OTP-8568 RFC -5746

New ssl now supports secure renegotiation as described by RFC 5746.

3 files changed, 112 insertions, 21 deletions

diff --git a/lib/ssl/test/ssl.cover b/lib/ssl/test/ssl.cover
index 138bf96b9d..e8daa363c5 100644
--- a/lib/ssl/test/ssl.cover
+++ b/lib/ssl/test/ssl.cover
@@ -3,5 +3,17 @@
 	   'PKIX1Explicit88',
 	   'PKIX1Implicit88',
 	   'PKIXAttributeCertificate',
-	   'SSL-PKIX']}.
+	   'SSL-PKIX',
+	   ssl_pem,
+	   ssl_pkix,
+	   ssl_base64,
+	   ssl_broker,
+           ssl_broker_int,
+	   ssl_broker_sup,
+	   ssl_debug,
+	   ssl_server,		
+	   ssl_prim,
+	   inet_ssl_dist,
+	   'OTP-PKIX'	
+		]}.
 
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 3ee82d990b..9afcbd9113 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -171,7 +171,8 @@ all(suite) ->
      client_verify_none_active, client_verify_none_active_once
      %%, session_cache_process_list, session_cache_process_mnesia
      ,reuse_session, reuse_session_expired, server_does_not_want_to_reuse_session,
-     client_renegotiate, server_renegotiate,
+     client_renegotiate, server_renegotiate, client_renegotiate_reused_session,
+     server_renegotiate_reused_session,
      client_no_wrap_sequence_number, server_no_wrap_sequence_number,
      extended_key_usage, validate_extensions_fun
     ].
@@ -665,7 +666,7 @@ misc_ssl_options(Config) when is_list(Config) ->
 		{password, []},
 		{reuse_session, fun(_,_,_,_) -> true end},
 		{debug, []}, 
-		{cb_info, {gen_tcp, tcp, tcp_closed}}],
+		{cb_info, {gen_tcp, tcp, tcp_closed, tcp_error}}],
     
    Server = 
 	ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
@@ -2112,6 +2113,76 @@ server_renegotiate(Config) when is_list(Config) ->
     ok.
 
 %%--------------------------------------------------------------------
+client_renegotiate_reused_session(doc) -> 
+    ["Test ssl:renegotiate/1 on client when the ssl session will be reused."];
+
+client_renegotiate_reused_session(suite) -> 
+    [];
+
+client_renegotiate_reused_session(Config) when is_list(Config) ->
+    process_flag(trap_exit, true),
+    ServerOpts = ?config(server_opts, Config),  
+    ClientOpts = ?config(client_opts, Config),  
+
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    
+    Data = "From erlang to erlang",
+
+    Server = 
+	ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+				   {from, self()},
+				   {mfa, {?MODULE, erlang_ssl_receive, [Data]}},
+				   {options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+ 
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
+					{host, Hostname},
+					{from, self()}, 
+					{mfa, {?MODULE, 
+					       renegotiate_reuse_session, [Data]}},
+					{options, [{reuse_sessions, true} | ClientOpts]}]),
+    
+    ssl_test_lib:check_result(Client, ok, Server, ok), 
+
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client),
+    process_flag(trap_exit, false),
+    ok.
+%%--------------------------------------------------------------------
+server_renegotiate_reused_session(doc) -> 
+    ["Test ssl:renegotiate/1 on server when the ssl session will be reused."];
+
+server_renegotiate_reused_session(suite) -> 
+    [];
+
+server_renegotiate_reused_session(Config) when is_list(Config) ->
+    process_flag(trap_exit, true),
+    ServerOpts = ?config(server_opts, Config),  
+    ClientOpts = ?config(client_opts, Config),  
+
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    
+    Data = "From erlang to erlang",
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+					{from, self()}, 
+					{mfa, {?MODULE, 
+					       renegotiate_reuse_session, [Data]}},
+					{options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+    
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
+					{host, Hostname},
+					{from, self()}, 
+					{mfa, {?MODULE, erlang_ssl_receive, [Data]}},
+					{options, [{reuse_sessions, true} | ClientOpts]}]),
+    
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client),
+    ok.
+
+%%--------------------------------------------------------------------
 client_no_wrap_sequence_number(doc) -> 
     ["Test that erlang client will renegotiate session when",  
      "max sequence number celing is about to be reached. Although"
@@ -2314,14 +2385,14 @@ renegotiate(Socket, Data) ->
     case Result of
 	ok ->
 	    ok;
-	%% It is not an error in erlang ssl
-	%% if peer rejects renegotiation.
-	%% Connection will stay up
-	{error, renegotiation_rejected} ->
-	    ok;
 	Other ->
 	    Other
     end.
+
+renegotiate_reuse_session(Socket, Data) ->
+    %% Make sure session is registerd
+    test_server:sleep(?SLEEP),
+    renegotiate(Socket, Data).
  
 session_cache_process_list(doc) -> 
     ["Test reuse of sessions (short handshake)"];
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 186bf52ff6..03466aec6f 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -81,11 +81,20 @@ end_per_suite(_Config) ->
 %% variable, but should NOT alter/remove any existing entries.
 %% Description: Initialization before each test case
 %%--------------------------------------------------------------------
-init_per_testcase(_TestCase, Config0) ->
+init_per_testcase(TestCase, Config0) ->
     Config = lists:keydelete(watchdog, 1, Config0),
     Dog = ssl_test_lib:timetrap(?TIMEOUT),
-    [{watchdog, Dog} | Config].
+    special_init(TestCase, [{watchdog, Dog} | Config]).
 
+special_init(TestCase, Config) 
+  when TestCase == erlang_client_openssl_server_renegotiate;
+       TestCase == erlang_client_openssl_server_no_wrap_sequence_number;
+       TestCase == erlang_server_openssl_client_no_wrap_sequence_number ->
+    check_sane_openssl_renegotaite(Config);
+
+special_init(_, Config) ->
+    Config.
+    
 %%--------------------------------------------------------------------
 %% Function: end_per_testcase(TestCase, Config) -> _
 %% Case - atom()
@@ -297,12 +306,8 @@ erlang_client_openssl_server_renegotiate(Config) when is_list(Config) ->
     test_server:sleep(?SLEEP),
     port_command(OpensslPort, OpenSslData),
     
-    %%ssl_test_lib:check_result(Client, ok), 
-    %% Currently allow test case to not fail
-    %% if server requires secure renegotiation from RFC-5746 
-    %% This should be removed as soon as we have implemented it.
-    ssl_test_lib:check_result_ignore_renegotiation_reject(Client, ok),
-
+    ssl_test_lib:check_result(Client, ok), 
+   
     %% Clean close down!   Server needs to be closed first !!
     close_port(OpensslPort),
 
@@ -350,11 +355,7 @@ erlang_client_openssl_server_no_wrap_sequence_number(Config) when is_list(Config
 					{options, [{reuse_sessions, false},
 						   {renegotiate_at, N} | ClientOpts]}]),
     
-    %%ssl_test_lib:check_result(Client, ok), 
-    %% Currently allow test case to not fail
-    %% if server requires secure renegotiation from RFC-5746 
-    %% This should be removed as soon as we have implemented it.
-    ssl_test_lib:check_result_ignore_renegotiation_reject(Client, ok),
+    ssl_test_lib:check_result(Client, ok), 
 
     %% Clean close down!   Server needs to be closed first !!
     close_port(OpensslPort),
@@ -1080,3 +1081,10 @@ wait_for_openssl_server() ->
 	    test_server:sleep(?SLEEP)
     end.
 	    
+check_sane_openssl_renegotaite(Config) ->
+    case os:cmd("openssl version") of
+	"OpenSSL 0.9.8l" ++ _ ->
+	    {skip, "Known renegotiation bug in OppenSSL"};
+	_ ->
+	    Config
+    end.