diff options
Diffstat (limited to 'lib/ssl/src')
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 20 | ||||
-rw-r--r-- | lib/ssl/src/tls_connection.erl | 95 |
2 files changed, 45 insertions, 70 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 22d107ff9c..b45c5c8fc6 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -786,12 +786,24 @@ downgrade(Type, Event, State, Connection) -> %% Event handling functions called by state functions to handle %% common or unexpected events for the state. %%-------------------------------------------------------------------- +handle_common_event(internal, {handshake, {#hello_request{} = Handshake, _}}, connection = StateName, + #state{role = client} = State, _) -> + %% Should not be included in handshake history + {next_state, StateName, State#state{renegotiation = {true, peer}}, [{next_event, internal, Handshake}]}; +handle_common_event(internal, {handshake, {#hello_request{}, _}}, StateName, #state{role = client}, _) + when StateName =/= connection -> + {keep_state_and_data}; +handle_common_event(internal, {handshake, {Handshake, Raw}}, StateName, + #state{tls_handshake_history = Hs0} = State0, Connection) -> + %% This function handles client SNI hello extension when Handshake is + %% a client_hello, which needs to be determined by the connection callback. + %% In other cases this is a noop + State = Connection:handle_sni_extension(Handshake, State0), + HsHist = ssl_handshake:update_handshake_history(Hs0, Raw), + {next_state, StateName, State#state{tls_handshake_history = HsHist}, + [{next_event, internal, Handshake}]}; handle_common_event(internal, {tls_record, TLSRecord}, StateName, State, Connection) -> Connection:handle_common_event(internal, TLSRecord, StateName, State); -handle_common_event(internal, #hello_request{}, StateName, #state{role = client} = State0, Connection) - when StateName =:= connection -> - {Record, State} = Connection:next_record(State0), - Connection:next_event(StateName, Record, State); handle_common_event(timeout, hibernate, _, _, _) -> {keep_state_and_data, [hibernate]}; handle_common_event(internal, {application_data, Data}, StateName, State0, Connection) -> diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl index 91903b4a1f..56e516bce2 100644 --- a/lib/ssl/src/tls_connection.erl +++ b/lib/ssl/src/tls_connection.erl @@ -50,7 +50,7 @@ %% Handshake handling -export([renegotiate/2, send_handshake/2, send_change_cipher/2, - reinit_handshake_data/1]). + reinit_handshake_data/1, handle_sni_extension/2]). %% Alert and close handling -export([send_alert/2, handle_own_alert/4, handle_close_alert/3, @@ -228,16 +228,16 @@ error(_, _, _) -> gen_statem:state_function_result(). %%-------------------------------------------------------------------- hello(internal, #client_hello{client_version = ClientVersion, - extensions = #hello_extensions{ec_point_formats = EcPointFormats, - elliptic_curves = EllipticCurves}} = Hello, - State = #state{connection_states = ConnectionStates0, - port = Port, session = #session{own_certificate = Cert} = Session0, - renegotiation = {Renegotiation, _}, - session_cache = Cache, - session_cache_cb = CacheCb, - negotiated_protocol = CurrentProtocol, - key_algorithm = KeyExAlg, - ssl_options = SslOpts}) -> + extensions = #hello_extensions{ec_point_formats = EcPointFormats, + elliptic_curves = EllipticCurves}} = Hello, + #state{connection_states = ConnectionStates0, + port = Port, session = #session{own_certificate = Cert} = Session0, + renegotiation = {Renegotiation, _}, + session_cache = Cache, + session_cache_cb = CacheCb, + negotiated_protocol = CurrentProtocol, + key_algorithm = KeyExAlg, + ssl_options = SslOpts} = State) -> case tls_handshake:hello(Hello, SslOpts, {Port, Session0, Cache, CacheCb, ConnectionStates0, Cert, KeyExAlg}, Renegotiation) of @@ -311,7 +311,7 @@ cipher(Type, Event, State) -> connection(info, Event, State) -> handle_info(Event, connection, State); connection(internal, #hello_request{}, - #state{host = Host, port = Port, + #state{role = client, host = Host, port = Port, session = #session{own_certificate = Cert} = Session0, session_cache = Cache, session_cache_cb = CacheCb, ssl_options = SslOpts, @@ -326,14 +326,16 @@ connection(internal, #hello_request{}, = Hello#client_hello.session_id}}), next_event(hello, Record, State); connection(internal, #client_hello{} = Hello, - #state{role = server, allow_renegotiate = true} = State) -> + #state{role = server, allow_renegotiate = true} = State0) -> %% Mitigate Computational DoS attack %% http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html %% http://www.thc.org/thc-ssl-dos/ Rather than disabling client %% initiated renegotiation we will disallow many client initiated %% renegotiations immediately after each other. erlang:send_after(?WAIT_TO_ALLOW_RENEGOTIATION, self(), allow_renegotiate), - {next_state, hello, State#state{allow_renegotiate = false}, [{next_event, internal, Hello}]}; + {Record, State} = next_record(State0#state{allow_renegotiate = false, + renegotiation = {true, peer}}), + next_event(hello, Record, State, [{next_event, internal, Hello}]); connection(internal, #client_hello{}, #state{role = server, allow_renegotiate = false} = State0) -> Alert = ?ALERT_REC(?WARNING, ?NO_RENEGOTIATION), @@ -398,39 +400,12 @@ handle_common_event(internal, #ssl_tls{type = ?HANDSHAKE, fragment = Data}, StateName, #state{protocol_buffers = #protocol_buffers{tls_handshake_buffer = Buf0} = Buffers, negotiated_version = Version} = State0) -> - - Handle = - fun({#hello_request{} = Packet, _}, {connection, HState}) -> - %% This message should not be included in handshake - %% message hashes. Starts new handshake (renegotiation) - Hs0 = ssl_handshake:init_handshake_history(), - {HState#state{tls_handshake_history = Hs0, - renegotiation = {true, peer}}, - {next_event, internal, Packet}}; - ({#hello_request{}, _}, {next_state, _SName, HState}) -> - %% This message should not be included in handshake - %% message hashes. Already in negotiation so it will be ignored! - {HState, []}; - ({#client_hello{} = Packet, Raw}, {connection, HState0}) -> - HState = handle_sni_extension(Packet, HState0), - Version = Packet#client_hello.client_version, - Hs0 = ssl_handshake:init_handshake_history(), - Hs1 = ssl_handshake:update_handshake_history(Hs0, Raw), - {HState#state{tls_handshake_history = Hs1, - renegotiation = {true, peer}}, - {next_event, internal, Packet}}; - - ({Packet, Raw}, {_SName, HState0 = #state{tls_handshake_history=Hs0}}) -> - HState = handle_sni_extension(Packet, HState0), - Hs1 = ssl_handshake:update_handshake_history(Hs0, Raw), - {HState#state{tls_handshake_history=Hs1}, {next_event, internal, Packet}} - end, - try + try {Packets, Buf} = tls_handshake:get_tls_handshake(Version,Data,Buf0), - State1 = State0#state{protocol_buffers = - Buffers#protocol_buffers{tls_packets = Packets, - tls_handshake_buffer = Buf}}, - {State, Events} = tls_handshake_events(Handle, StateName, State1, []), + State = + State0#state{protocol_buffers = + Buffers#protocol_buffers{tls_handshake_buffer = Buf}}, + Events = tls_handshake_events(Packets), case StateName of connection -> ssl_connection:hibernate_after(StateName, State, Events); @@ -779,24 +754,12 @@ send_or_reply(_, Pid, _From, Data) -> send_user(Pid, Msg) -> Pid ! Msg. -tls_handshake_events(Handle, StateName, - #state{protocol_buffers = - #protocol_buffers{tls_packets = [Packet]} = Buffers} = State0, Acc) -> - {State, Event} = Handle(Packet, {StateName, - State0#state{protocol_buffers = - Buffers#protocol_buffers{tls_packets = []}}}), - {State, lists:reverse([Event |Acc])}; -tls_handshake_events(Handle, StateName, - #state{protocol_buffers = - #protocol_buffers{tls_packets = - [Packet | Packets]} = Buffers} = State0, Acc) -> - {State, Event} = Handle(Packet, {StateName, State0#state{protocol_buffers = - Buffers#protocol_buffers{tls_packets = - Packets}}}), - tls_handshake_events(Handle, StateName, State, [Event | Acc]); - -tls_handshake_events(_Handle, _, #state{}, _) -> - throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE)). +tls_handshake_events([]) -> + throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, malformed_handshake)); +tls_handshake_events(Packets) -> + lists:map(fun(Packet) -> + {next_event, internal, {handshake, Packet}} + end, Packets). write_application_data(Data0, From, #state{socket = Socket, @@ -1065,5 +1028,5 @@ handle_sni_extension(#client_hello{extensions = HelloExtensions}, State0) -> } end end; -handle_sni_extension(_, State0) -> - State0. +handle_sni_extension(_, State) -> + State. |