author | Péter Dimitrov <[email protected]> | 2019-04-11 10:44:07 +0200 |
---|---|---|
committer | Péter Dimitrov <[email protected]> | 2019-04-11 10:44:07 +0200 |
commit | 3e0e8d3a77a97674e1c62e61d568d86563f6ec19 (patch) | |
tree | cbc391ff63a10c089a18da19d90983764bb86e9e | |
parent | c7feac7941f4b9e345ef13feefa25e02efa95738 (diff) | |
parent | 0a626e619eff71feb7b436fa38389be135394804 (diff) | |
Merge branch 'peterdmv/ssl/fix-tls13-handshake/ERL-908/OTP-15759'
* peterdmv/ssl/fix-tls13-handshake/ERL-908/OTP-15759:
ssl: Add chacha ciphers to openssl_suite_name/1
ssl: Filter signature_schemes before usage
ssl: Handle legacy algorithms in signature_scheme/1
Change-Id: I4caa0fb21324aceb1d3502d33e61e99bd915d9c4
-rw-r--r-- | lib/ssl/src/ssl_cipher.erl | 5 | ||||
-rw-r--r-- | lib/ssl/src/ssl_cipher_format.erl | 16 | ||||
-rw-r--r-- | lib/ssl/src/tls_handshake_1_3.erl | 4 |
3 files changed, 24 insertions, 1 deletions
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 850dee7d4f..2238b5290d 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -939,6 +939,11 @@ signature_scheme(?RSA_PSS_PSS_SHA384) -> rsa_pss_pss_sha384;
 signature_scheme(?RSA_PSS_PSS_SHA512) -> rsa_pss_pss_sha512;
 signature_scheme(?RSA_PKCS1_SHA1) -> rsa_pkcs1_sha1;
 signature_scheme(?ECDSA_SHA1) -> ecdsa_sha1;
+%% Handling legacy signature algorithms for logging purposes. These algorithms
+%% cannot be used in TLS 1.3 handshakes.
+signature_scheme(SignAlgo) when is_integer(SignAlgo) ->
+ <<?BYTE(Hash),?BYTE(Sign)>> = <<?UINT16(SignAlgo)>>,
+ {ssl_cipher:hash_algorithm(Hash), ssl_cipher:sign_algorithm(Sign)};
 signature_scheme(_) -> unassigned.
 %% TODO: reserved code points?
diff --git a/lib/ssl/src/ssl_cipher_format.erl b/lib/ssl/src/ssl_cipher_format.erl
index 8737181922..e0df3662ef 100644
--- a/lib/ssl/src/ssl_cipher_format.erl
+++ b/lib/ssl/src/ssl_cipher_format.erl
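Review bot: The new integer clause changes the return type of signature_scheme/1 from a scheme atom to atom | {HashAlgo, SignAlgo}, and it also makes the catch-all `signature_scheme(_) -> unassigned.` unreachable for integer input, so an unknown 16-bit code point now yields whatever hash_algorithm/1 and sign_algorithm/1 return for unlisted values instead of `unassigned`. Every consumer of the decoded list therefore has to cope with tuples; the filter this commit adds in tls_handshake_1_3.erl does, but any -spec for signature_scheme/1 and any other caller that matches on an atom should be checked. The comment should state that explicitly, e.g. `%% Returns a {Hash, Sign} tuple rather than a scheme atom; callers feeding the handshake must drop these with is_atom/1.` Minor style: inside ssl_cipher.erl the calls can be local, `{hash_algorithm(Hash), sign_algorithm(Sign)}`, unless the fully qualified form is intended for code upgrade.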
@@ -1958,6 +1958,22 @@ openssl_suite_name(?TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256) ->
 openssl_suite_name(?TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384) ->
 "ECDH-RSA-AES256-GCM-SHA384";
+%% ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) RFC7905
+openssl_suite_name(?TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_PSK_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256";
+
 %% TLS 1.3 Cipher Suites RFC8446
 openssl_suite_name(?TLS_AES_128_GCM_SHA256) ->
 "TLS_AES_128_GCM_SHA256";
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 0efedf3400..20d28c33de 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -1323,7 +1323,9 @@ get_signature_scheme_list(#signature_algorithms_cert{
 ClientSignatureSchemes;
 get_signature_scheme_list(#signature_algorithms{
 signature_scheme_list = ClientSignatureSchemes}) ->
- ClientSignatureSchemes.
+ %% Filter unassigned and legacy elements
+ lists:filter(fun (E) -> is_atom(E) andalso E =/= unassigned end,
+ ClientSignatureSchemes).
 get_supported_groups(#supported_groups{supported_groups = Groups}) ->
 Groups. |
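Review bot: The strings added for the seven ChaCha20-Poly1305 clauses are the IANA/RFC 7905 suite names, while the neighbouring TLS 1.2 clauses of openssl_suite_name/1 return OpenSSL's own short names (`"ECDH-RSA-AES256-GCM-SHA384"` directly above), so the function now mixes two naming conventions for pre-1.3 suites. OpenSSL's own names for these suites have the form ECDHE-RSA-CHACHA20-POLY1305; if the RFC names were chosen deliberately because the OpenSSL version being targeted accepts standard names in cipher strings, the new comment should say so, e.g. `%% IANA names are used on purpose: the targeted OpenSSL accepts them in cipher strings.` Otherwise the OpenSSL-style names would be consistent with the rest of the TLS 1.2 clauses.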
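Review bot: The filter is applied only in the `#signature_algorithms{}` clause; the `#signature_algorithms_cert{}` clause just above it (its head starts outside the hunk) still returns its list unfiltered, so if that list is decoded through the same ssl_cipher:signature_scheme/1 path, `unassigned` atoms and the legacy {Hash, Sign} tuples will still reach the caller from there. Pulling the predicate into a named helper lets both clauses share it and gives the "legacy elements" comment a precise meaning, and a list comprehension reads better than lists:filter/2 with an anonymous fun. Since this list comes straight from the peer's extension, it is worth keeping the check in one place.

```erlang
%% … unchanged: #signature_algorithms_cert{} clause, which should call filter_signature_schemes/1 the same way …
get_signature_scheme_list(#signature_algorithms{
                             signature_scheme_list = ClientSignatureSchemes}) ->
    filter_signature_schemes(ClientSignatureSchemes).

%% Drop unassigned code points and the legacy {Hash, Sign} tuples that
%% ssl_cipher:signature_scheme/1 decodes for logging only; neither is usable
%% in a TLS 1.3 handshake.
filter_signature_schemes(SignatureSchemes) ->
    [S || S <- SignatureSchemes, is_atom(S), S =/= unassigned].

%% … unchanged: get_supported_groups/1 …
```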