Merge remote-tracking branch 'upstream/maint'

7 files changed, 100 insertions, 43 deletions

diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index c090b6ebfb..3a64841976 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -1,7 +1,11 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
-  {<<"5.3\\*">>, [{restart_application, ssl}]},
+  {<<"5.3.2">>, [{load_module, ssl, soft_purge, soft_purge, []},
+		 {load_module, ssl_connection, soft_purge, soft_purge, []},
+		 {load_module, ssl_handshake, soft_purge, soft_purge, []},
+		 {load_module, tls_connection, soft_purge, soft_purge, []}]},
+  {<<"5.3.1">>, [{restart_application, ssl}]},
   {<<"5.2\\*">>, [{restart_application, ssl}]},
   {<<"5.1\\*">>, [{restart_application, ssl}]},
   {<<"5.0\\*">>, [{restart_application, ssl}]},
@@ -9,7 +13,11 @@
   {<<"3\\.*">>, [{restart_application, ssl}]}
  ], 
  [
-  {<<"5.3\\*">>, [{restart_application, ssl}]},
+  {<<"5.3.2">>, [{load_module, ssl, soft_purge, soft_purge, []},
+		 {load_module, ssl_connection, soft_purge, soft_purge, []},
+		 {load_module, ssl_handshake, soft_purge, soft_purge, []},
+		 {load_module, tls_connection, soft_purge, soft_purge, []}]},
+  {<<"5.3.1">>, [{restart_application, ssl}]},
   {<<"5.2\\*">>, [{restart_application, ssl}]},
   {<<"5.1\\*">>, [{restart_application, ssl}]},
   {<<"5.0\\*">>, [{restart_application, ssl}]},
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index cff842cb2f..a7fd9f5f81 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 1999-2013. All Rights Reserved.
+%% Copyright Ericsson AB 1999-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -608,39 +608,40 @@ handle_options(Opts0, _Role) ->
 	       end,
 
     SSLOptions = #ssl_options{
-      versions   = Versions,
-      verify     = validate_option(verify, Verify),
-      verify_fun = VerifyFun,
-      fail_if_no_peer_cert = FailIfNoPeerCert,
-      verify_client_once =  handle_option(verify_client_once, Opts, false),
-      depth      = handle_option(depth,  Opts, 1),
-      cert       = handle_option(cert, Opts, undefined),
-      certfile   = CertFile,
-      key        = handle_option(key, Opts, undefined),
-      keyfile    = handle_option(keyfile,  Opts, CertFile),
-      password   = handle_option(password, Opts, ""),
-      cacerts    = CaCerts,
-      cacertfile = handle_option(cacertfile, Opts, CaCertDefault),
-      dh         = handle_option(dh, Opts, undefined),
-      dhfile     = handle_option(dhfile, Opts, undefined),
-      user_lookup_fun = handle_option(user_lookup_fun, Opts, undefined),
-      psk_identity = handle_option(psk_identity, Opts, undefined),
-      srp_identity = handle_option(srp_identity, Opts, undefined),
-      ciphers    = handle_option(ciphers, Opts, []),
-      %% Server side option
-      reuse_session = handle_option(reuse_session, Opts, ReuseSessionFun),
-      reuse_sessions = handle_option(reuse_sessions, Opts, true),
-      secure_renegotiate = handle_option(secure_renegotiate, Opts, false),
-      renegotiate_at = handle_option(renegotiate_at, Opts, ?DEFAULT_RENEGOTIATE_AT),
-      hibernate_after = handle_option(hibernate_after, Opts, undefined),
-      erl_dist = handle_option(erl_dist, Opts, false),
-      next_protocols_advertised =
+		    versions   = Versions,
+		    verify     = validate_option(verify, Verify),
+		    verify_fun = VerifyFun,
+		    fail_if_no_peer_cert = FailIfNoPeerCert,
+		    verify_client_once =  handle_option(verify_client_once, Opts, false),
+		    depth      = handle_option(depth,  Opts, 1),
+		    cert       = handle_option(cert, Opts, undefined),
+		    certfile   = CertFile,
+		    key        = handle_option(key, Opts, undefined),
+		    keyfile    = handle_option(keyfile,  Opts, CertFile),
+		    password   = handle_option(password, Opts, ""),
+		    cacerts    = CaCerts,
+		    cacertfile = handle_option(cacertfile, Opts, CaCertDefault),
+		    dh         = handle_option(dh, Opts, undefined),
+		    dhfile     = handle_option(dhfile, Opts, undefined),
+		    user_lookup_fun = handle_option(user_lookup_fun, Opts, undefined),
+		    psk_identity = handle_option(psk_identity, Opts, undefined),
+		    srp_identity = handle_option(srp_identity, Opts, undefined),
+		    ciphers    = handle_option(ciphers, Opts, []),
+		    %% Server side option
+		    reuse_session = handle_option(reuse_session, Opts, ReuseSessionFun),
+		    reuse_sessions = handle_option(reuse_sessions, Opts, true),
+		    secure_renegotiate = handle_option(secure_renegotiate, Opts, false),
+		    renegotiate_at = handle_option(renegotiate_at, Opts, ?DEFAULT_RENEGOTIATE_AT),
+		    hibernate_after = handle_option(hibernate_after, Opts, undefined),
+		    erl_dist = handle_option(erl_dist, Opts, false),
+		    next_protocols_advertised =
 			handle_option(next_protocols_advertised, Opts, undefined),
-      next_protocol_selector =
+		    next_protocol_selector =
 			make_next_protocol_selector(
 			  handle_option(client_preferred_next_protocols, Opts, undefined)),
-      log_alert = handle_option(log_alert, Opts, true)
-     },
+		    log_alert = handle_option(log_alert, Opts, true),
+		    server_name_indication = handle_option(server_name_indication, Opts, undefined)
+		   },
 
     CbInfo  = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed, tcp_error}),
     SslOptions = [protocol, versions, verify, verify_fun,
@@ -651,7 +652,7 @@ handle_options(Opts0, _Role) ->
 		  reuse_session, reuse_sessions, ssl_imp,
 		  cb_info, renegotiate_at, secure_renegotiate, hibernate_after,
 		  erl_dist, next_protocols_advertised,
-		  client_preferred_next_protocols, log_alert],
+		  client_preferred_next_protocols, log_alert, server_name_indication],
 
     SockOpts = lists:foldl(fun(Key, PropList) ->
 				   proplists:delete(Key, PropList)
@@ -833,6 +834,12 @@ validate_option(next_protocols_advertised = Opt, Value) when is_list(Value) ->
 
 validate_option(next_protocols_advertised, undefined) ->
     undefined;
+validate_option(server_name_indication, Value) when is_list(Value) ->
+    Value;
+validate_option(server_name_indication, disable) ->
+    disable;
+validate_option(server_name_indication, undefined) ->
+    undefined;
 validate_option(Opt, Value) ->
     throw({error, {options, {Opt, Value}}}).
 
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index b7c1b9e8d0..82106935cb 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1597,7 +1597,7 @@ default_hashsign(_Version, KeyExchange)
 select_curve(#state{client_ecc = {[Curve|_], _}}) ->
     {namedCurve, Curve};
 select_curve(_) ->
-    {namedCurve, ?secp256k1}.
+    {namedCurve, ?secp256r1}.
 
 is_anonymous(Algo) when Algo == dh_anon;
 			Algo == ecdh_anon;
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index da72ffc043..f5c0034f1b 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1287,7 +1287,7 @@ select_curve(#elliptic_curves{elliptic_curve_list = ClientCurves},
 select_curve(undefined, _) ->
     %% Client did not send ECC extension use default curve if 
     %% ECC cipher is negotiated
-    {namedCurve, ?secp256k1};
+    {namedCurve, ?secp256r1};
 select_curve(_, []) ->
     no_curve;
 select_curve(Curves, [Curve| Rest]) ->
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 8e6f80da1e..ffa04ee8ba 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -199,7 +199,9 @@ hello(start, #state{host = Host, port = Port, role = client,
     next_state(hello, hello, Record, State);
 
 hello(Hello = #client_hello{client_version = ClientVersion,
-			    extensions = #hello_extensions{hash_signs = HashSigns}},
+			    extensions = #hello_extensions{hash_signs = HashSigns,
+							   ec_point_formats = EcPointFormats,
+							   elliptic_curves = EllipticCurves}},
       State = #state{connection_states = ConnectionStates0,
 		     port = Port, session = #session{own_certificate = Cert} = Session0,
 		     renegotiation = {Renegotiation, _},
@@ -210,9 +212,7 @@ hello(Hello = #client_hello{client_version = ClientVersion,
     case tls_handshake:hello(Hello, SslOpts, {Port, Session0, Cache, CacheCb,
 					      ConnectionStates0, Cert}, Renegotiation) of
         {Version, {Type, Session},
-	 ConnectionStates,
-	 #hello_extensions{ec_point_formats = EcPointFormats,
-			   elliptic_curves = EllipticCurves} = ServerHelloExt} ->
+	 ConnectionStates, ServerHelloExt} ->
             ssl_connection:hello({common_client_hello, Type, ServerHelloExt, HashSign},
 				 State#state{connection_states  = ConnectionStates,
 					     negotiated_version = Version,
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 54029ebe6d..bc7e68a86c 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -130,7 +130,8 @@ api_tests() ->
      listen_socket,
      ssl_accept_timeout,
      ssl_recv_timeout,
-     versions_option
+     versions_option,
+     server_name_indication_option
     ].
 
 session_tests() ->
@@ -2804,6 +2805,47 @@ versions_option(Config) when is_list(Config) ->
     end,	    
    
     ssl_test_lib:check_result(ErrClient, {error, {tls_alert, "protocol version"}}).
+
+
+%%--------------------------------------------------------------------
+
+server_name_indication_option() ->
+    [{doc,"Test API server_name_indication option to connect."}].
+server_name_indication_option(Config) when is_list(Config) ->
+    ClientOpts = ?config(client_opts, Config),
+    ServerOpts = ?config(server_opts, Config),  
+
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+					{from, self()}, 
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+    
+    Client0 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
+					 {host, Hostname},
+					 {from, self()}, 
+					 {mfa, {ssl_test_lib, send_recv_result_active, []}},
+					 {options,  
+					  [{server_name_indication, disable} | 
+					   ClientOpts]}
+					]),
+    
+    ssl_test_lib:check_result(Server, ok, Client0, ok),
+    Server ! listen,				       
+    
+    Client1 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
+					 {host, Hostname},
+					 {from, self()}, 
+					 {mfa, {ssl_test_lib, send_recv_result_active, []}},
+					 {options,
+					  [{server_name_indication, Hostname} | ClientOpts]
+					 }]),    
+    ssl_test_lib:check_result(Server, ok, Client1, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client0),
+    ssl_test_lib:close(Client1).
+
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index a2dd3f5930..a6e0efed25 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -1 +1 @@
-SSL_VSN = 5.3.2
+SSL_VSN = 5.3.3