From fbe15664033aecd247aa3ee7446562639c10a0f4 Mon Sep 17 00:00:00 2001
From: Wil Tan <wil@cloudregistry.net>
Date: Wed, 6 Jan 2010 04:10:10 +1100
Subject: Send CA list during Certificate Request in new_ssl

When requesting for client certificate, an SSL/TLS server may send a
list of the distinguished names of acceptable certificate authorities.
OpenSSL does this by default.
---
 lib/public_key/src/pubkey_cert_records.erl |  2 +-
 lib/ssl/src/ssl_handshake.erl              | 28 +++++++++++++++++++++++++---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/lib/public_key/src/pubkey_cert_records.erl b/lib/public_key/src/pubkey_cert_records.erl
index 36b7c47a9c..7f9f3c84f4 100644
--- a/lib/public_key/src/pubkey_cert_records.erl
+++ b/lib/public_key/src/pubkey_cert_records.erl
@@ -23,7 +23,7 @@
 
 -include("public_key.hrl").
 
--export([decode_cert/2, encode_cert/1, encode_tbs_cert/1]).
+-export([decode_cert/2, encode_cert/1, encode_tbs_cert/1, transform/2]).
 
 -export([old_decode_cert/2, old_encode_cert/1]).  %% Debugging and testing new code.
 
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 829e0c2ba6..85dc61d3aa 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -860,9 +860,31 @@ certificate_types(_) ->
     %% a RSA_FIXED_DH or DSS_FIXED_DH
     <<?BYTE(?RSA_SIGN)>>.
 
-certificate_authorities(_) ->
-    %%TODO Make list of know CA:s
-    <<>>.
+certificate_authorities(CertDbRef) ->
+    Authorities = certificate_authorities_from_db(CertDbRef),
+    Enc = fun(Cert) ->
+	TBSCert = Cert#'OTPCertificate'.tbsCertificate,
+	Subj = pubkey_cert_records:transform(TBSCert#'OTPTBSCertificate'.subject, encode),
+	{ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj),
+	DNEncodedBin = iolist_to_binary(DNEncoded),
+	DNEncodedLen = byte_size(DNEncodedBin),
+	<<?UINT16(DNEncodedLen), DNEncodedBin/binary>>
+    end,
+	list_to_binary(lists:map(Enc, [Cert || {_, Cert} <- Authorities])).
+
+certificate_authorities_from_db(CertDbRef) ->
+    certificate_authorities_from_db(CertDbRef, no_candidate, []).
+
+certificate_authorities_from_db(CertDbRef, PrevKey, Acc) ->
+    case ssl_certificate_db:issuer_candidate(PrevKey) of
+	no_more_candidates ->
+	    lists:reverse(Acc);
+	{{CertDbRef, _, _} = Key, Cert} ->
+	    certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]);
+	{Key, _Cert} ->
+		% skip certs not from this ssl connection
+	    certificate_authorities_from_db(CertDbRef, Key, Acc)
+    end.
 
 digitally_signed(Hashes, #'RSAPrivateKey'{} = Key) ->
     public_key:encrypt_private(Hashes, Key,
-- 
cgit v1.2.3


From bce8acaa10f2265e5454c29097e33680076c7ccb Mon Sep 17 00:00:00 2001
From: Dan Gudmundsson <dgud@erlang.org>
Date: Tue, 12 Jan 2010 13:43:59 +0100
Subject: Code cleanup

---
 lib/ssl/src/ssl_handshake.erl | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 85dc61d3aa..e502c21df4 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -862,15 +862,15 @@ certificate_types(_) ->
 
 certificate_authorities(CertDbRef) ->
     Authorities = certificate_authorities_from_db(CertDbRef),
-    Enc = fun(Cert) ->
-	TBSCert = Cert#'OTPCertificate'.tbsCertificate,
-	Subj = pubkey_cert_records:transform(TBSCert#'OTPTBSCertificate'.subject, encode),
-	{ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj),
-	DNEncodedBin = iolist_to_binary(DNEncoded),
-	DNEncodedLen = byte_size(DNEncodedBin),
-	<<?UINT16(DNEncodedLen), DNEncodedBin/binary>>
-    end,
-	list_to_binary(lists:map(Enc, [Cert || {_, Cert} <- Authorities])).
+    Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) ->
+		  OTPSubj = TBSCert#'OTPTBSCertificate'.subject,
+		  Subj = pubkey_cert_records:transform(OTPSubj, encode),
+		  {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj),
+		  DNEncodedBin = iolist_to_binary(DNEncoded),
+		  DNEncodedLen = byte_size(DNEncodedBin),
+		  <<?UINT16(DNEncodedLen), DNEncodedBin/binary>>
+	  end,
+    list_to_binary([Enc(Cert) || {_, Cert} <- Authorities]).
 
 certificate_authorities_from_db(CertDbRef) ->
     certificate_authorities_from_db(CertDbRef, no_candidate, []).
@@ -882,7 +882,7 @@ certificate_authorities_from_db(CertDbRef, PrevKey, Acc) ->
 	{{CertDbRef, _, _} = Key, Cert} ->
 	    certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]);
 	{Key, _Cert} ->
-		% skip certs not from this ssl connection
+	    %% skip certs not from this ssl connection
 	    certificate_authorities_from_db(CertDbRef, Key, Acc)
     end.
 
-- 
cgit v1.2.3


From c9c70aa3cc4e2087cf0da4c4ba36f3dd4e4e4627 Mon Sep 17 00:00:00 2001
From: Wil Tan <wil@cloudregistry.net>
Date: Thu, 7 Jan 2010 03:18:45 +1100
Subject: new_ssl fix session reuse

When an SSL client presents a previous session ID, the server should
either honour the request to reuse the parameters previously negotiated
for the given session ID, or ignore the request and generate a new
session ID.

In this situation, new_ssl tries to complete the handshake by sending
the client a "Finished" handshake message, which violates the SSL/TLS
specs. It should instead send a ChangeCipherSpec message before sending
the FInished message. This patch fixes it.
---
 lib/ssl/src/ssl_connection.erl | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 178c055cdf..c292fd70c7 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1115,13 +1115,13 @@ do_server_hello(Type, #state{negotiated_version = Version,
 	    case ssl_handshake:master_secret(Version, Session,
 					     ConnectionStates0, server) of
 		{_, ConnectionStates1} ->
-		    {ConnectionStates, Hashes} =
-			finished(State#state{connection_states =
-					     ConnectionStates1}),
-		    {next_state, abbreviated,
-		     next_record(State#state{connection_states = 
-					     ConnectionStates,
-					     tls_handshake_hashes = Hashes})};
+		    {ConnectionStates, Hashes} = 
+			finalize_server_handshake(State#state{connection_states=ConnectionStates1, session = Session}),
+		    NewState = 
+			State#state{connection_states = ConnectionStates,
+				    session = Session,
+				    tls_handshake_hashes = Hashes},
+		    {next_state, abbreviated, next_record(NewState)};
 		#alert{} = Alert ->
 		    handle_own_alert(Alert, Version, hello, State), 
 		    {stop, normal, State}
-- 
cgit v1.2.3


From 5c0e1b1642002cfd906ac5a03b9814ae0836d8c1 Mon Sep 17 00:00:00 2001
From: Dan Gudmundsson <dgud@erlang.org>
Date: Tue, 12 Jan 2010 14:59:08 +0100
Subject: Minor code cleanup

---
 lib/ssl/src/ssl_connection.erl | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index c292fd70c7..8e563f36f9 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1115,13 +1115,12 @@ do_server_hello(Type, #state{negotiated_version = Version,
 	    case ssl_handshake:master_secret(Version, Session,
 					     ConnectionStates0, server) of
 		{_, ConnectionStates1} ->
-		    {ConnectionStates, Hashes} = 
-			finalize_server_handshake(State#state{connection_states=ConnectionStates1, session = Session}),
-		    NewState = 
-			State#state{connection_states = ConnectionStates,
-				    session = Session,
-				    tls_handshake_hashes = Hashes},
-		    {next_state, abbreviated, next_record(NewState)};
+		    State1 = State#state{connection_states=ConnectionStates1, 
+					 session = Session},
+		    {ConnectionStates, Hashes} = finalize_server_handshake(State1),
+		    Resumed = State1#state{connection_states = ConnectionStates,
+					   tls_handshake_hashes = Hashes},
+		    {next_state, abbreviated, next_record(Resumed)};
 		#alert{} = Alert ->
 		    handle_own_alert(Alert, Version, hello, State), 
 		    {stop, normal, State}
-- 
cgit v1.2.3


From fe93630eaef3c403edda47e0531dbd5c11c2aa4a Mon Sep 17 00:00:00 2001
From: Dan Gudmundsson <dgud@erlang.org>
Date: Wed, 13 Jan 2010 13:20:18 +0100
Subject: Added a public_key:pkix_transform/2 instead and used it from ssl.

---
 lib/public_key/src/public_key.erl | 16 +++++++++++++++-
 lib/ssl/src/ssl_handshake.erl     |  2 +-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index b0b0b7a832..b7d0d8c286 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -30,7 +30,7 @@
 	 sign/2, sign/3,
 	 verify_signature/3, verify_signature/4, verify_signature/5,
 	 pem_to_der/1, pem_to_der/2,
-	 pkix_decode_cert/2, pkix_encode_cert/1,
+	 pkix_decode_cert/2, pkix_encode_cert/1, pkix_transform/2,
 	 pkix_is_self_signed/1, pkix_is_fixed_dh_cert/1,
 	 pkix_issuer_id/2,
 	 pkix_is_issuer/2, pkix_normalize_general_name/1,
@@ -161,6 +161,20 @@ pkix_decode_cert(BinCert, Type) ->
 pkix_encode_cert(Cert) ->
     pubkey_cert_records:encode_cert(Cert).
     
+%%--------------------------------------------------------------------
+%% Function: pkix_transform(CertPart, Op) -> TransformedCertPart
+%%
+%%	CertPart = pkix part data
+%%      Op = encode | decode
+%%
+%% Description: Transform parts of a pkix certificate between 'plain' format
+%% and the internal 'otp' format, see pkix_decode_cert/2.
+%% Decode transforms from 'plain' to 'otp' and encode from 'otp' to 'plain'
+%% format.
+%%--------------------------------------------------------------------
+pkix_transform(CertPart, Op) ->
+    pubkey_cert_records:transform(CertPart, Op).
+
 %%--------------------------------------------------------------------
 %% Function: pkix_path_validation(TrustedCert, CertChain, Options) -> 
 %%   {ok, {{algorithm(), public_key(), public_key_params()} policy_tree()}} |
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index e502c21df4..07a9f644fa 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -864,7 +864,7 @@ certificate_authorities(CertDbRef) ->
     Authorities = certificate_authorities_from_db(CertDbRef),
     Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) ->
 		  OTPSubj = TBSCert#'OTPTBSCertificate'.subject,
-		  Subj = pubkey_cert_records:transform(OTPSubj, encode),
+		  Subj = public_key:pkix_transform(OTPSubj, encode),
 		  {ok, DNEncoded} = 'OTP-PUB-KEY':encode('Name', Subj),
 		  DNEncodedBin = iolist_to_binary(DNEncoded),
 		  DNEncodedLen = byte_size(DNEncodedBin),
-- 
cgit v1.2.3