diff options
Diffstat (limited to 'lib/ssl/src')
| -rw-r--r-- | lib/ssl/src/dtls_connection.erl | 175 | ||||
| -rw-r--r-- | lib/ssl/src/dtls_record.erl | 8 | ||||
| -rw-r--r-- | lib/ssl/src/dtls_socket.erl | 31 | ||||
| -rw-r--r-- | lib/ssl/src/inet_tls_dist.erl | 2 | ||||
| -rw-r--r-- | lib/ssl/src/ssl.erl | 46 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_alert.erl | 6 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_certificate.erl | 38 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_connection.erl | 118 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_crl_cache.erl | 6 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 18 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_record.erl | 12 | ||||
| -rw-r--r-- | lib/ssl/src/tls_connection.erl | 33 | ||||
| -rw-r--r-- | lib/ssl/src/tls_socket.erl | 43 | 
13 files changed, 315 insertions, 221 deletions
| diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl index ff3e69bae5..7d2605e013 100644 --- a/lib/ssl/src/dtls_connection.erl +++ b/lib/ssl/src/dtls_connection.erl @@ -45,7 +45,7 @@  -export([renegotiate/2,   	 reinit_handshake_data/1,   	 send_handshake/2, queue_handshake/2, queue_change_cipher/2, -	 select_sni_extension/1]). +	 select_sni_extension/1, empty_connection_state/2]).  %% Alert and close handling  -export([encode_alert/3,send_alert/2, close/5, protocol_name/0]). @@ -79,9 +79,9 @@ start_fsm(Role, Host, Port, Socket, {#ssl_options{erl_dist = false},_, Tracker}  	    Error      end. -send_handshake(Handshake, #state{connection_states = ConnectionStates} = States) -> +send_handshake(Handshake, #state{connection_states = ConnectionStates} = State) ->      #{epoch := Epoch} = ssl_record:current_connection_state(ConnectionStates, write), -    send_handshake_flight(queue_handshake(Handshake, States), Epoch). +    send_handshake_flight(queue_handshake(Handshake, State), Epoch).  queue_handshake(Handshake0, #state{tls_handshake_history = Hist0,   				   negotiated_version = Version, @@ -114,8 +114,8 @@ send_handshake_flight(#state{socket = Socket,      %% TODO remove hardcoded Max size      {Encoded, ConnectionStates} =  	encode_handshake_flight(lists:reverse(Flight), Version, 1400, Epoch, ConnectionStates0), -    send(Transport, Socket, Encoded), -    {State0#state{connection_states = ConnectionStates}, []}; +    send(Transport, Socket, Encoded),  +   {State0#state{connection_states = ConnectionStates}, []};  send_handshake_flight(#state{socket = Socket,  			     transport_cb = Transport, @@ -188,9 +188,10 @@ reinit_handshake_data(#state{protocol_buffers = Buffers} = State) ->  		public_key_info = undefined,  		tls_handshake_history = ssl_handshake:init_handshake_history(),                  flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}, -		protocol_buffers = +		flight_buffer = new_flight(), +                protocol_buffers =  		    Buffers#protocol_buffers{ -		      dtls_handshake_next_seq = 0, +                      dtls_handshake_next_seq = 0,  		      dtls_handshake_next_fragments = [],  		      dtls_handshake_later_fragments = []  		     }}. @@ -199,6 +200,9 @@ select_sni_extension(#client_hello{extensions = HelloExtensions}) ->      HelloExtensions#hello_extensions.sni;  select_sni_extension(_) ->      undefined. +empty_connection_state(ConnectionEnd, BeastMitigation) -> +    Empty = ssl_record:empty_connection_state(ConnectionEnd, BeastMitigation), +    dtls_record:empty_connection_state(Empty).  socket(Pid,  Transport, Socket, Connection, _) ->      dtls_socket:socket(Pid, Transport, Socket, Connection). @@ -273,28 +277,28 @@ init({call, From}, {start, Timeout},      {Record, State} = next_record(State3),      next_event(hello, Record, State, Actions);  init({call, _} = Type, Event, #state{role = server, transport_cb = gen_udp} = State) -> -    Result = ssl_connection:init(Type, Event,  -                                 State#state{flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}, -                                             protocol_specific = #{current_cookie_secret => dtls_v1:cookie_secret(),  -                                                                   previous_cookie_secret => <<>>, -                                                                   ignored_alerts => 0, -                                                                   max_ignored_alerts => 10}}, -                                 ?MODULE), +    Result = ssl_connection:?FUNCTION_NAME(Type, Event,  +                                           State#state{flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}, +                                                       protocol_specific = #{current_cookie_secret => dtls_v1:cookie_secret(),  +                                                                             previous_cookie_secret => <<>>, +                                                                             ignored_alerts => 0, +                                                                             max_ignored_alerts => 10}}, +                                           ?MODULE),      erlang:send_after(dtls_v1:cookie_timeout(), self(), new_cookie_secret),      Result; -                                      +  init({call, _} = Type, Event, #state{role = server} = State) ->      %% I.E. DTLS over sctp -    ssl_connection:init(Type, Event, State#state{flight_state = reliable}, ?MODULE); +    ssl_connection:?FUNCTION_NAME(Type, Event, State#state{flight_state = reliable}, ?MODULE);  init(Type, Event, State) -> -    ssl_connection:init(Type, Event, State, ?MODULE). +    ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).  error(enter, _, State) ->      {keep_state, State};       error({call, From}, {start, _Timeout}, {Error, State}) ->      {stop_and_reply, normal, {reply, From, {error, Error}}, State};  error({call, From}, Msg, State) -> -    handle_call(Msg, From, error, State); +    handle_call(Msg, From, ?FUNCTION_NAME, State);  error(_, _, _) ->       {keep_state_and_data, [postpone]}. @@ -326,7 +330,7 @@ hello(internal, #client_hello{cookie = <<>>,      State1 = prepare_flight(State0#state{negotiated_version = Version}),      {State2, Actions} = send_handshake(VerifyRequest, State1),      {Record, State} = next_record(State2), -    next_event(hello, Record, State#state{tls_handshake_history = ssl_handshake:init_handshake_history()}, Actions); +    next_event(?FUNCTION_NAME, Record, State#state{tls_handshake_history = ssl_handshake:init_handshake_history()}, Actions);  hello(internal, #client_hello{cookie = Cookie} = Hello, #state{role = server,  							       transport_cb = Transport,  							       socket = Socket, @@ -355,19 +359,20 @@ hello(internal, #hello_verify_request{cookie = Cookie}, #state{role = client,  							       session_cache = Cache,  							       session_cache_cb = CacheCb  							      } = State0) -> -    State1 = prepare_flight(State0#state{tls_handshake_history = ssl_handshake:init_handshake_history()}), +        Hello = dtls_handshake:client_hello(Host, Port, Cookie, ConnectionStates0,  					SslOpts,  					Cache, CacheCb, Renegotiation, OwnCert),      Version = Hello#client_hello.client_version, -    HelloVersion = dtls_record:lowest_protocol_version(SslOpts#ssl_options.versions), -    {State2, Actions} = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}),  +    State1 = prepare_flight(State0#state{tls_handshake_history = ssl_handshake:init_handshake_history()}), +     +    {State2, Actions} = send_handshake(Hello, State1),       State3 = State2#state{negotiated_version = Version, %% Requested version  			  session =  			      Session0#session{session_id =   						   Hello#client_hello.session_id}},      {Record, State} = next_record(State3), -    next_event(hello, Record, State, Actions); +    next_event(?FUNCTION_NAME, Record, State, Actions);  hello(internal, #server_hello{} = Hello,        #state{connection_states = ConnectionStates0,  	     negotiated_version = ReqVersion, @@ -376,92 +381,97 @@ hello(internal, #server_hello{} = Hello,  	     ssl_options = SslOptions} = State) ->      case dtls_handshake:hello(Hello, SslOptions, ConnectionStates0, Renegotiation) of  	#alert{} = Alert -> -	    handle_own_alert(Alert, ReqVersion, hello, State); +	    handle_own_alert(Alert, ReqVersion, ?FUNCTION_NAME, State);  	{Version, NewId, ConnectionStates, ProtoExt, Protocol} ->  	    ssl_connection:handle_session(Hello,   					  Version, NewId, ConnectionStates, ProtoExt, Protocol, State)      end;  hello(internal, {handshake, {#client_hello{cookie = <<>>} = Handshake, _}}, State) ->      %% Initial hello should not be in handshake history -    {next_state, hello, State, [{next_event, internal, Handshake}]}; +    {next_state, ?FUNCTION_NAME, State, [{next_event, internal, Handshake}]};  hello(internal, {handshake, {#hello_verify_request{} = Handshake, _}}, State) ->      %% hello_verify should not be in handshake history -    {next_state, hello, State, [{next_event, internal, Handshake}]}; +    {next_state, ?FUNCTION_NAME, State, [{next_event, internal, Handshake}]};  hello(info, Event, State) -> -    handle_info(Event, hello, State); +    handle_info(Event, ?FUNCTION_NAME, State);  hello(state_timeout, Event, State) -> -    handle_state_timeout(Event, hello, State); +    handle_state_timeout(Event, ?FUNCTION_NAME, State);  hello(Type, Event, State) -> -    ssl_connection:hello(Type, Event, State, ?MODULE). +    ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).  abbreviated(enter, _, State0) ->      {State, Actions} = handle_flight_timer(State0),      {keep_state, State, Actions};   abbreviated(info, Event, State) -> -    handle_info(Event, abbreviated, State); +    handle_info(Event, ?FUNCTION_NAME, State);  abbreviated(internal = Type,   	    #change_cipher_spec{type = <<1>>} = Event,   	    #state{connection_states = ConnectionStates0} = State) ->      ConnectionStates1 = dtls_record:save_current_connection_state(ConnectionStates0, read),      ConnectionStates = dtls_record:next_epoch(ConnectionStates1, read), -    ssl_connection:abbreviated(Type, Event, State#state{connection_states = ConnectionStates}, ?MODULE); +    ssl_connection:?FUNCTION_NAME(Type, Event, State#state{connection_states = ConnectionStates}, ?MODULE);  abbreviated(internal = Type, #finished{} = Event, #state{connection_states = ConnectionStates} = State) -> -    ssl_connection:abbreviated(Type, Event,  -                               prepare_flight(State#state{connection_states = ConnectionStates, -                                                          flight_state = connection}), ?MODULE); +    ssl_connection:?FUNCTION_NAME(Type, Event,  +                                  prepare_flight(State#state{connection_states = ConnectionStates, +                                                             flight_state = connection}), ?MODULE);  abbreviated(state_timeout, Event, State) -> -    handle_state_timeout(Event, abbreviated, State); +    handle_state_timeout(Event, ?FUNCTION_NAME, State);  abbreviated(Type, Event, State) -> -    ssl_connection:abbreviated(Type, Event, State, ?MODULE). +    ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).  certify(enter, _, State0) ->      {State, Actions} = handle_flight_timer(State0),      {keep_state, State, Actions};   certify(info, Event, State) -> -    handle_info(Event, certify, State); +    handle_info(Event, ?FUNCTION_NAME, State);  certify(internal = Type, #server_hello_done{} = Event, State) ->      ssl_connection:certify(Type, Event, prepare_flight(State), ?MODULE);  certify(state_timeout, Event, State) -> -    handle_state_timeout(Event, certify, State); +    handle_state_timeout(Event, ?FUNCTION_NAME, State);  certify(Type, Event, State) -> -    ssl_connection:certify(Type, Event, State, ?MODULE). +    ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).  cipher(enter, _, State0) ->      {State, Actions} = handle_flight_timer(State0),      {keep_state, State, Actions};   cipher(info, Event, State) -> -    handle_info(Event, cipher, State); +    handle_info(Event, ?FUNCTION_NAME, State);  cipher(internal = Type, #change_cipher_spec{type = <<1>>} = Event,           #state{connection_states = ConnectionStates0} = State) ->      ConnectionStates1 = dtls_record:save_current_connection_state(ConnectionStates0, read),      ConnectionStates = dtls_record:next_epoch(ConnectionStates1, read), -    ssl_connection:cipher(Type, Event, State#state{connection_states = ConnectionStates}, ?MODULE); +    ssl_connection:?FUNCTION_NAME(Type, Event, State#state{connection_states = ConnectionStates}, ?MODULE);  cipher(internal = Type, #finished{} = Event, #state{connection_states = ConnectionStates} = State) -> -    ssl_connection:cipher(Type, Event,  -			  prepare_flight(State#state{connection_states = ConnectionStates, -                                                     flight_state = connection}),  -                          ?MODULE); +    ssl_connection:?FUNCTION_NAME(Type, Event,  +                                  prepare_flight(State#state{connection_states = ConnectionStates, +                                                             flight_state = connection}),  +                                  ?MODULE);  cipher(state_timeout, Event, State) -> -    handle_state_timeout(Event, cipher, State); +    handle_state_timeout(Event, ?FUNCTION_NAME, State);  cipher(Type, Event, State) -> -     ssl_connection:cipher(Type, Event, State, ?MODULE). +     ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).  connection(enter, _, State) ->      {keep_state, State};       connection(info, Event, State) -> -    handle_info(Event, connection, State); +    handle_info(Event, ?FUNCTION_NAME, State);  connection(internal, #hello_request{}, #state{host = Host, port = Port, -				    session = #session{own_certificate = Cert} = Session0, -				    session_cache = Cache, session_cache_cb = CacheCb, -				    ssl_options = SslOpts, -				    connection_states = ConnectionStates0, -				    renegotiation = {Renegotiation, _}} = State0) -> +                                              session = #session{own_certificate = Cert} = Session0, +                                              session_cache = Cache, session_cache_cb = CacheCb, +                                              ssl_options = SslOpts, +                                              connection_states = ConnectionStates0, +                                              renegotiation = {Renegotiation, _}} = State0) -> +          Hello = dtls_handshake:client_hello(Host, Port, ConnectionStates0, SslOpts,  					Cache, CacheCb, Renegotiation, Cert), -    {State1, Actions} = send_handshake(Hello, State0), +    Version = Hello#client_hello.client_version, +    HelloVersion = dtls_record:hello_version(Version, SslOpts#ssl_options.versions), +    State1 = prepare_flight(State0), +    {State2, Actions} = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}),      {Record, State} =  	next_record( -	  State1#state{session = Session0#session{session_id +	  State2#state{flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}, +                       session = Session0#session{session_id  						  = Hello#client_hello.session_id}}),      next_event(hello, Record, State, Actions);  connection(internal, #client_hello{} = Hello, #state{role = server, allow_renegotiate = true} = State) -> @@ -471,20 +481,21 @@ connection(internal, #client_hello{} = Hello, #state{role = server, allow_renego      %% initiated renegotiation we will disallow many client initiated      %% renegotiations immediately after each other.      erlang:send_after(?WAIT_TO_ALLOW_RENEGOTIATION, self(), allow_renegotiate), -    {next_state, hello, State#state{allow_renegotiate = false}, [{next_event, internal, Hello}]}; +    {next_state, hello, State#state{allow_renegotiate = false, renegotiation = {true, peer}}, +     [{next_event, internal, Hello}]};  connection(internal, #client_hello{}, #state{role = server, allow_renegotiate = false} = State0) ->      Alert = ?ALERT_REC(?WARNING, ?NO_RENEGOTIATION),      State1 = send_alert(Alert, State0),      {Record, State} = ssl_connection:prepare_connection(State1, ?MODULE), -    next_event(connection, Record, State); +    next_event(?FUNCTION_NAME, Record, State);  connection(Type, Event, State) -> -     ssl_connection:connection(Type, Event, State, ?MODULE). +     ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).  %%TODO does this make sense for DTLS ?  downgrade(enter, _, State) ->      {keep_state, State};  downgrade(Type, Event, State) -> -     ssl_connection:downgrade(Type, Event, State, ?MODULE). +     ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).  %%--------------------------------------------------------------------  %% Description: This function is called by a gen_fsm when it receives any @@ -542,7 +553,6 @@ handle_info(new_cookie_secret, StateName,  handle_info(Msg, StateName, State) ->      ssl_connection:handle_info(Msg, StateName, State). -  handle_call(Event, From, StateName, State) ->      ssl_connection:handle_call(Event, From, StateName, State, ?MODULE). @@ -796,7 +806,13 @@ next_event(connection = StateName, no_record,      case next_record_if_active(State0) of  	{no_record, State} ->              ssl_connection:hibernate_after(StateName, State, Actions); -	{#ssl_tls{epoch = CurrentEpoch} = Record, State} -> +        {#ssl_tls{epoch = CurrentEpoch, +                  type = ?HANDSHAKE, +                  version = Version} = Record, State1} -> +            State = dtls_version(StateName, Version, State1),  +	    {next_state, StateName, State, +	     [{next_event, internal, {protocol_record, Record}} | Actions]}; +        {#ssl_tls{epoch = CurrentEpoch} = Record, State} ->  	    {next_state, StateName, State, [{next_event, internal, {protocol_record, Record}} | Actions]};  	{#ssl_tls{epoch = Epoch,  		  type = ?HANDSHAKE, @@ -822,6 +838,12 @@ next_event(connection = StateName, no_record,  next_event(connection = StateName, Record,  	   #state{connection_states = #{current_read := #{epoch := CurrentEpoch}}} = State0, Actions) ->      case Record of +        #ssl_tls{epoch = CurrentEpoch, +                 type = ?HANDSHAKE, +                 version = Version} = Record -> +            State = dtls_version(StateName, Version, State0),  +	    {next_state, StateName, State, +	     [{next_event, internal, {protocol_record, Record}} | Actions]};  	#ssl_tls{epoch = CurrentEpoch} ->  	    {next_state, StateName, State0, [{next_event, internal, {protocol_record, Record}} | Actions]};  	#ssl_tls{epoch = Epoch, @@ -845,11 +867,11 @@ next_event(StateName, Record,      case Record of  	no_record ->  	    {next_state, StateName, State0, Actions}; -	#ssl_tls{epoch = CurrentEpoch, -		  version = Version} = Record -> -	    {next_state, StateName,  -	     dtls_version(StateName, Version, State0),  -	     [{next_event, internal, {protocol_record, Record}} | Actions]}; +        #ssl_tls{epoch = CurrentEpoch, +                 version = Version} = Record -> +            State = dtls_version(StateName, Version, State0), +            {next_state, StateName,  State, +         [{next_event, internal, {protocol_record, Record}} | Actions]};  	#ssl_tls{epoch = _Epoch,  		 version = _Version} = _Record ->  	    %% TODO maybe buffer later epoch @@ -895,7 +917,7 @@ next_flight(Flight) ->      Flight#{handshakes => [],  	    change_cipher_spec => undefined,  	    handshakes_after_change_cipher_spec => []}. -	 +         handle_flight_timer(#state{transport_cb = gen_udp,                            flight_state = {retransmit, Timeout}} = State) ->      start_retransmision_timer(Timeout, State); @@ -923,21 +945,15 @@ dtls_handshake_events(Packets) ->  renegotiate(#state{role = client} = State, Actions) ->      %% Handle same way as if server requested      %% the renegotiation -    Hs0 = ssl_handshake:init_handshake_history(), -    {next_state, connection, State#state{tls_handshake_history = Hs0, -					 protocol_buffers = #protocol_buffers{}}, +    %%    Hs0 = ssl_handshake:init_handshake_history(), +    {next_state, connection, State,       [{next_event, internal, #hello_request{}} | Actions]}; -renegotiate(#state{role = server, -		   connection_states = CS0} = State0, Actions) -> +renegotiate(#state{role = server} = State0, Actions) ->      HelloRequest = ssl_handshake:hello_request(), -    CS = CS0#{write_msg_seq => 0}, -    {State1, MoreActions} = send_handshake(HelloRequest,  -                                           State0#state{connection_states = -                                                        CS}), -    Hs0 = ssl_handshake:init_handshake_history(), -    {Record, State} = next_record(State1#state{tls_handshake_history = Hs0, -					       protocol_buffers = #protocol_buffers{}}), +    State1 = prepare_flight(State0), +    {State2, MoreActions} = send_handshake(HelloRequest, State1), +    {Record, State} = next_record(State2),      next_event(hello, Record, State, Actions ++ MoreActions).  handle_alerts([], Result) -> @@ -953,7 +969,6 @@ retransmit_epoch(_StateName, #state{connection_states = ConnectionStates}) ->      #{epoch := Epoch} =   	ssl_record:current_connection_state(ConnectionStates, write),      Epoch. -  update_handshake_history(#hello_verify_request{}, _, Hist) ->      Hist; diff --git a/lib/ssl/src/dtls_record.erl b/lib/ssl/src/dtls_record.erl index 8a7f8c1d0a..a8520717e5 100644 --- a/lib/ssl/src/dtls_record.erl +++ b/lib/ssl/src/dtls_record.erl @@ -30,7 +30,7 @@  -include("ssl_cipher.hrl").  %% Handling of incoming data --export([get_dtls_records/2,  init_connection_states/2]). +-export([get_dtls_records/2,  init_connection_states/2, empty_connection_state/1]).  %% Decoding  -export([decode_cipher_text/2]). @@ -75,7 +75,7 @@ init_connection_states(Role, BeastMitigation) ->      Initial = initial_connection_state(ConnectionEnd, BeastMitigation),      Current = Initial#{epoch := 0},      InitialPending = ssl_record:empty_connection_state(ConnectionEnd, BeastMitigation), -    Pending = InitialPending#{epoch => undefined, replay_window => init_replay_window(?REPLAY_WINDOW_SIZE)}, +    Pending = empty_connection_state(InitialPending),      #{saved_read  => Current,        current_read  => Current,        pending_read  => Pending, @@ -83,6 +83,10 @@ init_connection_states(Role, BeastMitigation) ->        current_write => Current,        pending_write => Pending}. +empty_connection_state(Empty) ->     +    Empty#{epoch => undefined, replay_window => init_replay_window(?REPLAY_WINDOW_SIZE)}. + +  %%--------------------------------------------------------------------  -spec save_current_connection_state(ssl_record:connection_states(), read | write) ->  				      ssl_record:connection_states(). diff --git a/lib/ssl/src/dtls_socket.erl b/lib/ssl/src/dtls_socket.erl index 5f854fbb4b..0e4ab089dc 100644 --- a/lib/ssl/src/dtls_socket.erl +++ b/lib/ssl/src/dtls_socket.erl @@ -24,7 +24,7 @@  -export([send/3, listen/3, accept/3, connect/4, socket/4, setopts/3, getopts/3, getstat/3,   	 peername/2, sockname/2, port/2, close/2]). --export([emulated_options/0, internal_inet_values/0, default_inet_values/0, default_cb_info/0]). +-export([emulated_options/0, emulated_options/1, internal_inet_values/0, default_inet_values/0, default_cb_info/0]).  send(Transport, {{IP,Port},Socket}, Data) ->      Transport:send(Socket, IP, Port, Data). @@ -133,6 +133,9 @@ port(Transport, Socket) ->  emulated_options() ->      [mode, active,  packet, packet_size]. +emulated_options(Opts) -> +      emulated_options(Opts, internal_inet_values(), default_inet_values()). +  internal_inet_values() ->      [{active, false}, {mode,binary}]. @@ -158,3 +161,29 @@ emulated_socket_options(InetValues, #socket_options{         packet_size = proplists:get_value(packet_size, InetValues, PacketSize),         active = proplists:get_value(active, InetValues, Active)        }. + +emulated_options([{mode, Value} = Opt |Opts], Inet, Emulated) -> +    validate_inet_option(mode, Value), +    emulated_options(Opts, Inet, [Opt | proplists:delete(mode, Emulated)]); +emulated_options([{header, _} = Opt | _], _, _) -> +    throw({error, {options, {not_supported, Opt}}}); +emulated_options([{active, Value} = Opt |Opts], Inet, Emulated) -> +    validate_inet_option(active, Value), +    emulated_options(Opts, Inet, [Opt | proplists:delete(active, Emulated)]); +emulated_options([{packet, _} = Opt | _], _, _) -> +    throw({error, {options, {not_supported, Opt}}}); +emulated_options([{packet_size, _} = Opt | _], _, _) -> +    throw({error, {options, {not_supported, Opt}}}); +emulated_options([Opt|Opts], Inet, Emulated) -> +    emulated_options(Opts, [Opt|Inet], Emulated); +emulated_options([], Inet,Emulated) -> +    {Inet, Emulated}. + +validate_inet_option(mode, Value) +  when Value =/= list, Value =/= binary -> +    throw({error, {options, {mode,Value}}}); +validate_inet_option(active, Value) +  when Value =/= true, Value =/= false, Value =/= once -> +    throw({error, {options, {active,Value}}}); +validate_inet_option(_, _) -> +    ok. diff --git a/lib/ssl/src/inet_tls_dist.erl b/lib/ssl/src/inet_tls_dist.erl index 0da4b3587f..78094c474b 100644 --- a/lib/ssl/src/inet_tls_dist.erl +++ b/lib/ssl/src/inet_tls_dist.erl @@ -93,7 +93,7 @@ do_setup(Driver, Kernel, Node, Type, MyNode, LongOrShortNames, SetupTime) ->  		    ?trace("port_please(~p) -> version ~p~n",   			   [Node,Version]),  		    dist_util:reset_timer(Timer), -		    case ssl_tls_dist_proxy:connect(Driver, Ip, TcpPort) of +		    case ssl_tls_dist_proxy:connect(Driver, Address, TcpPort) of  			{ok, Socket} ->  			    HSData = connect_hs_data(Kernel, Node, MyNode, Socket,   						     Timer, Version, Ip, TcpPort, Address, diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index 4e592c02ec..60118549e4 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -1003,7 +1003,7 @@ validate_option(server_name_indication = Opt, Value) when is_list(Value) ->  validate_option(server_name_indication, undefined = Value) ->      Value;  validate_option(server_name_indication, disable) -> -    undefined; +    disable;  validate_option(sni_hosts, []) ->      []; @@ -1113,24 +1113,6 @@ dtls_validate_versions([Version | Rest], Versions) when  Version == 'dtlsv1';  dtls_validate_versions([Ver| _], Versions) ->      throw({error, {options, {Ver, {versions, Versions}}}}). -validate_inet_option(mode, Value) -  when Value =/= list, Value =/= binary -> -    throw({error, {options, {mode,Value}}}); -validate_inet_option(packet, Value) -  when not (is_atom(Value) orelse is_integer(Value)) -> -    throw({error, {options, {packet,Value}}}); -validate_inet_option(packet_size, Value) -  when not is_integer(Value) -> -    throw({error, {options, {packet_size,Value}}}); -validate_inet_option(header, Value) -  when not is_integer(Value) -> -    throw({error, {options, {header,Value}}}); -validate_inet_option(active, Value) -  when Value =/= true, Value =/= false, Value =/= once -> -    throw({error, {options, {active,Value}}}); -validate_inet_option(_, _) -> -    ok. -  %% The option cacerts overrides cacertsfile  ca_cert_default(_,_, [_|_]) ->      undefined; @@ -1145,31 +1127,11 @@ ca_cert_default(verify_peer, undefined, _) ->  emulated_options(Protocol, Opts) ->      case Protocol of  	tls -> -	    emulated_options(Opts, tls_socket:internal_inet_values(), tls_socket:default_inet_values()); +	    tls_socket:emulated_options(Opts);  	dtls -> -	    emulated_options(Opts, dtls_socket:internal_inet_values(), dtls_socket:default_inet_values()) +	    dtls_socket:emulated_options(Opts)      end. -emulated_options([{mode, Value} = Opt |Opts], Inet, Emulated) -> -    validate_inet_option(mode, Value), -    emulated_options(Opts, Inet, [Opt | proplists:delete(mode, Emulated)]); -emulated_options([{header, Value} = Opt | Opts], Inet, Emulated) -> -    validate_inet_option(header, Value), -    emulated_options(Opts, Inet,  [Opt | proplists:delete(header, Emulated)]); -emulated_options([{active, Value} = Opt |Opts], Inet, Emulated) -> -    validate_inet_option(active, Value), -    emulated_options(Opts, Inet, [Opt | proplists:delete(active, Emulated)]); -emulated_options([{packet, Value} = Opt |Opts], Inet, Emulated) -> -    validate_inet_option(packet, Value), -    emulated_options(Opts, Inet, [Opt | proplists:delete(packet, Emulated)]); -emulated_options([{packet_size, Value} = Opt | Opts], Inet, Emulated) -> -    validate_inet_option(packet_size, Value), -    emulated_options(Opts, Inet, [Opt | proplists:delete(packet_size, Emulated)]); -emulated_options([Opt|Opts], Inet, Emulated) -> -    emulated_options(Opts, [Opt|Inet], Emulated); -emulated_options([], Inet,Emulated) -> -    {Inet, Emulated}. -  handle_cipher_option(Value, Version)  when is_list(Value) ->      try binary_cipher_suites(Version, Value) of  	Suites -> @@ -1205,7 +1167,7 @@ binary_cipher_suites(Version, [Head | _] = Ciphers0) when is_list(Head) ->      binary_cipher_suites(Version, Ciphers);  binary_cipher_suites(Version, Ciphers0)  ->      %% Format: "RC4-SHA:RC4-MD5" -    Ciphers = [ssl_cipher:openssl_suite(C) || C <- string:tokens(Ciphers0, ":")], +    Ciphers = [ssl_cipher:openssl_suite(C) || C <- string:lexemes(Ciphers0, ":")],      binary_cipher_suites(Version, Ciphers).  handle_eccs_option(Value, Version) when is_list(Value) -> diff --git a/lib/ssl/src/ssl_alert.erl b/lib/ssl/src/ssl_alert.erl index db415a3666..95ab955ad0 100644 --- a/lib/ssl/src/ssl_alert.erl +++ b/lib/ssl/src/ssl_alert.erl @@ -57,7 +57,7 @@ decode(Bin) ->  reason_code(#alert{description = ?CLOSE_NOTIFY}, _) ->      closed;  reason_code(#alert{description = Description}, _) -> -    {tls_alert, string:to_lower(description_txt(Description))}. +    {tls_alert, string:casefold(description_txt(Description))}.  %%--------------------------------------------------------------------  -spec own_alert_txt(#alert{}) -> string(). @@ -66,7 +66,7 @@ reason_code(#alert{description = Description}, _) ->  %% by the erlang implementation.  %%--------------------------------------------------------------------  own_alert_txt(#alert{level = Level, description = Description, where = {Mod,Line}, reason = undefined, role = Role}) -> -    "at " ++ Mod ++ ":" ++ integer_to_list(Line) ++ " generated " ++ string:to_upper(atom_to_list(Role)) ++ " ALERT: " ++ +    "at " ++ Mod ++ ":" ++ integer_to_list(Line) ++ " generated " ++ string:uppercase(atom_to_list(Role)) ++ " ALERT: " ++          level_txt(Level) ++ description_txt(Description);  own_alert_txt(#alert{reason = Reason} = Alert) ->      BaseTxt = own_alert_txt(Alert#alert{reason = undefined}), @@ -81,7 +81,7 @@ own_alert_txt(#alert{reason = Reason} = Alert) ->  %% the peer.   %%--------------------------------------------------------------------  alert_txt(#alert{level = Level, description = Description, reason = undefined, role = Role}) -> -    "received " ++ string:to_upper(atom_to_list(Role)) ++ " ALERT: " ++ +    "received " ++ string:uppercase(atom_to_list(Role)) ++ " ALERT: " ++          level_txt(Level) ++ description_txt(Description);  alert_txt(#alert{reason = Reason} = Alert) ->      BaseTxt = alert_txt(Alert#alert{reason = undefined}), diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index 0dd5e5c5cf..a3333d35e9 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -138,13 +138,8 @@ validate(_, {bad_cert, _} = Reason, _) ->      {fail, Reason};  validate(_, valid, UserState) ->      {valid, UserState}; -validate(Cert, valid_peer, UserState = {client, _,_, Hostname, _, _}) when Hostname =/= undefined -> -    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of -        true -> -            {valid, UserState}; -        false -> -            {fail, {bad_cert, hostname_check_failed}} -    end; +validate(Cert, valid_peer, UserState = {client, _,_, Hostname, _, _}) when Hostname =/= disable -> +    verify_hostname(Hostname, Cert, UserState);    validate(_, valid_peer, UserState) ->         {valid, UserState}. @@ -337,3 +332,32 @@ new_trusteded_chain(DerCert, [_ | Rest]) ->      new_trusteded_chain(DerCert, Rest);  new_trusteded_chain(_, []) ->      unknown_ca. + +verify_hostname({fallback, Hostname}, Cert, UserState) when is_list(Hostname) -> +    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of +        true -> +            {valid, UserState}; +        false -> +            case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}]) of +                true -> +                    {valid, UserState}; +                false -> +                    {fail, {bad_cert, hostname_check_failed}} +            end +    end; + +verify_hostname({fallback, Hostname}, Cert, UserState) -> +    case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}]) of +        true -> +            {valid, UserState}; +        false -> +            {fail, {bad_cert, hostname_check_failed}} +    end; + +verify_hostname(Hostname, Cert, UserState) -> +    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of +        true -> +            {valid, UserState}; +        false -> +            {fail, {bad_cert, hostname_check_failed}} +    end. diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index b031d3d47b..2146a9272e 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -366,7 +366,7 @@ init({call, From}, {start, {Opts, EmOpts}, Timeout},  	    {stop_and_reply, normal, {reply, From, {error, Error}}}      end;  init({call, From}, Msg, State, Connection) -> -    handle_call(Msg, From, init, State, Connection); +    handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);  init(_Type, _Event, _State, _Connection) ->      {keep_state_and_data, [postpone]}. @@ -377,13 +377,13 @@ init(_Type, _Event, _State, _Connection) ->  		   gen_statem:state_function_result().  %%--------------------------------------------------------------------  hello({call, From}, Msg, State, Connection) -> -    handle_call(Msg, From, hello, State, Connection); +    handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);  hello(internal, {common_client_hello, Type, ServerHelloExt}, State, Connection) ->      do_server_hello(Type, ServerHelloExt, State, Connection);  hello(info, Msg, State, _) -> -    handle_info(Msg, hello, State); +    handle_info(Msg, ?FUNCTION_NAME, State);  hello(Type, Msg, State, Connection) -> -    handle_common_event(Type, Msg, hello, State, Connection). +    handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection).  %%--------------------------------------------------------------------  -spec abbreviated(gen_statem:event_type(), @@ -392,7 +392,7 @@ hello(Type, Msg, State, Connection) ->  			 gen_statem:state_function_result().  %%--------------------------------------------------------------------  abbreviated({call, From}, Msg, State, Connection) -> -    handle_call(Msg, From, abbreviated, State, Connection); +    handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);  abbreviated(internal, #finished{verify_data = Data} = Finished,  	    #state{role = server, @@ -412,7 +412,7 @@ abbreviated(internal, #finished{verify_data = Data} = Finished,  							      expecting_finished = false}, Connection),  	    Connection:next_event(connection, Record, State);  	#alert{} = Alert -> -	    handle_own_alert(Alert, Version, abbreviated, State0) +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0)      end;  abbreviated(internal, #finished{verify_data = Data} = Finished, @@ -428,11 +428,11 @@ abbreviated(internal, #finished{verify_data = Data} = Finished,  		ssl_record:set_server_verify_data(current_read, Data, ConnectionStates0),  	    {State1, Actions} =  		finalize_handshake(State0#state{connection_states = ConnectionStates1}, -				   abbreviated, Connection), +				   ?FUNCTION_NAME, Connection),  	    {Record, State} = prepare_connection(State1#state{expecting_finished = false}, Connection),  	    Connection:next_event(connection, Record, State, Actions);  	#alert{} = Alert -> -	    handle_own_alert(Alert, Version, abbreviated, State0) +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0)      end;  %% only allowed to send next_protocol message after change cipher spec @@ -442,20 +442,20 @@ abbreviated(internal, #next_protocol{selected_protocol = SelectedProtocol},  	    Connection) ->      {Record, State} =  	Connection:next_record(State0#state{negotiated_protocol = SelectedProtocol}), -    Connection:next_event(abbreviated, Record,  +    Connection:next_event(?FUNCTION_NAME, Record,   			  State#state{expecting_next_protocol_negotiation = false});  abbreviated(internal,   	    #change_cipher_spec{type = <<1>>},  #state{connection_states = ConnectionStates0} =  		State0, Connection) ->      ConnectionStates1 = -	ssl_record:activate_pending_connection_state(ConnectionStates0, read), +	ssl_record:activate_pending_connection_state(ConnectionStates0, read, Connection),      {Record, State} = Connection:next_record(State0#state{connection_states =   							      ConnectionStates1}), -    Connection:next_event(abbreviated, Record, State#state{expecting_finished = true}); +    Connection:next_event(?FUNCTION_NAME, Record, State#state{expecting_finished = true});  abbreviated(info, Msg, State, _) -> -    handle_info(Msg, abbreviated, State); +    handle_info(Msg, ?FUNCTION_NAME, State);  abbreviated(Type, Msg, State, Connection) -> -    handle_common_event(Type, Msg, abbreviated, State, Connection). +    handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection).  %%--------------------------------------------------------------------  -spec certify(gen_statem:event_type(), @@ -465,16 +465,16 @@ abbreviated(Type, Msg, State, Connection) ->  		     gen_statem:state_function_result().  %%--------------------------------------------------------------------  certify({call, From}, Msg, State, Connection) -> -    handle_call(Msg, From, certify, State, Connection); +    handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);  certify(info, Msg, State, _) -> -    handle_info(Msg, certify, State); +    handle_info(Msg, ?FUNCTION_NAME, State);  certify(internal, #certificate{asn1_certificates = []},  	#state{role = server, negotiated_version = Version,  	       ssl_options = #ssl_options{verify = verify_peer,  					  fail_if_no_peer_cert = true}} =  	    State, _) ->      Alert =  ?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE), -    handle_own_alert(Alert, Version, certify, State); +    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State);  certify(internal, #certificate{asn1_certificates = []},  	#state{role = server, @@ -483,7 +483,7 @@ certify(internal, #certificate{asn1_certificates = []},  	State0, Connection) ->      {Record, State} =   	Connection:next_record(State0#state{client_certificate_requested = false}), -    Connection:next_event(certify, Record, State); +    Connection:next_event(?FUNCTION_NAME, Record, State);  certify(internal, #certificate{},  	#state{role = server, @@ -491,22 +491,23 @@ certify(internal, #certificate{},  	       ssl_options = #ssl_options{verify = verify_none}} =  	    State, _) ->      Alert =  ?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE, unrequested_certificate), -    handle_own_alert(Alert, Version, certify, State); +    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State);  certify(internal, #certificate{} = Cert,          #state{negotiated_version = Version,  	       role = Role, +               host = Host,  	       cert_db = CertDbHandle,  	       cert_db_ref = CertDbRef,  	       crl_db = CRLDbInfo,  	       ssl_options = Opts} = State, Connection) ->      case ssl_handshake:certify(Cert, CertDbHandle, CertDbRef,  -			       Opts, CRLDbInfo, Role) of +			       Opts, CRLDbInfo, Role, Host) of          {PeerCert, PublicKeyInfo} ->  	    handle_peer_cert(Role, PeerCert, PublicKeyInfo,  			     State#state{client_certificate_requested = false}, Connection);  	#alert{} = Alert -> -            handle_own_alert(Alert, Version, certify, State) +            handle_own_alert(Alert, Version, ?FUNCTION_NAME, State)      end;  certify(internal, #server_key_exchange{exchange_keys = Keys}, @@ -538,7 +539,7 @@ certify(internal, #server_key_exchange{exchange_keys = Keys},  				     Connection);  		false ->  		    handle_own_alert(?ALERT_REC(?FATAL, ?DECRYPT_ERROR), -						Version, certify, State) +						Version, ?FUNCTION_NAME, State)  	    end      end; @@ -549,10 +550,10 @@ certify(internal, #certificate_request{} = CertRequest,  	       negotiated_version = Version} = State0, Connection) ->      case ssl_handshake:select_hashsign(CertRequest, Cert, SupportedHashSigns, ssl:tls_version(Version)) of  	#alert {} = Alert -> -	    handle_own_alert(Alert, Version, certify, State0); +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0);  	NegotiatedHashSign ->   	    {Record, State} = Connection:next_record(State0#state{client_certificate_requested = true}), -	    Connection:next_event(certify, Record, +	    Connection:next_event(?FUNCTION_NAME, Record,  				  State#state{cert_hashsign_algorithm = NegotiatedHashSign})      end; @@ -568,7 +569,7 @@ certify(internal, #server_hello_done{},    when Alg == psk ->      case ssl_handshake:premaster_secret({Alg, PSKIdentity}, PSKLookup) of  	#alert{} = Alert -> -	    handle_own_alert(Alert, Version, certify, State0); +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0);  	PremasterSecret ->  	    State = master_secret(PremasterSecret,  				  State0#state{premaster_secret = PremasterSecret}), @@ -589,7 +590,7 @@ certify(internal, #server_hello_done{},      case ssl_handshake:premaster_secret({Alg, PSKIdentity}, PSKLookup,   					RSAPremasterSecret) of  	#alert{} = Alert -> -	    handle_own_alert(Alert, Version, certify, State0); +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0);  	PremasterSecret ->  	    State = master_secret(PremasterSecret,   				  State0#state{premaster_secret = RSAPremasterSecret}), @@ -609,7 +610,7 @@ certify(internal, #server_hello_done{},  	    State = State0#state{connection_states = ConnectionStates},  	    client_certify_and_key_exchange(State, Connection);  	#alert{} = Alert -> -	    handle_own_alert(Alert, Version, certify, State0) +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0)      end;  %% Master secret is calculated from premaster_secret @@ -627,7 +628,7 @@ certify(internal, #server_hello_done{},  				 session = Session},  	    client_certify_and_key_exchange(State, Connection);  	#alert{} = Alert -> -	    handle_own_alert(Alert, Version, certify, State0) +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0)      end;  certify(internal = Type, #client_key_exchange{} = Msg, @@ -636,7 +637,7 @@ certify(internal = Type, #client_key_exchange{} = Msg,  	       ssl_options = #ssl_options{fail_if_no_peer_cert = true}} = State,   	Connection) ->      %% We expect a certificate here -    handle_common_event(Type, Msg, certify, State, Connection); +    handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection);  certify(internal, #client_key_exchange{exchange_keys = Keys},  	State = #state{key_algorithm = KeyAlg, negotiated_version = Version}, Connection) -> @@ -645,11 +646,11 @@ certify(internal, #client_key_exchange{exchange_keys = Keys},  				    State, Connection)      catch  	#alert{} = Alert -> -	    handle_own_alert(Alert, Version, certify, State) +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State)      end;  certify(Type, Msg, State, Connection) -> -    handle_common_event(Type, Msg, certify, State, Connection). +    handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection).  %%--------------------------------------------------------------------  -spec cipher(gen_statem:event_type(), @@ -658,10 +659,10 @@ certify(Type, Msg, State, Connection) ->  		    gen_statem:state_function_result().  %%--------------------------------------------------------------------  cipher({call, From}, Msg, State, Connection) -> -    handle_call(Msg, From, cipher, State, Connection); +    handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);  cipher(info, Msg, State, _) -> -    handle_info(Msg, cipher, State); +    handle_info(Msg, ?FUNCTION_NAME, State);  cipher(internal, #certificate_verify{signature = Signature,   				     hashsign_algorithm = CertHashSign}, @@ -680,10 +681,10 @@ cipher(internal, #certificate_verify{signature = Signature,  					  TLSVersion, HashSign, MasterSecret, Handshake) of  	valid ->  	    {Record, State} = Connection:next_record(State0), -	    Connection:next_event(cipher, Record, +	    Connection:next_event(?FUNCTION_NAME, Record,  				  State#state{cert_hashsign_algorithm = HashSign});  	#alert{} = Alert -> -	    handle_own_alert(Alert, Version, cipher, State0) +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0)      end;  %% client must send a next protocol message if we are expecting it @@ -691,7 +692,7 @@ cipher(internal, #finished{},         #state{role = server, expecting_next_protocol_negotiation = true,  	      negotiated_protocol = undefined, negotiated_version = Version} = State0,         _Connection) -> -    handle_own_alert(?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE), Version, cipher, State0); +    handle_own_alert(?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE), Version, ?FUNCTION_NAME, State0);  cipher(internal, #finished{verify_data = Data} = Finished,         #state{negotiated_version = Version, @@ -701,6 +702,7 @@ cipher(internal, #finished{verify_data = Data} = Finished,  	      expecting_finished = true,  	      session = #session{master_secret = MasterSecret}  	      = Session0, +              ssl_options = SslOpts,  	      connection_states = ConnectionStates0,  	      tls_handshake_history = Handshake0} = State, Connection) ->      case ssl_handshake:verify_connection(ssl:tls_version(Version), Finished, @@ -708,11 +710,11 @@ cipher(internal, #finished{verify_data = Data} = Finished,  					 get_current_prf(ConnectionStates0, read),  					 MasterSecret, Handshake0) of          verified -> -	    Session = register_session(Role, Host, Port, Session0), +	    Session = register_session(Role, host_id(Role, Host, SslOpts), Port, Session0),  	    cipher_role(Role, Data, Session,   			State#state{expecting_finished = false}, Connection);          #alert{} = Alert -> -	    handle_own_alert(Alert, Version, cipher, State) +	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State)      end;  %% only allowed to send next_protocol message after change cipher spec @@ -722,17 +724,17 @@ cipher(internal, #next_protocol{selected_protocol = SelectedProtocol},  	      expecting_finished = true} = State0, Connection) ->      {Record, State} =   	Connection:next_record(State0#state{negotiated_protocol = SelectedProtocol}), -    Connection:next_event(cipher, Record,  +    Connection:next_event(?FUNCTION_NAME, Record,   			  State#state{expecting_next_protocol_negotiation = false});  cipher(internal, #change_cipher_spec{type = <<1>>},  #state{connection_states = ConnectionStates0} =  	   State0, Connection) ->      ConnectionStates1 = -	ssl_record:activate_pending_connection_state(ConnectionStates0, read), +	ssl_record:activate_pending_connection_state(ConnectionStates0, read, Connection),      {Record, State} = Connection:next_record(State0#state{connection_states =   							      ConnectionStates1}), -    Connection:next_event(cipher, Record, State#state{expecting_finished = true}); +    Connection:next_event(?FUNCTION_NAME, Record, State#state{expecting_finished = true});  cipher(Type, Msg, State, Connection) -> -    handle_common_event(Type, Msg, cipher, State, Connection). +    handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection).  %%--------------------------------------------------------------------  -spec connection(gen_statem:event_type(), term(),  @@ -747,7 +749,7 @@ connection({call, From}, {application_data, Data},       try  	 write_application_data(Data, From, State)       catch throw:Error -> -	     hibernate_after(connection, State, [{reply, From, Error}]) +	     hibernate_after(?FUNCTION_NAME, State, [{reply, From, Error}])       end;  connection({call, RecvFrom}, {recv, N, Timeout},    	   #state{protocol_cb = Connection,  socket_options = @@ -755,34 +757,34 @@ connection({call, RecvFrom}, {recv, N, Timeout},      Timer = start_or_recv_cancel_timer(Timeout, RecvFrom),      Connection:passive_receive(State0#state{bytes_to_read = N,  					    start_or_recv_from = RecvFrom,  -					    timer = Timer}, connection); +					    timer = Timer}, ?FUNCTION_NAME);  connection({call, From}, renegotiate, #state{protocol_cb = Connection} = State,   	   Connection) ->      Connection:renegotiate(State#state{renegotiation = {true, From}}, []);  connection({call, From}, peer_certificate,   	   #state{session = #session{peer_certificate = Cert}} = State, _) -> -    hibernate_after(connection, State, [{reply, From,  {ok, Cert}}]);  +    hibernate_after(?FUNCTION_NAME, State, [{reply, From,  {ok, Cert}}]);   connection({call, From}, {connection_information, true}, State, _) ->      Info = connection_info(State) ++ security_info(State), -    hibernate_after(connection, State, [{reply, From, {ok, Info}}]); +    hibernate_after(?FUNCTION_NAME, State, [{reply, From, {ok, Info}}]);  connection({call, From}, {connection_information, false}, State, _) ->      Info = connection_info(State), -    hibernate_after(connection, State, [{reply, From, {ok, Info}}]); +    hibernate_after(?FUNCTION_NAME, State, [{reply, From, {ok, Info}}]);  connection({call, From}, negotiated_protocol,   	   #state{negotiated_protocol = undefined} = State, _) -> -    hibernate_after(connection, State, [{reply, From, {error, protocol_not_negotiated}}]); +    hibernate_after(?FUNCTION_NAME, State, [{reply, From, {error, protocol_not_negotiated}}]);  connection({call, From}, negotiated_protocol,   	   #state{negotiated_protocol = SelectedProtocol} = State, _) -> -    hibernate_after(connection, State, +    hibernate_after(?FUNCTION_NAME, State,  		    [{reply, From, {ok, SelectedProtocol}}]);  connection({call, From}, Msg, State, Connection) -> -    handle_call(Msg, From, connection, State, Connection); +    handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);  connection(info, Msg, State, _) -> -    handle_info(Msg, connection, State); +    handle_info(Msg, ?FUNCTION_NAME, State);  connection(internal, {recv, _}, State, Connection) -> -    Connection:passive_receive(State, connection); +    Connection:passive_receive(State, ?FUNCTION_NAME);  connection(Type, Msg, State, Connection) -> -    handle_common_event(Type, Msg, connection, State, Connection). +    handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection).  %%--------------------------------------------------------------------  -spec downgrade(gen_statem:event_type(), term(),  @@ -800,7 +802,7 @@ downgrade(timeout, downgrade, #state{downgrade = {_, From}} = State, _) ->      gen_statem:reply(From, {error, timeout}),      {stop, normal, State};  downgrade(Type, Event, State, Connection) -> -    handle_common_event(Type, Event, downgrade, State, Connection). +    handle_common_event(Type, Event, ?FUNCTION_NAME, State, Connection).  %%--------------------------------------------------------------------  %% Event handling functions called by state functions to handle @@ -1168,8 +1170,9 @@ handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert,      log_alert(SslOpts#ssl_options.log_alert,  Role,                Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),      gen_statem:reply(From, {error, renegotiation_rejected}), -    {Record, State} = Connection:next_record(State0), +    {Record, State1} = Connection:next_record(State0),      %% Go back to connection! +    State = Connection:reinit_handshake_data(State1#state{renegotiation = undefined}),      Connection:next_event(connection, Record, State);  %% Gracefully log and ignore all other warning alerts @@ -1721,7 +1724,7 @@ finalize_handshake(State0, StateName, Connection) ->      ConnectionStates =          ssl_record:activate_pending_connection_state(ConnectionStates0, -                                                     write), +                                                     write, Connection),      State2 = State1#state{connection_states = ConnectionStates},      State = next_protocol(State2, Connection), @@ -2096,6 +2099,11 @@ register_session(server, _, Port, #session{is_resumable = new} = Session0) ->  register_session(_, _, _, Session) ->      Session. %% Already registered +host_id(client, _Host, #ssl_options{server_name_indication = Hostname}) when is_list(Hostname) -> +    Hostname; +host_id(_, Host, _) -> +    Host. +  handle_new_session(NewId, CipherSuite, Compression,   		   #state{session = Session0,  			  protocol_cb = Connection} = State0) -> diff --git a/lib/ssl/src/ssl_crl_cache.erl b/lib/ssl/src/ssl_crl_cache.erl index 86c0207515..8817b0c884 100644 --- a/lib/ssl/src/ssl_crl_cache.erl +++ b/lib/ssl/src/ssl_crl_cache.erl @@ -94,7 +94,7 @@ delete({der, CRLs}) ->  delete(URI) ->      case http_uri:parse(URI) of  	{ok, {http, _, _ , _, Path,_}} ->  -	    ssl_manager:delete_crls(string:strip(Path, left, $/)); +	    ssl_manager:delete_crls(string:trim(Path, leading, "/"));  	_ ->  	    {error, {only_http_distribution_points_supported, URI}}      end. @@ -105,7 +105,7 @@ delete(URI) ->  do_insert(URI, CRLs) ->      case http_uri:parse(URI) of  	{ok, {http, _, _ , _, Path,_}} ->  -	    ssl_manager:insert_crls(string:strip(Path, left, $/), CRLs); +	    ssl_manager:insert_crls(string:trim(Path, leading, "/"), CRLs);  	_ ->  	    {error, {only_http_distribution_points_supported, URI}}      end. @@ -162,7 +162,7 @@ cache_lookup(_, undefined) ->      [];  cache_lookup(URL, {{Cache, _}, _}) ->      {ok, {_, _, _ , _, Path,_}} = http_uri:parse(URL),  -    case ssl_pkix_db:lookup(string:strip(Path, left, $/), Cache) of +    case ssl_pkix_db:lookup(string:trim(Path, leading, "/"), Cache) of  	undefined ->  	    [];  	CRLs -> diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index b1661624b5..0ee9ee3322 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -50,7 +50,7 @@  	 finished/5,  next_protocol/1]).  %% Handle handshake messages --export([certify/6, client_certificate_verify/6, certificate_verify/6, verify_signature/5, +-export([certify/7, client_certificate_verify/6, certificate_verify/6, verify_signature/5,  	 master_secret/4, server_key_exchange_hash/2, verify_connection/6,  	 init_handshake_history/0, update_handshake_history/3, verify_server_key/5  	]). @@ -389,21 +389,21 @@ verify_signature(_, Hash, {HashAlgo, _SignAlg}, Signature,  %%--------------------------------------------------------------------  -spec certify(#certificate{}, db_handle(), certdb_ref(), #ssl_options{}, term(), -	      client | server) ->  {der_cert(), public_key_info()} | #alert{}. +	      client | server, inet:hostname() | inet:ip_address()) ->  {der_cert(), public_key_info()} | #alert{}.  %%  %% Description: Handles a certificate handshake message  %%--------------------------------------------------------------------  certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef, -        Opts, CRLDbHandle, Role) ->     +        Opts, CRLDbHandle, Role, Host) ->     +    ServerName = server_name(Opts#ssl_options.server_name_indication, Host, Role),      [PeerCert | _] = ASN1Certs,             try  	{TrustedCert, CertPath}  =  	    ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbHandle, CertDbRef,                                                      Opts#ssl_options.partial_chain),          ValidationFunAndState = validation_fun_and_state(Opts#ssl_options.verify_fun, Role,  -                                                         CertDbHandle, CertDbRef,   -                                                         Opts#ssl_options.server_name_indication, +                                                         CertDbHandle, CertDbRef, ServerName,                                                           Opts#ssl_options.crl_check, CRLDbHandle, CertPath),  	case public_key:pkix_path_validation(TrustedCert,  					     CertPath, @@ -1528,6 +1528,8 @@ select_shared_curve([Curve | Rest], Curves) ->  sni(undefined) ->      undefined; +sni(disable) -> +    undefined;  sni(Hostname) ->      #sni{hostname = Hostname}. @@ -2353,3 +2355,9 @@ available_signature_algs(#hash_sign_algos{hash_sign_algos = ClientHashSigns}, Su  available_signature_algs(_, _, _, _) ->       undefined. +server_name(_, _, server) -> +    undefined; %% Not interesting to check your own name. +server_name(undefined, Host, client) -> +    {fallback, Host}; %% Fallback to Host argument to connect +server_name(SNI, _, client) -> +    SNI. %% If Server Name Indication is available diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl index 62c2ffce8b..003ad4994b 100644 --- a/lib/ssl/src/ssl_record.erl +++ b/lib/ssl/src/ssl_record.erl @@ -31,7 +31,7 @@  %% Connection state handling  -export([initial_security_params/1, current_connection_state/2, pending_connection_state/2, -	 activate_pending_connection_state/2, +	 activate_pending_connection_state/3,  	 set_security_params/3,           set_mac_secret/4,  	 set_master_secret/2, @@ -83,7 +83,7 @@ pending_connection_state(ConnectionStates, write) ->      maps:get(pending_write, ConnectionStates).  %%-------------------------------------------------------------------- --spec activate_pending_connection_state(connection_states(), read | write) -> +-spec activate_pending_connection_state(connection_states(), read | write, tls_connection | dtls_connection) ->  					       connection_states().  %%  %% Description: Creates a new instance of the connection_states record @@ -91,13 +91,13 @@ pending_connection_state(ConnectionStates, write) ->  %%--------------------------------------------------------------------  activate_pending_connection_state(#{current_read := Current,  				    pending_read := Pending} = States, -                                  read) -> +                                  read, Connection) ->      #{secure_renegotiation := SecureRenegotation} = Current,      #{beast_mitigation := BeastMitigation,        security_parameters := SecParams} = Pending,      NewCurrent = Pending#{sequence_number => 0},      ConnectionEnd = SecParams#security_parameters.connection_end, -    EmptyPending = empty_connection_state(ConnectionEnd, BeastMitigation), +    EmptyPending = Connection:empty_connection_state(ConnectionEnd, BeastMitigation),      NewPending = EmptyPending#{secure_renegotiation => SecureRenegotation},      States#{current_read => NewCurrent,  	    pending_read => NewPending @@ -105,13 +105,13 @@ activate_pending_connection_state(#{current_read := Current,  activate_pending_connection_state(#{current_write := Current,  				    pending_write := Pending} = States, -                                  write) -> +                                  write, Connection) ->      NewCurrent = Pending#{sequence_number => 0},      #{secure_renegotiation := SecureRenegotation} = Current,      #{beast_mitigation := BeastMitigation,        security_parameters := SecParams} = Pending,      ConnectionEnd = SecParams#security_parameters.connection_end, -    EmptyPending = empty_connection_state(ConnectionEnd, BeastMitigation), +    EmptyPending = Connection:empty_connection_state(ConnectionEnd, BeastMitigation),      NewPending = EmptyPending#{secure_renegotiation => SecureRenegotation},      States#{current_write => NewCurrent,  	    pending_write => NewPending diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl index e3ffbea3d3..ccda58e0a9 100644 --- a/lib/ssl/src/tls_connection.erl +++ b/lib/ssl/src/tls_connection.erl @@ -53,7 +53,7 @@  %% Handshake handling  -export([renegotiate/2, send_handshake/2,   	 queue_handshake/2, queue_change_cipher/2, -	 reinit_handshake_data/1,  select_sni_extension/1]). +	 reinit_handshake_data/1,  select_sni_extension/1, empty_connection_state/2]).  %% Alert and close handling  -export([send_alert/2, close/5, protocol_name/0]). @@ -152,6 +152,9 @@ select_sni_extension(#client_hello{extensions = HelloExtensions}) ->  select_sni_extension(_) ->      undefined. +empty_connection_state(ConnectionEnd, BeastMitigation) -> +    ssl_record:empty_connection_state(ConnectionEnd, BeastMitigation). +  encode_data(Data, Version, ConnectionStates0)->      tls_record:encode_data(Data, Version, ConnectionStates0). @@ -241,7 +244,7 @@ init({call, From}, {start, Timeout},      {Record, State} = next_record(State1),      next_event(hello, Record, State);  init(Type, Event, State) -> -    gen_handshake(ssl_connection, init, Type, Event, State). +    gen_handshake(ssl_connection, ?FUNCTION_NAME, Type, Event, State).  %%--------------------------------------------------------------------  -spec error(gen_statem:event_type(), @@ -252,7 +255,7 @@ init(Type, Event, State) ->  error({call, From}, {start, _Timeout}, {Error, State}) ->      {stop_and_reply, normal, {reply, From, {error, Error}}, State};  error({call, From}, Msg, State) -> -    handle_call(Msg, From, error, State); +    handle_call(Msg, From, ?FUNCTION_NAME, State);  error(_, _, _) ->       {keep_state_and_data, [postpone]}. @@ -304,36 +307,36 @@ hello(internal, #server_hello{} = Hello,  					  Version, NewId, ConnectionStates, ProtoExt, Protocol, State)      end;  hello(info, Event, State) -> -    gen_info(Event, hello, State); +    gen_info(Event, ?FUNCTION_NAME, State);  hello(Type, Event, State) -> -    gen_handshake(ssl_connection, hello, Type, Event, State). +    gen_handshake(ssl_connection, ?FUNCTION_NAME, Type, Event, State).  %%--------------------------------------------------------------------  -spec abbreviated(gen_statem:event_type(), term(), #state{}) ->  			 gen_statem:state_function_result().  %%--------------------------------------------------------------------  abbreviated(info, Event, State) -> -    gen_info(Event, abbreviated, State); +    gen_info(Event, ?FUNCTION_NAME, State);  abbreviated(Type, Event, State) -> -    gen_handshake(ssl_connection, abbreviated, Type, Event, State). +    gen_handshake(ssl_connection, ?FUNCTION_NAME, Type, Event, State).  %%--------------------------------------------------------------------  -spec certify(gen_statem:event_type(), term(), #state{}) ->  		     gen_statem:state_function_result().  %%--------------------------------------------------------------------  certify(info, Event, State) -> -    gen_info(Event, certify, State); +    gen_info(Event, ?FUNCTION_NAME, State);  certify(Type, Event, State) -> -    gen_handshake(ssl_connection, certify, Type, Event, State). +    gen_handshake(ssl_connection, ?FUNCTION_NAME, Type, Event, State).  %%--------------------------------------------------------------------  -spec cipher(gen_statem:event_type(), term(), #state{}) ->  		    gen_statem:state_function_result().  %%--------------------------------------------------------------------  cipher(info, Event, State) -> -    gen_info(Event, cipher, State); +    gen_info(Event, ?FUNCTION_NAME, State);  cipher(Type, Event, State) -> -     gen_handshake(ssl_connection, cipher, Type, Event, State). +     gen_handshake(ssl_connection, ?FUNCTION_NAME, Type, Event, State).  %%--------------------------------------------------------------------  -spec connection(gen_statem:event_type(),   @@ -341,7 +344,7 @@ cipher(Type, Event, State) ->  			gen_statem:state_function_result().  %%--------------------------------------------------------------------  connection(info, Event, State) -> -    gen_info(Event, connection, State); +    gen_info(Event, ?FUNCTION_NAME, State);  connection(internal, #hello_request{},  	   #state{role = client, host = Host, port = Port,  		  session = #session{own_certificate = Cert} = Session0, @@ -373,16 +376,16 @@ connection(internal, #client_hello{},      Alert = ?ALERT_REC(?WARNING, ?NO_RENEGOTIATION),      State1 = send_alert(Alert, State0),      {Record, State} = ssl_connection:prepare_connection(State1, ?MODULE), -    next_event(connection, Record, State); +    next_event(?FUNCTION_NAME, Record, State);  connection(Type, Event, State) -> -    ssl_connection:connection(Type, Event, State, ?MODULE). +    ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).  %%--------------------------------------------------------------------  -spec downgrade(gen_statem:event_type(), term(), #state{}) ->  		       gen_statem:state_function_result().  %%--------------------------------------------------------------------  downgrade(Type, Event, State) -> -     ssl_connection:downgrade(Type, Event, State, ?MODULE). +     ssl_connection:?FUNCTION_NAME(Type, Event, State, ?MODULE).  %%--------------------------------------------------------------------  %% Event handling functions called by state functions to handle diff --git a/lib/ssl/src/tls_socket.erl b/lib/ssl/src/tls_socket.erl index e76d9c100a..453a908401 100644 --- a/lib/ssl/src/tls_socket.erl +++ b/lib/ssl/src/tls_socket.erl @@ -27,7 +27,7 @@  -export([send/3, listen/3, accept/3, socket/5, connect/4, upgrade/3,  	 setopts/3, getopts/3, getstat/3, peername/2, sockname/2, port/2]).  -export([split_options/1, get_socket_opts/3]). --export([emulated_options/0, internal_inet_values/0, default_inet_values/0, +-export([emulated_options/0, emulated_options/1, internal_inet_values/0, default_inet_values/0,  	 init/1, start_link/3, terminate/2, inherit_tracker/3,   	 emulated_socket_options/2, get_emulated_opts/1,   	 set_emulated_opts/2, get_all_opts/1, handle_call/3, handle_cast/2, @@ -170,6 +170,9 @@ port(Transport, Socket) ->  emulated_options() ->      [mode, packet, active, header, packet_size]. +emulated_options(Opts) -> +      emulated_options(Opts, internal_inet_values(), default_inet_values()). +  internal_inet_values() ->      [{packet_size,0}, {packet, 0}, {header, 0}, {active, false}, {mode,binary}]. @@ -328,3 +331,41 @@ emulated_socket_options(InetValues, #socket_options{         packet = proplists:get_value(packet, InetValues, Packet),         packet_size = proplists:get_value(packet_size, InetValues, Size)        }. + +emulated_options([{mode, Value} = Opt |Opts], Inet, Emulated) -> +    validate_inet_option(mode, Value), +    emulated_options(Opts, Inet, [Opt | proplists:delete(mode, Emulated)]); +emulated_options([{header, Value} = Opt | Opts], Inet, Emulated) -> +    validate_inet_option(header, Value), +    emulated_options(Opts, Inet,  [Opt | proplists:delete(header, Emulated)]); +emulated_options([{active, Value} = Opt |Opts], Inet, Emulated) -> +    validate_inet_option(active, Value), +    emulated_options(Opts, Inet, [Opt | proplists:delete(active, Emulated)]); +emulated_options([{packet, Value} = Opt |Opts], Inet, Emulated) -> +    validate_inet_option(packet, Value), +    emulated_options(Opts, Inet, [Opt | proplists:delete(packet, Emulated)]); +emulated_options([{packet_size, Value} = Opt | Opts], Inet, Emulated) -> +    validate_inet_option(packet_size, Value), +    emulated_options(Opts, Inet, [Opt | proplists:delete(packet_size, Emulated)]); +emulated_options([Opt|Opts], Inet, Emulated) -> +    emulated_options(Opts, [Opt|Inet], Emulated); +emulated_options([], Inet,Emulated) -> +    {Inet, Emulated}. + +validate_inet_option(mode, Value) +  when Value =/= list, Value =/= binary -> +    throw({error, {options, {mode,Value}}}); +validate_inet_option(packet, Value) +  when not (is_atom(Value) orelse is_integer(Value)) -> +    throw({error, {options, {packet,Value}}}); +validate_inet_option(packet_size, Value) +  when not is_integer(Value) -> +    throw({error, {options, {packet_size,Value}}}); +validate_inet_option(header, Value) +  when not is_integer(Value) -> +    throw({error, {options, {header,Value}}}); +validate_inet_option(active, Value) +  when Value =/= true, Value =/= false, Value =/= once -> +    throw({error, {options, {active,Value}}}); +validate_inet_option(_, _) -> +    ok. | 
