Diffstat (limited to 'lib/ssl/src')
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 49 | ||||
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 54 |
2 files changed, 47 insertions, 56 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index a9ddc44edf..a4eaf03086 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -1339,11 +1339,12 @@ key_exchange(#state{role = server, key_algorithm = Algo} = State) Algo == dh_rsa -> State; -%key_exchange(#state{role = server, key_algorithm = rsa_export} = State) -> +%% Remove or uncomment when we decide if to support export cipher suites +%%key_exchange(#state{role = server, key_algorithm = rsa_export} = State) -> %% TODO when the public key in the server certificate is %% less than or equal to 512 bits in length dont send key_exchange %% but do it otherwise -% State; +%% State; key_exchange(#state{role = server, key_algorithm = Algo, diffie_hellman_params = Params, @@ -1412,26 +1413,11 @@ key_exchange(#state{role = client, encode_handshake(Msg, Version, ConnectionStates0, Hashes0), Transport:send(Socket, BinMsg), State#state{connection_states = ConnectionStates1, - tls_handshake_hashes = Hashes1}; - -key_exchange(#state{role = client, - connection_states = ConnectionStates0, - key_algorithm = Algorithm, - negotiated_version = Version, - client_certificate_requested = ClientCertReq, - own_cert = OwnCert, - diffie_hellman_keys = DhKeys, - socket = Socket, transport_cb = Transport, - tls_handshake_hashes = Hashes0} = State) - when Algorithm == dh_dss; - Algorithm == dh_rsa -> - Msg = dh_key_exchange(OwnCert, DhKeys, ClientCertReq), - {BinMsg, ConnectionStates1, Hashes1} = - encode_handshake(Msg, Version, ConnectionStates0, Hashes0), - Transport:send(Socket, BinMsg), - State#state{connection_states = ConnectionStates1, tls_handshake_hashes = Hashes1}. +%% key_algorithm = dh_rsa | dh_dss are not supported. If we want to +%% support it we need a key_exchange clause for it here. + rsa_key_exchange(PremasterSecret, PublicKeyInfo = {Algorithm, _, _}) when Algorithm == ?rsaEncryption; Algorithm == ?md2WithRSAEncryption; 
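Review bot: The rsa_export clause is kept as commented-out code ("Remove or uncomment when we decide"), and the same parking pattern is used for dh_key_exchange in the next hunk of this file and for the fixed_diffie_hellman, ?KEY_EXCHANGE_RSA dec_hs and #server_rsa_params enc_hs clauses in ssl_handshake.erl. Code behind `%%` is neither compiled nor dialyzed, so these blocks will drift from the record fields, macros and the key_exchange/1 clause order around them and be broken by the time anyone uncomments them, while version control already preserves the text. I would delete the blocks and leave a single pointer such as `%% rsa_export (export cipher suites) is deliberately not supported; see commit <COMMIT-ID> if this is ever reconsidered.` with the real id filled in. The key_exchange/1 clause sequence this hunk edits begins before the hunk.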
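Review bot: Removing the client dh_dss/dh_rsa clause leaves key_exchange/1 with no clause for role = client and key_algorithm = dh_dss | dh_rsa, so if such a suite is ever negotiated the connection process exits with function_clause rather than failing the handshake with an alert; the new comment only says "not supported". Whether that path is reachable depends on the cipher-suite selection code, which is outside this diff — please confirm those suites are excluded from both the offered and the accepted lists. If an explicit failure is wanted, a final clause mirroring the rsa_key_exchange fallback visible in the next hunk would do: `key_exchange(#state{role = client, key_algorithm = Algorithm}) when Algorithm == dh_dss; Algorithm == dh_rsa -> throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE));`, placed after the remaining client clause. The replacement comment would also be more useful stating the decision rather than the absence, e.g. `%% Static DH suites (dh_rsa/dh_dss) are not offered or accepted, so no client key_exchange clause exists for them.` The clause whose terminator changes from `;` to `.` begins before this hunk.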
@@ -1443,16 +1429,19 @@ rsa_key_exchange(PremasterSecret, PublicKeyInfo = {Algorithm, _, _}) rsa_key_exchange(_, _) -> throw (?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE)). -dh_key_exchange(OwnCert, DhKeys, true) -> - case public_key:pkix_is_fixed_dh_cert(OwnCert) of - true -> - ssl_handshake:key_exchange(client, fixed_diffie_hellman); - false -> - {DhPubKey, _} = DhKeys, - ssl_handshake:key_exchange(client, {dh, DhPubKey}) - end; -dh_key_exchange(_, {DhPubKey, _}, false) -> - ssl_handshake:key_exchange(client, {dh, DhPubKey}). +%% Uncomment if we decide to support cipher suites with key_algorithm +%% dh_rsa and dh_dss. Could also be removed if we decide support for +%% this will not be needed. Not supported by openssl! +%% dh_key_exchange(OwnCert, DhKeys, true) -> +%% case public_key:pkix_is_fixed_dh_cert(OwnCert) of +%% true -> +%% ssl_handshake:key_exchange(client, fixed_diffie_hellman); +%% false -> +%% {DhPubKey, _} = DhKeys, +%% ssl_handshake:key_exchange(client, {dh, DhPubKey}) +%% end; +%% dh_key_exchange(_, {DhPubKey, _}, false) -> +%% ssl_handshake:key_exchange(client, {dh, DhPubKey}). request_client_cert(#state{ssl_options = #ssl_options{verify = verify_peer}, connection_states = ConnectionStates0, diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index f0413c4d31..54938e0fbc 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl 
@@ -345,11 +345,14 @@ key_exchange(client, {premaster_secret, Secret, {_, PublicKey, _}}) -> EncPremasterSecret = encrypted_premaster_secret(Secret, PublicKey), #client_key_exchange{exchange_keys = EncPremasterSecret}; -key_exchange(client, fixed_diffie_hellman) -> - #client_key_exchange{exchange_keys = - #client_diffie_hellman_public{ - dh_public = <<>> - }}; + +%% Uncomment if dh_rsa and dh_dss cipher suites should +%% be supported. +%% key_exchange(client, fixed_diffie_hellman) -> +%% #client_key_exchange{exchange_keys = +%% #client_diffie_hellman_public{ +%% dh_public = <<>> +%% }}; key_exchange(client, {dh, <<?UINT32(Len), PublicKey:Len/binary>>}) -> #client_key_exchange{ exchange_keys = #client_diffie_hellman_public{ @@ -375,10 +378,7 @@ key_exchange(server, {dh, {<<?UINT32(_), PublicKey/binary>>, _}, ?UINT16(YLen), PublicKey/binary>>), Signed = digitally_signed(Hash, PrivateKey), #server_key_exchange{params = ServerDHParams, - signed_params = Signed}; -key_exchange(_, _) -> - %%TODO : Real imp - #server_key_exchange{}. + signed_params = Signed}. %%-------------------------------------------------------------------- %% Function: master_secret(Version, Session/PremasterSecret, 
@@ -812,13 +812,14 @@ dec_hs(?SERVER_HELLO, <<?BYTE(Major), ?BYTE(Minor), Random:32/binary,
 renegotiation_info = RenegotiationInfo};
 dec_hs(?CERTIFICATE, <<?UINT24(ACLen), ASN1Certs:ACLen/binary>>, _, _) ->
 #certificate{asn1_certificates = certs_to_list(ASN1Certs)};
-dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(ModLen), Mod:ModLen/binary,
- ?UINT16(ExpLen), Exp:ExpLen/binary,
- ?UINT16(_), Sig/binary>>,
- ?KEY_EXCHANGE_RSA, _) ->
- #server_key_exchange{params = #server_rsa_params{rsa_modulus = Mod,
- rsa_exponent = Exp},
- signed_params = Sig};
+%% Uncomment if support for export ciphers is added.
+%% dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(ModLen), Mod:ModLen/binary,
+%% ?UINT16(ExpLen), Exp:ExpLen/binary,
+%% ?UINT16(_), Sig/binary>>,
+%% ?KEY_EXCHANGE_RSA, _) ->
+%% #server_key_exchange{params = #server_rsa_params{rsa_modulus = Mod,
+%% rsa_exponent = Exp},
+%% signed_params = Sig};
 dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(PLen), P:PLen/binary,
 ?UINT16(GLen), G:GLen/binary,
 ?UINT16(YLen), Y:YLen/binary,
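Review bot: With the ?KEY_EXCHANGE_RSA clause commented out, a ServerKeyExchange arriving while an RSA suite is negotiated has no dedicated dec_hs clause any more, and what happens instead depends on the fourth-argument pattern of the DH clause below, which the hunk cuts off: either the RSA message is parsed against the DH-parameter layout, or the decoder exits with function_clause. This is peer-controlled input, so it should fail closed with a fatal alert rather than a crash or a misparse; a clause in the removed position such as `dec_hs(?SERVER_KEY_EXCHANGE, _, ?KEY_EXCHANGE_RSA, _) -> throw(?ALERT_REC(?FATAL, ?UNEXPECTED_MESSAGE));` would do that, assuming throws from dec_hs are converted to alerts by its caller the way rsa_key_exchange's are. If the DH clause's fourth argument is already a specific key-exchange macro, please say so in the comment replacing the removed clause, so the next reader knows the RSA case is rejected by clause fall-through on purpose. dec_hs/4 starts before and continues past this hunk.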
@@ -952,16 +953,17 @@ enc_hs(#certificate{asn1_certificates = ASN1CertList}, _Version, _) ->
 ASN1Certs = certs_from_list(ASN1CertList),
 ACLen = erlang:iolist_size(ASN1Certs),
 {?CERTIFICATE, <<?UINT24(ACLen), ASN1Certs:ACLen/binary>>};
-enc_hs(#server_key_exchange{params = #server_rsa_params{rsa_modulus = Mod,
- rsa_exponent = Exp},
- signed_params = SignedParams}, _Version, _) ->
- ModLen = byte_size(Mod),
- ExpLen = byte_size(Exp),
- SignedLen = byte_size(SignedParams),
- {?SERVER_KEY_EXCHANGE, <<?UINT16(ModLen),Mod/binary,
- ?UINT16(ExpLen), Exp/binary,
- ?UINT16(SignedLen), SignedParams/binary>>
- };
+%% Uncomment if support for export ciphers is added.
+%% enc_hs(#server_key_exchange{params = #server_rsa_params{rsa_modulus = Mod,
+%% rsa_exponent = Exp},
+%% signed_params = SignedParams}, _Version, _) ->
+%% ModLen = byte_size(Mod),
+%% ExpLen = byte_size(Exp),
+%% SignedLen = byte_size(SignedParams),
+%% {?SERVER_KEY_EXCHANGE, <<?UINT16(ModLen),Mod/binary,
+%% ?UINT16(ExpLen), Exp/binary,
+%% ?UINT16(SignedLen), SignedParams/binary>>
+%% };
 enc_hs(#server_key_exchange{params = #server_dh_params{
 dh_p = P, dh_g = G, dh_y = Y},
 signed_params = SignedParams}, _Version, _) -> |