diff options
-rw-r--r-- | lib/ssl/src/dtls_connection.erl | 6 | ||||
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 37 | ||||
-rw-r--r-- | lib/ssl/src/ssl_connection.hrl | 11 | ||||
-rw-r--r-- | lib/ssl/src/tls_connection.erl | 4 |
4 files changed, 30 insertions, 28 deletions
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl index 0c7446e894..493f3bf581 100644 --- a/lib/ssl/src/dtls_connection.erl +++ b/lib/ssl/src/dtls_connection.erl @@ -339,9 +339,9 @@ reinit_handshake_data(#state{static_env = #static_env{data_tag = DataTag}, protocol_buffers = Buffers, protocol_specific = PS, handshake_env = HsEnv} = State) -> - State#state{premaster_secret = undefined, - handshake_env = HsEnv#handshake_env{tls_handshake_history = ssl_handshake:init_handshake_history(), - public_key_info = undefined}, + State#state{handshake_env = HsEnv#handshake_env{tls_handshake_history = ssl_handshake:init_handshake_history(), + public_key_info = undefined, + premaster_secret = undefined}, protocol_specific = PS#{flight_state => initial_flight_state(DataTag)}, flight_buffer = new_flight(), protocol_buffers = diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index c770ecbdd0..e2c9423560 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -590,8 +590,8 @@ handle_session(#server_hello{cipher_suite = CipherSuite, State = State0#state{key_algorithm = KeyAlgorithm, connection_states = ConnectionStates, - premaster_secret = PremasterSecret, - handshake_env = HsEnv#handshake_env{expecting_next_protocol_negotiation = ExpectNPN, + handshake_env = HsEnv#handshake_env{premaster_secret = PremasterSecret, + expecting_next_protocol_negotiation = ExpectNPN, negotiated_protocol = Protocol}, connection_env = CEnv#connection_env{negotiated_version = Version}}, @@ -901,9 +901,9 @@ certify(internal, #server_hello_done{}, #state{static_env = #static_env{role = client}, session = #session{master_secret = undefined}, connection_env = #connection_env{negotiated_version = Version}, + handshake_env = #handshake_env{premaster_secret = undefined} = HsEnv, psk_identity = PSKIdentity, ssl_options = #ssl_options{user_lookup_fun = PSKLookup}, - premaster_secret = undefined, key_algorithm = Alg} = State0, Connection) when Alg == psk -> case ssl_handshake:premaster_secret({Alg, PSKIdentity}, PSKLookup) of @@ -911,16 +911,17 @@ certify(internal, #server_hello_done{}, handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0); PremasterSecret -> State = master_secret(PremasterSecret, - State0#state{premaster_secret = PremasterSecret}), - client_certify_and_key_exchange(State, Connection) + State0#state{handshake_env = + HsEnv#handshake_env{premaster_secret = PremasterSecret}}), + client_certify_and_key_exchange(State, Connection) end; certify(internal, #server_hello_done{}, #state{static_env = #static_env{role = client}, connection_env = #connection_env{negotiated_version = {Major, Minor}} = Version, + handshake_env = #handshake_env{premaster_secret = undefined} = HsEnv, session = #session{master_secret = undefined}, ssl_options = #ssl_options{user_lookup_fun = PSKLookup}, psk_identity = PSKIdentity, - premaster_secret = undefined, key_algorithm = Alg} = State0, Connection) when Alg == rsa_psk -> Rand = ssl_cipher:random_bytes(?NUM_OF_PREMASTERSECRET_BYTES-2), @@ -931,16 +932,17 @@ certify(internal, #server_hello_done{}, handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0); PremasterSecret -> State = master_secret(PremasterSecret, - State0#state{premaster_secret = RSAPremasterSecret}), + State0#state{handshake_env = + HsEnv#handshake_env{premaster_secret = RSAPremasterSecret}}), client_certify_and_key_exchange(State, Connection) end; %% Master secret was determined with help of server-key exchange msg certify(internal, #server_hello_done{}, #state{static_env = #static_env{role = client}, connection_env = #connection_env{negotiated_version = Version}, + handshake_env = #handshake_env{premaster_secret = undefined}, session = #session{master_secret = MasterSecret} = Session, - connection_states = ConnectionStates0, - premaster_secret = undefined} = State0, Connection) -> + connection_states = ConnectionStates0} = State0, Connection) -> case ssl_handshake:master_secret(ssl:tls_version(Version), Session, ConnectionStates0, client) of {MasterSecret, ConnectionStates} -> @@ -953,9 +955,9 @@ certify(internal, #server_hello_done{}, certify(internal, #server_hello_done{}, #state{static_env = #static_env{role = client}, connection_env = #connection_env{negotiated_version = Version}, + handshake_env = #handshake_env{premaster_secret = PremasterSecret}, session = Session0, - connection_states = ConnectionStates0, - premaster_secret = PremasterSecret} = State0, Connection) -> + connection_states = ConnectionStates0} = State0, Connection) -> case ssl_handshake:master_secret(ssl:tls_version(Version), PremasterSecret, ConnectionStates0, client) of {MasterSecret, ConnectionStates} -> @@ -1420,7 +1422,6 @@ format_status(terminate, [_, StateName, State]) -> diffie_hellman_keys = ?SECRET_PRINTOUT, srp_params = ?SECRET_PRINTOUT, srp_keys = ?SECRET_PRINTOUT, - premaster_secret = ?SECRET_PRINTOUT, ssl_options = NewOptions, flight_buffer = ?SECRET_PRINTOUT} }}]}]. @@ -1865,10 +1866,10 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Alg State#state{srp_params = SrpParams, srp_keys = Keys}; key_exchange(#state{static_env = #static_env{role = client}, - handshake_env = #handshake_env{public_key_info = PublicKeyInfo}, + handshake_env = #handshake_env{public_key_info = PublicKeyInfo, + premaster_secret = PremasterSecret}, connection_env = #connection_env{negotiated_version = Version}, - key_algorithm = rsa, - premaster_secret = PremasterSecret} = State0, Connection) -> + key_algorithm = rsa} = State0, Connection) -> Msg = rsa_key_exchange(ssl:tls_version(Version), PremasterSecret, PublicKeyInfo), Connection:queue_handshake(Msg, State0); key_exchange(#state{static_env = #static_env{role = client}, @@ -1920,11 +1921,11 @@ key_exchange(#state{static_env = #static_env{role = client}, Connection:queue_handshake(Msg, State0); key_exchange(#state{static_env = #static_env{role = client}, - handshake_env = #handshake_env{public_key_info = PublicKeyInfo}, + handshake_env = #handshake_env{public_key_info = PublicKeyInfo, + premaster_secret = PremasterSecret}, connection_env = #connection_env{negotiated_version = Version}, ssl_options = SslOpts, - key_algorithm = rsa_psk, - premaster_secret = PremasterSecret} + key_algorithm = rsa_psk} = State0, Connection) -> Msg = rsa_psk_key_exchange(ssl:tls_version(Version), SslOpts#ssl_options.psk_identity, PremasterSecret, PublicKeyInfo), diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl index 4c9f95c110..d598e513fa 100644 --- a/lib/ssl/src/ssl_connection.hrl +++ b/lib/ssl/src/ssl_connection.hrl @@ -69,7 +69,8 @@ hashsign_algorithm = {undefined, undefined}, cert_hashsign_algorithm = {undefined, undefined}, %% key exchange - public_key_info :: ssl_handshake:public_key_info() | 'undefined' + public_key_info :: ssl_handshake:public_key_info() | 'undefined', + premaster_secret :: binary() | secret_printout() | 'undefined' }). -record(connection_env, { @@ -95,7 +96,9 @@ bytes_to_read :: undefined | integer(), %% bytes to read in passive mode start_or_recv_from :: term(), timer :: undefined | reference(), % start_or_recive_timer - + + protocol_specific = #{} :: map(), + %% Change seldome ssl_options :: #ssl_options{}, socket_options :: #socket_options{}, @@ -109,13 +112,11 @@ psk_identity :: binary() | 'undefined', % server psk identity hint srp_params :: #srp_user{} | secret_printout() | 'undefined', srp_keys ::{PublicKey :: binary(), PrivateKey :: binary()} | secret_printout() | 'undefined', - premaster_secret :: binary() | secret_printout() | 'undefined', - flight_buffer = [] :: list() | map(), %% Buffer of TLS/DTLS records, used during the TLS handshake + flight_buffer = [] :: list() | map() %% Buffer of TLS/DTLS records, used during the TLS handshake %% to when possible pack more than one TLS record into the %% underlaying packet format. Introduced by DTLS - RFC 4347. %% The mecahnism is also usefull in TLS although we do not %% need to worry about packet loss in TLS. In DTLS we need to track DTLS handshake seqnr - protocol_specific = #{} :: map() }). diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl index a94782f305..e1080b2fc9 100644 --- a/lib/ssl/src/tls_connection.erl +++ b/lib/ssl/src/tls_connection.erl @@ -347,9 +347,9 @@ reinit_handshake_data(#state{handshake_env = HsEnv} =State) -> %% are only needed during the handshake phase. %% To reduce memory foot print of a connection reinitialize them. State#state{ - premaster_secret = undefined, handshake_env = HsEnv#handshake_env{tls_handshake_history = ssl_handshake:init_handshake_history(), - public_key_info = undefined} + public_key_info = undefined, + premaster_secret = undefined} }. select_sni_extension(#client_hello{extensions = HelloExtensions}) -> |