From dca65c70badd3b33903a0535ef2366eecc3e12dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= <peterdmv@erlang.org>
Date: Fri, 14 Jun 2019 15:53:47 +0200
Subject: ssl: Improve handling of signature algorithms

TLS 1.2 ClientHello caused handshake failure in the TLS 1.2 server
if the signature_algorithms_cert extension contained legacy algorithms.

Update TLS 1.2 server to properly handle legacy signature algorithms
in the signature_algorithms_cert extension.

Update TLS 1.3 client so that it can send legacy algorithms in its
signature_algorithms_cert extension.
---
 lib/ssl/src/ssl_cipher.erl    | 10 +++++++++-
 lib/ssl/src/ssl_handshake.erl |  5 +----
 lib/ssl/src/tls_v1.erl        | 22 ++++++++++++++++++++--
 3 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 21db887bb5..4da50d2af8 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -923,6 +923,12 @@ signature_scheme(rsa_pss_pss_sha384) -> ?RSA_PSS_PSS_SHA384;
 signature_scheme(rsa_pss_pss_sha512) -> ?RSA_PSS_PSS_SHA512;
 signature_scheme(rsa_pkcs1_sha1) -> ?RSA_PKCS1_SHA1;
 signature_scheme(ecdsa_sha1) -> ?ECDSA_SHA1;
+%% Handling legacy signature algorithms
+signature_scheme({Hash0, Sign0}) ->
+    Hash = hash_algorithm(Hash0),
+    Sign = sign_algorithm(Sign0),
+    <<?UINT16(SigAlg)>> = <<?BYTE(Hash),?BYTE(Sign)>>,
+    SigAlg;
 signature_scheme(?RSA_PKCS1_SHA256) -> rsa_pkcs1_sha256;
 signature_scheme(?RSA_PKCS1_SHA384) -> rsa_pkcs1_sha384;
 signature_scheme(?RSA_PKCS1_SHA512) -> rsa_pkcs1_sha512;
@@ -962,7 +968,9 @@ scheme_to_components(rsa_pss_pss_sha256) -> {sha256, rsa_pss_pss, undefined};
 scheme_to_components(rsa_pss_pss_sha384) -> {sha384, rsa_pss_pss, undefined};
 scheme_to_components(rsa_pss_pss_sha512) -> {sha512, rsa_pss_pss, undefined};
 scheme_to_components(rsa_pkcs1_sha1) -> {sha1, rsa_pkcs1, undefined};
-scheme_to_components(ecdsa_sha1) -> {sha1, ecdsa, undefined}.
+scheme_to_components(ecdsa_sha1) -> {sha1, ecdsa, undefined};
+%% Handling legacy signature algorithms
+scheme_to_components({Hash,Sign}) -> {Hash, Sign, undefined}.
 
 
 %% TODO: Add support for EC and RSA-SSA signatures
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index f68d3e9b26..3d2abb714f 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1186,10 +1186,7 @@ signature_algs_ext(undefined) ->
 signature_algs_ext(SignatureSchemes0) ->
     %% The SSL option signature_algs contains both hash-sign algorithms (tuples) and
     %% signature schemes (atoms) if TLS 1.3 is configured.
-    %% Filter out all hash-sign tuples when creating the signature_algs extension.
-    %% (TLS 1.3 specific record type)
-    SignatureSchemes = lists:filter(fun is_atom/1, SignatureSchemes0),
-    #signature_algorithms{signature_scheme_list = SignatureSchemes}.
+    #signature_algorithms{signature_scheme_list = SignatureSchemes0}.
 
 signature_algs_cert(undefined) ->
     undefined;
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index 27cd5765e5..f7c8c770ae 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -606,8 +606,26 @@ signature_schemes(Version, SignatureSchemes) when is_tuple(Version)
                           Acc
                   end;
               %% Special clause for filtering out the legacy hash-sign tuples.
-              (_ , Acc) ->
-                  Acc
+              ({Hash, dsa = Sign} = Alg, Acc) ->
+                  case proplists:get_bool(dss, PubKeys)
+                      andalso proplists:get_bool(Hash, Hashes)
+                      andalso is_pair(Hash, Sign, Hashes)
+                  of
+                      true ->
+                          [Alg | Acc];
+                      false ->
+                          Acc
+                  end;
+              ({Hash, Sign} = Alg, Acc) ->
+                  case proplists:get_bool(Sign, PubKeys)
+                      andalso proplists:get_bool(Hash, Hashes)
+                      andalso is_pair(Hash, Sign, Hashes)
+                  of
+                      true ->
+                          [Alg | Acc];
+                      false ->
+                          Acc
+                  end
           end,
     Supported = lists:foldl(Fun, [], SignatureSchemes),
     lists:reverse(Supported);
-- 
cgit v1.2.3


From 1564864b8e7a6cd247995eb74efa5d9ab7f9ea0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= <peterdmv@erlang.org>
Date: Fri, 14 Jun 2019 16:08:46 +0200
Subject: ssl: Add interop test

Add interoperability test for TLS 1.2 server and TLS 1.3 client.
---
 lib/ssl/test/ssl_basic_SUITE.erl | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 785ea98fa0..93c03daa45 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -249,6 +249,7 @@ tls13_test_group() ->
      tls_record_1_3_encode_decode,
      tls13_finished_verify_data,
      tls13_1_RTT_handshake,
+     tls12_ssl_server_tls13_ssl_client,
      tls13_basic_ssl_server_openssl_client,
      tls13_custom_groups_ssl_server_openssl_client,
      tls13_hello_retry_request_ssl_server_openssl_client,
@@ -5351,6 +5352,41 @@ tls13_finished_verify_data(_Config) ->
     FinishedKey = tls_v1:finished_key(BaseKey, sha256),
     VerifyData = tls_v1:finished_verify_data(FinishedKey, sha256, Messages).
 
+
+tls12_ssl_server_tls13_ssl_client() ->
+     [{doc,"Test basic connection between TLS 1.2 server and TLS 1.3 client"}].
+
+tls12_ssl_server_tls13_ssl_client(Config) ->
+    ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_opts, Config),
+    ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    %% Set versions
+    ServerOpts = [{versions, ['tlsv1.2']}|ServerOpts0],
+    ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']},
+                  {signature_algs_cert, [ecdsa_secp384r1_sha384,
+                                         rsa_pss_rsae_sha256,
+                                         rsa_pkcs1_sha256,
+                                         {sha256,rsa},{sha256,dsa}]}|ClientOpts0],
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ClientOpts}]),
+
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close_port(Client).
+
+
 tls13_basic_ssl_server_openssl_client() ->
      [{doc,"Test TLS 1.3 basic connection between ssl server and openssl s_client"}].
 
-- 
cgit v1.2.3