Diffstat (limited to 'lib/ssl/src')
-rw-r--r--lib/ssl/src/ssl_connection.erl49
-rw-r--r--lib/ssl/src/ssl_handshake.erl54
2 files changed, 47 insertions, 56 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index a9ddc44edf..a4eaf03086 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1339,11 +1339,12 @@ key_exchange(#state{role = server, key_algorithm = Algo} = State)
Algo == dh_rsa ->
State;
-%key_exchange(#state{role = server, key_algorithm = rsa_export} = State) ->
+%% Remove or uncomment when we decide if to support export cipher suites
+%%key_exchange(#state{role = server, key_algorithm = rsa_export} = State) ->
%% TODO when the public key in the server certificate is
%% less than or equal to 512 bits in length dont send key_exchange
%% but do it otherwise
-% State;
+%% State;
key_exchange(#state{role = server, key_algorithm = Algo,
diffie_hellman_params = Params,
@@ -1412,26 +1413,11 @@ key_exchange(#state{role = client,
encode_handshake(Msg, Version, ConnectionStates0, Hashes0),
Transport:send(Socket, BinMsg),
State#state{connection_states = ConnectionStates1,
- tls_handshake_hashes = Hashes1};
-
-key_exchange(#state{role = client,
- connection_states = ConnectionStates0,
- key_algorithm = Algorithm,
- negotiated_version = Version,
- client_certificate_requested = ClientCertReq,
- own_cert = OwnCert,
- diffie_hellman_keys = DhKeys,
- socket = Socket, transport_cb = Transport,
- tls_handshake_hashes = Hashes0} = State)
- when Algorithm == dh_dss;
- Algorithm == dh_rsa ->
- Msg = dh_key_exchange(OwnCert, DhKeys, ClientCertReq),
- {BinMsg, ConnectionStates1, Hashes1} =
- encode_handshake(Msg, Version, ConnectionStates0, Hashes0),
- Transport:send(Socket, BinMsg),
- State#state{connection_states = ConnectionStates1,
tls_handshake_hashes = Hashes1}.
+%% key_algorithm = dh_rsa | dh_dss are not supported. If we want to
+%% support it we need a key_exchange clause for it here.
+
rsa_key_exchange(PremasterSecret, PublicKeyInfo = {Algorithm, _, _})
when Algorithm == ?rsaEncryption;
Algorithm == ?md2WithRSAEncryption;
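Review bot: With the `role = client` clause for `dh_dss`/`dh_rsa` removed (the deleted block after `tls_handshake_hashes = Hashes1};`), `key_exchange/1` has no clause left for those key algorithms, so a connection that negotiates such a suite now dies with `function_clause` instead of sending a ClientKeyExchange. That is only safe if those suites can no longer be offered or accepted; the cipher-suite tables are not in this diff, so please confirm they exclude `dh_dss`/`dh_rsa` (or that this clause was already unreachable). The replacement comment should state that dependency so the next reader does not add the clause back blindly, e.g. `%% key_algorithm = dh_rsa | dh_dss are not supported and must not appear in the` / `%% cipher suite table: there is deliberately no key_exchange clause for them.` Note that `key_exchange/1` starts before this hunk.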
@@ -1443,16 +1429,19 @@ rsa_key_exchange(PremasterSecret, PublicKeyInfo = {Algorithm, _, _})
rsa_key_exchange(_, _) ->
throw (?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE)).
-dh_key_exchange(OwnCert, DhKeys, true) ->
- case public_key:pkix_is_fixed_dh_cert(OwnCert) of
- true ->
- ssl_handshake:key_exchange(client, fixed_diffie_hellman);
- false ->
- {DhPubKey, _} = DhKeys,
- ssl_handshake:key_exchange(client, {dh, DhPubKey})
- end;
-dh_key_exchange(_, {DhPubKey, _}, false) ->
- ssl_handshake:key_exchange(client, {dh, DhPubKey}).
+%% Uncomment if we decide to support cipher suites with key_algorithm
+%% dh_rsa and dh_dss. Could also be removed if we decide support for
+%% this will not be needed. Not supported by openssl!
+%% dh_key_exchange(OwnCert, DhKeys, true) ->
+%% case public_key:pkix_is_fixed_dh_cert(OwnCert) of
+%% true ->
+%% ssl_handshake:key_exchange(client, fixed_diffie_hellman);
+%% false ->
+%% {DhPubKey, _} = DhKeys,
+%% ssl_handshake:key_exchange(client, {dh, DhPubKey})
+%% end;
+%% dh_key_exchange(_, {DhPubKey, _}, false) ->
+%% ssl_handshake:key_exchange(client, {dh, DhPubKey}).
request_client_cert(#state{ssl_options = #ssl_options{verify = verify_peer},
connection_states = ConnectionStates0,
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index f0413c4d31..54938e0fbc 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -345,11 +345,14 @@ key_exchange(client, {premaster_secret, Secret, {_, PublicKey, _}}) ->
EncPremasterSecret =
encrypted_premaster_secret(Secret, PublicKey),
#client_key_exchange{exchange_keys = EncPremasterSecret};
-key_exchange(client, fixed_diffie_hellman) ->
- #client_key_exchange{exchange_keys =
- #client_diffie_hellman_public{
- dh_public = <<>>
- }};
+
+%% Uncomment if dh_rsa and dh_dss cipher suites should
+%% be supported.
+%% key_exchange(client, fixed_diffie_hellman) ->
+%% #client_key_exchange{exchange_keys =
+%% #client_diffie_hellman_public{
+%% dh_public = <<>>
+%% }};
key_exchange(client, {dh, <<?UINT32(Len), PublicKey:Len/binary>>}) ->
#client_key_exchange{
exchange_keys = #client_diffie_hellman_public{
@@ -375,10 +378,7 @@ key_exchange(server, {dh, {<<?UINT32(_), PublicKey/binary>>, _},
?UINT16(YLen), PublicKey/binary>>),
Signed = digitally_signed(Hash, PrivateKey),
#server_key_exchange{params = ServerDHParams,
- signed_params = Signed};
-key_exchange(_, _) ->
- %%TODO : Real imp
- #server_key_exchange{}.
+ signed_params = Signed}.
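Review bot: Dropping the `key_exchange(_, _)` catch-all is the right call — it returned an empty `#server_key_exchange{}` that, as far as this diff shows, would have been handed to `enc_hs` and sent on the wire as a malformed ServerKeyExchange rather than failing the handshake. The consequence is that an unsupported role/algorithm pair now raises `function_clause` in the caller's process; please confirm the connection process maps that crash to a fatal alert and closes the socket, in line with the `throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE))` style used in ssl_connection. A one-line comment above the remaining server clause would make the contract explicit: `%% No catch-all on purpose: an unsupported key exchange must fail loudly, never produce an empty message.` The enclosing function starts before this hunk.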
%%--------------------------------------------------------------------
%% Function: master_secret(Version, Session/PremasterSecret,
@@ -812,13 +812,14 @@ dec_hs(?SERVER_HELLO, <<?BYTE(Major), ?BYTE(Minor), Random:32/binary,
renegotiation_info = RenegotiationInfo};
dec_hs(?CERTIFICATE, <<?UINT24(ACLen), ASN1Certs:ACLen/binary>>, _, _) ->
#certificate{asn1_certificates = certs_to_list(ASN1Certs)};
-dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(ModLen), Mod:ModLen/binary,
- ?UINT16(ExpLen), Exp:ExpLen/binary,
- ?UINT16(_), Sig/binary>>,
- ?KEY_EXCHANGE_RSA, _) ->
- #server_key_exchange{params = #server_rsa_params{rsa_modulus = Mod,
- rsa_exponent = Exp},
- signed_params = Sig};
+%% Uncomment if support for export ciphers is added.
+%% dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(ModLen), Mod:ModLen/binary,
+%% ?UINT16(ExpLen), Exp:ExpLen/binary,
+%% ?UINT16(_), Sig/binary>>,
+%% ?KEY_EXCHANGE_RSA, _) ->
+%% #server_key_exchange{params = #server_rsa_params{rsa_modulus = Mod,
+%% rsa_exponent = Exp},
+%% signed_params = Sig};
dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(PLen), P:PLen/binary,
?UINT16(GLen), G:GLen/binary,
?UINT16(YLen), Y:YLen/binary,
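Review bot: The "Uncomment if support for export ciphers is added" block should be deleted rather than parked: RSA_EXPORT key exchange means a temporary RSA key of at most 512 bits (the TODO in the ssl_connection hunk spells this out), which is not a strength worth re-enabling, and the code stays recoverable from history. If it is ever restored anyway, note that the commented parser binds `?UINT16(_), Sig/binary` — it discards the declared signature length and takes the remainder of the message as the signature — so it would need the same length-checked form the P/G/Y fields use in the DH clause below, `?UINT16(SigLen), Sig:SigLen/binary`. I would replace the "Uncomment if" note with `%% Export (RSA_EXPORT) key exchange is intentionally unsupported; see git history if it is ever needed.` The `dec_hs` clause continues past this hunk.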
@@ -952,16 +953,17 @@ enc_hs(#certificate{asn1_certificates = ASN1CertList}, _Version, _) ->
ASN1Certs = certs_from_list(ASN1CertList),
ACLen = erlang:iolist_size(ASN1Certs),
{?CERTIFICATE, <<?UINT24(ACLen), ASN1Certs:ACLen/binary>>};
-enc_hs(#server_key_exchange{params = #server_rsa_params{rsa_modulus = Mod,
- rsa_exponent = Exp},
- signed_params = SignedParams}, _Version, _) ->
- ModLen = byte_size(Mod),
- ExpLen = byte_size(Exp),
- SignedLen = byte_size(SignedParams),
- {?SERVER_KEY_EXCHANGE, <<?UINT16(ModLen),Mod/binary,
- ?UINT16(ExpLen), Exp/binary,
- ?UINT16(SignedLen), SignedParams/binary>>
- };
+%% Uncomment if support for export ciphers is added.
+%% enc_hs(#server_key_exchange{params = #server_rsa_params{rsa_modulus = Mod,
+%% rsa_exponent = Exp},
+%% signed_params = SignedParams}, _Version, _) ->
+%% ModLen = byte_size(Mod),
+%% ExpLen = byte_size(Exp),
+%% SignedLen = byte_size(SignedParams),
+%% {?SERVER_KEY_EXCHANGE, <<?UINT16(ModLen),Mod/binary,
+%% ?UINT16(ExpLen), Exp/binary,
+%% ?UINT16(SignedLen), SignedParams/binary>>
+%% };
enc_hs(#server_key_exchange{params = #server_dh_params{
dh_p = P, dh_g = G, dh_y = Y},
signed_params = SignedParams}, _Version, _) ->