From 2b9412e026ab58bac5b61f239d607db6482974ef Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin
Date: Tue, 29 Jan 2019 13:21:41 +0100
Subject: ssl: Add hashsign_algorithm and cert_hashsign_algorithm to handshake_env
---
 lib/ssl/src/dtls_connection.erl | 7 ++++---
 lib/ssl/src/ssl_connection.erl | 38 ++++++++++++++++++++------------------
 lib/ssl/src/ssl_connection.hrl | 9 ++++-----
 lib/ssl/src/tls_connection.erl | 7 ++++---
 4 files changed, 32 insertions(+), 29 deletions(-)
(limited to 'lib/ssl')
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index 178668e808..86f79ed7e3 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -875,9 +875,10 @@ handle_client_hello(#client_hello{client_version = ClientVersion} = Hello,
 State = prepare_flight(State0#state{connection_states = ConnectionStates,
 negotiated_version = Version,
- hashsign_algorithm = HashSign,
- handshake_env = HsEnv#handshake_env{client_hello_version = ClientVersion,
- negotiated_protocol = Protocol},
+ handshake_env = HsEnv#handshake_env{
+ hashsign_algorithm = HashSign,
+ client_hello_version = ClientVersion,
+ negotiated_protocol = Protocol},
 session = Session}),
 ssl_connection:hello(internal, {common_client_hello, Type, ServerHelloExt},
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index f24b4d555a..75edf2e42b 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -832,6 +832,7 @@ certify(internal, #certificate{} = Cert,
 end;
 certify(internal, #server_key_exchange{exchange_keys = Keys},
 #state{static_env = #static_env{role = client},
+ handshake_env = HsEnv,
 negotiated_version = Version,
 key_algorithm = Alg,
 public_key_info = PubKeyInfo,
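Review bot: The four-line `handshake_env` update written into handle_client_hello here is the same text that hello/3 in tls_connection.erl gains at @@ -551,9 +551,10 @@, so both front ends now carry an identical record construction that has to be kept in sync by hand. Since the DTLS clause already hands off to `ssl_connection:hello/3`, a small shared helper in that common module, e.g. `hello_handshake_env(HsEnv, HashSign, ClientVersion, Protocol) -> HsEnv#handshake_env{hashsign_algorithm = HashSign, client_hello_version = ClientVersion, negotiated_protocol = Protocol}.`, would let both call sites use one definition. handle_client_hello starts and ends outside the hunk.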
@@ -851,15 +852,15 @@ certify(internal, #server_key_exchange{exchange_keys = Keys},
 case is_anonymous(Alg) of
 true ->
 calculate_secret(Params#server_key_params.params,
- State#state{hashsign_algorithm = HashSign}, Connection);
+ State#state{handshake_env = HsEnv#handshake_env{hashsign_algorithm = HashSign}}, Connection);
 false ->
 case ssl_handshake:verify_server_key(Params, HashSign, ConnectionStates,
 ssl:tls_version(Version), PubKeyInfo) of
 true ->
 calculate_secret(Params#server_key_params.params,
- State#state{hashsign_algorithm = HashSign,
- session = session_handle_params(Params#server_key_params.params, Session)},
- Connection);
+ State#state{handshake_env = HsEnv#handshake_env{hashsign_algorithm = HashSign},
+ session = session_handle_params(Params#server_key_params.params, Session)},
+ Connection);
 false ->
 handle_own_alert(?ALERT_REC(?FATAL, ?DECRYPT_ERROR), Version, ?FUNCTION_NAME, State)
@@ -883,8 +884,9 @@ certify(internal, #certificate_request{},
 Connection:next_event(?FUNCTION_NAME, no_record, State#state{client_certificate_requested = true});
 certify(internal, #certificate_request{} = CertRequest,
 #state{static_env = #static_env{role = client},
+ handshake_env = HsEnv,
 session = #session{own_certificate = Cert},
- ssl_options = #ssl_options{signature_algs = SupportedHashSigns},
+ ssl_options = #ssl_options{signature_algs = SupportedHashSigns},
 negotiated_version = Version} = State, Connection) ->
 case ssl_handshake:select_hashsign(CertRequest, Cert, SupportedHashSigns, ssl:tls_version(Version)) of
 #alert {} = Alert ->
@@ -892,7 +894,7 @@ certify(internal, #certificate_request{} = CertRequest,
 NegotiatedHashSign ->
 Connection:next_event(?FUNCTION_NAME, no_record,
 State#state{client_certificate_requested = true,
- cert_hashsign_algorithm = NegotiatedHashSign})
+ handshake_env = HsEnv#handshake_env{cert_hashsign_algorithm = NegotiatedHashSign}})
 end;
 %% PSK and RSA_PSK might bypass the Server-Key-Exchange
 certify(internal, #server_hello_done{},
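Review bot: `HsEnv#handshake_env{hashsign_algorithm = HashSign}` is now constructed twice in this clause, once in the anonymous branch and once in the verified branch of the inner `case`, which is the kind of duplication a later edit (say, a second field to record alongside the hash/sign pair) will update in only one place. Binding it once before the `case`, `HsEnv1 = HsEnv#handshake_env{hashsign_algorithm = HashSign},` and writing `State#state{handshake_env = HsEnv1, ...}` at both calculate_secret sites removes the repeat while leaving the `State` passed to handle_own_alert on the failure branch untouched. The enclosing certify/4 clause starts and ends outside the hunk.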
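Review bot: The `ssl_options = #ssl_options{signature_algs = SupportedHashSigns},` line in the @@ -883,8 +884,9 @@ hunk is removed and re-added with no visible textual difference, so this refactor carries a whitespace-only edit inside it; the same happens to the `premaster_secret` field in ssl_connection.hrl at @@ -105,8 +105,7 @@. Such cleanups are easier to audit in a separate whitespace commit, since here a reader has to diff the two lines by eye to confirm nothing behavioural changed.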
@@ -996,7 +998,7 @@ cipher(info, Msg, State, _) ->
 cipher(internal, #certificate_verify{signature = Signature,
 hashsign_algorithm = CertHashSign},
 #state{static_env = #static_env{role = server},
- handshake_env = #handshake_env{tls_handshake_history = Hist},
+ handshake_env = #handshake_env{tls_handshake_history = Hist} = HsEnv,
 key_algorithm = KexAlg,
 public_key_info = PublicKeyInfo,
 negotiated_version = Version,
@@ -1010,7 +1012,7 @@ cipher(internal, #certificate_verify{signature = Signature,
 TLSVersion, HashSign, MasterSecret, Hist) of
 valid ->
 Connection:next_event(?FUNCTION_NAME, no_record,
- State#state{cert_hashsign_algorithm = HashSign});
+ State#state{handshake_env = HsEnv#handshake_env{cert_hashsign_algorithm = HashSign}});
 #alert{} = Alert ->
 handle_own_alert(Alert, Version, ?FUNCTION_NAME, State)
 end;
@@ -1566,13 +1568,13 @@ certify_client(#state{client_certificate_requested = false} = State, _) ->
 State.
 verify_client_cert(#state{static_env = #static_env{role = client},
- handshake_env = #handshake_env{tls_handshake_history = Hist},
+ handshake_env = #handshake_env{tls_handshake_history = Hist,
+ cert_hashsign_algorithm = HashSign},
 client_certificate_requested = true,
 negotiated_version = Version,
 private_key = PrivateKey,
 session = #session{master_secret = MasterSecret,
- own_certificate = OwnCert},
- cert_hashsign_algorithm = HashSign} = State, Connection) ->
+ own_certificate = OwnCert}} = State, Connection) ->
 case ssl_handshake:client_certificate_verify(OwnCert, MasterSecret,
 ssl:tls_version(Version), HashSign, PrivateKey, Hist) of
@@ -1701,7 +1703,7 @@ certify_server(#state{static_env = #static_env{cert_db = CertDbHandle,
 key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa} = State,_) ->
 State;
 key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Algo,
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
 diffie_hellman_params = #'DHParameter'{} = Params,
 private_key = PrivateKey,
 connection_states = ConnectionStates0,
@@ -1729,7 +1731,7 @@ key_exchange(#state{static_env = #static_env{role = server},
 State#state{diffie_hellman_keys = Key,
 session = Session#session{ecc = ECCurve}};
 key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Algo,
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
 private_key = PrivateKey,
 session = #session{ecc = ECCCurve},
 connection_states = ConnectionStates0,
@@ -1755,7 +1757,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = psk
 State;
 key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = psk,
 ssl_options = #ssl_options{psk_identity = PskIdentityHint},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
 private_key = PrivateKey,
 connection_states = ConnectionStates0,
 negotiated_version = Version
@@ -1772,7 +1774,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = psk
 Connection:queue_handshake(Msg, State0);
 key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = dhe_psk,
 ssl_options = #ssl_options{psk_identity = PskIdentityHint},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
 diffie_hellman_params = #'DHParameter'{} = Params,
 private_key = PrivateKey,
 connection_states = ConnectionStates0,
@@ -1793,7 +1795,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = dhe
 State#state{diffie_hellman_keys = DHKeys};
 key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = ecdhe_psk,
 ssl_options = #ssl_options{psk_identity = PskIdentityHint},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
 private_key = PrivateKey,
 session = #session{ecc = ECCCurve},
 connection_states = ConnectionStates0,
@@ -1817,7 +1819,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa
 State;
 key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa_psk,
 ssl_options = #ssl_options{psk_identity = PskIdentityHint},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
 private_key = PrivateKey,
 connection_states = ConnectionStates0,
 negotiated_version = Version
@@ -1834,7 +1836,7 @@ key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = rsa
 Connection:queue_handshake(Msg, State0);
 key_exchange(#state{static_env = #static_env{role = server}, key_algorithm = Algo,
 ssl_options = #ssl_options{user_lookup_fun = LookupFun},
- hashsign_algorithm = HashSignAlgo,
+ handshake_env = #handshake_env{hashsign_algorithm = HashSignAlgo},
 session = #session{srp_username = Username},
 private_key = PrivateKey,
 connection_states = ConnectionStates0,
diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl
index 9d535cb1f2..e1a53c9982 100644
--- a/lib/ssl/src/ssl_connection.hrl
+++ b/lib/ssl/src/ssl_connection.hrl
@@ -65,7 +65,9 @@
 sni_hostname = undefined,
 expecting_next_protocol_negotiation = false ::boolean(),
 next_protocol = undefined :: undefined | binary(),
- negotiated_protocol
+ negotiated_protocol,
+ hashsign_algorithm = {undefined, undefined},
+ cert_hashsign_algorithm = {undefined, undefined}
 }).
 -record(connection_env, {
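Review bot: The two fields added to `#handshake_env{}` in the ssl_connection.hrl hunk carry a default but no type, while the neighbouring `expecting_next_protocol_negotiation` and `next_protocol` fields are typed; the `#state{}` fields they replace (removed at @@ -96,8 +98,6 @@) were untyped as well, so the move is the natural moment to add one. A spec of the form `hashsign_algorithm = {undefined, undefined} :: {atom(), atom()},` (or the tighter hash/signature atom types if the ssl module already exports them) would let Dialyzer check the many clauses in ssl_connection.erl that now pattern-match on this field. A comment is also warranted, since the hunks show the pair feeding different messages: `%% hashsign_algorithm: {Hash, Sign} pair used for the ServerKeyExchange signature; cert_hashsign_algorithm: the pair used for CertificateVerify`. The record definition starts outside the hunk.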
@@ -96,8 +98,6 @@
 %% Used only in HS
 client_certificate_requested = false :: boolean(),
 key_algorithm :: ssl:key_algo(),
- hashsign_algorithm = {undefined, undefined},
- cert_hashsign_algorithm = {undefined, undefined},
 public_key_info :: ssl_handshake:public_key_info() | 'undefined',
 private_key :: public_key:private_key() | secret_printout() | 'undefined',
 diffie_hellman_params:: #'DHParameter'{} | undefined | secret_printout(),
@@ -105,8 +105,7 @@
 psk_identity :: binary() | 'undefined', % server psk identity hint
 srp_params :: #srp_user{} | secret_printout() | 'undefined',
 srp_keys ::{PublicKey :: binary(), PrivateKey :: binary()} | secret_printout() | 'undefined',
- premaster_secret :: binary() | secret_printout() | 'undefined',
-
+ premaster_secret :: binary() | secret_printout() | 'undefined',
 flight_buffer = [] :: list() | map(), %% Buffer of TLS/DTLS records, used during the TLS handshake
 %% to when possible pack more than one TLS record into the
 %% underlaying packet format. Introduced by DTLS - RFC 4347.
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 2e9ae97da0..684910db10 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -551,9 +551,10 @@ hello(internal, #client_hello{client_version = ClientVersion} = Hello,
 gen_handshake(?FUNCTION_NAME, internal, {common_client_hello, Type, ServerHelloExt},
 State#state{connection_states = ConnectionStates,
 negotiated_version = Version,
- hashsign_algorithm = HashSign,
- handshake_env = HsEnv#handshake_env{client_hello_version = ClientVersion,
- negotiated_protocol = Protocol},
+ handshake_env = HsEnv#handshake_env{
+ hashsign_algorithm = HashSign,
+ client_hello_version = ClientVersion,
+ negotiated_protocol = Protocol},
 session = Session
 })
 end;
-- cgit v1.2.3