[erlang-patches] TLS: add PSK and SRP cipher suites

Andreas Schultz <>
Tue Jan 15 20:19:42 CET 2013


Hi,

I have address the issues:

 * documentation for SSL API options added
 * header files internalized
 * crypto function generalized and support for multiple SRP variants

New version can be found here:

https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites
https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites.patch


Even if the PSK and SRP do not make it into R16, could you consider the first two
changesets from this series, please? They are mostly code consolidations, making
adding new key exchange algorithms much simpler.

https://github.com/RoadRunnr/otp/compare/master...cf4512a
https://github.com/RoadRunnr/otp/compare/master...cf4512a.patch

Andreas

----- Original Message -----
> Hello Andreas,
> Your patch has finally been into review and the response was:
> "
> 
>   * The patch introduces new API options without documenting them.
>   * The patch introduces new include file ssl_srp.hrl that I think shall
>     be internal and put in src. It is undesirable to have records in the
>     user API as it makes the user application compile time dependent on
>     our code, better to use a proplist and then create the record
>     internally. (Yes "sslsocket" is a record due to legacy)
>   * The patch introduces new include file ssl_srp_primes.hrl I think it
>     feels better to input such values as atoms and internaly uses the
>     macros defined in this file, that would be more consistent with the
>     rest of the API.
>   * Functions in crypto being named TLS something seems a little
>     strange, is this necessary?!
> 
> "
> Please correct this and give me a notice when it is done.
> 
> BR Fredrik Gustafsson
> Erlang OTP Team
> On 10/12/2012 11:38 AM, Henrik Nord wrote:
> > refetching
> >
> > On 10/12/2012 10:27 AM, Andreas Schultz wrote:
> >> Hi Henrik,
> >>
> >> When I rebased my changes to the current master, a change crept in that
> >> shouldn't have:
> >>
> >> https://github.com/erlang/otp/commit/747ce9191f4dc7558e12e2b6e5696396392ffbd8
> >>
> >>
> >> I have removed it from my tree and pushed it.
> >>
> >> Andreas
> >>
> >> ----- Original Message -----
> >>> Thanks, I will refetch!
> >>> On 10/11/2012 12:49 PM, Andreas Schultz wrote:
> >>>> Hi,
> >>>>
> >>>> I have pushed a change that should fix the compile error. The
> >>>> buffer has
> >>>> a fixed length now.
> >>>>
> >>>> https://github.com/RoadRunnr/otp/commit/ad73b09d948d0414132bfca2f67ff0de729fa7b2
> >>>>
> >>>> https://github.com/RoadRunnr/otp/commit/ad73b09d948d0414132bfca2f67ff0de729fa7b2.patch
> >>>>
> >>>>
> >>>> Andreas
> >>>>
> >>>> ----- Original Message -----
> >>>>> Does not compile on Windows.
> >>>>>
> >>>>> Function SHA1_Update_PAD in crypto.c is not correct. Arrays with
> >>>>> dynamic
> >>>>> size is not supported by the C standard we use.
> >>>>> Use a static array instead, presuming that there is a reasonable
> >>>>> upper
> >>>>> limit of its size.
> >>>>>
> >>>>> /Sverker, Erlang/OTP
> >>>>>
> >>>>>
> >>>>>
> >>>>> Henrik Nord wrote:
> >>>>>> Hi
> >>>>>>
> >>>>>> I have added your branch to 'master'pu' for testing.
> >>>>>> Thank you for your contribution!
> >>>>>>
> >>>>>> On 10/04/2012 06:29 PM, Andreas Schultz wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Tree is rebased onto latest master.
> >>>>>>>
> >>>>>>> Andreas
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> Would you be so kind as to rebase this branch upon the latest
> >>>>>>>> 'master'
> >>>>>>>>
> >>>>>>>> Thank you for your contribution!
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 09/26/2012 07:19 PM, Andreas Schultz wrote:
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> I have implemented the more interesting parts of RFC 4279, RFC
> >>>>>>>>> 5487
> >>>>>>>>> and RFC 5054 (aka TLS PSK and SRP ciphers). The use and
> >>>>>>>>> usefulness
> >>>>>>>>> of those ciphers is rather limited, the one notable exception
> >>>>>>>>> being
> >>>>>>>>> the eID server protocol for German national identity cards
> >>>>>>>>> (nPA).
> >>>>>>>>>
> >>>>>>>>> The test suite can only verify some PSK suites against openssl
> >>>>>>>>> as
> >>>>>>>>> currently no openssl version supports them all. There is patch
> >>>>>>>>> that add some to openssl, but it has not been  incorporated
> >>>>>>>>> into
> >>>>>>>>> upstream. GNU-TLS implements some more (but not all) PSK
> >>>>>>>>> suites
> >>>>>>>>> and I have manually tested interoperability.
> >>>>>>>>>
> >>>>>>>>> Patch info:
> >>>>>>>>>
> >>>>>>>>> git fetch git://github.com/RoadRunnr/otp.git
> >>>>>>>>> tls-psk-srp-suites
> >>>>>>>>>
> >>>>>>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites
> >>>>>>>>>
> >>>>>>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites.patch
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Regards
> >>>>>>>>> Andreas
> >>>>>>>> --
> >>>>>>>> /Henrik Nord Erlang/OTP
> >>>>>>>>
> >>>>>>>>
> >>> --
> >>> /Henrik Nord Erlang/OTP
> >>>
> >>>
> >
> 
> 

-- 
-- 
Dipl. Inform.
Andreas Schultz

email: 
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------


More information about the erlang-patches mailing list