File 4081-ssl-Enhance-alert-handling.patch of Package erlang
From d5b65fb55730d5cb4f11f52c2a4e05c312cd3896 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 14 May 2024 11:52:37 +0200
Subject: [PATCH] ssl: Enhance alert handling
Make it easier to distinguish between a invalid signature and unsupported signature
Closes #8466
---
lib/ssl/src/ssl_certificate.erl | 14 +++++++-------
lib/ssl/src/ssl_handshake.erl | 2 ++
lib/ssl/test/ssl_cert_SUITE.erl | 2 +-
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 09705b9497..527a9d37f4 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -222,7 +222,7 @@ validate(Issuer, {bad_cert, cert_expired}, #{issuer := Issuer}) ->
validate(_, {bad_cert, _} = Reason, _) ->
{fail, Reason};
validate(Cert, valid, #{path_len := N} = UserState) ->
- case verify_sign(Cert, UserState) of
+ case verify_sign_support(Cert, UserState) of
true ->
case maps:get(cert_ext, UserState, undefined) of
undefined ->
@@ -231,7 +231,7 @@ validate(Cert, valid, #{path_len := N} = UserState) ->
verify_cert_extensions(Cert, UserState#{path_len => N-1})
end;
false ->
- {fail, {bad_cert, invalid_signature}}
+ {fail, {bad_cert, unsupported_signature}}
end;
validate(Cert, valid_peer, UserState = #{role := client, server_name := Hostname,
customize_hostname_check := Customize}) when Hostname =/= disable ->
@@ -599,21 +599,21 @@ verify_cert_extensions(Cert, UserState, [_|Exts], Context) ->
%% Skip unknown extensions!
verify_cert_extensions(Cert, UserState, Exts, Context).
-verify_sign(_, #{version := {_, Minor}}) when Minor < 3 ->
+verify_sign_support(_, #{version := {_, Minor}}) when Minor < 3 ->
%% This verification is not applicable pre TLS-1.2
true;
-verify_sign(Cert, #{version := {3, 3},
+verify_sign_support(Cert, #{version := {3, 3},
signature_algs := SignAlgs,
signature_algs_cert := undefined}) ->
is_supported_signature_algorithm_1_2(Cert, SignAlgs);
-verify_sign(Cert, #{version := {3, 3},
+verify_sign_support(Cert, #{version := {3, 3},
signature_algs_cert := SignAlgs}) ->
is_supported_signature_algorithm_1_2(Cert, SignAlgs);
-verify_sign(Cert, #{version := {3, 4},
+verify_sign_support(Cert, #{version := {3, 4},
signature_algs := SignAlgs,
signature_algs_cert := undefined}) ->
is_supported_signature_algorithm_1_3(Cert, SignAlgs);
-verify_sign(Cert, #{version := {3, 4},
+verify_sign_support(Cert, #{version := {3, 4},
signature_algs_cert := SignAlgs}) ->
is_supported_signature_algorithm_1_3(Cert, SignAlgs).
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 7dd60829a1..09341905e9 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -2111,6 +2111,8 @@ path_validation_alert({bad_cert, invalid_issuer}) ->
?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
path_validation_alert({bad_cert, invalid_signature}) ->
?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
+path_validation_alert({bad_cert, unsupported_signature}) ->
+ ?ALERT_REC(?FATAL, ?UNSUPPORTED_CERTIFICATE);
path_validation_alert({bad_cert, name_not_permitted}) ->
?ALERT_REC(?FATAL, ?BAD_CERTIFICATE);
path_validation_alert({bad_cert, unknown_critical_extension}) ->
diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl
index ef9e2cf759..18fbddf83c 100644
--- a/lib/ssl/test/ssl_cert_SUITE.erl
+++ b/lib/ssl/test/ssl_cert_SUITE.erl
@@ -1216,7 +1216,7 @@ unsupported_sign_algo_cert_client_auth(Config) ->
'tlsv1.3' ->
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required);
_ ->
- ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, bad_certificate)
+ ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, unsupported_certificate)
end.
%%--------------------------------------------------------------------
--
2.35.3
