Merge branch 'maint'

5 files changed, 88 insertions, 5 deletions

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 4910a6f1b8..62a79e15eb 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -122,6 +122,9 @@
    <p> <c>hash() = md5 | sha
     </c></p>
 
+    <p><c>prf_random() =  client_random | server_random
+    </c></p>
+
   </section>
 
   <section>
@@ -561,6 +564,26 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
     </func>
     
     <func>
+      <name>prf(Socket, Secret, Label, Seed, WantedLength) -> {ok, binary()} | {error, reason()}</name>
+      <fsummary>Use a sessions pseudo random function to generate key material.</fsummary>
+      <type>
+	<v>Socket = sslsocket()</v>
+	<v>Secret = binary() | master_secret</v>
+	<v>Label = binary()</v>
+	<v>Seed = [binary() | prf_random()]</v>
+	<v>WantedLength = non_neg_integer()</v>
+      </type>
+      <desc>
+        <p>Use the pseudo random function (PRF) of a TLS session to generate
+	  additional key material. It either takes user generated values for
+	  <c>Secret</c> and <c>Seed</c> or atoms directing it use a specific
+	  value from the session security parameters.</p>
+        <p>This function can only be used with TLS connections, <c>{error, undefined}</c>
+	  is returned for SSLv3 connections.</p>
+      </desc>
+    </func>
+
+    <func>
       <name>renegotiate(Socket) -> ok | {error, Reason}</name>
       <fsummary> Initiates a new handshake.</fsummary>
       <type>
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index d0693445e0..1048583eca 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -30,7 +30,7 @@
 	 controlling_process/2, listen/2, pid/1, peername/1, peercert/1,
 	 recv/2, recv/3, send/2, getopts/2, setopts/2, sockname/1,
 	 versions/0, session_info/1, format_error/1,
-	 renegotiate/1]).
+	 renegotiate/1, prf/5]).
 
 -deprecated({pid, 1, next_major_release}).
 
@@ -67,7 +67,7 @@
 -type ssl_imp()      :: new | old.
 
 -type transport_option() :: {cb_info, {CallbackModule::atom(), DataTag::atom(), ClosedTag::atom()}}.
-
+-type prf_random() :: client_random | server_random.
 
 %%--------------------------------------------------------------------
 -spec start() -> ok  | {error, reason()}.
@@ -414,6 +414,17 @@ versions() ->
 renegotiate(#sslsocket{pid = Pid, fd = new_ssl}) ->
     ssl_connection:renegotiation(Pid).
 
+%%--------------------------------------------------------------------
+-spec prf(#sslsocket{}, binary() | 'master_secret', binary(),
+	  binary() | prf_random(), non_neg_integer()) ->
+		 {ok, binary()} | {error, reason()}.
+%%
+%% Description: use a ssl sessions TLS PRF to generate key material
+%%--------------------------------------------------------------------
+prf(#sslsocket{pid = Pid, fd = new_ssl},
+    Secret, Label, Seed, WantedLength) ->
+    ssl_connection:prf(Pid, Secret, Label, Seed, WantedLength).
+
 %%---------------------------------------------------------------
 -spec format_error({error, term()}) -> list().
 %%
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 28dd0c85d0..59133dccf0 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -40,7 +40,8 @@
 -export([send/2, recv/3, connect/7, ssl_accept/6, handshake/2,
 	 socket_control/3, close/1, shutdown/2,
 	 new_user/2, get_opts/2, set_opts/2, info/1, session_info/1, 
-	 peer_certificate/1, sockname/1, peername/1, renegotiation/1]).
+	 peer_certificate/1, sockname/1, peername/1, renegotiation/1,
+	 prf/5]).
 
 %% Called by ssl_connection_sup
 -export([start_link/7]). 
@@ -273,6 +274,16 @@ peer_certificate(ConnectionPid) ->
 renegotiation(ConnectionPid) ->
     sync_send_all_state_event(ConnectionPid, renegotiate). 
 
+%%--------------------------------------------------------------------
+-spec prf(pid(), binary() | 'master_secret', binary(),
+	  binary() | ssl:prf_secret(), non_neg_integer()) ->
+		 {ok, binary()} | {error, reason()} | {'EXIT', term()}.
+%%
+%% Description: use a ssl sessions TLS PRF to generate key material
+%%--------------------------------------------------------------------
+prf(ConnectionPid, Secret, Label, Seed, WantedLength) ->
+    sync_send_all_state_event(ConnectionPid, {prf, Secret, Label, Seed, WantedLength}).
+
 %%====================================================================
 %% ssl_connection_sup API
 %%====================================================================
@@ -868,6 +879,32 @@ handle_sync_event(renegotiate, From, connection, State) ->
 handle_sync_event(renegotiate, _, StateName, State) ->
     {reply, {error, already_renegotiating}, StateName, State, get_timeout(State)};
 
+handle_sync_event({prf, Secret, Label, Seed, WantedLength}, _, StateName,
+		  #state{connection_states = ConnectionStates,
+			 negotiated_version = Version} = State) ->
+    ConnectionState =
+	ssl_record:current_connection_state(ConnectionStates, read),
+    SecParams = ConnectionState#connection_state.security_parameters,
+    #security_parameters{master_secret = MasterSecret,
+			 client_random = ClientRandom,
+			 server_random = ServerRandom} = SecParams,
+    Reply = try
+		SecretToUse = case Secret of
+				  _ when is_binary(Secret) -> Secret;
+				  master_secret -> MasterSecret
+			      end,
+		SeedToUse = lists:reverse(
+			      lists:foldl(fun(X, Acc) when is_binary(X) -> [X|Acc];
+					     (client_random, Acc) -> [ClientRandom|Acc];
+					     (server_random, Acc) -> [ServerRandom|Acc]
+					  end, [], Seed)),
+		ssl_handshake:prf(Version, SecretToUse, Label, SeedToUse, WantedLength)
+	    catch
+		exit:_ -> {error, badarg};
+		error:Reason -> {error, Reason}
+	    end,
+    {reply, Reply, StateName, State, get_timeout(State)};
+
 handle_sync_event(info, _, StateName, 
 		  #state{negotiated_version = Version,
 			 session = #session{cipher_suite = Suite}} = State) ->
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 542033e6ce..ef60cac6df 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -37,7 +37,7 @@
 	 finished/4, verify_connection/5, get_tls_handshake/2,
 	 decode_client_key/3, server_hello_done/0,
 	 encode_handshake/2, init_hashes/0, update_hashes/2,
-	 decrypt_premaster_secret/2]).
+	 decrypt_premaster_secret/2, prf/5]).
 
 -export([dec_hello_extensions/2]).
 
@@ -543,6 +543,18 @@ server_key_exchange_hash(dhe_dss, Value) ->
     crypto:sha(Value).
 
 %%--------------------------------------------------------------------
+-spec prf(tls_version(), binary(), binary(), binary(), non_neg_integer()) ->
+		 {ok, binary()} | {error, undefined}.
+%%
+%% Description: use the TLS PRF to generate key material
+%%--------------------------------------------------------------------
+prf({3,0}, _, _, _, _) ->
+    {error, undefined};
+prf({3,N}, Secret, Label, Seed, WantedLength)
+  when N == 1; N == 2 ->
+    {ok, ssl_tls1:prf(Secret, Label, Seed, WantedLength)}.
+
+%%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
 get_tls_handshake_aux(<<?BYTE(Type), ?UINT24(Length), 
diff --git a/lib/ssl/src/ssl_tls1.erl b/lib/ssl/src/ssl_tls1.erl
index 5f9850c386..7351f34b61 100644
--- a/lib/ssl/src/ssl_tls1.erl
+++ b/lib/ssl/src/ssl_tls1.erl
@@ -29,7 +29,7 @@
 -include("ssl_record.hrl"). 			
 
 -export([master_secret/3, finished/3, certificate_verify/2, mac_hash/7, 
-	 setup_keys/6, suites/0]).
+	 setup_keys/6, suites/0, prf/4]).
 
 %%====================================================================
 %% Internal application API