ssl: Add option signature_algs

In TLS-1.2 The signature algorithm and the hash function algorithm used to produce the digest that is used when creating the digital signature may be negotiated through the signature algorithm extension RFC 5246. We want to make these algorithm pairs configurable. In connections using lower versions of TLS these algorithms are implicit defined and can not be negotiated or configured. DTLS is updated to not cause dialyzer errors, but needs to get a real implementation later.
author: Ingela Anderton Andin <[email protected]> 2016-02-05 17:39:04 +0100
committer: Ingela Anderton Andin <[email protected]> 2016-04-06 11:38:30 +0200
commit: 923ea90fb23ff65071b688fbee09c00b47afc272 (patch)
tree: 809441054e9067fe86226b66add8155318598b99 /lib/ssl/src/ssl_handshake.erl
parent: 30b22c1a3835fa411733763c49c65f2e2abb1640 (diff)
download: otp-923ea90fb23ff65071b688fbee09c00b47afc272.tar.gz
otp-923ea90fb23ff65071b688fbee09c00b47afc272.tar.bz2
otp-923ea90fb23ff65071b688fbee09c00b47afc272.zip
1 files changed, 125 insertions, 77 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index e98073080a..644903cf4b 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -46,7 +46,7 @@
 
 %% Handshake messages
 -export([hello_request/0, server_hello/4, server_hello_done/0,
-	 certificate/4, certificate_request/4, key_exchange/3,
+	 certificate/4, certificate_request/5, key_exchange/3,
 	 finished/5,  next_protocol/1]).
 
 %% Handle handshake messages
@@ -64,8 +64,8 @@
 	]).
 
 %% Cipher suites handling
--export([available_suites/2, cipher_suites/2,
-	 select_session/10, supported_ecc/1]).
+-export([available_suites/2, available_signature_algs/3, cipher_suites/2,
+	 select_session/11, supported_ecc/1]).
 
 %% Extensions handling
 -export([client_hello_extensions/6,
@@ -74,8 +74,8 @@
 	]).
 
 %% MISC
--export([select_version/3, prf/5, select_hashsign/3, 
-	 select_hashsign_algs/2, select_hashsign_algs/3,
+-export([select_version/3, prf/5, select_hashsign/5, 
+	 select_hashsign_algs/3,
 	 premaster_secret/2, premaster_secret/3, premaster_secret/4]).
 
 %%====================================================================
@@ -120,7 +120,8 @@ server_hello(SessionId, Version, ConnectionStates, Extensions) ->
 server_hello_done() ->
     #server_hello_done{}.
 
-client_hello_extensions(Host, Version, CipherSuites, SslOpts, ConnectionStates, Renegotiation) ->
+client_hello_extensions(Host, Version, CipherSuites, 
+			#ssl_options{signature_algs = SupportedHashSigns, versions = AllVersions} = SslOpts, ConnectionStates, Renegotiation) ->
     {EcPointFormats, EllipticCurves} =
 	case advertises_ec_ciphers(lists:map(fun ssl_cipher:suite_definition/1, CipherSuites)) of
 	    true ->
@@ -134,7 +135,7 @@ client_hello_extensions(Host, Version, CipherSuites, SslOpts, ConnectionStates,
        renegotiation_info = renegotiation_info(tls_record, client,
 					       ConnectionStates, Renegotiation),
        srp = SRP,
-       hash_signs = advertised_hash_signs(Version),
+       signature_algs = available_signature_algs(SupportedHashSigns, Version, AllVersions),
        ec_point_formats = EcPointFormats,
        elliptic_curves = EllipticCurves,
        alpn = encode_alpn(SslOpts#ssl_options.alpn_advertised_protocols, Renegotiation),
@@ -203,14 +204,14 @@ client_certificate_verify(OwnCert, MasterSecret, Version,
     end.
 
 %%--------------------------------------------------------------------
--spec certificate_request(ssl_cipher:cipher_suite(), db_handle(), certdb_ref(), ssl_record:ssl_version()) ->
-    #certificate_request{}.
+-spec certificate_request(ssl_cipher:cipher_suite(), db_handle(), 
+			  certdb_ref(),  #hash_sign_algos{}, ssl_record:ssl_version()) ->
+				 #certificate_request{}.
 %%
 %% Description: Creates a certificate_request message, called by the server.
 %%--------------------------------------------------------------------
-certificate_request(CipherSuite, CertDbHandle, CertDbRef, Version) ->
+certificate_request(CipherSuite, CertDbHandle, CertDbRef, HashSigns, Version) ->
     Types = certificate_types(ssl_cipher:suite_definition(CipherSuite), Version),
-    HashSigns = advertised_hash_signs(Version),
     Authorities = certificate_authorities(CertDbHandle, CertDbRef),
     #certificate_request{
 		    certificate_types = Types,
@@ -351,6 +352,9 @@ verify_server_key(#server_key_params{params_bin = EncParams,
 %%
 %% Description: Checks that the certificate_verify message is valid.
 %%--------------------------------------------------------------------
+certificate_verify(_, _, _, undefined, _, _) ->
+    ?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE);
+
 certificate_verify(Signature, PublicKeyInfo, Version,
 		   HashSign = {HashAlgo, _}, MasterSecret, {_, Handshake}) ->
     Hash = calc_certificate_verify(Version, HashAlgo, MasterSecret, Handshake),
@@ -379,10 +383,11 @@ verify_signature(_Version, Hash, _HashAlgo, Signature, {?rsaEncryption, PubKey,
     end;
 verify_signature(_Version, Hash, {HashAlgo, dsa}, Signature, {?'id-dsa', PublicKey, PublicKeyParams}) ->
     public_key:verify({digest, Hash}, HashAlgo, Signature, {PublicKey, PublicKeyParams});
-verify_signature(_Version, Hash, {HashAlgo, ecdsa}, Signature,
+verify_signature(_, Hash, {HashAlgo, _SignAlg}, Signature,
 		 {?'id-ecPublicKey', PublicKey, PublicKeyParams}) ->
     public_key:verify({digest, Hash}, HashAlgo, Signature, {PublicKey, PublicKeyParams}).
 
+
 %%--------------------------------------------------------------------
 -spec certify(#certificate{}, db_handle(), certdb_ref(), integer() | nolimit,
 	      verify_peer | verify_none, {fun(), term}, fun(), term(), term(),
@@ -573,43 +578,46 @@ prf({3,_N}, Secret, Label, Seed, WantedLength) ->
 
 
 %%--------------------------------------------------------------------
--spec select_hashsign(#hash_sign_algos{}| undefined,  undefined | binary(), ssl_record:ssl_version()) ->
-			      {atom(), atom()} | undefined.
+-spec select_hashsign(#hash_sign_algos{} | undefined,  undefined | binary(), 
+		      atom(), [atom()], ssl_record:ssl_version()) ->
+			     {atom(), atom()} | undefined  | #alert{}.
 
 %%
-%% Description:
+%% Description: Handles signature_algorithms extension
 %%--------------------------------------------------------------------
-select_hashsign(_, undefined, _Version) ->
+select_hashsign(_, undefined, _,  _, _Version) ->
     {null, anon};
 %% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have
 %% negotiated a lower version.
-select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, {Major, Minor} = Version)
-  when Major >= 3 andalso Minor >= 3 ->
-    #'OTPCertificate'{tbsCertificate = TBSCert} =public_key:pkix_decode_cert(Cert, otp),
+select_hashsign(HashSigns, Cert, KeyExAlgo, 
+		undefined, {Major, Minor} = Version)  when Major >= 3 andalso Minor >= 3->
+    select_hashsign(HashSigns, Cert, KeyExAlgo, tls_v1:default_signature_algs(Version), Version);
+select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, KeyExAlgo, SupportedHashSigns,
+		{Major, Minor}) when Major >= 3 andalso Minor >= 3 ->
+    #'OTPCertificate'{tbsCertificate = TBSCert} = public_key:pkix_decode_cert(Cert, otp),
     #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
-    DefaultHashSign = {_, Sign} = select_hashsign_algs(undefined, Algo, Version),
-    case lists:filter(fun({sha, dsa}) ->
+    Sign = cert_sign(Algo),
+    case lists:filter(fun({sha, dsa = S}) when S == Sign ->
 			      true;
 			 ({_, dsa}) ->
 			      false;
-			 ({Hash, S}) when  S == Sign ->
-			      ssl_cipher:is_acceptable_hash(Hash,
-							    proplists:get_value(hashs, crypto:supports()));
+			 ({_, _} = Algos) ->
+			      is_acceptable_hash_sign(Algos, Sign, KeyExAlgo, SupportedHashSigns);
 			 (_)  ->
 			      false
 		      end, HashSigns) of
 	[] ->
-	    DefaultHashSign;
-	[HashSign| _] ->
+	    ?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY);
+	[HashSign | _] ->
 	    HashSign
     end;
-select_hashsign(_, Cert, Version) ->
+select_hashsign(_, Cert, _, _, Version) ->
     #'OTPCertificate'{tbsCertificate = TBSCert} = public_key:pkix_decode_cert(Cert, otp),
     #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
     select_hashsign_algs(undefined, Algo, Version).
 
 %%--------------------------------------------------------------------
--spec select_hashsign_algs(#hash_sign_algos{}| undefined, oid(), ssl_record:ssl_version()) ->
+-spec select_hashsign_algs({atom(), atom()}| undefined, oid(), ssl_record:ssl_version()) ->
 				  {atom(), atom()}.
 
 %% Description: For TLS 1.2 hash function and signature algorithm pairs can be
@@ -642,24 +650,6 @@ select_hashsign_algs(undefined, ?rsaEncryption, _) ->
 select_hashsign_algs(undefined, ?'id-dsa', _) ->
     {sha, dsa}.
 
--spec select_hashsign_algs(atom(),  ssl_record:ssl_version()) -> {atom(), atom()}.
-%% Wrap function to keep the knowledge of the default values in
-%% one place only 
-select_hashsign_algs(Alg, Version) when (Alg == rsa orelse
-				    Alg == dhe_rsa orelse
-				    Alg == dh_rsa orelse
-				    Alg == ecdhe_rsa orelse
-				    Alg == ecdh_rsa orelse
-				    Alg == srp_rsa) ->    
-    select_hashsign_algs(undefined, ?rsaEncryption, Version);
-select_hashsign_algs(Alg, Version) when (Alg == dhe_dss orelse
-				    Alg == dh_dss orelse
-				    Alg == srp_dss) ->
-    select_hashsign_algs(undefined, ?'id-dsa', Version);
-select_hashsign_algs(Alg, Version) when (Alg == ecdhe_ecdsa orelse
-					 Alg == ecdh_ecdsa) ->
-    select_hashsign_algs(undefined, ?'id-ecPublicKey', Version).
-
 %%--------------------------------------------------------------------
 -spec master_secret(atom(), ssl_record:ssl_version(), #session{} | binary(), #connection_states{},
 		   client | server) -> {binary(), #connection_states{}} | #alert{}.
@@ -1063,9 +1053,56 @@ available_suites(UserSuites, Version) ->
 			    lists:member(Suite, ssl_cipher:all_suites(Version))
 		    end, UserSuites).
 
-available_suites(ServerCert, UserSuites, Version, Curve) ->
+available_suites(ServerCert, UserSuites, Version, undefined, Curve) ->
     ssl_cipher:filter(ServerCert, available_suites(UserSuites, Version))
-	-- unavailable_ecc_suites(Curve).
+	-- unavailable_ecc_suites(Curve);
+available_suites(ServerCert, UserSuites, Version, HashSigns, Curve) ->
+    Suites = available_suites(ServerCert, UserSuites, Version, undefined, Curve),
+    filter_hashsigns(Suites, [ssl_cipher:suite_definition(Suite) || Suite <- Suites], HashSigns, []).
+filter_hashsigns([], [], _, Acc) ->
+    lists:reverse(Acc);
+filter_hashsigns([Suite | Suites], [{KeyExchange,_,_,_} | Algos], HashSigns,
+		 Acc) when KeyExchange == dhe_ecdsa;
+			   KeyExchange == ecdhe_ecdsa ->
+    do_filter_hashsigns(ecdsa, Suite, Suites, Algos, HashSigns, Acc);
+
+filter_hashsigns([Suite | Suites], [{KeyExchange,_,_,_} | Algos], HashSigns,
+		 Acc) when KeyExchange == rsa;
+			   KeyExchange == dhe_rsa;
+			   KeyExchange == ecdhe_rsa;
+			   KeyExchange == srp_rsa;
+			   KeyExchange == rsa_psk ->
+    do_filter_hashsigns(rsa, Suite, Suites, Algos, HashSigns, Acc);
+filter_hashsigns([Suite | Suites], [{KeyExchange,_,_,_} | Algos], HashSigns, Acc) when 
+      KeyExchange == dhe_dss;
+      KeyExchange == srp_dss ->							       
+    do_filter_hashsigns(dsa, Suite, Suites, Algos, HashSigns, Acc);
+filter_hashsigns([Suite | Suites], [{KeyExchange,_,_,_} | Algos], HashSigns, Acc) when 
+      KeyExchange == dh_dss; 
+      KeyExchange == dh_rsa; 
+      KeyExchange == dh_ecdsa;
+      KeyExchange == ecdh_rsa;    
+      KeyExchange == ecdh_ecdsa ->
+      %%  Fixed DH certificates MAY be signed with any hash/signature
+      %%  algorithm pair appearing in the hash_sign extension.  The names
+    %%  DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA are historical.
+    filter_hashsigns(Suites, Algos, HashSigns, [Suite| Acc]);
+filter_hashsigns([Suite | Suites], [{KeyExchange,_,_,_} | Algos], HashSigns, Acc) when 
+      KeyExchange == dh_anon;
+      KeyExchange == ecdh_anon;
+      KeyExchange == srp_anon;
+      KeyExchange == psk;
+      KeyExchange == dhe_psk ->
+    %% In this case hashsigns is not used as the kexchange is anonaymous
+    filter_hashsigns(Suites, Algos, HashSigns, [Suite| Acc]).
+
+do_filter_hashsigns(SignAlgo, Suite, Suites, Algos, HashSigns, Acc) ->
+    case lists:keymember(SignAlgo, 2, HashSigns) of
+	true ->
+	    filter_hashsigns(Suites, Algos, HashSigns, [Suite| Acc]);
+	false ->
+	    filter_hashsigns(Suites, Algos, HashSigns, Acc)
+    end.
 
 unavailable_ecc_suites(no_curve) ->
     ssl_cipher:ec_keyed_suites();
@@ -1077,17 +1114,17 @@ cipher_suites(Suites, false) ->
 cipher_suites(Suites, true) ->
     Suites.
 
-select_session(SuggestedSessionId, CipherSuites, Compressions, Port, #session{ecc = ECCCurve} = 
+select_session(SuggestedSessionId, CipherSuites, HashSigns, Compressions, Port, #session{ecc = ECCCurve} = 
 		   Session, Version,
-	       #ssl_options{ciphers = UserSuites, honor_cipher_order = HCO} = SslOpts,
+	       #ssl_options{ciphers = UserSuites, honor_cipher_order = HonorCipherOrder} = SslOpts,
 	       Cache, CacheCb, Cert) ->
     {SessionId, Resumed} = ssl_session:server_id(Port, SuggestedSessionId,
 						 SslOpts, Cert,
 						 Cache, CacheCb),
     case Resumed of
         undefined ->
-	    Suites = available_suites(Cert, UserSuites, Version, ECCCurve),
-	    CipherSuite = select_cipher_suite(CipherSuites, Suites, HCO),
+	    Suites = available_suites(Cert, UserSuites, Version, HashSigns, ECCCurve),
+	    CipherSuite = select_cipher_suite(CipherSuites, Suites, HonorCipherOrder),
 	    Compression = select_compression(Compressions),
 	    {new, Session#session{session_id = SessionId,
 				  cipher_suite = CipherSuite,
@@ -1155,7 +1192,7 @@ handle_client_hello_extensions(RecordCB, Random, ClientCipherSuites,
 			       #hello_extensions{renegotiation_info = Info,
 						 srp = SRP,
 						 ec_point_formats = ECCFormat,
-                         alpn = ALPN,
+						 alpn = ALPN,
 						 next_protocol_negotiation = NextProtocolNegotiation}, Version,
 			       #ssl_options{secure_renegotiate = SecureRenegotation,
                                             alpn_preferred_protocols = ALPNPreferredProtocols} = Opts,
@@ -1324,7 +1361,7 @@ handle_renegotiation_info(_RecordCB, ConnectionStates, SecureRenegotation) ->
 
 hello_extensions_list(#hello_extensions{renegotiation_info = RenegotiationInfo,
 					srp = SRP,
-					hash_signs = HashSigns,
+					signature_algs = HashSigns,
 					ec_point_formats = EcPointFormats,
 					elliptic_curves = EllipticCurves,
                                         alpn = ALPN,
@@ -1799,7 +1836,7 @@ dec_hello_extensions(<<?UINT16(?SIGNATURE_ALGORITHMS_EXT), ?UINT16(Len),
     <<?UINT16(SignAlgoListLen), SignAlgoList/binary>> = ExtData,
     HashSignAlgos = [{ssl_cipher:hash_algorithm(Hash), ssl_cipher:sign_algorithm(Sign)} ||
 			<<?BYTE(Hash), ?BYTE(Sign)>> <= SignAlgoList],
-    dec_hello_extensions(Rest, Acc#hello_extensions{hash_signs =
+    dec_hello_extensions(Rest, Acc#hello_extensions{signature_algs =
 						    #hash_sign_algos{hash_sign_algos = HashSignAlgos}});
 
 dec_hello_extensions(<<?UINT16(?ELLIPTIC_CURVES_EXT), ?UINT16(Len),
@@ -1899,7 +1936,7 @@ from_2bytes(<<?UINT16(N), Rest/binary>>, Acc) ->
 key_exchange_alg(rsa) ->
     ?KEY_EXCHANGE_RSA;
 key_exchange_alg(Alg) when Alg == dhe_rsa; Alg == dhe_dss;
-			    Alg == dh_dss; Alg == dh_rsa; Alg == dh_anon ->
+			   Alg == dh_dss; Alg == dh_rsa; Alg == dh_anon ->
     ?KEY_EXCHANGE_DIFFIE_HELLMAN;
 key_exchange_alg(Alg) when Alg == ecdhe_rsa; Alg == ecdh_rsa;
 			   Alg == ecdhe_ecdsa; Alg == ecdh_ecdsa;
@@ -2008,27 +2045,16 @@ is_member(Suite, SupportedSuites) ->
 select_compression(_CompressionMetodes) ->
     ?NULL.
 
--define(TLSEXT_SIGALG_RSA(MD), {MD, rsa}).
--define(TLSEXT_SIGALG_DSA(MD), {MD, dsa}).
--define(TLSEXT_SIGALG_ECDSA(MD), {MD, ecdsa}).
-
--define(TLSEXT_SIGALG(MD), ?TLSEXT_SIGALG_ECDSA(MD), ?TLSEXT_SIGALG_RSA(MD)).
-
-advertised_hash_signs({Major, Minor}) when Major >= 3 andalso Minor >= 3 ->
-    HashSigns = [?TLSEXT_SIGALG(sha512),
-		 ?TLSEXT_SIGALG(sha384),
-		 ?TLSEXT_SIGALG(sha256),
-		 ?TLSEXT_SIGALG(sha224),
-		 ?TLSEXT_SIGALG(sha),
-		 ?TLSEXT_SIGALG_DSA(sha),
-		 ?TLSEXT_SIGALG_RSA(md5)],
-    CryptoSupport = crypto:supports(),
-    HasECC = proplists:get_bool(ecdsa,  proplists:get_value(public_keys, CryptoSupport)),
-    Hashs = proplists:get_value(hashs, CryptoSupport),
-    #hash_sign_algos{hash_sign_algos =
-			 lists:filter(fun({Hash, ecdsa}) -> HasECC andalso proplists:get_bool(Hash, Hashs);
-					 ({Hash, _}) -> proplists:get_bool(Hash, Hashs) end, HashSigns)};
-advertised_hash_signs(_) ->
+available_signature_algs(undefined, _, _)  ->
+    undefined;
+available_signature_algs(SupportedHashSigns, {Major, Minor}, AllVersions) when Major >= 3 andalso Minor >= 3 ->
+    case tls_record:lowest_protocol_version(AllVersions) of
+	{3, 3} ->
+	    #hash_sign_algos{hash_sign_algos = SupportedHashSigns};
+	_ ->
+	    undefined
+    end;	
+available_signature_algs(_, _, _) ->
     undefined.
 
 psk_secret(PSKIdentity, PSKLookup) ->
@@ -2123,3 +2149,25 @@ distpoints_lookup([DistPoint | Rest], Callback, CRLDbHandle) ->
 	CRLs ->
 	    [{DistPoint, {CRL, public_key:der_decode('CertificateList', CRL)}} ||  CRL <- CRLs]
     end.	
+
+cert_sign(?rsaEncryption) ->
+    rsa;
+cert_sign(?'id-ecPublicKey') ->
+    ecdsa;
+cert_sign(?'id-dsa') ->
+    dsa;
+cert_sign(Alg) ->
+    {_, Sign} =public_key:pkix_sign_types(Alg),
+    Sign.
+
+is_acceptable_hash_sign({_, Sign} = Algos, Sign, _, SupportedHashSigns) ->
+    is_acceptable_hash_sign(Algos, SupportedHashSigns);
+is_acceptable_hash_sign(Algos,_, KeyExAlgo, SupportedHashSigns) when KeyExAlgo == dh_ecdsa;
+								     KeyExAlgo == ecdh_rsa;    
+								     KeyExAlgo == ecdh_ecdsa ->
+    is_acceptable_hash_sign(Algos, SupportedHashSigns); 
+is_acceptable_hash_sign(_,_,_,_) ->
+    false.
+is_acceptable_hash_sign(Algos, SupportedHashSigns) ->
+    lists:member(Algos, SupportedHashSigns).
+
author	Ingela Anderton Andin <[email protected]>	2016-02-05 17:39:04 +0100
committer	Ingela Anderton Andin <[email protected]>	2016-04-06 11:38:30 +0200
commit	923ea90fb23ff65071b688fbee09c00b47afc272 (patch)
tree	809441054e9067fe86226b66add8155318598b99 /lib/ssl/src/ssl_handshake.erl
parent	30b22c1a3835fa411733763c49c65f2e2abb1640 (diff)
download	otp-923ea90fb23ff65071b688fbee09c00b47afc272.tar.gz otp-923ea90fb23ff65071b688fbee09c00b47afc272.tar.bz2 otp-923ea90fb23ff65071b688fbee09c00b47afc272.zip