diff options
| author | Péter Dimitrov <[email protected]> | 2018-11-16 09:36:08 +0100 |
|---|---|---|
| committer | Péter Dimitrov <[email protected]> | 2018-11-20 09:55:54 +0100 |
| commit | 5667810578357122b3a49949c3e7826f652833c2 (patch) | |
| tree | bfbbe58c5af5f3b5ac089637b48ca353c6a0cd38 /lib/ssl/src | |
| parent | bafd4606dfd6dbc880758f6dc7694b50238bea8c (diff) | |
| download | otp-5667810578357122b3a49949c3e7826f652833c2.tar.gz otp-5667810578357122b3a49949c3e7826f652833c2.tar.bz2 otp-5667810578357122b3a49949c3e7826f652833c2.zip | |
ssl: Fix default values of "signature_algs"
- Add function for special handling of default values of
"signature_algs" in TLS 1.3.
This change adds default values for "signature_algs" even for
TLS 1.3 clients as they must send the "signature_algs" extension
when a server authenticates itself via a certificate.
- Use "signature schemes" as default instead of the old
hash-signature algorithms tuple when using TLS 1.3.
Change-Id: I296593b16610fd7a18a4ae3f3bac63c2fad06fbd
Diffstat (limited to 'lib/ssl/src')
| -rw-r--r-- | lib/ssl/src/ssl.erl | 28 | ||||
| -rw-r--r-- | lib/ssl/src/tls_v1.erl | 4 |
2 files changed, 26 insertions, 6 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index df5628b236..2c3f8bc20f 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -1002,9 +1002,10 @@ handle_options(Opts0, Role, Host) -> proplists:get_value( signature_algs, Opts, - default_option_role(server, + default_option_role_sign_algs(server, tls_v1:default_signature_algs(HighestVersion), - Role)), + Role, + HighestVersion)), tls_version(HighestVersion)), signature_algs_cert = handle_signature_algorithms_option( @@ -1337,15 +1338,25 @@ validate_option(customize_hostname_check, Value) when is_list(Value) -> validate_option(Opt, Value) -> throw({error, {options, {Opt, Value}}}). +handle_hashsigns_option(Value, Version) when is_list(Value) + andalso Version >= {3, 4} -> + case tls_v1:signature_schemes(Version, Value) of + [] -> + throw({error, {options, + no_supported_signature_schemes, + {signature_algs, Value}}}); + _ -> + Value + end; handle_hashsigns_option(Value, Version) when is_list(Value) - andalso Version >= {3, 3} -> + andalso Version =:= {3, 3} -> case tls_v1:signature_algs(Version, Value) of [] -> throw({error, {options, no_supported_algorithms, {signature_algs, Value}}}); _ -> Value end; -handle_hashsigns_option(_, Version) when Version >= {3, 3} -> +handle_hashsigns_option(_, Version) when Version =:= {3, 3} -> handle_hashsigns_option(tls_v1:default_signature_algs(Version), Version); handle_hashsigns_option(_, _Version) -> undefined. @@ -1762,11 +1773,20 @@ handle_verify_options(Opts, CaCerts) -> throw({error, {options, {verify, Value}}}) end. +%% Added to handle default values for signature_algs in TLS 1.3 +default_option_role_sign_algs(_, Value, _, Version) when Version >= {3,4} -> + Value; +default_option_role_sign_algs(Role, Value, Role, _) -> + Value; +default_option_role_sign_algs(_, _, _, _) -> + undefined. + default_option_role(Role, Value, Role) -> Value; default_option_role(_,_,_) -> undefined. + default_cb_info(tls) -> {gen_tcp, tcp, tcp_closed, tcp_error}; default_cb_info(dtls) -> diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl index 8618355089..83dd7585dd 100644 --- a/lib/ssl/src/tls_v1.erl +++ b/lib/ssl/src/tls_v1.erl @@ -346,8 +346,8 @@ signature_algs({3, 3}, HashSigns) -> end, [], HashSigns), lists:reverse(Supported). -default_signature_algs({3, 4}) -> - default_signature_algs({3, 3}); +default_signature_algs({3, 4} = Version) -> + default_signature_schemes(Version); default_signature_algs({3, 3} = Version) -> Default = [%% SHA2 {sha512, ecdsa}, |