[erlang-patches] TLS: add PSK and SRP cipher suites

Fredrik fredrik@REDACTED
Wed Jan 16 10:01:32 CET 2013


Thanks,
I have re-fetched and am building it now with the rest of the patches in 
the 'master-pu' branch.

BR Fredrik Gustafsson
Erlang OTP Team
On 01/15/2013 08:19 PM, Andreas Schultz wrote:
> Hi,
>
> I have addressed the issues:
>
>   * documentation for SSL API options added
>   * header files internalized
>   * crypto function generalized and support for multiple SRP variants
>
> New version can be found here:
>
> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites
> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites.patch
>
>
> Even if the PSK and SRP do not make it into R16, could you consider the first two
> changesets from this series, please? They are mostly code consolidations, making
> adding new key exchange algorithms much simpler.
>
> https://github.com/RoadRunnr/otp/compare/master...cf4512a
> https://github.com/RoadRunnr/otp/compare/master...cf4512a.patch
>
> Andreas
>
> ----- Original Message -----
>> Hello Andreas,
>> Your patch has finally been into review and the response was:
>> "
>>
>>    * The patch introduces new API options without documenting them.
>>    * The patch introduces new include file ssl_srp.hrl that I think shall
>>      be internal and put in src. It is undesirable to have records in the
>>      user API as it makes the user application compile time dependent on
>>      our code, better to use a proplist and then create the record
>>      internally. (Yes "sslsocket" is a record due to legacy)
>>    * The patch introduces new include file ssl_srp_primes.hrl I think it
>>      feels better to input such values as atoms and internally use the
>>      macros defined in this file, that would be more consistent with the
>>      rest of the API.
>>    * Functions in crypto being named TLS something seems a little
>>      strange, is this necessary?!
>>
>> "
>> Please correct this and give me a notice when it is done.
>>
>> BR Fredrik Gustafsson
>> Erlang OTP Team
>> On 10/12/2012 11:38 AM, Henrik Nord wrote:
>>> refetching
>>>
>>> On 10/12/2012 10:27 AM, Andreas Schultz wrote:
>>>> Hi Henrik,
>>>>
>>>> When I rebased my changes to the current master, a change crept in that
>>>> shouldn't have:
>>>>
>>>> https://github.com/erlang/otp/commit/747ce9191f4dc7558e12e2b6e5696396392ffbd8
>>>>
>>>>
>>>> I have removed it from my tree and pushed it.
>>>>
>>>> Andreas
>>>>
>>>> ----- Original Message -----
>>>>> Thanks, I will refetch!
>>>>> On 10/11/2012 12:49 PM, Andreas Schultz wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have pushed a change that should fix the compile error. The
>>>>>> buffer has
>>>>>> a fixed length now.
>>>>>>
>>>>>> https://github.com/RoadRunnr/otp/commit/ad73b09d948d0414132bfca2f67ff0de729fa7b2
>>>>>>
>>>>>> https://github.com/RoadRunnr/otp/commit/ad73b09d948d0414132bfca2f67ff0de729fa7b2.patch
>>>>>>
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> Does not compile on Windows.
>>>>>>>
>>>>>>> Function SHA1_Update_PAD in crypto.c is not correct. Arrays with
>>>>>>> dynamic
>>>>>>> size are not supported by the C standard we use.
>>>>>>> Use a static array instead, presuming that there is a reasonable
>>>>>>> upper
>>>>>>> limit of its size.
>>>>>>>
>>>>>>> /Sverker, Erlang/OTP
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Henrik Nord wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I have added your branch to 'master-pu' for testing.
>>>>>>>> Thank you for your contribution!
>>>>>>>>
>>>>>>>> On 10/04/2012 06:29 PM, Andreas Schultz wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Tree is rebased onto latest master.
>>>>>>>>>
>>>>>>>>> Andreas
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> Would you be so kind as to rebase this branch upon the latest
>>>>>>>>>> 'master'
>>>>>>>>>>
>>>>>>>>>> Thank you for your contribution!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 09/26/2012 07:19 PM, Andreas Schultz wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I have implemented the more interesting parts of RFC 4279, RFC
>>>>>>>>>>> 5487
>>>>>>>>>>> and RFC 5054 (aka TLS PSK and SRP ciphers). The use and
>>>>>>>>>>> usefulness
>>>>>>>>>>> of those ciphers is rather limited, the one notable exception
>>>>>>>>>>> being
>>>>>>>>>>> the eID server protocol for German national identity cards
>>>>>>>>>>> (nPA).
>>>>>>>>>>>
>>>>>>>>>>> The test suite can only verify some PSK suites against openssl
>>>>>>>>>>> as
>>>>>>>>>>> currently no openssl version supports them all. There is a patch
>>>>>>>>>>> that adds some to openssl, but it has not been incorporated
>>>>>>>>>>> into
>>>>>>>>>>> upstream. GNU-TLS implements some more (but not all) PSK
>>>>>>>>>>> suites
>>>>>>>>>>> and I have manually tested interoperability.
>>>>>>>>>>>
>>>>>>>>>>> Patch info:
>>>>>>>>>>>
>>>>>>>>>>> git fetch git://github.com/RoadRunnr/otp.git
>>>>>>>>>>> tls-psk-srp-suites
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites.patch
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Andreas
>>>>>>>>>> --
>>>>>>>>>> /Henrik Nord Erlang/OTP
>>>>>>>>>>
>>>>>>>>>>
>>>>> --
>>>>> /Henrik Nord Erlang/OTP
>>>>>
>>>>>
>>



