6 files changed, 42 insertions, 46 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 0ba59cede2..fc06b5f1b0 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -612,8 +612,15 @@ handle_options(Opts0, _Role) ->
 
     CertFile = handle_option(certfile, Opts, <<>>),
     
+    Versions = case handle_option(versions, Opts, []) of
+		   [] ->
+		       ssl_record:supported_protocol_versions();  
+		   Vsns  ->
+		       [ssl_record:protocol_version(Vsn) || Vsn <- Vsns]
+	       end,  
+
     SSLOptions = #ssl_options{
-      versions   = handle_option(versions, Opts, []),
+      versions   = Versions,
       verify     = validate_option(verify, Verify),
       verify_fun = VerifyFun,
       fail_if_no_peer_cert = FailIfNoPeerCert,
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 86f5617b54..01a7cd93b5 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -37,8 +37,7 @@
 	 is_valid_extkey_usage/2,
 	 is_valid_key_usage/2,
 	 select_extension/2,
-	 extensions_list/1,
-	 signature_type/1
+	 extensions_list/1
 	]).
  
 %%====================================================================
@@ -167,22 +166,6 @@ extensions_list(Extensions) ->
     Extensions.
 
 %%--------------------------------------------------------------------
--spec signature_type(term()) -> rsa | dsa .
-%%
-%% Description: 
-%%--------------------------------------------------------------------
-signature_type(RSA) when RSA == ?sha1WithRSAEncryption;
-			 RSA == ?md5WithRSAEncryption;
-			 RSA == ?sha224WithRSAEncryption;
-			 RSA == ?sha256WithRSAEncryption;
-			 RSA == ?sha384WithRSAEncryption;
-			 RSA == ?sha512WithRSAEncryption
-			 ->
-    rsa;
-signature_type(?'id-dsa-with-sha1') ->
-    dsa.
-
-%%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
 certificate_chain(OtpCert, _Cert, CertDbHandle, CertsDbRef, Chain) ->
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 567690a413..d91e2a89a0 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -483,10 +483,10 @@ filter(undefined, Ciphers) ->
 filter(DerCert, Ciphers) ->
     OtpCert = public_key:pkix_decode_cert(DerCert, otp),
     SigAlg = OtpCert#'OTPCertificate'.signatureAlgorithm,
-    case ssl_certificate:signature_type(SigAlg#'SignatureAlgorithm'.algorithm) of
-	rsa ->
+    case public_key:pkix_sign_types(SigAlg#'SignatureAlgorithm'.algorithm) of
+	{_, rsa} ->
 	    filter_rsa(OtpCert, Ciphers -- dsa_signed_suites());
-	dsa ->
+	{_, dsa} ->
 	    Ciphers -- rsa_signed_suites()
     end.
 	
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 8f4fd88d42..4d29ecce7a 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -73,7 +73,6 @@
 	  session_cache,        % 
 	  session_cache_cb,     %
           negotiated_version,   % tls_version()
-          supported_protocol_versions, % [atom()]
           client_certificate_requested = false,
 	  key_algorithm,       % atom as defined by cipher_suite
 	  hashsign_algorithm,  % atom as defined by cipher_suite
@@ -472,6 +471,13 @@ abbreviated(#finished{verify_data = Data} = Finished,
 	    handle_own_alert(Alert, Version, abbreviated, State)
     end;
 
+%% only allowed to send next_protocol message after change cipher spec
+%% & before finished message and it is not allowed during renegotiation
+abbreviated(#next_protocol{selected_protocol = SelectedProtocol},
+	    #state{role = server, expecting_next_protocol_negotiation = true} = State0) ->
+    {Record, State} = next_record(State0#state{next_protocol = SelectedProtocol}),
+    next_state(abbreviated, abbreviated, Record, State);
+
 abbreviated(timeout, State) ->
     { next_state, abbreviated, State, hibernate };
 
@@ -656,11 +662,10 @@ cipher(#certificate_verify{signature = Signature, hashsign_algorithm = CertHashS
 	    handle_own_alert(Alert, Version, cipher, State0)
     end;
 
-% client must send a next protocol message if we are expecting it
+%% client must send a next protocol message if we are expecting it
 cipher(#finished{}, #state{role = server, expecting_next_protocol_negotiation = true,
 			   next_protocol = undefined, negotiated_version = Version} = State0) ->
-       handle_own_alert(?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE), Version, cipher, State0),
-       {stop, normal, State0};
+       handle_own_alert(?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE), Version, cipher, State0);
 
 cipher(#finished{verify_data = Data} = Finished, 
        #state{negotiated_version = Version,
@@ -682,8 +687,8 @@ cipher(#finished{verify_data = Data} = Finished,
 	    handle_own_alert(Alert, Version, cipher, State)
     end;
 
-% only allowed to send next_protocol message after change cipher spec
-% & before finished message and it is not allowed during renegotiation
+%% only allowed to send next_protocol message after change cipher spec
+%% & before finished message and it is not allowed during renegotiation
 cipher(#next_protocol{selected_protocol = SelectedProtocol},
        #state{role = server, expecting_next_protocol_negotiation = true} = State0) ->
     {Record, State} = next_record(State0#state{next_protocol = SelectedProtocol}),
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 1929370991..889d310ca8 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -61,11 +61,7 @@ client_hello(Host, Port, ConnectionStates,
 			  ciphers = UserSuites
 			 } = SslOpts,
 	     Cache, CacheCb, Renegotiation, OwnCert) ->
-
-    Fun = fun(Version) ->
-		  ssl_record:protocol_version(Version)
-	  end,
-    Version = ssl_record:highest_protocol_version(lists:map(Fun, Versions)),
+    Version = ssl_record:highest_protocol_version(Versions),
     Pending = ssl_record:pending_connection_state(ConnectionStates, read),
     SecParams = Pending#connection_state.security_parameters,
     Ciphers = available_suites(UserSuites, Version),
@@ -139,10 +135,11 @@ hello(#server_hello{cipher_suite = CipherSuite, server_version = Version,
 		    compression_method = Compression, random = Random,
 		    session_id = SessionId, renegotiation_info = Info,
 		    hash_signs = _HashSigns} = Hello,
-      #ssl_options{secure_renegotiate = SecureRenegotation, next_protocol_selector = NextProtocolSelector},
+      #ssl_options{secure_renegotiate = SecureRenegotation, next_protocol_selector = NextProtocolSelector,
+		   versions = SupportedVersions},
       ConnectionStates0, Renegotiation) ->
     %%TODO: select hash and signature algorigthm
-    case ssl_record:is_acceptable_version(Version) of
+    case ssl_record:is_acceptable_version(Version, SupportedVersions) of
 	true ->
 	    case handle_renegotiation_info(client, Info, ConnectionStates0, 
 					   Renegotiation, SecureRenegotation, []) of
@@ -171,7 +168,7 @@ hello(#client_hello{client_version = ClientVersion, random = Random,
       {Port, Session0, Cache, CacheCb, ConnectionStates0, Cert}, Renegotiation) ->
 %% TODO: select hash and signature algorithm
     Version = select_version(ClientVersion, Versions),
-    case ssl_record:is_acceptable_version(Version) of
+    case ssl_record:is_acceptable_version(Version, Versions) of
 	true ->
 	    {Type, #session{cipher_suite = CipherSuite,
 			    compression_method = Compression} = Session} 
@@ -869,11 +866,7 @@ hello_security_parameters(server, Version, ConnectionState, CipherSuite, Random,
      }.
 
 select_version(ClientVersion, Versions) ->   
-    Fun = fun(Version) ->
-		  ssl_record:protocol_version(Version)
-	  end,
-    ServerVersion = ssl_record:highest_protocol_version(lists:map(Fun,
-								  Versions)),
+    ServerVersion = ssl_record:highest_protocol_version(Versions),
     ssl_record:lowest_protocol_version(ClientVersion, ServerVersion).
 
 select_cipher_suite([], _) ->
diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl
index 173b9611c6..26aca56739 100644
--- a/lib/ssl/src/ssl_record.erl
+++ b/lib/ssl/src/ssl_record.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -56,7 +56,7 @@
 %% Misc.
 -export([protocol_version/1, lowest_protocol_version/2,
 	 highest_protocol_version/1, supported_protocol_versions/0,
-	 is_acceptable_version/1]).
+	 is_acceptable_version/1, is_acceptable_version/2]).
 
 -export([compressions/0]).
 
@@ -475,8 +475,10 @@ supported_protocol_versions([_|_] = Vsns) ->
 
 %%--------------------------------------------------------------------
 -spec is_acceptable_version(tls_version()) -> boolean().
+-spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean().
 %%     
 %% Description: ssl version 2 is not acceptable security risks are too big.
+%% 
 %%--------------------------------------------------------------------
 is_acceptable_version({N,_}) 
   when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
@@ -484,6 +486,12 @@ is_acceptable_version({N,_})
 is_acceptable_version(_) ->
     false.
 
+is_acceptable_version({N,_} = Version, Versions)   
+  when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+    lists:member(Version, Versions);
+is_acceptable_version(_,_) ->
+    false.
+
 %%--------------------------------------------------------------------
 -spec compressions() -> [binary()].
 %%