aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/kernel/src/inet6_tcp_dist.erl35
-rw-r--r--lib/public_key/src/pubkey_cert.erl35
-rw-r--r--lib/public_key/src/pubkey_pem.erl12
-rw-r--r--lib/public_key/src/public_key.erl11
-rw-r--r--lib/ssl/doc/src/new_ssl.xml7
-rw-r--r--lib/ssl/src/ssl.erl6
-rw-r--r--lib/ssl/src/ssl_certificate.erl53
-rw-r--r--lib/ssl/src/ssl_connection.erl269
-rw-r--r--lib/ssl/src/ssl_handshake.erl31
-rw-r--r--lib/ssl/src/ssl_internal.hrl2
-rw-r--r--lib/ssl/test/ssl_basic_SUITE.erl215
-rw-r--r--lib/ssl/test/ssl_test_lib.erl11
-rw-r--r--lib/ssl/test/ssl_to_openssl_SUITE.erl60
-rw-r--r--lib/ssl/vsn.mk3
-rw-r--r--lib/stdlib/doc/src/ets.xml8
-rw-r--r--lib/stdlib/src/c.erl10
-rw-r--r--lib/stdlib/src/dets_sup.erl10
-rw-r--r--lib/stdlib/src/ets.erl10
-rw-r--r--lib/stdlib/src/gen_event.erl10
-rw-r--r--lib/stdlib/src/gen_fsm.erl10
-rw-r--r--lib/stdlib/src/gen_server.erl10
21 files changed, 492 insertions, 326 deletions
diff --git a/lib/kernel/src/inet6_tcp_dist.erl b/lib/kernel/src/inet6_tcp_dist.erl
index 34cf582af7..fab00bbb9f 100644
--- a/lib/kernel/src/inet6_tcp_dist.erl
+++ b/lib/kernel/src/inet6_tcp_dist.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 1997-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 1997-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
-module(inet6_tcp_dist).
@@ -87,7 +87,7 @@ accept(Listen) ->
accept_loop(Kernel, Listen) ->
case inet6_tcp:accept(Listen) of
{ok, Socket} ->
- Kernel ! {accept,self(),Socket,inet,tcp},
+ Kernel ! {accept,self(),Socket,inet6,tcp},
controller(Kernel, Socket),
accept_loop(Kernel, Listen);
Error ->
@@ -236,8 +236,8 @@ do_setup(Kernel, Node, Type, MyNode, LongOrShortNames,SetupTime) ->
timer = Timer,
this_flags = 0,
other_version = Version,
- f_send = fun inet_tcp:send/2,
- f_recv = fun inet_tcp:recv/3,
+ f_send = fun inet6_tcp:send/2,
+ f_recv = fun inet6_tcp:recv/3,
f_setopts_pre_nodeup =
fun(S) ->
inet:setopts
@@ -262,7 +262,7 @@ do_setup(Kernel, Node, Type, MyNode, LongOrShortNames,SetupTime) ->
address = {Ip,TcpPort},
host = Address,
protocol = tcp,
- family = inet}
+ family = inet6}
end,
mf_tick = fun ?MODULE:tick/1,
mf_getstat = fun ?MODULE:getstat/1,
@@ -302,12 +302,17 @@ splitnode(Node, LongOrShortNames) ->
Host = lists:append(Tail),
case split_node(Host, $., []) of
[_] when LongOrShortNames =:= longnames ->
- error_msg("** System running to use "
- "fully qualified "
- "hostnames **~n"
- "** Hostname ~s is illegal **~n",
- [Host]),
- ?shutdown(Node);
+ case inet_parse:ipv6strict_address(Host) of
+ {ok, _} ->
+ [Name, Host];
+ _ ->
+ error_msg("** System running to use "
+ "fully qualified "
+ "hostnames **~n"
+ "** Hostname ~s is illegal **~n",
+ [Host]),
+ ?shutdown(Node)
+ end;
L when length(L) > 1, LongOrShortNames =:= shortnames ->
error_msg("** System NOT running to use fully qualified "
"hostnames **~n"
diff --git a/lib/public_key/src/pubkey_cert.erl b/lib/public_key/src/pubkey_cert.erl
index 0ccc74799c..8f7dfa8352 100644
--- a/lib/public_key/src/pubkey_cert.erl
+++ b/lib/public_key/src/pubkey_cert.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2008-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
@@ -455,24 +455,6 @@ validate_extensions([#'Extension'{extnID = ?'id-ce-keyUsage',
AccErr)
end;
-validate_extensions([#'Extension'{extnID = ?'id-ce-extKeyUsage',
- extnValue = KeyUse,
- critical = true} | Rest],
- #path_validation_state{} = ValidationState,
- ExistBasicCon, SelfSigned, UnknownExtensions, Verify,
- AccErr0) ->
- case is_valid_extkey_usage(KeyUse) of
- true ->
- validate_extensions(Rest, ValidationState, ExistBasicCon,
- SelfSigned, UnknownExtensions,
- Verify, AccErr0);
- false ->
- AccErr =
- not_valid({bad_cert, invalid_ext_key_usage}, Verify, AccErr0),
- validate_extensions(Rest, ValidationState, ExistBasicCon,
- SelfSigned, UnknownExtensions, Verify, AccErr)
- end;
-
validate_extensions([#'Extension'{extnID = ?'id-ce-subjectAltName',
extnValue = Names} | Rest],
ValidationState, ExistBasicCon,
@@ -590,13 +572,6 @@ validate_extensions([Extension | Rest], ValidationState,
is_valid_key_usage(KeyUse, Use) ->
lists:member(Use, KeyUse).
-is_valid_extkey_usage(?'id-kp-clientAuth') ->
- true;
-is_valid_extkey_usage(?'id-kp-serverAuth') ->
- true;
-is_valid_extkey_usage(_) ->
- false.
-
validate_subject_alt_names([]) ->
true;
validate_subject_alt_names([AltName | Rest]) ->
diff --git a/lib/public_key/src/pubkey_pem.erl b/lib/public_key/src/pubkey_pem.erl
index abd46fa00e..9fc17b6f73 100644
--- a/lib/public_key/src/pubkey_pem.erl
+++ b/lib/public_key/src/pubkey_pem.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2008-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2008-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
@@ -155,7 +155,7 @@ unhex(S) ->
unhex(S, []).
unhex("", Acc) ->
- lists:reverse(Acc);
+ list_to_binary(lists:reverse(Acc));
unhex([D1, D2 | Rest], Acc) ->
unhex(Rest, [erlang:list_to_integer([D1, D2], 16) | Acc]).
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index 9a90ffe888..157e76bb21 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -28,7 +28,7 @@
encrypt_public/3, decrypt_public/2, decrypt_public/3,
encrypt_private/2, encrypt_private/3, gen_key/1, sign/2, sign/3,
verify_signature/3, verify_signature/4, verify_signature/5,
- pem_to_der/1, pem_to_der/2,
+ pem_to_der/1, pem_to_der/2, der_to_pem/2,
pkix_decode_cert/2, pkix_encode_cert/1, pkix_transform/2,
pkix_is_self_signed/1, pkix_is_fixed_dh_cert/1,
pkix_issuer_id/2,
@@ -163,6 +163,10 @@ pem_to_der(File, Password) when is_list(File) ->
pubkey_pem:read_file(File, Password);
pem_to_der(PemBin, Password) when is_binary(PemBin) ->
pubkey_pem:decode(PemBin, Password).
+
+der_to_pem(File, TypeDerList) ->
+ pubkey_pem:write_file(File, TypeDerList).
+
%%--------------------------------------------------------------------
%% Function: pkix_decode_cert(BerCert, Type) -> {ok, Cert} | {error, Reason}
%%
@@ -314,9 +318,10 @@ sign(Msg, #'RSAPrivateKey'{} = Key) when is_binary(Msg) ->
sign(Msg, #'DSAPrivateKey'{} = Key) when is_binary(Msg) ->
pubkey_crypto:sign(Msg, Key);
-sign(#'OTPTBSCertificate'{signature = SigAlg} = TBSCert, Key) ->
+sign(#'OTPTBSCertificate'{signature = #'SignatureAlgorithm'{algorithm = Alg}
+ = SigAlg} = TBSCert, Key) ->
Msg = pubkey_cert_records:encode_tbs_cert(TBSCert),
- DigestType = pubkey_cert:digest_type(SigAlg),
+ DigestType = pubkey_cert:digest_type(Alg),
Signature = pubkey_crypto:sign(DigestType, Msg, Key),
Cert = #'OTPCertificate'{tbsCertificate= TBSCert,
signatureAlgorithm = SigAlg,
diff --git a/lib/ssl/doc/src/new_ssl.xml b/lib/ssl/doc/src/new_ssl.xml
index a83c2d1383..08868a1b3c 100644
--- a/lib/ssl/doc/src/new_ssl.xml
+++ b/lib/ssl/doc/src/new_ssl.xml
@@ -495,12 +495,15 @@ end
</func>
<func>
- <name>renegotiate(Socket) -> ok</name>
+ <name>renegotiate(Socket) -> ok | {error, Reason}</name>
<fsummary> Initiates a new handshake.</fsummary>
<type>
<v>Socket = sslsocket()</v>
</type>
- <desc><p>Initiates a new handshake.</p>
+ <desc><p>Initiates a new handshake. A notable return value is
+ <c>{error, renegotiation_rejected}</c> indicating that the peer
+ refused to go through with the renegotiation but the connection
+ is still active using the previously negotiated session.</p>
</desc>
</func>
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index da5f750762..95133cb216 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -547,6 +547,7 @@ handle_options(Opts0, Role) ->
fail_if_no_peer_cert = validate_option(fail_if_no_peer_cert,
FailIfNoPeerCert),
verify_client_once = handle_option(verify_client_once, Opts, false),
+ validate_extensions_fun = handle_option(validate_extensions_fun, Opts, undefined),
depth = handle_option(depth, Opts, 1),
certfile = CertFile,
keyfile = handle_option(keyfile, Opts, CertFile),
@@ -563,7 +564,7 @@ handle_options(Opts0, Role) ->
},
CbInfo = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed}),
- SslOptions = [versions, verify, verify_fun,
+ SslOptions = [versions, verify, verify_fun, validate_extensions_fun,
fail_if_no_peer_cert, verify_client_once,
depth, certfile, keyfile,
key, password, cacertfile, dhfile, ciphers,
@@ -598,6 +599,9 @@ validate_option(fail_if_no_peer_cert, Value)
validate_option(verify_client_once, Value)
when Value == true; Value == false ->
Value;
+
+validate_option(validate_extensions_fun, Value) when Value == undefined; is_function(Value) ->
+ Value;
validate_option(depth, Value) when is_integer(Value),
Value >= 0, Value =< 255->
Value;
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index d97b61a5ce..686e90a70c 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2007-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
@@ -29,10 +29,12 @@
-include("ssl_alert.hrl").
-include("ssl_internal.hrl").
-include("ssl_debug.hrl").
+-include_lib("public_key/include/public_key.hrl").
-export([trusted_cert_and_path/3,
certificate_chain/2,
- file_to_certificats/1]).
+ file_to_certificats/1,
+ validate_extensions/6]).
%%====================================================================
%% Internal application API
@@ -87,6 +89,30 @@ file_to_certificats(File) ->
{ok, List} = ssl_manager:cache_pem_file(File),
[Bin || {cert, Bin, not_encrypted} <- List].
+
+%% Validates ssl/tls specific extensions
+validate_extensions([], ValidationState, UnknownExtensions, _, AccErr, _) ->
+ {UnknownExtensions, ValidationState, AccErr};
+
+validate_extensions([#'Extension'{extnID = ?'id-ce-extKeyUsage',
+ extnValue = KeyUse,
+ critical = true} | Rest],
+ ValidationState, UnknownExtensions, Verify, AccErr0, Role) ->
+ case is_valid_extkey_usage(KeyUse, Role) of
+ true ->
+ validate_extensions(Rest, ValidationState, UnknownExtensions,
+ Verify, AccErr0, Role);
+ false ->
+ AccErr =
+ not_valid_extension({bad_cert, invalid_ext_key_usage}, Verify, AccErr0),
+ validate_extensions(Rest, ValidationState, UnknownExtensions, Verify, AccErr, Role)
+ end;
+
+validate_extensions([Extension | Rest], ValidationState, UnknownExtensions,
+ Verify, AccErr, Role) ->
+ validate_extensions(Rest, ValidationState, [Extension | UnknownExtensions],
+ Verify, AccErr, Role).
+
%%--------------------------------------------------------------------
%%% Internal functions
%%--------------------------------------------------------------------
@@ -154,3 +180,18 @@ not_valid(Alert, true, _) ->
throw(Alert);
not_valid(_, false, {ErlCert, Path}) ->
{ErlCert, Path, [{bad_cert, unknown_ca}]}.
+
+is_valid_extkey_usage(KeyUse, client) ->
+ %% Client wants to verify server
+ is_valid_key_usage(KeyUse,?'id-kp-serverAuth');
+is_valid_extkey_usage(KeyUse, server) ->
+ %% Server wants to verify client
+ is_valid_key_usage(KeyUse, ?'id-kp-clientAuth').
+
+is_valid_key_usage(KeyUse, Use) ->
+ lists:member(Use, KeyUse).
+
+not_valid_extension(Error, true, _) ->
+ throw(Error);
+not_valid_extension(Error, false, AccErrors) ->
+ [Error | AccErrors].
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index e04e2dea42..8ff001b172 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -87,7 +87,7 @@
user_data_buffer, % binary()
%% tls_buffer, % Keeps a lookahead one packet if available
log_alert, % boolean()
- renegotiation, % boolean()
+ renegotiation, % {boolean(), From | internal | peer}
recv_during_renegotiation, %boolean()
send_queue % queue()
}).
@@ -222,7 +222,7 @@ peer_certificate(ConnectionPid) ->
%% Description:
%%--------------------------------------------------------------------
renegotiation(ConnectionPid) ->
- send_all_state_event(ConnectionPid, renegotiate).
+ sync_send_all_state_event(ConnectionPid, renegotiate).
%%====================================================================
%% ssl_connection_sup API
@@ -383,32 +383,33 @@ abbreviated(Finished = #finished{},
#state{role = server,
negotiated_version = Version,
tls_handshake_hashes = Hashes,
- session = #session{master_secret = MasterSecret}} = State) ->
+ session = #session{master_secret = MasterSecret}} =
+ State0) ->
case ssl_handshake:verify_connection(Version, Finished, client,
MasterSecret, Hashes) of
verified ->
- ack_connection(State),
+ State = ack_connection(State0),
next_state_connection(State);
#alert{} = Alert ->
- handle_own_alert(Alert, Version, abbreviated, State),
- {stop, normal, State}
+ handle_own_alert(Alert, Version, abbreviated, State0),
+ {stop, normal, State0}
end;
abbreviated(Finished = #finished{},
#state{role = client, tls_handshake_hashes = Hashes0,
session = #session{master_secret = MasterSecret},
- negotiated_version = Version} = State) ->
+ negotiated_version = Version} = State0) ->
case ssl_handshake:verify_connection(Version, Finished, server,
MasterSecret, Hashes0) of
verified ->
- {ConnectionStates, Hashes} = finalize_client_handshake(State),
- ack_connection(State),
+ {ConnectionStates, Hashes} = finalize_client_handshake(State0),
+ State = ack_connection(State0),
next_state_connection(State#state{tls_handshake_hashes = Hashes,
connection_states =
ConnectionStates});
#alert{} = Alert ->
- handle_own_alert(Alert, Version, abbreviated, State),
- {stop, normal, State}
+ handle_own_alert(Alert, Version, abbreviated, State0),
+ {stop, normal, State0}
end.
certify(socket_control, #state{role = server} = State) ->
@@ -435,11 +436,13 @@ certify(#certificate{asn1_certificates = []},
certify(#certificate{} = Cert,
#state{negotiated_version = Version,
+ role = Role,
cert_db_ref = CertDbRef,
ssl_options = Opts} = State) ->
case ssl_handshake:certify(Cert, CertDbRef, Opts#ssl_options.depth,
Opts#ssl_options.verify,
- Opts#ssl_options.verify_fun) of
+ Opts#ssl_options.verify_fun,
+ Opts#ssl_options.validate_extensions_fun, Role) of
{PeerCert, PublicKeyInfo} ->
handle_peer_cert(PeerCert, PublicKeyInfo,
State#state{client_certificate_requested = false});
@@ -464,7 +467,7 @@ certify(#server_key_exchange{} = KeyExchangeMsg,
certify(#server_key_exchange{},
State = #state{role = client, negotiated_version = Version,
key_algorithm = Alg})
- when Alg == rsa; Alg == dh_dss; Alg == dh_rsa ->
+ when Alg == rsa; Alg == dh_dss; Alg == dh_rsa ->
Alert = ?ALERT_REC(?FATAL, ?UNEXPECTED_MESSAGE),
handle_own_alert(Alert, Version, certify_server_key_exchange, State),
{stop, normal, State};
@@ -606,19 +609,19 @@ cipher(#certificate_verify{signature = Signature},
end;
cipher(#finished{} = Finished,
- State = #state{negotiated_version = Version,
- host = Host,
- port = Port,
- role = Role,
- session = #session{master_secret = MasterSecret}
- = Session0,
- tls_handshake_hashes = Hashes}) ->
-
+ #state{negotiated_version = Version,
+ host = Host,
+ port = Port,
+ role = Role,
+ session = #session{master_secret = MasterSecret}
+ = Session0,
+ tls_handshake_hashes = Hashes} = State0) ->
+
case ssl_handshake:verify_connection(Version, Finished,
opposite_role(Role),
MasterSecret, Hashes) of
verified ->
- ack_connection(State),
+ State = ack_connection(State0),
Session = register_session(Role, Host, Port, Session0),
case Role of
client ->
@@ -627,15 +630,15 @@ cipher(#finished{} = Finished,
{NewConnectionStates, NewHashes} =
finalize_server_handshake(State#state{
session = Session}),
- NewState =
- State#state{connection_states = NewConnectionStates,
- session = Session,
- tls_handshake_hashes = NewHashes},
- next_state_connection(NewState)
+ next_state_connection(State#state{connection_states =
+ NewConnectionStates,
+ session = Session,
+ tls_handshake_hashes =
+ NewHashes})
end;
#alert{} = Alert ->
- handle_own_alert(Alert, Version, cipher, State),
- {stop, normal, State}
+ handle_own_alert(Alert, Version, cipher, State0),
+ {stop, normal, State0}
end.
connection(socket_control, #state{role = server} = State) ->
@@ -655,8 +658,7 @@ connection(#hello_request{}, State = #state{host = Host, port = Port,
Transport:send(Socket, BinMsg),
{next_state, hello, next_record(State#state{connection_states =
ConnectionStates1,
- tls_handshake_hashes = Hashes1,
- renegotiation = true})};
+ tls_handshake_hashes = Hashes1})};
connection(#client_hello{} = Hello, #state{role = server} = State) ->
hello(Hello, State).
@@ -681,16 +683,17 @@ handle_event(#ssl_tls{type = ?HANDSHAKE, fragment = Data},
%% This message should not be included in handshake
%% message hashes. Starts new handshake (renegotiation)
Hs0 = ssl_handshake:init_hashes(),
- ?MODULE:SName(Packet, State#state{tls_handshake_hashes=Hs0});
+ ?MODULE:SName(Packet, State#state{tls_handshake_hashes=Hs0,
+ renegotiation = {true, peer}});
({#hello_request{} = Packet, _}, {next_state, SName, State}) ->
%% This message should not be included in handshake
- %% message hashes. If allready in negotiation it will be ignored!
+ %% message hashes. Already in negotiation so it will be ignored!
?MODULE:SName(Packet, State);
({#client_hello{} = Packet, Raw}, {next_state, connection = SName, State}) ->
Hs0 = ssl_handshake:init_hashes(),
Hs1 = ssl_handshake:update_hashes(Hs0, Raw),
?MODULE:SName(Packet, State#state{tls_handshake_hashes=Hs1,
- renegotiation = true});
+ renegotiation = {true, peer}});
({Packet, Raw}, {next_state, SName, State = #state{tls_handshake_hashes=Hs0}}) ->
Hs1 = ssl_handshake:update_hashes(Hs0, Raw),
?MODULE:SName(Packet, State#state{tls_handshake_hashes=Hs1});
@@ -758,18 +761,23 @@ handle_event(#alert{level = ?WARNING, description = ?CLOSE_NOTIFY} = Alert,
_, #state{from = From, role = Role} = State) ->
alert_user(From, Alert, Role),
{stop, normal, State};
-handle_event(#alert{level = ?WARNING} = Alert, StateName,
+
+handle_event(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert, StateName,
+ #state{log_alert = Log, renegotiation = {true, internal}} = State) ->
+ log_alert(Log, StateName, Alert),
+ {stop, normal, State};
+
+handle_event(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert, StateName,
+ #state{log_alert = Log, renegotiation = {true, From}} = State) ->
+ log_alert(Log, StateName, Alert),
+ gen_fsm:reply(From, {error, renegotiation_rejected}),
+ {next_state, connection, next_record(State)};
+
+handle_event(#alert{level = ?WARNING, description = ?USER_CANCELED} = Alert, StateName,
#state{log_alert = Log} = State) ->
log_alert(Log, StateName, Alert),
-%%TODO: Could be user_canceled or no_negotiation should the latter be
- %% treated as fatal?!
- {next_state, StateName, next_record(State)};
-
-handle_event(renegotiate, connection, State) ->
- renegotiate(State);
-handle_event(renegotiate, StateName, State) ->
- %% Already in renegotiate ignore
- {next_state, StateName, State}.
+ {next_state, StateName, next_record(State)}.
+
%%--------------------------------------------------------------------
%% Function:
%% handle_sync_event(Event, From, StateName,
@@ -812,7 +820,8 @@ handle_sync_event({application_data, Data0}, From, connection,
ok
end,
renegotiate(State#state{connection_states = ConnectionStates,
- send_queue = queue:in_r({From, RestData}, SendQueue)})
+ send_queue = queue:in_r({From, RestData}, SendQueue),
+ renegotiation = {true, internal}})
end
catch throw:Error ->
{reply, Error, connection, State}
@@ -892,6 +901,12 @@ handle_sync_event({set_opts, Opts0}, _From, StateName,
end
end;
+handle_sync_event(renegotiate, From, connection, State) ->
+ renegotiate(State#state{renegotiation = {true, From}});
+
+handle_sync_event(renegotiate, _, StateName, State) ->
+ {reply, {error, already_renegotiating}, StateName, State};
+
handle_sync_event(info, _, StateName,
#state{negotiated_version = Version,
session = #session{cipher_suite = Suite}} = State) ->
@@ -940,34 +955,6 @@ handle_info({Protocol, _, Data}, StateName, State =
{stop, normal, State}
end;
-%% %% This is the code for {packet,ssl} removed because it was slower
-%% %% than handling it in erlang.
-%% handle_info(Data = #ssl_tls{}, StateName,
-%% State = #state{tls_buffer = Buffer,
-%% socket = Socket,
-%% connection_states = ConnectionStates0}) ->
-%% case Buffer of
-%% buffer ->
-%% {next_state, StateName, State#state{tls_buffer = [Data]}};
-%% continue ->
-%% inet:setopts(Socket, [{active,once}]),
-%% {Plain, ConnectionStates} =
-%% ssl_record:decode_cipher_text(Data, ConnectionStates0),
-%% gen_fsm:send_all_state_event(self(), Plain),
-%% {next_state, StateName,
-%% State#state{tls_buffer = buffer,
-%% connection_states = ConnectionStates}};
-%% List when is_list(List) ->
-%% {next_state, StateName,
-%% State#state{tls_buffer = Buffer ++ [Data]}}
-%% end;
-
-%% handle_info(CloseMsg = {_, Socket}, StateName0,
-%% #state{socket = Socket,tls_buffer = [Msg]} = State0) ->
-%% %% Hmm we have a ssl_tls msg buffered, handle that first
-%% %% and it proberbly is a close alert
-%% {next_state, StateName0, State0#state{tls_buffer=[Msg,{ssl_close,CloseMsg}]}};
-
handle_info({CloseTag, Socket}, _StateName,
#state{socket = Socket, close_tag = CloseTag,
negotiated_version = Version, host = Host,
@@ -1001,18 +988,23 @@ handle_info(A, StateName, State) ->
%% necessary cleaning up. When it returns, the gen_fsm terminates with
%% Reason. The return value is ignored.
%%--------------------------------------------------------------------
-terminate(_Reason, connection, _S=#state{negotiated_version = Version,
+terminate(_Reason, connection, #state{negotiated_version = Version,
connection_states = ConnectionStates,
transport_cb = Transport,
- socket = Socket}) ->
+ socket = Socket, send_queue = SendQueue,
+ renegotiation = Renegotiate}) ->
+ notify_senders(SendQueue),
+ notify_renegotiater(Renegotiate),
{BinAlert, _} = encode_alert(?ALERT_REC(?WARNING,?CLOSE_NOTIFY),
Version, ConnectionStates),
Transport:send(Socket, BinAlert),
Transport:close(Socket);
-terminate(_Reason, _StateName, _S=#state{transport_cb = Transport,
- socket = Socket}) ->
- Transport:close(Socket),
- ok.
+terminate(_Reason, _StateName, #state{transport_cb = Transport,
+ socket = Socket, send_queue = SendQueue,
+ renegotiation = Renegotiate}) ->
+ notify_senders(SendQueue),
+ notify_renegotiater(Renegotiate),
+ Transport:close(Socket).
%%--------------------------------------------------------------------
%% Function:
@@ -1161,37 +1153,9 @@ sync_send_all_state_event(FsmPid, Event, Timeout) ->
alert_event(Alert) ->
send_all_state_event(self(), Alert).
-
-%% TODO: This clause is not yet supported. Do we need
-%% to support it, not supported by openssl!
-handle_peer_cert(PeerCert, {Algorithm, _, _} = PublicKeyInfo,
- #state{negotiated_version = Version,
- session = Session} =
- State0) when Algorithm == dh_rsa;
- Algorithm == dh_dss ->
- case public_key:pkix_is_fixed_dh_cert(PeerCert) of
- true ->
- %% TODO: extract DH-params from cert and save
- %% Keys and SharedSecret in state.
- %% {P, G, ServerPublicDhKey}= extract .....
- %% Keys = {ClientDhPublicKey, _} =
- %% public_key:gen_key(#'DHParameter'{prime = P, base = G}),
- %%SharedSecret = dh_shared_secret(ServerPublicDhKey,
- %% ClientDhPublicKey,
- %% [P, G]),
- %% ssl_handshake:master_secret ...
- State = State0#state{session =
- Session#session{peer_certificate
- = PeerCert},
- public_key_info = PublicKeyInfo},
- {next_state, certify, next_record(State)};
-
- false ->
- Alert = ?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE),
- handle_own_alert(Alert, Version, certify_certificate, State0),
- {stop, normal, State0}
- end;
-
+%% We do currently not support cipher suites that use fixed DH.
+%% If we want to implement that we should add a code
+%% here to extract DH parameters form cert.
handle_peer_cert(PeerCert, PublicKeyInfo,
#state{session = Session} = State0) ->
State = State0#state{session =
@@ -1374,11 +1338,11 @@ key_exchange(#state{role = server, key_algorithm = Algo} = State)
Algo == dh_rsa ->
State;
-key_exchange(#state{role = server, key_algorithm = rsa_export} = State) ->
+%key_exchange(#state{role = server, key_algorithm = rsa_export} = State) ->
%% TODO when the public key in the server certificate is
%% less than or equal to 512 bits in length dont send key_exchange
%% but do it otherwise
- State;
+% State;
key_exchange(#state{role = server, key_algorithm = Algo,
diffie_hellman_params = Params,
@@ -1411,20 +1375,10 @@ key_exchange(#state{role = server, key_algorithm = Algo,
diffie_hellman_keys = Keys,
tls_handshake_hashes = Hashes1};
-%% TODO: Not yet supported should be by default disabled when supported.
-%% key_exchange(#state{role = server, key_algorithm = dh_anon,
-%% connection_states = ConnectionStates0,
-%% negotiated_version = Version,
-%% tls_handshake_hashes = Hashes0,
-%% socket = Socket,
-%% transport_cb = Transport
-%% } = State) ->
-%% Msg = ssl_handshake:key_exchange(server, anonymous),
-%% {BinMsg, ConnectionStates1, Hashes1} =
-%% encode_handshake(Msg, Version, ConnectionStates0, Hashes0),
-%% Transport:send(Socket, BinMsg),
-%% State#state{connection_states = ConnectionStates1,
-%% tls_handshake_hashes = Hashes1};
+
+%% key_algorithm = dh_anon is not supported. Should be by default disabled
+%% if support is implemented and then we need a key_exchange clause for it
+%% here.
key_exchange(#state{role = client,
connection_states = ConnectionStates0,
@@ -1609,9 +1563,6 @@ handle_server_key(
?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE)
end.
-%%handle_clinet_key(_KeyExchangeMsg, State) ->
-%% State.
-
verify_dh_params(Signed, Hash, {?rsaEncryption, PubKey, _PubKeyparams}) ->
case public_key:decrypt_public(Signed, PubKey,
[{rsa_pad, rsa_pkcs1_padding}]) of
@@ -1815,34 +1766,6 @@ opposite_role(server) ->
send_user(Pid, Msg) ->
Pid ! Msg.
-%% %% This is the code for {packet,ssl} removed because it was slower
-%% %% than handling it in erlang.
-%% next_record(#state{socket = Socket,
-%% tls_buffer = [Msg|Rest],
-%% connection_states = ConnectionStates0} = State) ->
-%% Buffer =
-%% case Rest of
-%% [] ->
-%% inet:setopts(Socket, [{active,once}]),
-%% buffer;
-%% _ -> Rest
-%% end,
-%% case Msg of
-%% #ssl_tls{} ->
-%% {Plain, ConnectionStates} =
-%% ssl_record:decode_cipher_text(Msg, ConnectionStates0),
-%% gen_fsm:send_all_state_event(self(), Plain),
-%% State#state{tls_buffer=Buffer, connection_states = ConnectionStates};
-%% {ssl_close, Msg} ->
-%% self() ! Msg,
-%% State#state{tls_buffer=Buffer}
-%% end;
-%% next_record(#state{socket = Socket, tls_buffer = undefined} = State) ->
-%% inet:setopts(Socket, [{active,once}]),
-%% State#state{tls_buffer=continue};
-%% next_record(State) ->
-%% State#state{tls_buffer=continue}.
-
next_record(#state{tls_cipher_texts = [], socket = Socket} = State) ->
inet:setopts(Socket, [{active,once}]),
State;
@@ -1887,7 +1810,8 @@ next_state_connection(#state{send_queue = Queue0,
ok
end,
renegotiate(State#state{connection_states = ConnectionStates,
- send_queue = queue:in_r({From, RestData}, Queue)})
+ send_queue = queue:in_r({From, RestData}, Queue),
+ renegotiation = {true, internal}})
end;
{empty, Queue0} ->
next_state_is_connection(State)
@@ -1952,7 +1876,7 @@ initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions}, User,
user_data_buffer = <<>>,
log_alert = true,
session_cache_cb = SessionCacheCb,
- renegotiation = false,
+ renegotiation = {false, first},
recv_during_renegotiation = false,
send_queue = queue:new()
}.
@@ -2065,11 +1989,16 @@ mpint_binary(Binary) ->
<<?UINT32(Size), Binary/binary>>.
-ack_connection(#state{renegotiation = true}) ->
- ok;
-ack_connection(#state{renegotiation = false, from = From}) ->
- gen_fsm:reply(From, connected).
-
+ack_connection(#state{renegotiation = {true, Initiater}} = State)
+ when Initiater == internal;
+ Initiater == peer ->
+ State#state{renegotiation = undefined};
+ack_connection(#state{renegotiation = {true, From}} = State) ->
+ gen_fsm:reply(From, ok),
+ State#state{renegotiation = undefined};
+ack_connection(#state{renegotiation = {false, first}, from = From} = State) ->
+ gen_fsm:reply(From, connected),
+ State#state{renegotiation = undefined}.
renegotiate(#state{role = client} = State) ->
%% Handle same way as if server requested
@@ -2089,5 +2018,13 @@ renegotiate(#state{role = server,
Transport:send(Socket, BinMsg),
{next_state, hello, next_record(State#state{connection_states =
ConnectionStates,
- tls_handshake_hashes = Hs0,
- renegotiation = true})}.
+ tls_handshake_hashes = Hs0})}.
+notify_senders(SendQueue) ->
+ lists:foreach(fun({From, _}) ->
+ gen_fsm:reply(From, {error, closed})
+ end, queue:to_list(SendQueue)).
+
+notify_renegotiater({true, From}) when not is_atom(From) ->
+ gen_fsm:reply(From, {error, closed});
+notify_renegotiater(_) ->
+ ok.
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index ff78375b9f..9f5ac7106a 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -32,7 +32,7 @@
-include_lib("public_key/include/public_key.hrl").
-export([master_secret/4, client_hello/4, server_hello/3, hello/2,
- hello_request/0, certify/5, certificate/3,
+ hello_request/0, certify/7, certificate/3,
client_certificate_verify/6,
certificate_verify/6, certificate_request/2,
key_exchange/2, server_key_exchange_hash/2, finished/4,
@@ -161,10 +161,25 @@ hello(#client_hello{client_version = ClientVersion, random = Random} = Hello,
%% Description: Handles a certificate handshake message
%%--------------------------------------------------------------------
certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,
- MaxPathLen, Verify, VerifyFun) ->
+ MaxPathLen, Verify, VerifyFun, ValidateFun, Role) ->
[PeerCert | _] = ASN1Certs,
VerifyBool = verify_bool(Verify),
-
+
+ ValidateExtensionFun =
+ case ValidateFun of
+ undefined ->
+ fun(Extensions, ValidationState, Verify0, AccError) ->
+ ssl_certificate:validate_extensions(Extensions, ValidationState,
+ [], Verify0, AccError, Role)
+ end;
+ Fun ->
+ fun(Extensions, ValidationState, Verify0, AccError) ->
+ {NewExtensions, NewValidationState, NewAccError}
+ = ssl_certificate:validate_extensions(Extensions, ValidationState,
+ [], Verify0, AccError, Role),
+ Fun(NewExtensions, NewValidationState, Verify0, NewAccError)
+ end
+ end,
try
%% Allow missing root_cert and check that with VerifyFun
ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef, false) of
@@ -174,6 +189,8 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,
[{max_path_length,
MaxPathLen},
{verify, VerifyBool},
+ {validate_extensions_fun,
+ ValidateExtensionFun},
{acc_errors,
VerifyErrors}]),
case Result of
@@ -455,7 +472,7 @@ get_tls_handshake_aux(<<?BYTE(Type), ?UINT24(Length),
Body:Length/binary,Rest/binary>>, KeyAlg,
Version, Acc) ->
Raw = <<?BYTE(Type), ?UINT24(Length), Body/binary>>,
- H = dec_hs(Type, Body, key_excahange_alg(KeyAlg), Version),
+ H = dec_hs(Type, Body, key_exchange_alg(KeyAlg), Version),
get_tls_handshake_aux(Rest, KeyAlg, Version, [{H,Raw} | Acc]);
get_tls_handshake_aux(Data, _KeyAlg, _Version, Acc) ->
{lists:reverse(Acc), Data}.
@@ -960,10 +977,10 @@ sig_alg(Alg) when Alg == dh_dss; Alg == dhe_dss ->
sig_alg(_) ->
?NULL.
-key_excahange_alg(rsa) ->
+key_exchange_alg(rsa) ->
?KEY_EXCHANGE_RSA;
-key_excahange_alg(Alg) when Alg == dhe_rsa; Alg == dhe_dss;
+key_exchange_alg(Alg) when Alg == dhe_rsa; Alg == dhe_dss;
Alg == dh_dss; Alg == dh_rsa; Alg == dh_anon ->
?KEY_EXCHANGE_DIFFIE_HELLMAN;
-key_excahange_alg(_) ->
+key_exchange_alg(_) ->
?NULL.
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index ab24c28b2f..8d19abfe1e 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -57,6 +57,8 @@
verify_fun, % fun(CertVerifyErrors) -> boolean()
fail_if_no_peer_cert, % boolean()
verify_client_once, % boolean()
+ %% fun(Extensions, State, Verify, AccError) -> {Extensions, State, AccError}
+ validate_extensions_fun,
depth, % integer()
certfile, % file()
keyfile, % file()
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 7ccd5b617c..ea9796b285 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -26,12 +26,14 @@
-include("test_server.hrl").
-include("test_server_line.hrl").
+-include_lib("public_key/include/public_key.hrl").
-define('24H_in_sec', 86400).
-define(TIMEOUT, 60000).
-define(EXPIRE, 10).
-define(SLEEP, 500).
+
-behaviour(ssl_session_cache_api).
%% For the session cache tests
@@ -166,7 +168,8 @@ all(suite) ->
%%, session_cache_process_list, session_cache_process_mnesia
,reuse_session, reuse_session_expired, server_does_not_want_to_reuse_session,
client_renegotiate, server_renegotiate,
- client_no_wrap_sequence_number, server_no_wrap_sequence_number
+ client_no_wrap_sequence_number, server_no_wrap_sequence_number,
+ extended_key_usage, validate_extensions_fun
].
%% Test cases starts here.
@@ -878,9 +881,8 @@ tcp_connect(suite) ->
[];
tcp_connect(Config) when is_list(Config) ->
- ClientOpts = ?config(client_opts, Config),
ServerOpts = ?config(server_opts, Config),
- {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
TcpOpts = [binary, {reuseaddr, true}],
Server = ssl_test_lib:start_upgrade_server([{node, ServerNode}, {port, 0},
@@ -905,7 +907,7 @@ tcp_connect(Config) when is_list(Config) ->
ssl_test_lib:close(Server).
-dummy(Socket) ->
+dummy(_Socket) ->
%% Should not happen as the ssl connection will not be established
%% due to fatal handshake failiure
exit(kill).
@@ -966,6 +968,7 @@ ekeyfile(Config) when is_list(Config) ->
ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
{from, self()},
{options, BadOpts}]),
+
Client =
ssl_test_lib:start_client_error([{node, ClientNode},
{port, Port}, {host, Hostname},
@@ -1013,6 +1016,7 @@ ecacertfile(Config) when is_list(Config) ->
ClientOpts = [{reuseaddr, true}|?config(client_opts, Config)],
ServerBadOpts = [{reuseaddr, true}|?config(server_bad_ca, Config)],
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
Port = ssl_test_lib:inet_port(ServerNode),
Server0 =
@@ -1059,27 +1063,28 @@ eoptions(Config) when is_list(Config) ->
ClientOpts = ?config(client_opts, Config),
ServerOpts = ?config(server_opts, Config),
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
- Port = ssl_test_lib:inet_port(ServerNode),
+
%% Emulated opts
Server0 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{active, trice} | ServerOpts]}]),
+
Client0 =
ssl_test_lib:start_client_error([{node, ClientNode},
- {port, Port}, {host, Hostname},
- {from, self()},
- {options, [{active, trice} | ClientOpts]}]),
+ {port, 0}, {host, Hostname},
+ {from, self()},
+ {options, [{active, trice} | ClientOpts]}]),
ssl_test_lib:check_result(Server0, {error, {eoptions, {active,trice}}},
- Client0, {error, {eoptions, {active,trice}}}),
+ Client0, {error, {eoptions, {active,trice}}}),
Server1 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{header, a} | ServerOpts]}]),
Client1 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()},
{options, [{header, a} | ClientOpts]}]),
@@ -1087,25 +1092,25 @@ eoptions(Config) when is_list(Config) ->
Client1, {error, {eoptions, {header, a}}}),
Server2 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{mode, a} | ServerOpts]}]),
-
Client2 =
ssl_test_lib:start_client_error([{node, ClientNode},
- {port, Port}, {host, Hostname},
+ {port, 0}, {host, Hostname},
{from, self()},
{options, [{mode, a} | ClientOpts]}]),
ssl_test_lib:check_result(Server2, {error, {eoptions, {mode, a}}},
Client2, {error, {eoptions, {mode, a}}}),
Server3 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{packet, 8.0} | ServerOpts]}]),
+
Client3 =
ssl_test_lib:start_client_error([{node, ClientNode},
- {port, Port}, {host, Hostname},
+ {port, 0}, {host, Hostname},
{from, self()},
{options, [{packet, 8.0} | ClientOpts]}]),
ssl_test_lib:check_result(Server3, {error, {eoptions, {packet, 8.0}}},
@@ -1113,11 +1118,12 @@ eoptions(Config) when is_list(Config) ->
%% ssl
Server4 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{verify, 4} | ServerOpts]}]),
+
Client4 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()},
{options, [{verify, 4} | ClientOpts]}]),
@@ -1125,11 +1131,12 @@ eoptions(Config) when is_list(Config) ->
Client4, {error, {eoptions, {verify, 4}}}),
Server5 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{depth, four} | ServerOpts]}]),
+
Client5 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()},
{options, [{depth, four} | ClientOpts]}]),
@@ -1137,11 +1144,12 @@ eoptions(Config) when is_list(Config) ->
Client5, {error, {eoptions, {depth, four}}}),
Server6 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{cacertfile, ""} | ServerOpts]}]),
+
Client6 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()},
{options, [{cacertfile, ""} | ClientOpts]}]),
@@ -1149,11 +1157,12 @@ eoptions(Config) when is_list(Config) ->
Client6, {error, {eoptions, {cacertfile, ""}}}),
Server7 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{certfile, 'cert.pem'} | ServerOpts]}]),
+
Client7 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()},
{options, [{certfile, 'cert.pem'} | ClientOpts]}]),
@@ -1162,11 +1171,12 @@ eoptions(Config) when is_list(Config) ->
Client7, {error, {eoptions, {certfile, 'cert.pem'}}}),
Server8 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{keyfile,'key.pem' } | ServerOpts]}]),
+
Client8 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()}, {options, [{keyfile, 'key.pem'}
| ClientOpts]}]),
@@ -1175,11 +1185,12 @@ eoptions(Config) when is_list(Config) ->
Client8, {error, {eoptions, {keyfile, 'key.pem'}}}),
Server9 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{key, 'key.pem' } | ServerOpts]}]),
+
Client9 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()}, {options, [{key, 'key.pem'}
| ClientOpts]}]),
@@ -1187,11 +1198,12 @@ eoptions(Config) when is_list(Config) ->
Client9, {error, {eoptions, {key, 'key.pem'}}}),
Server10 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{password, foo} | ServerOpts]}]),
+
Client10 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()},
{options, [{password, foo} | ClientOpts]}]),
@@ -1199,11 +1211,12 @@ eoptions(Config) when is_list(Config) ->
Client10, {error, {eoptions, {password, foo}}}),
%% Misc
Server11 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{ssl_imp, cool} | ServerOpts]}]),
+
Client11 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()},
{options, [{ssl_imp, cool} | ClientOpts]}]),
@@ -1211,11 +1224,12 @@ eoptions(Config) when is_list(Config) ->
Client11, {error, {eoptions, {ssl_imp, cool}}}),
Server12 =
- ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
{from, self()},
{options, [{debug, cool} | ServerOpts]}]),
+
Client12 =
- ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0},
{host, Hostname},
{from, self()},
{options, [{debug, cool} | ClientOpts]}]),
@@ -1874,17 +1888,19 @@ server_require_peer_cert_fail(Config) when is_list(Config) ->
| ?config(server_verification_opts, Config)],
BadClientOpts = ?config(client_opts, Config),
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
- Port = ssl_test_lib:inet_port(ServerNode),
+ Port = ssl_test_lib:inet_port(ServerNode),
+
Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
{from, self()},
{mfa, {?MODULE, send_recv_result, []}},
{options, [{active, false} | ServerOpts]}]),
- Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
- {host, Hostname},
- {from, self()},
- {mfa, {?MODULE, send_recv_result, []}},
- {options, [{active, false} | BadClientOpts]}]),
+
+ Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, send_recv_result, []}},
+ {options, [{active, false} | BadClientOpts]}]),
ssl_test_lib:check_result(Server, {error, esslaccept},
Client, {error, esslconnect}),
@@ -2146,6 +2162,99 @@ server_no_wrap_sequence_number(Config) when is_list(Config) ->
ok.
%%--------------------------------------------------------------------
+extended_key_usage(doc) ->
+ ["Test cert that has a critical extended_key_usage extension"];
+
+extended_key_usage(suite) ->
+ [];
+
+extended_key_usage(Config) when is_list(Config) ->
+ ClientOpts = ?config(client_opts, Config),
+ ServerOpts = ?config(server_opts, Config),
+ DataDir = ?config(data_dir, Config),
+ PrivDir = ?config(priv_dir, Config),
+
+ CertFile = proplists:get_value(certfile, ServerOpts),
+ KeyFile = proplists:get_value(keyfile, ServerOpts),
+ NewCertFile = filename:join(PrivDir, "cert.pem"),
+
+ {ok, [{cert, DerCert, _}]} = public_key:pem_to_der(CertFile),
+
+ {ok, [KeyInfo]} = public_key:pem_to_der(KeyFile),
+
+ {ok, Key} = public_key:decode_private_key(KeyInfo),
+
+ {ok, OTPCert} = public_key:pkix_decode_cert(DerCert, otp),
+
+ ExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-serverAuth']},
+
+ OTPTbsCert = OTPCert#'OTPCertificate'.tbsCertificate,
+
+ Extensions = OTPTbsCert#'OTPTBSCertificate'.extensions,
+
+ NewOTPTbsCert = OTPTbsCert#'OTPTBSCertificate'{extensions = [ExtKeyUsageExt |Extensions]},
+
+ NewDerCert = public_key:sign(NewOTPTbsCert, Key),
+
+ public_key:der_to_pem(NewCertFile, [{cert, NewDerCert}]),
+
+ NewServerOpts = [{certfile, NewCertFile} | proplists:delete(certfile, ServerOpts)],
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, send_recv_result_active, []}},
+ {options, NewServerOpts}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, send_recv_result_active, []}},
+ {options, ClientOpts}]),
+
+ ssl_test_lib:check_result(Server, ok, Client, ok),
+
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
+
+%%--------------------------------------------------------------------
+validate_extensions_fun(doc) ->
+ ["Test that it is possible to specify a validate_extensions_fun"];
+
+validate_extensions_fun(suite) ->
+ [];
+
+validate_extensions_fun(Config) when is_list(Config) ->
+ ClientOpts = ?config(client_verification_opts, Config),
+ ServerOpts = ?config(server_verification_opts, Config),
+ DataDir = ?config(data_dir, Config),
+
+ Fun = fun(Extensions, State, _, AccError) ->
+ {Extensions, State, AccError}
+ end,
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, send_recv_result_active, []}},
+ {options, [{validate_extensions_fun, Fun},
+ {verify, verify_peer} | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, send_recv_result_active, []}},
+ {options,[{validate_extensions_fun, Fun} | ClientOpts]}]),
+
+ ssl_test_lib:check_result(Server, ok, Client, ok),
+
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
+
+%%--------------------------------------------------------------------
%%% Internal functions
%%--------------------------------------------------------------------
send_recv_result(Socket) ->
@@ -2169,18 +2278,22 @@ send_recv_result_active_once(Socket) ->
renegotiate(Socket, Data) ->
- [{session_id, Id} | _ ] = ssl:session_info(Socket),
- ssl:renegotiate(Socket),
+ test_server:format("Renegotiating ~n", []),
+ Result = ssl:renegotiate(Socket),
+ test_server:format("Result ~p~n", [Result]),
ssl:send(Socket, Data),
- test_server:sleep(1000),
- case ssl:session_info(Socket) of
- [{session_id, Id} | _ ] ->
- fail_session_not_renegotiated;
- _ ->
- ok
+ case Result of
+ ok ->
+ ok;
+ %% It is not an error in erlang ssl
+ %% if peer rejects renegotiation.
+ %% Connection will stay up
+ {error, renegotiation_rejected} ->
+ ok;
+ Other ->
+ Other
end.
-
session_cache_process_list(doc) ->
["Test reuse of sessions (short handshake)"];
@@ -2426,7 +2539,7 @@ erlang_ssl_receive(Socket, Data) ->
ok;
Other ->
test_server:fail({unexpected_message, Other})
- after 4000 ->
+ after ?SLEEP * 3 ->
test_server:fail({did_not_get, Data})
end.
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 466e987e3e..63a9bb8d87 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -129,7 +129,11 @@ remove_close_msg(ReconnectTimes) ->
start_client(Args) ->
- spawn_link(?MODULE, run_client, [Args]).
+ Result = spawn_link(?MODULE, run_client, [Args]),
+ receive
+ connected ->
+ Result
+ end.
run_client(Opts) ->
Node = proplists:get_value(node, Opts),
@@ -140,6 +144,7 @@ run_client(Opts) ->
test_server:format("ssl:connect(~p, ~p, ~p)~n", [Host, Port, Options]),
case rpc:call(Node, ssl, connect, [Host, Port, Options]) of
{ok, Socket} ->
+ Pid ! connected,
test_server:format("Client: connected~n", []),
case proplists:get_value(port, Options) of
0 ->
@@ -271,7 +276,7 @@ cert_options(Config) ->
"badcert.pem"]),
BadKeyFile = filename:join([?config(priv_dir, Config),
"badkey.pem"]),
- [{client_opts, [{ssl_imp, new}]},
+ [{client_opts, [{ssl_imp, new},{reuseaddr, true}]},
{client_verification_opts, [{cacertfile, ClientCaCertFile},
{certfile, ClientCertFile},
{keyfile, ClientKeyFile},
@@ -370,7 +375,7 @@ run_upgrade_client(Opts) ->
test_server:format("gen_tcp:connect(~p, ~p, ~p)~n",
[Host, Port, TcpOptions]),
{ok, Socket} = rpc:call(Node, gen_tcp, connect, [Host, Port, TcpOptions]),
-
+
case proplists:get_value(port, Opts) of
0 ->
{ok, {_, NewPort}} = inet:sockname(Socket),
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 624404b556..06e5d2ef18 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -32,6 +32,7 @@
-define(SLEEP, 1000).
-define(OPENSSL_RENEGOTIATE, "r\n").
-define(OPENSSL_QUIT, "Q\n").
+-define(OPENSSL_GARBAGE, "P\n").
%% Test server callback functions
%%--------------------------------------------------------------------
@@ -131,7 +132,8 @@ all(suite) ->
tls1_erlang_client_openssl_server_client_cert,
tls1_erlang_server_openssl_client_client_cert,
tls1_erlang_server_erlang_client_client_cert,
- ciphers
+ ciphers,
+ erlang_client_bad_openssl_server
].
%% Test cases starts here.
@@ -945,6 +947,52 @@ cipher(CipherSuite, Version, Config) ->
Return.
%%--------------------------------------------------------------------
+erlang_client_bad_openssl_server(doc) ->
+ [""];
+erlang_client_bad_openssl_server(suite) ->
+ [];
+erlang_client_bad_openssl_server(Config) when is_list(Config) ->
+ process_flag(trap_exit, true),
+ ServerOpts = ?config(server_verification_opts, Config),
+ ClientOpts = ?config(client_verification_opts, Config),
+
+ {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config),
+
+ Port = ssl_test_lib:inet_port(node()),
+ CertFile = proplists:get_value(certfile, ServerOpts),
+ KeyFile = proplists:get_value(keyfile, ServerOpts),
+
+ Cmd = "openssl s_server -accept " ++ integer_to_list(Port) ++
+ " -cert " ++ CertFile ++ " -key " ++ KeyFile ++ "",
+
+ test_server:format("openssl cmd: ~p~n", [Cmd]),
+
+ OpensslPort = open_port({spawn, Cmd}, [stderr_to_stdout]),
+
+ test_server:sleep(?SLEEP),
+
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, server_sent_garbage, []}},
+ {options,
+ [{versions, [tlsv1]} | ClientOpts]}]),
+
+ %% Send garbage
+ port_command(OpensslPort, ?OPENSSL_GARBAGE),
+
+ test_server:sleep(?SLEEP),
+
+ Client ! server_sent_garbage,
+
+ ssl_test_lib:check_result(Client, true),
+
+ ssl_test_lib:close(Client),
+ %% Clean close down!
+ close_port(OpensslPort),
+ process_flag(trap_exit, false),
+ ok.
+%%--------------------------------------------------------------------
erlang_ssl_receive(Socket, Data) ->
test_server:format("Connection info: ~p~n",
@@ -1014,3 +1062,13 @@ close_loop(Port, Time, SentClose) ->
io:format("Timeout~n",[])
end
end.
+
+
+server_sent_garbage(Socket) ->
+ receive
+ server_sent_garbage ->
+ {error, closed} == ssl:send(Socket, "data")
+ end.
+
+
+
diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index f259e15d68..d385064ae9 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -22,7 +22,8 @@ SSL_VSN = 3.11
TICKETS = OTP-8517 \
OTP-7046 \
OTP-8557 \
- OTP-8560
+ OTP-8560 \
+ OTP-8545
#TICKETS_3.10.9 = OTP-8510
diff --git a/lib/stdlib/doc/src/ets.xml b/lib/stdlib/doc/src/ets.xml
index 7b9f0e7772..ee1befc882 100644
--- a/lib/stdlib/doc/src/ets.xml
+++ b/lib/stdlib/doc/src/ets.xml
@@ -4,7 +4,7 @@
<erlref>
<header>
<copyright>
- <year>1996</year><year>2009</year>
+ <year>1996</year><year>2010</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -13,12 +13,12 @@
compliance with the License. You should have received a copy of the
Erlang Public License along with this software. If not, it can be
retrieved online at http://www.erlang.org/.
-
+
Software distributed under the License is distributed on an "AS IS"
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
the License for the specific language governing rights and limitations
under the License.
-
+
</legalnotice>
<title>ets</title>
@@ -1686,7 +1686,7 @@ true</pre>
</desc>
</func>
<func>
- <name>to_dets(Tab, DetsTab) -> Tab</name>
+ <name>to_dets(Tab, DetsTab) -> DetsTab</name>
<fsummary>Fill a Dets table with objects from an ETS table.</fsummary>
<type>
<v>Tab = tid() | atom()</v>
diff --git a/lib/stdlib/src/c.erl b/lib/stdlib/src/c.erl
index 26ab344e72..e05a1c787f 100644
--- a/lib/stdlib/src/c.erl
+++ b/lib/stdlib/src/c.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 1996-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 1996-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
-module(c).
diff --git a/lib/stdlib/src/dets_sup.erl b/lib/stdlib/src/dets_sup.erl
index 43499a7ad5..8ea2ba9b3f 100644
--- a/lib/stdlib/src/dets_sup.erl
+++ b/lib/stdlib/src/dets_sup.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2002-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 2002-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
-module(dets_sup).
diff --git a/lib/stdlib/src/ets.erl b/lib/stdlib/src/ets.erl
index 5b5723c137..6fc234a16a 100644
--- a/lib/stdlib/src/ets.erl
+++ b/lib/stdlib/src/ets.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 1996-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 1996-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
-module(ets).
diff --git a/lib/stdlib/src/gen_event.erl b/lib/stdlib/src/gen_event.erl
index eb86a6e0fe..27ff9441e6 100644
--- a/lib/stdlib/src/gen_event.erl
+++ b/lib/stdlib/src/gen_event.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 1996-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 1996-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
-module(gen_event).
diff --git a/lib/stdlib/src/gen_fsm.erl b/lib/stdlib/src/gen_fsm.erl
index 1b3854c495..9961646418 100644
--- a/lib/stdlib/src/gen_fsm.erl
+++ b/lib/stdlib/src/gen_fsm.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 1996-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 1996-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
-module(gen_fsm).
diff --git a/lib/stdlib/src/gen_server.erl b/lib/stdlib/src/gen_server.erl
index c1959deeb0..1c9e5270b6 100644
--- a/lib/stdlib/src/gen_server.erl
+++ b/lib/stdlib/src/gen_server.erl
@@ -1,19 +1,19 @@
%%
%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 1996-2009. All Rights Reserved.
-%%
+%%
+%% Copyright Ericsson AB 1996-2010. All Rights Reserved.
+%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
%% compliance with the License. You should have received a copy of the
%% Erlang Public License along with this software. If not, it can be
%% retrieved online at http://www.erlang.org/.
-%%
+%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and limitations
%% under the License.
-%%
+%%
%% %CopyrightEnd%
%%
-module(gen_server).