aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/src/ssl_handshake.erl
AgeCommit message (Collapse)Author
2013-03-28SSL: add TLS-SRP (RFC 5054) cipher suitesAndreas Schultz
2013-03-28SSL: add TLS PSK (RFC 4279 and RFC 5487) cipher suitesAndreas Schultz
2013-03-05ssl: Check that negotiated version is a supported version.Ingela Anderton Andin
2013-01-17SSL: simplify server key encoding, decoding and signature handlingAndreas Schultz
server key encoding depends to the negotiated key exchange. Before the encoding was limited to diffie-hellman keys. This changes allows to select the key structure to decode and verify. It also consolidates the transport encoding of the parameters into one place.
2013-01-17SSL: unify the different implementations signature check implementationsAndreas Schultz
ssl_handshake and ssl_connection where doing essentially the same when checking a public key signature. This unify both into a single function
2012-11-18SSL: TLS 1.2, advertise sha224 supportAndreas Schultz
SHA-224 is still better than SHA-1, so let the world know we support it
2012-09-20ssl: Dialyzer fixes and code cleaningIngela Anderton Andin
Types in a record where wrongly type specified, did not include undefined. Make them comments for now, maybe we will specify internal records with dialyzer types later, but as the other record fields are not specified at the moment, with dialyzer types, make the code consistent.
2012-09-20ssl: Changed default behaviour of next protocol negotiation to makeIngela Anderton Andin
more "sense" (be true to the specification).
2012-09-20ssl: Support for SSL Next Protocol NegotiationBen Murphy
* http://technotes.googlecode.com/git/nextprotoneg.html
2012-08-24ssl & public_key: Workaround that some certificates encode countryname as ↵Ingela Anderton Andin
utf8 and close down gracefully if other ASN-1 errors occur. The reason certificate_unknown that is used as ALERT for ASN-1 encoding failure is described as: Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.
2012-08-23ssl: Clean up of code thanks to dialyzerIngela Anderton Andin
2012-08-22ssl & public_key: Add use of more "sha-rsa oids"Ingela Anderton Andin
2012-08-22ssl: TLS 1.2: fix hash and signature handlingAndreas Schultz
with TLS 1.2 the hash and signature on a certify message can differ from the defaults. So we have to make sure to always use the hash and signature algorithm indicated in the handshake message
2012-08-22ssl: TLS 1.2: fix Certificate Request list of Accepted Signatur/Hash ↵Andreas Schultz
combinations
2012-08-22ssl: Add Signature Algorithms hello extension from TLS 1.2Andreas Schultz
This is also avoids triggering some bugs in OpenSSL.
2012-08-22ssl: Signture type bugIngela Anderton Andin
2012-08-22ssl: Dialyzer fixesIngela Anderton Andin
2012-08-22ssl: Implement TLS 1.2 signature supportAndreas Schultz
2012-08-22ssl: Make signature handling version dependantAndreas Schultz
TLS 1.2 introduces changes on how signatures are calculate and encoded. This makes the signature handling version aware
2012-08-22ssl: Fix PRF logicIngela Anderton Andin
2012-08-22ssl: Implement and activate PRFs for TLS 1.1 and 1.2Andreas Schultz
2012-08-22ssl: make PRF function selectableAndreas Schultz
TLS 1.2 allows to negotiate the used PRF, additional the default PRF uses a different hash. This change make the PRF selectable and hardwires the PRF for TLS < 1.2
2012-08-22ssl: Add TLS version to dec_hs/2Andreas Schultz
TLS 1.2 changes the layout of several handshake records. This adds the TLS version to dec_hs/2 so it can decode those.
2012-08-22ssl: Add TLS version to ssl_handshake:key_exchange/3Andreas Schultz
TLS 1.2 changed the way digital signatures are done. key_exchange/3 needs to pass the version to it.
2012-08-22ssl: Calculate handshake hash only when neededAndreas Schultz
TLS/SSL version before 1.2 always used a MD5/SHA combination for the handshake hashes. With TLS 1.2 the default hash is SHA256 and it is possible to negotiate a different hash. This change delays the calculation of the handshake hashes until they are really needed. At that point the hash to use should be known. For now MD5/SHA is still hard coded.
2012-06-08ssl: Move ets:select bottleneck in serverDan Gudmundsson
Only use ssl_manager for selecting new ids to guarantee uniqueness, but reuse check does not need to be performed by the manager.
2012-06-08ssl: Move and avoid ets:select bottleneck in clientIngela Anderton Andin
Do not use ssl_manager process for selecting an id. It's unnecessary to involve the manager process at all on the client side.
2012-03-27Corrected dialyzer specs and exported some dialyzer specsIngela Anderton Andin
2012-03-05Some protocols (e.g. EAP-PEAP, EAP-TLS, EAP-TTLS) that use TLS asAndreas Schultz
transport layer need to generate additional application specific key material. One way to generate such material is to use the TLS PRF and key material from the TLS session itself. This change makes it possible to use a TLS sessions PRF either with the session internal or caller supplied key material to generate additional key material.
2012-02-08User defined verify_fun is now called correctlyIngela Anderton Andin
Background from erlang-questions: > We use this test suite to verify our PKIX-path-validation code, > granted we do not yet support CRL-handling but that is on its > way. Our verify_fun will let you work around the problem that it > is not yet supported. (Not so fun for you perhaps but a possible > solution for now). this is unfortunately not the case since for versions that contain commit 4dbf3c9e4ae7cfd19b247353369166d31b8f15e5 (it is in R14B04 and R15B) the documented behaviour (verify_fun will be called for every certificate) is broken: the verify_fun will only be called, if the certificate contains unknown extensions. it is therefore not useful as a CRL workaround (anymore). best regards Stefan Grundmann
2011-11-23Implementation of 1/n-1 splitting countermeasure Rizzo/Duong-BeastIngela Anderton Andin
The code is refactored and improved to make it easier to insert the 1/n-1 splitting countermeasure Rizzo/Duong-Beast that is really done in one function clause in ssl:record_split_bin/3
2011-11-15Replaced ets:next traversal with ets:foldl and throwIngela Anderton Andin
ets:next needs an explicit safe_fixtable call to be safe, we rather use ets:foldl and throw to get out of it when we find the correct entry.
2011-09-27Both the SSLv3 and TLS 1.0/TLS 1.1 specifications requireIngela Anderton Andin
implementations to ignore data following the ClientHello (i.e., extensions) if they do not understand them. Data not following the protocol format for extensions will be ignored by the last dec_hello_extensions-clause. OTP-8596
2011-09-27fix unknown ssl extension parsing by changing length from bits to bytesBen Murphy
2011-09-05Corrected spec name errors: ip_adress -> ip_address port_num -> port_numberIngela Anderton Andin
2011-08-31Merge branch 'ia/ssl/use-inet-and-gen-specs' into devIngela Anderton Andin
* ia/ssl/use-inet-and-gen-specs: Use inet and gen_* dialyzer specs
2011-08-31Use inet and gen_* dialyzer specsIngela Anderton Andin
2011-08-30Corrected input argument to error_logger:error_report/1Ingela Anderton Andin
2011-06-29Removed global name from the certificate tabelIngela Anderton Andin
We want the certificate table to be handled the same way as the session table and not have a global name, so that we may easier create a separate ssl-manager to handle erlang distribution over ssl.
2011-01-17Verification of a critical extended_key_usage-extension correctedIngela Anderton Andin
When a verify fun is supplied, it should not be called to verify the extended_key_usage-extension when it is already verified by the ssl_certificate:validate_extension/2
2010-12-16Cache invaldation first version does not break old test casesIngela Anderton Andin
2010-11-30Fixed guard and test caseIngela Anderton Andin
Data to sign and verify should be inputed as binaries. Also cleaned up and moved some dialyzer specs.
2010-11-18Added alert in stream cipher case.Ingela Anderton Andin
Also changed alert to BAD_RECORD_MAC as: "differentiating between bad_record_mac and decryption_failed alerts may permit certain attacks against CBC mode as used in TLS [CBCATT]. It is preferable to uniformly use the bad_record_mac alert to hide the specific type of the error." Also cleaned up the code and changed a few other alert reasons in according to alert descriptions in the TLS RFC 4346. And added function terminate_alert/3 so that we can differentiate between a crash in ssl (a bug in our code) and a crash in the application using ssl.
2010-10-21Merge branch 'ia/ssl/certificate-verify/wrong-key-method/OTP-8897' into devBjörn Gustavsson
* ia/ssl/certificate-verify/wrong-key-method/OTP-8897: Correct handling of client certificate verify message Conflicts: lib/ssl/src/ssl_handshake.erl
2010-10-20Correct handling of client certificate verify messageIngela Anderton Andin
When checking the client certificate verify message the server used the wrong algorithm identifier to determine the signing algorithm, causing a function clause error in the public_key application when the key-exchange algorithm and the public key algorithm of the client certificate happen to differ.
2010-10-07Anonymous cipher suitesIngela Anderton Andin
For testing purposes ssl now also support some anonymous cipher suites when explicitly configured to do so. Also moved session cache tests to its own suite, so that timeout of end_per_testcase when the mnesia is used as session cache will not affect other test cases.
2010-09-27Merge branch 'ia/ssl-and-public_key/backwards-compatibility/OTP-8858' into devIngela Anderton Andin
* ia/ssl-and-public_key/backwards-compatibility/OTP-8858: Backwards compatibility Conflicts: lib/ssl/src/ssl_certificate_db.erl Use short INFO-message. Debugging information can be fairly easily recreated so we do not want to clutter the logs.
2010-09-24Backwards compatibilityIngela Anderton Andin
Changed implementation to retain backwards compatibility for old option {verify, 0} that shall be equivalent to {verify, verify_none}, also separate the cases unknown CA and selfsigned peer cert, and restored return value of deprecated function public_key:pem_to_der/1.
2010-09-15Corrected and added dialyzer specsIngela Anderton Andin
2010-09-06Handling of path validation errors by the applicationIngela Anderton Andin
Changed the behavior of the verify_fun option so that the application can be responsible for handling path validation errors even on the server side. Also replaced the not yet documented validate_extensions_fun to be handled by the verify_fun instead. If the verify callback fun returns {fail, Reason}, the verification process is immediately stopped and an alert is sent to the peer and the TLS/SSL handshake is terminated. If the verify callback fun returns {valid, UserState}, the verification process is continued. If the verify callback fun always returns {valid, UserState}, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established. The verify callback fun will also be able to verify application specific extensions.