Age | Commit message (Collapse) | Author |
|
|
|
With TLS 1.2 the handling of the IV in cipher blocks
changed. This prepares ssl_cipher:cipher/5 for that
change by passing the TLS version into it and allowing
generic_block_cipher_from_bin/4 to overload the IV.
|
|
TLS/SSL version before 1.2 always used a MD5/SHA combination
for the handshake hashes. With TLS 1.2 the default hash is
SHA256 and it is possible to negotiate a different hash.
This change delays the calculation of the handshake
hashes until they are really needed. At that point the hash
to use should be known.
For now MD5/SHA is still hard coded.
|
|
* ia/ssl/recv-bug/OTP-10118:
ssl: Fix bug in the handling of remote connection closure of {active,false} ssl sockets.
|
|
A general case clause was put before a less general so that the less
general case would never match.
|
|
ssl sockets.
|
|
* ia/ssl/bottlenecks/OTP-10113:
ssl: Test case fixes
ssl: Avoid second bottleneck in supervisor
ssl: File handling optimization
ssl: Simpler PEM cache
ssl: Refactored for readability
ssl: Use md5 as file ref id instead of filenames
ssl: Move ets:select bottleneck in server
ssl: Renegotiate updates session id in gen_fsm state
ssl: Use ordered_set in cache
ssl: Move and avoid ets:select bottleneck in client
ssl: Reuse session check optimization
ssl: Avoid supervior bottleneck
|
|
Do proc_lib:spawn_link instead of proc_lib:start_link as synchronized
init is not used/needed anyway.
|
|
Avoid cach validation with file:file_info/2 as this i too expensive and
causes a bottleneck in the file server. Instead we expose a new API function
ssl:clear_pem_cache/0 to deal with the problem. As we think it will be
of occasional use and the normal case is that the cache will be valid we think
it is the right thing to do.
Convert file paths to binary representation in the ssl API module to
avoid uncessarry calls in file later on.
Also add sanity checks for openssl versions in testsuite due to new
openssl bugs.
|
|
|
|
Instance of state variable that are "updated" in a function is called
for example State0 and the last instance, that should be returned, is
called State possible intermidiat versions are suffixed by increasing
numbers. State0 may be rturned in error cases.
Avoid nesting case statments.
|
|
Aviods storing a lot of data
|
|
Only use ssl_manager for selecting new ids to guarantee uniqueness,
but reuse check does not need to be performed by the manager.
|
|
The session id keept in the connection processes state must be updated to be
the id selected by ssl_handshake:client_hello, failing to do so will
cause a crash if the session is not reused.
|
|
So we can use partial bound keys for matching
|
|
Do not use ssl_manager process for selecting an id. It's unnecessary
to involve the manager process at all on the client side.
|
|
|
|
This is done by using proc_lib and gen_fsm:enter_loop
so that supervisor will not have to wait for the relative long initialization
of an ssl connection process before starting another connection process.
|
|
OTP-10106
OTP-10107
|
|
|
|
|
|
|
|
* as/ssl-tls-prf-function:
Some protocols (e.g. EAP-PEAP, EAP-TLS, EAP-TTLS)
that use TLS as transport layer need to generate
additional application specific key material
One way to generate such material is to use the
TLS PRF and key material from the TLS session itself
OTP-10024
|
|
Distribution fixes so no need to soft upgrade.
|
|
transport layer need to generate additional application specific
key material. One way to generate such material is to use the TLS
PRF and key material from the TLS session itself.
This change makes it possible to use a TLS sessions PRF either with
the session internal or caller supplied key material to generate
additional key material.
|
|
* pg/fix-ssl_tls_dist_proxy-setup-loop:
Fix setup loop of SSL TLS dist proxy
OTP-9915
OTP-9916
|
|
* pg/ssl_dist-fixes:
Robustness and improvement to distribution over SSL
|
|
Fix a bug where the caller would timeout and ssl_tls_dist_proxy would
crash.
Fix a bug where a timeout from the SSL layer would block the
distribution forever (typically when a non-SSL node tries to connect to an
SSL node).
Add this very case as a test (test_server tries to connect to SSL nodes).
Run the proxy exclusively on the loopback interface.
|
|
Background from erlang-questions:
> We use this test suite to verify our PKIX-path-validation code,
> granted we do not yet support CRL-handling but that is on its
> way. Our verify_fun will let you work around the problem that it
> is not yet supported. (Not so fun for you perhaps but a possible
> solution for now).
this is unfortunately not the case since for versions that contain
commit 4dbf3c9e4ae7cfd19b247353369166d31b8f15e5 (it is in R14B04 and
R15B) the documented behaviour (verify_fun will be called for every
certificate) is broken: the verify_fun will only be called, if the
certificate contains unknown extensions.
it is therefore not useful as a CRL workaround (anymore).
best regards
Stefan Grundmann
|
|
The proxy socket or the SSL socket can be closed during the setup phase.
In such situations, the proxy processes must exit nicely, to avoid any
leak of processes waiting forever for data from closed sockets.
|
|
|
|
* ia/ssl/session/cleanup-test:
Improve ssl session cleanup test
|
|
Check last delay timer for both client and server side to avoide
timing issues.
|
|
|
|
* ia/ssl/dialyzer-R15:
Callback specs now handled by -callback directive in the behaviour module.
|
|
Rizzo/Duong-Beast attack.
|
|
|
|
evaluating ssl:recv could be left hanging for ever.
|
|
|
|
The code is refactored and improved to make it easier to insert the
1/n-1 splitting countermeasure Rizzo/Duong-Beast that is really done
in one function clause in ssl:record_split_bin/3
|
|
|
|
* ia/ssl/ets-next-problem/OTP-9703:
Replaced ets:next traversal with ets:foldl and throw
|
|
ets:next needs an explicit safe_fixtable call to be safe, we
rather use ets:foldl and throw to get out of it when we find the
correct entry.
|
|
Added session status "new" to mark sessions that are
in the session database to reserve the session id
but not resumable yet and that we want to separate from
sessions that has been invalidated for further reuse.
|
|
The time_stamp filed is now initated in the connection process
init function, so that invalidations of sessions due to handshake failiures,
will not cause sessions in the session table to have
an uninitiated time_stamp field.
|
|
* ia/ssl/prepare-for-relese:
Prepare version and appup for release
|
|
* ia/public_key/ssl/crypto/PKCS-8/OTP-9312:
Add clause for expected input to pubkey:pseudo_random_function/2 when ASN-1 compiler is fixed.
Clean up of public_key code adding specs and documentation
Added PKCS-8 support in ssl
Additions to crypto and public_key needed for full PKCS-8 support
Add PKCS-8 support to public_key
|
|
|
|
|
|
A wrong decryption key would cause a badmatch in
generic_block_cipher_from_bin/2. The try in block_decipher/5 was
probably intendend to deal with that, but was misplace for this.
Additionaly, generating a failure alert erly, without computing the
record MAC, creates vector for a timing attack on CBC padding (for
details check TLS 1.2 RFC 5246, Sect. 6.2.3.2.). This attach vector
and the counter meassure applies to all SSL/TLS versions.
As a counter messure, compute the MAC even when decryption or padding
checks fail. A invalid padding will force a MAC failure by intentionaly
invalidating the content.
|