1 files changed, 37 insertions, 22 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index be1041ca13..4b7f49547b 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 1999-2014. All Rights Reserved.
+%% Copyright Ericsson AB 1999-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -339,14 +339,10 @@ negotiated_next_protocol(#sslsocket{pid = Pid}) ->
     ssl_connection:negotiated_next_protocol(Pid).
 
 %%--------------------------------------------------------------------
--spec cipher_suites() -> [ssl_cipher:erl_cipher_suite()].
--spec cipher_suites(erlang | openssl | all) -> [ssl_cipher:erl_cipher_suite()] | [string()].
-			   
+-spec cipher_suites(erlang | openssl | all) -> [ssl_cipher:erl_cipher_suite()] |
+					       [string()].
 %% Description: Returns all supported cipher suites.
 %%--------------------------------------------------------------------
-cipher_suites() ->
-    cipher_suites(erlang).
-
 cipher_suites(erlang) ->
     Version = tls_record:highest_protocol_version([]),
     ssl_cipher:filter_suites([suite_definition(S)
@@ -358,11 +354,14 @@ cipher_suites(openssl) ->
 cipher_suites(all) ->
     Version = tls_record:highest_protocol_version([]),
     Supported = ssl_cipher:all_suites(Version)
-	++ ssl_cipher:anonymous_suites(Version)
+	++ ssl_cipher:anonymous_suites()
 	++ ssl_cipher:psk_suites(Version)
 	++ ssl_cipher:srp_suites(),
     ssl_cipher:filter_suites([suite_definition(S) || S <- Supported]).
 
+cipher_suites() ->
+    cipher_suites(erlang).
+
 %%--------------------------------------------------------------------
 -spec getopts(#sslsocket{}, [gen_tcp:option_name()]) ->
 		     {ok, [gen_tcp:option()]} | {error, reason()}.
@@ -570,21 +569,24 @@ handle_options(Opts0, #ssl_options{protocol = Protocol, cacerts = CaCerts0,
 				   cacertfile = CaCertFile0} = InheritedSslOpts) ->
     RecordCB = record_cb(Protocol),
     CaCerts = handle_option(cacerts, Opts0, CaCerts0),
-    {Verify, FailIfNoPeerCert, CaCertDefault, VerifyFun} = handle_verify_options(Opts0, CaCerts),
+    {Verify, FailIfNoPeerCert, CaCertDefault, VerifyFun, PartialChainHanlder} = handle_verify_options(Opts0, CaCerts),
     CaCertFile = case proplists:get_value(cacertfile, Opts0, CaCertFile0) of
 		     undefined ->
 			 CaCertDefault;
 		     CAFile ->
 			 CAFile
 		 end,
+
     NewVerifyOpts = InheritedSslOpts#ssl_options{cacerts = CaCerts,
 						 cacertfile = CaCertFile,
 						 verify = Verify,
 						 verify_fun = VerifyFun,
+						 partial_chain = PartialChainHanlder,
 						 fail_if_no_peer_cert = FailIfNoPeerCert},
     SslOpts1 = lists:foldl(fun(Key, PropList) ->
 				   proplists:delete(Key, PropList)
-			   end, Opts0, [cacerts, cacertfile, verify, verify_fun, fail_if_no_peer_cert]),
+			   end, Opts0, [cacerts, cacertfile, verify, verify_fun, partial_chain,
+					fail_if_no_peer_cert]),
     case handle_option(versions, SslOpts1, []) of
 	[] ->
 	    new_ssl_options(SslOpts1, NewVerifyOpts, RecordCB);
@@ -604,10 +606,10 @@ handle_options(Opts0) ->
     ReuseSessionFun = fun(_, _, _, _) -> true end,
     CaCerts = handle_option(cacerts, Opts, undefined),
 
-    {Verify, FailIfNoPeerCert, CaCertDefault, VerifyFun} = handle_verify_options(Opts, CaCerts),
+    {Verify, FailIfNoPeerCert, CaCertDefault, VerifyFun, PartialChainHanlder} =
+	handle_verify_options(Opts, CaCerts),
     
     CertFile = handle_option(certfile, Opts, <<>>),
-    
     RecordCb = record_cb(Opts),
     
     Versions = case handle_option(versions, Opts, []) of
@@ -621,6 +623,7 @@ handle_options(Opts0) ->
 		    versions   = Versions,
 		    verify     = validate_option(verify, Verify),
 		    verify_fun = VerifyFun,
+		    partial_chain = PartialChainHanlder,
 		    fail_if_no_peer_cert = FailIfNoPeerCert,
 		    verify_client_once =  handle_option(verify_client_once, Opts, false),
 		    depth      = handle_option(depth,  Opts, 1),
@@ -653,11 +656,12 @@ handle_options(Opts0) ->
 		    log_alert = handle_option(log_alert, Opts, true),
 		    server_name_indication = handle_option(server_name_indication, Opts, undefined),
 		    honor_cipher_order = handle_option(honor_cipher_order, Opts, false),
-		    protocol = proplists:get_value(protocol, Opts, tls)
+		    protocol = proplists:get_value(protocol, Opts, tls),
+		    padding_check =  proplists:get_value(padding_check, Opts, true)
 		   },
 
     CbInfo  = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed, tcp_error}),
-    SslOptions = [protocol, versions, verify, verify_fun,
+    SslOptions = [protocol, versions, verify, verify_fun, partial_chain,
 		  fail_if_no_peer_cert, verify_client_once,
 		  depth, cert, certfile, key, keyfile,
 		  password, cacerts, cacertfile, dh, dhfile,
@@ -666,7 +670,7 @@ handle_options(Opts0) ->
 		  cb_info, renegotiate_at, secure_renegotiate, hibernate_after,
 		  erl_dist, next_protocols_advertised,
 		  client_preferred_next_protocols, log_alert,
-		  server_name_indication, honor_cipher_order],
+		  server_name_indication, honor_cipher_order, padding_check],
 
     SockOpts = lists:foldl(fun(Key, PropList) ->
 				   proplists:delete(Key, PropList)
@@ -709,6 +713,8 @@ validate_option(verify_fun, Fun) when is_function(Fun) ->
      end, Fun};
 validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) ->
    Value;
+validate_option(partial_chain, Value) when is_function(Value) ->
+    Value;
 validate_option(fail_if_no_peer_cert, Value) when is_boolean(Value) ->
     Value;
 validate_option(verify_client_once, Value) when is_boolean(Value) ->
@@ -842,6 +848,8 @@ validate_option(server_name_indication, undefined) ->
     undefined;
 validate_option(honor_cipher_order, Value) when is_boolean(Value) ->
     Value;
+validate_option(padding_check, Value) when is_boolean(Value) ->
+    Value;
 validate_option(Opt, Value) ->
     throw({error, {options, {Opt, Value}}}).
 
@@ -1148,25 +1156,32 @@ handle_verify_options(Opts, CaCerts) ->
 
     UserFailIfNoPeerCert = handle_option(fail_if_no_peer_cert, Opts, false),
     UserVerifyFun = handle_option(verify_fun, Opts, undefined),
-
     
+    PartialChainHanlder = handle_option(partial_chain, Opts,
+					fun(_) -> unknown_ca end),
+
     %% Handle 0, 1, 2 for backwards compatibility
     case proplists:get_value(verify, Opts, verify_none) of
 	0 ->
 	    {verify_none, false,
-		 ca_cert_default(verify_none, VerifyNoneFun, CaCerts), VerifyNoneFun};
+		 ca_cert_default(verify_none, VerifyNoneFun, CaCerts),
+	     VerifyNoneFun, PartialChainHanlder};
 	1  ->
 	    {verify_peer, false,
-	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts), UserVerifyFun};
+	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts),
+	     UserVerifyFun, PartialChainHanlder};
 	2 ->
 	    {verify_peer, true,
-	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts), UserVerifyFun};
-	    verify_none ->
+	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts),
+	     UserVerifyFun, PartialChainHanlder};
+	verify_none ->
 	    {verify_none, false,
-	     ca_cert_default(verify_none, VerifyNoneFun, CaCerts), VerifyNoneFun};
+	     ca_cert_default(verify_none, VerifyNoneFun, CaCerts),
+	     VerifyNoneFun, PartialChainHanlder};
 	verify_peer ->
 	    {verify_peer, UserFailIfNoPeerCert,
-	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts), UserVerifyFun};
+	     ca_cert_default(verify_peer, UserVerifyFun, CaCerts),
+	     UserVerifyFun, PartialChainHanlder};
 	Value ->
 	    throw({error, {options, {verify, Value}}})
     end.