dtls: Add DTLS handling to utility functions

author: Ingela Anderton Andin <[email protected]> 2017-12-08 15:17:41 +0100
committer: Ingela Anderton Andin <[email protected]> 2018-01-17 17:03:27 +0100
commit: f4901ebdeb3556897f309348ad5571abd3cb9421 (patch)
tree: e069265f04aa24a3dd0859f3c94483eb88afac8a /lib
parent: 9a67fbf96da78df54bd18d487c6237256b8bef60 (diff)
download: otp-f4901ebdeb3556897f309348ad5571abd3cb9421.tar.gz
otp-f4901ebdeb3556897f309348ad5571abd3cb9421.tar.bz2
otp-f4901ebdeb3556897f309348ad5571abd3cb9421.zip
5 files changed, 108 insertions, 40 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index ebef8bd69a..80b639155b 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -104,7 +104,7 @@
       corresponding to <c>inet:setopts/2</c>, <c>inet:getopts/2</c>,
       <c>inet:peername/1</c>, <c>inet:sockname/1</c>, and <c>inet:port/1</c>.
       The callback <c>gen_tcp</c> is treated specially and calls <c>inet</c>
-      directly.</p> For DTLS this feature must be considered exprimental.
+      directly. For DTLS this feature must be considered exprimental.</p>
       <taglist>
 	<tag><c>CallbackModule =</c></tag>
 	<item><p><c>atom()</c></p></item>
@@ -140,10 +140,16 @@
 
       <tag><c>sslsocket() =</c></tag>
       <item><p>opaque()</p></item>
-
-      <tag><marker id="type-protocol"/><c>protocol() =</c></tag>
+      
+      <tag><marker id="type-protocol"/><c> protocol_versions() =</c></tag>
+      <item><p><c> ssl_tls_protocol() |  dtls_protocol() </c></p></item>
+      
+      <tag><marker id="type-protocol"/><c> ssl_tls_protocol() =</c></tag>
       <item><p><c>sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2'</c></p></item>
 
+      <tag><marker id="type-protocol"/><c> dtls_protocol() =</c></tag>
+      <item><p><c>'dtlsv1' | 'dtlsv1.2'</c></p></item>
+
       <tag><c>ciphers() =</c></tag>
       <item><p><c>= [ciphersuite()] | string()</c></p>
       <p>According to old API.</p></item>
@@ -459,10 +465,10 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid
       marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_validation/3</seealso>
       with the selected CA as trusted anchor and the rest of the chain.</p></item>
 
-      <tag><c>{versions, [protocol()]}</c></tag>
+      <tag><c>{versions, [protocol_versions()]}</c></tag>
       <item><p>TLS protocol versions supported by started clients and servers.
       This option overrides the application environment option
-      <c>protocol_version</c>. If the environment option is not set, it defaults
+      <c>protocol_version</c> and  <c>dtls_protocol_version</c>. If the environment option is not set, it defaults
       to all versions, except SSL-3.0, supported by the SSL application.
       See also <seealso marker="ssl:ssl_app">ssl(6).</seealso></p></item>
 
@@ -835,6 +841,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
     <func>
       <name>cipher_suites() -></name>
       <name>cipher_suites(Type) -> ciphers()</name>
+      <name>cipher_suites(Type, protocol_version()) -> ciphers()</name>
       <fsummary>Returns a list of supported cipher suites.</fsummary>
       <type>
         <v>Type = erlang | openssl | all</v>
@@ -846,13 +853,14 @@ fun(srp, Username :: string(), UserState :: term()) ->
 	all available cipher suites. The cipher suites not present
 	in <c>cipher_suites(erlang)</c> but included in
 	<c>cipher_suites(all)</c> are not used unless explicitly configured
-	by the user.</p>
+	by the user. If the version option is not specified, the highest supported
+	TLS version will be used to determine the supported cipher suites</p>
     </desc>
     </func>
 
     <func>
       <name>eccs() -></name>
-      <name>eccs(protocol()) -> [named_curve()]</name>
+      <name>eccs(protocol_version()) -> [named_curve()]</name>
       <fsummary>Returns a list of supported ECCs.</fsummary>
 
       <desc><p>Returns a list of supported ECCs. <c>eccs()</c>
@@ -860,7 +868,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
       supported protocols and then deduplicating the output.</p>
       </desc>
     </func>
-
+    
     <func>
       <name>clear_pem_cache() -> ok </name>
       <fsummary> Clears the pem cache</fsummary>
@@ -917,7 +925,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
       <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso> 
       will be performed in addition to the usual x509-path validation checks. If the check fails the error {bad_cert, hostname_check_failed} will
       be propagated to the path validation fun <seealso marker="#verify_fun">verify_fun</seealso>, where it is possible to do customized
-      checks by using the full possibilitis of the <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso> API.
+      checks by using the full possibilities of the <seealso marker="public_key:public_key#pkix_verify_hostname-3">public_key:pkix_verify_hostname/3</seealso> API.
       
       When the option <c>server_name_indication</c> is provided, its value (the DNS name) will be used as <c>ReferenceID</c>
       to <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso>.
@@ -1335,7 +1343,8 @@ fun(srp, Username :: string(), UserState :: term()) ->
       <fsummary>Returns version information relevant for the
 	SSL application.</fsummary>
       <type>
-	<v>versions_info() = {app_vsn, string()} | {supported | available, [protocol()] </v>
+	<v>versions_info() = {app_vsn, string()} | {supported | available, [ssl_tls_protocol()]} |
+	{supported_dtls | available_dtls, [dtls_protocol()]}	</v>
       </type>
       <desc>
 	<p>Returns version information relevant for the SSL
@@ -1345,19 +1354,35 @@ fun(srp, Username :: string(), UserState :: term()) ->
 	  <item>The application version of the SSL application.</item>
 
 	  <tag><c>supported</c></tag>
-	  <item>SSL/TLS/DTLS versions supported by default.
+	  <item>SSL/TLS versions supported by default.
 	  Overridden by a version option on
 	  <seealso marker="#connect-2"> connect/[2,3,4]</seealso>,
 	  <seealso marker="#listen-2"> listen/2</seealso>, and <seealso
 	  marker="#ssl_accept-2">ssl_accept/[1,2,3]</seealso>.
-	  For the negotiated SSL/TLS/DTLS version, see <seealso
+	  For the negotiated SSL/TLS version, see <seealso
 	  marker="#connection_information-1">ssl:connection_information/1
 	  </seealso>.</item>
-  
+	  
+	  <tag><c>supported_dtls</c></tag>
+	  <item>DTLS versions supported by default.
+	  Overridden by a version option on
+	  <seealso marker="#connect-2"> connect/[2,3,4]</seealso>,
+	  <seealso marker="#listen-2"> listen/2</seealso>, and <seealso
+	  marker="#ssl_accept-2">ssl_accept/[1,2,3]</seealso>.
+	  For the negotiated DTLS version, see <seealso
+	  marker="#connection_information-1">ssl:connection_information/1
+	  </seealso>.</item>
+
 	  <tag><c>available</c></tag>
-	  <item>All SSL/TLS/DTLS versions supported by the SSL application.
+	  <item>All SSL/TLS versions supported by the SSL application.
 	  TLS 1.2 requires sufficient support from the Crypto
 	  application.</item>
+
+	  <tag><c>available_dtls</c></tag>
+	  <item>All DTLS versions supported by the SSL application.
+	  DTLS 1.2 requires sufficient support from the Crypto
+	  application.</item>
+	  
 	</taglist>
       </desc>
     </func>
diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index e79b79a434..fb395f8ffa 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -35,7 +35,7 @@
 
   <description>
     <p>
-      The ssl application is an implementation of the SSL/TLS protocol in Erlang.
+      The ssl application is an implementation of the SSL/TLS/DTLS protocol in Erlang.
     </p>
     <list type="bulleted">
       <item>Supported SSL/TLS/DTLS-versions are SSL-3.0, TLS-1.0,
@@ -94,13 +94,20 @@
     <p><c>erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"</c></p>
 
     <taglist>
-      <tag><c>protocol_version = </c><seealso marker="ssl#type-protocol">ssl:protocol()</seealso><c><![CDATA[<optional>]]></c></tag>
+      <tag><c>protocol_version = </c><seealso marker="ssl#type-protocol">ssl:ssl_tls_protocol()</seealso><c><![CDATA[<optional>]]></c></tag>
       <item><p>Protocol supported by started clients and
       servers. If this option is not set, it defaults to all
-      protocols currently supported by the SSL application.
+      TLS protocols currently supported by the SSL application.
       This option can be overridden by the version option
       to <c>ssl:connect/[2,3]</c> and <c>ssl:listen/2</c>.</p></item>
 
+      <tag><c>dtls_protocol_version = </c><seealso marker="ssl#type-protocol">ssl:dtls_protocol()</seealso><c><![CDATA[<optional>]]></c></tag>
+      <item><p>Protocol supported by started clients and
+      servers. If this option is not set, it defaults to all
+      DTLS protocols currently supported by the SSL application.
+      This option can be overridden by the version option
+      to <c>ssl:connect/[2,3]</c> and <c>ssl:listen/2</c>.</p></item>
+      
       <tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag>
       <item><p>Maximum lifetime of the session data in seconds. Defaults to 24 hours which is the maximum
       recommended lifetime by <url href="http://www.ietf.org/rfc/5246rfc.txt">RFC 5246</url>. However
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 656ed94ea5..a298012f26 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -39,7 +39,7 @@
 	]).
 %% SSL/TLS protocol handling
 
--export([cipher_suites/0, cipher_suites/1, eccs/0, eccs/1, versions/0, 
+-export([cipher_suites/0, cipher_suites/1, cipher_suites/2, eccs/0, eccs/1, versions/0, 
          format_error/1, renegotiate/1, prf/5, negotiated_protocol/1, 
 	 connection_information/1, connection_information/2]).
 %% Misc
@@ -383,13 +383,31 @@ cipher_suites() ->
 %% Description: Returns all supported cipher suites.
 %%--------------------------------------------------------------------
 cipher_suites(erlang) ->
-    [ssl_cipher:erl_suite_definition(Suite) || Suite <- available_suites(default)];
-
+    Version = tls_record:highest_protocol_version([]),			  
+    cipher_suites(erlang, Version);
 cipher_suites(openssl) ->
-    [ssl_cipher:openssl_suite_name(Suite) || Suite <- available_suites(default)];
-
+    Version = tls_record:highest_protocol_version([]),			  
+    cipher_suites(openssl, Version);
 cipher_suites(all) ->
-    [ssl_cipher:erl_suite_definition(Suite) || Suite <- available_suites(all)].
+    Version = tls_record:highest_protocol_version([]),			  
+    cipher_suites(all, Version).
+
+%%--------------------------------------------------------------------
+-spec cipher_suites(erlang | openssl | all, tls_record:tls_version() |
+                    dtls_record:dtls_version()) -> [ssl_cipher:old_erl_cipher_suite() | string()].
+%% Description: Returns all supported cipher suites.
+%%--------------------------------------------------------------------
+cipher_suites(Type, Version) when Version == 'dtlsv1';
+                                  Version == 'dtlsv1.2' ->
+    cipher_suites(Type, dtls_record:protocol_version(Version));
+cipher_suites(Type, Version) when is_atom(Version) ->
+    cipher_suites(Type, tls_record:protocol_version(Version));
+cipher_suites(erlang, Version) ->
+    [ssl_cipher:erl_suite_definition(Suite) || Suite <- available_suites(default, Version)];
+cipher_suites(openssl, Version) ->
+    [ssl_cipher:openssl_suite_name(Suite) || Suite <- available_suites(default, Version)];
+cipher_suites(all, Version) ->
+    [ssl_cipher:erl_suite_definition(Suite) || Suite <- available_suites(all, Version)].
 
 %%--------------------------------------------------------------------
 -spec eccs() -> tls_v1:curves().
@@ -410,6 +428,11 @@ eccs({3,0}) ->
 eccs({3,_}) ->
     Curves = tls_v1:ecc_curves(all),
     eccs_filter_supported(Curves);
+eccs({_,_} = DTLSVersion) ->
+    eccs(dtls_v1:corresponding_tls_version(DTLSVersion));
+eccs(DTLSAtomVersion) when DTLSAtomVersion == 'dtlsv1';
+                           DTLSAtomVersion == 'dtlsv2' ->
+    eccs(dtls_record:protocol_version(DTLSAtomVersion));
 eccs(AtomVersion) when is_atom(AtomVersion) ->
     eccs(tls_record:protocol_version(AtomVersion)).
 
@@ -542,16 +565,23 @@ sockname(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}) when is_pid(Pid)
 
 %%---------------------------------------------------------------
 -spec versions() -> [{ssl_app, string()} | {supported, [tls_record:tls_atom_version()]} |
-		     {available, [tls_record:tls_atom_version()]}].
+                     {supported_dtls, [dtls_record:dtls_atom_version()]} |
+		     {available, [tls_record:tls_atom_version()]} |
+                     {available_dtls, [dtls_record:dtls_atom_version()]}].
 %%
 %% Description: Returns a list of relevant versions.
 %%--------------------------------------------------------------------
 versions() ->
-    Vsns = tls_record:supported_protocol_versions(),
-    SupportedVsns = [tls_record:protocol_version(Vsn) || Vsn <- Vsns],
-    AvailableVsns = ?ALL_AVAILABLE_VERSIONS,
-    %% TODO Add DTLS versions when supported
-    [{ssl_app, ?VSN}, {supported, SupportedVsns}, {available, AvailableVsns}].
+    TLSVsns = tls_record:supported_protocol_versions(),
+    DTLSVsns = dtls_record:supported_protocol_versions(),
+    SupportedTLSVsns = [tls_record:protocol_version(Vsn) || Vsn <- TLSVsns],
+    SupportedDTLSVsns = [dtls_record:protocol_version(Vsn) || Vsn <- DTLSVsns],
+    AvailableTLSVsns = ?ALL_AVAILABLE_VERSIONS,
+    AvailableDTLSVsns = ?ALL_AVAILABLE_DATAGRAM_VERSIONS,
+    [{ssl_app, ?VSN}, {supported, SupportedTLSVsns}, 
+     {supported_dtls, SupportedDTLSVsns}, 
+     {available, AvailableTLSVsns}, 
+     {available_dtls, AvailableDTLSVsns}].
 
 
 %%---------------------------------------------------------------
@@ -633,12 +663,10 @@ tls_version({254, _} = Version) ->
 %%%--------------------------------------------------------------------
 
 %% Possible filters out suites not supported by crypto 
-available_suites(default) ->  
-    Version = tls_record:highest_protocol_version([]),			  
+available_suites(default, Version) ->  
     ssl_cipher:filter_suites(ssl_cipher:suites(Version));
 
-available_suites(all) ->  
-    Version = tls_record:highest_protocol_version([]),			  
+available_suites(all, Version) ->  
     ssl_cipher:filter_suites(ssl_cipher:all_suites(Version)).
 
 do_listen(Port, #config{transport_info = {Transport, _, _, _}} = Config, tls_connection) ->
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 9bb1cbaeb0..bbe1374fec 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -73,6 +73,7 @@
 %% sslv3 is considered insecure due to lack of padding check (Poodle attack)
 %% Keep as interop with legacy software but do not support as default 
 -define(ALL_AVAILABLE_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
+-define(ALL_AVAILABLE_DATAGRAM_VERSIONS, ['dtlsv1.2', dtlsv1]).
 -define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
 -define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
 -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 3b4ca40058..488be15242 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -3137,18 +3137,25 @@ no_reuses_session_server_restart_new_cert_file(Config) when is_list(Config) ->
 
 %%--------------------------------------------------------------------
 defaults(Config) when is_list(Config)->
-    [_, 
-     {supported, Supported},
-     {available, Available}]
-	= ssl:versions(),
-    true = lists:member(sslv3, Available),
-    false = lists:member(sslv3, Supported),
+    Versions = ssl:versions(),
+    true = lists:member(sslv3, proplists:get_value(available, Versions)),
+    false = lists:member(sslv3,  proplists:get_value(supported, Versions)),
+    true = lists:member('tlsv1', proplists:get_value(available, Versions)),
+    true = lists:member('tlsv1',  proplists:get_value(supported, Versions)),
+    true = lists:member('tlsv1.1', proplists:get_value(available, Versions)),
+    true = lists:member('tlsv1.1',  proplists:get_value(supported, Versions)),
+    true = lists:member('tlsv1.2', proplists:get_value(available, Versions)),
+    true = lists:member('tlsv1.2',  proplists:get_value(supported, Versions)),    
     false = lists:member({rsa,rc4_128,sha}, ssl:cipher_suites()),
     true = lists:member({rsa,rc4_128,sha}, ssl:cipher_suites(all)),
     false = lists:member({rsa,des_cbc,sha}, ssl:cipher_suites()),
     true = lists:member({rsa,des_cbc,sha}, ssl:cipher_suites(all)),
     false = lists:member({dhe_rsa,des_cbc,sha}, ssl:cipher_suites()),
-    true = lists:member({dhe_rsa,des_cbc,sha}, ssl:cipher_suites(all)).
+    true = lists:member({dhe_rsa,des_cbc,sha}, ssl:cipher_suites(all)),
+    true = lists:member('dtlsv1.2', proplists:get_value(available_dtls, Versions)),
+    true = lists:member('dtlsv1', proplists:get_value(available_dtls, Versions)),
+    true = lists:member('dtlsv1.2', proplists:get_value(supported_dtls, Versions)),
+    true = lists:member('dtlsv1', proplists:get_value(supported_dtls, Versions)).
 
 %%--------------------------------------------------------------------
 reuseaddr() ->
author	Ingela Anderton Andin <[email protected]>	2017-12-08 15:17:41 +0100
committer	Ingela Anderton Andin <[email protected]>	2018-01-17 17:03:27 +0100
commit	f4901ebdeb3556897f309348ad5571abd3cb9421 (patch)
tree	e069265f04aa24a3dd0859f3c94483eb88afac8a /lib
parent	9a67fbf96da78df54bd18d487c6237256b8bef60 (diff)
download	otp-f4901ebdeb3556897f309348ad5571abd3cb9421.tar.gz otp-f4901ebdeb3556897f309348ad5571abd3cb9421.tar.bz2 otp-f4901ebdeb3556897f309348ad5571abd3cb9421.zip