diff options
author | Andreas Schultz <[email protected]> | 2015-04-13 16:36:32 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2015-04-20 12:12:47 +0200 |
commit | 27d754a0083d6e1dce4145af3b0c0ef87a367415 (patch) | |
tree | 3d8c489888b343ba0f5309a3ab411f04ee73902e | |
parent | ddfbbcbbd489913120a55b2a054b046c68b40a8a (diff) | |
download | otp-27d754a0083d6e1dce4145af3b0c0ef87a367415.tar.gz otp-27d754a0083d6e1dce4145af3b0c0ef87a367415.tar.bz2 otp-27d754a0083d6e1dce4145af3b0c0ef87a367415.zip |
ssl: Ignore signature_algorithm (TLS 1.2 extension) sent to TLS 1.0/1 server
pre TLS 1.2 server should ignore the signature_algorithms extension.
The server code would attempt to select the signature/hash algorithm
even when using TLS 1.0 or 1.1. Instead it should simply use the default
algorithm on those versions.
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index f29aa00a60..b538fefe53 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -578,11 +578,10 @@ prf({3,_N}, Secret, Label, Seed, WantedLength) -> %%-------------------------------------------------------------------- select_hashsign(_, undefined, _Version) -> {null, anon}; -select_hashsign(undefined, Cert, Version) -> - #'OTPCertificate'{tbsCertificate = TBSCert} = public_key:pkix_decode_cert(Cert, otp), - #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo, - select_hashsign_algs(undefined, Algo, Version); -select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, Version) -> +%% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have +%% negotiated a lower version. +select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, {Major, Minor} = Version) + when Major >= 3 andalso Minor >= 3 -> #'OTPCertificate'{tbsCertificate = TBSCert} =public_key:pkix_decode_cert(Cert, otp), #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo, DefaultHashSign = {_, Sign} = select_hashsign_algs(undefined, Algo, Version), @@ -600,7 +599,11 @@ select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, Version) -> DefaultHashSign; [HashSign| _] -> HashSign - end. + end; +select_hashsign(_, Cert, Version) -> + #'OTPCertificate'{tbsCertificate = TBSCert} = public_key:pkix_decode_cert(Cert, otp), + #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo, + select_hashsign_algs(undefined, Algo, Version). %%-------------------------------------------------------------------- -spec select_hashsign_algs(#hash_sign_algos{}| undefined, oid(), ssl_record:ssl_version()) -> |