1 files changed, 103 insertions, 38 deletions

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index fb4448e180..5b6d92ebf4 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -32,7 +32,9 @@
 %% Socket handling
 -export([connect/3, connect/2, connect/4,
 	 listen/2, transport_accept/1, transport_accept/2,
-	 ssl_accept/1, ssl_accept/2, ssl_accept/3,
+	 handshake/1, handshake/2, handshake/3, 
+         handshake_continue/3, handshake_cancel/1,
+         ssl_accept/1, ssl_accept/2, ssl_accept/3,
 	 controlling_process/2, peername/1, peercert/1, sockname/1,
 	 close/1, close/2, shutdown/2, recv/2, recv/3, send/2,
 	 getopts/2, setopts/2, getstat/1, getstat/2
@@ -45,7 +47,7 @@
          format_error/1, renegotiate/1, prf/5, negotiated_protocol/1, 
 	 connection_information/1, connection_information/2]).
 %% Misc
--export([handle_options/2, tls_version/1]).
+-export([handle_options/2, tls_version/1, new_ssl_options/3]).
 
 -include("ssl_api.hrl").
 -include("ssl_internal.hrl").
@@ -170,23 +172,54 @@ transport_accept(#sslsocket{pid = {ListenSocket,
 			ok | {ok, #sslsocket{}} | {error, reason()}.
 
 -spec ssl_accept(#sslsocket{} | port(), [ssl_option()] | [ssl_option()| transport_option()], timeout()) ->
-			{ok, #sslsocket{}} | {error, reason()}.
+			ok | {ok, #sslsocket{}} | {error, reason()}.
 %%
 %% Description: Performs accept on an ssl listen socket. e.i. performs
 %%              ssl handshake.
 %%--------------------------------------------------------------------
 ssl_accept(ListenSocket) ->
-    ssl_accept(ListenSocket, infinity).
+    ssl_accept(ListenSocket, [], infinity).
+ssl_accept(Socket, Timeout)  when  (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
+    ssl_accept(Socket, [], Timeout);
+ssl_accept(ListenSocket, SslOptions) when is_port(ListenSocket) ->
+    ssl_accept(ListenSocket, SslOptions, infinity);
+ssl_accept(Socket, Timeout) ->
+    ssl_accept(Socket, [], Timeout).
+ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket) ->
+    handshake(Socket, SslOptions, Timeout);
+ssl_accept(Socket, SslOptions, Timeout) ->
+     case handshake(Socket, SslOptions, Timeout) of
+        {ok, _} ->
+            ok;
+        Error ->
+            Error
+     end.
+%%--------------------------------------------------------------------
+-spec handshake(#sslsocket{}) -> {ok, #sslsocket{}} | {error, reason()}.
+-spec handshake(#sslsocket{} | port(), timeout()| [ssl_option()
+						    | transport_option()]) ->
+                       {ok, #sslsocket{}} | {error, reason()}.
+
+-spec handshake(#sslsocket{} | port(), [ssl_option()] | [ssl_option()| transport_option()], timeout()) ->
+			{ok, #sslsocket{}} | {error, reason()}.
+%%
+%% Description: Performs accept on an ssl listen socket. e.i. performs
+%%              ssl handshake.
+%%--------------------------------------------------------------------
+handshake(ListenSocket) ->
+    handshake(ListenSocket, infinity).
 
-ssl_accept(#sslsocket{} = Socket, Timeout) when  (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
+handshake(#sslsocket{} = Socket, Timeout) when  (is_integer(Timeout) andalso Timeout >= 0) or 
+                                                (Timeout == infinity) ->
     ssl_connection:handshake(Socket, Timeout);
 
-ssl_accept(ListenSocket, SslOptions)  when is_port(ListenSocket) ->
-    ssl_accept(ListenSocket, SslOptions, infinity).
+handshake(ListenSocket, SslOptions)  when is_port(ListenSocket) ->
+    handshake(ListenSocket, SslOptions, infinity).
 
-ssl_accept(#sslsocket{} = Socket, [], Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
-    ssl_accept(Socket, Timeout);
-ssl_accept(#sslsocket{fd = {_, _, _, Tracker}} = Socket, SslOpts, Timeout) when
+handshake(#sslsocket{} = Socket, [], Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or 
+                                                    (Timeout == infinity)->
+    handshake(Socket, Timeout);
+handshake(#sslsocket{fd = {_, _, _, Tracker}} = Socket, SslOpts, Timeout) when
       (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
     try
 	{ok, EmOpts, _} = tls_socket:get_all_opts(Tracker),
@@ -195,7 +228,7 @@ ssl_accept(#sslsocket{fd = {_, _, _, Tracker}} = Socket, SslOpts, Timeout) when
     catch
 	Error = {error, _Reason} -> Error
     end;
-ssl_accept(#sslsocket{pid = Pid, fd = {_, _, _}} = Socket, SslOpts, Timeout) when
+handshake(#sslsocket{pid = Pid, fd = {_, _, _}} = Socket, SslOpts, Timeout) when
       (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
     try
         {ok, EmOpts, _} = dtls_udp_listener:get_all_opts(Pid),
@@ -204,8 +237,8 @@ ssl_accept(#sslsocket{pid = Pid, fd = {_, _, _}} = Socket, SslOpts, Timeout) whe
     catch
 	Error = {error, _Reason} -> Error
     end;
-ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket),
-					     (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
+handshake(Socket, SslOptions, Timeout) when is_port(Socket),
+                                            (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
     {Transport,_,_,_} =
 	proplists:get_value(cb_info, SslOptions, {gen_tcp, tcp, tcp_closed, tcp_error}),
     EmulatedOptions = tls_socket:emulated_options(),
@@ -215,13 +248,31 @@ ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket),
 	{ok, #config{transport_info = CbInfo, ssl = SslOpts, emulated = EmOpts}} ->
 	    ok = tls_socket:setopts(Transport, Socket, tls_socket:internal_inet_values()),
 	    {ok, Port} = tls_socket:port(Transport, Socket),
-	    ssl_connection:ssl_accept(ConnetionCb, Port, Socket,
-				      {SslOpts, 
-				       tls_socket:emulated_socket_options(EmOpts, #socket_options{}), undefined},
-				      self(), CbInfo, Timeout)
+	    ssl_connection:handshake(ConnetionCb, Port, Socket,
+                                     {SslOpts, 
+                                      tls_socket:emulated_socket_options(EmOpts, #socket_options{}), undefined},
+                                     self(), CbInfo, Timeout)
     catch
 	Error = {error, _Reason} -> Error
     end.
+
+%%--------------------------------------------------------------------
+-spec handshake_continue(#sslsocket{}, [ssl_option()], timeout()) -> 
+                                {ok, #sslsocket{}} | {error, reason()}.
+%%
+%%
+%% Description: Continues the handshke possible with newly supplied options.
+%%--------------------------------------------------------------------
+handshake_continue(Socket, SSLOptions, Timeout) ->
+    ssl_connection:handshake_continue(Socket, SSLOptions, Timeout).
+%%--------------------------------------------------------------------
+-spec  handshake_cancel(#sslsocket{}) -> term().
+%%
+%% Description: Cancels the handshakes sending a close alert.
+%%--------------------------------------------------------------------
+handshake_cancel(Socket) ->
+    ssl_connection:handshake_cancel(Socket).
+
 %%--------------------------------------------------------------------
 -spec  close(#sslsocket{}) -> term().
 %%
@@ -476,8 +527,9 @@ eccs() ->
     eccs_filter_supported(Curves).
 
 %%--------------------------------------------------------------------
--spec eccs(tls_record:tls_version() | tls_record:tls_atom_version()) ->
-    tls_v1:curves().
+-spec eccs(tls_record:tls_version() | tls_record:tls_atom_version() |
+           dtls_record:dtls_version() | dtls_record:dtls_atom_version()) ->
+                  tls_v1:curves().
 %% Description: returns the curves supported for a given version of
 %% ssl/tls.
 %%--------------------------------------------------------------------
@@ -486,8 +538,16 @@ eccs({3,0}) ->
 eccs({3,_}) ->
     Curves = tls_v1:ecc_curves(all),
     eccs_filter_supported(Curves);
-eccs(AtomVersion) when is_atom(AtomVersion) ->
-    eccs(tls_record:protocol_version(AtomVersion)).
+eccs({254,_} = Version) ->
+    eccs(dtls_v1:corresponding_tls_version(Version));
+eccs(Version) when Version == 'tlsv1.2';
+                   Version == 'tlsv1.1';
+                   Version == tlsv1;
+                   Version == sslv3 ->
+    eccs(tls_record:protocol_version(Version));
+eccs(Version) when Version == 'dtlsv1.2';
+                   Version == 'dtlsv1'->
+    eccs(dtls_v1:corresponding_tls_version(dtls_record:protocol_version(Version))).
 
 eccs_filter_supported(Curves) ->
     CryptoCurves = crypto:ec_curves(),
@@ -618,16 +678,23 @@ sockname(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}) when is_pid(Pid)
 
 %%---------------------------------------------------------------
 -spec versions() -> [{ssl_app, string()} | {supported, [tls_record:tls_atom_version()]} |
-		     {available, [tls_record:tls_atom_version()]}].
+                     {supported_dtls, [dtls_record:dtls_atom_version()]} |
+		     {available, [tls_record:tls_atom_version()]} |
+                     {available_dtls, [dtls_record:dtls_atom_version()]}].
 %%
 %% Description: Returns a list of relevant versions.
 %%--------------------------------------------------------------------
 versions() ->
-    Vsns = tls_record:supported_protocol_versions(),
-    SupportedVsns = [tls_record:protocol_version(Vsn) || Vsn <- Vsns],
-    AvailableVsns = ?ALL_AVAILABLE_VERSIONS,
-    %% TODO Add DTLS versions when supported
-    [{ssl_app, ?VSN}, {supported, SupportedVsns}, {available, AvailableVsns}].
+    TLSVsns = tls_record:supported_protocol_versions(),
+    DTLSVsns = dtls_record:supported_protocol_versions(),
+    SupportedTLSVsns = [tls_record:protocol_version(Vsn) || Vsn <- TLSVsns],
+    SupportedDTLSVsns = [dtls_record:protocol_version(Vsn) || Vsn <- DTLSVsns],
+    AvailableTLSVsns = ?ALL_AVAILABLE_VERSIONS,
+    AvailableDTLSVsns = ?ALL_AVAILABLE_DATAGRAM_VERSIONS,
+    [{ssl_app, ?VSN}, {supported, SupportedTLSVsns}, 
+     {supported_dtls, SupportedDTLSVsns}, 
+     {available, AvailableTLSVsns}, 
+     {available_dtls, AvailableDTLSVsns}].
 
 
 %%---------------------------------------------------------------
@@ -707,7 +774,6 @@ tls_version({254, _} = Version) ->
 %%%--------------------------------------------------------------
 %%% Internal functions
 %%%--------------------------------------------------------------------
-
 %% Possible filters out suites not supported by crypto 
 available_suites(default) ->  
     Version = tls_record:highest_protocol_version([]),			  
@@ -832,7 +898,7 @@ handle_options(Opts0, Role, Host) ->
 		    %% Server side option
 		    reuse_session = handle_option(reuse_session, Opts, ReuseSessionFun),
 		    reuse_sessions = handle_option(reuse_sessions, Opts, true),
-		    secure_renegotiate = handle_option(secure_renegotiate, Opts, false),
+		    secure_renegotiate = handle_option(secure_renegotiate, Opts, true),
 		    client_renegotiation = handle_option(client_renegotiation, Opts, 
 							 default_option_role(server, true, Role), 
 							 server, Role),
@@ -870,8 +936,8 @@ handle_options(Opts0, Role, Host) ->
 					     client, Role),
 		    crl_check = handle_option(crl_check, Opts, false),
 		    crl_cache = handle_option(crl_cache, Opts, {ssl_crl_cache, {internal, []}}),
-		    v2_hello_compatible = handle_option(v2_hello_compatible, Opts, false),
-                    max_handshake_size = handle_option(max_handshake_size, Opts, ?DEFAULT_MAX_HANDSHAKE_SIZE)
+                    max_handshake_size = handle_option(max_handshake_size, Opts, ?DEFAULT_MAX_HANDSHAKE_SIZE),
+                    handshake = handle_option(handshake, Opts, full)
 		   },
 
     CbInfo  = proplists:get_value(cb_info, Opts, default_cb_info(Protocol)),
@@ -886,9 +952,8 @@ handle_options(Opts0, Role, Host) ->
 		  alpn_preferred_protocols, next_protocols_advertised,
 		  client_preferred_next_protocols, log_alert,
 		  server_name_indication, honor_cipher_order, padding_check, crl_check, crl_cache,
-		  fallback, signature_algs, eccs, honor_ecc_order, beast_mitigation, v2_hello_compatible,
-                  max_handshake_size],
-
+		  fallback, signature_algs, eccs, honor_ecc_order, beast_mitigation,
+                  max_handshake_size, handshake],
     SockOpts = lists:foldl(fun(Key, PropList) ->
 				   proplists:delete(Key, PropList)
 			   end, Opts, SslOptions),
@@ -900,8 +965,6 @@ handle_options(Opts0, Role, Host) ->
 		 inet_user = Sock, transport_info = CbInfo, connection_cb = ConnetionCb
 		}}.
 
-
-
 handle_option(OptionName, Opts, Default, Role, Role) ->
     handle_option(OptionName, Opts, Default);
 handle_option(_, _, undefined = Value, _, _) ->
@@ -1123,14 +1186,16 @@ validate_option(beast_mitigation, Value) when Value == one_n_minus_one orelse
                                               Value == zero_n orelse
                                               Value == disabled ->
   Value;
-validate_option(v2_hello_compatible, Value) when is_boolean(Value)  ->
-    Value;
 validate_option(max_handshake_size, Value) when is_integer(Value)  andalso Value =< ?MAX_UNIT24 ->
     Value;
 validate_option(protocol, Value = tls) ->
     Value;
 validate_option(protocol, Value = dtls) ->
     Value;
+validate_option(handshake, hello = Value) ->
+    Value;
+validate_option(handshake, full = Value) ->
+    Value;
 validate_option(Opt, Value) ->
     throw({error, {options, {Opt, Value}}}).