diff options
| author | Ingela Anderton Andin <[email protected]> | 2018-04-17 16:43:28 +0200 |
|---|---|---|
| committer | Ingela Anderton Andin <[email protected]> | 2018-04-30 07:30:35 +0200 |
| commit | a34cb1484224134c6e02ce033459523d2333f430 (patch) | |
| tree | 253c39f53ee6d2b5d9ce7ce4c66743c1a52ab433 /lib/ssl/src/ssl_connection.erl | |
| parent | 6f4139977174602a558e98f09d96295122bc3d7f (diff) | |
| download | otp-a34cb1484224134c6e02ce033459523d2333f430.tar.gz otp-a34cb1484224134c6e02ce033459523d2333f430.tar.bz2 otp-a34cb1484224134c6e02ce033459523d2333f430.zip | |
ssl: Avoid hardcoding of cipher suites and fix ECDH suite handling
ECDH suite handling did not use the EC parameters form the certs
as expected.
Diffstat (limited to 'lib/ssl/src/ssl_connection.erl')
| -rw-r--r-- | lib/ssl/src/ssl_connection.erl | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 3f8c1f97f9..ec034af44c 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -1472,7 +1472,7 @@ connection_info(#state{sni_hostname = SNIHostname, RecordCB = record_cb(Connection), CipherSuiteDef = #{key_exchange := KexAlg} = ssl_cipher:suite_definition(CipherSuite), IsNamedCurveSuite = lists:member(KexAlg, - [ecdh_ecdsa, ecdhe_ecdsa, ecdh_anon]), + [ecdh_ecdsa, ecdhe_ecdsa, ecdh_rsa, ecdh_anon]), CurveInfo = case ECCCurve of {namedCurve, Curve} when IsNamedCurveSuite -> [{ecc, {named_curve, pubkey_cert_records:namedCurves(Curve)}}]; @@ -1572,11 +1572,14 @@ handle_peer_cert(Role, PeerCert, PublicKeyInfo, handle_peer_cert_key(client, _, {?'id-ecPublicKey', #'ECPoint'{point = _ECPoint} = PublicKey, PublicKeyParams}, - KeyAlg, State) when KeyAlg == ecdh_rsa; - KeyAlg == ecdh_ecdsa -> + KeyAlg, #state{session = Session} = State) when KeyAlg == ecdh_rsa; + KeyAlg == ecdh_ecdsa -> ECDHKey = public_key:generate_key(PublicKeyParams), + {namedCurve, Oid} = PublicKeyParams, + Curve = pubkey_cert_records:namedCurves(Oid), %% Need API function PremasterSecret = ssl_handshake:premaster_secret(PublicKey, ECDHKey), - master_secret(PremasterSecret, State#state{diffie_hellman_keys = ECDHKey}); + master_secret(PremasterSecret, State#state{diffie_hellman_keys = ECDHKey, + session = Session#session{ecc = {named_curve, Curve}}}); %% We do currently not support cipher suites that use fixed DH. %% If we want to implement that the following clause can be used %% to extract DH parameters form cert. |