From 571133751287d93598dc90fe90b58ab4580f4836 Mon Sep 17 00:00:00 2001
From: Andreas Schultz
Date: Fri, 15 Jun 2012 17:35:58 +0200
Subject: ssl: Calculate handshake hash only when needed TLS/SSL version before 1.2 always used a MD5/SHA combination for the handshake hashes. With TLS 1.2 the default hash is SHA256 and it is possible to negotiate a different hash. This change delays the calculation of the handshake hashes until they are really needed. At that point the hash to use should be known. For now MD5/SHA is still hard coded.
---
lib/ssl/src/ssl_handshake.hrl | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib/ssl/src/ssl_handshake.hrl')
diff --git a/lib/ssl/src/ssl_handshake.hrl b/lib/ssl/src/ssl_handshake.hrl
index fb0ebac7d1..8510def2fd 100644
--- a/lib/ssl/src/ssl_handshake.hrl
+++ b/lib/ssl/src/ssl_handshake.hrl
@@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2011. All Rights Reserved. +%% Copyright Ericsson AB 2007-2012. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in
@@ -31,6 +31,7 @@ -type algo_oid() :: ?'rsaEncryption' | ?'id-dsa'. -type public_key_params() :: #'Dss-Parms'{} | term(). -type public_key_info() :: {algo_oid(), #'RSAPublicKey'{} | integer() , public_key_params()}. +-type tls_handshake_history() :: {[binary()], [binary()]}. -record(session, { session_id,
-- cgit v1.2.3
From 7682bd59933f20cba5c32df96a58f252924478a9 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Thu, 28 Jun 2012 16:02:27 +0200
Subject: ssl: Fix PRF logic
---
lib/ssl/src/ssl_handshake.hrl | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'lib/ssl/src/ssl_handshake.hrl')
diff --git a/lib/ssl/src/ssl_handshake.hrl b/lib/ssl/src/ssl_handshake.hrl
index 8510def2fd..20e498ea2e 100644
--- a/lib/ssl/src/ssl_handshake.hrl
+++ b/lib/ssl/src/ssl_handshake.hrl
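Review bot: The new type `tls_handshake_history()` in the `@@ -31,6 +31,7 @@` hunk of "Calculate handshake hash only when needed" has no comment saying what each of the two binary lists holds or in which order messages are accumulated, and that ordering is what the delayed hash calculation depends on. A one-line comment above it would do, for example `%% {Messages, PreviousMessages}: encoded handshake messages (element meaning assumed, confirm against ssl_handshake.erl)`. Since the commit message says the hash is now computed late from retained messages, it would also help to state where the history is released once the Finished messages have been verified; that code is outside this header.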
@@ -33,6 +33,12 @@ -type public_key_info() :: {algo_oid(), #'RSAPublicKey'{} | integer() , public_key_params()}. -type tls_handshake_history() :: {[binary()], [binary()]}. +%% Signature algorithms +-define(ANON, 0). +-define(RSA, 1). +-define(DSA, 2). +-define(ECDSA, 3). + -record(session, { session_id, peer_certificate,
-- cgit v1.2.3
From 0bcbe96a1a68fef87efc43719853edcee2f58720 Mon Sep 17 00:00:00 2001
From: Andreas Schultz
Date: Sun, 8 Apr 2012 03:39:52 +0200
Subject: ssl: Make signature handling version dependant TLS 1.2 introduces changes on how signatures are calculate and encoded. This makes the signature handling version aware
---
lib/ssl/src/ssl_handshake.hrl | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'lib/ssl/src/ssl_handshake.hrl')
diff --git a/lib/ssl/src/ssl_handshake.hrl b/lib/ssl/src/ssl_handshake.hrl
index 20e498ea2e..abe2fa5261 100644
--- a/lib/ssl/src/ssl_handshake.hrl
+++ b/lib/ssl/src/ssl_handshake.hrl
@@ -32,6 +32,7 @@ -type public_key_params() :: #'Dss-Parms'{} | term(). -type public_key_info() :: {algo_oid(), #'RSAPublicKey'{} | integer() , public_key_params()}. -type tls_handshake_history() :: {[binary()], [binary()]}. +-type hash_algo() :: atom(). %% Signature algorithms -define(ANON, 0).
@@ -136,7 +137,8 @@ -record(server_key_exchange, { params, %% #server_rsa_params{} | #server_dh_params{} - signed_params %% #signature{} + signed_params, %% #signature{} + hashsign %% term(atom(), atom()) }). %% enum { anonymous, rsa, dsa } SignatureAlgorithm;
@@ -166,6 +168,7 @@ -record(certificate_request, { certificate_types, %ClientCertificateType <1..2^8-1> + hashsign_algorithms, %%SignatureAndHashAlgorithm <2^16-1>; certificate_authorities %DistinguishedName <0..2^16-1> }).
@@ -200,6 +203,7 @@ %%% Certificate verify - RFC 4346 section 7.4.8 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -record(certificate_verify, { + hashsign_algorithm, signature % binary() }).
-- cgit v1.2.3
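Review bot: The comment `%% Signature algorithms` above the four new macros in the `@@ -33,6 +33,12 @@` hunk does not say that these are the on-the-wire SignatureAlgorithm values of RFC 5246 section 7.4.1.4.1, so a reader cannot tell them from internal tags; `%% SignatureAlgorithm wire values, RFC 5246 section 7.4.1.4.1` would make that explicit. `?ANON`, `?RSA` and `?DSA` are also very short names for a header that other modules include, and a common prefix would avoid clashes, though a rename touches callers not shown here. Because the byte is supplied by the peer, the decoder that maps it onto these macros should presumably reject values outside 0..3 and refuse `?ANON` where a certificate-authenticated suite was negotiated; that code is not in this hunk.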
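Review bot: The `hashsign` field added to `#server_key_exchange{}` in the `@@ -136,7 +137,8 @@` hunk holds a hash/signature pair chosen by the peer, and nothing in the record says it has to be checked against what was offered; the same holds for `hashsign_algorithm` in the `certificate_verify` hunk (`@@ -200,6 +203,7 @@`). RFC 5246 requires the pair in ServerKeyExchange to be one the client listed in its signature_algorithms extension, and the pair in CertificateVerify to be one from the CertificateRequest, so the verification code (outside this header) should fail the handshake otherwise rather than verify with whatever algorithm the message names. The trailing comment `%% term(atom(), atom())` is not a type expression; `hashsign %% {HashAlgo :: atom(), SignAlgo :: atom()}, must be one of the offered pairs` would state both the shape and the constraint.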
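Review bot: The section header kept as context in the `@@ -200,6 +203,7 @@` hunk still cites RFC 4346 section 7.4.8, but the added `hashsign_algorithm` field exists only in the TLS 1.2 form of CertificateVerify (RFC 5246 section 7.4.8), and the field itself has no comment. Something like `hashsign_algorithm, % {Hash, Sign}, TLS 1.2 only; presumably undefined for earlier versions` would document it, and the header could name both RFCs. The field is also inserted ahead of `signature`, which changes the tuple layout, so any code matching the record positionally would need a look; no such code is visible here.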
From 332716f059f291eba836fb46071a9b3e718f43c0 Mon Sep 17 00:00:00 2001
From: Andreas Schultz
Date: Wed, 15 Aug 2012 10:52:39 +0200
Subject: ssl: Add Signature Algorithms hello extension from TLS 1.2 This is also avoids triggering some bugs in OpenSSL.
---
lib/ssl/src/ssl_handshake.hrl | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'lib/ssl/src/ssl_handshake.hrl')
diff --git a/lib/ssl/src/ssl_handshake.hrl b/lib/ssl/src/ssl_handshake.hrl
index abe2fa5261..9967a265c1 100644
--- a/lib/ssl/src/ssl_handshake.hrl
+++ b/lib/ssl/src/ssl_handshake.hrl
@@ -97,7 +97,8 @@ session_id, % opaque SessionID<0..32> cipher_suites, % cipher_suites<2..2^16-1> compression_methods, % compression_methods<1..2^8-1>, - renegotiation_info + renegotiation_info, + hash_signs % supported combinations of hashes/signature algos }). -record(server_hello, {
@@ -106,7 +107,8 @@ session_id, % opaque SessionID<0..32> cipher_suite, % cipher_suites compression_method, % compression_method - renegotiation_info + renegotiation_info, + hash_signs % supported combinations of hashes/signature algos }). %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -224,6 +226,15 @@ renegotiated_connection }). +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% Signature Algorithms RFC 5746 section 7.4.1.4.1. +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +-define(SIGNATURE_ALGORITHMS_EXT, 13). + +-record(hash_sign_algos, { + hash_sign_algos + }). + -endif. % -ifdef(ssl_handshake).
-- cgit v1.2.3
From f5c54053e4d99c7c6eb1163047632d16c1fd5f19 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Thu, 23 Aug 2012 15:01:40 +0200
Subject: ssl: Clean up of code thanks to dialyzer
---
lib/ssl/src/ssl_handshake.hrl | 1 -
1 file changed, 1 deletion(-)
(limited to 'lib/ssl/src/ssl_handshake.hrl')
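Review bot: The `hash_signs` field added to `#server_hello{}` in the `@@ -106,7 +107,8 @@` hunk has no counterpart in the protocol: RFC 5246 section 7.4.1.4.1 says servers MUST NOT send the signature_algorithms extension, so only `#client_hello{}` (the `@@ -97,7 +97,8 @@` hunk) can legitimately carry it. If the field is kept for symmetry in the decoder, a comment such as `hash_signs % not sent by servers (RFC 5246 7.4.1.4.1); expected to stay undefined` would keep anyone from encoding it or trusting a server-supplied list. How the hello decoder treats this extension when a server does send it is not visible in this header.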
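Review bot: The section header added in the `@@ -224,6 +226,15 @@` hunk cites the wrong document: section 7.4.1.4.1 (Signature Algorithms) belongs to RFC 5246, while RFC 5746 is the renegotiation indication extension, whose record ends in the context lines just above. The line should read `%% Signature Algorithms RFC 5246 section 7.4.1.4.1.`. The single field of `#hash_sign_algos{}` would also benefit from a comment giving its shape, e.g. `hash_sign_algos % [{Hash :: atom(), Sign :: atom()}] in preference order` (shape assumed from the other records; confirm).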
diff --git a/lib/ssl/src/ssl_handshake.hrl b/lib/ssl/src/ssl_handshake.hrl
index 9967a265c1..cc17dc2975 100644
--- a/lib/ssl/src/ssl_handshake.hrl
+++ b/lib/ssl/src/ssl_handshake.hrl
@@ -32,7 +32,6 @@ -type public_key_params() :: #'Dss-Parms'{} | term(). -type public_key_info() :: {algo_oid(), #'RSAPublicKey'{} | integer() , public_key_params()}. -type tls_handshake_history() :: {[binary()], [binary()]}. --type hash_algo() :: atom(). %% Signature algorithms -define(ANON, 0).
-- cgit v1.2.3