aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Schultz <[email protected]>2012-08-15 18:44:31 +0200
committerIngela Anderton Andin <[email protected]>2012-08-22 14:00:46 +0200
commit191931c58ebc9f18efb2422d296b4a246119ab83 (patch)
tree6fe0016f47e534d294e36a768c2ec9cdf42ff893
parent332716f059f291eba836fb46071a9b3e718f43c0 (diff)
downloadotp-191931c58ebc9f18efb2422d296b4a246119ab83.tar.gz
otp-191931c58ebc9f18efb2422d296b4a246119ab83.tar.bz2
otp-191931c58ebc9f18efb2422d296b4a246119ab83.zip
ssl: TLS 1.2: fix Certificate Request list of Accepted Signatur/Hash combinations
-rw-r--r--lib/ssl/src/ssl_handshake.erl13
-rw-r--r--lib/ssl/test/ssl_to_openssl_SUITE.erl13
2 files changed, 7 insertions, 19 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index d096bc347d..9d251054c9 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -322,7 +322,7 @@ certificate_request(ConnectionStates, CertDbHandle, CertDbRef) ->
#security_parameters{cipher_suite = CipherSuite}} =
ssl_record:pending_connection_state(ConnectionStates, read),
Types = certificate_types(CipherSuite),
- HashSigns = hashsign_algorithms(CipherSuite),
+ HashSigns = default_hash_signs(),
Authorities = certificate_authorities(CertDbHandle, CertDbRef),
#certificate_request{
certificate_types = Types,
@@ -911,8 +911,10 @@ dec_hs({Major, Minor}, ?CERTIFICATE_REQUEST,
?UINT16(HashSignsLen), HashSigns:HashSignsLen/binary,
?UINT16(CertAuthsLen), CertAuths:CertAuthsLen/binary>>)
when Major == 3, Minor >= 3 ->
+ HashSignAlgos = [{ssl_cipher:hash_algorithm(Hash), ssl_cipher:sign_algorithm(Sign)} ||
+ <<?BYTE(Hash), ?BYTE(Sign)>> <= HashSigns],
#certificate_request{certificate_types = CertTypes,
- hashsign_algorithms = HashSigns,
+ hashsign_algorithms = #hash_sign_algos{hash_sign_algos = HashSignAlgos},
certificate_authorities = CertAuths};
dec_hs(_Version, ?CERTIFICATE_REQUEST,
<<?BYTE(CertTypesLen), CertTypes:CertTypesLen/binary,
@@ -1061,10 +1063,12 @@ enc_hs(#server_key_exchange{params = #server_dh_params{
Signature/binary>>
};
enc_hs(#certificate_request{certificate_types = CertTypes,
- hashsign_algorithms = HashSigns,
+ hashsign_algorithms = #hash_sign_algos{hash_sign_algos = HashSignAlgos},
certificate_authorities = CertAuths},
{Major, Minor})
when Major == 3, Minor >= 3 ->
+ HashSigns= << <<(ssl_cipher:hash_algorithm(Hash)):8, (ssl_cipher:sign_algorithm(Sign)):8>> ||
+ {Hash, Sign} <- HashSignAlgos >>,
CertTypesLen = byte_size(CertTypes),
HashSignsLen = byte_size(HashSigns),
CertAuthsLen = byte_size(CertAuths),
@@ -1178,9 +1182,6 @@ hashsign_enc(HashAlgo, SignAlgo) ->
Sign = ssl_cipher:sign_algorithm(SignAlgo),
<<?BYTE(Hash), ?BYTE(Sign)>>.
-hashsign_algorithms(_) ->
- hashsign_enc(sha, rsa).
-
certificate_authorities(CertDbHandle, CertDbRef) ->
Authorities = certificate_authorities_from_db(CertDbHandle, CertDbRef),
Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) ->
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index ce481919f2..05ed325ae2 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -112,11 +112,6 @@ special_init(TestCase, Config)
special_init(ssl2_erlang_server_openssl_client, Config) ->
check_sane_openssl_sslv2(Config);
-special_init(TestCase, Config) when TestCase == erlang_client_openssl_server_dsa_cert;
- TestCase == erlang_server_openssl_client_dsa_cert;
- TestCase == ciphers_dsa_signed_certs ->
- check_sane_openssl_dsa(Config);
-
special_init(_, Config) ->
Config.
@@ -1189,14 +1184,6 @@ check_sane_openssl_sslv2(Config) ->
Config
end.
-check_sane_openssl_dsa(Config) ->
- case os:cmd("openssl version") of
- "OpenSSL 1.0.1" ++ _ ->
- {skip, "known dsa bug in OpenSSL"};
- _ ->
- Config
- end.
-
check_sane_openssl_version(Version) ->
case {Version, os:cmd("openssl version")} of
{_, "OpenSSL 1.0.1" ++ _} ->