Age | Commit message (Collapse) | Author |
|
|
|
TLS-1.3 needs to handle AEAD inputs diffrently than previous versions.
Refactor code to facilitate TLS-1.3 additions.
Change CHACHA20_POLY1305 NONCE to match RFC 7905. This will be
important later when we fix interop with TLS compatible crypto
invocation.
|
|
|
|
|
|
|
|
|
|
|
|
AEAD handling
|
|
|
|
Beta DTLS, not production ready. Only very basically tested, and
not everything in the SPEC is implemented and some things
are hard coded that should not be, so this implementation can not be consider
secure.
Refactor "TLS connection state" and socket handling, to facilitate
DTLS implementation.
Create dtls "listner" (multiplexor) process that spawns
DTLS connection process handlers.
Handle DTLS fragmentation.
Framework for handling retransmissions.
Replay Detection is not implemented yet.
Alerts currently always handled as in TLS.
|
|
|
|
Conflicts:
lib/ssl/src/dtls_connection.erl
lib/ssl/src/ssl_record.erl
|
|
The MSS might change between sending the a flight and possible
resend. We therefore have to be able to fragment the records
differently for resent.
Encoding and fragmenting of handshake record therefor needs to
be done independently.
With this change the handshake is encoded to it's full length
first, then queued to a flight. The fragmentation is handled
during assembly of the flights datagram.
Conflicts:
lib/ssl/src/dtls_connection.erl
|
|
Some legacy TLS 1.0 software does not tolerate the 1/n-1 content
split BEAST mitigation technique. This commit adds a beast_mitigation
SSL option (defaulting to one_n_minus_one) to select or disable the
BEAST mitigation technique.
Valid option values are (one_n_minus_one | zero_n | disabled).
|
|
ssl already used crypto:strong_rand_bytes/1 for most operations as
its use cases are mostly cryptographical. Now crypto:strong_rand_bytes/1
will be used everywhere.
However crypto:rand_bytes/1 was used as fallback if
crypto:strong_rand_bytes/1 throws low_entropy, this
will no longer be the case. This is a potential incompatibility.
The fallback was introduced a long time ago for interoperability reasons.
Now days this should not be a problem, and if it is, the security
compromise is not acceptable anyway.
|
|
|
|
|
|
|
|
disable option
|
|
|
|
|
|
Conflicts:
lib/ssl/src/dtls_record.erl
|
|
|
|
|
|
|
|
Also refactor so that TLS and DTLS can have common functions when possible.
|
|
Also phase in tls module as main API instead of ssl. To
make API clearer. As TLS is the new protocol name.
Maybe keep some API functions in ssl
|
|
|
|
Use the functions in crypto that we want to keep in the API.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
With TLS 1.2 the handling of the IV in cipher blocks
changed. This prepares ssl_cipher:cipher/5 for that
change by passing the TLS version into it and allowing
generic_block_cipher_from_bin/4 to overload the IV.
|
|
Rizzo/Duong-Beast attack.
|
|
The code is refactored and improved to make it easier to insert the
1/n-1 splitting countermeasure Rizzo/Duong-Beast that is really done
in one function clause in ssl:record_split_bin/3
|
|
|
|
|
|
Data to sign and verify should be inputed as binaries.
Also cleaned up and moved some dialyzer specs.
|
|
Also changed alert to BAD_RECORD_MAC as:
"differentiating between bad_record_mac and decryption_failed alerts
may permit certain attacks against CBC mode as used in TLS
[CBCATT]. It is preferable to uniformly use the bad_record_mac
alert to hide the specific type of the error."
Also cleaned up the code and changed a few other alert reasons in
according to alert descriptions in the TLS RFC 4346. And added function
terminate_alert/3 so that we can differentiate between a crash
in ssl (a bug in our code) and a crash in the application using ssl.
|
|
|
|
Cleaned up and documented the public_key API to
make it useful for general use.
|
|
|
|
New ssl now support client/server-certificates signed by dsa keys.
|
|
|
|
|
|
|
|
New ssl now supports secure renegotiation as described by RFC 5746.
|