From 1782d1d032e0c284884a6f26d3a43b4608d5360a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?=
Date: Wed, 10 Apr 2019 11:37:14 +0200
Subject: ssl: Handle legacy algorithms in signature_scheme/1

Handle legacy signature algorithms in TLS 1.3 ClientHello to improve debug logging.

Change-Id: If5548c828aabab83a2b147dffa7e937bd98916c6
---
 lib/ssl/src/ssl_cipher.erl | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 850dee7d4f..2238b5290d 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -939,6 +939,11 @@ signature_scheme(?RSA_PSS_PSS_SHA384) -> rsa_pss_pss_sha384;
 signature_scheme(?RSA_PSS_PSS_SHA512) -> rsa_pss_pss_sha512;
 signature_scheme(?RSA_PKCS1_SHA1) -> rsa_pkcs1_sha1;
 signature_scheme(?ECDSA_SHA1) -> ecdsa_sha1;
+%% Handling legacy signature algorithms for logging purposes. These algorithms
+%% cannot be used in TLS 1.3 handshakes.
+signature_scheme(SignAlgo) when is_integer(SignAlgo) ->
+ <> = <>,
+ {ssl_cipher:hash_algorithm(Hash), ssl_cipher:sign_algorithm(Sign)};
 signature_scheme(_) -> unassigned.
 %% TODO: reserved code points?
-- cgit v1.2.3
From d315716fee44fbcf212c3b7e18acfa8203290141 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?=
Date: Wed, 10 Apr 2019 11:41:53 +0200
Subject: ssl: Filter signature_schemes before usage

Filter unassigned and legacy elements from signature_scheme_list before further processing.

Change-Id: I0a2623e53c21cebe6e736e7eee6bb6354fc698b7
---
 lib/ssl/src/tls_handshake_1_3.erl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 0efedf3400..20d28c33de 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
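Review bot: The new integer clause of `signature_scheme/1` in lib/ssl/src/ssl_cipher.erl makes the function return a `{Hash, Sign}` tuple as well as an atom, and because it accepts every integer, the final `signature_scheme(_) -> unassigned` clause is no longer reached for unknown code points taken from a peer's ClientHello. `hash_algorithm/1` and `sign_algorithm/1` are not visible in this hunk; if either lacks a clause for some byte value, an unrecognised code point would raise `function_clause` during decoding instead of yielding `unassigned`, so it is worth confirming they are total over 0..255. I would document the mixed return type above the clause, for example `%% Returns an atom for TLS 1.3 schemes and {Hash, Sign} for legacy code points; callers must filter out the tuples.`, and call the helpers locally (`hash_algorithm(Hash)`), since the file is already ssl_cipher. The operands of the binary match on the first added code line appear to have been stripped on this page, and the function starts above the hunk.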
@@ -1323,7 +1323,9 @@ get_signature_scheme_list(#signature_algorithms_cert{
 ClientSignatureSchemes;
 get_signature_scheme_list(#signature_algorithms{
 signature_scheme_list = ClientSignatureSchemes}) ->
- ClientSignatureSchemes.
+ %% Filter unassigned and legacy elements
+ lists:filter(fun (E) -> is_atom(E) andalso E =/= unassigned end,
+ ClientSignatureSchemes).
 get_supported_groups(#supported_groups{supported_groups = Groups}) ->
 Groups.
-- cgit v1.2.3
From 0a626e619eff71feb7b436fa38389be135394804 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?=
Date: Wed, 10 Apr 2019 11:47:11 +0200
Subject: ssl: Add chacha ciphers to openssl_suite_name/1

Change-Id: I2f2cc8c64f02b50773eb455770336b159da7b9f9
---
 lib/ssl/src/ssl_cipher_format.erl | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_cipher_format.erl b/lib/ssl/src/ssl_cipher_format.erl
index 8737181922..e0df3662ef 100644
--- a/lib/ssl/src/ssl_cipher_format.erl
+++ b/lib/ssl/src/ssl_cipher_format.erl
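Review bot: Only the `#signature_algorithms{}` clause of `get_signature_scheme_list/1` filters the list; the `#signature_algorithms_cert{}` clause shown as context still returns `ClientSignatureSchemes` untouched, so `unassigned` and legacy `{Hash, Sign}` entries sent in that extension still reach later processing. Applying the same expression there, `lists:filter(fun (E) -> is_atom(E) andalso E =/= unassigned end, ClientSignatureSchemes);`, or moving it into one private helper used by both clauses, keeps the two extensions consistent. The filtered list can be empty when a peer offers only legacy schemes; the selection code is outside this hunk, so confirm that it fails the handshake cleanly in that case. The head of the first clause starts above the hunk.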
@@ -1958,6 +1958,22 @@ openssl_suite_name(?TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256) ->
 openssl_suite_name(?TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384) ->
 "ECDH-RSA-AES256-GCM-SHA384";
+%% ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) RFC7905
+openssl_suite_name(?TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_PSK_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256";
+openssl_suite_name(?TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256) ->
+ "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256";
+
 %% TLS 1.3 Cipher Suites RFC8446
 openssl_suite_name(?TLS_AES_128_GCM_SHA256) ->
 "TLS_AES_128_GCM_SHA256";
-- cgit v1.2.3
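Review bot: The seven added clauses return the IANA suite names (for example `"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"`), while the neighbouring TLS 1.2 clause returns the OpenSSL spelling `"ECDH-RSA-AES256-GCM-SHA384"`. OpenSSL lists these RFC 7905 suites as `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `DHE-RSA-CHACHA20-POLY1305` and so on; only the TLS 1.3 suites below keep the `TLS_…` form. If the result is compared with or passed to OpenSSL (the callers are not visible here), these strings will not match, so I would change the first clause to return `"ECDHE-RSA-CHACHA20-POLY1305"` and the others likewise, and check that the reverse name-to-suite mapping has matching entries.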