diff options
Diffstat (limited to 'lib/ssl')
| -rw-r--r-- | lib/ssl/doc/src/ssl.xml | 4 | ||||
| -rw-r--r-- | lib/ssl/src/ssl.erl | 54 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_certificate.erl | 54 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_certificate_db.erl | 49 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_connection.erl | 142 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 44 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_internal.hrl | 4 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_manager.erl | 50 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_record.erl | 16 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_session.erl | 6 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_session_cache.erl | 16 | ||||
| -rw-r--r-- | lib/ssl/test/Makefile | 4 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_basic_SUITE.erl | 307 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_session_cache_SUITE.erl | 56 | ||||
| -rw-r--r-- | lib/ssl/vsn.mk | 2 | 
15 files changed, 609 insertions, 199 deletions
| diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 0da6bbee5b..566068beaf 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -480,7 +480,6 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |      </func>      <func> -      <name>getopts(Socket) -> </name>        <name>getopts(Socket, OptionNames) ->  	{ok, [socketoption()]} | {error, Reason}</name>        <fsummary>Get the value of the specified options.</fsummary> @@ -489,8 +488,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |  	<v>OptionNames = [atom()]</v>        </type>        <desc> -	<p>Get the value of the specified socket options, if no -	  options are specified all options are returned. +	<p>Get the value of the specified socket options.  	</p>        </desc>      </func> diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index a5e8e7e5c2..a0aedbbbee 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -112,7 +112,7 @@ connect(Socket, SslOptions) when is_port(Socket) ->  connect(Socket, SslOptions0, Timeout) when is_port(Socket) ->      EmulatedOptions = emulated_options(),      {ok, InetValues} = inet:getopts(Socket, EmulatedOptions), -    inet:setopts(Socket, internal_inet_values()),  +    ok = inet:setopts(Socket, internal_inet_values()),      try handle_options(SslOptions0 ++ InetValues, client) of  	{ok, #config{cb=CbInfo, ssl=SslOptions, emulated=EmOpts}} ->  	    case inet:peername(Socket) of @@ -238,7 +238,7 @@ ssl_accept(#sslsocket{} = Socket, Timeout)  ->  ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket) ->       EmulatedOptions = emulated_options(),      {ok, InetValues} = inet:getopts(Socket, EmulatedOptions), -    inet:setopts(Socket, internal_inet_values()),  +    ok = inet:setopts(Socket, internal_inet_values()),      try handle_options(SslOptions ++ InetValues, server) of  	{ok, #config{cb=CbInfo,ssl=SslOpts, emulated=EmOpts}} ->  	    {ok, Port} = inet:port(Socket), @@ -406,25 +406,51 @@ cipher_suites(openssl) ->  %%   %% Description: Gets options  %%-------------------------------------------------------------------- -getopts(#sslsocket{fd = new_ssl, pid = Pid}, OptTags) when is_pid(Pid) -> -    ssl_connection:get_opts(Pid, OptTags); -getopts(#sslsocket{fd = new_ssl, pid = {ListenSocket, _}}, OptTags) -> -    inet:getopts(ListenSocket, OptTags); -getopts(#sslsocket{} = Socket, Options) -> +getopts(#sslsocket{fd = new_ssl, pid = Pid}, OptionTags) when is_pid(Pid), is_list(OptionTags) -> +    ssl_connection:get_opts(Pid, OptionTags); +getopts(#sslsocket{fd = new_ssl, pid = {ListenSocket, _}}, OptionTags) when is_list(OptionTags) -> +    try inet:getopts(ListenSocket, OptionTags) of +	{ok, _} = Result -> +	    Result; +	{error, InetError} -> +	    {error, {eoptions, {inet_options, OptionTags, InetError}}} +    catch +	_:_ -> +	    {error, {eoptions, {inet_options, OptionTags}}} +    end; +getopts(#sslsocket{fd = new_ssl}, OptionTags) -> +    {error, {eoptions, {inet_options, OptionTags}}}; +getopts(#sslsocket{} = Socket, OptionTags) ->      ensure_old_ssl_started(), -    ssl_broker:getopts(Socket, Options). +    ssl_broker:getopts(Socket, OptionTags).  %%--------------------------------------------------------------------  -spec setopts(#sslsocket{},  [proplists:property()]) -> ok | {error, reason()}.  %%   %% Description: Sets options  %%-------------------------------------------------------------------- -setopts(#sslsocket{fd = new_ssl, pid = Pid}, Opts0) when is_pid(Pid) -> -    Opts = proplists:expand([{binary, [{mode, binary}]}, -			     {list, [{mode, list}]}], Opts0), -    ssl_connection:set_opts(Pid, Opts); -setopts(#sslsocket{fd = new_ssl, pid = {ListenSocket, _}}, OptTags) -> -    inet:setopts(ListenSocket, OptTags); +setopts(#sslsocket{fd = new_ssl, pid = Pid}, Options0) when is_pid(Pid), is_list(Options0)  -> +    try proplists:expand([{binary, [{mode, binary}]}, +			  {list, [{mode, list}]}], Options0) of +	Options -> +	    ssl_connection:set_opts(Pid, Options) +    catch +	_:_ -> +	    {error, {eoptions, {not_a_proplist, Options0}}} +    end; + +setopts(#sslsocket{fd = new_ssl, pid = {ListenSocket, _}}, Options) when is_list(Options) -> +    try inet:setopts(ListenSocket, Options) of +	ok -> +	    ok; +	{error, InetError} -> +	    {error, {eoptions, {inet_options, Options, InetError}}} +    catch +	_:Error -> +	    {error, {eoptions, {inet_options, Options, Error}}} +    end; +setopts(#sslsocket{fd = new_ssl}, Options) -> +    {error, {eoptions,{not_a_proplist, Options}}};  setopts(#sslsocket{} = Socket, Options) ->      ensure_old_ssl_started(),      ssl_broker:setopts(Socket, Options). diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index 8c0c2bfa5d..422ea6404b 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2007-2010. All Rights Reserved. +%% Copyright Ericsson AB 2007-2011. All Rights Reserved.  %%  %% The contents of this file are subject to the Erlang Public License,  %% Version 1.1, (the "License"); you may not use this file except in @@ -30,9 +30,9 @@  -include("ssl_internal.hrl").  -include_lib("public_key/include/public_key.hrl").  --export([trusted_cert_and_path/2, -	 certificate_chain/2,  -	 file_to_certificats/1, +-export([trusted_cert_and_path/3, +	 certificate_chain/3, +	 file_to_certificats/2,  	 validate_extension/3,  	 is_valid_extkey_usage/2,  	 is_valid_key_usage/2, @@ -46,14 +46,14 @@  %%====================================================================  %%-------------------------------------------------------------------- --spec trusted_cert_and_path([der_cert()], certdb_ref()) -> +-spec trusted_cert_and_path([der_cert()], db_handle(), certdb_ref()) ->  				   {der_cert() | unknown_ca, [der_cert()]}.  %%  %% Description: Extracts the root cert (if not presents tries to   %% look it up, if not found {bad_cert, unknown_ca} will be added verification  %% errors. Returns {RootCert, Path, VerifyErrors}  %%-------------------------------------------------------------------- -trusted_cert_and_path(CertChain, CertDbRef) -> +trusted_cert_and_path(CertChain, CertDbHandle, CertDbRef) ->      Path = [Cert | _] = lists:reverse(CertChain),      OtpCert = public_key:pkix_decode_cert(Cert, otp),      SignedAndIssuerID = @@ -66,7 +66,7 @@ trusted_cert_and_path(CertChain, CertDbRef) ->  		    {ok, IssuerId} ->  			{other, IssuerId};  		    {error, issuer_not_found} -> -			case find_issuer(OtpCert, no_candidate) of +			case find_issuer(OtpCert, no_candidate, CertDbHandle) of  			    {ok, IssuerId} ->  				{other, IssuerId};  			    Other -> @@ -82,7 +82,7 @@ trusted_cert_and_path(CertChain, CertDbRef) ->  	{self, _} when length(Path) == 1 ->  	    {selfsigned_peer, Path};  	{_ ,{SerialNr, Issuer}} -> -	    case ssl_manager:lookup_trusted_cert(CertDbRef, SerialNr, Issuer) of +	    case ssl_manager:lookup_trusted_cert(CertDbHandle, CertDbRef, SerialNr, Issuer) of  		{ok, {BinCert,_}} ->  		    {BinCert, Path};  		_ -> @@ -92,23 +92,23 @@ trusted_cert_and_path(CertChain, CertDbRef) ->      end.  %%-------------------------------------------------------------------- --spec certificate_chain(undefined | binary(), certdb_ref()) ->  +-spec certificate_chain(undefined | binary(), db_handle(), certdb_ref()) ->  			  {error, no_cert} | {ok, [der_cert()]}.  %%  %% Description: Return the certificate chain to send to peer.  %%-------------------------------------------------------------------- -certificate_chain(undefined, _CertsDbRef) -> +certificate_chain(undefined, _, _) ->      {error, no_cert}; -certificate_chain(OwnCert, CertsDbRef) -> +certificate_chain(OwnCert, CertDbHandle, CertsDbRef) ->      ErlCert = public_key:pkix_decode_cert(OwnCert, otp), -    certificate_chain(ErlCert, OwnCert, CertsDbRef, [OwnCert]). +    certificate_chain(ErlCert, OwnCert, CertDbHandle, CertsDbRef, [OwnCert]).  %%-------------------------------------------------------------------- --spec file_to_certificats(string()) -> [der_cert()]. +-spec file_to_certificats(string(), term()) -> [der_cert()].  %%  %% Description: Return list of DER encoded certificates.  %%-------------------------------------------------------------------- -file_to_certificats(File) ->  -    {ok, List} = ssl_manager:cache_pem_file(File), +file_to_certificats(File, DbHandle) -> +    {ok, List} = ssl_manager:cache_pem_file(File, DbHandle),      [Bin || {'Certificate', Bin, not_encrypted} <- List].  %%--------------------------------------------------------------------  -spec validate_extension(term(), #'Extension'{} | {bad_cert, atom()} | valid, @@ -180,7 +180,7 @@ signature_type(?'id-dsa-with-sha1') ->  %%--------------------------------------------------------------------  %%% Internal functions  %%-------------------------------------------------------------------- -certificate_chain(OtpCert, _Cert, CertsDbRef, Chain) ->     +certificate_chain(OtpCert, _Cert, CertDbHandle, CertsDbRef, Chain) ->      IssuerAndSelfSigned =   	case public_key:pkix_is_self_signed(OtpCert) of  	    true -> @@ -191,11 +191,11 @@ certificate_chain(OtpCert, _Cert, CertsDbRef, Chain) ->      case IssuerAndSelfSigned of   	{_, true = SelfSigned} -> -	    certificate_chain(CertsDbRef, Chain, ignore, ignore, SelfSigned); +	    certificate_chain(CertDbHandle, CertsDbRef, Chain, ignore, ignore, SelfSigned);  	{{error, issuer_not_found}, SelfSigned} -> -	    case find_issuer(OtpCert, no_candidate) of +	    case find_issuer(OtpCert, no_candidate, CertDbHandle) of  		{ok, {SerialNr, Issuer}} -> -		    certificate_chain(CertsDbRef, Chain,  +		    certificate_chain(CertDbHandle, CertsDbRef, Chain,  				      SerialNr, Issuer, SelfSigned);  		_ ->  		    %% Guess the the issuer must be the root @@ -205,19 +205,19 @@ certificate_chain(OtpCert, _Cert, CertsDbRef, Chain) ->  		    {ok, lists:reverse(Chain)}  	    end;  	{{ok, {SerialNr, Issuer}}, SelfSigned} ->  -	    certificate_chain(CertsDbRef, Chain, SerialNr, Issuer, SelfSigned) +	    certificate_chain(CertDbHandle, CertsDbRef, Chain, SerialNr, Issuer, SelfSigned)      end. -certificate_chain(_CertsDbRef, Chain, _SerialNr, _Issuer, true) -> +certificate_chain(_,_, Chain, _SerialNr, _Issuer, true) ->      {ok, lists:reverse(Chain)}; -certificate_chain(CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned) -> -    case ssl_manager:lookup_trusted_cert(CertsDbRef,  +certificate_chain(CertDbHandle, CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned) -> +    case ssl_manager:lookup_trusted_cert(CertDbHandle, CertsDbRef,  						SerialNr, Issuer) of  	{ok, {IssuerCert, ErlCert}} ->  	    ErlCert = public_key:pkix_decode_cert(IssuerCert, otp),  	    certificate_chain(ErlCert, IssuerCert,  -			      CertsDbRef, [IssuerCert | Chain]); +			      CertDbHandle, CertsDbRef, [IssuerCert | Chain]);  	_ ->  	    %% The trusted cert may be obmitted from the chain as the  	    %% counter part needs to have it anyway to be able to @@ -227,8 +227,8 @@ certificate_chain(CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned) ->  	    {ok, lists:reverse(Chain)}		            end. -find_issuer(OtpCert, PrevCandidateKey) -> -    case ssl_manager:issuer_candidate(PrevCandidateKey) of +find_issuer(OtpCert, PrevCandidateKey, CertDbHandle) -> +    case ssl_manager:issuer_candidate(PrevCandidateKey, CertDbHandle) of   	no_more_candidates ->   	    {error, issuer_not_found};   	{Key, {_Cert, ErlCertCandidate}} -> @@ -236,7 +236,7 @@ find_issuer(OtpCert, PrevCandidateKey) ->  		true ->  		    public_key:pkix_issuer_id(ErlCertCandidate, self);  		false -> -		    find_issuer(OtpCert, Key) +		    find_issuer(OtpCert, Key, CertDbHandle)  	    end      end. diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl index 3eceefa304..0560a02110 100644 --- a/lib/ssl/src/ssl_certificate_db.erl +++ b/lib/ssl/src/ssl_certificate_db.erl @@ -26,8 +26,8 @@  -include_lib("public_key/include/public_key.hrl").  -export([create/0, remove/1, add_trusted_certs/3,  -	 remove_trusted_certs/2, lookup_trusted_cert/3, issuer_candidate/1, -	 lookup_cached_certs/1, cache_pem_file/4, uncache_pem_file/2, lookup/2]). +	 remove_trusted_certs/2, lookup_trusted_cert/4, issuer_candidate/2, +	 lookup_cached_certs/2, cache_pem_file/4, uncache_pem_file/2, lookup/2]).  -type time()      :: {non_neg_integer(), non_neg_integer(), non_neg_integer()}. @@ -36,19 +36,19 @@  %%====================================================================  %%-------------------------------------------------------------------- --spec create() -> certdb_ref(). +-spec create() -> [db_handle()].  %%   %% Description: Creates a new certificate db. -%% Note: lookup_trusted_cert/3 may be called from any process but only +%% Note: lookup_trusted_cert/4 may be called from any process but only  %% the process that called create may call the other functions.  %%--------------------------------------------------------------------  create() -> -    [ets:new(certificate_db_name(), [named_table, set, protected]), -     ets:new(ssl_file_to_ref, [named_table, set, protected]), +    [ets:new(ssl_otp_certificate_db, [set, protected]), +     ets:new(ssl_file_to_ref, [set, protected]),       ets:new(ssl_pid_to_file, [bag, private])].   %%-------------------------------------------------------------------- --spec remove(certdb_ref()) -> term(). +-spec remove([db_handle()]) -> term().  %%  %% Description: Removes database db    %%-------------------------------------------------------------------- @@ -56,7 +56,7 @@ remove(Dbs) ->      lists:foreach(fun(Db) -> true = ets:delete(Db) end, Dbs).  %%-------------------------------------------------------------------- --spec lookup_trusted_cert(reference(), serialnumber(), issuer()) ->  +-spec lookup_trusted_cert(db_handle(), certdb_ref(), serialnumber(), issuer()) ->  				 undefined | {ok, {der_cert(), #'OTPCertificate'{}}}.  %% @@ -64,19 +64,19 @@ remove(Dbs) ->  %% <SerialNumber, Issuer>. Ref is used as it is specified    %% for each connection which certificates are trusted.  %%-------------------------------------------------------------------- -lookup_trusted_cert(Ref, SerialNumber, Issuer) -> -    case lookup({Ref, SerialNumber, Issuer}, certificate_db_name()) of +lookup_trusted_cert(DbHandle, Ref, SerialNumber, Issuer) -> +    case lookup({Ref, SerialNumber, Issuer}, DbHandle) of  	undefined ->  	    undefined;  	[Certs] ->  	    {ok, Certs}      end. -lookup_cached_certs(File) -> -    ets:lookup(certificate_db_name(), {file, File}). +lookup_cached_certs(DbHandle, File) -> +    ets:lookup(DbHandle, {file, File}).  %%-------------------------------------------------------------------- --spec add_trusted_certs(pid(), string() | {der, list()}, certdb_ref()) -> {ok, certdb_ref()}. +-spec add_trusted_certs(pid(), string() | {der, list()}, [db_handle()]) -> {ok, [db_handle()]}.  %%  %% Description: Adds the trusted certificates from file <File> to the  %% runtime database. Returns Ref that should be handed to lookup_trusted_cert @@ -100,7 +100,7 @@ add_trusted_certs(Pid, File, [CertsDb, FileToRefDb, PidToFileDb]) ->      insert(Pid, File, PidToFileDb),      {ok, Ref}.  %%-------------------------------------------------------------------- --spec cache_pem_file(pid(), string(), time(), certdb_ref()) -> term(). +-spec cache_pem_file(pid(), string(), time(), [db_handle()]) -> term().  %%  %% Description: Cache file as binary in DB  %%-------------------------------------------------------------------- @@ -112,7 +112,7 @@ cache_pem_file(Pid, File, Time, [CertsDb, _FileToRefDb, PidToFileDb]) ->      {ok, Content}.  %-------------------------------------------------------------------- --spec uncache_pem_file(string(), certdb_ref()) -> no_return(). +-spec uncache_pem_file(string(), [db_handle()]) -> no_return().  %%  %% Description: If a cached file is no longer valid (changed on disk)  %% we must terminate the connections using the old file content, and @@ -130,7 +130,7 @@ uncache_pem_file(File, [_CertsDb, _FileToRefDb, PidToFileDb]) ->  %%-------------------------------------------------------------------- --spec remove_trusted_certs(pid(), certdb_ref()) -> term(). +-spec remove_trusted_certs(pid(), [db_handle()]) -> term().  %%  %% Description: Removes trusted certs originating from  @@ -161,7 +161,7 @@ remove_trusted_certs(Pid, [CertsDb, FileToRefDb, PidToFileDb]) ->      end.  %%-------------------------------------------------------------------- --spec issuer_candidate(no_candidate | cert_key() | {file, term()}) ->  +-spec issuer_candidate(no_candidate | cert_key() | {file, term()}, term()) ->  			      {cert_key(),{der_cert(), #'OTPCertificate'{}}} | no_more_candidates.  %%  %% Description: If a certificat does not define its issuer through @@ -169,32 +169,30 @@ remove_trusted_certs(Pid, [CertsDb, FileToRefDb, PidToFileDb]) ->  %%              try to find the issuer in the database over known  %%              certificates.   %%-------------------------------------------------------------------- -issuer_candidate(no_candidate) -> -    Db = certificate_db_name(), +issuer_candidate(no_candidate, Db) ->      case ets:first(Db) of   	'$end_of_table' ->   	    no_more_candidates;  	{file, _} = Key -> -	    issuer_candidate(Key); +	    issuer_candidate(Key, Db);   	Key ->  	    [Cert] = lookup(Key, Db),   	    {Key, Cert}      end; -issuer_candidate(PrevCandidateKey) ->	     -    Db = certificate_db_name(), +issuer_candidate(PrevCandidateKey, Db) ->      case ets:next(Db, PrevCandidateKey) of   	'$end_of_table' ->   	    no_more_candidates;  	{file, _} = Key -> -	    issuer_candidate(Key); +	    issuer_candidate(Key, Db);   	Key ->  	    [Cert] = lookup(Key, Db),   	    {Key, Cert}      end.  %%-------------------------------------------------------------------- --spec lookup(term(), term()) -> term() | undefined. +-spec lookup(term(), db_handle()) -> term() | undefined.  %%  %% Description: Looks up an element in a certificat <Db>.  %%-------------------------------------------------------------------- @@ -212,9 +210,6 @@ lookup(Key, Db) ->  %%--------------------------------------------------------------------  %%% Internal functions  %%-------------------------------------------------------------------- -certificate_db_name() -> -    ssl_otp_certificate_db. -  insert(Key, Data, Db) ->      true = ets:insert(Db, {Key, Data}). diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 2c452837f8..21b021afb0 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -70,6 +70,7 @@  	  %% {{md5_hash, sha_hash}, {prev_md5, prev_sha}} (binary())            tls_handshake_hashes, % see above             tls_cipher_texts,     % list() received but not deciphered yet +	  cert_db,              %            session,              % #session{} from ssl_handshake.hrl  	  session_cache,        %   	  session_cache_cb,     % @@ -305,12 +306,13 @@ init([Role, Host, Port, Socket, {SSLOpts0, _} = Options,      Hashes0 = ssl_handshake:init_hashes(),          try ssl_init(SSLOpts0, Role) of -	{ok, Ref, CacheRef, OwnCert, Key, DHParams} ->	    +	{ok, Ref, CertDbHandle, CacheHandle, OwnCert, Key, DHParams} ->  	    Session = State0#state.session,  	    State = State0#state{tls_handshake_hashes = Hashes0,  				 session = Session#session{own_certificate = OwnCert},  				 cert_db_ref = Ref, -				 session_cache = CacheRef, +				 cert_db = CertDbHandle, +				 session_cache = CacheHandle,  				 private_key = Key,  				 diffie_hellman_params = DHParams},  	    {ok, hello, State, get_timeout(State)} @@ -500,9 +502,10 @@ certify(#certificate{asn1_certificates = []},  certify(#certificate{} = Cert,           #state{negotiated_version = Version,  	       role = Role, +	       cert_db = CertDbHandle,  	       cert_db_ref = CertDbRef,  	       ssl_options = Opts} = State) -> -    case ssl_handshake:certify(Cert, CertDbRef, Opts#ssl_options.depth,  +    case ssl_handshake:certify(Cert, CertDbHandle, CertDbRef, Opts#ssl_options.depth,  			       Opts#ssl_options.verify,  			       Opts#ssl_options.verify_fun, Role) of          {PeerCert, PublicKeyInfo} -> @@ -859,23 +862,23 @@ handle_sync_event({set_opts, Opts0}, _From, StateName,  		  #state{socket_options = Opts1,   			 socket = Socket,  			 user_data_buffer = Buffer} = State0) -> -    Opts   = set_socket_opts(Socket, Opts0, Opts1, []), +    {Reply, Opts} = set_socket_opts(Socket, Opts0, Opts1, []),      State1 = State0#state{socket_options = Opts},      if   	Opts#socket_options.active =:= false -> -	    {reply, ok, StateName, State1, get_timeout(State1)}; +	    {reply, Reply, StateName, State1, get_timeout(State1)};  	Buffer =:= <<>>, Opts1#socket_options.active =:= false ->              %% Need data, set active once  	    {Record, State2} = next_record_if_active(State1),  	    case next_state(StateName, Record, State2) of  		{next_state, StateName, State, Timeout} -> -		    {reply, ok, StateName, State, Timeout}; +		    {reply, Reply, StateName, State, Timeout};  		{stop, Reason, State} ->  		    {stop, Reason, State}  	    end;  	Buffer =:= <<>> ->              %% Active once already set  -	    {reply, ok, StateName, State1, get_timeout(State1)}; +	    {reply, Reply, StateName, State1, get_timeout(State1)};  	true ->  	    case application_data(<<>>, State1) of  		Stop = {stop,_,_} -> @@ -883,7 +886,7 @@ handle_sync_event({set_opts, Opts0}, _From, StateName,  		{Record, State2} ->  		    case next_state(StateName, Record, State2) of  			{next_state, StateName, State, Timeout} -> -			    {reply, ok, StateName, State, Timeout}; +			    {reply, Reply, StateName, State, Timeout};  			{stop, Reason, State} ->  			    {stop, Reason, State}  		    end @@ -1044,19 +1047,19 @@ start_fsm(Role, Host, Port, Socket, Opts,  User, {CbModule, _,_, _} = CbInfo,      end.  ssl_init(SslOpts, Role) -> -    {ok, CertDbRef, CacheRef, OwnCert} = init_certificates(SslOpts, Role), +    {ok, CertDbRef, CertDbHandle, CacheHandle, OwnCert} = init_certificates(SslOpts, Role),      PrivateKey = -	init_private_key(SslOpts#ssl_options.key, SslOpts#ssl_options.keyfile, +	init_private_key(CertDbHandle, SslOpts#ssl_options.key, SslOpts#ssl_options.keyfile,  			 SslOpts#ssl_options.password, Role), -    DHParams = init_diffie_hellman(SslOpts#ssl_options.dh, SslOpts#ssl_options.dhfile, Role), -    {ok, CertDbRef, CacheRef, OwnCert, PrivateKey, DHParams}. +    DHParams = init_diffie_hellman(CertDbHandle, SslOpts#ssl_options.dh, SslOpts#ssl_options.dhfile, Role), +    {ok, CertDbRef, CertDbHandle, CacheHandle, OwnCert, PrivateKey, DHParams}.  init_certificates(#ssl_options{cacerts = CaCerts,  			       cacertfile = CACertFile,  			       certfile = CertFile,  			       cert = Cert}, Role) -> -    {ok, CertDbRef, CacheRef} =  +    {ok, CertDbRef, CertDbHandle, CacheHandle} =  	try   	    Certs = case CaCerts of  			undefined -> @@ -1064,44 +1067,44 @@ init_certificates(#ssl_options{cacerts = CaCerts,  			_ ->  			    {der, CaCerts}  		    end, -	    {ok, _, _} = ssl_manager:connection_init(Certs, Role) +	    {ok, _, _, _} = ssl_manager:connection_init(Certs, Role)  	catch  	    Error:Reason ->  		handle_file_error(?LINE, Error, Reason, CACertFile, ecacertfile,  				  erlang:get_stacktrace())  	end, -    init_certificates(Cert, CertDbRef, CacheRef, CertFile, Role). +    init_certificates(Cert, CertDbRef, CertDbHandle, CacheHandle, CertFile, Role). -init_certificates(undefined, CertDbRef, CacheRef, "", _) -> -    {ok, CertDbRef, CacheRef, undefined}; +init_certificates(undefined, CertDbRef, CertDbHandle, CacheHandle, "", _) -> +    {ok, CertDbRef, CertDbHandle, CacheHandle, undefined}; -init_certificates(undefined, CertDbRef, CacheRef, CertFile, client) -> +init_certificates(undefined, CertDbRef, CertDbHandle, CacheHandle, CertFile, client) ->      try  -	[OwnCert] = ssl_certificate:file_to_certificats(CertFile), -	{ok, CertDbRef, CacheRef, OwnCert} +	[OwnCert] = ssl_certificate:file_to_certificats(CertFile, CertDbHandle), +	{ok, CertDbRef, CertDbHandle, CacheHandle, OwnCert}      catch _Error:_Reason  -> -	    {ok, CertDbRef, CacheRef, undefined} +	    {ok, CertDbRef, CertDbHandle, CacheHandle, undefined}      end; -init_certificates(undefined, CertDbRef, CacheRef, CertFile, server) -> +init_certificates(undefined, CertDbRef, CertDbHandle, CacheRef, CertFile, server) ->      try -	[OwnCert] = ssl_certificate:file_to_certificats(CertFile), -	{ok, CertDbRef, CacheRef, OwnCert} +	[OwnCert] = ssl_certificate:file_to_certificats(CertFile, CertDbHandle), +	{ok, CertDbRef, CertDbHandle, CacheRef, OwnCert}      catch  	Error:Reason ->  	    handle_file_error(?LINE, Error, Reason, CertFile, ecertfile,  			      erlang:get_stacktrace())      end; -init_certificates(Cert, CertDbRef, CacheRef, _, _) -> -    {ok, CertDbRef, CacheRef, Cert}. +init_certificates(Cert, CertDbRef, CertDbHandle, CacheRef, _, _) -> +    {ok, CertDbRef, CertDbHandle, CacheRef, Cert}. -init_private_key(undefined, "", _Password, _Client) -> +init_private_key(_, undefined, "", _Password, _Client) ->      undefined; -init_private_key(undefined, KeyFile, Password, _)  ->  +init_private_key(DbHandle, undefined, KeyFile, Password, _) ->      try -	{ok, List} = ssl_manager:cache_pem_file(KeyFile),  +	{ok, List} = ssl_manager:cache_pem_file(KeyFile, DbHandle),  	[PemEntry] = [PemEntry || PemEntry = {PKey, _ , _} <- List, -				  PKey =:= 'RSAPrivateKey' orelse  +				  PKey =:= 'RSAPrivateKey' orelse  				      PKey =:= 'DSAPrivateKey'],  	public_key:pem_entry_decode(PemEntry, Password)      catch  @@ -1110,9 +1113,9 @@ init_private_key(undefined, KeyFile, Password, _)  ->  			      erlang:get_stacktrace())       end; -init_private_key({rsa, PrivateKey}, _, _,_) -> +init_private_key(_,{rsa, PrivateKey}, _, _,_) ->      public_key:der_decode('RSAPrivateKey', PrivateKey); -init_private_key({dsa, PrivateKey},_,_,_) -> +init_private_key(_,{dsa, PrivateKey},_,_,_) ->      public_key:der_decode('DSAPrivateKey', PrivateKey).  -spec(handle_file_error(_,_,_,_,_,_) -> no_return()). @@ -1128,15 +1131,15 @@ file_error(Line, Error, Reason, File, Throw, Stack) ->      error_logger:error_report(Report),      throw(Throw). -init_diffie_hellman(Params, _,_) when is_binary(Params)-> +init_diffie_hellman(_,Params, _,_) when is_binary(Params)->      public_key:der_decode('DHParameter', Params); -init_diffie_hellman(_,_, client) -> +init_diffie_hellman(_,_,_, client) ->      undefined; -init_diffie_hellman(_,undefined, _) -> +init_diffie_hellman(_,_,undefined, _) ->      ?DEFAULT_DIFFIE_HELLMAN_PARAMS; -init_diffie_hellman(_, DHParamFile, server) -> +init_diffie_hellman(DbHandle,_, DHParamFile, server) ->      try -	{ok, List} = ssl_manager:cache_pem_file(DHParamFile),  +	{ok, List} = ssl_manager:cache_pem_file(DHParamFile,DbHandle),  	case [Entry || Entry = {'DHParameter', _ , _} <- List] of  	    [Entry] ->  		public_key:pem_entry_decode(Entry); @@ -1180,11 +1183,12 @@ certify_client(#state{client_certificate_requested = true, role = client,                        connection_states = ConnectionStates0,                        transport_cb = Transport,                        negotiated_version = Version, +		      cert_db = CertDbHandle,                        cert_db_ref = CertDbRef,  		      session = #session{own_certificate = OwnCert},                        socket = Socket,                        tls_handshake_hashes = Hashes0} = State) -> -    Certificate = ssl_handshake:certificate(OwnCert, CertDbRef, client), +    Certificate = ssl_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, client),      {BinCert, ConnectionStates1, Hashes1} =          encode_handshake(Certificate, Version, ConnectionStates0, Hashes0),      Transport:send(Socket, BinCert), @@ -1365,9 +1369,10 @@ certify_server(#state{transport_cb = Transport,  		      negotiated_version = Version,  		      connection_states = ConnectionStates,  		      tls_handshake_hashes = Hashes, +		      cert_db = CertDbHandle,  		      cert_db_ref = CertDbRef,  		      session = #session{own_certificate = OwnCert}} = State) -> -    case ssl_handshake:certificate(OwnCert, CertDbRef, server) of +    case ssl_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, server) of  	CertMsg = #certificate{} ->  	    {BinCertMsg, NewConnectionStates, NewHashes} =  		encode_handshake(CertMsg, Version, ConnectionStates, Hashes), @@ -1454,12 +1459,13 @@ rsa_key_exchange(_, _) ->  request_client_cert(#state{ssl_options = #ssl_options{verify = verify_peer},  			   connection_states = ConnectionStates0, +			   cert_db = CertDbHandle,  			   cert_db_ref = CertDbRef,  			   tls_handshake_hashes = Hashes0,  			   negotiated_version = Version,  			   socket = Socket,  			   transport_cb = Transport} = State) -> -    Msg = ssl_handshake:certificate_request(ConnectionStates0, CertDbRef), +    Msg = ssl_handshake:certificate_request(ConnectionStates0, CertDbHandle, CertDbRef),      {BinMsg, ConnectionStates1, Hashes1} =          encode_handshake(Msg, Version, ConnectionStates0, Hashes0),      Transport:send(Socket, BinMsg), @@ -2040,31 +2046,67 @@ get_socket_opts(Socket, [active | Tags], SockOpts, Acc) ->      get_socket_opts(Socket, Tags, SockOpts,   		    [{active, SockOpts#socket_options.active} | Acc]);  get_socket_opts(Socket, [Tag | Tags], SockOpts, Acc) -> -    case inet:getopts(Socket, [Tag]) of +    try inet:getopts(Socket, [Tag]) of  	{ok, [Opt]} ->  	    get_socket_opts(Socket, Tags, SockOpts, [Opt | Acc]);  	{error, Error} -> -	    {error, Error} -    end. +	    {error, {eoptions, {inet_option, Tag, Error}}} +    catch +	%% So that inet behavior does not crash our process +	_:Error -> {error, {eoptions, {inet_option, Tag, Error}}} +    end; +get_socket_opts(_,Opts, _,_) -> +    {error, {eoptions, {inet_option, Opts, function_clause}}}.  set_socket_opts(_, [], SockOpts, []) -> -    SockOpts; +    {ok, SockOpts};  set_socket_opts(Socket, [], SockOpts, Other) ->      %% Set non emulated options  -    inet:setopts(Socket, Other), -    SockOpts; -set_socket_opts(Socket, [{mode, Mode}| Opts], SockOpts, Other) -> +    try inet:setopts(Socket, Other) of +	ok -> +	    {ok, SockOpts}; +	{error, InetError} -> +	    {{error, {eoptions, {inet_options, Other, InetError}}}, SockOpts} +    catch +	_:Error -> +	    %% So that inet behavior does not crash our process +	    {{error, {eoptions, {inet_options, Other, Error}}}, SockOpts} +    end; + +set_socket_opts(Socket, [{mode, Mode}| Opts], SockOpts, Other) when Mode == list; Mode == binary ->      set_socket_opts(Socket, Opts,   		    SockOpts#socket_options{mode = Mode}, Other); -set_socket_opts(Socket, [{packet, Packet}| Opts], SockOpts, Other) -> +set_socket_opts(_, [{mode, _} = Opt| _], SockOpts, _) -> +    {{error, {eoptions, {inet_opt, Opt}}}, SockOpts}; +set_socket_opts(Socket, [{packet, Packet}| Opts], SockOpts, Other) when Packet == raw; +									Packet == 0; +									Packet == 1; +									Packet == 2; +									Packet == 4; +									Packet == asn1; +									Packet == cdr; +									Packet == sunrm; +									Packet == fcgi; +									Packet == tpkt; +									Packet == line; +									Packet == http; +									Packet == http_bin ->      set_socket_opts(Socket, Opts,   		    SockOpts#socket_options{packet = Packet}, Other); -set_socket_opts(Socket, [{header, Header}| Opts], SockOpts, Other) -> +set_socket_opts(_, [{packet, _} = Opt| _], SockOpts, _) -> +    {{error, {eoptions, {inet_opt, Opt}}}, SockOpts}; +set_socket_opts(Socket, [{header, Header}| Opts], SockOpts, Other) when is_integer(Header) ->      set_socket_opts(Socket, Opts,   		    SockOpts#socket_options{header = Header}, Other); -set_socket_opts(Socket, [{active, Active}| Opts], SockOpts, Other) -> +set_socket_opts(_, [{header, _} = Opt| _], SockOpts, _) -> +    {{error,{eoptions, {inet_opt, Opt}}}, SockOpts}; +set_socket_opts(Socket, [{active, Active}| Opts], SockOpts, Other) when Active == once; +									Active == true; +									Active == false ->      set_socket_opts(Socket, Opts,   		    SockOpts#socket_options{active = Active}, Other); +set_socket_opts(_, [{active, _} = Opt| _], SockOpts, _) -> +    {{error, {eoptions, {inet_opt, Opt}} }, SockOpts};  set_socket_opts(Socket, [Opt | Opts], SockOpts, Other) ->      set_socket_opts(Socket, Opts, SockOpts, [Opt | Other]). diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 1f4c44d115..4e74aec4ac 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -31,9 +31,9 @@  -include_lib("public_key/include/public_key.hrl").  -export([master_secret/4, client_hello/6, server_hello/4, hello/4, -	 hello_request/0, certify/6, certificate/3, +	 hello_request/0, certify/7, certificate/4,  	 client_certificate_verify/5, certificate_verify/5, -	 certificate_request/2, key_exchange/2, server_key_exchange_hash/2, +	 certificate_request/3, key_exchange/2, server_key_exchange_hash/2,  	 finished/4, verify_connection/5, get_tls_handshake/2,  	 decode_client_key/3, server_hello_done/0,  	 encode_handshake/2, init_hashes/0, update_hashes/2, @@ -106,7 +106,7 @@ hello_request() ->  %%--------------------------------------------------------------------  -spec hello(#server_hello{} | #client_hello{}, #ssl_options{}, - 	    #connection_states{} | {port_num(), #session{}, cache_ref(), +	    #connection_states{} | {port_num(), #session{}, db_handle(),   				    atom(), #connection_states{}, binary()},   	    boolean()) -> {tls_version(), session_id(), #connection_states{}}|    			  {tls_version(), {resumed | new, #session{}},  @@ -173,13 +173,13 @@ hello(#client_hello{client_version = ClientVersion, random = Random,      end.  %%-------------------------------------------------------------------- --spec certify(#certificate{}, term(), integer() | nolimit, +-spec certify(#certificate{}, db_handle(), certdb_ref(), integer() | nolimit,  	      verify_peer | verify_none, {fun(), term},  	      client | server) ->  {der_cert(), public_key_info()} | #alert{}.  %%  %% Description: Handles a certificate handshake message  %%-------------------------------------------------------------------- -certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef, +certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef,  	MaxPathLen, _Verify, VerifyFunAndState, Role) ->      [PeerCert | _] = ASN1Certs, @@ -208,7 +208,7 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,  	end,      {TrustedErlCert, CertPath}  = -	ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef), +	ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbHandle, CertDbRef),      case public_key:pkix_path_validation(TrustedErlCert,  					 CertPath, @@ -222,13 +222,13 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,      end.  %%-------------------------------------------------------------------- --spec certificate(der_cert(), term(), client | server) -> #certificate{} | #alert{}.  +-spec certificate(der_cert(), db_handle(), certdb_ref(), client | server) -> #certificate{} | #alert{}.  %%  %% Description: Creates a certificate message.  %%-------------------------------------------------------------------- -certificate(OwnCert, CertDbRef, client) -> +certificate(OwnCert, CertDbHandle, CertDbRef, client) ->      Chain = -	case ssl_certificate:certificate_chain(OwnCert, CertDbRef) of +	case ssl_certificate:certificate_chain(OwnCert, CertDbHandle, CertDbRef) of  	    {ok, CertChain} ->  		CertChain;  	    {error, _} ->  @@ -239,8 +239,8 @@ certificate(OwnCert, CertDbRef, client) ->  	end,      #certificate{asn1_certificates = Chain}; -certificate(OwnCert, CertDbRef, server) ->  -    case ssl_certificate:certificate_chain(OwnCert, CertDbRef) of +certificate(OwnCert, CertDbHandle, CertDbRef, server) -> +    case ssl_certificate:certificate_chain(OwnCert, CertDbHandle, CertDbRef) of  	{ok, Chain} ->  	    #certificate{asn1_certificates = Chain};  	{error, _} -> @@ -302,17 +302,17 @@ certificate_verify(Signature, {?'id-dsa' = Algorithm, PublicKey, PublicKeyParams  %%-------------------------------------------------------------------- --spec certificate_request(#connection_states{}, certdb_ref()) ->  +-spec certificate_request(#connection_states{}, db_handle(), certdb_ref()) ->      #certificate_request{}.  %%  %% Description: Creates a certificate_request message, called by the server.  %%-------------------------------------------------------------------- -certificate_request(ConnectionStates, CertDbRef) -> +certificate_request(ConnectionStates, CertDbHandle, CertDbRef) ->      #connection_state{security_parameters =   		      #security_parameters{cipher_suite = CipherSuite}} =  	ssl_record:pending_connection_state(ConnectionStates, read),      Types = certificate_types(CipherSuite), -    Authorities = certificate_authorities(CertDbRef), +    Authorities = certificate_authorities(CertDbHandle, CertDbRef),      #certificate_request{  		    certificate_types = Types,  		    certificate_authorities = Authorities @@ -1071,8 +1071,8 @@ certificate_types({KeyExchange, _, _, _})  certificate_types(_) ->      <<?BYTE(?RSA_SIGN)>>. -certificate_authorities(CertDbRef) -> -    Authorities = certificate_authorities_from_db(CertDbRef), +certificate_authorities(CertDbHandle, CertDbRef) -> +    Authorities = certificate_authorities_from_db(CertDbHandle, CertDbRef),      Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) ->  		  OTPSubj = TBSCert#'OTPTBSCertificate'.subject,  		  DNEncodedBin = public_key:pkix_encode('Name', OTPSubj, otp), @@ -1084,18 +1084,18 @@ certificate_authorities(CertDbRef) ->  	  end,      list_to_binary([Enc(Cert) || {_, Cert} <- Authorities]). -certificate_authorities_from_db(CertDbRef) -> -    certificate_authorities_from_db(CertDbRef, no_candidate, []). +certificate_authorities_from_db(CertDbHandle, CertDbRef) -> +    certificate_authorities_from_db(CertDbHandle, CertDbRef, no_candidate, []). -certificate_authorities_from_db(CertDbRef, PrevKey, Acc) -> -    case ssl_manager:issuer_candidate(PrevKey) of +certificate_authorities_from_db(CertDbHandle,CertDbRef, PrevKey, Acc) -> +    case ssl_manager:issuer_candidate(PrevKey, CertDbHandle) of  	no_more_candidates ->  	    lists:reverse(Acc);  	{{CertDbRef, _, _} = Key, Cert} -> -	    certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]); +	    certificate_authorities_from_db(CertDbHandle, CertDbRef, Key, [Cert|Acc]);  	{Key, _Cert} ->  	    %% skip certs not from this ssl connection -	    certificate_authorities_from_db(CertDbRef, Key, Acc) +	    certificate_authorities_from_db(CertDbHandle, CertDbRef, Key, Acc)      end.  digitally_signed(Hash, #'RSAPrivateKey'{} = Key) -> diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl index c28daa271e..cc66246068 100644 --- a/lib/ssl/src/ssl_internal.hrl +++ b/lib/ssl/src/ssl_internal.hrl @@ -33,8 +33,8 @@  -type session_id()        :: 0 | binary().  -type tls_version()       :: {integer(), integer()}.  -type tls_atom_version()  :: sslv3 | tlsv1. --type cache_ref()         :: term(). --type certdb_ref()        :: term(). +-type certdb_ref()        :: reference(). +-type db_handle()         :: term().  -type key_algo()          :: null | rsa | dhe_rsa | dhe_dss | dh_anon.  -type der_cert()          :: binary().  -type private_key()       :: #'RSAPrivateKey'{} | #'DSAPrivateKey'{}. diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl index 541ca1e918..b02815bfd8 100644 --- a/lib/ssl/src/ssl_manager.erl +++ b/lib/ssl/src/ssl_manager.erl @@ -28,8 +28,8 @@  %% Internal application API  -export([start_link/1,  -	 connection_init/2, cache_pem_file/1, -	 lookup_trusted_cert/3, issuer_candidate/1, client_session_id/4, +	 connection_init/2, cache_pem_file/2, +	 lookup_trusted_cert/4, issuer_candidate/2, client_session_id/4,  	 server_session_id/4,  	 register_session/2, register_session/3, invalidate_session/2,  	 invalidate_session/3]). @@ -50,7 +50,8 @@  	  session_cache_cb,  	  session_lifetime,  	  certificate_db, -	  session_validation_timer +	  session_validation_timer, +	  last_delay_timer %% Keep for testing purposes  	 }).  -define('24H_in_msec', 8640000). @@ -72,45 +73,45 @@ start_link(Opts) ->  %%--------------------------------------------------------------------  -spec connection_init(string()| {der, list()}, client | server) -> -			     {ok, reference(), cache_ref()}. +			     {ok, certdb_ref(), db_handle(), db_handle()}.  %%			       %% Description: Do necessary initializations for a new connection.  %%--------------------------------------------------------------------  connection_init(Trustedcerts, Role) ->      call({connection_init, Trustedcerts, Role}).  %%-------------------------------------------------------------------- --spec cache_pem_file(string()) -> {ok, term()} | {error, reason()}. +-spec cache_pem_file(string(), term()) -> {ok, term()} | {error, reason()}.  %%		      %% Description: Cach a pem file and return its content.  %%-------------------------------------------------------------------- -cache_pem_file(File) -> +cache_pem_file(File, DbHandle) ->      try file:read_file_info(File) of  	{ok, #file_info{mtime = LastWrite}} -> -	    cache_pem_file(File, LastWrite) +	    cache_pem_file(File, LastWrite, DbHandle)      catch  	_:Reason ->  	    {error, Reason}      end.  %%-------------------------------------------------------------------- --spec lookup_trusted_cert(reference(), serialnumber(), issuer()) ->  +-spec lookup_trusted_cert(term(), reference(), serialnumber(), issuer()) ->  				 undefined |   				 {ok, {der_cert(), #'OTPCertificate'{}}}.  %%				   %% Description: Lookup the trusted cert with Key = {reference(),  %% serialnumber(), issuer()}.  %% -------------------------------------------------------------------- -lookup_trusted_cert(Ref, SerialNumber, Issuer) -> -    ssl_certificate_db:lookup_trusted_cert(Ref, SerialNumber, Issuer). +lookup_trusted_cert(DbHandle, Ref, SerialNumber, Issuer) -> +    ssl_certificate_db:lookup_trusted_cert(DbHandle, Ref, SerialNumber, Issuer).  %%-------------------------------------------------------------------- --spec issuer_candidate(cert_key() | no_candidate) ->  +-spec issuer_candidate(cert_key() | no_candidate, term()) ->  			      {cert_key(),  			       {der_cert(),  				#'OTPCertificate'{}}} | no_more_candidates.  %%  %% Description: Return next issuer candidate.  %%-------------------------------------------------------------------- -issuer_candidate(PrevCandidateKey) -> -    ssl_certificate_db:issuer_candidate(PrevCandidateKey). +issuer_candidate(PrevCandidateKey, DbHandle) -> +    ssl_certificate_db:issuer_candidate(PrevCandidateKey, DbHandle).  %%--------------------------------------------------------------------  -spec client_session_id(host(), port_num(), #ssl_options{},  			der_cert() | undefined) -> session_id(). @@ -192,19 +193,20 @@ init([Opts]) ->  %% Description: Handling call messages  %%--------------------------------------------------------------------  handle_call({{connection_init, "", _Role}, Pid}, _From,  -	    #state{session_cache = Cache} = State) -> +	    #state{certificate_db = [CertDb |_], +		   session_cache = Cache} = State) ->      erlang:monitor(process, Pid), -    Result = {ok, make_ref(), Cache}, +    Result = {ok, make_ref(),CertDb, Cache},      {reply, Result, State};  handle_call({{connection_init, Trustedcerts, _Role}, Pid}, _From, -	    #state{certificate_db = Db, +	    #state{certificate_db = [CertDb|_] =Db,  		   session_cache = Cache} = State) ->      erlang:monitor(process, Pid),      Result =   	try  	    {ok, Ref} = ssl_certificate_db:add_trusted_certs(Pid, Trustedcerts, Db), -	    {ok, Ref, Cache} +	    {ok, Ref, CertDb, Cache}  	catch  	    _:Reason ->  		{error, Reason} @@ -273,15 +275,17 @@ handle_cast({invalidate_session, Host, Port,  	    #state{session_cache = Cache,  		   session_cache_cb = CacheCb} = State) ->      CacheCb:update(Cache, {{Host, Port}, ID}, Session#session{is_resumable = false}), -    timer:send_after(delay_time(), self(), {delayed_clean_session, {{Host, Port}, ID}}), -    {noreply, State}; +    TRef = +	erlang:send_after(delay_time(), self(), {delayed_clean_session, {{Host, Port}, ID}}), +    {noreply, State#state{last_delay_timer = TRef}};  handle_cast({invalidate_session, Port, #session{session_id = ID} = Session},  	    #state{session_cache = Cache,  		   session_cache_cb = CacheCb} = State) ->      CacheCb:update(Cache, {Port, ID}, Session#session{is_resumable = false}), -    timer:send_after(delay_time(), self(), {delayed_clean_session, {Port, ID}}), -    {noreply, State}; +    TRef = +	erlang:send_after(delay_time(), self(), {delayed_clean_session, {Port, ID}}), +    {noreply, State#state{last_delay_timer = TRef}};  handle_cast({recache_pem, File, LastWrite, Pid, From},  	    #state{certificate_db = [_, FileToRefDb, _]} = State0) -> @@ -408,8 +412,8 @@ session_validation({{Port, _}, Session}, LifeTime) ->      validate_session(Port, Session, LifeTime),      LifeTime. -cache_pem_file(File, LastWrite) -> -    case ssl_certificate_db:lookup_cached_certs(File) of +cache_pem_file(File, LastWrite, DbHandle) -> +    case ssl_certificate_db:lookup_cached_certs(DbHandle,File) of  	[{_, {Mtime, Content}}] ->  	    case LastWrite of  		Mtime -> diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl index f1c0073965..4c3c0b9c58 100644 --- a/lib/ssl/src/ssl_record.erl +++ b/lib/ssl/src/ssl_record.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %% -%% Copyright Ericsson AB 2007-2010. All Rights Reserved. +%% Copyright Ericsson AB 2007-2011. All Rights Reserved.  %%  %% The contents of this file are subject to the Erlang Public License,  %% Version 1.1, (the "License"); you may not use this file except in @@ -62,6 +62,8 @@  -compile(inline). +-define(INITIAL_BYTES, 5). +  %%====================================================================  %% Internal application API  %%==================================================================== @@ -360,16 +362,20 @@ get_tls_records_aux(<<1:1, Length0:15, Data0:Length0/binary, Rest/binary>>,  get_tls_records_aux(<<0:1, _CT:7, ?BYTE(_MajVer), ?BYTE(_MinVer),                       ?UINT16(Length), _/binary>>, -                    _Acc) when Length > ?MAX_CIPHER_TEXT_LENGTH-> +                    _Acc) when Length > ?MAX_CIPHER_TEXT_LENGTH ->      ?ALERT_REC(?FATAL, ?RECORD_OVERFLOW);  get_tls_records_aux(<<1:1, Length0:15, _/binary>>,_Acc)  -  when Length0 > ?MAX_CIPHER_TEXT_LENGTH-> +  when Length0 > ?MAX_CIPHER_TEXT_LENGTH ->      ?ALERT_REC(?FATAL, ?RECORD_OVERFLOW);  get_tls_records_aux(Data, Acc) -> -    {lists:reverse(Acc), Data}. - +    case size(Data) =< ?MAX_CIPHER_TEXT_LENGTH + ?INITIAL_BYTES of +	true -> +	    {lists:reverse(Acc), Data}; +	false -> +	    ?ALERT_REC(?FATAL, ?UNEXPECTED_MESSAGE) +	end.  %%--------------------------------------------------------------------  -spec protocol_version(tls_atom_version() | tls_version()) ->   			      tls_version() | tls_atom_version().		       diff --git a/lib/ssl/src/ssl_session.erl b/lib/ssl/src/ssl_session.erl index dc4b7a711c..85c9fcb61c 100644 --- a/lib/ssl/src/ssl_session.erl +++ b/lib/ssl/src/ssl_session.erl @@ -1,7 +1,7 @@  %%  %% %CopyrightBegin%  %%  -%% Copyright Ericsson AB 2007-2010. All Rights Reserved. +%% Copyright Ericsson AB 2007-2011. All Rights Reserved.  %%   %% The contents of this file are subject to the Erlang Public License,  %% Version 1.1, (the "License"); you may not use this file except in @@ -48,7 +48,7 @@ is_new(_ClientSuggestion, _ServerDecision) ->      true.  %%-------------------------------------------------------------------- --spec id({host(), port_num(), #ssl_options{}}, cache_ref(), atom(), +-spec id({host(), port_num(), #ssl_options{}}, db_handle(), atom(),  	 undefined | binary()) -> binary().  %%  %% Description: Should be called by the client side to get an id  @@ -63,7 +63,7 @@ id(ClientInfo, Cache, CacheCb, OwnCert) ->      end.  %%-------------------------------------------------------------------- --spec id(port_num(), binary(), #ssl_options{}, cache_ref(),  +-spec id(port_num(), binary(), #ssl_options{}, db_handle(),  	 atom(), seconds(), binary()) -> binary().  %%  %% Description: Should be called by the server side to get an id  diff --git a/lib/ssl/src/ssl_session_cache.erl b/lib/ssl/src/ssl_session_cache.erl index ae7c67bb98..66610817be 100644 --- a/lib/ssl/src/ssl_session_cache.erl +++ b/lib/ssl/src/ssl_session_cache.erl @@ -31,15 +31,15 @@  -type key() :: {{host(), port_num()}, session_id()} |  {port_num(), session_id()}.  %%-------------------------------------------------------------------- --spec init(list()) -> cache_ref(). %% Returns reference to the cache (opaque)     +-spec init(list()) -> db_handle(). %% Returns reference to the cache (opaque)  %%  %% Description: Return table reference. Called by ssl_manager process.   %%--------------------------------------------------------------------  init(_) -> -    ets:new(cache_name(), [named_table, set, protected]). +    ets:new(cache_name(), [set, protected]).  %%-------------------------------------------------------------------- --spec terminate(cache_ref()) -> any(). %%     +-spec terminate(db_handle()) -> any().  %%  %% Description: Handles cache table at termination of ssl manager.   %%-------------------------------------------------------------------- @@ -47,7 +47,7 @@ terminate(Cache) ->      ets:delete(Cache).  %%-------------------------------------------------------------------- --spec lookup(cache_ref(), key()) -> #session{} | undefined. +-spec lookup(db_handle(), key()) -> #session{} | undefined.  %%  %% Description: Looks up a cach entry. Should be callable from any  %% process. @@ -61,7 +61,7 @@ lookup(Cache, Key) ->      end.  %%-------------------------------------------------------------------- --spec update(cache_ref(), key(), #session{}) -> any(). +-spec update(db_handle(), key(), #session{}) -> any().  %%  %% Description: Caches a new session or updates a already cached one.  %% Will only be called from the ssl_manager process. @@ -70,7 +70,7 @@ update(Cache, Key, Session) ->      ets:insert(Cache, {Key, Session}).  %%-------------------------------------------------------------------- --spec delete(cache_ref(), key()) -> any(). +-spec delete(db_handle(), key()) -> any().  %%  %% Description: Delets a cache entry.  %% Will only be called from the ssl_manager process. @@ -79,7 +79,7 @@ delete(Cache, Key) ->      ets:delete(Cache, Key).  %%-------------------------------------------------------------------- --spec foldl(fun(), term(), cache_ref()) -> term(). +-spec foldl(fun(), term(), db_handle()) -> term().  %%  %% Description: Calls Fun(Elem, AccIn) on successive elements of the  %% cache, starting with AccIn == Acc0. Fun/2 must return a new @@ -91,7 +91,7 @@ foldl(Fun, Acc0, Cache) ->      ets:foldl(Fun, Acc0, Cache).  %%-------------------------------------------------------------------- --spec select_session(cache_ref(), {host(), port_num()} | port_num()) -> [#session{}]. +-spec select_session(db_handle(), {host(), port_num()} | port_num()) -> [#session{}].  %%  %% Description: Selects a session that could be reused. Should be callable  %% from any process. diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile index 53b2223035..5be07cad2c 100644 --- a/lib/ssl/test/Makefile +++ b/lib/ssl/test/Makefile @@ -61,8 +61,10 @@ HRL_FILES = ssl_test_MACHINE.hrl  HRL_FILES_SRC = \  	ssl_int.hrl \ +	ssl_internal.hrl\  	ssl_alert.hrl \ -	ssl_handshake.hrl +	ssl_handshake.hrl \ +	ssl_record.hrl  HRL_FILES_INC =  diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index ec287ed803..37a021e7cf 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -25,11 +25,12 @@  -compile(export_all).  -include_lib("common_test/include/ct.hrl"). --include("test_server_line.hrl").  -include_lib("public_key/include/public_key.hrl").  -include("ssl_alert.hrl").  -include("ssl_int.hrl"). +-include("ssl_internal.hrl"). +-include("ssl_record.hrl").  -define('24H_in_sec', 86400).    -define(TIMEOUT, 60000). @@ -208,8 +209,12 @@ all() ->       empty_protocol_versions, controlling_process,       controller_dies, client_closes_socket, peercert,       connect_dist, peername, sockname, socket_options, +     invalid_inet_get_option, invalid_inet_get_option_not_list, +     invalid_inet_get_option_improper_list, +     invalid_inet_set_option, invalid_inet_set_option_not_list, +     invalid_inet_set_option_improper_list,       misc_ssl_options, versions, cipher_suites, upgrade, -     upgrade_with_timeout, tcp_connect, ipv6, ekeyfile, +     upgrade_with_timeout, tcp_connect, tcp_connect_big, ipv6, ekeyfile,       ecertfile, ecacertfile, eoptions, shutdown,       shutdown_write, shutdown_both, shutdown_error,       ciphers_rsa_signed_certs, ciphers_rsa_signed_certs_ssl3, @@ -252,7 +257,7 @@ all() ->       %%different_ca_peer_sign,       no_reuses_session_server_restart_new_cert,       no_reuses_session_server_restart_new_cert_file, reuseaddr, -     hibernate +     hibernate, connect_twice      ].  groups() ->  @@ -808,8 +813,218 @@ socket_options_result(Socket, Options, DefaultValues, NewOptions, NewValues) ->      {ok,[{nodelay,false}]} = ssl:getopts(Socket, [nodelay]),        ssl:setopts(Socket, [{nodelay, true}]),      {ok,[{nodelay, true}]} = ssl:getopts(Socket, [nodelay]), +    {ok, All} = ssl:getopts(Socket, []), +    test_server:format("All opts ~p~n", [All]),      ok. + + +%%-------------------------------------------------------------------- +invalid_inet_get_option(doc) -> +    ["Test handling of invalid inet options in getopts"]; + +invalid_inet_get_option(suite) -> +    []; + +invalid_inet_get_option(Config) when is_list(Config) -> +    ClientOpts = ?config(client_opts, Config), +    ServerOpts = ?config(server_opts, Config), +    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), +    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, +					{from, self()}, +			   {mfa, {?MODULE, get_invalid_inet_option, []}}, +			   {options, ServerOpts}]), +    Port = ssl_test_lib:inet_port(Server), +    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, +					{host, Hostname}, +			   {from, self()}, +			   {mfa, {ssl_test_lib, no_result, []}}, +			   {options, ClientOpts}]), + +    test_server:format("Testcase ~p, Client ~p  Server ~p ~n", +		       [self(), Client, Server]), + +    ssl_test_lib:check_result(Server, ok), +    ssl_test_lib:close(Server), +    ssl_test_lib:close(Client). + + +get_invalid_inet_option(Socket) -> +    {error, {eoptions, {inet_option, foo, _}}} = ssl:getopts(Socket, [foo]), +    ok. + +%%-------------------------------------------------------------------- +invalid_inet_get_option_not_list(doc) -> +    ["Test handling of invalid type in getopts"]; + +invalid_inet_get_option_not_list(suite) -> +    []; + +invalid_inet_get_option_not_list(Config) when is_list(Config) -> +    ClientOpts = ?config(client_opts, Config), +    ServerOpts = ?config(server_opts, Config), +    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), +    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, +					{from, self()}, +			   {mfa, {?MODULE, get_invalid_inet_option_not_list, []}}, +			   {options, ServerOpts}]), +    Port = ssl_test_lib:inet_port(Server), +    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, +					{host, Hostname}, +			   {from, self()}, +			   {mfa, {ssl_test_lib, no_result, []}}, +			   {options, ClientOpts}]), + +    test_server:format("Testcase ~p, Client ~p  Server ~p ~n", +		       [self(), Client, Server]), +    ssl_test_lib:check_result(Server, ok), +    ssl_test_lib:close(Server), +    ssl_test_lib:close(Client). + + +get_invalid_inet_option_not_list(Socket) -> +    {error, {eoptions, {inet_options, some_invalid_atom_here}}} +     = ssl:getopts(Socket, some_invalid_atom_here), +     ok. + +%%-------------------------------------------------------------------- +invalid_inet_get_option_improper_list(doc) -> +    ["Test handling of invalid type in getopts"]; + +invalid_inet_get_option_improper_list(suite) -> +    []; + +invalid_inet_get_option_improper_list(Config) when is_list(Config) -> +    ClientOpts = ?config(client_opts, Config), +    ServerOpts = ?config(server_opts, Config), +    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), +    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, +					{from, self()}, +			   {mfa, {?MODULE, get_invalid_inet_option_improper_list, []}}, +			   {options, ServerOpts}]), +    Port = ssl_test_lib:inet_port(Server), +    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, +					{host, Hostname}, +			   {from, self()}, +			   {mfa, {ssl_test_lib, no_result, []}}, +			   {options, ClientOpts}]), + +    test_server:format("Testcase ~p, Client ~p  Server ~p ~n", +		       [self(), Client, Server]), + +    ssl_test_lib:check_result(Server, ok), +    ssl_test_lib:close(Server), +    ssl_test_lib:close(Client). + + +get_invalid_inet_option_improper_list(Socket) -> +    {error, {eoptions, {inet_option, foo,_}}} = ssl:getopts(Socket, [packet | foo]), +    ok. + +%%-------------------------------------------------------------------- +invalid_inet_set_option(doc) -> +    ["Test handling of invalid inet options in setopts"]; + +invalid_inet_set_option(suite) -> +    []; + +invalid_inet_set_option(Config) when is_list(Config) -> +    ClientOpts = ?config(client_opts, Config), +    ServerOpts = ?config(server_opts, Config), +    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), +    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, +					{from, self()}, +			   {mfa, {?MODULE, set_invalid_inet_option, []}}, +			   {options, ServerOpts}]), +    Port = ssl_test_lib:inet_port(Server), +    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, +					{host, Hostname}, +			   {from, self()}, +			   {mfa, {ssl_test_lib, no_result, []}}, +			   {options, ClientOpts}]), + +    test_server:format("Testcase ~p, Client ~p  Server ~p ~n", +		       [self(), Client, Server]), + +    ssl_test_lib:check_result(Server, ok), +    ssl_test_lib:close(Server), +    ssl_test_lib:close(Client). + +set_invalid_inet_option(Socket) -> +    {error, {eoptions, {inet_opt, {packet, foo}}}} = ssl:setopts(Socket, [{packet, foo}]), +    {error, {eoptions, {inet_opt, {header, foo}}}} = ssl:setopts(Socket, [{header, foo}]), +    {error, {eoptions, {inet_opt, {active, foo}}}} = ssl:setopts(Socket, [{active, foo}]), +    {error, {eoptions, {inet_opt, {mode, foo}}}}   = ssl:setopts(Socket, [{mode, foo}]), +    ok. +%%-------------------------------------------------------------------- +invalid_inet_set_option_not_list(doc) -> +    ["Test handling of invalid type in setopts"]; + +invalid_inet_set_option_not_list(suite) -> +    []; + +invalid_inet_set_option_not_list(Config) when is_list(Config) -> +    ClientOpts = ?config(client_opts, Config), +    ServerOpts = ?config(server_opts, Config), +    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), +    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, +					{from, self()}, +			   {mfa, {?MODULE, set_invalid_inet_option_not_list, []}}, +			   {options, ServerOpts}]), +    Port = ssl_test_lib:inet_port(Server), +    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, +					{host, Hostname}, +			   {from, self()}, +			   {mfa, {ssl_test_lib, no_result, []}}, +			   {options, ClientOpts}]), + +    test_server:format("Testcase ~p, Client ~p  Server ~p ~n", +		       [self(), Client, Server]), + +    ssl_test_lib:check_result(Server, ok), +    ssl_test_lib:close(Server), +    ssl_test_lib:close(Client). + + +set_invalid_inet_option_not_list(Socket) -> +    {error, {eoptions, {not_a_proplist, some_invalid_atom_here}}} +	= ssl:setopts(Socket, some_invalid_atom_here), +    ok. + +%%-------------------------------------------------------------------- +invalid_inet_set_option_improper_list(doc) -> +    ["Test handling of invalid tye in setopts"]; + +invalid_inet_set_option_improper_list(suite) -> +    []; + +invalid_inet_set_option_improper_list(Config) when is_list(Config) -> +    ClientOpts = ?config(client_opts, Config), +    ServerOpts = ?config(server_opts, Config), +    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), +    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, +					{from, self()}, +			   {mfa, {?MODULE, set_invalid_inet_option_improper_list, []}}, +			   {options, ServerOpts}]), +    Port = ssl_test_lib:inet_port(Server), +    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, +					{host, Hostname}, +			   {from, self()}, +			   {mfa, {ssl_test_lib, no_result, []}}, +			   {options, ClientOpts}]), + +    test_server:format("Testcase ~p, Client ~p  Server ~p ~n", +		       [self(), Client, Server]), + +    ssl_test_lib:check_result(Server, ok), +    ssl_test_lib:close(Server), +    ssl_test_lib:close(Client). + +set_invalid_inet_option_improper_list(Socket) -> +    {error, {eoptions, {not_a_proplist, [{packet, 0} | {foo, 2}]}}} = +	ssl:setopts(Socket, [{packet, 0} | {foo, 2}]), +    ok. +  %%--------------------------------------------------------------------  misc_ssl_options(doc) ->      ["Test what happens when we give valid options"]; @@ -1097,6 +1312,41 @@ tcp_connect(Config) when is_list(Config) ->  	    end      end. +tcp_connect_big(doc) -> +    ["Test what happens when a tcp tries to connect, i,e. a bad big (ssl) packet is sent first"]; + +tcp_connect_big(suite) -> +    []; + +tcp_connect_big(Config) when is_list(Config) -> +    ServerOpts = ?config(server_opts, Config), +    {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), +    TcpOpts = [binary, {reuseaddr, true}], + +    Server = ssl_test_lib:start_upgrade_server([{node, ServerNode}, {port, 0}, +						{from, self()}, +						{timeout, 5000}, +						{mfa, {?MODULE, dummy, []}}, +						{tcp_options, TcpOpts}, +						{ssl_options, ServerOpts}]), +    Port = ssl_test_lib:inet_port(Server), + +    {ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {packet, 0}]), +    test_server:format("Testcase ~p connected to Server ~p ~n", [self(), Server]), + +    Rand = crypto:rand_bytes(?MAX_CIPHER_TEXT_LENGTH+1), +    gen_tcp:send(Socket, <<?BYTE(0), +			   ?BYTE(3), ?BYTE(1), ?UINT16(?MAX_CIPHER_TEXT_LENGTH), Rand/binary>>), + +    receive +	{tcp_closed, Socket} -> +	    receive +		{Server, {error, timeout}} -> +		    test_server:fail("hangs"); +		{Server, {error, Error}} -> +		    test_server:format("Error ~p", [Error]) +	    end +    end.  dummy(_Socket) ->      %% Should not happen as the ssl connection will not be established @@ -3301,6 +3551,7 @@ reuseaddr(Config) when is_list(Config) ->  				   {options, [{active, false} | ClientOpts]}]),      test_server:sleep(?SLEEP),      ssl_test_lib:close(Server), +    ssl_test_lib:close(Client),      Server1 =  	ssl_test_lib:start_server([{node, ServerNode}, {port, Port}, @@ -3358,6 +3609,54 @@ hibernate(Config) ->      ssl_test_lib:close(Client).  %%-------------------------------------------------------------------- + +connect_twice(doc) -> +    [""]; +connect_twice(suite) -> +    []; +connect_twice(Config) when is_list(Config) -> +    ClientOpts = ?config(client_opts, Config), +    ServerOpts = ?config(server_opts, Config), + +    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + +    Server = +	ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, +				   {from, self()}, +				   {mfa, {?MODULE, send_recv_result, []}}, +				   {options,  [{keepalive, true},{active, false} +					       | ServerOpts]}]), +    Port = ssl_test_lib:inet_port(Server), +    Client = +	ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, +				   {host, Hostname}, +				   {from, self()}, +				   {mfa, {?MODULE, send_recv_result, []}}, +				   {options, [{keepalive, true},{active, false} +					      | ClientOpts]}]), +    Server ! listen, + +    {Client1, #sslsocket{}} = +	ssl_test_lib:start_client([return_socket, +				   {node, ClientNode}, {port, Port}, +				   {host, Hostname}, +				   {from, self()}, +				   {mfa, {?MODULE, send_recv_result, []}}, +				   {options, [{keepalive, true},{active, false} +					      | ClientOpts]}]), + +    test_server:format("Testcase ~p, Client ~p  Server ~p ~n", +			 [self(), Client, Server]), + +    ssl_test_lib:check_result(Server, ok, Client, ok), +    ssl_test_lib:check_result(Server, ok, Client1, ok), + +    ssl_test_lib:close(Server), +    ssl_test_lib:close(Client), +    ssl_test_lib:close(Client1). + + +%%--------------------------------------------------------------------  %%% Internal functions  %%--------------------------------------------------------------------  send_recv_result(Socket) -> @@ -3435,7 +3734,7 @@ session_cache_process_mnesia(suite) ->  session_cache_process_mnesia(Config) when is_list(Config) ->       session_cache_process(mnesia,Config). -session_cache_process(Type,Config) when is_list(Config) ->  +session_cache_process(_Type,Config) when is_list(Config) ->      reuse_session(Config).  init([Type]) -> diff --git a/lib/ssl/test/ssl_session_cache_SUITE.erl b/lib/ssl/test/ssl_session_cache_SUITE.erl index 62d404092f..5ea45018e6 100644 --- a/lib/ssl/test/ssl_session_cache_SUITE.erl +++ b/lib/ssl/test/ssl_session_cache_SUITE.erl @@ -26,6 +26,7 @@  -include_lib("common_test/include/ct.hrl"). +-define(DELAY, 500).  -define(SLEEP, 500).  -define(TIMEOUT, 60000).  -define(LONG_TIMEOUT, 600000). @@ -102,7 +103,7 @@ init_per_testcase(session_cleanup, Config0) ->      ssl:stop(),      application:load(ssl),      application:set_env(ssl, session_lifetime, 5), -    application:set_env(ssl, session_delay_cleanup_time, ?SLEEP), +    application:set_env(ssl, session_delay_cleanup_time, ?DELAY),      ssl:start(),      [{watchdog, Dog} | Config]; @@ -178,7 +179,7 @@ end_per_group(_GroupName, Config) ->  %%--------------------------------------------------------------------  session_cleanup(doc) ->      ["Test that sessions are cleand up eventually, so that the session table " -     "does grow and grow ..."]; +     "does not grow and grow ..."];  session_cleanup(suite) ->      [];  session_cleanup(Config)when is_list(Config) -> @@ -207,24 +208,62 @@ session_cleanup(Config)when is_list(Config) ->      %% Make sure session is registered      test_server:sleep(?SLEEP), +    {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)), +    [_, _,_, _, Prop] = StatusInfo, +    State = state(Prop), +    Cache = element(2, State), +    SessionTimer = element(6, State), +      Id = proplists:get_value(session_id, SessionInfo), -    CSession = ssl_session_cache:lookup(ssl_otp_session_cache, {{Hostname, Port}, Id}), -    SSession = ssl_session_cache:lookup(ssl_otp_session_cache, {Port, Id}), +    CSession = ssl_session_cache:lookup(Cache, {{Hostname, Port}, Id}), +    SSession = ssl_session_cache:lookup(Cache, {Port, Id}),      true = CSession =/= undefined,      true = SSession =/= undefined,      %% Make sure session has expired and been cleaned up -    test_server:sleep(5000), %% Expire time -    test_server:sleep(?SLEEP *4), %% Clean up delay +    check_timer(SessionTimer), +    test_server:sleep(?DELAY *2),  %% Delay time + some extra time + +    DelayTimer = get_delay_timer(), + +    check_timer(DelayTimer), -    undefined = ssl_session_cache:lookup(ssl_otp_session_cache, {{Hostname, Port}, Id}), -    undefined = ssl_session_cache:lookup(ssl_otp_session_cache, {Port, Id}), +    test_server:sleep(?SLEEP),  %% Make sure clean has had to run + +    undefined = ssl_session_cache:lookup(Cache, {{Hostname, Port}, Id}), +    undefined = ssl_session_cache:lookup(Cache, {Port, Id}),      process_flag(trap_exit, false),      ssl_test_lib:close(Server),      ssl_test_lib:close(Client). +state([{data,[{"State", State}]} | _]) -> +    State; +state([_ | Rest]) -> +    state(Rest). + +check_timer(Timer) -> +    case erlang:read_timer(Timer) of +	false -> +	    {status, _, _, _} = sys:get_status(whereis(ssl_manager)), +	    ok; +	Int -> +	    test_server:sleep(Int), +	    check_timer(Timer) +    end. + +get_delay_timer() -> +    {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)), +    [_, _,_, _, Prop] = StatusInfo, +    State = state(Prop), +    case element(7, State) of +	undefined -> +	    test_server:sleep(?SLEEP), +	    get_delay_timer(); +	DelayTimer -> +	    DelayTimer +    end.  %%--------------------------------------------------------------------  session_cache_process_list(doc) ->      ["Test reuse of sessions (short handshake)"]; @@ -242,7 +281,6 @@ session_cache_process_mnesia(suite) ->  session_cache_process_mnesia(Config) when is_list(Config) ->      session_cache_process(mnesia,Config). -  %%--------------------------------------------------------------------  %%% Session cache API callbacks  %%-------------------------------------------------------------------- diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk index 64a7603c44..8286201df4 100644 --- a/lib/ssl/vsn.mk +++ b/lib/ssl/vsn.mk @@ -1 +1 @@ -SSL_VSN = 4.1.5.1 +SSL_VSN = 4.1.6 | 
