diff options
Diffstat (limited to 'lib/ssl')
| -rw-r--r-- | lib/ssl/src/inet_tls_dist.erl | 100 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_cipher.erl | 84 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 5 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_ECC.erl | 44 | 
4 files changed, 144 insertions, 89 deletions
| diff --git a/lib/ssl/src/inet_tls_dist.erl b/lib/ssl/src/inet_tls_dist.erl index 3e9828a2fe..d45f209838 100644 --- a/lib/ssl/src/inet_tls_dist.erl +++ b/lib/ssl/src/inet_tls_dist.erl @@ -518,51 +518,16 @@ gen_setup(Driver, Node, Type, MyNode, LongOrShortNames, SetupTime) ->  do_setup(Driver, Kernel, Node, Type, MyNode, LongOrShortNames, SetupTime) ->      {Name, Address} = split_node(Driver, Node, LongOrShortNames), -    case Driver:getaddr(Address) of +    ErlEpmd = net_kernel:epmd_module(), +    {ARMod, ARFun} = get_address_resolver(ErlEpmd, Driver), +    Timer = trace(dist_util:start_timer(SetupTime)), +    case ARMod:ARFun(Address) of +    {ok, Ip, TcpPort, Version} -> +        do_setup_connect(Driver, Kernel, Node, Address, Ip, TcpPort, Version, Type, MyNode, Timer);  	{ok, Ip} -> -            Timer = trace(dist_util:start_timer(SetupTime)), -	    ErlEpmd = net_kernel:epmd_module(),  	    case ErlEpmd:port_please(Name, Ip) of  		{port, TcpPort, Version} -> -                    Opts = -                        trace( -                          connect_options( -                            %% -                            %% Use verify_server/3 to verify that -                            %% the server's certificate is for Node -                            %% -                            setup_verify_server( -                              get_ssl_options(client), Node))), -		    dist_util:reset_timer(Timer), -                    case ssl:connect( -                           Address, TcpPort, -                           [binary, {active, false}, {packet, 4}, -                            Driver:family(), nodelay()] ++ Opts, -                           net_kernel:connecttime()) of -			{ok, #sslsocket{pid = DistCtrl} = SslSocket} -> -                            _ = monitor_pid(DistCtrl), -                            ok = ssl:controlling_process(SslSocket, self()), -                            HSData0 = hs_data_common(SslSocket), -			    HSData = -                                HSData0#hs_data{ -                                  kernel_pid = Kernel, -                                  other_node = Node, -                                  this_node = MyNode, -                                  socket = DistCtrl, -                                  timer = Timer, -                                  this_flags = 0, -                                  other_version = Version, -                                  request_type = Type}, -                            link(DistCtrl), -			    dist_util:handshake_we_started(trace(HSData)); -			Other -> -			    %% Other Node may have closed since  -			    %% port_please ! -			    ?shutdown2( -                               Node, -                               trace( -                                 {ssl_connect_failed, Ip, TcpPort, Other})) -		    end; +                do_setup_connect(Driver, Kernel, Node, Address, Ip, TcpPort, Version, Type, MyNode, Timer);  		Other ->  		    ?shutdown2(                         Node, @@ -575,6 +540,47 @@ do_setup(Driver, Kernel, Node, Type, MyNode, LongOrShortNames, SetupTime) ->                 trace({getaddr_failed, Driver, Address, Other}))      end. +do_setup_connect(Driver, Kernel, Node, Address, Ip, TcpPort, Version, Type, MyNode, Timer) -> +    Opts = +        trace( +            connect_options( +            %% +            %% Use verify_server/3 to verify that +            %% the server's certificate is for Node +            %% +            setup_verify_server( +                get_ssl_options(client), Node))), +    dist_util:reset_timer(Timer), +    case ssl:connect( +        Address, TcpPort, +        [binary, {active, false}, {packet, 4}, +            Driver:family(), nodelay()] ++ Opts, +        net_kernel:connecttime()) of +    {ok, #sslsocket{pid = DistCtrl} = SslSocket} -> +            _ = monitor_pid(DistCtrl), +            ok = ssl:controlling_process(SslSocket, self()), +            HSData0 = hs_data_common(SslSocket), +        HSData = +                HSData0#hs_data{ +                kernel_pid = Kernel, +                other_node = Node, +                this_node = MyNode, +                socket = DistCtrl, +                timer = Timer, +                this_flags = 0, +                other_version = Version, +                request_type = Type}, +            link(DistCtrl), +    dist_util:handshake_we_started(trace(HSData)); +    Other -> +    %% Other Node may have closed since +    %% port_please ! +    ?shutdown2( +            Node, +            trace( +                {ssl_connect_failed, Ip, TcpPort, Other})) +    end. +  close(Socket) ->      gen_close(inet, Socket). @@ -644,6 +650,16 @@ verify_server(PeerCert, valid_peer, {CertNodesFun,Node} = S) ->  %% ------------------------------------------------------------ +%% Determine if EPMD module supports address resolving. Default +%% is to use inet_tcp:getaddr/2. +%% ------------------------------------------------------------ +get_address_resolver(EpmdModule, Driver) -> +    case erlang:function_exported(EpmdModule, address_please, 3) of +        true -> {EpmdModule, address_please}; +        _    -> {Driver, getaddr} +    end. + +%% ------------------------------------------------------------  %% Do only accept new connection attempts from nodes at our  %% own LAN, if the check_ip environment parameter is true.  %% ------------------------------------------------------------ diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index 0956d3501d..3f8b9a8a9b 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -2230,7 +2230,7 @@ filter(DerCert, Ciphers0, Version) ->                  Ciphers0, Version, OtpCert),      {_, Sign} = public_key:pkix_sign_types(SigAlg#'SignatureAlgorithm'.algorithm),      filter_suites_signature(Sign, Ciphers, Version). -  +  %%--------------------------------------------------------------------  -spec filter_suites([erl_cipher_suite()] | [cipher_suite()], map()) ->                             [erl_cipher_suite()] |  [cipher_suite()]. @@ -2662,29 +2662,33 @@ next_iv(Bin, IV) ->      <<_:FirstPart/binary, NextIV:IVSz/binary>> = Bin,      NextIV. - -filter_suites_pubkey(rsa, CiphersSuites0, Version, OtpCert) -> +filter_suites_pubkey(rsa, CiphersSuites0, _Version, OtpCert) ->      KeyUses = key_uses(OtpCert), +    NotECDSAKeyed = (CiphersSuites0 -- ec_keyed_suites(CiphersSuites0))  +        -- dss_keyed_suites(CiphersSuites0),      CiphersSuites = filter_keyuse_suites(keyEncipherment, KeyUses, -                                         (CiphersSuites0 -- ec_keyed_suites(CiphersSuites0))  -                                         -- dss_keyed_suites(CiphersSuites0), +                                         NotECDSAKeyed,                                           rsa_suites_encipher(CiphersSuites0)),      filter_keyuse_suites(digitalSignature, KeyUses, CiphersSuites, -                         rsa_signed_suites(CiphersSuites, Version)); -filter_suites_pubkey(dsa, Ciphers, _, _OtpCert) ->   -    (Ciphers -- rsa_keyed_suites(Ciphers)) -- ec_keyed_suites(Ciphers); +                         rsa_ecdhe_dhe_suites(CiphersSuites)); +filter_suites_pubkey(dsa, Ciphers, _, OtpCert) ->   +    KeyUses = key_uses(OtpCert), +    NotECRSAKeyed =  (Ciphers -- rsa_keyed_suites(Ciphers)) -- ec_keyed_suites(Ciphers), +    filter_keyuse_suites(digitalSignature, KeyUses, NotECRSAKeyed, +                         dss_dhe_suites(Ciphers));  filter_suites_pubkey(ec, Ciphers, _, OtpCert) -> -    Uses = key_uses(OtpCert),   -    filter_keyuse_suites(digitalSignature, Uses, -                         (Ciphers -- rsa_keyed_suites(Ciphers)) -- dss_keyed_suites(Ciphers), -                         ecdsa_sign_suites(Ciphers)). +    Uses = key_uses(OtpCert), +    NotRSADSAKeyed = (Ciphers -- rsa_keyed_suites(Ciphers)) -- dss_keyed_suites(Ciphers), +    CiphersSuites = filter_keyuse_suites(digitalSignature, Uses, NotRSADSAKeyed, +                                   ec_ecdhe_suites(Ciphers)), +    filter_keyuse_suites(keyAgreement, Uses, CiphersSuites, ec_ecdh_suites(Ciphers)).  filter_suites_signature(rsa, Ciphers, Version) -> -    Ciphers -- ecdsa_signed_suites(Ciphers, Version) -- dsa_signed_suites(Ciphers, Version); +    (Ciphers -- ecdsa_signed_suites(Ciphers, Version)) -- dsa_signed_suites(Ciphers, Version);  filter_suites_signature(dsa, Ciphers, Version) -> -    Ciphers -- ecdsa_signed_suites(Ciphers, Version) -- rsa_signed_suites(Ciphers, Version); +    (Ciphers -- ecdsa_signed_suites(Ciphers, Version)) -- rsa_signed_suites(Ciphers, Version);  filter_suites_signature(ecdsa, Ciphers, Version) -> -    Ciphers -- rsa_signed_suites(Ciphers, Version) -- dsa_signed_suites(Ciphers, Version). +    (Ciphers -- rsa_signed_suites(Ciphers, Version)) -- dsa_signed_suites(Ciphers, Version).  %% From RFC 5246 - Section  7.4.2.  Server Certificate @@ -2751,8 +2755,6 @@ rsa_keyed(rsa_psk) ->      true;  rsa_keyed(srp_rsa) ->       true; -rsa_keyed(ecdhe_rsa) ->  -    true;  rsa_keyed(_) ->       false. @@ -2793,24 +2795,22 @@ dsa_signed_suites(Ciphers, Version) ->                               cipher_filters => [],                               mac_filters => [],                               prf_filters => []}). - -dsa_signed({3,N}) when N >= 3 -> -    fun(dhe_dss) -> true; -       (ecdhe_dss) -> true; -       (_) -> false -    end;  dsa_signed(_) ->      fun(dhe_dss) -> true; -       (ecdh_dss) -> true; -       (ecdhe_dss) -> true;         (_) -> false      end. +dss_dhe_suites(Ciphers) -> +    filter_suites(Ciphers, #{key_exchange_filters => [fun(dhe_dss) -> true; +                                                         (_) -> false +                                                      end], +                             cipher_filters => [], +                             mac_filters => [], +                             prf_filters => []}). +  ec_keyed(ecdh_ecdsa) ->      true; -ec_keyed(ecdhe_ecdsa) ->  -    true; -ec_keyed(ecdh_rsa) ->  +ec_keyed(ecdh_rsa) ->      true;  ec_keyed(_) ->       false. @@ -2822,9 +2822,28 @@ ec_keyed_suites(Ciphers) ->                               mac_filters => [],                               prf_filters => []}). -%% EC Certs key can be used for signing -ecdsa_sign_suites(Ciphers)-> +%% EC Certs key usage keyAgreement +ec_ecdh_suites(Ciphers)-> +    filter_suites(Ciphers, #{key_exchange_filters => [fun(ecdh_ecdsa) -> true; +                                                         (_) -> false +                                                      end], +                             cipher_filters => [], +                             mac_filters => [], +                             prf_filters => []}). + +%% EC Certs key usage digitalSignature +ec_ecdhe_suites(Ciphers) ->      filter_suites(Ciphers, #{key_exchange_filters => [fun(ecdhe_ecdsa) -> true; +                                                         (ecdhe_rsa) -> true; +                                                         (_) -> false +                                                      end], +                             cipher_filters => [], +                             mac_filters => [], +                             prf_filters => []}). +%% RSA Certs key usage digitalSignature +rsa_ecdhe_dhe_suites(Ciphers) -> +    filter_suites(Ciphers, #{key_exchange_filters => [fun(dhe_rsa) -> true; +                                                         (ecdhe_rsa) -> true;                                                           (_) -> false                                                        end],                               cipher_filters => [], @@ -2837,11 +2856,14 @@ key_uses(OtpCert) ->      Extensions = ssl_certificate:extensions_list(TBSExtensions),      case ssl_certificate:select_extension(?'id-ce-keyUsage', Extensions) of  	undefined -> -	    undefined; +	    [];  	#'Extension'{extnValue = KeyUses} ->              KeyUses      end. +%% If no key-usage extension is defined all key-usages are allowed +filter_keyuse_suites(_, [], CiphersSuites, _) -> +    CiphersSuites;  filter_keyuse_suites(Use, KeyUse, CipherSuits, Suites) ->      case ssl_certificate:is_valid_key_usage(KeyUse, Use) of  	true -> diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 090e7b69b7..ebbb633b22 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -2233,13 +2233,12 @@ sign_algo(Alg) ->  is_acceptable_hash_sign(Algos, _, _, KeyExAlgo, SupportedHashSigns) when         KeyExAlgo == dh_dss;        KeyExAlgo == dh_rsa; -      KeyExAlgo == ecdh_ecdsa;        KeyExAlgo == ecdh_rsa;        KeyExAlgo == ecdh_ecdsa        ->      %% *dh_* could be called only *dh in TLS-1.2      is_acceptable_hash_sign(Algos, SupportedHashSigns);  -is_acceptable_hash_sign(Algos, rsa, ecdsa, ecdh_rsa, SupportedHashSigns) -> +is_acceptable_hash_sign(Algos, rsa, ecdsa, ecdhe_rsa, SupportedHashSigns) ->      is_acceptable_hash_sign(Algos, SupportedHashSigns);   is_acceptable_hash_sign({_, rsa} = Algos, rsa, _, dhe_rsa, SupportedHashSigns) ->      is_acceptable_hash_sign(Algos, SupportedHashSigns);  @@ -2270,7 +2269,7 @@ is_acceptable_hash_sign(_, _, _, KeyExAlgo, _) when        KeyExAlgo == ecdhe_anon             ->      true;  -is_acceptable_hash_sign(_,_, _,_,_) -> +is_acceptable_hash_sign(_,_,_,_,_) ->      false.					  is_acceptable_hash_sign(Algos, SupportedHashSigns) ->      lists:member(Algos, SupportedHashSigns). diff --git a/lib/ssl/test/ssl_ECC.erl b/lib/ssl/test/ssl_ECC.erl index 2096cf8166..36d949f74b 100644 --- a/lib/ssl/test/ssl_ECC.erl +++ b/lib/ssl/test/ssl_ECC.erl @@ -34,53 +34,65 @@  %% ECDH_RSA   client_ecdh_rsa_server_ecdh_rsa(Config) when is_list(Config) -> +    Ext = x509_test:extensions([{key_usage, [keyAgreement]}]),      Suites = all_rsa_suites(Config),      Default = ssl_test_lib:default_cert_chain_conf(), -    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},  +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, +                                                        [[], [], [{extensions, Ext}]]},                                                         {client_chain, Default}],                                                        ecdh_rsa, ecdh_rsa, Config),      ssl_test_lib:basic_test(ssl_test_lib:ssl_options(COpts, Config),                  ssl_test_lib:ssl_options(SOpts, Config),                 [{check_keyex, ecdh_rsa}, {ciphers, Suites} | proplists:delete(check_keyex, Config)]).  client_ecdhe_rsa_server_ecdh_rsa(Config)  when is_list(Config) -> +    Ext = x509_test:extensions([{key_usage, [keyAgreement]}]),      Suites = all_rsa_suites(Config),      Default = ssl_test_lib:default_cert_chain_conf(), -    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},  +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, +                                                        [[], [], [{extensions, Ext}]]},                                                         {client_chain, Default}],                                                         ecdhe_rsa, ecdh_rsa, Config),      ssl_test_lib:basic_test(ssl_test_lib:ssl_options(COpts, Config),                  ssl_test_lib:ssl_options(SOpts, Config),                   [{check_keyex, ecdh_rsa}, {ciphers, Suites} | proplists:delete(check_keyex, Config)]).  client_ecdhe_ecdsa_server_ecdh_rsa(Config)  when is_list(Config) -> +    Ext = x509_test:extensions([{key_usage, [keyAgreement]}]),      Suites = all_rsa_suites(Config),      Default = ssl_test_lib:default_cert_chain_conf(), -    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},  +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, +                                                        [[], [], [{extensions, Ext}]]},                                                         {client_chain, Default}],                                                        ecdhe_ecdsa, ecdh_rsa, Config),      ssl_test_lib:basic_test(ssl_test_lib:ssl_options(COpts, Config),  -               ssl_test_lib:ssl_options(SOpts, Config), -               [{check_keyex, ecdh_rsa}, {ciphers, Suites} | proplists:delete(check_keyex, Config)]). +                            ssl_test_lib:ssl_options(SOpts, Config), +                            [{check_keyex, ecdh_rsa}, {ciphers, Suites} | proplists:delete(check_keyex, Config)]).  %% ECDHE_RSA      client_ecdh_rsa_server_ecdhe_rsa(Config)  when is_list(Config) -> +    Ext = x509_test:extensions([{key_usage, [digitalSignature]}]),      Default = ssl_test_lib:default_cert_chain_conf(), -    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},  +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, +                                                        [[], [], [{extensions, Ext}]]},                                                         {client_chain, Default}],                                                         ecdh_rsa, ecdhe_rsa, Config),      ssl_test_lib:basic_test(ssl_test_lib:ssl_options(COpts, Config),                  ssl_test_lib:ssl_options(SOpts, Config),                  [{check_keyex, ecdhe_rsa} | proplists:delete(check_keyex, Config)]).  client_ecdhe_rsa_server_ecdhe_rsa(Config)  when is_list(Config) -> +    Ext = x509_test:extensions([{key_usage, [digitalSignature]}]),      Default = ssl_test_lib:default_cert_chain_conf(), -    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},  +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, +                                                        [[], [], [{extensions, Ext}]]},                                                         {client_chain, Default}],                                                         ecdhe_rsa, ecdhe_rsa, Config),      ssl_test_lib:basic_test(ssl_test_lib:ssl_options(COpts, Config),  -               ssl_test_lib:ssl_options(SOpts, Config),   +                            ssl_test_lib:ssl_options(SOpts, Config),                 [{check_keyex, ecdhe_rsa} | proplists:delete(check_keyex, Config)]).  client_ecdhe_ecdsa_server_ecdhe_rsa(Config)  when is_list(Config) -> +    Ext = x509_test:extensions([{key_usage, [digitalSignature]}]),      Default = ssl_test_lib:default_cert_chain_conf(), -    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},  +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, +                                                        [[], [], [{extensions, Ext}]]},                                                         {client_chain, Default}],                                                        ecdh_ecdsa, ecdhe_rsa, Config),      ssl_test_lib:basic_test(ssl_test_lib:ssl_options(COpts, Config),  @@ -122,24 +134,30 @@ client_ecdhe_ecdsa_server_ecdh_ecdsa(Config)  when is_list(Config) ->  %% ECDHE_ECDSA  client_ecdh_rsa_server_ecdhe_ecdsa(Config)  when is_list(Config) -> -     Default = ssl_test_lib:default_cert_chain_conf(), -    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},  +    Ext = x509_test:extensions([{key_usage, [digitalSignature]}]), +    Default = ssl_test_lib:default_cert_chain_conf(), +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, +                                                        [[], [], [{extensions, Ext}]]},                                                         {client_chain, Default}],                                                         ecdh_rsa, ecdhe_ecdsa, Config),       ssl_test_lib:basic_test(ssl_test_lib:ssl_options(COpts, Config),                  ssl_test_lib:ssl_options(SOpts, Config),                  [{check_keyex, ecdhe_ecdsa} | proplists:delete(check_keyex, Config)]).  client_ecdh_ecdsa_server_ecdhe_ecdsa(Config)  when is_list(Config) -> +    Ext = x509_test:extensions([{key_usage, [digitalSignature]}]),      Default = ssl_test_lib:default_cert_chain_conf(), -    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},  +    {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, +                                                        [[], [], [{extensions, Ext}]]},                                                         {client_chain, Default}],                                                         ecdh_ecdsa, ecdhe_ecdsa, Config),       ssl_test_lib:basic_test(ssl_test_lib:ssl_options(COpts, Config),                  ssl_test_lib:ssl_options(SOpts, Config),                 [{check_keyex, ecdhe_ecdsa} | proplists:delete(check_keyex, Config)]).  client_ecdhe_ecdsa_server_ecdhe_ecdsa(Config)  when is_list(Config) -> +    Ext = x509_test:extensions([{key_usage, [digitalSignature]}]),      Default = ssl_test_lib:default_cert_chain_conf(), -     {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},  +     {COpts, SOpts} = ssl_test_lib:make_ec_cert_chains([{server_chain, +                                                         [[], [], [{extensions, Ext}]]},                                                          {client_chain, Default}],                                                          ecdhe_ecdsa, ecdhe_ecdsa, Config),      ssl_test_lib:basic_test(ssl_test_lib:ssl_options(COpts, Config),  | 
