diff options
| -rw-r--r-- | erts/emulator/beam/time.c | 62 | ||||
| -rw-r--r-- | erts/emulator/test/port_SUITE.erl | 10 | ||||
| -rw-r--r-- | erts/emulator/test/port_SUITE_data/Makefile.src | 2 | ||||
| -rw-r--r-- | erts/emulator/test/port_SUITE_data/dead_port.c | 102 | ||||
| -rw-r--r-- | lib/erl_interface/configure.in | 8 | ||||
| -rw-r--r-- | lib/erl_interface/src/connect/ei_connect.c | 14 | ||||
| -rw-r--r-- | lib/erl_interface/test/ei_accept_SUITE.erl | 42 | ||||
| -rw-r--r-- | lib/erl_interface/test/ei_connect_SUITE.erl | 7 | ||||
| -rw-r--r-- | lib/kernel/test/gen_udp_SUITE.erl | 18 | ||||
| -rw-r--r-- | lib/public_key/include/public_key.hrl | 6 | ||||
| -rw-r--r-- | lib/public_key/src/pubkey_cert.erl | 90 | ||||
| -rw-r--r-- | lib/public_key/src/public_key.erl | 5 | ||||
| -rw-r--r-- | lib/public_key/test/public_key_SUITE.erl | 8 | ||||
| -rw-r--r-- | lib/ssl/doc/src/ssl.xml | 55 | ||||
| -rw-r--r-- | lib/ssl/src/ssl.erl | 8 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_certificate.erl | 10 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_basic_SUITE.erl | 10 |
17 files changed, 284 insertions, 173 deletions
diff --git a/erts/emulator/beam/time.c b/erts/emulator/beam/time.c index a07d6a5327..53d39aef0e 100644 --- a/erts/emulator/beam/time.c +++ b/erts/emulator/beam/time.c @@ -83,24 +83,8 @@ #define ASSERT_NO_LOCKED_LOCKS #endif +static erts_smp_mtx_t tiw_lock; -#if defined(ERTS_TIMER_THREAD) || 1 -/* I don't yet know why, but using a mutex instead of a spinlock - or spin-based rwlock avoids excessive delays at startup. */ -static erts_smp_rwmtx_t tiw_lock; -#define tiw_read_lock() erts_smp_rwmtx_rlock(&tiw_lock) -#define tiw_read_unlock() erts_smp_rwmtx_runlock(&tiw_lock) -#define tiw_write_lock() erts_smp_rwmtx_rwlock(&tiw_lock) -#define tiw_write_unlock() erts_smp_rwmtx_rwunlock(&tiw_lock) -#define tiw_init_lock() erts_smp_rwmtx_init(&tiw_lock, "timer_wheel") -#else -static erts_smp_rwlock_t tiw_lock; -#define tiw_read_lock() erts_smp_read_lock(&tiw_lock) -#define tiw_read_unlock() erts_smp_read_unlock(&tiw_lock) -#define tiw_write_lock() erts_smp_write_lock(&tiw_lock) -#define tiw_write_unlock() erts_smp_write_unlock(&tiw_lock) -#define tiw_init_lock() erts_smp_rwlock_init(&tiw_lock, "timer_wheel") -#endif /* BEGIN tiw_lock protected variables ** @@ -224,10 +208,10 @@ int next_time(void) { int ret; - tiw_write_lock(); + erts_smp_mtx_lock(&tiw_lock); (void)do_time_update(); ret = next_time_internal(); - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); return ret; } #endif @@ -241,7 +225,7 @@ static ERTS_INLINE void bump_timer_internal(long dt) /* PRE: tiw_lock is write-l /* no need to bump the position if there aren't any timeouts */ if (tiw_nto == 0) { - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); return; } @@ -278,7 +262,7 @@ static ERTS_INLINE void bump_timer_internal(long dt) /* PRE: tiw_lock is write-l } tiw_pos = keep_pos; - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); /* Call timedout timers callbacks */ while (timeout_head) { @@ -299,13 +283,13 @@ static ERTS_INLINE void bump_timer_internal(long dt) /* PRE: tiw_lock is write-l #if defined(ERTS_TIMER_THREAD) static void timer_thread_bump_timer(void) { - tiw_write_lock(); + erts_smp_mtx_lock(&tiw_lock); bump_timer_internal(do_time_reset()); } #else void bump_timer(long dt) /* dt is value from do_time */ { - tiw_write_lock(); + erts_smp_mtx_lock(&tiw_lock); bump_timer_internal(dt); } #endif @@ -324,7 +308,7 @@ static int timer_thread_setup_delay(SysTimeval *rem_time) long elapsed; int ticks; - tiw_write_lock(); + erts_smp_mtx_lock(&tiw_lock); elapsed = do_time_update(); ticks = next_time_internal(); if (ticks == -1) /* timer queue empty */ @@ -336,7 +320,7 @@ static int timer_thread_setup_delay(SysTimeval *rem_time) rem_time->tv_sec = ticks / 1000; rem_time->tv_usec = 1000 * (ticks % 1000); ticks_end = ticks; - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); return ticks; } @@ -399,7 +383,7 @@ init_time(void) if timer thread is enabled */ itime = erts_init_time_sup(); - tiw_init_lock(); + erts_smp_mtx_init(&tiw_lock, "timer_wheel"); tiw = (ErlTimer**) erts_alloc(ERTS_ALC_T_TIMER_WHEEL, TIW_SIZE * sizeof(ErlTimer*)); @@ -451,9 +435,9 @@ erl_set_timer(ErlTimer* p, ErlTimeoutProc timeout, ErlCancelProc cancel, void* arg, Uint t) { erts_deliver_time(); - tiw_write_lock(); + erts_smp_mtx_lock(&tiw_lock); if (p->active) { /* XXX assert ? */ - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); return; } p->timeout = timeout; @@ -461,7 +445,7 @@ erl_set_timer(ErlTimer* p, ErlTimeoutProc timeout, ErlCancelProc cancel, p->arg = arg; p->active = 1; insert_timer(p, t); - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); #if defined(ERTS_SMP) && !defined(ERTS_TIMER_THREAD) if (t <= (Uint) LONG_MAX) erts_sys_schedule_interrupt_timed(1, (long) t); @@ -474,9 +458,9 @@ erl_cancel_timer(ErlTimer* p) ErlTimer *tp; ErlTimer **prev; - tiw_write_lock(); + erts_smp_mtx_lock(&tiw_lock); if (!p->active) { /* allow repeated cancel (drivers) */ - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); return; } /* find p in linked list at slot p->slot and remove it */ @@ -489,17 +473,17 @@ erl_cancel_timer(ErlTimer* p) p->slot = p->count = 0; p->active = 0; if (p->cancel != NULL) { - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); (*p->cancel)(p->arg); } else { - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); } return; } else { prev = &tp->next; } } - tiw_write_unlock(); + erts_smp_mtx_unlock(&tiw_lock); } /* @@ -514,10 +498,10 @@ time_left(ErlTimer *p) Uint left; long dt; - tiw_read_lock(); + erts_smp_mtx_lock(&tiw_lock); if (!p->active) { - tiw_read_unlock(); + erts_smp_mtx_unlock(&tiw_lock); return 0; } @@ -531,7 +515,7 @@ time_left(ErlTimer *p) else left -= dt; - tiw_read_unlock(); + erts_smp_mtx_unlock(&tiw_lock); return left * itime; } @@ -543,7 +527,7 @@ void p_slpq() int i; ErlTimer* p; - tiw_read_lock(); + erts_smp_mtx_lock(&tiw_lock); /* print the whole wheel, starting at the current position */ erts_printf("\ntiw_pos = %d tiw_nto %d\n", tiw_pos, tiw_nto); @@ -565,7 +549,7 @@ void p_slpq() } } - tiw_read_unlock(); + erts_smp_mtx_unlock(&tiw_lock); } #endif /* DEBUG */ diff --git a/erts/emulator/test/port_SUITE.erl b/erts/emulator/test/port_SUITE.erl index 77fa75b78f..a7476ca9bb 100644 --- a/erts/emulator/test/port_SUITE.erl +++ b/erts/emulator/test/port_SUITE.erl @@ -2305,7 +2305,11 @@ load_driver(Dir, Driver) -> close_deaf_port(doc) -> ["Send data to port program that does not read it, then close port."]; close_deaf_port(suite) -> []; close_deaf_port(Config) when is_list(Config) -> - Port = open_port({spawn,"sleep 999999"},[]), - erlang:port_command(Port,"Hello, can you hear me!?!?"), - port_close(Port), + ?line Dog = test_server:timetrap(test_server:seconds(100)), + ?line DataDir = ?config(data_dir, Config), + ?line DeadPort = os:find_executable("dead_port", DataDir), + + ?line Port = open_port({spawn,DeadPort++" 60"},[]), + ?line erlang:port_command(Port,"Hello, can you hear me!?!?"), + ?line port_close(Port), ok. diff --git a/erts/emulator/test/port_SUITE_data/Makefile.src b/erts/emulator/test/port_SUITE_data/Makefile.src index d97b37c9ae..ff822ae720 100644 --- a/erts/emulator/test/port_SUITE_data/Makefile.src +++ b/erts/emulator/test/port_SUITE_data/Makefile.src @@ -3,7 +3,7 @@ LD = @LD@ CFLAGS = @CFLAGS@ -I@erl_include@ @DEFS@ CROSSLDFLAGS = @CROSSLDFLAGS@ -PROGS = port_test@exe@ echo_args@exe@ +PROGS = port_test@exe@ echo_args@exe@ dead_port@exe@ DRIVERS = echo_drv@dll@ exit_drv@dll@ failure_drv@dll@ all: $(PROGS) $(DRIVERS) port_test.@EMULATOR@ diff --git a/erts/emulator/test/port_SUITE_data/dead_port.c b/erts/emulator/test/port_SUITE_data/dead_port.c new file mode 100644 index 0000000000..6fa77112be --- /dev/null +++ b/erts/emulator/test/port_SUITE_data/dead_port.c @@ -0,0 +1,102 @@ +/* + * %CopyrightBegin% + * + * Copyright Ericsson AB 2001-2010. All Rights Reserved. + * + * The contents of this file are subject to the Erlang Public License, + * Version 1.1, (the "License"); you may not use this file except in + * compliance with the License. You should have received a copy of the + * Erlang Public License along with this software. If not, it can be + * retrieved online at http://www.erlang.org/. + * + * Software distributed under the License is distributed on an "AS IS" + * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See + * the License for the specific language governing rights and limitations + * under the License. + * + * %CopyrightEnd% + */ + +#ifdef VXWORKS +#include <vxWorks.h> +#include <taskVarLib.h> +#include <taskLib.h> +#include <sysLib.h> +#include <string.h> +#include <ioLib.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> + +#ifndef __WIN32__ +#include <unistd.h> + +#ifdef VXWORKS +#include "reclaim.h" +#include <sys/times.h> +#else +#include <sys/time.h> +#endif + +#define O_BINARY 0 +#define _setmode(fd, mode) +#endif + +#ifdef __WIN32__ +#include "windows.h" +#include "winbase.h" +#endif + + +#ifdef VXWORKS +#define MAIN(argc, argv) port_test(argc, argv) +#else +#define MAIN(argc, argv) main(argc, argv) +#endif + + +extern int errno; + +static void delay(unsigned ms); + + +MAIN(argc, argv) +int argc; +char *argv[]; +{ + int x; + if (argc < 2) { + fprintf(stderr,"Usage %s <seconds>\n",argv[0]); + return 1; + } + if ((x = atoi(argv[1])) <= 0) { + fprintf(stderr,"Usage %s <seconds>\n",argv[0]); + return 1; + } + delay(x*1000); + return 0; +} + +static void +delay(unsigned ms) +{ +#ifdef VXWORKS + taskDelay((sysClkRateGet() * ms) / 1000); +#else +#ifdef __WIN32__ + Sleep(ms); +#else + struct timeval t; + t.tv_sec = ms/1000; + t.tv_usec = (ms % 1000) * 1000; + + select(0, NULL, NULL, NULL, &t); +#endif +#endif +} diff --git a/lib/erl_interface/configure.in b/lib/erl_interface/configure.in index 7728cb97be..72ac8c7bbf 100644 --- a/lib/erl_interface/configure.in +++ b/lib/erl_interface/configure.in @@ -288,13 +288,7 @@ case "$threads_disabled" in ;; win32_threads) EI_THREADS="true" - AC_MSG_CHECKING([for __declspec(thread) usability]) - if test "X$GCC" = "Xyes"; then - AC_MSG_RESULT([no]) - else - THR_DEFS="$THR_DEFS -DUSE_DECLSPEC_THREAD" - AC_MSG_RESULT([yes]) - fi + THR_DEFS="$THR_DEFS -D_WIN32_WINNT=0x0500 -DWINVER=0x0500" ;; pthread) EI_THREADS="true" diff --git a/lib/erl_interface/src/connect/ei_connect.c b/lib/erl_interface/src/connect/ei_connect.c index e191f3fbf0..99ccba0686 100644 --- a/lib/erl_interface/src/connect/ei_connect.c +++ b/lib/erl_interface/src/connect/ei_connect.c @@ -366,16 +366,16 @@ static int initWinSock(void) WORD wVersionRequested; WSADATA wsaData; int i; - /* FIXME problem for threaded ? */ - static int initialized = 0; + + static LONG volatile initialized = 0; wVersionRequested = MAKEWORD(1, 1); - if (!initialized) { - initialized = 1; + if (InterlockedCompareExchange((LPLONG) &initialized,1L,0L) == 0L) { /* FIXME not terminate, just a message?! */ if ((i = WSAStartup(wVersionRequested, &wsaData))) { EI_TRACE_ERR1("ei_connect_init", "ERROR: can't initialize windows sockets: %d",i); + initialized = 2L; return 0; } @@ -383,10 +383,14 @@ static int initWinSock(void) EI_TRACE_ERR0("initWinSock","ERROR: this version of windows " "sockets not supported"); WSACleanup(); + initialized = 2L; return 0; } + initialized = 3L; + } else while (initialized < 2) { + SwitchToThread(); } - return 1; + return (int) (initialized - 2); } #endif diff --git a/lib/erl_interface/test/ei_accept_SUITE.erl b/lib/erl_interface/test/ei_accept_SUITE.erl index bc83d6a62e..31781fe377 100644 --- a/lib/erl_interface/test/ei_accept_SUITE.erl +++ b/lib/erl_interface/test/ei_accept_SUITE.erl @@ -31,7 +31,7 @@ all(suite) -> [ei_accept, ei_threaded_accept]. init_per_testcase(_Case, Config) -> - Dog = ?t:timetrap(?t:minutes(0.25)), + Dog = ?t:timetrap(?t:seconds(30)), [{watchdog, Dog}|Config]. fin_per_testcase(_Case, Config) -> @@ -43,8 +43,6 @@ ei_accept(Config) when is_list(Config) -> ?line P = runner:start(?interpret), ?line 0 = ei_connect_init(P, 42, erlang:get_cookie(), 0), -% ?line AMsg={a,[message, with], " strings in it!", [-12, -23], 1.001}, - %% shouldn't this be a bif or function or something? ?line Myname= hd(tl(string:tokens(atom_to_list(node()), "@"))), ?line io:format("Myname ~p ~n", [Myname]), ?line EINode= list_to_atom("c42@"++Myname), @@ -52,9 +50,13 @@ ei_accept(Config) when is_list(Config) -> ?line Self= self(), ?line TermToSend= {call, Self, "Test"}, ?line F= fun() -> - timer:sleep(500), - {any, EINode} ! TermToSend, - Self ! sent_ok, + case waitfornode("c42",20) of + true -> + {any, EINode} ! TermToSend, + Self ! sent_ok; + false -> + Self ! never_published + end, ok end, @@ -90,12 +92,29 @@ ei_threaded_accept(Config) when is_list(Config) -> || I <- lists:seq(0, N-1) ], ok. +waitfornode(String,0) -> + io:format("~s never published itself.~n",[String]), + false; +waitfornode(String,N) -> + Registered = [X || {X,_} <- element(2,erl_epmd:names())], + case lists:member(String,Registered) of + true -> + true; + false -> + timer:sleep(1000), + waitfornode(String,N-1) + end. + send_rec_einode(N, TestServerPid) -> ?line Myname= hd(tl(string:tokens(atom_to_list(node()), "@"))), - ?line EINode= list_to_atom("eiacc" ++ integer_to_list(N) ++ "@" ++ Myname), + ?line FirstPart = "eiacc" ++ integer_to_list(N), + ?line EINode= list_to_atom(FirstPart ++ "@" ++ Myname), ?line io:format("EINode ~p ~n", [EINode]), ?line Self= self(), - ?line timer:sleep(10*1000), + ?line case waitfornode(FirstPart,20) of + true -> ok; + false -> test_server:fail({never_published,EINode}) + end, ?line {any, EINode} ! Self, ?line receive {N,_}=X -> @@ -136,13 +155,6 @@ ei_receive(P, Fd) -> {term, T}= get_term(P), T. -ei_unpublish(P) -> - send_command(P, ei_unpublish, []), - case get_term(P) of - {term,{0, _}} -> ok; - {term,{_X, Errno}} -> {error,Errno} - end. - send_command(P, Name, Args) -> runner:send_term(P, {Name,list_to_tuple(Args)}). diff --git a/lib/erl_interface/test/ei_connect_SUITE.erl b/lib/erl_interface/test/ei_connect_SUITE.erl index 56f478edad..fe82a73ef9 100644 --- a/lib/erl_interface/test/ei_connect_SUITE.erl +++ b/lib/erl_interface/test/ei_connect_SUITE.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2001-2009. All Rights Reserved. +%% Copyright Ericsson AB 2001-2010. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -103,10 +103,12 @@ ei_threaded_send(Config) when is_list(Config) -> ?line Einode = filename:join(?config(data_dir, Config), "einode"), ?line N = 15, ?line Host = atom_to_list(node()), - ?line spawn_link(fun() -> start_einode(Einode, N, Host) end), ?line TestServerPid = self(), ?line [ spawn_link(fun() -> rec_einode(I, TestServerPid) end) || I <- lists:seq(0, N-1) ], + ?line [ receive {I,registered} -> ok end + || I <- lists:seq(0, N-1) ], + ?line spawn_link(fun() -> start_einode(Einode, N, Host) end), ?line [ receive I -> ok end || I <- lists:seq(0, N-1) ], ok. @@ -114,6 +116,7 @@ ei_threaded_send(Config) when is_list(Config) -> rec_einode(N, TestServerPid) -> ?line Regname = list_to_atom("mth"++integer_to_list(N)), ?line register(Regname, self()), + ?line TestServerPid ! {N, registered}, ?line io:format("~p waiting~n", [Regname]), ?line receive X -> diff --git a/lib/kernel/test/gen_udp_SUITE.erl b/lib/kernel/test/gen_udp_SUITE.erl index 44dd8607b9..bbdfbd3cb0 100644 --- a/lib/kernel/test/gen_udp_SUITE.erl +++ b/lib/kernel/test/gen_udp_SUITE.erl @@ -415,15 +415,15 @@ connect(suite) -> connect(doc) -> ["Test that connect/3 has effect"]; connect(Config) when is_list(Config) -> - Addr = {127,0,0,1}, - {ok,S1} = gen_udp:open(0), - {ok,P1} = inet:port(S1), - {ok,S2} = gen_udp:open(0), - ok = inet:setopts(S2, [{active,false}]), - ok = gen_udp:close(S1), - ok = gen_udp:connect(S2, Addr, P1), - ok = gen_udp:send(S2, <<16#deadbeef:32>>), - {error,econnrefused} = gen_udp:recv(S2, 0, 5), + ?line Addr = {127,0,0,1}, + ?line {ok,S1} = gen_udp:open(0), + ?line {ok,P1} = inet:port(S1), + ?line {ok,S2} = gen_udp:open(0), + ?line ok = inet:setopts(S2, [{active,false}]), + ?line ok = gen_udp:close(S1), + ?line ok = gen_udp:connect(S2, Addr, P1), + ?line ok = gen_udp:send(S2, <<16#deadbeef:32>>), + ?line {error,econnrefused} = gen_udp:recv(S2, 0, 5), ok. implicit_inet6(Config) when is_list(Config) -> diff --git a/lib/public_key/include/public_key.hrl b/lib/public_key/include/public_key.hrl index 82681502ab..a16eb10fe6 100644 --- a/lib/public_key/include/public_key.hrl +++ b/lib/public_key/include/public_key.hrl @@ -31,8 +31,10 @@ -define(DEFAULT_VERIFYFUN, {fun(_,{bad_cert, _} = Reason, _) -> {fail, Reason}; - (_,{extension, _}, UserState) -> - {unknown, UserState} + (_,{extension, _}, UserState) -> + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, []}). -record(path_validation_state, { diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl index b3c230df25..e704c168f1 100644 --- a/lib/public_key/src/pubkey_cert.erl +++ b/lib/public_key/src/pubkey_cert.erl @@ -29,7 +29,7 @@ validate_revoked_status/3, validate_extensions/4, normalize_general_name/1, digest_type/1, is_self_signed/1, is_issuer/2, issuer_id/2, is_fixed_dh_cert/1, - verify_data/1]). + verify_data/1, verify_fun/4]). -define(NULL, 0). @@ -288,6 +288,35 @@ is_fixed_dh_cert(#'OTPCertificate'{tbsCertificate = Extensions}}) -> is_fixed_dh_cert(SubjectPublicKeyInfo, extensions_list(Extensions)). + +%%-------------------------------------------------------------------- +-spec verify_fun(#'OTPTBSCertificate'{}, {bad_cert, atom()} | {extension, #'Extension'{}}| + valid, term(), fun()) -> term(). +%% +%% Description: Gives the user application the opportunity handle path +%% validation errors and unknown extensions and optional do other +%% things with a validated certificate. +%% -------------------------------------------------------------------- +verify_fun(Otpcert, Result, UserState0, VerifyFun) -> + case VerifyFun(Otpcert, Result, UserState0) of + {valid,UserState} -> + UserState; + {fail, Reason} -> + case Result of + {bad_cert, _} -> + throw(Result); + _ -> + throw({bad_cert, Reason}) + end; + {unknown, UserState} -> + case Result of + {extension, #'Extension'{critical = true}} -> + throw({bad_cert, unknown_critical_extension}); + _ -> + UserState + end + end. + %%-------------------------------------------------------------------- %%% Internal functions %%-------------------------------------------------------------------- @@ -315,25 +344,6 @@ extensions_list(asn1_NOVALUE) -> extensions_list(Extensions) -> Extensions. -verify_fun(Otpcert, Result, UserState0, VerifyFun) -> - case VerifyFun(Otpcert, Result, UserState0) of - {valid,UserState} -> - UserState; - {fail, Reason} -> - case Result of - {bad_cert, _} -> - throw(Result); - _ -> - throw({bad_cert, Reason}) - end; - {unknown, UserState} -> - case Result of - {extension, #'Extension'{critical = true}} -> - throw({bad_cert, unknown_critical_extension}); - _ -> - UserState - end - end. extract_verify_data(OtpCert, DerCert) -> {0, Signature} = OtpCert#'OTPCertificate'.signature, @@ -538,42 +548,21 @@ validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-keyUsage', end; validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-subjectAltName', - extnValue = Names} | Rest], + extnValue = Names, + critical = true} = Ext | Rest], ValidationState, ExistBasicCon, SelfSigned, UserState0, VerifyFun) -> case validate_subject_alt_names(Names) of - true when Names =/= [] -> + true -> validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, SelfSigned, UserState0, VerifyFun); - _ -> - UserState = verify_fun(OtpCert, {bad_cert, invalid_subject_altname}, + false -> + UserState = verify_fun(OtpCert, {extension, Ext}, UserState0, VerifyFun), validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, SelfSigned, UserState, VerifyFun) end; -%% This extension SHOULD NOT be marked critical. Its value -%% does not have to be further validated at this point. -validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-issuerAltName', - extnValue = _} | Rest], - ValidationState, ExistBasicCon, - SelfSigned, UserState, VerifyFun) -> - validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, - SelfSigned, UserState, VerifyFun); - -%% This extension MUST NOT be marked critical.Its value -%% does not have to be further validated at this point. -validate_extensions(OtpCert, [#'Extension'{extnID = Id, - extnValue = _, - critical = false} | Rest], - ValidationState, - ExistBasicCon, SelfSigned, - UserState, VerifyFun) - when Id == ?'id-ce-subjectKeyIdentifier'; - Id == ?'id-ce-authorityKeyIdentifier'-> - validate_extensions(OtpCert, Rest, ValidationState, ExistBasicCon, - SelfSigned, UserState, VerifyFun); - validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-nameConstraints', extnValue = NameConst} | Rest], ValidationState, @@ -587,7 +576,6 @@ validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-nameConstraints', validate_extensions(OtpCert, Rest, NewValidationState, ExistBasicCon, SelfSigned, UserState, VerifyFun); - validate_extensions(OtpCert, [#'Extension'{extnID = ?'id-ce-certificatePolicies', critical = true} = Ext| Rest], ValidationState, ExistBasicCon, SelfSigned, UserState0, VerifyFun) -> @@ -648,13 +636,13 @@ is_valid_key_usage(KeyUse, Use) -> lists:member(Use, KeyUse). validate_subject_alt_names([]) -> - true; + false; validate_subject_alt_names([AltName | Rest]) -> case is_valid_subject_alt_name(AltName) of true -> - validate_subject_alt_names(Rest); + true; false -> - false + validate_subject_alt_names(Rest) end. is_valid_subject_alt_name({Name, Value}) when Name == rfc822Name; @@ -682,6 +670,8 @@ is_valid_subject_alt_name({directoryName, _}) -> true; is_valid_subject_alt_name({_, [_|_]}) -> true; +is_valid_subject_alt_name({otherName, #'AnotherName'{}}) -> + false; is_valid_subject_alt_name({_, _}) -> false. diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl index 68bf04eeff..9c7817fa8e 100644 --- a/lib/public_key/src/public_key.erl +++ b/lib/public_key/src/public_key.erl @@ -539,6 +539,7 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer, user_state = UserState0, verify_fun = VerifyFun} = ValidationState0) -> + OtpCert = pkix_decode_cert(DerCert, otp), UserState1 = pubkey_cert:validate_time(OtpCert, UserState0, VerifyFun), @@ -556,10 +557,12 @@ validate(DerCert, #path_validation_state{working_issuer_name = Issuer, %% We want the key_usage extension to be checked before we validate %% the signature. - UserState = pubkey_cert:validate_signature(OtpCert, DerCert, + UserState0 = pubkey_cert:validate_signature(OtpCert, DerCert, Key, KeyParams, UserState5, VerifyFun), + UserState = pubkey_cert:verify_fun(OtpCert, valid, UserState0, VerifyFun), ValidationState = ValidationState1#path_validation_state{user_state = UserState}, + pubkey_cert:prepare_for_next_cert(OtpCert, ValidationState). sized_binary(Binary) when is_binary(Binary) -> diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl index 46b8c3db8b..ea6a925139 100644 --- a/lib/public_key/test/public_key_SUITE.erl +++ b/lib/public_key/test/public_key_SUITE.erl @@ -377,7 +377,9 @@ pkix_path_validation(Config) when is_list(Config) -> (_,{bad_cert, _} = Reason, _) -> {fail, Reason}; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, []}, {ok, _} = public_key:pkix_path_validation(Trusted, [Cert1, Cert3,Cert4], @@ -392,7 +394,9 @@ pkix_path_validation(Config) when is_list(Config) -> (_,{bad_cert, _} = Reason, _) -> {fail, Reason}; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, []}, {ok, _} = diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 0f3054aec3..d5b7253ef3 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -202,16 +202,19 @@ <p>The verification fun should be defined as:</p> <code> - fun(OtpCert :: #'OtpCertificate'{}, - Event :: {bad_cert, Reason :: atom()} | - {extension, #'Extension'{}}, InitialUserState :: term()) -> - {valid, UserState :: term()} | {fail, Reason :: term()} | - {unknown, UserState :: term()}. +fun(OtpCert :: #'OtpCertificate'{}, Event :: {bad_cert, Reason :: atom()} | + {extension, #'Extension'{}}, InitialUserState :: term()) -> + {valid, UserState :: term()} | {fail, Reason :: term()} | + {unknown, UserState :: term()}. </code> <p>The verify fun will be called during the X509-path validation when an error or an extension unknown to the ssl - application is encountered. See + application is encountered. Additionally it will be called + when a certificate is considered valid by the path validation + to allow access to each certificate in the path to the user + application. + See <seealso marker="public_key:application">public_key(3)</seealso> for definition of #'OtpCertificate'{} and #'Extension'{}.</p> @@ -229,34 +232,32 @@ <p>The default verify_fun option in verify_peer mode:</p> <code> - {fun(_,{bad_cert, _} = Reason, _) -> - {fail, Reason}; - (_,{extension, _}, UserState) -> - {unknown, UserState} - end, []} +{fun(_,{bad_cert, _} = Reason, _) -> + {fail, Reason}; + (_,{extension, _}, UserState) -> + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} + end, []} </code> <p>The default verify_fun option in verify_none mode:</p> <code> - {fun(_,{bad_cert, unknown_ca}, UserState) -> - {valid, UserState}; - (_,{bad_cert, _} = Reason, _) -> - {fail, Reason}; - (_,{extension, _}, UserState) -> - {unknown, UserState} - end, []} +{fun(_,{bad_cert, unknown_ca}, UserState) -> + {valid, UserState}; + (_,{bad_cert, _} = Reason, _) -> + {fail, Reason}; + (_,{extension, _}, UserState) -> + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} + end, []} </code> - <p> Possible path validation errors: - {bad_cert, cert_expired}, - {bad_cert, invalid_issuer}, - {bad_cert, invalid_signature}, - {bad_cert, unknown_ca}, - {bad_cert, name_not_permitted}, - {bad_cert, missing_basic_constraint}, - {bad_cert, invalid_key_usage}, - {bad_cert, invalid_subject_altname}</p> +<p>Possible path validation errors: </p> + +<p> {bad_cert, cert_expired}, {bad_cert, invalid_issuer}, {bad_cert, invalid_signature}, {bad_cert, unknown_ca}, {bad_cert, name_not_permitted}, {bad_cert, missing_basic_constraint}, {bad_cert, invalid_key_usage}</p> </item> </taglist> diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index cc01b35b64..12dffb413c 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -535,7 +535,9 @@ handle_options(Opts0, _Role) -> (_,{bad_cert, _} = Reason, _) -> {fail, Reason}; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, []}, UserFailIfNoPeerCert = handle_option(fail_if_no_peer_cert, Opts, false), @@ -631,7 +633,9 @@ validate_option(verify_fun, Fun) when is_function(Fun) -> {fail, Reason} end; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, Fun}; validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) -> Value; diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index 6cf57ced81..206024315e 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -34,7 +34,6 @@ -export([trusted_cert_and_path/2, certificate_chain/2, file_to_certificats/1, - %validate_extensions/6, validate_extension/3, is_valid_extkey_usage/2, is_valid_key_usage/2, @@ -118,8 +117,7 @@ file_to_certificats(File) -> %% Description: Validates ssl/tls specific extensions %%-------------------------------------------------------------------- validate_extension(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage', - extnValue = KeyUse, - critical = true}}, Role) -> + extnValue = KeyUse}}, Role) -> case is_valid_extkey_usage(KeyUse, Role) of true -> {valid, Role}; @@ -128,8 +126,10 @@ validate_extension(_,{extension, #'Extension'{extnID = ?'id-ce-extKeyUsage', end; validate_extension(_, {bad_cert, _} = Reason, _) -> {fail, Reason}; -validate_extension(_, _, Role) -> - {unknown, Role}. +validate_extension(_, {extension, _}, Role) -> + {unknown, Role}; +validate_extension(_, valid, Role) -> + {valid, Role}. %%-------------------------------------------------------------------- -spec is_valid_key_usage(list(), term()) -> boolean(). diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index 1e96880801..3cb9337775 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -2860,7 +2860,9 @@ unknown_server_ca_fail(Config) when is_list(Config) -> FunAndState = {fun(_,{bad_cert, _} = Reason, _) -> {fail, Reason}; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, []}, Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, @@ -2926,7 +2928,9 @@ unknown_server_ca_accept_verify_peer(Config) when is_list(Config) -> (_,{bad_cert, _} = Reason, _) -> {fail, Reason}; (_,{extension, _}, UserState) -> - {unknown, UserState} + {unknown, UserState}; + (_, valid, UserState) -> + {valid, UserState} end, []}, Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, @@ -3095,7 +3099,7 @@ session_cache_process_mnesia(suite) -> session_cache_process_mnesia(Config) when is_list(Config) -> session_cache_process(mnesia,Config). -session_cache_process(Type,Config) when is_list(Config) -> +session_cache_process(_Type,Config) when is_list(Config) -> reuse_session(Config). init([Type]) -> |