Merge branch 'ia/ssl/maint15/poodle' into maint-r15

* ia/ssl/maint15/poodle: ssl: Special Poodle protection version for OTP-R15 track ssl: Check that negotiated version is a supported version. ssl: Renable padding check
author: Erlang/OTP <[email protected]> 2015-03-13 16:35:40 +0100
committer: Erlang/OTP <[email protected]> 2015-03-13 16:35:40 +0100
commit: 6e2268e187c84908572e2e6a1fb282a7ba8dc45a (patch)
tree: e7aca7375e491169ff6a3ec79da163c21614d15e /lib/ssl/src
parent: 5a137003f1eb045a39c18438ecc1b22081747487 (diff)
parent: 90e3fdf7a7ed036d51fcd0477141343af9f1cc30 (diff)
download: otp-6e2268e187c84908572e2e6a1fb282a7ba8dc45a.tar.gz
otp-6e2268e187c84908572e2e6a1fb282a7ba8dc45a.tar.bz2
otp-6e2268e187c84908572e2e6a1fb282a7ba8dc45a.zip
6 files changed, 34 insertions, 35 deletions
diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index c04d29bfc6..89eb5a240b 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -1,18 +1,12 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
-  {"5.1.2",      [{restart_application, ssl}]},
-  {"5.1.1",      [{restart_application, ssl}]},
-  {"5.1",        [{restart_application, ssl}]},
-  {<<"5.0\\*">>, [{restart_application, ssl}]},
+  {<<"5\\.*">>, [{restart_application, ssl}]},
   {<<"4\\.*">>, [{restart_application, ssl}]},
   {<<"3\\.*">>, [{restart_application, ssl}]}
  ], 
  [
-  {"5.1.2",      [{restart_application, ssl}]},
-  {"5.1.1",      [{restart_application, ssl}]},
-  {"5.1",        [{restart_application, ssl}]},
-  {<<"5.0\\*">>, [{restart_application, ssl}]},
+  {<<"5\\.*">>, [{restart_application, ssl}]},
   {<<"4\\.*">>, [{restart_application, ssl}]},
   {<<"3\\.*">>, [{restart_application, ssl}]}
  ]}.
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index b52470b988..ac69ed847d 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 1999-2012. All Rights Reserved.
+%% Copyright Ericsson AB 1999-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -572,8 +572,15 @@ handle_options(Opts0, _Role) ->
 
     CertFile = handle_option(certfile, Opts, <<>>),
     
+    Versions = case handle_option(versions, Opts, []) of
+		   [] ->
+		       ssl_record:supported_protocol_versions();  
+		   Vsns  ->
+		       [ssl_record:protocol_version(Vsn) || Vsn <- Vsns]
+	       end,  
+
     SSLOptions = #ssl_options{
-      versions   = handle_option(versions, Opts, []),
+      versions   = Versions,
       verify     = validate_option(verify, Verify),
       verify_fun = VerifyFun,
       fail_if_no_peer_cert = FailIfNoPeerCert,
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 567690a413..81354721b7 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -668,14 +668,12 @@ generic_stream_cipher_from_bin(T, HashSz) ->
     #generic_stream_cipher{content=Content,
 			   mac=Mac}.
 
-%% For interoperability reasons we do not check the padding content in
-%% SSL 3.0 and TLS 1.0 as it is not strictly required and breaks
-%% interopability with for instance Google. 
+%% SSL 3.0 has no padding check
 is_correct_padding(#generic_block_cipher{padding_length = Len,
 										 padding = Padding}, {3, N})
-  when N == 0; N == 1 ->
+  when N == 0 ->
     Len == byte_size(Padding); 
-%% Padding must be check in TLS 1.1 and after  
+%% Padding should/must be check in TLS-1.0/TLS 1.1 and after  
 is_correct_padding(#generic_block_cipher{padding_length = Len,
 										 padding = Padding}, _) ->
     Len == byte_size(Padding) andalso
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 73857bccbb..eb71212dcc 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -74,7 +74,6 @@
 	  session_cache,        % 
 	  session_cache_cb,     %
           negotiated_version,   % tls_version()
-          supported_protocol_versions, % [atom()]
           client_certificate_requested = false,
 	  key_algorithm,       % atom as defined by cipher_suite
 	  hashsign_algorithm,  % atom as defined by cipher_suite
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index bb26302fff..c6eda03e71 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -61,11 +61,7 @@ client_hello(Host, Port, ConnectionStates,
 			  ciphers = UserSuites
 			 } = SslOpts,
 	     Cache, CacheCb, Renegotiation, OwnCert) ->
-
-    Fun = fun(Version) ->
-		  ssl_record:protocol_version(Version)
-	  end,
-    Version = ssl_record:highest_protocol_version(lists:map(Fun, Versions)),
+    Version = ssl_record:highest_protocol_version(Versions),
     Pending = ssl_record:pending_connection_state(ConnectionStates, read),
     SecParams = Pending#connection_state.security_parameters,
     Ciphers = available_suites(UserSuites, Version),
@@ -124,10 +120,11 @@ hello(#server_hello{cipher_suite = CipherSuite, server_version = Version,
 		    compression_method = Compression, random = Random,
 		    session_id = SessionId, renegotiation_info = Info,
 		    hash_signs = _HashSigns},
-      #ssl_options{secure_renegotiate = SecureRenegotation},
+      #ssl_options{secure_renegotiate = SecureRenegotation, 
+		   versions = SupportedVersions},
       ConnectionStates0, Renegotiation) ->
-%%TODO: select hash and signature algorigthm
-    case ssl_record:is_acceptable_version(Version) of
+    %%TODO: select hash and signature algorigthm
+    case ssl_record:is_acceptable_version(Version, SupportedVersions) of
 	true ->
 	    case handle_renegotiation_info(client, Info, ConnectionStates0, 
 					   Renegotiation, SecureRenegotation, []) of
@@ -152,7 +149,7 @@ hello(#client_hello{client_version = ClientVersion, random = Random,
       {Port, Session0, Cache, CacheCb, ConnectionStates0, Cert}, Renegotiation) ->
 %% TODO: select hash and signature algorithm
     Version = select_version(ClientVersion, Versions),
-    case ssl_record:is_acceptable_version(Version) of
+    case ssl_record:is_acceptable_version(Version, Versions) of
 	true ->
 	    {Type, #session{cipher_suite = CipherSuite,
 			    compression_method = Compression} = Session} 
@@ -767,11 +764,7 @@ hello_security_parameters(server, Version, ConnectionState, CipherSuite, Random,
      }.
 
 select_version(ClientVersion, Versions) ->   
-    Fun = fun(Version) ->
-		  ssl_record:protocol_version(Version)
-	  end,
-    ServerVersion = ssl_record:highest_protocol_version(lists:map(Fun,
-								  Versions)),
+    ServerVersion = ssl_record:highest_protocol_version(Versions),
     ssl_record:lowest_protocol_version(ClientVersion, ServerVersion).
 
 select_cipher_suite([], _) ->
diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl
index 8e93ce4634..9f764908a1 100644
--- a/lib/ssl/src/ssl_record.erl
+++ b/lib/ssl/src/ssl_record.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -56,7 +56,7 @@
 %% Misc.
 -export([protocol_version/1, lowest_protocol_version/2,
 	 highest_protocol_version/1, supported_protocol_versions/0,
-	 is_acceptable_version/1]).
+	 is_acceptable_version/1, is_acceptable_version/2]).
 
 -export([compressions/0]).
 
@@ -476,8 +476,10 @@ supported_protocol_versions([_|_] = Vsns) ->
 
 %%--------------------------------------------------------------------
 -spec is_acceptable_version(tls_version()) -> boolean().
+-spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean().
 %%     
 %% Description: ssl version 2 is not acceptable security risks are too big.
+%% 
 %%--------------------------------------------------------------------
 is_acceptable_version({N,_}) 
   when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
@@ -485,6 +487,12 @@ is_acceptable_version({N,_})
 is_acceptable_version(_) ->
     false.
 
+is_acceptable_version({N,_} = Version, Versions)   
+  when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+    lists:member(Version, Versions);
+is_acceptable_version(_,_) ->
+    false.
+
 %%--------------------------------------------------------------------
 -spec compressions() -> [binary()].
 %%
author	Erlang/OTP <[email protected]>	2015-03-13 16:35:40 +0100
committer	Erlang/OTP <[email protected]>	2015-03-13 16:35:40 +0100
commit	6e2268e187c84908572e2e6a1fb282a7ba8dc45a (patch)
tree	e7aca7375e491169ff6a3ec79da163c21614d15e /lib/ssl/src
parent	5a137003f1eb045a39c18438ecc1b22081747487 (diff)
parent	90e3fdf7a7ed036d51fcd0477141343af9f1cc30 (diff)
download	otp-6e2268e187c84908572e2e6a1fb282a7ba8dc45a.tar.gz otp-6e2268e187c84908572e2e6a1fb282a7ba8dc45a.tar.bz2 otp-6e2268e187c84908572e2e6a1fb282a7ba8dc45a.zip