ssl: Refactor to provide common handshake functions for TLS/DTLS

Common functions will be located in ssl_handshake.erl while
specific functions will be located in tls_handshake.erl and dtls_handshake.erl

1 files changed, 52 insertions, 55 deletions

diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 0415ea6ecc..b6b0558965 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -106,10 +106,6 @@
 		       base = ?DEFAULT_DIFFIE_HELLMAN_GENERATOR}).
 -define(WAIT_TO_ALLOW_RENEGOTIATION, 12000).
 
--type state_name()           :: hello | abbreviated | certify | cipher | connection.
--type gen_fsm_state_return() :: {next_state, state_name(), #state{}} |
-				{next_state, state_name(), #state{}, timeout()} |
-				{stop, term(), #state{}}.
 
 %%====================================================================
 %% Internal application API
@@ -418,15 +414,15 @@ hello(Hello = #client_hello{client_version = ClientVersion,
 		     session_cache_cb = CacheCb,
 		     ssl_options = SslOpts}) ->
 
-    HashSign = tls_handshake:select_hashsign(HashSigns, Cert),
+    HashSign = ssl_handshake:select_hashsign(HashSigns, Cert),
     case tls_handshake:hello(Hello, SslOpts, {Port, Session0, Cache, CacheCb,
 				     ConnectionStates0, Cert}, Renegotiation) of
-        {Version, {Type,  #session{cipher_suite = CipherSuite} = Session}, ConnectionStates, ProtocolsToAdvertise,
-	 EcPointFormats, EllipticCurves} ->
+        {Version, {Type,  #session{cipher_suite = CipherSuite} = Session}, ConnectionStates,
+	 #hello_extensions{ec_point_formats = EcPointFormats,
+			   elliptic_curves = EllipticCurves} = ServerHelloExt} ->
 	    {KeyAlgorithm, _, _, _} = ssl_cipher:suite_definition(CipherSuite),
 	    NH = negotiated_hashsign(HashSign, KeyAlgorithm, Version),
-            do_server_hello(Type, ProtocolsToAdvertise,
-			    EcPointFormats, EllipticCurves,
+            do_server_hello(Type, ServerHelloExt,
 			    State#state{connection_states  = ConnectionStates,
 					negotiated_version = Version,
 					session = Session,
@@ -456,7 +452,7 @@ abbreviated(#finished{verify_data = Data} = Finished,
 		   session = #session{master_secret = MasterSecret},
 		  connection_states = ConnectionStates0} = 
 	    State) ->
-    case tls_handshake:verify_connection(Version, Finished, client,
+    case ssl_handshake:verify_connection(Version, Finished, client,
 					 get_current_connection_state_prf(ConnectionStates0, write),
 					 MasterSecret, Handshake) of
         verified ->  
@@ -472,7 +468,7 @@ abbreviated(#finished{verify_data = Data} = Finished,
 		   session = #session{master_secret = MasterSecret},
 		   negotiated_version = Version,
 		   connection_states = ConnectionStates0} = State) ->
-    case tls_handshake:verify_connection(Version, Finished, server,
+    case ssl_handshake:verify_connection(Version, Finished, server,
 					 get_pending_connection_state_prf(ConnectionStates0, write),
 					 MasterSecret, Handshake0) of
         verified ->
@@ -531,7 +527,7 @@ certify(#certificate{} = Cert,
 	       cert_db = CertDbHandle,
 	       cert_db_ref = CertDbRef,
 	       ssl_options = Opts} = State) ->
-    case tls_handshake:certify(Cert, CertDbHandle, CertDbRef, Opts#ssl_options.depth,
+    case ssl_handshake:certify(Cert, CertDbHandle, CertDbRef, Opts#ssl_options.depth,
 			       Opts#ssl_options.verify,
 			       Opts#ssl_options.verify_fun, Role) of
         {PeerCert, PublicKeyInfo} ->
@@ -613,7 +609,7 @@ certify(#server_hello_done{},
 	       negotiated_version = Version,
 	       premaster_secret = undefined,
 	       role = client} = State0) ->
-    case tls_handshake:master_secret(Version, Session, 
+    case ssl_handshake:master_secret(tls_record, Version, Session,
 				     ConnectionStates0, client) of
 	{MasterSecret, ConnectionStates} ->
 	    State = State0#state{connection_states = ConnectionStates},
@@ -629,7 +625,7 @@ certify(#server_hello_done{},
 	       negotiated_version = Version,
 	       premaster_secret = PremasterSecret,
 	       role = client} = State0) ->    
-    case tls_handshake:master_secret(Version, PremasterSecret, 
+    case ssl_handshake:master_secret(tls_record, Version, PremasterSecret,
 				     ConnectionStates0, client) of
 	{MasterSecret, ConnectionStates} ->
 	    Session = Session0#session{master_secret = MasterSecret},
@@ -650,7 +646,7 @@ certify(#client_key_exchange{} = Msg,
 certify(#client_key_exchange{exchange_keys = Keys},
 	State = #state{key_algorithm = KeyAlg, negotiated_version = Version}) ->
     try
-	certify_client_key_exchange(tls_handshake:decode_client_key(Keys, KeyAlg, Version), State)
+	certify_client_key_exchange(ssl_handshake:decode_client_key(Keys, KeyAlg, Version), State)
     catch 
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, certify, State)
@@ -668,8 +664,8 @@ certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS
 				   connection_states = ConnectionStates0,
 				   session = Session0,
 				   private_key = Key} = State0) ->
-    PremasterSecret = tls_handshake:decrypt_premaster_secret(EncPMS, Key),
-    case tls_handshake:master_secret(Version, PremasterSecret,
+    PremasterSecret = ssl_handshake:decrypt_premaster_secret(EncPMS, Key),
+    case ssl_handshake:master_secret(tls_record, Version, PremasterSecret,
 				     ConnectionStates0, server) of
 	{MasterSecret, ConnectionStates} ->
 	    Session = Session0#session{master_secret = MasterSecret},
@@ -735,7 +731,7 @@ certify_client_key_exchange(#client_rsa_psk_identity{
 				   #encrypted_premaster_secret{premaster_secret= EncPMS}},
 			    #state{negotiated_version = Version,
 				   private_key = Key} = State0) ->
-    PremasterSecret = tls_handshake:decrypt_premaster_secret(EncPMS, Key),
+    PremasterSecret = ssl_handshake:decrypt_premaster_secret(EncPMS, Key),
     case server_rsa_psk_master_secret(PskIdentity, PremasterSecret, State0) of
 	#state{} = State1 ->
 	    {Record, State} = next_record(State1),
@@ -775,7 +771,7 @@ cipher(#certificate_verify{signature = Signature, hashsign_algorithm = CertHashS
 	     } = State0) -> 
 
     HashSign = tls_handshake:select_cert_hashsign(CertHashSign, Algo, Version),
-    case tls_handshake:certificate_verify(Signature, PublicKeyInfo,
+    case ssl_handshake:certificate_verify(Signature, PublicKeyInfo,
 					  Version, HashSign, MasterSecret, Handshake) of
 	valid ->
 	    {Record, State} = next_record(State0),
@@ -798,7 +794,7 @@ cipher(#finished{verify_data = Data} = Finished,
 	      = Session0,
 		  connection_states = ConnectionStates0,
 	      tls_handshake_history = Handshake0} = State) ->
-    case tls_handshake:verify_connection(Version, Finished, 
+    case ssl_handshake:verify_connection(Version, Finished,
 					 opposite_role(Role), 
 					 get_current_connection_state_prf(ConnectionStates0, read),
 					 MasterSecret, Handshake0) of
@@ -1048,7 +1044,7 @@ handle_sync_event({prf, Secret, Label, Seed, WantedLength}, _, StateName,
 					     (client_random, Acc) -> [ClientRandom|Acc];
 					     (server_random, Acc) -> [ServerRandom|Acc]
 					  end, [], Seed)),
-		tls_handshake:prf(Version, SecretToUse, Label, SeedToUse, WantedLength)
+		ssl_handshake:prf(Version, SecretToUse, Label, SeedToUse, WantedLength)
 	    catch
 		exit:_ -> {error, badarg};
 		error:Reason -> {error, Reason}
@@ -1414,7 +1410,7 @@ certify_client(#state{client_certificate_requested = true, role = client,
 		      session = #session{own_certificate = OwnCert},
                       socket = Socket,
                       tls_handshake_history = Handshake0} = State) ->
-    Certificate = tls_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, client),
+    Certificate = ssl_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, client),
     {BinCert, ConnectionStates, Handshake} =
         encode_handshake(Certificate, Version, ConnectionStates0, Handshake0),
     Transport:send(Socket, BinCert),
@@ -1451,21 +1447,17 @@ verify_client_cert(#state{client_certificate_requested = true, role = client,
 verify_client_cert(#state{client_certificate_requested = false} = State) ->
     State.
 
-do_server_hello(Type, NextProtocolsToSend,
-		EcPointFormats, EllipticCurves,
+do_server_hello(Type, #hello_extensions{next_protocol_negotiation = NextProtocols} = ServerHelloExt,
 		#state{negotiated_version = Version,
 		       session = #session{session_id = SessId},
-		       connection_states = ConnectionStates0,
-		       renegotiation = {Renegotiation, _}}
+		       connection_states = ConnectionStates0}
 		= State0) when is_atom(Type) ->
 
     ServerHello = 
-	tls_handshake:server_hello(SessId, Version, 
-                                   ConnectionStates0, Renegotiation,
-				   NextProtocolsToSend, EcPointFormats, EllipticCurves),
+	tls_handshake:server_hello(SessId, Version, ConnectionStates0, ServerHelloExt),
     State = server_hello(ServerHello,
 			 State0#state{expecting_next_protocol_negotiation =
-					  NextProtocolsToSend =/= undefined}),
+					  NextProtocols =/= undefined}),
     case Type of	
 	new ->
 	    new_server_hello(ServerHello, State);
@@ -1496,7 +1488,7 @@ resumed_server_hello(#state{session = Session,
 			    connection_states = ConnectionStates0,
 			    negotiated_version = Version} = State0) ->
 
-    case tls_handshake:master_secret(Version, Session,
+    case ssl_handshake:master_secret(tls_record, Version, Session,
 				     ConnectionStates0, server) of
 	{_, ConnectionStates1} ->
 	    State1 = State0#state{connection_states = ConnectionStates1,
@@ -1525,7 +1517,7 @@ handle_resumed_session(SessId, #state{connection_states = ConnectionStates0,
 				      session_cache = Cache,
 				      session_cache_cb = CacheCb} = State0) ->
     Session = CacheCb:lookup(Cache, {{Host, Port}, SessId}),
-    case tls_handshake:master_secret(Version, Session, 
+    case ssl_handshake:master_secret(tls_record, Version, Session,
 				     ConnectionStates0, client) of
 	{_, ConnectionStates} ->
 	    {Record, State} = 
@@ -1584,7 +1576,7 @@ server_hello_done(#state{transport_cb = Transport,
                          connection_states = ConnectionStates0,
                          tls_handshake_history = Handshake0} = State) ->
     
-    HelloDone = tls_handshake:server_hello_done(),
+    HelloDone = ssl_handshake:server_hello_done(),
     
     {BinHelloDone, ConnectionStates, Handshake} =
         encode_handshake(HelloDone, Version, ConnectionStates0, Handshake0),
@@ -1604,7 +1596,7 @@ certify_server(#state{transport_cb = Transport,
 		      cert_db = CertDbHandle,
 		      cert_db_ref = CertDbRef,
 		      session = #session{own_certificate = OwnCert}} = State) ->
-    case tls_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, server) of
+    case ssl_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, server) of
 	CertMsg = #certificate{} ->
 	    {BinCertMsg, ConnectionStates, Handshake} =
 		encode_handshake(CertMsg, Version, ConnectionStates0, Handshake0),
@@ -1637,7 +1629,7 @@ key_exchange(#state{role = server, key_algorithm = Algo,
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams, 
-    Msg = tls_handshake:key_exchange(server, Version, {dh, DHKeys, Params,
+    Msg = ssl_handshake:key_exchange(server, Version, {dh, DHKeys, Params,
 					       HashSignAlgo, ClientRandom,
 					       ServerRandom,
 					       PrivateKey}),
@@ -1669,7 +1661,7 @@ key_exchange(#state{role = server, key_algorithm = Algo,
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
-    Msg =  tls_handshake:key_exchange(server, Version, {ecdh, ECDHKeys,
+    Msg =  ssl_handshake:key_exchange(server, Version, {ecdh, ECDHKeys,
 							HashSignAlgo, ClientRandom,
 							ServerRandom,
 							PrivateKey}),
@@ -1698,7 +1690,7 @@ key_exchange(#state{role = server, key_algorithm = psk,
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
-    Msg = tls_handshake:key_exchange(server, Version, {psk, PskIdentityHint,
+    Msg = ssl_handshake:key_exchange(server, Version, {psk, PskIdentityHint,
 						       HashSignAlgo, ClientRandom,
 						       ServerRandom,
 						       PrivateKey}),
@@ -1725,7 +1717,7 @@ key_exchange(#state{role = server, key_algorithm = dhe_psk,
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
-    Msg =  tls_handshake:key_exchange(server, Version, {dhe_psk, PskIdentityHint, DHKeys, Params,
+    Msg =  ssl_handshake:key_exchange(server, Version, {dhe_psk, PskIdentityHint, DHKeys, Params,
 					       HashSignAlgo, ClientRandom,
 					       ServerRandom,
 					       PrivateKey}),
@@ -1754,7 +1746,7 @@ key_exchange(#state{role = server, key_algorithm = rsa_psk,
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
-    Msg =  tls_handshake:key_exchange(server, Version, {psk, PskIdentityHint,
+    Msg =  ssl_handshake:key_exchange(server, Version, {psk, PskIdentityHint,
 					       HashSignAlgo, ClientRandom,
 					       ServerRandom,
 					       PrivateKey}),
@@ -1790,7 +1782,7 @@ key_exchange(#state{role = server, key_algorithm = Algo,
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
-    Msg =  tls_handshake:key_exchange(server, Version, {srp, Keys, SrpParams,
+    Msg =  ssl_handshake:key_exchange(server, Version, {srp, Keys, SrpParams,
 					       HashSignAlgo, ClientRandom,
 					       ServerRandom,
 					       PrivateKey}),
@@ -1826,7 +1818,7 @@ key_exchange(#state{role = client,
   when Algorithm == dhe_dss;
        Algorithm == dhe_rsa;
        Algorithm == dh_anon ->
-    Msg =  tls_handshake:key_exchange(client, Version, {dh, DhPubKey}),
+    Msg =  ssl_handshake:key_exchange(client, Version, {dh, DhPubKey}),
     {BinMsg, ConnectionStates, Handshake} =
         encode_handshake(Msg, Version, ConnectionStates0, Handshake0),
     Transport:send(Socket, BinMsg),
@@ -1843,7 +1835,7 @@ key_exchange(#state{role = client,
   when Algorithm == ecdhe_ecdsa; Algorithm == ecdhe_rsa;
        Algorithm == ecdh_ecdsa; Algorithm == ecdh_rsa;
        Algorithm == ecdh_anon ->
-    Msg = tls_handshake:key_exchange(client, Version, {ecdh, Keys}),
+    Msg = ssl_handshake:key_exchange(client, Version, {ecdh, Keys}),
     {BinMsg, ConnectionStates, Handshake} =
         encode_handshake(Msg, Version, ConnectionStates0, Handshake0),
     Transport:send(Socket, BinMsg),
@@ -1857,7 +1849,7 @@ key_exchange(#state{role = client,
 		    negotiated_version = Version,
 		    socket = Socket, transport_cb = Transport,
 		    tls_handshake_history = Handshake0} = State) ->
-    Msg =  tls_handshake:key_exchange(client, Version, {psk, SslOpts#ssl_options.psk_identity}),
+    Msg =  ssl_handshake:key_exchange(client, Version, {psk, SslOpts#ssl_options.psk_identity}),
     {BinMsg, ConnectionStates, Handshake} =
         encode_handshake(Msg, Version, ConnectionStates0, Handshake0),
     Transport:send(Socket, BinMsg),
@@ -1872,7 +1864,7 @@ key_exchange(#state{role = client,
 		    diffie_hellman_keys = {DhPubKey, _},
 		    socket = Socket, transport_cb = Transport,
 		    tls_handshake_history = Handshake0} = State) ->
-    Msg =  tls_handshake:key_exchange(client, Version, {dhe_psk, SslOpts#ssl_options.psk_identity, DhPubKey}),
+    Msg =  ssl_handshake:key_exchange(client, Version, {dhe_psk, SslOpts#ssl_options.psk_identity, DhPubKey}),
     {BinMsg, ConnectionStates, Handshake} =
         encode_handshake(Msg, Version, ConnectionStates0, Handshake0),
     Transport:send(Socket, BinMsg),
@@ -1905,7 +1897,7 @@ key_exchange(#state{role = client,
   when Algorithm == srp_dss;
        Algorithm == srp_rsa;
        Algorithm == srp_anon ->
-    Msg =  tls_handshake:key_exchange(client, Version, {srp, ClientPubKey}),
+    Msg =  ssl_handshake:key_exchange(client, Version, {srp, ClientPubKey}),
     {BinMsg, ConnectionStates, Handshake} =
         encode_handshake(Msg, Version, ConnectionStates0, Handshake0),
     Transport:send(Socket, BinMsg),
@@ -1922,7 +1914,7 @@ rsa_key_exchange(Version, PremasterSecret, PublicKeyInfo = {Algorithm, _, _})
        Algorithm == ?sha384WithRSAEncryption;
        Algorithm == ?sha512WithRSAEncryption
        ->
-    tls_handshake:key_exchange(client, Version,
+    ssl_handshake:key_exchange(client, Version,
 			       {premaster_secret, PremasterSecret,
 				PublicKeyInfo});
 rsa_key_exchange(_, _, _) ->
@@ -1938,7 +1930,7 @@ rsa_psk_key_exchange(Version, PskIdentity, PremasterSecret, PublicKeyInfo = {Alg
        Algorithm == ?sha384WithRSAEncryption;
        Algorithm == ?sha512WithRSAEncryption
        ->
-    tls_handshake:key_exchange(client, Version,
+    ssl_handshake:key_exchange(client, Version,
 			       {psk_premaster_secret, PskIdentity, PremasterSecret,
 				PublicKeyInfo});
 rsa_psk_key_exchange(_, _, _, _) ->
@@ -1952,7 +1944,11 @@ request_client_cert(#state{ssl_options = #ssl_options{verify = verify_peer},
 			   negotiated_version = Version,
 			   socket = Socket,
 			   transport_cb = Transport} = State) ->
-    Msg = tls_handshake:certificate_request(ConnectionStates0, CertDbHandle, CertDbRef, Version),
+    #connection_state{security_parameters =
+			  #security_parameters{cipher_suite = CipherSuite}} =
+	tls_record:pending_connection_state(ConnectionStates0, read),
+    Msg = ssl_handshake:certificate_request(CipherSuite, CertDbHandle, CertDbRef),
+
     {BinMsg, ConnectionStates, Handshake} =
         encode_handshake(Msg, Version, ConnectionStates0, Handshake0),
     Transport:send(Socket, BinMsg),
@@ -1985,7 +1981,7 @@ next_protocol(#state{transport_cb = Transport, socket = Socket,
 		     next_protocol = NextProtocol,
 		     connection_states = ConnectionStates0,
 		     tls_handshake_history = Handshake0} = State) ->
-    NextProtocolMessage = tls_handshake:next_protocol(NextProtocol),
+    NextProtocolMessage = ssl_handshake:next_protocol(NextProtocol),
     {BinMsg, ConnectionStates, Handshake} = encode_handshake(NextProtocolMessage, Version, ConnectionStates0, Handshake0),
     Transport:send(Socket, BinMsg),
     State#state{connection_states = ConnectionStates,
@@ -2007,7 +2003,7 @@ finished(#state{role = Role, socket = Socket, negotiated_version = Version,
                 connection_states = ConnectionStates0,
                 tls_handshake_history = Handshake0}, StateName) ->
     MasterSecret = Session#session.master_secret,
-    Finished = tls_handshake:finished(Version, Role,
+    Finished = ssl_handshake:finished(Version, Role,
 				       get_current_connection_state_prf(ConnectionStates0, write),
 				       MasterSecret, Handshake0),
     ConnectionStates1 = save_verify_data(Role, Finished, ConnectionStates0, StateName),
@@ -2028,7 +2024,8 @@ save_verify_data(server, #finished{verify_data = Data}, ConnectionStates, abbrev
 handle_server_key(#server_key_exchange{exchange_keys = Keys},
 		  #state{key_algorithm = KeyAlg,
 			 negotiated_version = Version} = State) ->
-    Params = tls_handshake:decode_server_key(Keys, KeyAlg, Version),
+
+    Params = ssl_handshake:decode_server_key(Keys, KeyAlg, Version),
     HashSign = negotiated_hashsign(Params#server_key_params.hashsign, KeyAlg, Version),
     case is_anonymous(KeyAlg) of
 	true ->
@@ -2050,11 +2047,11 @@ verify_server_key(#server_key_params{params = Params,
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams, 
-    Hash = tls_handshake:server_key_exchange_hash(HashAlgo,
+    Hash = ssl_handshake:server_key_exchange_hash(HashAlgo,
 						  <<ClientRandom/binary,
 						    ServerRandom/binary,
 						    EncParams/binary>>),
-    case tls_handshake:verify_signature(Version, Hash, HashSign, Signature, PubKeyInfo) of
+    case ssl_handshake:verify_signature(Version, Hash, HashSign, Signature, PubKeyInfo) of
 	true ->
 	    server_master_secret(Params, State);
 	false ->
@@ -2090,7 +2087,7 @@ master_from_premaster_secret(PremasterSecret,
 			     #state{session = Session,
 				    negotiated_version = Version, role = Role,
 				    connection_states = ConnectionStates0} = State) ->
-    case tls_handshake:master_secret(Version, PremasterSecret,
+    case ssl_handshake:master_secret(tls_record, Version, PremasterSecret,
 				     ConnectionStates0, Role) of
 	{MasterSecret, ConnectionStates} ->
 	    State#state{
@@ -2926,7 +2923,7 @@ renegotiate(#state{role = server,
 		   transport_cb = Transport,
 		   negotiated_version = Version,
 		   connection_states = ConnectionStates0} = State0) ->
-    HelloRequest = tls_handshake:hello_request(),
+    HelloRequest = ssl_handshake:hello_request(),
     Frag = tls_handshake:encode_handshake(HelloRequest, Version),
     Hs0 = tls_handshake:init_handshake_history(),
     {BinMsg, ConnectionStates} =