Merge branch 'ferd/bypass-pem-cache/PR-1143/OTP-13883' into maint

* ferd/bypass-pem-cache/PR-1143/OTP-13883: ssl: Add documentation of bypass_pem_cache application environment configuration ssl: Add new benchmarks to skip file for normal testing Adding PEM cache bypass benchmark entries Fixing CRL searching in cache bypass Add option to bypass SSL PEM cache
author: Ingela Anderton Andin <[email protected]> 2016-09-12 16:26:12 +0200
committer: Ingela Anderton Andin <[email protected]> 2016-09-12 16:26:12 +0200
commit: 9f12c01ed52555a2a6218b86929a2b2f36c93a0e (patch)
tree: 25ad3b5501650fc9db8b2f72dcfd990a682643bf /lib/ssl/test
parent: 44aba0af8d1ddbccf8a7911f307681fc0d726d77 (diff)
parent: 3cad56eb508fb703d036e704bae77a3b3ae05086 (diff)
download: otp-9f12c01ed52555a2a6218b86929a2b2f36c93a0e.tar.gz
otp-9f12c01ed52555a2a6218b86929a2b2f36c93a0e.tar.bz2
otp-9f12c01ed52555a2a6218b86929a2b2f36c93a0e.zip
2 files changed, 97 insertions, 8 deletions
diff --git a/lib/ssl/test/ssl.spec b/lib/ssl/test/ssl.spec
index 86e14c033e..0ad94e22bc 100644
--- a/lib/ssl/test/ssl.spec
+++ b/lib/ssl/test/ssl.spec
@@ -1,4 +1,5 @@
 {suites,"../ssl_test",all}.
 {skip_cases, "../ssl_test",
-    ssl_bench_SUITE, [setup_sequential, setup_concurrent, payload_simple],
+    ssl_bench_SUITE, [setup_sequential, setup_concurrent, payload_simple,
+	use_pem_cache, bypass_pem_cache],
     "Benchmarks run separately"}.
diff --git a/lib/ssl/test/ssl_bench_SUITE.erl b/lib/ssl/test/ssl_bench_SUITE.erl
index ed439a425f..21989f8d99 100644
--- a/lib/ssl/test/ssl_bench_SUITE.erl
+++ b/lib/ssl/test/ssl_bench_SUITE.erl
@@ -25,11 +25,12 @@
 
 suite() -> [{ct_hooks,[{ts_install_cth,[{nodenames,2}]}]}].
 
-all() -> [{group, setup}, {group, payload}].
+all() -> [{group, setup}, {group, payload}, {group, pem_cache}].
 
 groups() ->
     [{setup, [{repeat, 3}], [setup_sequential, setup_concurrent]},
-     {payload, [{repeat, 3}], [payload_simple]}
+     {payload, [{repeat, 3}], [payload_simple]},
+     {pem_cache, [{repeat, 3}], [use_pem_cache, bypass_pem_cache]}
     ].
 
 init_per_group(_GroupName, Config) ->
@@ -49,9 +50,33 @@ init_per_suite(Config) ->
 end_per_suite(_Config) ->
     ok.
 
+init_per_testcase(use_pem_cache, Conf) ->
+    case bypass_pem_cache_supported() of
+        false -> {skipped, "PEM cache bypass support required"};
+        true ->
+            application:set_env(ssl, bypass_pem_cache, false),
+            Conf
+    end;
+init_per_testcase(bypass_pem_cache, Conf) ->
+    case bypass_pem_cache_supported() of
+        false -> {skipped, "PEM cache bypass support required"};
+        true ->
+            application:set_env(ssl, bypass_pem_cache, true),
+            Conf
+    end;
 init_per_testcase(_Func, Conf) ->
     Conf.
 
+end_per_testcase(use_pem_cache, _Config) ->
+    case bypass_pem_cache_supported() of
+        false -> ok;
+        true -> application:set_env(ssl, bypass_pem_cache, false)
+    end;
+end_per_testcase(bypass_pem_cache, _Config) ->
+    case bypass_pem_cache_supported() of
+        false -> ok;
+        true -> application:set_env(ssl, bypass_pem_cache, false)
+    end;
 end_per_testcase(_Func, _Conf) ->
     ok.
 
@@ -94,6 +119,18 @@ payload_simple(Config) ->
 				 {suite, "ssl"}, {name, "Payload simple"}]}),
     ok.
 
+use_pem_cache(_Config) ->
+    {ok, Result} = do_test(ssl, pem_cache, 100, 500, node()),
+    ct_event:notify(#event{name = benchmark_data,
+                           data=[{value, Result},
+                                 {suite, "ssl"}, {name, "Use PEM cache"}]}).
+
+bypass_pem_cache(_Config) ->
+    {ok, Result} = do_test(ssl, pem_cache, 100, 500, node()),
+    ct_event:notify(#event{name = benchmark_data,
+                           data=[{value, Result},
+                                 {suite, "ssl"}, {name, "Bypass PEM cache"}]}).
+
 
 ssl() ->
     test(ssl, ?COUNT, node()).
@@ -172,6 +209,18 @@ server_init(ssl, payload, Loop, _, Server) ->
 		   ssl:close(TSocket)
 	   end,
     setup_server_connection(Socket, Test);
+server_init(ssl, pem_cache, Loop, _, Server) ->
+    {ok, Socket} = ssl:listen(0, ssl_opts(listen_der)),
+    {ok, {_Host, Port}} = ssl:sockname(Socket),
+    {ok, Host} = inet:gethostname(),
+    Server ! {self(), {init, Host, Port}},
+    Test = fun(TSocket) ->
+		   ok = ssl:ssl_accept(TSocket),
+		   Size = byte_size(msg()),
+		   server_echo(TSocket, Size, Loop),
+		   ssl:close(TSocket)
+	   end,
+    setup_server_connection(Socket, Test);
 
 server_init(Type, Tc, _, _, Server) ->
     io:format("No server init code for ~p ~p~n",[Type, Tc]),
@@ -185,6 +234,11 @@ client_init(Master, ssl, payload, Host, Port) ->
     Master ! {self(), init},
     Size = byte_size(msg()),
     {Sock, Size};
+client_init(Master, ssl, pem_cache, Host, Port) ->
+    {ok, Sock} = ssl:connect(Host, Port, ssl_opts(connect_der)),
+    Master ! {self(), init},
+    Size = byte_size(msg()),
+    {Sock, Size};
 client_init(_Me, Type, Tc, Host, Port) ->
     io:format("No client init code for ~p ~p~n",[Type, Tc]),
     {Host, Port}.
@@ -228,6 +282,13 @@ payload(Loop, ssl, D = {Socket, Size}) when Loop > 0 ->
 payload(_, _, {Socket, _}) ->
     ssl:close(Socket).
 
+pem_cache(N, ssl, Data = {Socket, Size}) when N > 0 ->
+    ok = ssl:send(Socket, msg()),
+    {ok, _} = ssl:recv(Socket, Size),
+    pem_cache(N-1, ssl, Data);
+pem_cache(_, _, {Socket, _}) ->
+    ssl:close(Socket).
+
 msg() ->
     <<"Hello", 
       0:(512*8), 
@@ -352,16 +413,43 @@ stop_profile(fprof, File) ->
 ssl_opts(listen) ->
     [{backlog, 500} | ssl_opts("server")];
 ssl_opts(connect) ->
-    [{verify, verify_peer}
-     | ssl_opts("client")];
+    [{verify, verify_peer} | ssl_opts("client")];
+ssl_opts(listen_der) ->
+    [{backlog, 500} | ssl_opts("server_der")];
+ssl_opts(connect_der) ->
+    [{verify, verify_peer} | ssl_opts("client_der")];
 ssl_opts(Role) ->
-    Dir = filename:join([code:lib_dir(ssl), "examples", "certs", "etc"]),
+    CertData = cert_data(Role),
     [{active, false},
      {depth, 2},
      {reuseaddr, true},
      {mode,binary},
      {nodelay, true},
-     {ciphers, [{dhe_rsa,aes_256_cbc,sha}]},
-     {cacertfile, filename:join([Dir, Role, "cacerts.pem"])},
+     {ciphers, [{dhe_rsa,aes_256_cbc,sha}]}
+    |CertData].
+
+cert_data(Der) when Der =:= "server_der"; Der =:= "client_der" ->
+    [Role,_] = string:tokens(Der, "_"),
+    Dir = filename:join([code:lib_dir(ssl), "examples", "certs", "etc"]),
+    {ok, CaCert0} = file:read_file(filename:join([Dir, Role, "cacerts.pem"])),
+    {ok, Cert0} = file:read_file(filename:join([Dir, Role, "cert.pem"])),
+    {ok, Key0} = file:read_file(filename:join([Dir, Role, "key.pem"])),
+    [{_, Cert, _}] = public_key:pem_decode(Cert0),
+    CaCert1 = public_key:pem_decode(CaCert0),
+    CaCert = [CCert || {_, CCert, _} <- CaCert1],
+    [{KeyType, Key, _}] = public_key:pem_decode(Key0),
+    [{cert, Cert},
+     {cacerts, CaCert},
+     {key, {KeyType, Key}}];
+cert_data(Role) ->
+    Dir = filename:join([code:lib_dir(ssl), "examples", "certs", "etc"]),
+    [{cacertfile, filename:join([Dir, Role, "cacerts.pem"])},
      {certfile, filename:join([Dir, Role, "cert.pem"])},
      {keyfile, filename:join([Dir, Role, "key.pem"])}].
+
+bypass_pem_cache_supported() ->
+    %% This function is currently critical to support cache bypass
+    %% and did not exist in prior versions.
+    catch ssl_pkix_db:module_info(), % ensure module is loaded
+    erlang:function_exported(ssl_pkix_db, extract_trusted_certs, 1).
+
author	Ingela Anderton Andin <[email protected]>	2016-09-12 16:26:12 +0200
committer	Ingela Anderton Andin <[email protected]>	2016-09-12 16:26:12 +0200
commit	9f12c01ed52555a2a6218b86929a2b2f36c93a0e (patch)
tree	25ad3b5501650fc9db8b2f72dcfd990a682643bf /lib/ssl/test
parent	44aba0af8d1ddbccf8a7911f307681fc0d726d77 (diff)
parent	3cad56eb508fb703d036e704bae77a3b3ae05086 (diff)
download	otp-9f12c01ed52555a2a6218b86929a2b2f36c93a0e.tar.gz otp-9f12c01ed52555a2a6218b86929a2b2f36c93a0e.tar.bz2 otp-9f12c01ed52555a2a6218b86929a2b2f36c93a0e.zip