diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/public_key/src/public_key.erl | 2 | ||||
-rw-r--r-- | lib/ssl/src/dtls_handshake.erl | 3 | ||||
-rw-r--r-- | lib/ssl/src/dtls_record.erl | 6 | ||||
-rw-r--r-- | lib/ssl/src/dtls_v1.erl | 2 | ||||
-rw-r--r-- | lib/ssl/src/ssl_connection.erl | 6 | ||||
-rw-r--r-- | lib/ssl/src/ssl_connection.hrl | 84 | ||||
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 13 | ||||
-rw-r--r-- | lib/ssl/src/ssl_srp.hrl | 7 | ||||
-rw-r--r-- | lib/ssl/src/tls_connection.hrl | 9 |
9 files changed, 73 insertions, 59 deletions
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index a4b6b8ad15..ceecbcc7f2 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -333,7 +333,7 @@ encrypt_private(PlainText, crypto:private_encrypt(rsa, PlainText, format_rsa_private_key(Key), Padding). %%-------------------------------------------------------------------- --spec generate_key(#'DHParameter'{} | {namedCurve, Name ::atom()} | +-spec generate_key(#'DHParameter'{} | {namedCurve, Name ::oid()} | #'ECParameters'{}) -> {Public::binary(), Private::binary()} | #'ECPrivateKey'{}. %% Description: Generates a new keypair diff --git a/lib/ssl/src/dtls_handshake.erl b/lib/ssl/src/dtls_handshake.erl index 6a54c5a305..ec7f21bd35 100644 --- a/lib/ssl/src/dtls_handshake.erl +++ b/lib/ssl/src/dtls_handshake.erl @@ -110,7 +110,7 @@ encode_handshake(Package, Version, MsgSeq, Mss) -> %-------------------------------------------------------------------- -spec get_dtls_handshake(#ssl_tls{}, #dtls_hs_state{} | binary()) -> - {[dtls_handshake()], #ssl_tls{}}. + {[dtls_handshake()], #dtls_hs_state{}} | {retransmit, #dtls_hs_state{}}. % % Description: Given a DTLS state and new data from ssl_record, collects % and returns it as a list of handshake messages, also returns a new @@ -190,7 +190,6 @@ get_dtls_handshake_aux(Version, SeqNo, get_dtls_handshake_aux(_Version, _SeqNo, <<>>, HsState) -> {lists:reverse(HsState#dtls_hs_state.completed), - HsState#dtls_hs_state.highest_record_seq, HsState#dtls_hs_state{completed = []}}. dec_dtls_fragment(Version, SeqNo, Type, Length, MessageSeq, MsgBody, diff --git a/lib/ssl/src/dtls_record.erl b/lib/ssl/src/dtls_record.erl index 7959c4d860..b0a7976864 100644 --- a/lib/ssl/src/dtls_record.erl +++ b/lib/ssl/src/dtls_record.erl @@ -296,7 +296,8 @@ connection_state_by_epoch(#connection_states{pending_write = CS}, Epoch, write) CS. %%-------------------------------------------------------------------- -spec set_connection_state_by_epoch(#connection_states{}, - #connection_state{}, read | write) -> ok. + #connection_state{}, read | write) + -> #connection_states{}. %% %% Description: Returns the instance of the connection_state record %% that is defined by the Epoch. @@ -337,7 +338,8 @@ calc_mac_hash(#connection_state{mac_secret = MacSecret, security_parameters = #security_parameters{mac_algorithm = MacAlg}}, Type, Version, Epoch, SeqNo, Fragment) -> Length = erlang:iolist_size(Fragment), - mac_hash(Version, MacAlg, MacSecret, (Epoch bsl 48) + SeqNo, Type, + NewSeq = (Epoch bsl 48) + SeqNo, + mac_hash(Version, MacAlg, MacSecret, NewSeq, Type, Length, Fragment). mac_hash(Version, MacAlg, MacSecret, SeqNo, Type, Length, Fragment) -> diff --git a/lib/ssl/src/dtls_v1.erl b/lib/ssl/src/dtls_v1.erl index c12e12e424..6e41641483 100644 --- a/lib/ssl/src/dtls_v1.erl +++ b/lib/ssl/src/dtls_v1.erl @@ -28,7 +28,7 @@ suites(Minor) -> tls_v1:suites(corresponding_minor_tls_version(Minor)). mac_hash(Version, MacAlg, MacSecret, SeqNo, Type, Length, Fragment) -> - tls_v1:mac_hash(MacAlg, MacSecret, SeqNo, Type, Version, + tls_v1:mac_hash(MacAlg, MacSecret, SeqNo, Type, corresponding_tls_version(Version), Length, Fragment). ecc_curves({_Major, Minor}) -> diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 7e43af08e5..2f5890ed31 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -917,13 +917,15 @@ calculate_secret(#server_dh_params{dh_p = Prime, dh_g = Base, dh_y = ServerPubli Keys = {_, PrivateDhKey} = crypto:generate_key(dh, [Prime, Base]), PremasterSecret = ssl_handshake:premaster_secret(ServerPublicDhKey, PrivateDhKey, Params), - calculate_master_secret(PremasterSecret, State#state{diffie_hellman_keys = Keys}, Connection, certify, certify); + calculate_master_secret(PremasterSecret, + State#state{diffie_hellman_keys = Keys}, Connection, certify, certify); calculate_secret(#server_ecdh_params{curve = ECCurve, public = ECServerPubKey}, State, Connection) -> ECDHKeys = public_key:generate_key(ECCurve), PremasterSecret = ssl_handshake:premaster_secret(#'ECPoint'{point = ECServerPubKey}, ECDHKeys), - calculate_master_secret(PremasterSecret, State#state{diffie_hellman_keys = ECDHKeys}, Connection, certify, certify); + calculate_master_secret(PremasterSecret, + State#state{diffie_hellman_keys = ECDHKeys}, Connection, certify, certify); calculate_secret(#server_psk_params{ hint = IdentityHint}, diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl index 92134dfeb3..a444f2ae03 100644 --- a/lib/ssl/src/ssl_connection.hrl +++ b/lib/ssl/src/ssl_connection.hrl @@ -26,50 +26,56 @@ -ifndef(ssl_connection). -define(ssl_connection, true). +-include("ssl_internal.hrl"). +-include("ssl_record.hrl"). +-include("ssl_handshake.hrl"). +-include("ssl_srp.hrl"). +-include_lib("public_key/include/public_key.hrl"). + -record(state, { - role :: client | server, - user_application :: {Monitor::reference(), User::pid()}, - transport_cb :: atom(), % callback module - data_tag :: atom(), % ex tcp. - close_tag :: atom(), % ex tcp_closed - error_tag :: atom(), % ex tcp_error - host, % string() | ipadress() - port :: integer(), - socket, % socket() - ssl_options, % #ssl_options{} - socket_options, % #socket_options{} - connection_states, % #connection_states{} from ssl_record.hrl - protocol_buffers, - tls_handshake_history, % tls_handshake_history() - cert_db, % - session, % #session{} from tls_handshake.hrl - session_cache, % - session_cache_cb, % - negotiated_version, % tls_version() - client_certificate_requested = false, - key_algorithm, % atom as defined by cipher_suite + role :: client | server, + user_application :: {Monitor::reference(), User::pid()}, + transport_cb :: atom(), % callback module + data_tag :: atom(), % ex tcp. + close_tag :: atom(), % ex tcp_closed + error_tag :: atom(), % ex tcp_error + host :: string() | inet:ipaddress(), + port :: integer(), + socket :: port(), + ssl_options :: #ssl_options{}, + socket_options :: #socket_options{}, + connection_states :: #connection_states{}, + protocol_buffers :: term(), %% #protocol_buffers{} from tls_record.hrl or dtls_recor.hrl + tls_handshake_history ::tls_handshake_history(), + cert_db :: reference(), + session :: #session{}, + session_cache :: db_handle(), + session_cache_cb :: atom(), + negotiated_version :: tls_version(), + client_certificate_requested = false :: boolean(), + key_algorithm :: key_algo(), hashsign_algorithm = {undefined, undefined}, cert_hashsign_algorithm, - public_key_info, % PKIX: {Algorithm, PublicKey, PublicKeyParams} - private_key, % PKIX: #'RSAPrivateKey'{} + public_key_info ::public_key_info(), + private_key ::public_key:private_key(), diffie_hellman_params, % PKIX: #'DHParameter'{} relevant for server side diffie_hellman_keys, % {PublicKey, PrivateKey} - psk_identity, % binary() - server psk identity hint - srp_params, % #srp_user{} - srp_keys, % {PublicKey, PrivateKey} - premaster_secret, % - file_ref_db, % ets() - cert_db_ref, % ref() - bytes_to_read, % integer(), # bytes to read in passive mode - user_data_buffer, % binary() - renegotiation, % {boolean(), From | internal | peer} - start_or_recv_from, % "gen_fsm From" - timer, % start_or_recv_timer - send_queue, % queue() - terminated = false ::boolean(), - allow_renegotiate = true ::boolean(), - expecting_next_protocol_negotiation = false :: boolean(), - next_protocol = undefined :: undefined | binary(), + psk_identity :: binary(), % server psk identity hint + srp_params :: #srp_user{}, + srp_keys ::{PublicKey :: binary(), PrivateKey :: binary()}, + premaster_secret :: binary(), + file_ref_db :: db_handle(), + cert_db_ref :: certdb_ref(), + bytes_to_read :: undefined | integer(), %% bytes to read in passive mode + user_data_buffer :: undefined | binary(), + renegotiation :: undefined | {boolean(), From::term() | internal | peer}, + start_or_recv_from :: term(), + timer :: undefined | reference(), % start_or_recive_timer + send_queue :: queue(), + terminated = false ::boolean(), + allow_renegotiate = true ::boolean(), + expecting_next_protocol_negotiation = false ::boolean(), + next_protocol = undefined :: undefined | binary(), client_ecc % {Curves, PointFmt} }). diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index d4dd886aab..bf091b4600 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -1045,13 +1045,12 @@ select_session(SuggestedSessionId, CipherSuites, Compressions, Port, #session{ec {resumed, Resumed} end. -supported_ecc(Version) -> - case tls_v1:ecc_curves(Version) of - [] -> - undefined; - Curves -> - #elliptic_curves{elliptic_curve_list = Curves} - end. +supported_ecc({Major, Minor} = Version) when ((Major == 3) and (Minor >= 1)) orelse (Major > 3) -> + Curves = tls_v1:ecc_curves(Version), + #elliptic_curves{elliptic_curve_list = Curves}; +supported_ecc(_) -> + undefined. + %%-------------certificate handling -------------------------------- certificate_types({KeyExchange, _, _, _}) diff --git a/lib/ssl/src/ssl_srp.hrl b/lib/ssl/src/ssl_srp.hrl index ab2be33ab2..af56a91194 100644 --- a/lib/ssl/src/ssl_srp.hrl +++ b/lib/ssl/src/ssl_srp.hrl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2012. All Rights Reserved. +%% Copyright Ericsson AB 2007-2013. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -23,9 +23,14 @@ %% see RFC 5054 %%---------------------------------------------------------------------- +-ifndef(ssl_srp). +-define(ssl_srp, true). + -record(srp_user, { generator :: binary(), prime :: binary(), salt :: binary(), verifier :: binary() }). + +-endif. % -ifdef(ssl_srp). diff --git a/lib/ssl/src/tls_connection.hrl b/lib/ssl/src/tls_connection.hrl index f802f2afa9..2beecbb84d 100644 --- a/lib/ssl/src/tls_connection.hrl +++ b/lib/ssl/src/tls_connection.hrl @@ -26,12 +26,13 @@ -define(tls_connection, true). -include("ssl_connection.hrl"). +-include("tls_record.hrl"). -record(protocol_buffers, { - tls_packets = [] :: [binary()], % Not yet handled decode SSL/TLS packets. - tls_record_buffer = <<>> :: binary(), % Buffer of incomplete records - tls_handshake_buffer = <<>> :: binary(), % Buffer of incomplete handshakes - tls_cipher_texts = [] :: [binary()] + tls_packets = [], %% :: [#ssl_tls{}], % Not yet handled decode SSL/TLS packets. + tls_record_buffer = <<>>, %% :: binary(), % Buffer of incomplete records + tls_handshake_buffer = <<>>, %% :: binary(), % Buffer of incomplete handshakes + tls_cipher_texts = [] %%:: [binary()] }). -endif. % -ifdef(tls_connection). |