1 files changed, 57 insertions, 73 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index cde13069b5..e5a6181a88 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -372,8 +372,7 @@ hello(#server_hello{cipher_suite = CipherSuite,
 	     ssl_options = SslOptions} = State0) ->
     case ssl_handshake:hello(Hello, SslOptions, ConnectionStates0, Renegotiation) of
 	#alert{} = Alert ->
-	    handle_own_alert(Alert, ReqVersion, hello, State0), 
-            {stop, {shutdown, own_alert}, State0};
+	    handle_own_alert(Alert, ReqVersion, hello, State0);
 	{Version, NewId, ConnectionStates, NextProtocol} ->
 	    {KeyAlgorithm, _, _, _} =
 		ssl_cipher:suite_definition(CipherSuite),
@@ -1135,7 +1134,7 @@ init_certificates(#ssl_options{cacerts = CaCerts,
 	    {ok, _, _, _, _, _} = ssl_manager:connection_init(Certs, Role)
 	catch
 	    Error:Reason ->
-		handle_file_error(?LINE, Error, Reason, CACertFile, ecacertfile,
+		handle_file_error(?LINE, Error, Reason, CACertFile, {ecacertfile, Reason},
 				  erlang:get_stacktrace())
 	end,
     init_certificates(Cert, CertDbRef, CertDbHandle, FileRefHandle, PemCacheHandle, CacheHandle, CertFile, Role).
@@ -1157,7 +1156,7 @@ init_certificates(undefined, CertDbRef, CertDbHandle, FileRefHandle, PemCacheHan
 	{ok, CertDbRef, CertDbHandle, FileRefHandle, PemCacheHandle, CacheRef, OwnCert}
     catch
 	Error:Reason ->
-	    handle_file_error(?LINE, Error, Reason, CertFile, ecertfile,
+	    handle_file_error(?LINE, Error, Reason, CertFile, {ecertfile, Reason},
 			      erlang:get_stacktrace())
     end;
 init_certificates(Cert, CertDbRef, CertDbHandle, FileRefHandle, PemCacheHandle, CacheRef, _, _) ->
@@ -1176,7 +1175,7 @@ init_private_key(DbHandle, undefined, KeyFile, Password, _) ->
 	private_key(public_key:pem_entry_decode(PemEntry, Password))
     catch 
 	Error:Reason ->
-	    handle_file_error(?LINE, Error, Reason, KeyFile, ekeyfile,
+	    handle_file_error(?LINE, Error, Reason, KeyFile, {ekeyfile, Reason},
 			      erlang:get_stacktrace()) 
     end;
 
@@ -1234,7 +1233,7 @@ init_diffie_hellman(DbHandle,_, DHParamFile, server) ->
     catch
 	Error:Reason ->
 	    handle_file_error(?LINE, Error, Reason, 
-			      DHParamFile, edhfile,  erlang:get_stacktrace()) 
+			      DHParamFile, {edhfile, Reason},  erlang:get_stacktrace()) 
     end.
 
 sync_send_all_state_event(FsmPid, Event) ->
@@ -1628,78 +1627,49 @@ save_verify_data(client, #finished{verify_data = Data}, ConnectionStates, abbrev
 save_verify_data(server, #finished{verify_data = Data}, ConnectionStates, abbreviated) ->
     ssl_record:set_server_verify_data(current_write, Data, ConnectionStates).
 
-handle_server_key(#server_key_exchange{params =
-					   #server_dh_params{dh_p = P,
-							     dh_g = G,
-							     dh_y = ServerPublicDhKey},
-				       signed_params = <<>>},
-		  #state{key_algorithm = dh_anon} = State) ->
-    dh_master_secret(P, G, ServerPublicDhKey, undefined, State);
-
-handle_server_key(
-  #server_key_exchange{params = 
-		       #server_dh_params{dh_p = P,
-					 dh_g = G,
-					 dh_y = ServerPublicDhKey}, 
-		       signed_params = Signed,
-		       hashsign = HashSign},
-  #state{negotiated_version = Version,
-	 public_key_info = PubKeyInfo,
-	 connection_states = ConnectionStates} = State) ->
-     
-    PLen = size(P),
-    GLen = size(G),
-    YLen = size(ServerPublicDhKey),
-    HashAlgo = connection_hash_algo(HashSign, State),
+handle_server_key(#server_key_exchange{exchange_keys = Keys},
+		  #state{key_algorithm = KeyAlg,
+			 negotiated_version = Version} = State) ->
+    Params = ssl_handshake:decode_server_key(Keys, KeyAlg, Version),
+    HashSign = connection_hashsign(Params#server_key_params.hashsign, State),
+    case HashSign of
+	{_, anon} ->
+	    server_master_secret(Params#server_key_params.params, State);
+	_ ->
+	    verify_server_key(Params, HashSign, State)
+    end.
 
-    ConnectionState = 
+verify_server_key(#server_key_params{params = Params,
+				     params_bin = EncParams,
+				     signature = Signature},
+		  HashSign = {HashAlgo, _},
+		  #state{negotiated_version = Version,
+			 public_key_info = PubKeyInfo,
+			 connection_states = ConnectionStates} = State) ->
+    ConnectionState =
 	ssl_record:pending_connection_state(ConnectionStates, read),
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams, 
     Hash = ssl_handshake:server_key_exchange_hash(HashAlgo,
-						  <<ClientRandom/binary, 
-						   ServerRandom/binary, 
-						   ?UINT16(PLen), P/binary, 
-						   ?UINT16(GLen), G/binary,
-						   ?UINT16(YLen),
-						   ServerPublicDhKey/binary>>),
-
-    case verify_dh_params(Version, Signed, Hash, HashAlgo, PubKeyInfo) of
+						  <<ClientRandom/binary,
+						    ServerRandom/binary,
+						    EncParams/binary>>),
+    case ssl_handshake:verify_signature(Version, Hash, HashSign, Signature, PubKeyInfo) of
 	true ->
-	    dh_master_secret(P, G, ServerPublicDhKey, undefined, State);
+	    server_master_secret(Params, State);
 	false ->
 	    ?ALERT_REC(?FATAL, ?DECRYPT_ERROR)
     end.
 
-verify_dh_params({3, Minor}, Signed, Hashes, HashAlgo, {?rsaEncryption, PubKey, _PubKeyParams})
-  when Minor >= 3 ->
-    public_key:verify({digest, Hashes}, HashAlgo, Signed, PubKey);
-verify_dh_params(_Version, Signed, Hashes, _HashAlgo, {?rsaEncryption, PubKey, _PubKeyParams}) ->
-    case public_key:decrypt_public(Signed, PubKey, 
-				   [{rsa_pad, rsa_pkcs1_padding}]) of
-	Hashes ->
-	    true;
-	_ ->
-	    false
-    end;
-verify_dh_params(_Version, Signed, Hash, HashAlgo, {?'id-dsa', PublicKey, PublicKeyParams}) ->
-    public_key:verify({digest, Hash}, HashAlgo, Signed, {PublicKey, PublicKeyParams}).
-
-dh_master_secret(Prime, Base, PublicDhKey, undefined, State) ->
-    PMpint = mpint_binary(Prime),
-    GMpint = mpint_binary(Base),
-    Keys = {_, PrivateDhKey} =
-	crypto:dh_generate_key([PMpint,GMpint]),
-    dh_master_secret(PMpint, GMpint, PublicDhKey, PrivateDhKey, State#state{diffie_hellman_keys = Keys});
+server_master_secret(#server_dh_params{dh_p = P, dh_g = G, dh_y = ServerPublicDhKey},
+		     State) ->
+    dh_master_secret(P, G, ServerPublicDhKey, undefined, State).
 
-dh_master_secret(PMpint, GMpint, PublicDhKey, PrivateDhKey,
-		 #state{session = Session,
-			negotiated_version = Version, role = Role,
-			connection_states = ConnectionStates0} = State) ->
-    PremasterSecret =
-	crypto:dh_compute_key(mpint_binary(PublicDhKey), PrivateDhKey,
-			      [PMpint, GMpint]),
+master_from_premaster_secret(PremasterSecret,
+			     #state{session = Session,
+				    negotiated_version = Version, role = Role,
+				    connection_states = ConnectionStates0} = State) ->
     case ssl_handshake:master_secret(Version, PremasterSecret,
 				     ConnectionStates0, Role) of
 	{MasterSecret, ConnectionStates} ->
@@ -1711,6 +1681,19 @@ dh_master_secret(PMpint, GMpint, PublicDhKey, PrivateDhKey,
 	    Alert
     end.
 
+dh_master_secret(Prime, Base, PublicDhKey, undefined, State) ->
+    PMpint = mpint_binary(Prime),
+    GMpint = mpint_binary(Base),
+    Keys = {_, PrivateDhKey} =
+	crypto:dh_generate_key([PMpint,GMpint]),
+    dh_master_secret(PMpint, GMpint, PublicDhKey, PrivateDhKey, State#state{diffie_hellman_keys = Keys});
+
+dh_master_secret(PMpint, GMpint, PublicDhKey, PrivateDhKey, State) ->
+    PremasterSecret =
+	crypto:dh_compute_key(mpint_binary(PublicDhKey), PrivateDhKey,
+			      [PMpint, GMpint]),
+    master_from_premaster_secret(PremasterSecret, State).
+
 cipher_role(client, Data, Session, #state{connection_states = ConnectionStates0} = State) -> 
     ConnectionStates = ssl_record:set_server_verify_data(current_both, Data, ConnectionStates0),
     next_state_connection(cipher, ack_connection(State#state{session = Session,
@@ -2485,10 +2468,10 @@ get_pending_connection_state_prf(CStates, Direction) ->
 	CS = ssl_record:pending_connection_state(CStates, Direction),
 	CS#connection_state.security_parameters#security_parameters.prf_algorithm.
 
-connection_hash_algo({HashAlgo, _}, _State) ->
-    HashAlgo;
-connection_hash_algo(_, #state{hashsign_algorithm = {HashAlgo, _}}) ->
-    HashAlgo.
+connection_hashsign(HashSign = {_, _}, _State) ->
+    HashSign;
+connection_hashsign(_, #state{hashsign_algorithm = HashSign}) ->
+    HashSign.
 
 %% RFC 5246, Sect. 7.4.1.4.1.  Signature Algorithms
 %% If the client does not send the signature_algorithms extension, the
@@ -2526,12 +2509,13 @@ default_hashsign(_Version, KeyExchange)
 start_or_recv_cancel_timer(infinity, _RecvFrom) ->
     undefined;
 start_or_recv_cancel_timer(Timeout, RecvFrom) ->
-    erlang:send_after(Timeout, self(), {cancel_start_or_recv, RecvFrom}).    
+    erlang:send_after(Timeout, self(), {cancel_start_or_recv, RecvFrom}).
 
 cancel_timer(undefined) ->
     ok;
 cancel_timer(Timer) ->
-    erlang:cancel_timer(Timer).
+    erlang:cancel_timer(Timer),
+    ok.
 
 handle_unrecv_data(StateName, #state{socket = Socket, transport_cb = Transport} = State) ->
     inet:setopts(Socket, [{active, false}]),