Add s2n_signature_preferences_20240521
This preference list allows ECDSA sigalgs to be prioritized in
policies that need legacy sigalg (SHA-1) support.

This change is needed because TLS1.3 is reliant on the sigalg
preferences to drive server certificate preference selection.
raycoll committed May 21, 2024
1 parent 5f29e4c commit c7aa037
Showing 2 changed files with 36 additions and 0 deletions.
35 changes: 35 additions & 0 deletions tls/s2n_signature_scheme.c
Expand Up @@ -435,6 +435,41 @@ const struct s2n_signature_preferences s2n_certificate_signature_preferences_rfc
.signature_schemes = s2n_cert_sig_scheme_pref_list_rfc9151
};

/*
* Legacy compatibility policy based on s2n_sig_scheme_pref_list_20201021 with ECDSA prioritized.
* This list also removes ECDSA+SHA224, which is not known to be relied on by any legitimate
* use cases.
*/
const struct s2n_signature_scheme* const s2n_sig_scheme_pref_list_20240521[] = {
/* ECDSA */
&s2n_ecdsa_sha256,
&s2n_ecdsa_sha384,
&s2n_ecdsa_sha512,

/* RSA PSS */
&s2n_rsa_pss_pss_sha256,
&s2n_rsa_pss_pss_sha384,
&s2n_rsa_pss_pss_sha512,
&s2n_rsa_pss_rsae_sha256,
&s2n_rsa_pss_rsae_sha384,
&s2n_rsa_pss_rsae_sha512,

/* RSA PKCS1 */
&s2n_rsa_pkcs1_sha256,
&s2n_rsa_pkcs1_sha384,
&s2n_rsa_pkcs1_sha512,
&s2n_rsa_pkcs1_sha224,

/* SHA-1 Legacy */
&s2n_rsa_pkcs1_sha1,
&s2n_ecdsa_sha1,
};

const struct s2n_signature_preferences s2n_signature_preferences_20240521 = {
.count = s2n_array_len(s2n_sig_scheme_pref_list_20240521),
.signature_schemes = s2n_sig_scheme_pref_list_20240521
};

const struct s2n_signature_scheme* const s2n_sig_scheme_pref_list_test_all_fips[] = {
/* RSA PSS */
&s2n_rsa_pss_pss_sha256,
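Review bot: In the `/* SHA-1 Legacy */` group at the end of `s2n_sig_scheme_pref_list_20240521`, `&s2n_rsa_pkcs1_sha1` is listed ahead of `&s2n_ecdsa_sha1`, which does not match the header comment's "with ECDSA prioritized". If that order is deliberate (for example because these schemes are never used for TLS 1.3 handshake signatures, which is not visible in this hunk), the comment should say so, e.g. `* SHA-1 schemes are kept last, for legacy peers only; RSA-before-ECDSA there is intentional.`; otherwise the two entries should be swapped. The comment also does not explain why `&s2n_rsa_pkcs1_sha224` stays in the list while ECDSA+SHA224 is dropped. Only the .c and .h files change in this commit, so nothing visible here checks the ordering the comment promises; a unit test asserting that the ECDSA entries precede the RSA entries and that the SHA-1 entries come last would keep the list from drifting.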
1 change: 1 addition & 0 deletions tls/s2n_signature_scheme.h
Expand Up @@ -75,6 +75,7 @@ extern const struct s2n_signature_preferences s2n_signature_preferences_20140601
extern const struct s2n_signature_preferences s2n_signature_preferences_20200207;
extern const struct s2n_signature_preferences s2n_signature_preferences_20201021;
extern const struct s2n_signature_preferences s2n_signature_preferences_20210816;
extern const struct s2n_signature_preferences s2n_signature_preferences_20240521;
extern const struct s2n_signature_preferences s2n_signature_preferences_rfc9151;
extern const struct s2n_signature_preferences s2n_certificate_signature_preferences_rfc9151;
extern const struct s2n_signature_preferences s2n_signature_preferences_default_fips;
