From 1ed5fdcb034b4930f1a7243313d40f80fd281287 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Tue, 27 Nov 2018 16:44:11 +0100 Subject: ssl: Fix cipher suite selection Accept only TLS 1.3 ciphers when TLS 1.3 is selected. Change-Id: I4e934d344f52208263ffdeb31c357dd5727472b9 --- lib/ssl/src/ssl_cipher.erl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/ssl/src/ssl_cipher.erl') diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index 1b6072dbcc..32a60fe5aa 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -578,7 +578,8 @@ crypto_support_filters() -> end]}. is_acceptable_keyexchange(KeyExchange, _Algos) when KeyExchange == psk; - KeyExchange == null -> + KeyExchange == null; + KeyExchange == any -> true; is_acceptable_keyexchange(KeyExchange, Algos) when KeyExchange == dh_anon; KeyExchange == dhe_psk -> -- cgit v1.2.3 From 40a832093a95aac9bc171616b9f11adf108419c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Thu, 6 Dec 2018 15:52:53 +0100 Subject: ssl: Calculate handshake traffic keys Change-Id: Ifdf8978c58c15313e8a7973cff97dda3458f7721 --- lib/ssl/src/ssl_cipher.erl | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) (limited to 'lib/ssl/src/ssl_cipher.erl') diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index 32a60fe5aa..0628299d98 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -34,7 +34,7 @@ -include("tls_handshake_1_3.hrl"). -include_lib("public_key/include/public_key.hrl"). --export([security_parameters/2, security_parameters/3, security_parameters_1_3/3, +-export([security_parameters/2, security_parameters/3, security_parameters_1_3/2, cipher_init/3, nonce_seed/2, decipher/6, cipher/5, aead_encrypt/5, aead_decrypt/6, suites/1, all_suites/1, crypto_support_filters/0, chacha_suites/1, anonymous_suites/1, psk_suites/1, psk_suites_anon/1, 
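Review bot: The new `KeyExchange == any` alternative returns true without consulting `_Algos`, so a suite whose key exchange is the TLS 1.3 placeholder is reported as crypto-supported on key-exchange grounds alone; that is only right if support for the actual (EC)DHE group is filtered elsewhere, and nothing in this commit (limited to ssl_cipher.erl) shows that. Suggest recording the assumption next to the clause: `%% 'any' is the TLS 1.3 placeholder: the group is negotiated via supported_groups and is not checked here`. Style: the guard compares atoms with `==`, where `=:=` is the idiomatic exact comparison, though the surrounding clauses already use `==`. The remaining clauses of `is_acceptable_keyexchange` lie outside the hunk.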
@@ -44,10 +44,10 @@ hash_algorithm/1, sign_algorithm/1, is_acceptable_hash/2, is_fallback/1, random_bytes/1, calc_mac_hash/4, is_stream_ciphersuite/1, signature_scheme/1, - scheme_to_components/1, hash_size/1]). + scheme_to_components/1, hash_size/1, effective_key_bits/1]). %% RFC 8446 TLS 1.3 --export([generate_client_shares/1, generate_server_share/1]). +-export([generate_client_shares/1, generate_server_share/1, add_zero_padding/2]). -compile(inline). @@ -88,23 +88,13 @@ security_parameters(Version, CipherSuite, SecParams) -> prf_algorithm = prf_algorithm(PrfHashAlg, Version), hash_size = hash_size(Hash)}. -security_parameters_1_3(SecParams, ClientRandom, CipherSuite) -> - #{cipher := Cipher, - mac := Hash, - prf := PrfHashAlg} = ssl_cipher_format:suite_definition(CipherSuite), +security_parameters_1_3(SecParams, CipherSuite) -> + #{cipher := Cipher, prf := PrfHashAlg} = + ssl_cipher_format:suite_definition(CipherSuite), SecParams#security_parameters{ - client_random = ClientRandom, cipher_suite = CipherSuite, bulk_cipher_algorithm = bulk_cipher_algorithm(Cipher), - cipher_type = type(Cipher), - key_size = effective_key_bits(Cipher), - expanded_key_material_length = expanded_key_material(Cipher), - key_material_length = key_material(Cipher), - iv_size = iv_size(Cipher), - mac_algorithm = mac_algorithm(Hash), - prf_algorithm =prf_algorithm(PrfHashAlg, {3,4}), - hash_size = hash_size(Hash), - compression_algorithm = 0}. + prf_algorithm = PrfHashAlg}. %% HKDF hash algorithm %%-------------------------------------------------------------------- -spec cipher_init(cipher_enum(), binary(), binary()) -> #cipher_state{}. 
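Review bot: The rewritten `security_parameters_1_3/2` stores the bare hash atom `PrfHashAlg` in `prf_algorithm`, whereas the TLS 1.2 path (`security_parameters/3`, whose tail is visible at the top of the hunk) stores `prf_algorithm(PrfHashAlg, Version)`, so the same record field now carries two different representations depending on the version and the trailing `%% HKDF hash algorithm` comment is the only hint. A `-spec` and a short header would make the contract explicit, e.g. `%% TLS 1.3: only the cipher and the HKDF hash are taken from the suite; key_size, iv_size and hash_size are not filled in here — callers derive them from Cipher/PrfHashAlg (TODO confirm)`. Note that `hash_size`, `key_size`, `iv_size` and `mac_algorithm` are now left at the record defaults, which any code that still reads them for a 1.3 connection will see; those readers are outside this file's view.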
@@ -1243,3 +1233,18 @@ generate_key_exchange(secp521r1) -> public_key:generate_key({namedCurve, secp521r1}); generate_key_exchange(FFDHE) -> public_key:generate_key(ssl_dh_groups:dh_params(FFDHE)). + + +%% TODO: Move this functionality to crypto! +%% 7.4.1. Finite Field Diffie-Hellman +%% +%% For finite field groups, a conventional Diffie-Hellman [DH76] +%% computation is performed. The negotiated key (Z) is converted to a +%% byte string by encoding in big-endian form and left-padded with zeros +%% up to the size of the prime. This byte string is used as the shared +%% secret in the key schedule as specified above. +add_zero_padding(Bin, PrimeSize) + when byte_size (Bin) =:= PrimeSize -> + Bin; +add_zero_padding(Bin, PrimeSize) -> + add_zero_padding(<<0, Bin/binary>>, PrimeSize). -- cgit v1.2.3 From 4f5f693bf4ece8c102a2f2f10c8d4693d2957a60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Fri, 14 Dec 2018 13:20:14 +0100 Subject: ssl: Add support for x25519 and x448 in ECDH Change-Id: I206b851fc616c53475f4a2935f6f52baf8f3e1e6 --- lib/ssl/src/ssl_cipher.erl | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'lib/ssl/src/ssl_cipher.erl') diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index 0628299d98..46885130d3 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -681,10 +681,9 @@ hash_size(sha) -> hash_size(sha256) -> 32; hash_size(sha384) -> - 48. -%% Uncomment when adding cipher suite that needs it -%hash_size(sha512) -> -% 64. + 48; +hash_size(sha512) -> + 64. %%-------------------------------------------------------------------- %%% Internal functions 
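Review bot: `add_zero_padding/2` never terminates when `byte_size(Bin) > PrimeSize`: the first clause only matches on equality and the second keeps prepending zero bytes, so an oversized input spins forever instead of failing. Prepending one byte per call also copies the binary each round, and the number of rounds depends on how many leading zero bytes the shared secret has; building the padding in a single step avoids both and turns the oversize case into a clean `function_clause`: `add_zero_padding(Bin, PrimeSize) when byte_size(Bin) =< PrimeSize ->` / `    Pad = PrimeSize - byte_size(Bin),` / `    <<0:(Pad * 8), Bin/binary>>.` The `byte_size (Bin)` spacing in the guard is also unusual for this file.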
@@ -888,8 +887,8 @@ scheme_to_components(ecdsa_secp521r1_sha512) -> {sha512, ecdsa, secp521r1}; scheme_to_components(rsa_pss_rsae_sha256) -> {sha256, rsa_pss_rsae, undefined}; scheme_to_components(rsa_pss_rsae_sha384) -> {sha384, rsa_pss_rsae, undefined}; scheme_to_components(rsa_pss_rsae_sha512) -> {sha512, rsa_pss_rsae, undefined}; -%% scheme_to_components(ed25519) -> {undefined, undefined, undefined}; -%% scheme_to_components(ed448) -> {undefined, undefined, undefined}; +scheme_to_components(ed25519) -> {undefined, undefined, undefined}; +scheme_to_components(ed448) -> {undefined, undefined, undefined}; scheme_to_components(rsa_pss_pss_sha256) -> {sha256, rsa_pss_pss, undefined}; scheme_to_components(rsa_pss_pss_sha384) -> {sha384, rsa_pss_pss, undefined}; scheme_to_components(rsa_pss_pss_sha512) -> {sha512, rsa_pss_pss, undefined}; @@ -1231,6 +1230,10 @@ generate_key_exchange(secp384r1) -> public_key:generate_key({namedCurve, secp384r1}); generate_key_exchange(secp521r1) -> public_key:generate_key({namedCurve, secp521r1}); +generate_key_exchange(x25519) -> + crypto:generate_key(ecdh, x25519); +generate_key_exchange(x448) -> + crypto:generate_key(ecdh, x448); generate_key_exchange(FFDHE) -> public_key:generate_key(ssl_dh_groups:dh_params(FFDHE)). -- cgit v1.2.3 From 5550d8265860adec290aaf4a9498ec88b1a31386 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Mon, 17 Dec 2018 09:41:58 +0100 Subject: ssl: Refactor state 'negotiated' Change-Id: I1a2e9b1b639cae0d78b6d25d7b6e761a2d90b7b1 --- lib/ssl/src/ssl_cipher.erl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/ssl/src/ssl_cipher.erl') diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index 46885130d3..bf64ed8b69 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl 
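Review bot: The uncommented `scheme_to_components(ed25519)` and `scheme_to_components(ed448)` clauses both return `{undefined, undefined, undefined}`, so the two EdDSA schemes become indistinguishable once decomposed and any caller that dispatches on the hash or signature element gets `undefined` for them. If this is a deliberate stub, say so at the clauses: `%% EdDSA: no separate hash/curve components yet; callers must special-case these schemes`. Which callers consume the tuple is outside this hunk.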
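Review bot: The new `generate_key_exchange(x25519)` and `generate_key_exchange(x448)` clauses change the shape of the return value: `crypto:generate_key(ecdh, Curve)` yields a `{PublicKey, PrivateKey}` tuple, while the neighbouring `public_key:generate_key({namedCurve, _})` clauses return an `#'ECPrivateKey'{}` record, so every consumer of `generate_key_exchange/1` now has to match two representations. A comment at the clauses would keep the next reader from assuming a single type: `%% NOTE: crypto:generate_key/2 returns {Pub, Priv}, unlike the ECPrivateKey record from public_key:generate_key/1 — callers must accept both`. A `-spec` naming both return forms would let Dialyzer check those consumers, which lie outside this hunk.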
@@ -94,7 +94,8 @@ security_parameters_1_3(SecParams, CipherSuite) -> SecParams#security_parameters{ cipher_suite = CipherSuite, bulk_cipher_algorithm = bulk_cipher_algorithm(Cipher), - prf_algorithm = PrfHashAlg}. %% HKDF hash algorithm + prf_algorithm = PrfHashAlg, %% HKDF hash algorithm + cipher_type = ?AEAD}. %%-------------------------------------------------------------------- -spec cipher_init(cipher_enum(), binary(), binary()) -> #cipher_state{}. -- cgit v1.2.3 From dc9ec91e8ba3e8bdae74c7090a9969211e355f07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Tue, 8 Jan 2019 13:36:53 +0100 Subject: ssl: Improve AEAD encode/decode - Update calculation of nonce and additional data - Update cipher_aead, decipher_aead - Add test for TLS 1.3 encode/decode Change-Id: Id0a5cc68d8746079fb42c0192c0c64405f6d7a72 --- lib/ssl/src/ssl_cipher.erl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/ssl/src/ssl_cipher.erl') diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index bf64ed8b69..4b975d753b 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -44,7 +44,8 @@ hash_algorithm/1, sign_algorithm/1, is_acceptable_hash/2, is_fallback/1, random_bytes/1, calc_mac_hash/4, is_stream_ciphersuite/1, signature_scheme/1, - scheme_to_components/1, hash_size/1, effective_key_bits/1]). + scheme_to_components/1, hash_size/1, effective_key_bits/1, + key_material/1]). %% RFC 8446 TLS 1.3 -export([generate_client_shares/1, generate_server_share/1, add_zero_padding/2]). -- cgit v1.2.3
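Review bot: `cipher_type = ?AEAD` is hard-coded rather than derived from `Cipher` as the TLS 1.2 path does with `type(Cipher)` (dropped from this function in the earlier `@@ -88,23 +88,13 @@` hunk), which holds for the suites RFC 8446 defines but silently labels any other suite passed to this function as AEAD. Either keep the derivation or record the invariant on the line: `cipher_type = ?AEAD  %% RFC 8446: every TLS 1.3 suite is AEAD`. The function head with the `suite_definition/1` match is outside the hunk and appears only in the `@@` context.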