[erlang-patches] SSL: export some session key material and make the TLS PRF accessible
Andreas Schultz
aschultz@REDACTED
Fri Feb 24 14:55:06 CET 2012
Hi Ingela,
I have pushed a new version to the same location.
git fetch git://github.com/RoadRunnr/otp.git tls-export-stuff
https://github.com/RoadRunnr/otp/compare/tls-export-stuff
https://github.com/RoadRunnr/otp/compare/tls-export-stuff.patch
This version removes the access to the internal security_parameters
and adopts a scheme for the prf function that is close to what you
suggested. The prf function is now:
-type prf_random() :: client | server.
prf(#sslsocket{}, Secret::binary() | 'master_secret', Label::binary(),
Seed::[binary() | prf_random()], WantedLen::non_neg_integer()) ->
{ok, binary()} | {error, reason()}
It always works on an ssl socket and uses the TLS version negotiated for
the socket. Specifying the TLS version does not really makes sense as the
internal security_parameters are TLS version dependent and I can not see
a use case for using the PRF without an active TLS connection.
Allowing the client and server randoms for the secret without exporting
them is somewhat strange, so I don't allow that. The same goes for using
the master secret as seed.
Andreas
----- Original Message -----
> Hi!
>
> I looked into this a bit and I would prefer not to have have a
> function
> that exports security parameters as this is not really desirable and
> also
> kind of unnecessary as you send them back to the SSL/TLS-gen-fsm
> process.
>
> I think there should be a function prf
>
> -type security_parm_name() :: master_secret | client_random |
> server_random
>
> prf(tls_version(), Secret::binary() | security_param_name(),
> Label::binary(),
> Seed:: [binary()| security_parm_name()],
> WantedLen::non_neg_integer()) -> {ok, binary()} | {error,
> reason()}
>
>
> Then the erlang SSL/TLS-fsm process will replace all
> security_param_name-instances with the value of the corresponding
> security parameter
> before calling the prf-function.
>
> I think there is no need for an {'EXIT, term()} return if necessary
> to
> catch something {error, Reason} is sufficient and the Reason can
> provide the
> information it was a caught EXIT if that could be interesting in that
> particular case, it is not always for example consider the following
> catch
>
> connect(Host, Port, Socket, Options, User, CbInfo, Timeout) ->
> try start_fsm(client, Host, Port, Socket, Options, User, CbInfo,
> Timeout)
> catch
> exit:{noproc, _} ->
> {error, ssl_not_started}
> end.
>
> Regards Ingela Erlang/OTP team Ericsson AB
>
> Andreas Schultz wrote:
> > Hi,
> >
> > Please fetch:
> >
> > git fetch git://github.com/RoadRunnr/otp.git tls-export-stuff
> >
> > Export some session key material and make the TLS PRF accessible
> >
> > Some protocols (e.g. EAP-PEAP, EAP-TLS, EAP-TTLS) that use TLS as
> > transport layer need to generate additional application specific
> > key material. One way to generate such material is to use the TLS
> > PRF and key material from the TLS session itself.
> >
> > This change adds a function to access the required key material and
> > makes a TLS session PRF accessible.
> >
> > https://github.com/RoadRunnr/otp/compare/tls-export-stuff
> > https://github.com/RoadRunnr/otp/compare/tls-export-stuff.patch
> >
> > Regards
> > Andreas
> >
> >
>
>
--
--
Dipl. Inform.
Andreas Schultz
email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-179-7654368
------------------ managed broadband access ------------------
Travelping GmbH phone: +49-391-8190990
Roentgenstr. 13 fax: +49-391-819099299
D-39108 Magdeburg email: info@REDACTED
GERMANY web: http://www.travelping.com
Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
More information about the erlang-patches
mailing list