File 4572-ssl-Fix-filter-and-conversions-of-singnature-algorit.patch of Package erlang
From b7f0b29d2e3f5209a947a922e6c6606734494579 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 13 Oct 2021 15:05:06 +0200
Subject: [PATCH 2/4] ssl: Fix filter and conversions of singnature algorithms
schemes for TLS-1.2
---
lib/ssl/src/ssl_cipher.erl | 29 +++++++++++++++++++++++++----
lib/ssl/src/ssl_handshake.erl | 12 +++++++++---
2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 63f46346ee..af53640ab9 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -597,6 +597,19 @@ signature_scheme(rsa_pss_pss_sha384) -> ?RSA_PSS_PSS_SHA384;
signature_scheme(rsa_pss_pss_sha512) -> ?RSA_PSS_PSS_SHA512;
signature_scheme(rsa_pkcs1_sha1) -> ?RSA_PKCS1_SHA1;
signature_scheme(ecdsa_sha1) -> ?ECDSA_SHA1;
+%% New algorithms on legacy format
+signature_scheme({sha512, rsa_pss_pss}) ->
+ ?RSA_PSS_PSS_SHA512;
+signature_scheme({sha384, rsa_pss_pss}) ->
+ ?RSA_PSS_PSS_SHA384;
+signature_scheme({sha256, rsa_pss_pss}) ->
+ ?RSA_PSS_PSS_SHA256;
+signature_scheme({sha512, rsa_pss_rsae}) ->
+ ?RSA_PSS_RSAE_SHA512;
+signature_scheme({sha384, rsa_pss_rsae}) ->
+ ?RSA_PSS_RSAE_SHA384;
+signature_scheme({sha256, rsa_pss_rsae}) ->
+ ?RSA_PSS_RSAE_SHA256;
%% Handling legacy signature algorithms
signature_scheme({Hash0, Sign0}) ->
Hash = hash_algorithm(Hash0),
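Review bot: The comment `%% New algorithms on legacy format` does not say that the six new clauses depend on sitting above the generic `signature_scheme({Hash0, Sign0})` clause, which would otherwise match any two-element tuple first. I would extend it to something like `%% RSASSA-PSS given as {Hash, Sign}; must stay above the generic legacy clause below`, so a later reordering does not silently change which code point is put on the wire. The generic clause's body continues past the end of this hunk, so how it would handle an `rsa_pss_*` sign value is not visible here.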
@@ -627,10 +640,18 @@ signature_scheme(SignAlgo) when is_integer(SignAlgo) ->
signature_scheme(_) -> unassigned.
signature_schemes_1_2(SigAlgs) ->
- lists:map(fun(Algs) ->
- {Hash, Sign, _} = scheme_to_components(Algs),
- {Hash, Sign}
- end, SigAlgs).
+ lists:foldl(fun(Alg, Acc) when is_atom(Alg) ->
+ case scheme_to_components(Alg) of
+ {Hash, Sign = rsa_pss_pss,_} ->
+ [{Hash, Sign} | Acc];
+ {Hash, Sign = rsa_pss_rsae,_} ->
+ [{Hash, Sign} | Acc];
+ {_, _, _} ->
+ Acc
+ end;
+ (Alg, Acc) ->
+ [Alg| Acc]
+ end, [], SigAlgs).
%% TODO: reserved code points?
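Review bot: `lists:foldl/3` combined with `[... | Acc]` returns the entries in the reverse of their order in `SigAlgs`, whereas the `lists:map/2` it replaces kept that order. The signature_algorithms extension is read in descending order of preference, so a TLS-1.2 peer would see the least-preferred entry first and negotiation may settle on a weaker hash than the configuration intended. Changing the call to `lists:foldr(` with the same fun and `[]`, or wrapping the result in `lists:reverse/1`, keeps the configured order. The `{_, _, _} -> Acc` branch also discards every non-PSS atom scheme without any trace; a one-line comment stating that this is deliberate for TLS-1.2 would help.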
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 6210240011..2d5e29fb61 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -652,8 +652,8 @@ encode_extensions([#srp{username = UserName} | Rest], Acc) ->
encode_extensions(Rest, <<?UINT16(?SRP_EXT), ?UINT16(Len), ?BYTE(SRPLen),
UserName/binary, Acc/binary>>);
encode_extensions([#hash_sign_algos{hash_sign_algos = HashSignAlgos} | Rest], Acc) ->
- SignAlgoList = << <<(ssl_cipher:hash_algorithm(Hash)):8, (ssl_cipher:sign_algorithm(Sign)):8>> ||
- {Hash, Sign} <- HashSignAlgos >>,
+ SignAlgoList = << <<(ssl_cipher:signature_scheme(SignatureScheme)):16 >> ||
+ SignatureScheme <- HashSignAlgos >>,
ListLen = byte_size(SignAlgoList),
Len = ListLen + 2,
encode_extensions(Rest, <<?UINT16(?SIGNATURE_ALGORITHMS_EXT),
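Review bot: The new comprehension puts the result of `ssl_cipher:signature_scheme/1` straight into a `:16` segment, but that function's catch-all clause (visible in the ssl_cipher.erl part of this patch) returns the atom `unassigned`. An element that matches no clause would therefore raise `badarg` while the hello extension is being built, instead of being reported as a configuration problem. Whether option validation upstream already rules this out is not visible here. A comment on the clause such as `%% HashSignAlgos: scheme atoms or {Hash, Sign} pairs known to ssl_cipher:signature_scheme/1` would record the assumption. The clause body continues past the end of the hunk.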
@@ -988,12 +988,18 @@ available_signature_algs(undefined, _) ->
available_signature_algs(SupportedHashSigns, Version) when Version >= {3, 3} ->
case contains_scheme(SupportedHashSigns) of
true ->
- #signature_algorithms{signature_scheme_list = SupportedHashSigns};
+ case Version of
+ {3,3} ->
+ #hash_sign_algos{hash_sign_algos = ssl_cipher:signature_schemes_1_2(SupportedHashSigns)};
+ _ ->
+ #signature_algorithms{signature_scheme_list = SupportedHashSigns}
+ end;
false ->
#hash_sign_algos{hash_sign_algos = SupportedHashSigns}
end;
available_signature_algs(_, _) ->
undefined.
+
available_signature_algs(undefined, SupportedHashSigns, _, Version) when
Version >= {3,3} ->
SupportedHashSigns;
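Review bot: In the new `{3,3}` branch the result of `ssl_cipher:signature_schemes_1_2/1` is used unchecked, and that function drops every atom scheme that is not `rsa_pss_pss` or `rsa_pss_rsae`. A configured list made up only of other schemes would then produce `#hash_sign_algos{hash_sign_algos = []}`, that is, an empty signature_algorithms extension, which TLS-1.2 does not allow and peers may reject. I would match on the result and handle the empty case explicitly, for example `[] -> undefined;` in line with the final clause of this function, if leaving the extension out is the intended fallback. The nested `case Version of` could also become a separate function clause for `{3,3}`, which would keep the version dispatch in the heads like the neighbouring clauses.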
--
2.31.1