ssl: Check that negotiated version is a supported version.

5 files changed, 63 insertions, 19 deletions

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 0ba59cede2..fc06b5f1b0 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -612,8 +612,15 @@ handle_options(Opts0, _Role) ->
 
     CertFile = handle_option(certfile, Opts, <<>>),
     
+    Versions = case handle_option(versions, Opts, []) of
+		   [] ->
+		       ssl_record:supported_protocol_versions();  
+		   Vsns  ->
+		       [ssl_record:protocol_version(Vsn) || Vsn <- Vsns]
+	       end,  
+
     SSLOptions = #ssl_options{
-      versions   = handle_option(versions, Opts, []),
+      versions   = Versions,
       verify     = validate_option(verify, Verify),
       verify_fun = VerifyFun,
       fail_if_no_peer_cert = FailIfNoPeerCert,
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 8f4fd88d42..bab0bb907a 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -73,7 +73,6 @@
 	  session_cache,        % 
 	  session_cache_cb,     %
           negotiated_version,   % tls_version()
-          supported_protocol_versions, % [atom()]
           client_certificate_requested = false,
 	  key_algorithm,       % atom as defined by cipher_suite
 	  hashsign_algorithm,  % atom as defined by cipher_suite
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 1929370991..889d310ca8 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -61,11 +61,7 @@ client_hello(Host, Port, ConnectionStates,
 			  ciphers = UserSuites
 			 } = SslOpts,
 	     Cache, CacheCb, Renegotiation, OwnCert) ->
-
-    Fun = fun(Version) ->
-		  ssl_record:protocol_version(Version)
-	  end,
-    Version = ssl_record:highest_protocol_version(lists:map(Fun, Versions)),
+    Version = ssl_record:highest_protocol_version(Versions),
     Pending = ssl_record:pending_connection_state(ConnectionStates, read),
     SecParams = Pending#connection_state.security_parameters,
     Ciphers = available_suites(UserSuites, Version),
@@ -139,10 +135,11 @@ hello(#server_hello{cipher_suite = CipherSuite, server_version = Version,
 		    compression_method = Compression, random = Random,
 		    session_id = SessionId, renegotiation_info = Info,
 		    hash_signs = _HashSigns} = Hello,
-      #ssl_options{secure_renegotiate = SecureRenegotation, next_protocol_selector = NextProtocolSelector},
+      #ssl_options{secure_renegotiate = SecureRenegotation, next_protocol_selector = NextProtocolSelector,
+		   versions = SupportedVersions},
       ConnectionStates0, Renegotiation) ->
     %%TODO: select hash and signature algorigthm
-    case ssl_record:is_acceptable_version(Version) of
+    case ssl_record:is_acceptable_version(Version, SupportedVersions) of
 	true ->
 	    case handle_renegotiation_info(client, Info, ConnectionStates0, 
 					   Renegotiation, SecureRenegotation, []) of
@@ -171,7 +168,7 @@ hello(#client_hello{client_version = ClientVersion, random = Random,
       {Port, Session0, Cache, CacheCb, ConnectionStates0, Cert}, Renegotiation) ->
 %% TODO: select hash and signature algorithm
     Version = select_version(ClientVersion, Versions),
-    case ssl_record:is_acceptable_version(Version) of
+    case ssl_record:is_acceptable_version(Version, Versions) of
 	true ->
 	    {Type, #session{cipher_suite = CipherSuite,
 			    compression_method = Compression} = Session} 
@@ -869,11 +866,7 @@ hello_security_parameters(server, Version, ConnectionState, CipherSuite, Random,
      }.
 
 select_version(ClientVersion, Versions) ->   
-    Fun = fun(Version) ->
-		  ssl_record:protocol_version(Version)
-	  end,
-    ServerVersion = ssl_record:highest_protocol_version(lists:map(Fun,
-								  Versions)),
+    ServerVersion = ssl_record:highest_protocol_version(Versions),
     ssl_record:lowest_protocol_version(ClientVersion, ServerVersion).
 
 select_cipher_suite([], _) ->
diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl
index 173b9611c6..26aca56739 100644
--- a/lib/ssl/src/ssl_record.erl
+++ b/lib/ssl/src/ssl_record.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -56,7 +56,7 @@
 %% Misc.
 -export([protocol_version/1, lowest_protocol_version/2,
 	 highest_protocol_version/1, supported_protocol_versions/0,
-	 is_acceptable_version/1]).
+	 is_acceptable_version/1, is_acceptable_version/2]).
 
 -export([compressions/0]).
 
@@ -475,8 +475,10 @@ supported_protocol_versions([_|_] = Vsns) ->
 
 %%--------------------------------------------------------------------
 -spec is_acceptable_version(tls_version()) -> boolean().
+-spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean().
 %%     
 %% Description: ssl version 2 is not acceptable security risks are too big.
+%% 
 %%--------------------------------------------------------------------
 is_acceptable_version({N,_}) 
   when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
@@ -484,6 +486,12 @@ is_acceptable_version({N,_})
 is_acceptable_version(_) ->
     false.
 
+is_acceptable_version({N,_} = Version, Versions)   
+  when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+    lists:member(Version, Versions);
+is_acceptable_version(_,_) ->
+    false.
+
 %%--------------------------------------------------------------------
 -spec compressions() -> [binary()].
 %%     
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index fafd97f839..6b8f226a77 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -126,7 +126,8 @@ api_tests() ->
      hibernate,
      listen_socket,
      ssl_accept_timeout,
-     ssl_recv_timeout
+     ssl_recv_timeout,
+     versions_option
     ].
 
 session_tests() ->
@@ -2659,6 +2660,42 @@ session_cache_process_mnesia(Config) when is_list(Config) ->
     session_cache_process(mnesia,Config).
 
 %%--------------------------------------------------------------------
+
+versions_option() ->
+    [{doc,"Test API versions option to connect/listen."}].
+versions_option(Config) when is_list(Config) ->
+    ClientOpts = ?config(client_opts, Config),
+    ServerOpts = ?config(server_opts, Config),  
+
+    Supported = proplists:get_value(supported, ssl:versions()),
+    Available = proplists:get_value(available, ssl:versions()),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+					{from, self()}, 
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, [{versions, Supported} | ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
+					{host, Hostname},
+					{from, self()}, 
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ClientOpts}]),
+    
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    Server ! listen,				       
+    
+    ErrClient = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, 
+						 {host, Hostname},
+						 {from, self()},
+						 {options, [{versions , Available -- Supported} | ClientOpts]}]),
+    receive
+	{Server, _} ->
+	    ok
+    end,	    
+   
+    ssl_test_lib:check_result(ErrClient, {error, {tls_alert, "protocol version"}}).
+%%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------
 %%--------------------------------------------------------------------
 send_recv_result(Socket) ->