Merge branch 'ia/ssl/new-server-options-reuse-session/OTP-10595'

* ia/ssl/new-server-options-reuse-session/OTP-10595: ssl: Add and enhance tests ssl: Consider new server options when resuming a session
author: Ingela Anderton Andin <[email protected]> 2012-11-27 09:01:45 +0100
committer: Ingela Anderton Andin <[email protected]> 2012-11-27 09:01:45 +0100
commit: 6ab7a9e353f246f4b83537fe428eb2cd8c6accbf (patch)
tree: 2acc02651ce4c61d3fd5ac2be692d3b7b5730b21
parent: 05c9a6b36af7255d58a91b50b9513fa5bc2716f2 (diff)
parent: 305aebd55e815c0fff9bd24cd9c9ff9b40cd1189 (diff)
download: otp-6ab7a9e353f246f4b83537fe428eb2cd8c6accbf.tar.gz
otp-6ab7a9e353f246f4b83537fe428eb2cd8c6accbf.tar.bz2
otp-6ab7a9e353f246f4b83537fe428eb2cd8c6accbf.zip
2 files changed, 85 insertions, 10 deletions
diff --git a/lib/ssl/src/ssl_session.erl b/lib/ssl/src/ssl_session.erl
index 2ad422fc03..a24b2d9444 100644
--- a/lib/ssl/src/ssl_session.erl
+++ b/lib/ssl/src/ssl_session.erl
@@ -72,15 +72,12 @@ valid_session(#session{time_stamp = TimeStamp}, LifeTime) ->
 
 server_id(Port, <<>>, _SslOpts, _Cert, _, _) ->
     {ssl_manager:new_session_id(Port), undefined};
-server_id(Port, SuggestedId,
-	  #ssl_options{reuse_sessions = ReuseEnabled,
-		       reuse_session = ReuseFun},
-	  Cert, Cache, CacheCb) ->
+server_id(Port, SuggestedId, Options, Cert, Cache, CacheCb) ->
     LifeTime = case application:get_env(ssl, session_lifetime) of
 		   {ok, Time} when is_integer(Time) -> Time;
 		   _ -> ?'24H_in_sec'
 	       end,
-    case is_resumable(SuggestedId, Port, ReuseEnabled,ReuseFun,
+    case is_resumable(SuggestedId, Port, Options,
 		      Cache, CacheCb, LifeTime, Cert)
     of
 	{true, Resumed} ->
@@ -112,9 +109,9 @@ select_session(Sessions, #ssl_options{ciphers = Ciphers}, OwnCert) ->
 	[[Id, _]|_] -> Id
     end.
 
-is_resumable(_, _, false, _, _, _, _, _) ->
+is_resumable(_, _, #ssl_options{reuse_sessions = false}, _, _, _, _) ->
     {false, undefined};
-is_resumable(SuggestedSessionId, Port, true, ReuseFun, Cache,
+is_resumable(SuggestedSessionId, Port, #ssl_options{reuse_session = ReuseFun} = Options, Cache,
 	     CacheCb, SecondLifeTime, OwnCert) ->
     case CacheCb:lookup(Cache, {Port, SuggestedSessionId}) of
 	#session{cipher_suite = CipherSuite,
@@ -125,6 +122,7 @@ is_resumable(SuggestedSessionId, Port, true, ReuseFun, Cache,
 	    case resumable(IsResumable)
 		andalso (OwnCert == SessionOwnCert)
 		andalso valid_session(Session, SecondLifeTime)
+		andalso reusable_options(Options, Session)
 		andalso ReuseFun(SuggestedSessionId, PeerCert,
 				 Compression, CipherSuite)
 	    of
@@ -139,3 +137,9 @@ resumable(new) ->
     false;
 resumable(IsResumable) ->
     IsResumable.
+
+reusable_options(#ssl_options{fail_if_no_peer_cert = true,
+			   verify = verify_peer}, Session) ->
+    (Session#session.peer_certificate =/= undefined);
+reusable_options(_,_) ->
+    true.
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index a202aca943..e84582cdd7 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -274,6 +274,7 @@ certificate_verify_tests() ->
      server_verify_client_once_passive,
      server_verify_client_once_active,
      server_verify_client_once_active_once,
+     new_server_wants_peer_cert,
      client_verify_none_passive,
      client_verify_none_active,
      client_verify_none_active_once,
@@ -3610,9 +3611,14 @@ no_reuses_session_server_restart_new_cert(Config) when is_list(Config) ->
 
     %% Make sure session is registered
     test_server:sleep(?SLEEP),
+    Monitor = erlang:monitor(process, Server),
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client0),
-
+    receive
+	{'DOWN', Monitor, _, _, _} ->
+	    ok
+    end,
+    
     Server1 =
 	ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
 				   {from, self()},
@@ -3719,10 +3725,14 @@ reuseaddr(Config) when is_list(Config) ->
 				   {from, self()},
 				   {mfa, {ssl_test_lib, no_result, []}},
 				   {options, [{active, false} | ClientOpts]}]),
-    test_server:sleep(?SLEEP),
+    Monitor = erlang:monitor(process, Server),
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client),
-
+    receive
+	{'DOWN', Monitor, _, _, _} ->
+	    ok
+    end,
+    
     Server1 =
 	ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
 				   {from, self()},
@@ -4041,6 +4051,67 @@ client_server_opts({KeyAlgo,_,_}, Config) when KeyAlgo == dss orelse KeyAlgo ==
     {?config(client_dsa_opts, Config),
      ?config(server_dsa_opts, Config)}.
 
+
+%%--------------------------------------------------------------------
+
+new_server_wants_peer_cert(doc) ->
+    ["Test that server configured to do client certification does"
+     " not reuse session without a client certificate."];
+new_server_wants_peer_cert(suite) ->
+    [];
+new_server_wants_peer_cert(Config) when is_list(Config) ->
+    ServerOpts = ?config(server_opts, Config),
+    VServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
+		  | ?config(server_verification_opts, Config)],
+    ClientOpts = ?config(client_verification_opts, Config),
+
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    Server =
+	ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+				   {from, self()},
+				   {mfa, {?MODULE, peercert_result, []}},
+				   {options,  [ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client =
+	ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+				   {host, Hostname},
+				   {from, self()},
+				   {mfa, {ssl_test_lib, no_result, []}},
+				   {options, ClientOpts}]),
+
+    Monitor = erlang:monitor(process, Server),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client),
+    receive
+	{'DOWN', Monitor, _, _, _} ->
+	    ok
+    end,
+    
+    Server1 = ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
+					 {from, self()},
+					 {mfa, {?MODULE, peercert_result, []}},
+					 {options,  VServerOpts}]), 
+    Client1 =
+	ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+				   {host, Hostname},
+				   {from, self()},
+				   {mfa, {ssl_test_lib, no_result, []}},
+				   {options, [ClientOpts]}]),
+
+    CertFile = proplists:get_value(certfile, ClientOpts),
+    [{'Certificate', BinCert, _}]= ssl_test_lib:pem_to_der(CertFile),
+
+    ServerMsg = {error, no_peercert},
+    Sever1Msg = {ok, BinCert},
+   
+    ssl_test_lib:check_result(Server, ServerMsg, Server1, Sever1Msg),
+
+    ssl_test_lib:close(Server1),
+    ssl_test_lib:close(Client),
+    ssl_test_lib:close(Client1).
+
+
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
author	Ingela Anderton Andin <[email protected]>	2012-11-27 09:01:45 +0100
committer	Ingela Anderton Andin <[email protected]>	2012-11-27 09:01:45 +0100
commit	6ab7a9e353f246f4b83537fe428eb2cd8c6accbf (patch)
tree	2acc02651ce4c61d3fd5ac2be692d3b7b5730b21
parent	05c9a6b36af7255d58a91b50b9513fa5bc2716f2 (diff)
parent	305aebd55e815c0fff9bd24cd9c9ff9b40cd1189 (diff)
download	otp-6ab7a9e353f246f4b83537fe428eb2cd8c6accbf.tar.gz otp-6ab7a9e353f246f4b83537fe428eb2cd8c6accbf.tar.bz2 otp-6ab7a9e353f246f4b83537fe428eb2cd8c6accbf.zip