aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/src/dtls_handshake.erl3
-rw-r--r--lib/ssl/src/dtls_record.erl6
-rw-r--r--lib/ssl/src/dtls_v1.erl2
-rw-r--r--lib/ssl/src/ssl_connection.erl6
-rw-r--r--lib/ssl/src/ssl_connection.hrl84
-rw-r--r--lib/ssl/src/ssl_handshake.erl13
-rw-r--r--lib/ssl/src/ssl_srp.hrl7
-rw-r--r--lib/ssl/src/tls_connection.hrl9
8 files changed, 72 insertions, 58 deletions
diff --git a/lib/ssl/src/dtls_handshake.erl b/lib/ssl/src/dtls_handshake.erl
index 6a54c5a305..ec7f21bd35 100644
--- a/lib/ssl/src/dtls_handshake.erl
+++ b/lib/ssl/src/dtls_handshake.erl
@@ -110,7 +110,7 @@ encode_handshake(Package, Version, MsgSeq, Mss) ->
%--------------------------------------------------------------------
-spec get_dtls_handshake(#ssl_tls{}, #dtls_hs_state{} | binary()) ->
- {[dtls_handshake()], #ssl_tls{}}.
+ {[dtls_handshake()], #dtls_hs_state{}} | {retransmit, #dtls_hs_state{}}.
%
% Description: Given a DTLS state and new data from ssl_record, collects
% and returns it as a list of handshake messages, also returns a new
@@ -190,7 +190,6 @@ get_dtls_handshake_aux(Version, SeqNo,
get_dtls_handshake_aux(_Version, _SeqNo, <<>>, HsState) ->
{lists:reverse(HsState#dtls_hs_state.completed),
- HsState#dtls_hs_state.highest_record_seq,
HsState#dtls_hs_state{completed = []}}.
dec_dtls_fragment(Version, SeqNo, Type, Length, MessageSeq, MsgBody,
diff --git a/lib/ssl/src/dtls_record.erl b/lib/ssl/src/dtls_record.erl
index 7959c4d860..b0a7976864 100644
--- a/lib/ssl/src/dtls_record.erl
+++ b/lib/ssl/src/dtls_record.erl
@@ -296,7 +296,8 @@ connection_state_by_epoch(#connection_states{pending_write = CS}, Epoch, write)
CS.
%%--------------------------------------------------------------------
-spec set_connection_state_by_epoch(#connection_states{},
- #connection_state{}, read | write) -> ok.
+ #connection_state{}, read | write)
+ -> #connection_states{}.
%%
%% Description: Returns the instance of the connection_state record
%% that is defined by the Epoch.
@@ -337,7 +338,8 @@ calc_mac_hash(#connection_state{mac_secret = MacSecret,
security_parameters = #security_parameters{mac_algorithm = MacAlg}},
Type, Version, Epoch, SeqNo, Fragment) ->
Length = erlang:iolist_size(Fragment),
- mac_hash(Version, MacAlg, MacSecret, (Epoch bsl 48) + SeqNo, Type,
+ NewSeq = (Epoch bsl 48) + SeqNo,
+ mac_hash(Version, MacAlg, MacSecret, NewSeq, Type,
Length, Fragment).
mac_hash(Version, MacAlg, MacSecret, SeqNo, Type, Length, Fragment) ->
diff --git a/lib/ssl/src/dtls_v1.erl b/lib/ssl/src/dtls_v1.erl
index c12e12e424..6e41641483 100644
--- a/lib/ssl/src/dtls_v1.erl
+++ b/lib/ssl/src/dtls_v1.erl
@@ -28,7 +28,7 @@ suites(Minor) ->
tls_v1:suites(corresponding_minor_tls_version(Minor)).
mac_hash(Version, MacAlg, MacSecret, SeqNo, Type, Length, Fragment) ->
- tls_v1:mac_hash(MacAlg, MacSecret, SeqNo, Type, Version,
+ tls_v1:mac_hash(MacAlg, MacSecret, SeqNo, Type, corresponding_tls_version(Version),
Length, Fragment).
ecc_curves({_Major, Minor}) ->
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 7e43af08e5..2f5890ed31 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -917,13 +917,15 @@ calculate_secret(#server_dh_params{dh_p = Prime, dh_g = Base, dh_y = ServerPubli
Keys = {_, PrivateDhKey} = crypto:generate_key(dh, [Prime, Base]),
PremasterSecret =
ssl_handshake:premaster_secret(ServerPublicDhKey, PrivateDhKey, Params),
- calculate_master_secret(PremasterSecret, State#state{diffie_hellman_keys = Keys}, Connection, certify, certify);
+ calculate_master_secret(PremasterSecret,
+ State#state{diffie_hellman_keys = Keys}, Connection, certify, certify);
calculate_secret(#server_ecdh_params{curve = ECCurve, public = ECServerPubKey},
State, Connection) ->
ECDHKeys = public_key:generate_key(ECCurve),
PremasterSecret = ssl_handshake:premaster_secret(#'ECPoint'{point = ECServerPubKey}, ECDHKeys),
- calculate_master_secret(PremasterSecret, State#state{diffie_hellman_keys = ECDHKeys}, Connection, certify, certify);
+ calculate_master_secret(PremasterSecret,
+ State#state{diffie_hellman_keys = ECDHKeys}, Connection, certify, certify);
calculate_secret(#server_psk_params{
hint = IdentityHint},
diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl
index 92134dfeb3..a444f2ae03 100644
--- a/lib/ssl/src/ssl_connection.hrl
+++ b/lib/ssl/src/ssl_connection.hrl
@@ -26,50 +26,56 @@
-ifndef(ssl_connection).
-define(ssl_connection, true).
+-include("ssl_internal.hrl").
+-include("ssl_record.hrl").
+-include("ssl_handshake.hrl").
+-include("ssl_srp.hrl").
+-include_lib("public_key/include/public_key.hrl").
+
-record(state, {
- role :: client | server,
- user_application :: {Monitor::reference(), User::pid()},
- transport_cb :: atom(), % callback module
- data_tag :: atom(), % ex tcp.
- close_tag :: atom(), % ex tcp_closed
- error_tag :: atom(), % ex tcp_error
- host, % string() | ipadress()
- port :: integer(),
- socket, % socket()
- ssl_options, % #ssl_options{}
- socket_options, % #socket_options{}
- connection_states, % #connection_states{} from ssl_record.hrl
- protocol_buffers,
- tls_handshake_history, % tls_handshake_history()
- cert_db, %
- session, % #session{} from tls_handshake.hrl
- session_cache, %
- session_cache_cb, %
- negotiated_version, % tls_version()
- client_certificate_requested = false,
- key_algorithm, % atom as defined by cipher_suite
+ role :: client | server,
+ user_application :: {Monitor::reference(), User::pid()},
+ transport_cb :: atom(), % callback module
+ data_tag :: atom(), % ex tcp.
+ close_tag :: atom(), % ex tcp_closed
+ error_tag :: atom(), % ex tcp_error
+ host :: string() | inet:ipaddress(),
+ port :: integer(),
+ socket :: port(),
+ ssl_options :: #ssl_options{},
+ socket_options :: #socket_options{},
+ connection_states :: #connection_states{},
+ protocol_buffers :: term(), %% #protocol_buffers{} from tls_record.hrl or dtls_recor.hrl
+ tls_handshake_history ::tls_handshake_history(),
+ cert_db :: reference(),
+ session :: #session{},
+ session_cache :: db_handle(),
+ session_cache_cb :: atom(),
+ negotiated_version :: tls_version(),
+ client_certificate_requested = false :: boolean(),
+ key_algorithm :: key_algo(),
hashsign_algorithm = {undefined, undefined},
cert_hashsign_algorithm,
- public_key_info, % PKIX: {Algorithm, PublicKey, PublicKeyParams}
- private_key, % PKIX: #'RSAPrivateKey'{}
+ public_key_info ::public_key_info(),
+ private_key ::public_key:private_key(),
diffie_hellman_params, % PKIX: #'DHParameter'{} relevant for server side
diffie_hellman_keys, % {PublicKey, PrivateKey}
- psk_identity, % binary() - server psk identity hint
- srp_params, % #srp_user{}
- srp_keys, % {PublicKey, PrivateKey}
- premaster_secret, %
- file_ref_db, % ets()
- cert_db_ref, % ref()
- bytes_to_read, % integer(), # bytes to read in passive mode
- user_data_buffer, % binary()
- renegotiation, % {boolean(), From | internal | peer}
- start_or_recv_from, % "gen_fsm From"
- timer, % start_or_recv_timer
- send_queue, % queue()
- terminated = false ::boolean(),
- allow_renegotiate = true ::boolean(),
- expecting_next_protocol_negotiation = false :: boolean(),
- next_protocol = undefined :: undefined | binary(),
+ psk_identity :: binary(), % server psk identity hint
+ srp_params :: #srp_user{},
+ srp_keys ::{PublicKey :: binary(), PrivateKey :: binary()},
+ premaster_secret :: binary(),
+ file_ref_db :: db_handle(),
+ cert_db_ref :: certdb_ref(),
+ bytes_to_read :: undefined | integer(), %% bytes to read in passive mode
+ user_data_buffer :: undefined | binary(),
+ renegotiation :: undefined | {boolean(), From::term() | internal | peer},
+ start_or_recv_from :: term(),
+ timer :: undefined | reference(), % start_or_recive_timer
+ send_queue :: queue(),
+ terminated = false ::boolean(),
+ allow_renegotiate = true ::boolean(),
+ expecting_next_protocol_negotiation = false ::boolean(),
+ next_protocol = undefined :: undefined | binary(),
client_ecc % {Curves, PointFmt}
}).
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index d4dd886aab..bf091b4600 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1045,13 +1045,12 @@ select_session(SuggestedSessionId, CipherSuites, Compressions, Port, #session{ec
{resumed, Resumed}
end.
-supported_ecc(Version) ->
- case tls_v1:ecc_curves(Version) of
- [] ->
- undefined;
- Curves ->
- #elliptic_curves{elliptic_curve_list = Curves}
- end.
+supported_ecc({Major, Minor} = Version) when ((Major == 3) and (Minor >= 1)) orelse (Major > 3) ->
+ Curves = tls_v1:ecc_curves(Version),
+ #elliptic_curves{elliptic_curve_list = Curves};
+supported_ecc(_) ->
+ undefined.
+
%%-------------certificate handling --------------------------------
certificate_types({KeyExchange, _, _, _})
diff --git a/lib/ssl/src/ssl_srp.hrl b/lib/ssl/src/ssl_srp.hrl
index ab2be33ab2..af56a91194 100644
--- a/lib/ssl/src/ssl_srp.hrl
+++ b/lib/ssl/src/ssl_srp.hrl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -23,9 +23,14 @@
%% see RFC 5054
%%----------------------------------------------------------------------
+-ifndef(ssl_srp).
+-define(ssl_srp, true).
+
-record(srp_user, {
generator :: binary(),
prime :: binary(),
salt :: binary(),
verifier :: binary()
}).
+
+-endif. % -ifdef(ssl_srp).
diff --git a/lib/ssl/src/tls_connection.hrl b/lib/ssl/src/tls_connection.hrl
index f802f2afa9..2beecbb84d 100644
--- a/lib/ssl/src/tls_connection.hrl
+++ b/lib/ssl/src/tls_connection.hrl
@@ -26,12 +26,13 @@
-define(tls_connection, true).
-include("ssl_connection.hrl").
+-include("tls_record.hrl").
-record(protocol_buffers, {
- tls_packets = [] :: [binary()], % Not yet handled decode SSL/TLS packets.
- tls_record_buffer = <<>> :: binary(), % Buffer of incomplete records
- tls_handshake_buffer = <<>> :: binary(), % Buffer of incomplete handshakes
- tls_cipher_texts = [] :: [binary()]
+ tls_packets = [], %% :: [#ssl_tls{}], % Not yet handled decode SSL/TLS packets.
+ tls_record_buffer = <<>>, %% :: binary(), % Buffer of incomplete records
+ tls_handshake_buffer = <<>>, %% :: binary(), % Buffer of incomplete handshakes
+ tls_cipher_texts = [] %%:: [binary()]
}).
-endif. % -ifdef(tls_connection).