From 191931c58ebc9f18efb2422d296b4a246119ab83 Mon Sep 17 00:00:00 2001
From: Andreas Schultz <aschultz@tpip.net>
Date: Wed, 15 Aug 2012 18:44:31 +0200
Subject: ssl: TLS 1.2: fix Certificate Request list of Accepted Signatur/Hash
 combinations

---
 lib/ssl/src/ssl_handshake.erl         | 13 +++++++------
 lib/ssl/test/ssl_to_openssl_SUITE.erl | 13 -------------
 2 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index d096bc347d..9d251054c9 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -322,7 +322,7 @@ certificate_request(ConnectionStates, CertDbHandle, CertDbRef) ->
 		      #security_parameters{cipher_suite = CipherSuite}} =
 	ssl_record:pending_connection_state(ConnectionStates, read),
     Types = certificate_types(CipherSuite),
-    HashSigns = hashsign_algorithms(CipherSuite),
+    HashSigns = default_hash_signs(),
     Authorities = certificate_authorities(CertDbHandle, CertDbRef),
     #certificate_request{
 		    certificate_types = Types,
@@ -911,8 +911,10 @@ dec_hs({Major, Minor}, ?CERTIFICATE_REQUEST,
 	?UINT16(HashSignsLen), HashSigns:HashSignsLen/binary,
 	?UINT16(CertAuthsLen), CertAuths:CertAuthsLen/binary>>)
   when Major == 3, Minor >= 3 ->
+    HashSignAlgos = [{ssl_cipher:hash_algorithm(Hash), ssl_cipher:sign_algorithm(Sign)} ||
+			<<?BYTE(Hash), ?BYTE(Sign)>> <= HashSigns],
     #certificate_request{certificate_types = CertTypes,
-			 hashsign_algorithms = HashSigns,
+			 hashsign_algorithms = #hash_sign_algos{hash_sign_algos = HashSignAlgos},
 			 certificate_authorities = CertAuths};
 dec_hs(_Version, ?CERTIFICATE_REQUEST,
        <<?BYTE(CertTypesLen), CertTypes:CertTypesLen/binary,
@@ -1061,10 +1063,12 @@ enc_hs(#server_key_exchange{params = #server_dh_params{
 			    Signature/binary>>
     };
 enc_hs(#certificate_request{certificate_types = CertTypes,
-			    hashsign_algorithms = HashSigns,
+			    hashsign_algorithms = #hash_sign_algos{hash_sign_algos = HashSignAlgos},
 			    certificate_authorities = CertAuths},
        {Major, Minor})
   when Major == 3, Minor >= 3 ->
+    HashSigns= << <<(ssl_cipher:hash_algorithm(Hash)):8, (ssl_cipher:sign_algorithm(Sign)):8>> ||
+		   {Hash, Sign} <- HashSignAlgos >>,
     CertTypesLen = byte_size(CertTypes),
     HashSignsLen = byte_size(HashSigns),
     CertAuthsLen = byte_size(CertAuths),
@@ -1178,9 +1182,6 @@ hashsign_enc(HashAlgo, SignAlgo) ->
     Sign = ssl_cipher:sign_algorithm(SignAlgo),
     <<?BYTE(Hash), ?BYTE(Sign)>>.
 
-hashsign_algorithms(_) ->
-    hashsign_enc(sha, rsa).
-
 certificate_authorities(CertDbHandle, CertDbRef) ->
     Authorities = certificate_authorities_from_db(CertDbHandle, CertDbRef),
     Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) ->
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index ce481919f2..05ed325ae2 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -112,11 +112,6 @@ special_init(TestCase, Config)
 special_init(ssl2_erlang_server_openssl_client, Config) ->
     check_sane_openssl_sslv2(Config);
 
-special_init(TestCase, Config) when TestCase == erlang_client_openssl_server_dsa_cert;
-				    TestCase == erlang_server_openssl_client_dsa_cert;
-				    TestCase == ciphers_dsa_signed_certs ->
-    check_sane_openssl_dsa(Config);
-
 special_init(_, Config) ->
     Config.
     
@@ -1189,14 +1184,6 @@ check_sane_openssl_sslv2(Config) ->
 	    Config
     end.
 
-check_sane_openssl_dsa(Config) ->
-    case os:cmd("openssl version") of
-	"OpenSSL 1.0.1" ++ _ ->
-	    {skip, "known dsa bug in OpenSSL"};
-	_ ->
-	    Config
-    end.
-
 check_sane_openssl_version(Version) ->
     case {Version, os:cmd("openssl version")} of
 	{_, "OpenSSL 1.0.1" ++ _} ->
-- 
cgit v1.2.3