diff options
author | Andreas Schultz <[email protected]> | 2012-08-15 18:44:31 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2012-08-22 14:00:46 +0200 |
commit | 191931c58ebc9f18efb2422d296b4a246119ab83 (patch) | |
tree | 6fe0016f47e534d294e36a768c2ec9cdf42ff893 | |
parent | 332716f059f291eba836fb46071a9b3e718f43c0 (diff) | |
download | otp-191931c58ebc9f18efb2422d296b4a246119ab83.tar.gz otp-191931c58ebc9f18efb2422d296b4a246119ab83.tar.bz2 otp-191931c58ebc9f18efb2422d296b4a246119ab83.zip |
ssl: TLS 1.2: fix Certificate Request list of Accepted Signatur/Hash combinations
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 13 | ||||
-rw-r--r-- | lib/ssl/test/ssl_to_openssl_SUITE.erl | 13 |
2 files changed, 7 insertions, 19 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index d096bc347d..9d251054c9 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -322,7 +322,7 @@ certificate_request(ConnectionStates, CertDbHandle, CertDbRef) -> #security_parameters{cipher_suite = CipherSuite}} = ssl_record:pending_connection_state(ConnectionStates, read), Types = certificate_types(CipherSuite), - HashSigns = hashsign_algorithms(CipherSuite), + HashSigns = default_hash_signs(), Authorities = certificate_authorities(CertDbHandle, CertDbRef), #certificate_request{ certificate_types = Types, @@ -911,8 +911,10 @@ dec_hs({Major, Minor}, ?CERTIFICATE_REQUEST, ?UINT16(HashSignsLen), HashSigns:HashSignsLen/binary, ?UINT16(CertAuthsLen), CertAuths:CertAuthsLen/binary>>) when Major == 3, Minor >= 3 -> + HashSignAlgos = [{ssl_cipher:hash_algorithm(Hash), ssl_cipher:sign_algorithm(Sign)} || + <<?BYTE(Hash), ?BYTE(Sign)>> <= HashSigns], #certificate_request{certificate_types = CertTypes, - hashsign_algorithms = HashSigns, + hashsign_algorithms = #hash_sign_algos{hash_sign_algos = HashSignAlgos}, certificate_authorities = CertAuths}; dec_hs(_Version, ?CERTIFICATE_REQUEST, <<?BYTE(CertTypesLen), CertTypes:CertTypesLen/binary, @@ -1061,10 +1063,12 @@ enc_hs(#server_key_exchange{params = #server_dh_params{ Signature/binary>> }; enc_hs(#certificate_request{certificate_types = CertTypes, - hashsign_algorithms = HashSigns, + hashsign_algorithms = #hash_sign_algos{hash_sign_algos = HashSignAlgos}, certificate_authorities = CertAuths}, {Major, Minor}) when Major == 3, Minor >= 3 -> + HashSigns= << <<(ssl_cipher:hash_algorithm(Hash)):8, (ssl_cipher:sign_algorithm(Sign)):8>> || + {Hash, Sign} <- HashSignAlgos >>, CertTypesLen = byte_size(CertTypes), HashSignsLen = byte_size(HashSigns), CertAuthsLen = byte_size(CertAuths), @@ -1178,9 +1182,6 @@ hashsign_enc(HashAlgo, SignAlgo) -> Sign = ssl_cipher:sign_algorithm(SignAlgo), <<?BYTE(Hash), ?BYTE(Sign)>>. -hashsign_algorithms(_) -> - hashsign_enc(sha, rsa). - certificate_authorities(CertDbHandle, CertDbRef) -> Authorities = certificate_authorities_from_db(CertDbHandle, CertDbRef), Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) -> diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl index ce481919f2..05ed325ae2 100644 --- a/lib/ssl/test/ssl_to_openssl_SUITE.erl +++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl @@ -112,11 +112,6 @@ special_init(TestCase, Config) special_init(ssl2_erlang_server_openssl_client, Config) -> check_sane_openssl_sslv2(Config); -special_init(TestCase, Config) when TestCase == erlang_client_openssl_server_dsa_cert; - TestCase == erlang_server_openssl_client_dsa_cert; - TestCase == ciphers_dsa_signed_certs -> - check_sane_openssl_dsa(Config); - special_init(_, Config) -> Config. @@ -1189,14 +1184,6 @@ check_sane_openssl_sslv2(Config) -> Config end. -check_sane_openssl_dsa(Config) -> - case os:cmd("openssl version") of - "OpenSSL 1.0.1" ++ _ -> - {skip, "known dsa bug in OpenSSL"}; - _ -> - Config - end. - check_sane_openssl_version(Version) -> case {Version, os:cmd("openssl version")} of {_, "OpenSSL 1.0.1" ++ _} -> |