ssl: Avoid unnecessary duplicates

erlang · Jan 13, 2025 · 05bced8 · 05bced8
1 parent a2c9c99
commit 05bced8
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 19 deletions.
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
@@ -646,25 +646,29 @@ signature_scheme(SignAlgo) when is_integer(SignAlgo) ->
 signature_scheme(_) -> unassigned.
 
 signature_schemes_1_2(SigAlgs) ->
-    lists:reverse(lists:foldl(fun(Alg, Acc) when is_atom(Alg) ->
-                        case scheme_to_components(Alg) of
-                            {Hash, Sign = rsa_pss_pss,_} ->
-                                [{Hash, Sign} | Acc];
-                            {Hash, Sign = rsa_pss_rsae,_} ->
-                                [{Hash, Sign} | Acc];
-                            %% TLS-1.2 do not constrian the
-                            %% curve, however must be one
-                            %% present in "supported groups" (eccs)
-                            {Hash, ecdsa = Sign, _} ->
-                                [{Hash, Sign} | Acc];
-                            {Hash, Sign, undefined} ->
-                                [{Hash, format_sign(Sign)} | Acc];
-                            {_, _, _} ->
+    Schemes = lists:foldl(fun(Alg, Acc) when is_atom(Alg) ->
+                                  case scheme_to_components(Alg) of
+                                      {Hash, Sign = rsa_pss_pss,_} ->
+                                          [{Hash, Sign} | Acc];
+                                      {Hash, Sign = rsa_pss_rsae,_} ->
+                                          [{Hash, Sign} | Acc];
+                                      %% TLS-1.2 do not constrain the
+                                      %% curve, however must be one
+                                      %% present in "supported groups" (eccs)
+                                      {Hash, ecdsa = Sign, _} ->
+                                          [{Hash, Sign} | Acc];
+                                      {Hash, Sign, undefined} ->
+                                          [{Hash, format_sign(Sign)} | Acc];
+                                      {_, _, _} ->
                                 Acc
-                        end;
-                   (Alg, Acc) ->
-                        [Alg| Acc]
-                end, [], SigAlgs)).
+                                  end;
+                             (Alg, Acc) ->
+                                  [Alg| Acc]
+                          end, [], SigAlgs),
+    %% Make sure that if ECDSA TLS-1.2 names are specified do not duplicate them
+    %% earlier in list by allowing TLS-1.3 schemes to be interpreted as TLS-1.2 algs
+    %% unless the ECDSA TLS-1.2 representation is missing and we want to work around it.
+    lists:reverse(lists:uniq(Schemes)).
 
 %% TODO: reserved code points?
 

diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl
@@ -1370,7 +1370,9 @@ signature_algs(Config) when is_list(Config) ->
     true = (not lists:member(rsa_pkcs1_sha384, TLS_1_2_All)) andalso lists:member({sha384, rsa}, TLS_1_2_All),
     true = (not lists:member(rsa_pkcs1_sha256, TLS_1_2_All)) andalso lists:member({sha256, rsa}, TLS_1_2_All),
     true = (not lists:member(rsa_pkcs1_sha, TLS_1_2_All)) andalso lists:member({sha, rsa}, TLS_1_2_All),
-    true = (not lists:member(ecdsa_sha1, TLS_1_2_All)) andalso lists:member({sha, ecdsa}, TLS_1_2_All).
+    true = (not lists:member(ecdsa_sha1, TLS_1_2_All)) andalso lists:member({sha, ecdsa}, TLS_1_2_All),
+    All = ssl_cipher:signature_schemes_1_2(ssl:signature_algs(default, 'tlsv1.3')),
+    true = length(All) == length(lists:uniq(All)).
 
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------