Merge branch 'ia/ssl/seperate-clinet-server-session-table/OTP-11365'

* ia/ssl/seperate-clinet-server-session-table/OTP-11365:
  ssl: Separate session cache for client and server

6 files changed, 143 insertions, 63 deletions

diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 43cb3934f7..c8024548b5 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -4,7 +4,7 @@
 <appref>
   <header>
     <copyright>
-      <year>1999</year><year>2013</year>
+      <year>1999</year><year>2014</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -75,10 +75,10 @@
           </p>
       </item>
 
-      <tag><c><![CDATA[session_cb_init_args = list() <optional>]]></c></tag>
+      <tag><c><![CDATA[session_cb_init_args = proplist:proplist() <optional>]]></c></tag>
       <item>
 	<p>
-	  List of arguments to the init function in session cache
+	  List of additional user defined arguments to the init function in session cache
 	  callback module, defaults to [].
 	</p>
       </item>
diff --git a/lib/ssl/doc/src/ssl_session_cache_api.xml b/lib/ssl/doc/src/ssl_session_cache_api.xml
index 82de1784ca..cb97bbfbb2 100644
--- a/lib/ssl/doc/src/ssl_session_cache_api.xml
+++ b/lib/ssl/doc/src/ssl_session_cache_api.xml
@@ -4,7 +4,7 @@
 <erlref>
   <header>
     <copyright>
-      <year>1999</year><year>2013</year>
+      <year>1999</year><year>2014</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -79,17 +79,25 @@
     </func>
 
     <func>
-      <name>init() -> opaque() </name>
+      <name>init(Args) -> opaque() </name>
       <fsummary>Return cache reference</fsummary>
       <type>
-	<v></v>
+	<v>Args = proplists:proplist()</v>
+	<d>Will always include the property {role, client | server}. Currently this
+	is the only predefined property, there may also be user defined properties.
+	<seealso marker="ssl_app"> See also application environment variable
+	session_cb_init_args</seealso>
+	</d>
       </type>
       <desc>
 	<p>Performs possible initializations of the cache and returns
 	a reference to it that will be used as parameter to the other
-	api functions. Will be called by the cache handling processes
-	init function, hence putting the same requirements on it as
-	a normal process init function.
+	API functions. Will be called by the cache handling processes
+	init function, hence putting the same requirements on it as a
+	normal process init function. Note that this function will be
+	called twice when starting the ssl application, once with the
+	role client and once with the role server, as the ssl application
+	must be prepared to take on both roles.
 	</p>
       </desc>
     </func>
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index d6e5064c39..5553fc9220 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -44,7 +44,8 @@
 -include_lib("kernel/include/file.hrl").
 
 -record(state, {
-	  session_cache,
+	  session_cache_client,
+	  session_cache_server,
 	  session_cache_cb,
 	  session_lifetime,
 	  certificate_db,
@@ -209,12 +210,16 @@ init([Name, Opts]) ->
     SessionLifeTime =  
 	proplists:get_value(session_lifetime, Opts, ?'24H_in_sec'),
     CertDb = ssl_pkix_db:create(),
-    SessionCache = CacheCb:init(proplists:get_value(session_cb_init_args, Opts, [])),
+    ClientSessionCache = CacheCb:init([{role, client} | 
+				       proplists:get_value(session_cb_init_args, Opts, [])]),
+    ServerSessionCache = CacheCb:init([{role, server} | 
+				       proplists:get_value(session_cb_init_args, Opts, [])]),
     Timer = erlang:send_after(SessionLifeTime * 1000 + 5000, 
 			      self(), validate_sessions),
     erlang:send_after(?CLEAR_PEM_CACHE, self(), clear_pem_cache),
     {ok, #state{certificate_db = CertDb,
-		session_cache = SessionCache,
+		session_cache_client = ClientSessionCache,
+		session_cache_server = ServerSessionCache,
 		session_cache_cb = CacheCb,
 		session_lifetime = SessionLifeTime,
 		session_validation_timer = Timer}}.
@@ -230,15 +235,32 @@ init([Name, Opts]) ->
 %%
 %% Description: Handling call messages
 %%--------------------------------------------------------------------
-handle_call({{connection_init, <<>>, _Role}, _Pid}, _From,
+handle_call({{connection_init, <<>>, client}, _Pid}, _From,
 	    #state{certificate_db = [CertDb, FileRefDb, PemChace],
-		   session_cache = Cache} = State) ->
+		   session_cache_client = Cache} = State) ->
+    Result = {ok, make_ref(),CertDb, FileRefDb, PemChace, Cache},
+    {reply, Result, State};
+handle_call({{connection_init, <<>>, server}, _Pid}, _From,
+	    #state{certificate_db = [CertDb, FileRefDb, PemChace],
+		   session_cache_server = Cache} = State) ->
     Result = {ok, make_ref(),CertDb, FileRefDb, PemChace, Cache},
     {reply, Result, State};
 
-handle_call({{connection_init, Trustedcerts, _Role}, Pid}, _From,
+handle_call({{connection_init, Trustedcerts, client}, Pid}, _From,
+	    #state{certificate_db = [CertDb, FileRefDb, PemChace] = Db,
+		   session_cache_client = Cache} = State) ->
+    Result = 
+	try
+	    {ok, Ref} = ssl_pkix_db:add_trusted_certs(Pid, Trustedcerts, Db),
+	    {ok, Ref, CertDb, FileRefDb, PemChace, Cache}
+	catch
+	    _:Reason ->
+		{error, Reason}
+	end,
+    {reply, Result, State};
+handle_call({{connection_init, Trustedcerts, server}, Pid}, _From,
 	    #state{certificate_db = [CertDb, FileRefDb, PemChace] = Db,
-		   session_cache = Cache} = State) ->
+		   session_cache_server = Cache} = State) ->
     Result = 
 	try
 	    {ok, Ref} = ssl_pkix_db:add_trusted_certs(Pid, Trustedcerts, Db),
@@ -249,9 +271,10 @@ handle_call({{connection_init, Trustedcerts, _Role}, Pid}, _From,
 	end,
     {reply, Result, State};
 
+
 handle_call({{new_session_id,Port}, _},
 	    _, #state{session_cache_cb = CacheCb,
-		      session_cache = Cache} = State) ->
+		      session_cache_server = Cache} = State) ->
     Id = new_id(Port, ?GEN_UNIQUE_ID_MAX_TRIES, Cache, CacheCb),
     {reply, Id, State};
 
@@ -278,16 +301,22 @@ handle_call({unconditionally_clear_pem_cache, _},_, #state{certificate_db = [_,_
 %% Description: Handling cast messages
 %%--------------------------------------------------------------------
 handle_cast({register_session, Host, Port, Session}, 
-	    #state{session_cache = Cache,
+	    #state{session_cache_client = Cache,
 		   session_cache_cb = CacheCb} = State) ->
     TimeStamp = calendar:datetime_to_gregorian_seconds({date(), time()}),
     NewSession = Session#session{time_stamp = TimeStamp},
-    CacheCb:update(Cache, {{Host, Port}, 
-		   NewSession#session.session_id}, NewSession),
+    
+    case CacheCb:select_session(Cache, {Host, Port}) of
+	no_session ->
+	    CacheCb:update(Cache, {{Host, Port}, 
+				   NewSession#session.session_id}, NewSession);
+	Sessions ->
+	    register_unique_session(Sessions, NewSession, CacheCb, Cache, {Host, Port})
+    end,
     {noreply, State};
 
 handle_cast({register_session, Port, Session},  
-	    #state{session_cache = Cache,
+	    #state{session_cache_server = Cache,
 		   session_cache_cb = CacheCb} = State) ->    
     TimeStamp = calendar:datetime_to_gregorian_seconds({date(), time()}),
     NewSession = Session#session{time_stamp = TimeStamp},
@@ -296,12 +325,12 @@ handle_cast({register_session, Port, Session},
 
 handle_cast({invalidate_session, Host, Port,
 	     #session{session_id = ID} = Session},
-	    #state{session_cache = Cache,
+	    #state{session_cache_client = Cache,
 		   session_cache_cb = CacheCb} = State) ->
     invalidate_session(Cache, CacheCb, {{Host, Port}, ID}, Session, State);
 
 handle_cast({invalidate_session, Port, #session{session_id = ID} = Session},
-	    #state{session_cache = Cache,
+	    #state{session_cache_server = Cache,
 		   session_cache_cb = CacheCb} = State) ->
     invalidate_session(Cache, CacheCb, {Port, ID}, Session, State).
 
@@ -314,17 +343,18 @@ handle_cast({invalidate_session, Port, #session{session_id = ID} = Session},
 %% Description: Handling all non call/cast messages
 %%-------------------------------------------------------------------
 handle_info(validate_sessions, #state{session_cache_cb = CacheCb,
-				      session_cache = Cache,
+				      session_cache_client = ClientCache,
+				      session_cache_server = ServerCache,
 				      session_lifetime = LifeTime
 				     } = State) ->
     Timer = erlang:send_after(?SESSION_VALIDATION_INTERVAL, 
 			      self(), validate_sessions),
-    start_session_validator(Cache, CacheCb, LifeTime),
+    start_session_validator(ClientCache, CacheCb, LifeTime),
+    start_session_validator(ServerCache, CacheCb, LifeTime),
     {noreply, State#state{session_validation_timer = Timer}};
 
-handle_info({delayed_clean_session, Key}, #state{session_cache = Cache,
-                   session_cache_cb = CacheCb
-                   } = State) ->
+handle_info({delayed_clean_session, Key, Cache}, #state{session_cache_cb = CacheCb
+						       } = State) ->
     CacheCb:delete(Cache, Key),
     {noreply, State};
 
@@ -367,12 +397,14 @@ handle_info(_Info, State) ->
 %% The return value is ignored.
 %%--------------------------------------------------------------------
 terminate(_Reason, #state{certificate_db = Db,
-			  session_cache = SessionCache,
+			  session_cache_client = ClientSessionCache,
+			  session_cache_server = ServerSessionCache,
 			  session_cache_cb = CacheCb,
 			  session_validation_timer = Timer}) ->
     erlang:cancel_timer(Timer),
     ssl_pkix_db:remove(Db),
-    CacheCb:terminate(SessionCache),
+    catch CacheCb:terminate(ClientSessionCache),
+    catch CacheCb:terminate(ServerSessionCache),
     ok.
 
 %%--------------------------------------------------------------------
@@ -445,7 +477,7 @@ invalidate_session(Cache, CacheCb, Key, Session, #state{last_delay_timer = LastT
 	    %% up the session data but new connections should not get to use this session.
 	    CacheCb:update(Cache, Key, Session#session{is_resumable = false}),
 	    TRef =
-		erlang:send_after(delay_time(), self(), {delayed_clean_session, Key}),
+		erlang:send_after(delay_time(), self(), {delayed_clean_session, Key, Cache}),
 	    {noreply, State#state{last_delay_timer = last_delay_timer(Key, TRef, LastTimer)}}
     end.
 
@@ -494,3 +526,34 @@ clean_cert_db(Ref, CertDb, RefDb, PemCache, File) ->
 	_ ->
 	    ok
     end.
+
+%% Do not let dumb clients create a gigantic session table
+%% for itself creating big delays at connection time. 
+register_unique_session(Sessions, Session, CacheCb, Cache, PartialKey) ->
+    case exists_equivalent(Session , Sessions) of
+	true ->
+	    ok;
+	false ->
+	    CacheCb:update(Cache, {PartialKey, 
+				   Session#session.session_id}, Session)
+    end.
+
+exists_equivalent(_, []) ->
+    false;
+exists_equivalent(#session{
+		     peer_certificate = PeerCert,
+		     own_certificate = OwnCert,
+		     compression_method = Compress,
+		     cipher_suite = CipherSuite,
+		     srp_username = SRP,
+		     ecc = ECC} , 
+		  [#session{
+		      peer_certificate = PeerCert,
+		      own_certificate = OwnCert,
+		      compression_method = Compress,
+		      cipher_suite = CipherSuite,
+		      srp_username = SRP,
+		      ecc = ECC} | _]) ->
+    true;
+exists_equivalent(Session, [ _ | Rest]) ->
+    exists_equivalent(Session, Rest).
diff --git a/lib/ssl/src/ssl_session_cache.erl b/lib/ssl/src/ssl_session_cache.erl
index 5c6ee3c54c..b011732f2c 100644
--- a/lib/ssl/src/ssl_session_cache.erl
+++ b/lib/ssl/src/ssl_session_cache.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2008-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -31,8 +31,8 @@
 %%--------------------------------------------------------------------
 %% Description: Return table reference. Called by ssl_manager process. 
 %%--------------------------------------------------------------------
-init(_) ->
-    ets:new(cache_name(), [ordered_set, protected]).
+init(Options) ->
+    ets:new(cache_name(proplists:get_value(role, Options)), [ordered_set, protected]).
 
 %%--------------------------------------------------------------------
 %% Description: Handles cache table at termination of ssl manager. 
@@ -87,5 +87,5 @@ select_session(Cache, PartialKey) ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-cache_name() ->
-    ssl_otp_session_cache.
+cache_name(Name) ->
+    list_to_atom(atom_to_list(Name) ++ "_ssl_otp_session_cache").
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 1da4e88077..dc9e8934e6 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -629,7 +629,7 @@ clear_pem_cache(Config) when is_list(Config) ->
     {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)),
     [_, _,_, _, Prop] = StatusInfo,
     State = ssl_test_lib:state(Prop),
-    [_,FilRefDb, _] = element(5, State),
+    [_,FilRefDb, _] = element(6, State),
     {Server, Client} = basic_verify_test_no_close(Config),
     2 = ets:info(FilRefDb, size), 
     ssl:clear_pem_cache(),
@@ -2339,7 +2339,7 @@ der_input(Config) when is_list(Config) ->
     {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)),
     [_, _,_, _, Prop] = StatusInfo,
     State = ssl_test_lib:state(Prop),
-    [CADb | _] = element(5, State),
+    [CADb | _] = element(6, State),
     [] = ets:tab2list(CADb).
     
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/test/ssl_session_cache_SUITE.erl b/lib/ssl/test/ssl_session_cache_SUITE.erl
index c31f6c2d7d..06a41f1260 100644
--- a/lib/ssl/test/ssl_session_cache_SUITE.erl
+++ b/lib/ssl/test/ssl_session_cache_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2010-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2010-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -108,8 +108,12 @@ init_customized_session_cache(Type, Config0) ->
     ssl:stop(),
     application:load(ssl),
     application:set_env(ssl, session_cb, ?MODULE),
-    application:set_env(ssl, session_cb_init_args, [Type]),
+    application:set_env(ssl, session_cb_init_args, [{type, Type}]),
     ssl:start(),
+    catch (end_per_testcase(list_to_atom("session_cache_process" ++ atom_to_list(Type)),
+	   Config)),
+    ets:new(ssl_test, [named_table, public, set]),
+    ets:insert(ssl_test, {type, Type}),
     [{watchdog, Dog} | Config].
 
 end_per_testcase(session_cache_process_list, Config) ->
@@ -126,7 +130,11 @@ end_per_testcase(session_cleanup, Config) ->
     application:unset_env(ssl, session_delay_cleanup_time),
     application:unset_env(ssl, session_lifetime),
     end_per_testcase(default_action, Config);
-end_per_testcase(_TestCase, Config) ->
+end_per_testcase(Case, Config) when Case == session_cache_process_list;
+				    Case == session_cache_process_mnesia ->
+    ets:delete(ssl_test),
+    Config;
+end_per_testcase(_, Config) ->
     Config.
 
 %%--------------------------------------------------------------------
@@ -164,12 +172,13 @@ session_cleanup(Config)when is_list(Config) ->
     {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)),
     [_, _,_, _, Prop] = StatusInfo,
     State = ssl_test_lib:state(Prop),
-    Cache = element(2, State),
-    SessionTimer = element(6, State),
+    ClientCache = element(2, State),
+    ServerCache = element(3, State),
+    SessionTimer = element(7, State),
 
     Id = proplists:get_value(session_id, SessionInfo),
-    CSession = ssl_session_cache:lookup(Cache, {{Hostname, Port}, Id}),
-    SSession = ssl_session_cache:lookup(Cache, {Port, Id}),
+    CSession = ssl_session_cache:lookup(ClientCache, {{Hostname, Port}, Id}),
+    SSession = ssl_session_cache:lookup(ServerCache, {Port, Id}),
 
     true = CSession =/= undefined,
     true = SSession =/= undefined,
@@ -185,8 +194,8 @@ session_cleanup(Config)when is_list(Config) ->
 
     ct:sleep(?SLEEP),  %% Make sure clean has had time to run
 
-    undefined = ssl_session_cache:lookup(Cache, {{Hostname, Port}, Id}),
-    undefined = ssl_session_cache:lookup(Cache, {Port, Id}),
+    undefined = ssl_session_cache:lookup(ClientCache, {{Hostname, Port}, Id}),
+    undefined = ssl_session_cache:lookup(ServerCache, {Port, Id}),
 
     process_flag(trap_exit, false),
     ssl_test_lib:close(Server),
@@ -208,7 +217,7 @@ get_delay_timers() ->
     {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)),
     [_, _,_, _, Prop] = StatusInfo,
     State = ssl_test_lib:state(Prop),
-    case element(7, State) of
+    case element(8, State) of
 	{undefined, undefined} ->
 	    ct:sleep(?SLEEP),
 	    get_delay_timers();
@@ -236,16 +245,16 @@ session_cache_process_mnesia(Config) when is_list(Config) ->
 %%% Session cache API callbacks
 %%--------------------------------------------------------------------
 
-init([Type]) ->
-    ets:new(ssl_test, [named_table, public, set]),
-    ets:insert(ssl_test, {type, Type}),
-    case Type of
+init(Opts) ->
+    case proplists:get_value(type, Opts) of
 	list ->
 	    spawn(fun() -> session_loop([]) end);
 	mnesia ->
 	    mnesia:start(),
-	    {atomic,ok} = mnesia:create_table(sess_cache, []),
-	    sess_cache
+	    Name = atom_to_list(proplists:get_value(role, Opts)),
+	    TabName = list_to_atom(Name ++ "sess_cache"),
+	    {atomic,ok} = mnesia:create_table(TabName, []),
+	    TabName
     end.
 
 session_cb() ->
@@ -258,7 +267,7 @@ terminate(Cache) ->
 	    Cache ! terminate;
 	mnesia ->
 	    catch {atomic,ok} =
-		mnesia:delete_table(sess_cache)
+		mnesia:delete_table(Cache)
     end.
 
 lookup(Cache, Key) ->
@@ -268,10 +277,10 @@ lookup(Cache, Key) ->
 	    receive {Cache, Res} -> Res end;
 	mnesia ->
 	    case mnesia:transaction(fun() ->
-					    mnesia:read(sess_cache,
+					    mnesia:read(Cache,
 							Key, read)
 				    end) of
-		{atomic, [{sess_cache, Key, Value}]} ->
+		{atomic, [{Cache, Key, Value}]} ->
 		    Value;
 		_ ->
 		    undefined
@@ -285,8 +294,8 @@ update(Cache, Key, Value) ->
 	mnesia ->
 	    {atomic, ok} =
 		mnesia:transaction(fun() ->
-					   mnesia:write(sess_cache,
-							{sess_cache, Key, Value}, write)
+					   mnesia:write(Cache,
+							{Cache, Key, Value}, write)
 				   end)
     end.
 
@@ -297,7 +306,7 @@ delete(Cache, Key) ->
 	mnesia ->
 	    {atomic, ok} =
 		mnesia:transaction(fun() ->
-					   mnesia:delete(sess_cache, Key)
+					   mnesia:delete(Cache, Key)
 				   end)
     end.
 
@@ -308,7 +317,7 @@ foldl(Fun, Acc, Cache) ->
 	    receive {Cache, Res} -> Res end;
 	mnesia ->
 	    Foldl = fun() ->
-			    mnesia:foldl(Fun, Acc, sess_cache)
+			    mnesia:foldl(Fun, Acc, Cache)
 		    end,
 	    {atomic, Res} = mnesia:transaction(Foldl),
 	    Res
@@ -325,7 +334,7 @@ select_session(Cache, PartialKey) ->
 	mnesia ->
 	    Sel = fun() ->
 			  mnesia:select(Cache,
-					[{{sess_cache,{PartialKey,'$1'}, '$2'},
+					[{{Cache,{PartialKey,'$1'}, '$2'},
 					  [],['$$']}])
 		  end,
 	    {atomic, Res} = mnesia:transaction(Sel),