, + rsa_pss_rsae_sha384, + {sha384, rsa}, + {sha256, ecdsa}, + rsa_pss_pss_sha256, + rsa_pss_rsae_sha256, + {sha256, rsa}, + {sha224, ecdsa}, + {sha224, rsa}, + %% SHA + {sha, ecdsa}, + {sha, rsa}, + {sha, dsa}], signature_algs(Version, Default); default_signature_algs(_) -> undefined. +default_pre_1_3_signature_algs_only() -> + Default = [%% SHA2 + {sha512, ecdsa}, + {sha512, rsa}, + {sha384, ecdsa}, + {sha384, rsa}, + {sha256, ecdsa}, + {sha256, rsa}, + {sha224, ecdsa}, + {sha224, rsa}, + %% SHA + {sha, ecdsa}, + {sha, rsa}, + {sha, dsa}], + signature_algs({3,3}, Default). + signature_schemes(Version, [_|_] =SignatureSchemes) when is_tuple(Version) andalso Version >= {3, 3} -> @@ -957,7 +979,8 @@ signature_schemes(_, _) -> []. default_signature_schemes(Version) -> - Default = [ + Default = [eddsa_ed25519, + eddsa_ed448, ecdsa_secp521r1_sha512, ecdsa_secp384r1_sha384, ecdsa_secp256r1_sha256, @@ -966,9 +989,7 @@ default_signature_schemes(Version) -> rsa_pss_pss_sha256, rsa_pss_rsae_sha512, rsa_pss_rsae_sha384, - rsa_pss_rsae_sha256, - eddsa_ed25519, - eddsa_ed448 + rsa_pss_rsae_sha256 ], signature_schemes(Version, Default). 
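Review bot: The legacy `{Hash, Sign}` list is now written out twice, once interleaved with the rsa_pss_* schemes in `default_signature_algs([{3, 3} = Version |_])` and again in the new default_pre_1_3_signature_algs_only/0. Any later change to the weaker entries (the `{sha, _}` pairs and `{sha224, _}`) therefore has to be made in two places, and missing one would leave them in a default. The helper appears to omit the PSS schemes because `default_signature_schemes({3,4})` already supplies them in the combined clause, but the code does not say so. Consider deriving both defaults from one base list, or at least add a comment above the helper such as `%% TLS-1.2 {Hash, Sign} pairs only; rsa_pss_* come from default_signature_schemes({3,4}) when both versions are offered`.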
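Review bot: The `Default` list in default_signature_schemes/1 has no comment saying that element order is the preference order, although the only change here is moving `eddsa_ed25519` and `eddsa_ed448` from the tail (the following hunk at -966) to the head. The ssl.xml text in this same patch labels the groups `%% EDDSA`, `%% ECDSA` and `%% RSASSA-PSS`. Mirroring those labels in the list and opening it with `%% Most preferred first` would make an accidental reorder visible in review. The list spans this hunk and the next one.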
diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl index 6b0b6f5f4d..6918a1bc22 100644 --- a/lib/ssl/test/ssl_cert_SUITE.erl +++ b/lib/ssl/test/ssl_cert_SUITE.erl @@ -1121,7 +1121,7 @@ unsupported_sign_algo_cert_client_auth(Config) -> 'tlsv1.3' -> ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required); _ -> - ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, insufficient_security) + ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, bad_certificate) end. %%-------------------------------------------------------------------- -- 2.34.1
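Review bot: The `_ ->` branch of unsupported_sign_algo_cert_client_auth/1 now expects `bad_certificate` for every version other than 'tlsv1.3', and nothing in the test records why the alert changed from `insufficient_security`. Going by the commit message, this follows from signature_algs_cert now being applied in TLS-1.2, so the peer sees a different alert for the same misconfiguration. A one-line comment above the branch, for example `%% signature_algs_cert is enforced pre-TLS-1.3 as well, so the certificate itself is rejected`, would stop a later reader from treating the new expectation as a regression. The test function starts before the hunk.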