Merge branch 'ingela/ssl/interop-PSS-TLS-1.2/GH-5255/OTP-17688' into …

…maint * ingela/ssl/interop-PSS-TLS-1.2/GH-5255/OTP-17688: ssl: Add guard for possible future algorithms not beeing handled as legacy ssl: Add OpenSSL interop tests ssl: Fix filter and conversions of singnature algorithms schemes for TLS-1.2 ssl: Fix Authority to not become empty in pre TLS-1.3 CertificateRequest
erlang · Oct 15, 2021 · 99f3bcf · 99f3bcf
2 parents 4068b51 + 50abbfd
commit 99f3bcf
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 12 deletions.
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
@@ -597,6 +597,19 @@ signature_scheme(rsa_pss_pss_sha384) -> ?RSA_PSS_PSS_SHA384;
 signature_scheme(rsa_pss_pss_sha512) -> ?RSA_PSS_PSS_SHA512;
 signature_scheme(rsa_pkcs1_sha1) -> ?RSA_PKCS1_SHA1;
 signature_scheme(ecdsa_sha1) -> ?ECDSA_SHA1;
+%% New algorithms on legacy format
+signature_scheme({sha512, rsa_pss_pss}) ->
+    ?RSA_PSS_PSS_SHA512;
+signature_scheme({sha384, rsa_pss_pss}) ->
+    ?RSA_PSS_PSS_SHA384;
+signature_scheme({sha256, rsa_pss_pss}) ->
+    ?RSA_PSS_PSS_SHA256;
+signature_scheme({sha512, rsa_pss_rsae}) ->
+    ?RSA_PSS_RSAE_SHA512;
+signature_scheme({sha384, rsa_pss_rsae}) ->
+    ?RSA_PSS_RSAE_SHA384;
+signature_scheme({sha256, rsa_pss_rsae}) ->
+    ?RSA_PSS_RSAE_SHA256;
 %% Handling legacy signature algorithms
 signature_scheme({Hash0, Sign0}) ->
     Hash = hash_algorithm(Hash0),
@@ -623,14 +636,27 @@ signature_scheme(?ECDSA_SHA1) -> ecdsa_sha1;
 %% cannot be used in TLS 1.3 handshakes.
 signature_scheme(SignAlgo) when is_integer(SignAlgo) ->
     <<?BYTE(Hash),?BYTE(Sign)>> = <<?UINT16(SignAlgo)>>,
-    {ssl_cipher:hash_algorithm(Hash), ssl_cipher:sign_algorithm(Sign)};
+    try
+        {ssl_cipher:hash_algorithm(Hash), ssl_cipher:sign_algorithm(Sign)}
+    catch
+        _:_ ->
+            unassigned
+    end;
 signature_scheme(_) -> unassigned.
 
 signature_schemes_1_2(SigAlgs) ->
-    lists:map(fun(Algs) ->
-                      {Hash, Sign, _} = scheme_to_components(Algs),
-                      {Hash, Sign}
-              end, SigAlgs).
+    lists:foldl(fun(Alg, Acc) when is_atom(Alg) ->
+                        case scheme_to_components(Alg) of
+                            {Hash, Sign = rsa_pss_pss,_} ->
+                                [{Hash, Sign} | Acc];
+                            {Hash, Sign = rsa_pss_rsae,_} ->
+                                [{Hash, Sign} | Acc];
+                            {_, _, _} ->
+                                Acc
+                        end;
+                   (Alg, Acc) ->
+                        [Alg| Acc]
+                end, [], SigAlgs).
 
 %% TODO: reserved code points?
 

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
@@ -652,8 +652,8 @@ encode_extensions([#srp{username = UserName} | Rest], Acc) ->
     encode_extensions(Rest, <<?UINT16(?SRP_EXT), ?UINT16(Len), ?BYTE(SRPLen),
 				    UserName/binary, Acc/binary>>);
 encode_extensions([#hash_sign_algos{hash_sign_algos = HashSignAlgos} | Rest], Acc) ->
-    SignAlgoList = << <<(ssl_cipher:hash_algorithm(Hash)):8, (ssl_cipher:sign_algorithm(Sign)):8>> ||
-		       {Hash, Sign} <- HashSignAlgos >>,
+    SignAlgoList = << <<(ssl_cipher:signature_scheme(SignatureScheme)):16 >> ||
+		       SignatureScheme <- HashSignAlgos >>,
     ListLen = byte_size(SignAlgoList),
     Len = ListLen + 2,
     encode_extensions(Rest, <<?UINT16(?SIGNATURE_ALGORITHMS_EXT),
@@ -988,12 +988,18 @@ available_signature_algs(undefined, _)  ->
 available_signature_algs(SupportedHashSigns, Version) when Version >= {3, 3} ->
     case contains_scheme(SupportedHashSigns) of
         true ->
-            #signature_algorithms{signature_scheme_list = SupportedHashSigns};
+            case Version of 
+                {3,3} ->
+                    #hash_sign_algos{hash_sign_algos = ssl_cipher:signature_schemes_1_2(SupportedHashSigns)};
+                _ ->
+                    #signature_algorithms{signature_scheme_list = SupportedHashSigns}
+            end;
         false ->
             #hash_sign_algos{hash_sign_algos = SupportedHashSigns}
     end;
 available_signature_algs(_, _) ->
     undefined.
+
 available_signature_algs(undefined, SupportedHashSigns, _, Version) when 
       Version >= {3,3} ->
     SupportedHashSigns;
@@ -1887,14 +1893,14 @@ supported_cert_type_or_empty(Algo, Type) ->
     end.
 
 certificate_authorities(CertDbHandle, CertDbRef) ->
-    Authorities = certificate_authorities_from_db(CertDbHandle, CertDbRef),
+    Authorities = [ Cert || #cert{otp = Cert} <- certificate_authorities_from_db(CertDbHandle, CertDbRef)],
     Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) ->
 		  OTPSubj = TBSCert#'OTPTBSCertificate'.subject,
 		  DNEncodedBin = public_key:pkix_encode('Name', OTPSubj, otp),
 		  DNEncodedLen = byte_size(DNEncodedBin),
 		  <<?UINT16(DNEncodedLen), DNEncodedBin/binary>>
 	  end,
-    list_to_binary([Enc(Cert) || {_, Cert} <- Authorities]).
+    list_to_binary([Enc(Cert) || Cert <- Authorities]).
 
 certificate_authorities_from_db(CertDbHandle, CertDbRef) when is_reference(CertDbRef) ->
     ConnectionCerts = fun({{Ref, _, _}, Cert}, Acc) when Ref  == CertDbRef ->

diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -82,7 +82,7 @@ groups() ->
     [
      {openssl_client, [], protocol_groups()},
      {'tlsv1.3', [], tls_1_3_protocol_groups()},
-     {'tlsv1.2', [], pre_tls_1_3_protocol_groups()}, %% Seems to be broken in OpenSSL [{group, rsa_pss_rsae}, {group, rsa_pss_pss}]},
+     {'tlsv1.2', [], pre_tls_1_3_protocol_groups() ++ [{group, rsa_pss_rsae}, {group, rsa_pss_pss}]},
      {'tlsv1.1', [], pre_tls_1_3_protocol_groups()},
      {'tlsv1', [], pre_tls_1_3_protocol_groups()},
      {'dtlsv1.2', [], pre_tls_1_3_protocol_groups()},
@@ -93,7 +93,7 @@ groups() ->
      {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_client_auth,
                                                               unsupported_sign_algo_cert_client_auth]},
      {rsa_pss_rsae, [], all_version_tests()},
-     {rsa_pss_pss, [], all_version_tests() ++ tls_1_3_tests()},
+     {rsa_pss_pss, [], all_version_tests()},
      {rsa_pss_rsae_1_3, [], all_version_tests() ++ tls_1_3_tests()},
      {rsa_pss_pss_1_3, [], all_version_tests() ++ tls_1_3_tests()},
      {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()},