File 3941-ssl-Adjust-signature-algorithms-to-support... of Package erlang

Overview Repositories Revisions Requests Users Attributes Meta

File 3941-ssl-Adjust-signature-algorithms-to-support-test-of-l.patch of Package erlang

From 9e5a2ecf6fd194e1e27cd21c76e21d8e298953bd Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 15 Feb 2023 12:31:37 +0100
Subject: [PATCH] ssl: Adjust signature algorithms to support test of legacy
 DSA with SHA1

---
 lib/ssl/test/openssl_client_cert_SUITE.erl | 39 ++++++++++++++--------
 1 file changed, 25 insertions(+), 14 deletions(-)

diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
index 018b49e0b7..cf1a653ac0 100644
--- a/lib/ssl/test/openssl_client_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -277,35 +277,37 @@ init_per_group(eddsa_1_3, Config0) ->
     end;
 init_per_group(Group, Config0) when Group == dsa ->
     PKAlg = crypto:supports(public_keys),
-    case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg) 
+    NVersion = ssl_test_lib:n_version(proplists:get_value(version, Config0)),
+    SigAlgs = ssl_test_lib:sig_algs(dsa, NVersion),
+    case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg)
         andalso (ssl_test_lib:openssl_dsa_suites() =/= []) of
         true ->
-            Config = ssl_test_lib:make_dsa_cert(Config0),    
-            COpts = proplists:get_value(client_dsa_opts, Config),
-            SOpts = proplists:get_value(server_dsa_opts, Config),
+            Config = ssl_test_lib:make_dsa_cert(Config0),
+            COpts = SigAlgs ++ proplists:get_value(client_dsa_opts, Config),
+            SOpts = SigAlgs ++ proplists:get_value(server_dsa_opts, Config),
             %% Make sure dhe_dss* suite is chosen by ssl_test_lib:start_server
             Version = ssl_test_lib:protocol_version(Config),
-            Ciphers =  ssl_cert_tests:test_ciphers(fun(dh_dss) -> 
+            Ciphers =  ssl_cert_tests:test_ciphers(fun(dh_dss) ->
                                                            true;
-                                                      (dhe_dss) -> 
+                                                      (dhe_dss) ->
                                                            true;
                                                       (_) ->
-                                                           false 
-                                                   end, Version), 
+                                                           false
+                                                   end, Version),
             case Ciphers of
                 [_|_] ->
                     [{cert_key_alg, dsa} |
                      lists:delete(cert_key_alg,
-                                  [{client_cert_opts, [{ciphers, Ciphers} | COpts]}, 
-                                   {server_cert_opts, SOpts} | 
-                                   lists:delete(server_cert_opts, 
+                                  [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+                                   {server_cert_opts, [{ciphers, Ciphers} | SOpts]} |
+                                   lists:delete(server_cert_opts,
                                                 lists:delete(client_cert_opts, Config))])];
                 [] ->
                     {skip, {no_sup, Group, Version}}
             end;
         false ->
             {skip, "Missing DSS crypto support"}
-    end;    
+    end;
 init_per_group(GroupName, Config) ->
     ssl_test_lib:init_per_group_openssl(GroupName, Config).
 
@@ -366,7 +368,11 @@ client_auth_use_partial_chain() ->
     [{doc, "Server does not trust an intermediat CA and fails the connetion as ROOT has expired"}].
 client_auth_use_partial_chain(Config) when is_list(Config) ->
     Prop = proplists:get_value(tc_group_properties, Config),
-    DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(proplists:get_value(name, Prop)),
+    Group = proplists:get_value(name, Prop),
+    Version = proplists:get_value(version, Config),
+    DefaultCertConf = ssl_test_lib:default_ecc_cert_chain_conf(Group),
+    Ciphers = appropriate_ciphers(Group, Version),
+
     {Year, Month, Day} = date(),
     #{client_config := ClientOpts0,
       server_config := ServerOpts0} = ssl_test_lib:make_cert_chains_pem(proplists:get_value(cert_key_alg, Config),
@@ -391,7 +397,7 @@ client_auth_use_partial_chain(Config) when is_list(Config) ->
 			    end
 		    end,
     ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, {partial_chain, PartialChain} |
-                  ssl_test_lib:ssl_options(extra_server, ServerOpts0, Config)],
+                  ssl_test_lib:ssl_options(extra_server, [{ciphers, Ciphers} | ServerOpts0], Config)],
     ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
 %%--------------------------------------------------------------------
 %%  Have to use partial chain functionality on side running Erlang (we are not testing OpenSSL features)
@@ -509,3 +515,8 @@ openssl_sig_algs(rsa_pss_pss_1_3) ->
     [{sigalgs, "rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_pss_sha256"}];
 openssl_sig_algs(rsa_pss_rsae_1_3) ->
     [{sigalgs,"rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256"}].
+
+appropriate_ciphers(dsa, Version) ->
+    ssl:cipher_suites(all, Version);
+appropriate_ciphers(_, Version) ->
+    ssl:cipher_suites(default, Version).
-- 
2.35.3

Places

File 3941-ssl-Adjust-signature-algorithms-to-support-test-of-l.patch of Package erlang

Places