1 files changed, 36 insertions, 12 deletions

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index fc67d2c28d..94ffd180c5 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -201,13 +201,13 @@ client_certificate_verify(OwnCert, MasterSecret, Version,
     end.
 
 %%--------------------------------------------------------------------
--spec certificate_request(ssl_cipher:erl_cipher_suite(), db_handle(), certdb_ref(), ssl_record:ssl_version()) ->
+-spec certificate_request(ssl_cipher:cipher_suite(), db_handle(), certdb_ref(), ssl_record:ssl_version()) ->
     #certificate_request{}.
 %%
 %% Description: Creates a certificate_request message, called by the server.
 %%--------------------------------------------------------------------
 certificate_request(CipherSuite, CertDbHandle, CertDbRef, Version) ->
-    Types = certificate_types(CipherSuite),
+    Types = certificate_types(ssl_cipher:suite_definition(CipherSuite), Version),
     HashSigns = advertised_hash_signs(Version),
     Authorities = certificate_authorities(CertDbHandle, CertDbRef),
     #certificate_request{
@@ -1098,19 +1098,31 @@ supported_ecc(_) ->
 
 %%-------------certificate handling --------------------------------
 
-certificate_types({KeyExchange, _, _, _})
-  when KeyExchange == rsa;
-       KeyExchange == dhe_dss;
-       KeyExchange == dhe_rsa;
-       KeyExchange == ecdhe_rsa ->
-    <<?BYTE(?RSA_SIGN), ?BYTE(?DSS_SIGN)>>;
+certificate_types(_, {N, M}) when N >= 3 andalso M >= 3 ->
+    case proplists:get_bool(ecdsa,  
+			    proplists:get_value(public_keys, crypto:supports())) of
+	true ->
+	    <<?BYTE(?ECDSA_SIGN), ?BYTE(?RSA_SIGN), ?BYTE(?DSS_SIGN)>>;
+	false ->
+	    <<?BYTE(?RSA_SIGN), ?BYTE(?DSS_SIGN)>>
+    end;
+
+certificate_types({KeyExchange, _, _, _}, _) when KeyExchange == rsa;
+						  KeyExchange == dhe_rsa;
+						  KeyExchange == ecdhe_rsa ->
+    <<?BYTE(?RSA_SIGN)>>;
 
-certificate_types({KeyExchange, _, _, _})
-  when KeyExchange == dh_ecdsa;
-       KeyExchange == dhe_ecdsa ->
+certificate_types({KeyExchange, _, _, _}, _)  when KeyExchange == dhe_dss;
+						   KeyExchange == srp_dss ->
+    <<?BYTE(?DSS_SIGN)>>;
+
+certificate_types({KeyExchange, _, _, _}, _) when KeyExchange == dh_ecdsa;
+						  KeyExchange == dhe_ecdsa;
+						  KeyExchange == ecdh_ecdsa;
+						  KeyExchange == ecdhe_ecdsa ->
     <<?BYTE(?ECDSA_SIGN)>>;
 
-certificate_types(_) ->
+certificate_types(_, _) ->
     <<?BYTE(?RSA_SIGN)>>.
 
 certificate_authorities(CertDbHandle, CertDbRef) ->
@@ -1719,6 +1731,11 @@ dec_hello_extensions(<<?UINT16(?EC_POINT_FORMATS_EXT), ?UINT16(Len),
     dec_hello_extensions(Rest, Acc#hello_extensions{ec_point_formats =
 							#ec_point_formats{ec_point_format_list =
 									      ECPointFormats}});
+
+dec_hello_extensions(<<?UINT16(?SNI_EXT), ?UINT16(Len),
+                ExtData:Len/binary, Rest/binary>>, Acc) ->
+    <<?UINT16(_), NameList/binary>> = ExtData,
+    dec_hello_extensions(Rest, Acc#hello_extensions{sni = dec_sni(NameList)});
 %% Ignore data following the ClientHello (i.e.,
 %% extensions) if not understood.
 
@@ -1731,6 +1748,13 @@ dec_hello_extensions(_, Acc) ->
 dec_hashsign(<<?BYTE(HashAlgo), ?BYTE(SignAlgo)>>) ->
     {ssl_cipher:hash_algorithm(HashAlgo), ssl_cipher:sign_algorithm(SignAlgo)}.
 
+%% Ignore unknown names (only host_name is supported)
+dec_sni(<<?BYTE(?SNI_NAMETYPE_HOST_NAME), ?UINT16(Len),
+                HostName:Len/binary, _/binary>>) ->
+    #sni{hostname = binary_to_list(HostName)};
+dec_sni(<<?BYTE(_), ?UINT16(Len), _:Len, Rest/binary>>) -> dec_sni(Rest);
+dec_sni(_) -> undefined.
+
 decode_next_protocols({next_protocol_negotiation, Protocols}) ->
     decode_next_protocols(Protocols, []).
 decode_next_protocols(<<>>, Acc) ->