authorIngela Anderton Andin <ingela@erlang.org>2020-03-03 10:28:12 +0100
committerIngela Anderton Andin <ingela@erlang.org>2020-03-04 13:24:10 +0100
commitf7fe3ee24c3fefc94a2688d4e1dcbb068c7b7eb0 (patch)
tree46ac88b76f4965d9ab16615ebef9ea7e1f8bfe2f
parent7d294eaafc62af4acf4206e76c4fea7a84f2d410 (diff)
downloaderlang-f7fe3ee24c3fefc94a2688d4e1dcbb068c7b7eb0.tar.gz
ssl: Add support for key exchange with Edwards curves and RSASSA-PSS in TLS-1.2
-rw-r--r--lib/ssl/src/ssl.app.src2
-rw-r--r--lib/ssl/src/ssl_handshake.erl20
-rw-r--r--lib/ssl/src/tls_v1.erl6
3 files changed, 26 insertions, 2 deletions
diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src
index c45e6bcf9a..63ccaabd74 100644
--- a/lib/ssl/src/ssl.app.src
+++ b/lib/ssl/src/ssl.app.src
@@ -74,5 +74,5 @@
{applications, [crypto, public_key, kernel, stdlib]},
{env, []},
{mod, {ssl_app, []}},
- {runtime_dependencies, ["stdlib-3.5","public_key-1.5","kernel-6.0",
+ {runtime_dependencies, ["stdlib-3.5","public_key-@OTP-16528@","kernel-6.0",
"erts-10.0","crypto-4.2", "inets-5.10.7"]}]}.
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 8e53be72ed..3b33af95d0 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -402,6 +402,12 @@ certificate_verify(Signature, PublicKeyInfo, Version,
%%--------------------------------------------------------------------
verify_signature(_Version, _Hash, {_HashAlgo, anon}, _Signature, _) ->
true;
+verify_signature({3, Minor}, Hash, {HashAlgo, rsa_pss_rsae}, Signature, {?rsaEncryption, PubKey, _PubKeyParams})
+ when Minor >= 3 ->
+ public_key:verify({digest, Hash}, HashAlgo, Signature, PubKey,
+ [{rsa_padding, rsa_pkcs1_pss_padding},
+ {rsa_pss_saltlen, -1},
+ {rsa_mgf1_md, HashAlgo}]);
verify_signature({3, Minor}, Hash, {HashAlgo, rsa}, Signature, {?rsaEncryption, PubKey, _PubKeyParams})
when Minor >= 3 ->
public_key:verify({digest, Hash}, HashAlgo, Signature, PubKey);
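Review bot: The PSS option list in the new rsa_pss_rsae clause encodes a protocol requirement but carries no explanation, and the `-1` salt-length value is easy to misread as "auto-detect" (if crypto passes it through to the underlying library unchanged, -1 selects a salt length equal to the digest length, which is the stricter setting RFC 8446 Section 4.2.3 mandates for these schemes, while auto-detect is a different value). A comment above the option list would pin the intent: `%% RFC 8446 4.2.3: salt length = digest length, MGF1 with the same hash as the signature`. The clause only matches SubjectPublicKeyInfo with `?rsaEncryption`, so it covers rsa_pss_rsae but not rsa_pss_pss (id-RSASSA-PSS keys); if the commit title's "RSASSA-PSS" is meant to include the latter, that still falls through to later clauses not visible here. verify_signature/5 continues past the end of this hunk.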
@@ -2356,6 +2362,20 @@ dec_server_key_params(Len, Keys, Version) ->
<<Params:Len/bytes, Signature/binary>> = Keys,
dec_server_key_signature(Params, Signature, Version).
+dec_server_key_signature(Params, <<?BYTE(8), ?BYTE(SignAlgo),
+ ?UINT16(0)>>, {Major, Minor})
+ when Major == 3, Minor >= 3 ->
+ <<?UINT16(Scheme0)>> = <<?BYTE(8), ?BYTE(SignAlgo)>>,
+ Scheme = ssl_cipher:signature_scheme(Scheme0),
+ {Hash, Sign, _} = ssl_cipher:scheme_to_components(Scheme),
+ {Params, {Hash, Sign}, <<>>};
+dec_server_key_signature(Params, <<?BYTE(8), ?BYTE(SignAlgo),
+ ?UINT16(Len), Signature:Len/binary>>, {Major, Minor})
+ when Major == 3, Minor >= 3 ->
+ <<?UINT16(Scheme0)>> = <<?BYTE(8), ?BYTE(SignAlgo)>>,
+ Scheme = ssl_cipher:signature_scheme(Scheme0),
+ {Hash, Sign, _} = ssl_cipher:scheme_to_components(Scheme),
+ {Params, {Hash, Sign}, Signature};
dec_server_key_signature(Params, <<?BYTE(HashAlgo), ?BYTE(SignAlgo),
?UINT16(0)>>, {Major, Minor})
when Major == 3, Minor >= 3 ->
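Review bot: The two new dec_server_key_signature clauses duplicate the scheme decoding, and the first (the `?UINT16(0)` case) is subsumed by the second, since `?UINT16(Len), Signature:Len/binary` with Len = 0 binds Signature to `<<>>` and yields the same tuple. The re-encode trick `<<?UINT16(Scheme0)>> = <<?BYTE(8), ?BYTE(SignAlgo)>>` can be replaced by `Scheme = ssl_cipher:signature_scheme(16#0800 bor SignAlgo),` assuming ?BYTE/?UINT16 are the usual big-endian unsigned segment macros, which reads as what it is: reassembling the 0x08xx SignatureScheme code point. Worth confirming what ssl_cipher:signature_scheme/1 returns for an unassigned 0x08xx value supplied by the peer; if it is an atom that scheme_to_components/1 has no clause for, this decode path fails with function_clause on peer-controlled input, which is acceptable only if the caller turns it into a handshake failure alert rather than a bare process crash. A short comment such as `%% TLS 1.3-style SignatureScheme (RFC 8446 4.2.3) carried in a TLS 1.2 ServerKeyExchange` would also help readers tell these clauses apart from the legacy {HashAlgorithm, SignatureAlgorithm} clause that follows. The legacy clause at the end of this hunk continues outside it.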
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index 381793c65d..38594151d9 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -884,7 +884,9 @@ oid_to_enum(?secp384r1) -> 24;
oid_to_enum(?secp521r1) -> 25;
oid_to_enum(?brainpoolP256r1) -> 26;
oid_to_enum(?brainpoolP384r1) -> 27;
-oid_to_enum(?brainpoolP512r1) -> 28.
+oid_to_enum(?brainpoolP512r1) -> 28;
+oid_to_enum(?'id-X25519') -> 29;
+oid_to_enum(?'id-X448') -> 30.
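Review bot: The new 29/30 entries in oid_to_enum/1, and their mirrors in enum_to_oid/1 in the next hunk, carry no reference for where the code points come from, and the two tables are maintained by hand so they can drift. A one-line comment on the first new clause would anchor them: `%% NamedCurve code points for x25519 (29) and x448 (30), RFC 8422 Section 5.1.1`. A small EUnit round-trip check over the full enum range, asserting `oid_to_enum(enum_to_oid(N)) =:= N` for the supported values, would catch a future mismatch between the two tables. enum_to_oid/1 begins in this hunk and continues in the next one.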
enum_to_oid(1) -> ?sect163k1;
enum_to_oid(2) -> ?sect163r1;
@@ -914,5 +916,7 @@ enum_to_oid(25) -> ?secp521r1;
enum_to_oid(26) -> ?brainpoolP256r1;
enum_to_oid(27) -> ?brainpoolP384r1;
enum_to_oid(28) -> ?brainpoolP512r1;
+enum_to_oid(29) -> ?'id-X25519';
+enum_to_oid(30) -> ?'id-X448';
enum_to_oid(_) ->
undefined.