diff options
author | Péter Dimitrov <[email protected]> | 2019-03-11 16:40:47 +0100 |
---|---|---|
committer | Péter Dimitrov <[email protected]> | 2019-03-14 09:53:59 +0100 |
commit | 22ce783fe400ee5e3996802a634c8d5868edc82f (patch) | |
tree | 11cb0c18ab164ad13e19b0ab3c485955d07c1632 /lib/ssl/src/ssl_cipher.erl | |
parent | 6608e84968c96366d76b6cc4a854d32a1c458fea (diff) | |
download | otp-22ce783fe400ee5e3996802a634c8d5868edc82f.tar.gz otp-22ce783fe400ee5e3996802a634c8d5868edc82f.tar.bz2 otp-22ce783fe400ee5e3996802a634c8d5868edc82f.zip |
ssl: Improve verification of received Certificate
Validate peer certificate against supported signature algorithms.
Send 'Hanshake Failure' Alert if signature algorithm is not
supported by the server.
Change-Id: Iad428aad337f0f9764d23404c203f966664c4555
Diffstat (limited to 'lib/ssl/src/ssl_cipher.erl')
-rw-r--r-- | lib/ssl/src/ssl_cipher.erl | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index 6e751f9ceb..fe8736d2df 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -45,7 +45,7 @@ random_bytes/1, calc_mac_hash/4, calc_mac_hash/6, is_stream_ciphersuite/1, signature_scheme/1, scheme_to_components/1, hash_size/1, effective_key_bits/1, - key_material/1]). + key_material/1, signature_algorithm_to_scheme/1]). %% RFC 8446 TLS 1.3 -export([generate_client_shares/1, generate_server_share/1, add_zero_padding/2]). @@ -900,6 +900,18 @@ scheme_to_components(rsa_pss_pss_sha512) -> {sha512, rsa_pss_pss, undefined}; scheme_to_components(rsa_pkcs1_sha1) -> {sha1, rsa_pkcs1, undefined}; scheme_to_components(ecdsa_sha1) -> {sha1, ecdsa, undefined}. + +%% TODO: Add support for EC and RSA-SSA signatures +signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?sha1WithRSAEncryption}) -> + rsa_pkcs1_sha1; +signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?sha256WithRSAEncryption}) -> + rsa_pkcs1_sha256; +signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?sha384WithRSAEncryption}) -> + rsa_pkcs1_sha384; +signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?sha512WithRSAEncryption}) -> + rsa_pkcs1_sha512. + + %% RFC 5246: 6.2.3.2. CBC Block Cipher %% %% Implementation note: Canvel et al. [CBCTIME] have demonstrated a |