From f552b7d03cd799324ac5e44f1c70bfb954ead4b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= <peterdmv@erlang.org>
Date: Wed, 12 Dec 2018 13:49:44 +0100
Subject: ssl: Check if RSASSA-PSS is supported by crypto

Filter all rsa_pss_rsae and rsa_pss_pss signature schemes if
rsa_pkcs1_pss_padding is not supported by crypto.

Change-Id: Ie6d7ca3736011c71462eac925055f831777f9c9d
---
 lib/ssl/src/tls_v1.erl | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index 737ecadab4..66baa47c9b 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -542,15 +542,23 @@ signature_schemes(Version, SignatureSchemes) when is_tuple(Version)
     Hashes = proplists:get_value(hashs, CryptoSupports),
     PubKeys = proplists:get_value(public_keys, CryptoSupports),
     Curves = proplists:get_value(curves, CryptoSupports),
+    RSAPSSSupported = lists:member(rsa_pkcs1_pss_padding,
+                                   proplists:get_value(rsa_opts, CryptoSupports)),
     Fun = fun (Scheme, Acc) when is_atom(Scheme) ->
                   {Hash0, Sign0, Curve} =
                       ssl_cipher:scheme_to_components(Scheme),
                   Sign = case Sign0 of
-                             rsa_pkcs1 -> rsa;
+                             rsa_pkcs1 ->
+                                 rsa;
+                             rsa_pss_rsae when RSAPSSSupported ->
+                                 rsa;
+                             rsa_pss_pss when RSAPSSSupported ->
+                                 rsa;
                              S -> S
                          end,
                   Hash = case Hash0 of
-                             sha1 -> sha;
+                             sha1 ->
+                                 sha;
                              H -> H
                          end,
                   case proplists:get_bool(Sign, PubKeys)
-- 
cgit v1.2.3