File 1653-ssl-Be-explcit-about-negotiated-params.patch of Package erlang

Overview Repositories Revisions Requests Users Attributes Meta

File 1653-ssl-Be-explcit-about-negotiated-params.patch of Package erlang

From 7ac2a64a813e4d22789ef57a36e2ca02afa29525 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Sat, 25 Nov 2023 10:50:19 +0100
Subject: [PATCH 3/4] ssl: Be explcit about negotiated params

Do not use undocumented OpenSSL "implicit param", rather be explicit about what
PSS params that where negotiated.
---
 lib/ssl/src/ssl_handshake.erl | 41 ++++++++++++++++++++---------------
 1 file changed, 24 insertions(+), 17 deletions(-)

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index c72c950d1b..c59d97b882 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -388,15 +388,15 @@ certificate_verify(Signature, PublicKeyInfo, Version,
 %% Description: Checks that a public_key signature is valid.
 %%--------------------------------------------------------------------
 verify_signature(_, Msg, {HashAlgo, SignAlgo}, Signature,
-                 {_, PubKey, PubKeyParams}) when  SignAlgo == rsa_pss_rsae;
-                                                  SignAlgo == rsa_pss_pss ->
-    Options = verify_options(SignAlgo, HashAlgo, PubKeyParams),
+                 {_, PubKey, _}) when  SignAlgo == rsa_pss_rsae;
+                                       SignAlgo == rsa_pss_pss ->
+    Options = verify_options(SignAlgo, HashAlgo),
     public_key:verify(Msg, HashAlgo, Signature, PubKey, Options);
-verify_signature(Version, Msg, {HashAlgo, SignAlgo}, Signature, {?rsaEncryption, PubKey, PubKeyParams})
+verify_signature(Version, Msg, {HashAlgo, SignAlgo}, Signature, {?rsaEncryption, PubKey, _})
   when ?TLS_GTE(Version, ?TLS_1_2) ->
-    Options = verify_options(SignAlgo, HashAlgo, PubKeyParams),
+    Options = verify_options(SignAlgo, HashAlgo),
     public_key:verify(Msg, HashAlgo, Signature, PubKey, Options);
-verify_signature(Version, {digest, Digest}, _HashAlgo, Signature, {?rsaEncryption, PubKey, _PubKeyParams})
+verify_signature(Version, {digest, Digest}, _HashAlgo, Signature, {?rsaEncryption, PubKey, _})
   when ?TLS_LTE(Version, ?TLS_1_1) ->
     case public_key:decrypt_public(Signature, PubKey,
 				   [{rsa_pad, rsa_pkcs1_padding}]) of
@@ -2167,25 +2167,32 @@ do_digitally_signed(_, Msg, HashAlgo, Key, SignAlgo) ->
     Options = signature_options(SignAlgo, HashAlgo),
     public_key:sign(Msg, HashAlgo, Key, Options).
     
-signature_options(SignAlgo, HashAlgo) when SignAlgo =:= rsa_pss_rsae orelse
-                                           SignAlgo =:= rsa_pss_pss ->
-    pss_options(HashAlgo);
+signature_options(rsa_pss_rsae, HashAlgo) ->
+    pss_options(HashAlgo, hash_algo_byte_size(HashAlgo));
+signature_options(rsa_pss_pss, HashAlgo) ->
+    pss_options(HashAlgo, hash_algo_byte_size(HashAlgo));
 signature_options(_, _) ->
     [].
 
-verify_options(SignAlgo, HashAlgo, _KeyParams)
-  when SignAlgo =:= rsa_pss_rsae orelse
-       SignAlgo =:= rsa_pss_pss ->
-    pss_options(HashAlgo);
-verify_options(_, _, _) ->
+verify_options(rsa_pss_rsae, HashAlgo) ->
+    pss_options(HashAlgo, hash_algo_byte_size(HashAlgo));
+verify_options(rsa_pss_pss, HashAlgo) ->
+    pss_options(HashAlgo, hash_algo_byte_size(HashAlgo));
+verify_options(_, _) ->
     [].
 
-pss_options(HashAlgo) ->
-    %% of the digest algorithm: rsa_pss_saltlen = -1
+pss_options(HashAlgo, SaltLen) ->
     [{rsa_padding, rsa_pkcs1_pss_padding},
-     {rsa_pss_saltlen, -1},
+     {rsa_pss_saltlen, SaltLen},
      {rsa_mgf1_md, HashAlgo}].
 
+hash_algo_byte_size(sha256) ->
+    32;
+hash_algo_byte_size(sha384) ->
+    48;
+hash_algo_byte_size(sha512) ->
+    64.
+
 bad_key(#'DSAPrivateKey'{}) ->
     unacceptable_dsa_key;
 bad_key(#'RSAPrivateKey'{}) ->
-- 
2.35.3

Places

File 1653-ssl-Be-explcit-about-negotiated-params.patch of Package erlang

Places