[erlang-patches] SSL: export some session key material and make the TLS PRF accessible

Andreas Schultz <>
Fri Feb 24 14:55:06 CET 2012


Hi Ingela,

I have pushed a new version to the same location.

git fetch git://github.com/RoadRunnr/otp.git tls-export-stuff

https://github.com/RoadRunnr/otp/compare/tls-export-stuff
https://github.com/RoadRunnr/otp/compare/tls-export-stuff.patch

This version removes the access to the internal security_parameters
and adopts a scheme for the prf function that is close to what you
suggested. The prf function is now:

-type prf_random() :: client | server.

prf(#sslsocket{}, Secret::binary() | 'master_secret', Label::binary(),
	  Seed::[binary() | prf_random()], WantedLen::non_neg_integer()) ->
		 {ok, binary()} | {error, reason()}

It always works on an ssl socket and uses the TLS version negotiated for
the socket. Specifying the TLS version does not really makes sense as the
internal security_parameters are TLS version dependent and I can not see
a use case for using the PRF without an active TLS connection.

Allowing the client and server randoms for the secret without exporting
them is somewhat strange, so I don't allow that. The same goes for using
the master secret as seed.

Andreas

----- Original Message -----
> Hi!
> 
> I looked into this a bit and I would prefer not to have have a
> function
> that exports security parameters as this is not really desirable and
> also
> kind of unnecessary as you send them back to the SSL/TLS-gen-fsm
> process.
> 
> I think there should be a function prf
> 
> -type security_parm_name() :: master_secret | client_random |
> server_random
> 
> prf(tls_version(), Secret::binary() | security_param_name(),
> Label::binary(),
>     Seed:: [binary()| security_parm_name()],
>     WantedLen::non_neg_integer()) -> {ok, binary()} | {error,
>     reason()}
> 
> 
> Then the erlang SSL/TLS-fsm process will replace all
> security_param_name-instances with the value of the corresponding
> security parameter
> before calling the prf-function.
> 
> I think there is no need for an {'EXIT, term()} return  if necessary
> to
> catch something {error, Reason} is sufficient and the Reason can
> provide the
> information it was a caught EXIT if that could be interesting in that
> particular case, it is not always  for example consider the following
> catch
> 
> connect(Host, Port, Socket, Options, User, CbInfo, Timeout) ->
>     try start_fsm(client, Host, Port, Socket, Options, User, CbInfo,
>           Timeout)
>     catch
>     exit:{noproc, _} ->
>         {error, ssl_not_started}
>     end.
> 
> Regards Ingela  Erlang/OTP team Ericsson AB
> 
> Andreas Schultz wrote:
> > Hi,
> >
> > Please fetch:
> >
> >   git fetch git://github.com/RoadRunnr/otp.git tls-export-stuff
> >
> > Export some session key material and make the TLS PRF accessible
> >
> > Some protocols (e.g. EAP-PEAP, EAP-TLS, EAP-TTLS) that use TLS as
> > transport layer need to generate additional application specific
> > key material. One way to generate such material is to use the TLS
> > PRF and key material from the TLS session itself.
> >     
> > This change adds a function to access the required key material and
> > makes a TLS session PRF accessible.
> >
> > https://github.com/RoadRunnr/otp/compare/tls-export-stuff
> > https://github.com/RoadRunnr/otp/compare/tls-export-stuff.patch
> >
> > Regards
> > Andreas
> >
> >   
> 
> 

-- 
-- 
Dipl. Inform.
Andreas Schultz

email: 
phone: +49-391-819099-224
mobil: +49-179-7654368

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------


More information about the erlang-patches mailing list