1 files changed, 65 insertions, 21 deletions

diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index 00e95f5c5b..5bd9521de7 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2016. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -67,6 +67,7 @@
 -define(CLEAN_SESSION_DB, 60000).
 -define(CLEAN_CERT_DB, 500).
 -define(DEFAULT_MAX_SESSION_CACHE, 1000).
+-define(LOAD_MITIGATION, 10).
 
 %%====================================================================
 %% API
@@ -114,13 +115,25 @@ start_link_dist(Opts) ->
 %% Description: Do necessary initializations for a new connection.
 %%--------------------------------------------------------------------
 connection_init({der, _} = Trustedcerts, Role, CRLCache) ->
-    call({connection_init, Trustedcerts, Role, CRLCache});
+    case bypass_pem_cache() of
+	true ->
+	    {ok, Extracted} = ssl_pkix_db:extract_trusted_certs(Trustedcerts),
+	    call({connection_init, Extracted, Role, CRLCache});
+	false ->
+	    call({connection_init, Trustedcerts, Role, CRLCache})
+    end;
 
 connection_init(<<>> = Trustedcerts, Role, CRLCache) ->
     call({connection_init, Trustedcerts, Role, CRLCache});
 
 connection_init(Trustedcerts, Role, CRLCache) ->
-    call({connection_init, Trustedcerts, Role, CRLCache}).
+    case bypass_pem_cache() of
+	true ->
+	    {ok, Extracted} = ssl_pkix_db:extract_trusted_certs(Trustedcerts),
+	    call({connection_init, Extracted, Role, CRLCache});
+	false ->
+	    call({connection_init, Trustedcerts, Role, CRLCache})
+    end.
 
 %%--------------------------------------------------------------------
 -spec cache_pem_file(binary(), term()) -> {ok, term()} | {error, reason()}.
@@ -128,13 +141,18 @@ connection_init(Trustedcerts, Role, CRLCache) ->
 %% Description: Cache a pem file and return its content.
 %%--------------------------------------------------------------------
 cache_pem_file(File, DbHandle) ->
-    case ssl_pkix_db:lookup_cached_pem(DbHandle, File) of
-	[{Content,_}] ->
-	    {ok, Content};
-	[Content] ->
-	    {ok, Content};
-	undefined ->
-	    call({cache_pem, File})
+    case bypass_pem_cache() of
+	true ->
+	    ssl_pkix_db:decode_pem_file(File);
+	false ->
+	    case ssl_pkix_db:lookup_cached_pem(DbHandle, File) of
+		[{Content,_}] ->
+		    {ok, Content};
+		[Content] ->
+		    {ok, Content};
+		undefined ->
+		    call({cache_pem, File})
+	    end
     end.
 
 %%--------------------------------------------------------------------
@@ -196,10 +214,12 @@ register_session(Port, Session) ->
 %%--------------------------------------------------------------------
 -spec invalidate_session(host(), inet:port_number(), #session{}) -> ok.
 invalidate_session(Host, Port, Session) ->
+    load_mitigation(),
     cast({invalidate_session, Host, Port, Session}).
 
 -spec invalidate_session(inet:port_number(), #session{}) -> ok.
 invalidate_session(Port, Session) ->
+    load_mitigation(),
     cast({invalidate_session, Port, Session}).
 
 -spec invalidate_pem(File::binary()) -> ok.
@@ -263,7 +283,9 @@ init([Name, Opts]) ->
 		session_cache_client_max = 
 		    max_session_cache_size(session_cache_client_max),
 		session_cache_server_max = 
-		    max_session_cache_size(session_cache_server_max)
+		    max_session_cache_size(session_cache_server_max),
+		session_client_invalidator = undefined,
+		session_server_invalidator = undefined
 	       }}.
 
 %%--------------------------------------------------------------------
@@ -378,13 +400,17 @@ handle_cast({invalidate_pem, File},
 handle_info(validate_sessions, #state{session_cache_cb = CacheCb,
 				      session_cache_client = ClientCache,
 				      session_cache_server = ServerCache,
-				      session_lifetime = LifeTime
+				      session_lifetime = LifeTime,
+				      session_client_invalidator = Client,
+				      session_server_invalidator = Server				      
 				     } = State) ->
     Timer = erlang:send_after(?SESSION_VALIDATION_INTERVAL, 
 			      self(), validate_sessions),
-    start_session_validator(ClientCache, CacheCb, LifeTime),
-    start_session_validator(ServerCache, CacheCb, LifeTime),
-    {noreply, State#state{session_validation_timer = Timer}};
+    CPid = start_session_validator(ClientCache, CacheCb, LifeTime, Client),
+    SPid = start_session_validator(ServerCache, CacheCb, LifeTime, Server),
+    {noreply, State#state{session_validation_timer = Timer, 
+			  session_client_invalidator = CPid,
+			  session_server_invalidator = SPid}};
 
 
 handle_info({delayed_clean_session, Key, Cache}, #state{session_cache_cb = CacheCb
@@ -471,9 +497,11 @@ validate_session(Port, Session, LifeTime) ->
 	    invalidate_session(Port, Session)
     end.
 		    
-start_session_validator(Cache, CacheCb, LifeTime) ->
+start_session_validator(Cache, CacheCb, LifeTime, undefined) ->
     spawn_link(?MODULE, init_session_validator, 
-	       [[get(ssl_manager), Cache, CacheCb, LifeTime]]).
+	       [[get(ssl_manager), Cache, CacheCb, LifeTime]]);
+start_session_validator(_,_,_, Pid) ->
+    Pid.
 
 init_session_validator([SslManagerName, Cache, CacheCb, LifeTime]) ->
     put(ssl_manager, SslManagerName),
@@ -495,6 +523,14 @@ delay_time() ->
 	   ?CLEAN_SESSION_DB
     end.
 
+bypass_pem_cache() ->
+    case application:get_env(ssl, bypass_pem_cache) of
+	{ok, Bool} when is_boolean(Bool) ->
+	    Bool;
+	_ ->
+	    false
+    end.
+
 max_session_cache_size(CacheType) ->
     case application:get_env(ssl, CacheType) of
 	{ok, Size} when is_integer(Size) ->
@@ -543,7 +579,7 @@ last_delay_timer({_,_}, TRef, {_, LastClient}) ->
 new_id(_, 0, _, _) ->
     <<>>;
 new_id(Port, Tries, Cache, CacheCb) ->
-    Id = crypto:rand_bytes(?NUM_OF_SESSION_ID_BYTES),
+    Id = ssl_cipher:random_bytes(?NUM_OF_SESSION_ID_BYTES),
     case CacheCb:lookup(Cache, {Port, Id}) of
 	undefined ->
 	    Now = erlang:monotonic_time(),
@@ -602,8 +638,8 @@ server_register_session(Port, Session, #state{session_cache_server_max = Max,
 
 do_register_session(Key, Session, Max, Pid, Cache, CacheCb) ->
     try CacheCb:size(Cache) of
-	N when N > Max  ->
-	  invalidate_session_cache(Pid, CacheCb, Cache);
+	Max ->
+	    invalidate_session_cache(Pid, CacheCb, Cache);
 	_ ->	
 	    CacheCb:update(Cache, Key, Session),
 	    Pid
@@ -708,6 +744,14 @@ crl_db_info(_, UserCRLDb) ->
 %% Only start a session invalidator if there is not
 %% one already active
 invalidate_session_cache(undefined, CacheCb, Cache) ->
-    start_session_validator(Cache, CacheCb, {invalidate_before, erlang:monotonic_time()});
+    start_session_validator(Cache, CacheCb, {invalidate_before, erlang:monotonic_time()}, undefined);
 invalidate_session_cache(Pid, _CacheCb, _Cache) ->
     Pid.
+
+load_mitigation() ->
+    MSec = rand:uniform(?LOAD_MITIGATION),
+    receive 
+    after 
+	MSec ->
+	    continue
+    end.