Merge branch 'ia/pr/678/OTP-1267'

* ia/pr/678/OTP-1267: Revert "Add workaround for problems with s_client defaults" ssl: Add unit test case ssl: Ignore signature_algorithm (TLS 1.2 extension) sent to TLS 1.0/1 server
author: Ingela Anderton Andin <[email protected]> 2015-04-22 09:33:49 +0200
committer: Ingela Anderton Andin <[email protected]> 2015-04-22 09:33:49 +0200
commit: 4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1 (patch)
tree: a189aa7d88ec73e01df515b66a433257c8fa507a /lib
parent: c72bf109ab015815ac828e6faf823ec721cea5da (diff)
parent: 5edda23ee854038c9d4bcddd0d676ee0ffd20da5 (diff)
download: otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.tar.gz
otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.tar.bz2
otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.zip
3 files changed, 70 insertions, 14 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index f29aa00a60..b538fefe53 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -578,11 +578,10 @@ prf({3,_N}, Secret, Label, Seed, WantedLength) ->
 %%--------------------------------------------------------------------
 select_hashsign(_, undefined, _Version) ->
     {null, anon};
-select_hashsign(undefined,  Cert, Version) ->
-    #'OTPCertificate'{tbsCertificate = TBSCert} = public_key:pkix_decode_cert(Cert, otp),
-    #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
-    select_hashsign_algs(undefined, Algo, Version);
-select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, Version) ->
+%% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have
+%% negotiated a lower version.
+select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, {Major, Minor} = Version)
+  when Major >= 3 andalso Minor >= 3 ->
     #'OTPCertificate'{tbsCertificate = TBSCert} =public_key:pkix_decode_cert(Cert, otp),
     #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
     DefaultHashSign = {_, Sign} = select_hashsign_algs(undefined, Algo, Version),
@@ -600,7 +599,11 @@ select_hashsign(#hash_sign_algos{hash_sign_algos = HashSigns}, Cert, Version) ->
 	    DefaultHashSign;
 	[HashSign| _] ->
 	    HashSign
-    end.
+    end;
+select_hashsign(_, Cert, Version) ->
+    #'OTPCertificate'{tbsCertificate = TBSCert} = public_key:pkix_decode_cert(Cert, otp),
+    #'OTPSubjectPublicKeyInfo'{algorithm = {_,Algo, _}} = TBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo,
+    select_hashsign_algs(undefined, Algo, Version).
 
 %%--------------------------------------------------------------------
 -spec select_hashsign_algs(#hash_sign_algos{}| undefined, oid(), ssl_record:ssl_version()) ->
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index 8dca733526..d4433393a1 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2008-2014. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -40,7 +40,47 @@ all() -> [decode_hello_handshake,
 	  encode_single_hello_sni_extension_correctly,
 	  decode_single_hello_sni_extension_correctly,
 	  decode_empty_server_sni_correctly,
-	  select_proper_tls_1_2_rsa_default_hashsign].
+	  select_proper_tls_1_2_rsa_default_hashsign,
+	  ignore_hassign_extension_pre_tls_1_2].
+
+%%--------------------------------------------------------------------
+init_per_suite(Config) ->
+    Config.
+end_per_suite(Config) ->
+    Config.
+
+init_per_group(_GroupName, Config) ->
+    Config.
+
+end_per_group(_,Config) ->
+    Config.
+
+init_per_testcase(ignore_hassign_extension_pre_tls_1_2, Config0) ->
+    catch crypto:stop(),
+    try crypto:start() of
+	ok ->
+	    case is_supported(sha512) of
+		true ->
+		    ssl:start(),
+		    %% make rsa certs using oppenssl
+		    Result =
+			(catch make_certs:all(?config(data_dir, Config0),
+					      ?config(priv_dir, Config0))),
+		    ct:log("Make certs  ~p~n", [Result]),
+		    ssl_test_lib:cert_options(Config0);
+		false ->
+		    {skip, "Crypto did not support sha512"}  
+	    end
+    catch _:_ ->
+	    {skip, "Crypto did not start"}
+    end;
+init_per_testcase(_, Config0) ->
+    Config0.
+
+end_per_testcase(ignore_hassign_extension_pre_tls_1_2, _) ->
+    crypto:stop();
+end_per_testcase(_TestCase, Config) ->
+    Config.
 
 %%--------------------------------------------------------------------
 %% Test Cases --------------------------------------------------------
@@ -121,3 +161,18 @@ select_proper_tls_1_2_rsa_default_hashsign(_Config) ->
     {md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,2}),
     {md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,0}).
 
+
+ignore_hassign_extension_pre_tls_1_2(Config) ->
+    Opts = ?config(server_opts, Config),
+    CertFile = proplists:get_value(certfile, Opts),
+    [{_, Cert, _}] = ssl_test_lib:pem_to_der(CertFile),
+    HashSigns = #hash_sign_algos{hash_sign_algos = [{sha512, rsa}, {sha, dsa}]},
+    {sha512, rsa} = ssl_handshake:select_hashsign(HashSigns, Cert, {3,3}),
+    %%% Ignore
+    {md5sha, rsa} = ssl_handshake:select_hashsign(HashSigns, Cert, {3,2}),
+    {md5sha, rsa} = ssl_handshake:select_hashsign(HashSigns, Cert, {3,0}).
+
+is_supported(Hash) ->
+    Algos = crypto:supports(),
+    Hashs = proplists:get_value(hashs, Algos), 
+    lists:member(Hash, Hashs).
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 27ee07ffc6..94426a3061 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -291,7 +291,7 @@ basic_erlang_server_openssl_client(Config) when is_list(Config) ->
     Port = ssl_test_lib:inet_port(Server),
 
     Cmd = "openssl s_client -port " ++ integer_to_list(Port) ++
-	" -host localhost" ++ workaround_openssl_s_client(),
+	" -host localhost" ++ workaround_openssl_s_clinent(),
 
     ct:log("openssl cmd: ~p~n", [Cmd]),
     
@@ -1658,7 +1658,7 @@ supports_sslv2(Port) ->
 	    true
     end.
 
-workaround_openssl_s_client() ->
+workaround_openssl_s_clinent() ->
     %% http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683159
     %% https://bugs.archlinux.org/task/33919
     %% Bug seems to manifests it self if TLS version is not
@@ -1672,8 +1672,6 @@ workaround_openssl_s_client() ->
 	    " -no_tls1_2 ";
 	"OpenSSL 1.0.1f" ++ _ ->
 	    " -no_tls1_2 ";
-	"OpenSSL 1.0.1l" ++ _ ->
-	    " -cipher AES256-SHA";
-	_  ->	    
+	_  ->
 	    ""
     end.
author	Ingela Anderton Andin <[email protected]>	2015-04-22 09:33:49 +0200
committer	Ingela Anderton Andin <[email protected]>	2015-04-22 09:33:49 +0200
commit	4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1 (patch)
tree	a189aa7d88ec73e01df515b66a433257c8fa507a /lib
parent	c72bf109ab015815ac828e6faf823ec721cea5da (diff)
parent	5edda23ee854038c9d4bcddd0d676ee0ffd20da5 (diff)
download	otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.tar.gz otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.tar.bz2 otp-4bbc18a0f382cd27e3a91d5e195a2a921fdd28f1.zip