Merge branch 'ingela/ssl/tls-vs-dtls-version' into maint

* ingela/ssl/tls-vs-dtls-version:
  ssl: DTLS packet support
  ssl: Enable dtls tests
  ssl: Adjust ALPN and next protocol to work with DTLS
  ssl: Enable more DTLS tests
  ssl: negotiated_hashsign/4 expects TLS version to function correctly

3 files changed, 52 insertions, 44 deletions

diff --git a/lib/ssl/src/dtls_socket.erl b/lib/ssl/src/dtls_socket.erl
index fbbd479428..5f854fbb4b 100644
--- a/lib/ssl/src/dtls_socket.erl
+++ b/lib/ssl/src/dtls_socket.erl
@@ -137,7 +137,7 @@ internal_inet_values() ->
     [{active, false}, {mode,binary}].
 
 default_inet_values() ->
-    [{active, true}, {mode, list}].
+    [{active, true}, {mode, list}, {packet, 0}, {packet_size, 0}].
 
 default_cb_info() ->
     {gen_udp, udp, udp_closed, udp_error}.
@@ -149,8 +149,12 @@ get_emulated_opts(EmOpts, EmOptNames) ->
 
 emulated_socket_options(InetValues, #socket_options{
 				       mode   = Mode,
+                                       packet = Packet,
+                                       packet_size = PacketSize,
 				       active = Active}) ->
     #socket_options{
        mode   = proplists:get_value(mode, InetValues, Mode),
+       packet = proplists:get_value(packet, InetValues, Packet),
+       packet_size = proplists:get_value(packet_size, InetValues, PacketSize),
        active = proplists:get_value(active, InetValues, Active)
       }.
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 801aa8f256..4e592c02ec 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -713,6 +713,13 @@ handle_options(Opts0, Role, Host) ->
 
     Protocol = handle_option(protocol, Opts, tls),
 
+    case Versions of
+        [{3, 0}] ->
+            reject_alpn_next_prot_options(Opts);
+        _ ->
+            ok
+    end,
+   
     SSLOptions = #ssl_options{
 		    versions   = Versions,
 		    verify     = validate_option(verify, Verify),
@@ -809,7 +816,7 @@ handle_options(Opts0, Role, Host) ->
     ConnetionCb = connection_cb(Opts),
 
     {ok, #config{ssl = SSLOptions, emulated = Emulated, inet_ssl = Sock,
-		 inet_user = SockOpts, transport_info = CbInfo, connection_cb = ConnetionCb
+		 inet_user = Sock, transport_info = CbInfo, connection_cb = ConnetionCb
 		}}.
 
 
@@ -956,55 +963,32 @@ validate_option(hibernate_after, Value) when is_integer(Value), Value >= 0 ->
 
 validate_option(erl_dist,Value) when is_boolean(Value) ->
     Value;
-validate_option(Opt, Value)
-  when Opt =:= alpn_advertised_protocols orelse Opt =:= alpn_preferred_protocols,
-       is_list(Value) ->
-    case tls_record:highest_protocol_version([]) of
-	{3,0} ->
-	    throw({error, {options, {not_supported_in_sslv3, {Opt, Value}}}});
-	_ ->
-	    validate_binary_list(Opt, Value),
-	    Value
-    end;
+validate_option(Opt, Value) when Opt =:= alpn_advertised_protocols orelse Opt =:= alpn_preferred_protocols,
+                                 is_list(Value) ->
+    validate_binary_list(Opt, Value),
+    Value;
 validate_option(Opt, Value)
   when Opt =:= alpn_advertised_protocols orelse Opt =:= alpn_preferred_protocols,
        Value =:= undefined ->
     undefined;
-validate_option(client_preferred_next_protocols = Opt, {Precedence, PreferredProtocols} = Value)
+validate_option(client_preferred_next_protocols, {Precedence, PreferredProtocols})
   when is_list(PreferredProtocols) ->
-    case tls_record:highest_protocol_version([]) of
-	{3,0} ->
-	    throw({error, {options, {not_supported_in_sslv3, {Opt, Value}}}});
-	_ ->
-	    validate_binary_list(client_preferred_next_protocols, PreferredProtocols),
-	    validate_npn_ordering(Precedence),
-	    {Precedence, PreferredProtocols, ?NO_PROTOCOL}
-    end;
-validate_option(client_preferred_next_protocols = Opt, {Precedence, PreferredProtocols, Default} = Value)
-      when is_list(PreferredProtocols), is_binary(Default),
-           byte_size(Default) > 0, byte_size(Default) < 256 ->
-    case tls_record:highest_protocol_version([]) of
-	{3,0} ->
-	    throw({error, {options, {not_supported_in_sslv3, {Opt, Value}}}});
-	_ ->
-	    validate_binary_list(client_preferred_next_protocols, PreferredProtocols),
-	    validate_npn_ordering(Precedence),
-	    Value
-    end;
-
+    validate_binary_list(client_preferred_next_protocols, PreferredProtocols),
+    validate_npn_ordering(Precedence),
+    {Precedence, PreferredProtocols, ?NO_PROTOCOL};
+validate_option(client_preferred_next_protocols, {Precedence, PreferredProtocols, Default} = Value)
+  when is_list(PreferredProtocols), is_binary(Default),
+       byte_size(Default) > 0, byte_size(Default) < 256 ->
+    validate_binary_list(client_preferred_next_protocols, PreferredProtocols),
+    validate_npn_ordering(Precedence),
+    Value;
 validate_option(client_preferred_next_protocols, undefined) ->
     undefined;
 validate_option(log_alert, Value) when is_boolean(Value) ->
     Value;
-validate_option(next_protocols_advertised = Opt, Value) when is_list(Value) ->
-    case tls_record:highest_protocol_version([]) of
-	{3,0} ->
-	    throw({error, {options, {not_supported_in_sslv3, {Opt, Value}}}});
-	_ ->
-	    validate_binary_list(next_protocols_advertised, Value),
-	    Value
-    end;
-
+validate_option(next_protocols_advertised, Value) when is_list(Value) ->
+    validate_binary_list(next_protocols_advertised, Value),
+    Value;
 validate_option(next_protocols_advertised, undefined) ->
     undefined;
 validate_option(server_name_indication = Opt, Value) when is_list(Value) ->
@@ -1483,3 +1467,22 @@ server_name_indication_default(Host) when is_list(Host) ->
     Host;
 server_name_indication_default(_) ->
     undefined.
+
+
+reject_alpn_next_prot_options(Opts) ->
+    AlpnNextOpts = [alpn_advertised_protocols,
+                    alpn_preferred_protocols,
+                    next_protocols_advertised,
+                    next_protocol_selector,
+                    client_preferred_next_protocols],
+    reject_alpn_next_prot_options(AlpnNextOpts, Opts).
+
+reject_alpn_next_prot_options([], _) ->
+    ok;
+reject_alpn_next_prot_options([Opt| AlpnNextOpts], Opts) ->
+    case lists:keyfind(Opt, 1, Opts) of
+        {Opt, Value} ->
+            throw({error, {options, {not_supported_in_sslv3, {Opt, Value}}}});
+        false ->
+            reject_alpn_next_prot_options(AlpnNextOpts, Opts)
+    end.
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 1afc4ad2af..5cd66387ae 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -673,10 +673,11 @@ cipher(internal, #certificate_verify{signature = Signature,
 	      tls_handshake_history = Handshake
 	     } = State0, Connection) ->
     
+    TLSVersion = ssl:tls_version(Version),
     %% Use negotiated value if TLS-1.2 otherwhise return default
-    HashSign = negotiated_hashsign(CertHashSign, KexAlg, PublicKeyInfo, Version),
+    HashSign = negotiated_hashsign(CertHashSign, KexAlg, PublicKeyInfo, TLSVersion),
     case ssl_handshake:certificate_verify(Signature, PublicKeyInfo,
-					  ssl:tls_version(Version), HashSign, MasterSecret, Handshake) of
+					  TLSVersion, HashSign, MasterSecret, Handshake) of
 	valid ->
 	    {Record, State} = Connection:next_record(State0),
 	    Connection:next_event(cipher, Record,