aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/src')
-rw-r--r--lib/ssl/src/ssl_connection.erl50
-rw-r--r--lib/ssl/src/ssl_connection.hrl4
2 files changed, 28 insertions, 26 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 237cd03c0c..c770ecbdd0 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -607,7 +607,8 @@ handle_session(#server_hello{cipher_suite = CipherSuite,
%%--------------------------------------------------------------------
-spec ssl_config(#ssl_options{}, client | server, #state{}) -> #state{}.
%%--------------------------------------------------------------------
-ssl_config(Opts, Role, #state{static_env = InitStatEnv0} = State0) ->
+ssl_config(Opts, Role, #state{static_env = InitStatEnv0,
+ connection_env = CEnv} = State0) ->
{ok, #{cert_db_ref := Ref,
cert_db_handle := CertDbHandle,
fileref_db_handle := FileRefHandle,
@@ -629,7 +630,7 @@ ssl_config(Opts, Role, #state{static_env = InitStatEnv0} = State0) ->
crl_db = CRLDbHandle,
session_cache = CacheHandle
},
- private_key = Key,
+ connection_env = CEnv#connection_env{private_key = Key},
diffie_hellman_params = DHParams,
ssl_options = Opts}.
@@ -1413,8 +1414,8 @@ format_status(terminate, [_, StateName, State]) ->
protocol_buffers = ?SECRET_PRINTOUT,
user_data_buffer = ?SECRET_PRINTOUT,
handshake_env = ?SECRET_PRINTOUT,
+ connection_env = ?SECRET_PRINTOUT,
session = ?SECRET_PRINTOUT,
- private_key = ?SECRET_PRINTOUT,
diffie_hellman_params = ?SECRET_PRINTOUT,
diffie_hellman_keys = ?SECRET_PRINTOUT,
srp_params = ?SECRET_PRINTOUT,
@@ -1572,9 +1573,9 @@ certify_client(#state{client_certificate_requested = false} = State, _) ->
verify_client_cert(#state{static_env = #static_env{role = client},
handshake_env = #handshake_env{tls_handshake_history = Hist,
cert_hashsign_algorithm = HashSign},
- connection_env = #connection_env{negotiated_version = Version},
+ connection_env = #connection_env{negotiated_version = Version,
+ private_key = PrivateKey},
client_certificate_requested = true,
- private_key = PrivateKey,
session = #session{master_secret = MasterSecret,
own_certificate = OwnCert}} = State, Connection) ->
@@ -1615,7 +1616,7 @@ server_certify_and_key_exchange(State0, Connection) ->
request_client_cert(State2, Connection).
certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS},
- #state{private_key = Key,
+ #state{connection_env = #connection_env{private_key = Key},
handshake_env = #handshake_env{client_hello_version = {Major, Minor} = Version}}
= State, Connection) ->
FakeSecret = make_premaster_secret(Version, rsa),
@@ -1672,7 +1673,7 @@ certify_client_key_exchange(#client_ecdhe_psk_identity{} = ClientKey,
ssl_handshake:premaster_secret(ClientKey, ServerEcDhPrivateKey, PSKLookup),
calculate_master_secret(PremasterSecret, State, Connection, certify, cipher);
certify_client_key_exchange(#client_rsa_psk_identity{} = ClientKey,
- #state{private_key = Key,
+ #state{connection_env = #connection_env{private_key = Key},
ssl_options =
#ssl_options{user_lookup_fun = PSKLookup}} = State0,
Connection) ->
@@ -1706,9 +1707,9 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa
State;
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Algo,
handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
- connection_env = #connection_env{negotiated_version = Version},
+ connection_env = #connection_env{negotiated_version = Version,
+ private_key = PrivateKey},
diffie_hellman_params = #'DHParameter'{} = Params,
- private_key = PrivateKey,
connection_states = ConnectionStates0} = State0, Connection)
when Algo == dhe_dss;
Algo == dhe_rsa;
@@ -1725,7 +1726,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Alg
State = Connection:queue_handshake(Msg, State0),
State#state{diffie_hellman_keys = DHKeys};
key_exchange(#state{static_env = #static_env{role = server},
- private_key = #'ECPrivateKey'{parameters = ECCurve} = Key,
+ connection_env = #connection_env{private_key = #'ECPrivateKey'{parameters = ECCurve} = Key},
key_algorithm = Algo,
session = Session} = State, _)
when Algo == ecdh_ecdsa; Algo == ecdh_rsa ->
@@ -1733,8 +1734,8 @@ key_exchange(#state{static_env = #static_env{role = server},
session = Session#session{ecc = ECCurve}};
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Algo,
handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
- connection_env = #connection_env{negotiated_version = Version},
- private_key = PrivateKey,
+ connection_env = #connection_env{negotiated_version = Version,
+ private_key = PrivateKey},
session = #session{ecc = ECCCurve},
connection_states = ConnectionStates0} = State0, Connection)
when Algo == ecdhe_ecdsa; Algo == ecdhe_rsa;
@@ -1758,8 +1759,8 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = psk
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = psk,
ssl_options = #ssl_options{psk_identity = PskIdentityHint},
handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
- connection_env = #connection_env{negotiated_version = Version},
- private_key = PrivateKey,
+ connection_env = #connection_env{negotiated_version = Version,
+ private_key = PrivateKey},
connection_states = ConnectionStates0} = State0, Connection) ->
#{security_parameters := SecParams} =
ssl_record:pending_connection_state(ConnectionStates0, read),
@@ -1774,9 +1775,9 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = psk
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = dhe_psk,
ssl_options = #ssl_options{psk_identity = PskIdentityHint},
handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
- connection_env = #connection_env{negotiated_version = Version},
+ connection_env = #connection_env{negotiated_version = Version,
+ private_key = PrivateKey},
diffie_hellman_params = #'DHParameter'{} = Params,
- private_key = PrivateKey,
connection_states = ConnectionStates0
} = State0, Connection) ->
DHKeys = public_key:generate_key(Params),
@@ -1795,8 +1796,8 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = dhe
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = ecdhe_psk,
ssl_options = #ssl_options{psk_identity = PskIdentityHint},
handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
- connection_env = #connection_env{negotiated_version = Version},
- private_key = PrivateKey,
+ connection_env = #connection_env{negotiated_version = Version,
+ private_key = PrivateKey},
session = #session{ecc = ECCCurve},
connection_states = ConnectionStates0
} = State0, Connection) ->
@@ -1819,8 +1820,8 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa_psk,
ssl_options = #ssl_options{psk_identity = PskIdentityHint},
handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
- connection_env = #connection_env{negotiated_version = Version},
- private_key = PrivateKey,
+ connection_env = #connection_env{negotiated_version = Version,
+ private_key = PrivateKey},
connection_states = ConnectionStates0
} = State0, Connection) ->
#{security_parameters := SecParams} =
@@ -1836,9 +1837,9 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa
key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Algo,
ssl_options = #ssl_options{user_lookup_fun = LookupFun},
handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
- connection_env = #connection_env{negotiated_version = Version},
+ connection_env = #connection_env{negotiated_version = Version,
+ private_key = PrivateKey},
session = #session{srp_username = Username},
- private_key = PrivateKey,
connection_states = ConnectionStates0
} = State0, Connection)
when Algo == srp_dss;
@@ -2727,7 +2728,8 @@ invalidate_session(server, _, Port, Session) ->
handle_sni_extension(undefined, State) ->
State;
handle_sni_extension(#sni{hostname = Hostname}, #state{static_env = #static_env{role = Role} = InitStatEnv0,
- handshake_env = HsEnv} = State0) ->
+ handshake_env = HsEnv,
+ connection_env = CEnv} = State0) ->
NewOptions = update_ssl_options_from_sni(State0#state.ssl_options, Hostname),
case NewOptions of
undefined ->
@@ -2751,7 +2753,7 @@ handle_sni_extension(#sni{hostname = Hostname}, #state{static_env = #static_env{
crl_db = CRLDbHandle,
session_cache = CacheHandle
},
- private_key = Key,
+ connection_env = CEnv#connection_env{private_key = Key},
diffie_hellman_params = DHParams,
ssl_options = NewOptions,
handshake_env = HsEnv#handshake_env{sni_hostname = Hostname}
diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl
index 21c200271d..fc8e6bdec2 100644
--- a/lib/ssl/src/ssl_connection.hrl
+++ b/lib/ssl/src/ssl_connection.hrl
@@ -77,7 +77,8 @@
downgrade,
terminated = false ::boolean() | closed,
negotiated_version :: ssl_record:ssl_version() | 'undefined',
- erl_dist_handle = undefined :: erlang:dist_handle() | undefined
+ erl_dist_handle = undefined :: erlang:dist_handle() | undefined,
+ private_key :: public_key:private_key() | secret_printout() | 'undefined'
}).
-record(state, {
@@ -101,7 +102,6 @@
%% Used only in HS
client_certificate_requested = false :: boolean(),
key_algorithm :: ssl:key_algo(),
- private_key :: public_key:private_key() | secret_printout() | 'undefined',
diffie_hellman_params:: #'DHParameter'{} | undefined | secret_printout(),
diffie_hellman_keys :: {PublicKey :: binary(), PrivateKey :: binary()} | #'ECPrivateKey'{} | undefined | secret_printout(),
psk_identity :: binary() | 'undefined', % server psk identity hint