File 0491-ssl-Avoid-unnecessary-duplicates.patch of Package erlang

From 05bced8c31cd4ba8c6b1e5151b27e8d37495f435 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 13 Jan 2025 15:44:15 +0100
Subject: [PATCH] ssl: Avoid unnecessary duplicates

---
 lib/ssl/src/ssl_cipher.erl     | 40 +++++++++++++++++++---------------
 lib/ssl/test/tls_api_SUITE.erl |  4 +++-
 2 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index c8ceaba4fc..4d705514ef 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -646,25 +646,29 @@ signature_scheme(SignAlgo) when is_integer(SignAlgo) ->
 signature_scheme(_) -> unassigned.
 
 signature_schemes_1_2(SigAlgs) ->
-    lists:reverse(lists:foldl(fun(Alg, Acc) when is_atom(Alg) ->
-                        case scheme_to_components(Alg) of
-                            {Hash, Sign = rsa_pss_pss,_} ->
-                                [{Hash, Sign} | Acc];
-                            {Hash, Sign = rsa_pss_rsae,_} ->
-                                [{Hash, Sign} | Acc];
-                            %% TLS-1.2 do not constrian the
-                            %% curve, however must be one
-                            %% present in "supported groups" (eccs)
-                            {Hash, ecdsa = Sign, _} ->
-                                [{Hash, Sign} | Acc];
-                            {Hash, Sign, undefined} ->
-                                [{Hash, format_sign(Sign)} | Acc];
-                            {_, _, _} ->
+    Schemes = lists:foldl(fun(Alg, Acc) when is_atom(Alg) ->
+                                  case scheme_to_components(Alg) of
+                                      {Hash, Sign = rsa_pss_pss,_} ->
+                                          [{Hash, Sign} | Acc];
+                                      {Hash, Sign = rsa_pss_rsae,_} ->
+                                          [{Hash, Sign} | Acc];
+                                      %% TLS-1.2 do not constrain the
+                                      %% curve, however must be one
+                                      %% present in "supported groups" (eccs)
+                                      {Hash, ecdsa = Sign, _} ->
+                                          [{Hash, Sign} | Acc];
+                                      {Hash, Sign, undefined} ->
+                                          [{Hash, format_sign(Sign)} | Acc];
+                                      {_, _, _} ->
                                 Acc
-                        end;
-                   (Alg, Acc) ->
-                        [Alg| Acc]
-                end, [], SigAlgs)).
+                                  end;
+                             (Alg, Acc) ->
+                                  [Alg| Acc]
+                          end, [], SigAlgs),
+    %% Make sure that if ECDSA TLS-1.2 names are specified do not duplicate them
+    %% earlier in list by allowing TLS-1.3 schemes to be interpreted as TLS-1.2 algs
+    %% unless the ECDSA TLS-1.2 representation is missing and we want to work around it.
+    lists:reverse(lists:uniq(Schemes)).
 
 %% TODO: reserved code points?
 
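Review bot: The comment added above `lists:reverse(lists:uniq(Schemes))` does not say which of two equal entries survives, and the answer is easy to get wrong. `Schemes` is still in reverse order at that point and `lists:uniq/1` keeps the first occurrence it sees, so the entry kept is the one that came last in `SigAlgs`. A `{Hash, ecdsa}` pair derived from an earlier TLS-1.3 scheme is therefore dropped in favour of the later explicit TLS-1.2 entry. If callers treat list position as signature-algorithm preference (not visible in this hunk), that demotion is worth stating outright, for example `%% Schemes is reversed here, so uniq/1 keeps the occurrence that is last in SigAlgs order.`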
diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl
index 0e8da54b6c..156571beb9 100644
--- a/lib/ssl/test/tls_api_SUITE.erl
+++ b/lib/ssl/test/tls_api_SUITE.erl
@@ -1370,7 +1370,9 @@ signature_algs(Config) when is_list(Config) ->
     true = (not lists:member(rsa_pkcs1_sha384, TLS_1_2_All)) andalso lists:member({sha384, rsa}, TLS_1_2_All),
     true = (not lists:member(rsa_pkcs1_sha256, TLS_1_2_All)) andalso lists:member({sha256, rsa}, TLS_1_2_All),
     true = (not lists:member(rsa_pkcs1_sha, TLS_1_2_All)) andalso lists:member({sha, rsa}, TLS_1_2_All),
-    true = (not lists:member(ecdsa_sha1, TLS_1_2_All)) andalso lists:member({sha, ecdsa}, TLS_1_2_All).
+    true = (not lists:member(ecdsa_sha1, TLS_1_2_All)) andalso lists:member({sha, ecdsa}, TLS_1_2_All),
+    All = ssl_cipher:signature_schemes_1_2(ssl:signature_algs(default, 'tlsv1.3')),
+    true = length(All) == length(lists:uniq(All)).
 
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------
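Review bot: The added assertion `true = length(All) == length(lists:uniq(All))` checks only that the default TLS-1.3 list maps to a duplicate-free result, not which position the surviving entry takes, so a version that kept the earlier occurrence would still pass. An order-sensitive case with constructed input would pin that, e.g. `[{sha256, rsa}, {sha256, ecdsa}] = ssl_cipher:signature_schemes_1_2([ecdsa_secp256r1_sha256, {sha256, rsa}, {sha256, ecdsa}])`. That expected value assumes scheme_to_components/1 maps `ecdsa_secp256r1_sha256` to sha256/ecdsa, which is not visible here. The uniqueness check itself reads more directly as a match, `All = lists:uniq(All)`. The body of signature_algs/1 starts outside the hunk.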
-- 
2.43.0
