[erlang-patches] SSL: export some session key material and make the TLS PRF accessible
Andreas Schultz
aschultz@REDACTED
Tue Feb 28 12:18:42 CET 2012
Hi Ingela,
Documentation is updated in the same place.
The first sentence is now:
+ <p>This function can only be used with TLS connections, <c>{error, undefined}</c>
+ is returned for SSLv3 connections.</p>
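Review bot: the first sentence of this `<p>` is a comma splice ("... TLS connections, <c>{error, undefined}</c> is returned ..."); make it two sentences or join the clauses with "and", so that the TLS-only restriction and the SSLv3 return value each read as a separate statement.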
I have also removed the warning.
Andreas
----- Original Message -----
> Hi Andreas!
>
> I think it looks good :)
>
> But there is a strange part in the documentation:
>
> This sentence I think needs to be reformulated!
>
> + This function is menaing for for TLS connections, <c>{error,
> undefined}</c>
> + is returned for SSLv3 connections.</p>
>
> No longer needed:
>
> + <p>When using this functions with key and/or random material from
> the
> TLS session,
> + special care needs to be take to not expose any sensitive crypto
> state</p>
> + </desc>
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
> Andreas Schultz wrote:
> > Hi Ingela,
> >
> > I have pushed a new version to the same location.
> >
> > git fetch git://github.com/RoadRunnr/otp.git tls-export-stuff
> >
> > https://github.com/RoadRunnr/otp/compare/tls-export-stuff
> > https://github.com/RoadRunnr/otp/compare/tls-export-stuff.patch
> >
> > This version removes the access to the internal security_parameters
> > and adopts a scheme for the prf function that is close to what you
> > suggested. The prf function is now:
> >
> > -type prf_random() :: client | server.
> >
> > prf(#sslsocket{}, Secret::binary() | 'master_secret', Label::binary(),
> >     Seed::[binary() | prf_random()], WantedLen::non_neg_integer()) ->
> >     {ok, binary()} | {error, reason()}
> >
> > It always works on an ssl socket and uses the TLS version negotiated for
> > the socket. Specifying the TLS version does not really make sense as the
> > internal security_parameters are TLS version dependent and I can not see
> > a use case for using the PRF without an active TLS connection.
> >
> > Allowing the client and server randoms for the secret without exporting
> > them is somewhat strange, so I don't allow that. The same goes for using
> > the master secret as seed.
> >
> > Andreas
> >
> > ----- Original Message -----
> >
> >> Hi!
> >>
> >> I looked into this a bit and I would prefer not to have a function
> >> that exports security parameters as this is not really desirable and also
> >> kind of unnecessary as you send them back to the SSL/TLS-gen-fsm process.
> >>
> >> I think there should be a function prf
> >>
> >> -type security_param_name() :: master_secret | client_random |
> >>                                server_random.
> >>
> >> prf(tls_version(), Secret::binary() | security_param_name(), Label::binary(),
> >>     Seed::[binary() | security_param_name()],
> >>     WantedLen::non_neg_integer()) -> {ok, binary()} | {error, reason()}
> >>
> >>
> >> Then the Erlang SSL/TLS-fsm process will replace all
> >> security_param_name instances with the value of the corresponding
> >> security parameter before calling the prf function.
> >>
> >> I think there is no need for an {'EXIT', term()} return; if necessary to
> >> catch something, {error, Reason} is sufficient, and the Reason can provide
> >> the information that it was a caught EXIT if that could be interesting in
> >> that particular case. It is not always; for example, consider the following
> >> catch:
> >>
> >> connect(Host, Port, Socket, Options, User, CbInfo, Timeout) ->
> >>     try start_fsm(client, Host, Port, Socket, Options, User, CbInfo,
> >>                   Timeout)
> >>     catch
> >>         exit:{noproc, _} ->
> >>             {error, ssl_not_started}
> >>     end.
> >>
> >> Regards Ingela Erlang/OTP team Ericsson AB
> >>
> >> Andreas Schultz wrote:
> >>
> >>> Hi,
> >>>
> >>> Please fetch:
> >>>
> >>> git fetch git://github.com/RoadRunnr/otp.git tls-export-stuff
> >>>
> >>> Export some session key material and make the TLS PRF accessible
> >>>
> >>> Some protocols (e.g. EAP-PEAP, EAP-TLS, EAP-TTLS) that use TLS as
> >>> transport layer need to generate additional application specific
> >>> key material. One way to generate such material is to use the TLS
> >>> PRF and key material from the TLS session itself.
> >>>
> >>> This change adds a function to access the required key material and
> >>> makes a TLS session PRF accessible.
> >>>
> >>> https://github.com/RoadRunnr/otp/compare/tls-export-stuff
> >>> https://github.com/RoadRunnr/otp/compare/tls-export-stuff.patch
> >>>
> >>> Regards
> >>> Andreas
> >>>
> >>>
> >>>
> >>
> >
> >
>
>
--
Dipl. Inform.
Andreas Schultz
email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-179-7654368
------------------ managed broadband access ------------------
Travelping GmbH phone: +49-391-8190990
Roentgenstr. 13 fax: +49-391-819099299
D-39108 Magdeburg email: info@REDACTED
GERMANY web: http://www.travelping.com
Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
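
The prf call shape discussed in this thread, modelled as an added example (not code from the patch or from OTP): the secret is a binary or `master_secret`, the seed may name the `client` and `server` randoms, and the other combinations are refused, after which EAP-TLS key material is derived as in RFC 5216. Assumptions: a map stands in for the `#sslsocket{}` state, the TLS 1.2 SHA-256 PRF from RFC 5246 is used regardless of negotiated version, the module name, `eap_tls_keys/1` and the error reasons are hypothetical, and `crypto:mac/4` requires OTP 22.1 or later.

```erlang
-module(prf_sketch).
-export([prf/5, eap_tls_keys/1, demo/0]).

%% Assumption: Session is a map standing in for the socket's TLS state.
prf(Session, master_secret, Label, Seed, Len) ->
    prf(Session, maps:get(master_secret, Session), Label, Seed, Len);
prf(Session, Secret, Label, Seed, Len)
  when is_binary(Secret), is_binary(Label), is_list(Seed),
       is_integer(Len), Len >= 0 ->
    try
        SeedBin = iolist_to_binary([resolve(Session, S) || S <- Seed]),
        {ok, p_sha256(Secret, <<Label/binary, SeedBin/binary>>, Len)}
    catch
        throw:Reason -> {error, Reason}
    end;
prf(_Session, _Secret, _Label, _Seed, _Len) ->
    {error, badarg}.   % e.g. client | server offered as the secret

%% Only the randoms may be named in the seed; master_secret is refused there.
resolve(Session, client) -> maps:get(client_random, Session);
resolve(Session, server) -> maps:get(server_random, Session);
resolve(_Session, Bin) when is_binary(Bin) -> Bin;
resolve(_Session, Other) -> throw({bad_seed, Other}).

%% P_SHA256 (RFC 5246, section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
%% output = HMAC(secret, A(1) + seed) ++ HMAC(secret, A(2) + seed) ++ ...
p_sha256(Secret, Seed, Len) -> p_sha256(Secret, Seed, Len, hmac(Secret, Seed), <<>>).
p_sha256(_Secret, _Seed, Len, _A, Acc) when byte_size(Acc) >= Len ->
    binary:part(Acc, 0, Len);
p_sha256(Secret, Seed, Len, A, Acc) ->
    Block = hmac(Secret, <<A/binary, Seed/binary>>),
    p_sha256(Secret, Seed, Len, hmac(Secret, A), <<Acc/binary, Block/binary>>).

hmac(Key, Data) -> crypto:mac(hmac, sha256, Key, Data).

%% EAP-TLS (RFC 5216): 128 bytes of key material, split into MSK and EMSK.
eap_tls_keys(Session) ->
    {ok, <<MSK:64/binary, EMSK:64/binary>>} =
        prf(Session, master_secret, <<"client EAP encryption">>, [client, server], 128),
    {MSK, EMSK}.

demo() ->
    S = #{master_secret => binary:copy(<<16#0b>>, 48),   % constructed values
          client_random => binary:copy(<<16#c1>>, 32),
          server_random => binary:copy(<<16#51>>, 32)},
    {_MSK, _EMSK} = eap_tls_keys(S),
    {error, badarg} = prf(S, client, <<"x">>, [server], 16),
    {error, {bad_seed, master_secret}} = prf(S, <<"k">>, <<"x">>, [master_secret], 16),
    ok.
```

Compile with `c(prf_sketch).` in an Erlang shell and call `prf_sketch:demo().`, which returns `ok` when the derivation and both refusals behave as described.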