aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2019-01-29 13:21:41 +0100
committerIngela Anderton Andin <[email protected]>2019-02-08 09:22:26 +0100
commit2b9412e026ab58bac5b61f239d607db6482974ef (patch)
treec5db354f3d5a0a8f9e5f29783c478b2f9045dddb /lib/ssl/src
parent94e43acfeb4d5d5e2f1944ef55ffa302cc901e1f (diff)
downloadotp-2b9412e026ab58bac5b61f239d607db6482974ef.tar.gz
otp-2b9412e026ab58bac5b61f239d607db6482974ef.tar.bz2
otp-2b9412e026ab58bac5b61f239d607db6482974ef.zip
ssl: Add hashsign_algorithm and cert_hashsign_algorithm to handshake_env
Diffstat (limited to 'lib/ssl/src')
-rw-r--r--lib/ssl/src/dtls_connection.erl7
-rw-r--r--lib/ssl/src/ssl_connection.erl38
-rw-r--r--lib/ssl/src/ssl_connection.hrl9
-rw-r--r--lib/ssl/src/tls_connection.erl7
4 files changed, 32 insertions, 29 deletions
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index 178668e808..86f79ed7e3 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -875,9 +875,10 @@ handle_client_hello(#client_hello{client_version = ClientVersion} = Hello,
State = prepare_flight(State0#state{connection_states = ConnectionStates,
negotiated_version = Version,
- hashsign_algorithm = HashSign,
- handshake_env = HsEnv#handshake_env{client_hello_version = ClientVersion,
- negotiated_protocol = Protocol},
+ handshake_env = HsEnv#handshake_env{
+ hashsign_algorithm = HashSign,
+ client_hello_version = ClientVersion,
+ negotiated_protocol = Protocol},
session = Session}),
ssl_connection:hello(internal, {common_client_hello, Type, ServerHelloExt},
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index f24b4d555a..75edf2e42b 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -832,6 +832,7 @@ certify(internal, #certificate{} = Cert,
end;
certify(internal, #server_key_exchange{exchange_keys = Keys},
#state{static_env = #static_env{role = client},
+ handshake_env = HsEnv,
negotiated_version = Version,
key_algorithm = Alg,
public_key_info = PubKeyInfo,
@@ -851,15 +852,15 @@ certify(internal, #server_key_exchange{exchange_keys = Keys},
case is_anonymous(Alg) of
true ->
calculate_secret(Params#server_key_params.params,
- State#state{hashsign_algorithm = HashSign}, Connection);
+ State#state{handshake_env = HsEnv#handshake_env{hashsign_algorithm = HashSign}}, Connection);
false ->
case ssl_handshake:verify_server_key(Params, HashSign,
ConnectionStates, ssl:tls_version(Version), PubKeyInfo) of
true ->
calculate_secret(Params#server_key_params.params,
- State#state{hashsign_algorithm = HashSign,
- session = session_handle_params(Params#server_key_params.params, Session)},
- Connection);
+ State#state{handshake_env = HsEnv#handshake_env{hashsign_algorithm = HashSign},
+ session = session_handle_params(Params#server_key_params.params, Session)},
+ Connection);
false ->
handle_own_alert(?ALERT_REC(?FATAL, ?DECRYPT_ERROR),
Version, ?FUNCTION_NAME, State)
@@ -883,8 +884,9 @@ certify(internal, #certificate_request{},
Connection:next_event(?FUNCTION_NAME, no_record, State#state{client_certificate_requested = true});
certify(internal, #certificate_request{} = CertRequest,
#state{static_env = #static_env{role = client},
+ handshake_env = HsEnv,
session = #session{own_certificate = Cert},
- ssl_options = #ssl_options{signature_algs = SupportedHashSigns},
+ ssl_options = #ssl_options{signature_algs = SupportedHashSigns},
negotiated_version = Version} = State, Connection) ->
case ssl_handshake:select_hashsign(CertRequest, Cert, SupportedHashSigns, ssl:tls_version(Version)) of
#alert {} = Alert ->
@@ -892,7 +894,7 @@ certify(internal, #certificate_request{} = CertRequest,
NegotiatedHashSign ->
Connection:next_event(?FUNCTION_NAME, no_record,
State#state{client_certificate_requested = true,
- cert_hashsign_algorithm = NegotiatedHashSign})
+ handshake_env = HsEnv#handshake_env{cert_hashsign_algorithm = NegotiatedHashSign}})
end;
%% PSK and RSA_PSK might bypass the Server-Key-Exchange
certify(internal, #server_hello_done{},
@@ -996,7 +998,7 @@ cipher(info, Msg, State, _) ->
cipher(internal, #certificate_verify{signature = Signature,
hashsign_algorithm = CertHashSign},
#state{static_env = #static_env{role = server},
- handshake_env = #handshake_env{tls_handshake_history = Hist},
+ handshake_env = #handshake_env{tls_handshake_history = Hist} = HsEnv,
key_algorithm = KexAlg,
public_key_info = PublicKeyInfo,
negotiated_version = Version,
@@ -1010,7 +1012,7 @@ cipher(internal, #certificate_verify{signature = Signature,
TLSVersion, HashSign, MasterSecret, Hist) of
valid ->
Connection:next_event(?FUNCTION_NAME, no_record,
- State#state{cert_hashsign_algorithm = HashSign});
+ State#state{handshake_env = HsEnv#handshake_env{cert_hashsign_algorithm = HashSign}});
#alert{} = Alert ->
handle_own_alert(Alert, Version, ?FUNCTION_NAME, State)
end;
@@ -1566,13 +1568,13 @@ certify_client(#state{client_certificate_requested = false} = State, _) ->
State.
verify_client_cert(#state{static_env = #static_env{role = client},
- handshake_env = #handshake_env{tls_handshake_history = Hist},
+ handshake_env = #handshake_env{tls_handshake_history = Hist,
+ cert_hashsign_algorithm = HashSign},
client_certificate_requested = true,
negotiated_version = Version,
private_key = PrivateKey,
session = #session{master_secret = MasterSecret,
- own_certificate = OwnCert},
- cert_hashsign_algorithm = HashSign} = State, Connection) ->
+ own_certificate = OwnCert}} = State, Connection) ->
case ssl_handshake:client_certificate_verify(OwnCert, MasterSecret,
ssl:tls_version(Version), HashSign, PrivateKey, Hist) of
@@ -1701,7 +1703,7 @@ certify_server(#state{static_env = #static_env{cert_db = CertDbHandle,
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa} = State,_) ->
State;
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Algo,
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
diffie_hellman_params = #'DHParameter'{} = Params,
private_key = PrivateKey,
connection_states = ConnectionStates0,
@@ -1729,7 +1731,7 @@ key_exchange(#state{static_env = #static_env{role = server},
State#state{diffie_hellman_keys = Key,
session = Session#session{ecc = ECCurve}};
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Algo,
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
private_key = PrivateKey,
session = #session{ecc = ECCCurve},
connection_states = ConnectionStates0,
@@ -1755,7 +1757,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = psk
State;
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = psk,
ssl_options = #ssl_options{psk_identity = PskIdentityHint},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
private_key = PrivateKey,
connection_states = ConnectionStates0,
negotiated_version = Version
@@ -1772,7 +1774,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = psk
Connection:queue_handshake(Msg, State0);
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = dhe_psk,
ssl_options = #ssl_options{psk_identity = PskIdentityHint},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
diffie_hellman_params = #'DHParameter'{} = Params,
private_key = PrivateKey,
connection_states = ConnectionStates0,
@@ -1793,7 +1795,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = dhe
State#state{diffie_hellman_keys = DHKeys};
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = ecdhe_psk,
ssl_options = #ssl_options{psk_identity = PskIdentityHint},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
private_key = PrivateKey,
session = #session{ecc = ECCCurve},
connection_states = ConnectionStates0,
@@ -1817,7 +1819,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa
State;
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa_psk,
ssl_options = #ssl_options{psk_identity = PskIdentityHint},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
private_key = PrivateKey,
connection_states = ConnectionStates0,
negotiated_version = Version
@@ -1834,7 +1836,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa
Connection:queue_handshake(Msg, State0);
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Algo,
ssl_options = #ssl_options{user_lookup_fun = LookupFun},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
session = #session{srp_username = Username},
private_key = PrivateKey,
connection_states = ConnectionStates0,
diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl
index 9d535cb1f2..e1a53c9982 100644
--- a/lib/ssl/src/ssl_connection.hrl
+++ b/lib/ssl/src/ssl_connection.hrl
@@ -65,7 +65,9 @@
sni_hostname = undefined,
expecting_next_protocol_negotiation = false ::boolean(),
next_protocol = undefined :: undefined | binary(),
- negotiated_protocol
+ negotiated_protocol,
+ hashsign_algorithm = {undefined, undefined},
+ cert_hashsign_algorithm = {undefined, undefined}
}).
-record(connection_env, {
@@ -96,8 +98,6 @@
%% Used only in HS
client_certificate_requested = false :: boolean(),
key_algorithm :: ssl:key_algo(),
- hashsign_algorithm = {undefined, undefined},
- cert_hashsign_algorithm = {undefined, undefined},
public_key_info :: ssl_handshake:public_key_info() | 'undefined',
private_key :: public_key:private_key() | secret_printout() | 'undefined',
diffie_hellman_params:: #'DHParameter'{} | undefined | secret_printout(),
@@ -105,8 +105,7 @@
psk_identity :: binary() | 'undefined', % server psk identity hint
srp_params :: #srp_user{} | secret_printout() | 'undefined',
srp_keys ::{PublicKey :: binary(), PrivateKey :: binary()} | secret_printout() | 'undefined',
- premaster_secret :: binary() | secret_printout() | 'undefined',
-
+ premaster_secret :: binary() | secret_printout() | 'undefined',
flight_buffer = [] :: list() | map(), %% Buffer of TLS/DTLS records, used during the TLS handshake
%% to when possible pack more than one TLS record into the
%% underlaying packet format. Introduced by DTLS - RFC 4347.
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 2e9ae97da0..684910db10 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -551,9 +551,10 @@ hello(internal, #client_hello{client_version = ClientVersion} = Hello,
gen_handshake(?FUNCTION_NAME, internal, {common_client_hello, Type, ServerHelloExt},
State#state{connection_states = ConnectionStates,
negotiated_version = Version,
- hashsign_algorithm = HashSign,
- handshake_env = HsEnv#handshake_env{client_hello_version = ClientVersion,
- negotiated_protocol = Protocol},
+ handshake_env = HsEnv#handshake_env{
+ hashsign_algorithm = HashSign,
+ client_hello_version = ClientVersion,
+ negotiated_protocol = Protocol},
session = Session
})
end;