diff options
Diffstat (limited to 'lib/ssl/src/tls_connection_1_3.erl')
-rw-r--r-- | lib/ssl/src/tls_connection_1_3.erl | 46 |
1 files changed, 30 insertions, 16 deletions
diff --git a/lib/ssl/src/tls_connection_1_3.erl b/lib/ssl/src/tls_connection_1_3.erl index 4795ade2a1..9f7a82223e 100644 --- a/lib/ssl/src/tls_connection_1_3.erl +++ b/lib/ssl/src/tls_connection_1_3.erl @@ -159,21 +159,22 @@ negotiated(internal, #state{connection_states = ConnectionStates0, session = #session{session_id = SessionId, own_certificate = OwnCert}, - cert_db = CertDbHandle, - cert_db_ref = CertDbRef, ssl_options = #ssl_options{} = SslOpts, key_share = KeyShare, tls_handshake_history = HHistory0, - static_env = #static_env{socket = Socket, - transport_cb = Transport}}, _Module) -> - + private_key = CertPrivateKey, + static_env = #static_env{ + cert_db = CertDbHandle, + cert_db_ref = CertDbRef, + socket = Socket, + transport_cb = Transport}}, _Module) -> %% Create server_hello %% Extensions: supported_versions, key_share, (pre_shared_key) ServerHello = tls_handshake_1_3:server_hello(SessionId, KeyShare, ConnectionStates0, Map), %% Update handshake_history (done in encode!) %% Encode handshake - {BinMsg, ConnectionStates, HHistory} = + {BinMsg, ConnectionStates1, HHistory1} = tls_connection:encode_handshake(ServerHello, {3,4}, ConnectionStates0, HHistory0), %% Send server_hello tls_connection:send(Transport, Socket, BinMsg), @@ -187,7 +188,7 @@ negotiated(internal, ssl_logger:debug(SslOpts#ssl_options.log_level, Report, #{domain => [otp,ssl,tls_record]}), #{security_parameters := SecParamsR} = - ssl_record:pending_connection_state(ConnectionStates, read), + ssl_record:pending_connection_state(ConnectionStates1, read), #security_parameters{prf_algorithm = HKDFAlgo, cipher_suite = CipherSuite} = SecParamsR, @@ -196,6 +197,7 @@ negotiated(internal, ClientKey = maps:get(client_share, Map), %% Raw data?! What about EC? SelectedGroup = maps:get(group, Map), + SignatureScheme = maps:get(sign_alg, Map), PrivateKey = get_server_private_key(KeyShare), %% #'ECPrivateKey'{} @@ -203,11 +205,11 @@ negotiated(internal, HandshakeSecret = tls_v1:key_schedule(handshake_secret, HKDFAlgo, IKM, EarlySecret), %% Calculate [sender]_handshake_traffic_secret - {Messages, _} = HHistory, + {Messages1, _} = HHistory1, ClientHSTrafficSecret = - tls_v1:client_handshake_traffic_secret(HKDFAlgo, HandshakeSecret, lists:reverse(Messages)), + tls_v1:client_handshake_traffic_secret(HKDFAlgo, HandshakeSecret, lists:reverse(Messages1)), ServerHSTrafficSecret = - tls_v1:server_handshake_traffic_secret(HKDFAlgo, HandshakeSecret, lists:reverse(Messages)), + tls_v1:server_handshake_traffic_secret(HKDFAlgo, HandshakeSecret, lists:reverse(Messages1)), %% Calculate traffic keys #{cipher := Cipher} = ssl_cipher_format:suite_definition(CipherSuite), @@ -215,8 +217,8 @@ negotiated(internal, {WriteKey, WriteIV} = tls_v1:calculate_traffic_keys(HKDFAlgo, Cipher, ServerHSTrafficSecret), %% Update pending connection state - PendingRead0 = ssl_record:pending_connection_state(ConnectionStates0, read), - PendingWrite0 = ssl_record:pending_connection_state(ConnectionStates0, write), + PendingRead0 = ssl_record:pending_connection_state(ConnectionStates1, read), + PendingWrite0 = ssl_record:pending_connection_state(ConnectionStates1, write), PendingRead = update_conn_state(PendingRead0, HandshakeSecret, ReadKey, ReadIV), PendingWrite = update_conn_state(PendingWrite0, HandshakeSecret, WriteKey, WriteIV), @@ -224,16 +226,28 @@ negotiated(internal, %% Update pending and copy to current (activate) %% All subsequent handshake messages are encrypted %% ([sender]_handshake_traffic_secret) - ConnectionStates1 = ConnectionStates0#{current_read => PendingRead, + ConnectionStates2 = ConnectionStates1#{current_read => PendingRead, current_write => PendingWrite, pending_read => PendingRead, pending_write => PendingWrite}, - %% Create Certificate, CertificateVerify + %% Create Certificate Certificate = tls_handshake_1_3:certificate(OwnCert, CertDbHandle, CertDbRef, <<>>, server), - io:format("### Certificate: ~p~n", [Certificate]), - %% CertificateVerify = tls_handshake_1_3:certificate_verify(), + %% Encode Certificate + {_CertificateBin, _ConnectionStates2, HHistory2} = + tls_connection:encode_handshake(ServerHello, {3,4}, ConnectionStates1, HHistory1), + + %% Create CertificateVerify + + {Messages2, _} = HHistory2, + + %% Use selected signature_alg from here, HKDF only used for key_schedule + CertificateVerify = tls_handshake_1_3:certificate_verify(OwnCert, CertPrivateKey, SignatureScheme, + Messages2, server), + io:format("### CertificateVerify: ~p~n", [CertificateVerify]), + + %% Encode CertificateVerify %% Send Certificate, CertifricateVerify |