aboutsummaryrefslogtreecommitdiffstats
path: root/lib
AgeCommit message (Collapse)Author
2015-08-25Add service_opt() strict_mbitAnders Svensson
There are differing opinions on whether or not reception of an arbitrary AVP setting the M-bit is an error. 1.3.4 of RFC 6733 says this about how an existing Diameter application may be modified: o The M-bit allows the sender to indicate to the receiver whether or not understanding the semantics of an AVP and its content is mandatory. If the M-bit is set by the sender and the receiver does not understand the AVP or the values carried within that AVP, then a failure is generated (see Section 7). It is the decision of the protocol designer when to develop a new Diameter application rather than extending Diameter in other ways. However, a new Diameter application MUST be created when one or more of the following criteria are met: M-bit Setting An AVP with the M-bit in the MUST column of the AVP flag table is added to an existing Command/Application. An AVP with the M-bit in the MAY column of the AVP flag table is added to an existing Command/Application. The point here is presumably interoperability: that the command grammar should specify explicitly what mandatory AVPs much be understood, and that anything more is an error. On the other hand, 3.2 says thus about command grammars: avp-name = avp-spec / "AVP" ; The string "AVP" stands for *any* arbitrary AVP ; Name, not otherwise listed in that Command Code ; definition. The inclusion of this string ; is recommended for all CCFs to allow for ; extensibility. This renders 1.3.4 pointless unless "*any* AVP" is qualified by "not setting the M-bit", since the sender can effectively violate 1.3.4 without this necessitating an error at the receiver. If clients add arbitrary AVPs setting the M-bit then request handling becomes more implementation-dependent. The current interpretation in diameter is strict: if a command grammar doesn't explicitly allow an AVP setting the M-bit then reception of such an AVP is regarded as an error. The strict_mbit option now allows this behaviour to be changed, false turning all responsibility for the M-bit over to the user.
2015-08-13Update release notesErlang/OTP
2015-08-13Merge branch 'anders/diameter/17.5.6.3/OTP-12927' into maint-17Erlang/OTP
* anders/diameter/17.5.6.3/OTP-12927: vsn -> 1.9.2.1 Update appup for 17.5.6.3
2015-08-13Merge branch 'anders/diameter/17/time/OTP-12926' into maint-17Erlang/OTP
* anders/diameter/17/time/OTP-12926: Simplify time manipulation Remove use of monotonic time in pre-18 code Remove unnecessary redefinition of erlang:max/2
2015-08-13Merge branch 'anders/diameter/grouped_errors/OTP-12930' into maint-17Erlang/OTP
* anders/diameter/grouped_errors/OTP-12930: Fix decode of Grouped AVPs containing errors Simplify logic Simplify logic
2015-08-13Merge branch 'anders/diameter/transport/OTP-12929' into maint-17Erlang/OTP
* anders/diameter/transport/OTP-12929: Fix start order of alternate transports Log discarded answers
2015-08-13Merge branch 'anders/diameter/lcnt/OTP-12912' into maint-17Erlang/OTP
* anders/diameter/lcnt/OTP-12912: Make ets diameter_stats a set Remove unnecessary sorting in stats suite Set ets {write_concurrency, true} on diameter_stats Don't start watchdog timers unnecessarily Remove unnecessary erlang:monitor/2 qualification Add missing watchdog suite clause
2015-08-13Merge branch 'anders/diameter/caseless/OTP-12902' into maint-17Erlang/OTP
* anders/diameter/caseless/OTP-12902: Match allowable peer addresses case insensitively Replace calls to module inet_parse to equivalents in inet
2015-08-13Merge branch 'anders/diameter/grouped_decode/OTP-12879' into maint-17Erlang/OTP
* anders/diameter/grouped_decode/OTP-12879: Fix relay encode of decoded diameter_avp lists
2015-08-13Merge branch 'anders/diameter/decode/OTP-12891' into maint-17Erlang/OTP
* anders/diameter/decode/OTP-12891: Don't compute AVP list length unnecessarily at AVP decode
2015-08-13Merge branch 'anders/diameter/decode/OTP-12871' into maint-17Erlang/OTP
* anders/diameter/decode/OTP-12871: Don't traverse errors list unnecessarily when detecting missing AVPs Don't flag AVP as missing as a consequence of decode error Correct inaccurate doc Truncate potentially large terms passed to diameter_lib:log/4
2015-08-07Make ets diameter_stats a setAnders Svensson
There's no need for it to be ordered, and the ordering has been seen to have an unexpectedly negative impact on performance in some cases. Order when retrieving statistics instead, so as not to change the presentation in diameter:service_info/2.
2015-08-07Remove unnecessary sorting in stats suiteAnders Svensson
The ordering of (ets) diameter_stats (also unnecessary) ensures the sorting.
2015-08-05Simplify time manipulationAnders Svensson
By doing away with more wrapping that the parent commit started to remove.
2015-08-05Remove use of monotonic time in pre-18 codeAnders Svensson
This has been seen to be a bottleneck at high load: each undef results in a loop out to the code server. Originally implemented as suggested in the erts user's guide, in commits e6d19a18 and d4386254.
2015-08-05vsn -> 1.9.2.1Anders Svensson
2015-08-05Update appup for 17.5.6.3Anders Svensson
OTP-12871: 5005 decode OTP-12791: decode performance OTP-12879: grouped decode OTP-12902: caseless address match OTP-12912: fewer timers OTP-12926: pre-18 time diameter_lib must be loaded after modules calling its time-related functions (that have been removed).
2015-08-05Fix start order of alternate transportsAnders Svensson
A transport configured with diameter:add_transport/2 can be passed multiple transport_module/transport_config tuples in order to specify alternate configuration, modules being attempted in order until one succeeds. This is primarily for the connecting case, to allow a transport to be configured to first attempt connection over SCTP, and then TCP in case SCTP fails, with configuration like that documented: {transport_module, diameter_sctp}, {transport_config, [...], 5000}, {transport_module, diameter_tcp}, {transport_config, [...]} If the options are the same in both cases, another possibility would be configuration like this, which attaches the same transport_config to both modules: {transport_module, diameter_sctp}, {transport_module, diameter_tcp}, {transport_config, [...], 5000}, However, in this case the start order was reversed relative to the documented order: first tcp, then sctp. This commit restores the intended order.
2015-08-05Log discarded answersAnders Svensson
To diameter_lib:log/4, which was last motivated in commit 39acfdb0.
2015-08-04Remove unnecessary redefinition of erlang:max/2Anders Svensson
The function already operates on arbitrary terms.
2015-08-04Fix relay encode of decoded diameter_avp listsAnders Svensson
Commit c74b593a fixed the problem that a decoded deep diameter_avp list couldn't be encoded, but did so in the wrong way: there's no need to reencode component AVPs since the Grouped AVP itself already contains the encoded binary. The blunder caused diameter_codec:pack_avp/1 to fail if the first element of the AVP list to be encoded was itself a list. Thanks to Andrzej TrawiƄski for reporting the problem.
2015-08-04Match allowable peer addresses case insensitivelyAnders Svensson
Both diameter_tcp and diameter_sctp can be configured with one or more IP addresses from which connections should be accepted (an 'accept' tuple), specified either as a tuple-valued address or as a regular expression. In the latter case, peer addresses are mapped to string using inet:ntoa/1 and the result matched against the regexp. Since (ipv6) addresses are case insensitive, this should also be the case with the match, but was not.
2015-08-04Replace calls to module inet_parse to equivalents in inetAnders Svensson
Commits b563c796 (R16B) and 0fad6449 (R16B02) added parse_address/1 and ntoa/1 to module inet, providing documented alternatives to address/1 and ntoa/1 in the undocumented (save comments in inet(3)) inet_parse.
2015-08-04Don't compute AVP list length unnecessarily at AVP decodeAnders Svensson
This has had a hugely negative impact on performance when decoding messages containing many AVP: each decode of an AVP having variable arity computed the length of the list of previously decoded AVPs when checking that the allowed arity was not exceeded, even if the allowed arity was infinite, making for O(n^2) cost. Here are some execution times, for diameter_codec:decode/2 on a representative message with n integer AVPs in the Common application (on the host at hand): Before After ------- --------- n = 1K 5 ms 2 ms n = 10K 500 ms 25 ms n = 100K 75 sec 225 ms n = 1M 2.6 sec Note the nearly linear increase following the change. Remove the dire documentation warning for incoming_maxlen as a consequence. It can still be useful to set, but not doing so won't have the same consequences as previously.
2015-08-04Don't traverse errors list unnecessarily when detecting missing AVPsAnders Svensson
Since the list can potentially be long.
2015-08-04Don't flag AVP as missing as a consequence of decode errorAnders Svensson
The decode of an incoming Diameter message uses the record representation to determine whether or not an AVP has been received with the expected arity, the number of AVPs in each field following decode being compared with the arity specified in the message grammar. The problem with this is that decode failure isn't reflected in the record representation, so that an AVP can be appended to the errors field of a diameter_packet record despite an entry for the same AVP already existing. This isn't a fault as much as a misleading error indication, but now only append AVPs that aren't already represented.
2015-08-04Correct inaccurate docAnders Svensson
The warning report was removed in commit 00584303.
2015-08-04Truncate potentially large terms passed to diameter_lib:log/4Anders Svensson
Last visited in commit 00584303.
2015-08-04Set ets {write_concurrency, true} on diameter_statsAnders Svensson
lcnt:inspect/1 recently showed this: lock id #tries collisions [%] time [us] ----- --- ------- --------------- ---------- db_tab diameter_stats 932920 92.9326 330332554
2015-07-19Don't start watchdog timers unnecessarilyAnders Svensson
In particular, restart the timer with each incoming Diameter message, only when the previous timer has expired. Doing so has been seen to result in high lock contention at load, as in the example below: (diameter@test)9> lcnt:conflicts([{print, [name, tries, ratio, time]}]). lock #tries collisions [%] time [us] ----- ------- --------------- ---------- bif_timers 7844528 99.4729 1394434884 db_tab 17240988 1.7947 6286664 timeofday 7358692 5.6729 1399624 proc_link 4814938 2.2736 482985 drv_ev_state 2324012 0.5951 98920 run_queue 21768213 0.2091 63516 pollset 1190174 1.7170 42499 pix_lock 1956 2.5562 39770 make_ref 4697067 0.3669 20211 proc_msgq 9475944 0.0295 5200 timer_wheel 5325966 0.0568 2654 proc_main 10005332 2.8190 1079 pollset_rm_list 59768 1.7752 480
2015-07-19Remove unnecessary erlang:monitor/2 qualificationAnders Svensson
The function has been auto-exported since R14B.
2015-07-19Add missing watchdog suite clauseAnders Svensson
The suite pretends to be gen_tcp-ish in configuring itself to diameter_tcp. The function close/1 can be called as a result.
2015-07-06Prepare releaseErlang/OTP
2015-07-06Handle EINTR in trace_file_drvRickard Green
2015-06-18Fix decode of Grouped AVPs containing errorsAnders Svensson
RFC 6733 says this of Failed-AVP in 7.5: In the case where the offending AVP is embedded within a Grouped AVP, the Failed-AVP MAY contain the grouped AVP, which in turn contains the single offending AVP. The same method MAY be employed if the grouped AVP itself is embedded in yet another grouped AVP and so on. In this case, the Failed-AVP MAY contain the grouped AVP hierarchy up to the single offending AVP. This enables the recipient to detect the location of the offending AVP when embedded in a group. It says this of DIAMETER_INVALID_AVP_LENGTH in 7.1.5: The request contained an AVP with an invalid length. A Diameter message indicating this error MUST include the offending AVPs within a Failed-AVP AVP. In cases where the erroneous AVP length value exceeds the message length or is less than the minimum AVP header length, it is sufficient to include the offending AVP header and a zero filled payload of the minimum required length for the payloads data type. If the AVP is a Grouped AVP, the Grouped AVP header with an empty payload would be sufficient to indicate the offending AVP. In the case where the offending AVP header cannot be fully decoded when the AVP length is less than the minimum AVP header length, it is sufficient to include an offending AVP header that is formulated by padding the incomplete AVP header with zero up to the minimum AVP header length. The AVPs placed in the errors field of a diameter_packet record are intended to be appropriate for inclusion in a Failed-AVP, but neither of the above paragraphs has been followed in the Grouped case: the entire faulty AVP (non-faulty components and all) has been included. This made it impossible to identify the actual faulty AVP in all but simple case. This commit adapts the decode to the RFC, and implements the suggested single faulty AVP, nested in as many Grouped containers as required. The best-effort decode of Failed-AVP in answer messages, initially implemented in commit 0f9cdbaf, is also applied.
2015-06-17Simplify logicAnders Svensson
Testing is_failed() is unnecessary since put/2 a second time will return a previously put 'true'.
2015-06-17Simplify logicAnders Svensson
Failed == undefined implies is_failed() == true. This was true even when the code was written, in commit c2c00fdd.
2015-06-01Update release notesErlang/OTP
2015-06-01Merge branch 'hans/ssh/codenomicon_degradation/OTP-12784' into maint-17Erlang/OTP
* hans/ssh/codenomicon_degradation/OTP-12784: ssh: update ssh version ssh: Plain text message returned for invalid version exchange ssh: Implement keyboard_interactive on server side ssh: Check e and f parameters in kexdh ssh: Set max num algoritms in msg_kexinit negotiation
2015-06-01Merge branch 'ia/ssl/crypto-bad-input/OTP-12783' into maint-17Erlang/OTP
* ia/ssl/crypto-bad-input/OTP-12783: ssl: Prepare for release ssl: Correct handling of bad input to premaster_secret calculation
2015-06-01Merge branch 'ia/ssh/recvbuf/OTP-12782' into maint-17Erlang/OTP
* ia/ssh/recvbuf/OTP-12782: ssh: handle that inet:getopts(Socket, [recbuf]) may return {ok, []}
2015-05-29ssl: Prepare for releaseIngela Anderton Andin
2015-05-29ssl: Correct handling of bad input to premaster_secret calculationIngela Anderton Andin
alert records needs to be thrown from ssl_handshake:premaster_secret/[2/3] so that operations will end up in the catch clause of the invokation of certify_client_key_exchange/3 in ssl_connection.erl, and hence terminate gracefully and not continue to try and calculate the master secret with invalid inputs and crash.
2015-05-29ssh: update ssh versionHans
2015-05-29ssh: Plain text message returned for invalid version exchangeHans
This is how OpenSSH does. The bytes returned will be put on the user's tty, so it is better with text than a ssh_msg_disconnect
2015-05-29ssh: Implement keyboard_interactive on server sideHans
2015-05-29ssh: Check e and f parameters in kexdhHans Nilsson
rfc 4253 says in section 8 that: "Values of 'e' or 'f' that are not in the range [1, p-1] MUST NOT be sent or accepted by either side. If this condition is violated, the key exchange fails." This commit implements the reception check.
2015-05-29ssh: Set max num algoritms in msg_kexinit negotiationHans
This is to prevent some dos-attac scenarios. The limit is hard-coded.
2015-05-29ssh: handle that inet:getopts(Socket, [recbuf]) may return {ok, []}Ingela Anderton Andin
If something bad happens and the socket is closed the call inet:getopts(Socket, [recbuf]) may return {ok, []}. We want to treat this as a fatal error and terminate gracefully. The same goes for the case that inet:getopts returns {error, Reason} that was not handled either.
2015-05-29inets: Prepare for releaseIngela Anderton Andin