| Age | Commit message (Collapse) | Author |
|---|
|
|
|
* peterdmv/inets/fix_http_client/OTP-15242:
inets: Prepare for release
inets: Robust handling of 204, 304, 1xx responses
Change-Id: I12dced982907c3462fefb8a4ffaae8b365821f97
|
|
* peterdmv/inets/fix_http_server/OTP-15241:
inets: Do not use chunked encoding with 1xx, 204, 304
Change-Id: I4dc1cb6dc62cc5a090d49248c5fbfbb23f33004f
|
|
Change-Id: I891cc997475780f22a60119778984739d560f203
|
|
All 1xx (informational), 204 (no content), and 304 (not modified)
responses MUST NOT include a message-body, and thus are always
terminated by the first empty line after the header fields.
This implies that chunked encoding MUST NOT be used for these
status codes.
This commit updates the client to gracefully handle responses from
faulty server implementations that can send chunked encoded 204,
304 or 1xx responses.
Change-Id: I2dd502e28b3c6e121640083118fa5c3e479f5194
|
|
|
|
* lars/crypto/multiple-engine-load/OTP-15233:
Updated the engine load functionality
|
|
All 1xx (informational), 204 (no content), and 304 (not modified)
responses MUST NOT include a message-body, and thus are always
terminated by the first empty line after the header fields.
This implies that chunked encoding MUST NOT be used for these
status codes.
Change-Id: If6778165c947e64bc20d1ecab7a669e0b096f1a9
|
|
- engine_load/3/4 can be called multiple times for same engine
if it allows it (eg doesn't contain global data)
- ensure_engine_loaded/2/3 is new functions that guarantees that the engine
is just loaded once by adding it to OpenSSL internal engine list and check that
before loading.
- ensure_engine_unloaded/1/2 is new functions that is used to unload engines loaded with
ensure_engine_loaded (remove it from OpenSSL internal engine list and then unload).
- new utility functions engine_by_id/1, engine_add/1, engine_remove/1,
engine_get_id/1 and engine_get_name/1
|
|
Index records for bag tables with ram_copies was not deleted
after "real" objects where deleted and thus a memory leak.
|
|
A test case unrelated to the patch was accidentally added
when backporting the solution.
|
|
|
|
maint-20
* ingela/inets/maint-20/status-501/ERIERL-218/OTP-15215:
inets: Prepare for release
inets: Use status code 501 when no mod_* handles the request
# Conflicts:
# lib/inets/test/httpd_SUITE.erl
# lib/inets/vsn.mk
|
|
|
|
Conflicts:
lib/inets/test/httpd_SUITE.erl
|
|
|
|
|
|
* dgud/mnesia/add_table_copy_ram/OTP-15226:
Relax add_table_copy restriction
|
|
maint-20
* john/crypto/fix-segfault-on-badarg/OTP-15194/ERL-673:
crypto: Fix crash in compute_key(ecdh, ...) on badarg
|
|
* ingela/ssl/empty-sni/OTP-15168:
ssl: Correct handling of empty server SNI extension
|
|
* ingela/ssl/ECC/ERIERL-210/OTP-15203:
ssl: Make sure that a correct cipher suite is selected
|
|
'john/compiler/fix-deterministic-include-paths/OTP-15204/ERL-679' into maint-20
* john/compiler/fix-deterministic-include-paths/OTP-15204/ERL-679:
Omit include path debug info for +deterministic builds
|
|
* dgud/mnesia/master-nodes/OTP-15221:
Do NOT disc_load from ram_copies when master_node is set
|
|
When term2point was passed a non-binary argument, `my_ecpoint`
would be left uninitialized and the cleanup code would free a
garbage pointer.
|
|
Allow to add replicas even if all other replicas are down when the
other replicase are not stored on disk.
|
|
Compiling the same file with different include paths resulted in
different files with the `+deterministic` flag even if everything
but the paths were identical. This was caused by the absolute path
of each include directory being unconditionally included in a
debug information chunk.
This commit fixes this by only including this information in
non-deterministic builds.
|
|
Setting master_nodes to a node with ram_copies replica and
that node had not loaded the table, could cause it load an
empty table, even though (non master) nodes had disc_replicas.
This meant that tables where unexpected empty after multiple failures
happened. When this happen do not load the table and wait for user
to force_load it on some node, preferably with a disk copy.
|
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
|
|
|
Fix recursion bug when decoding Constructed value within another
value - here the allowed buffer for the recursed decode shall
only be the size of the enclosing value, not the whole buffer.
Return ASN1_ERROR if BER decode recurses more than about 8 kWords.
|
|
|
|
'ingela/inets/error-handling-eisdir-mod-get/ERIERL-207/OTP-15192' into maint-20
* ingela/inets/error-handling-eisdir-mod-get/ERIERL-207/OTP-15192:
inets: Prepare for release
inets: Improve error handling
|
|
* sverker/ic/encode-long-buffer-overflow/OTP-15179:
ic: Tweak tests to provoke more outbuf reallocations
ic: Fix memory leak in oe_ei_decode_wstring
ic: Fix correct external format sizes
|
|
* ingela/ssl/engine-vs-certfile/ERLERL-211/OTP-15193:
ssl: Engine key trumps certfile option
|
|
* ingela/maint-20/chipher-suite-handling/OTP-15178:
ssl: Prepare for release
ssl: Fix test case to only check relevant info for the test
ssl: Correct connection_information on ECC-curves
ssl: No cipher suite sign restriction in TLS-1.2
ssl: Add psk as anonymous key exchange in ssl_handshake:select_hashsign/5
ssl: anon test should use dh or ecdh anon keyexchange
ssl: Correct key_usage check
ssl: Fix ECDSA key decode clause
ssl: Avoid hardcoding of cipher suites and fix ECDH suite handling
ssl: Run all test case combinations
ssl: Correct ECC suite and DTLS ECC handling
|
|
|
|
|
|
|
|
Docs says min _memchunk is 32, so lets use that.
|
|
|
|
longs, longlongs and wchar were too small on 64-bit
which could lead to potential buffer overflow at encoding.
__OE_DOUBLESZ__ was too big, probably due to old text format.
|
|
|
|
Conflicts:
lib/ssl/test/ssl_basic_SUITE.erl
|
|
|
|
Conflicts:
lib/ssl/test/ssl_ECC_SUITE.erl
|
|
Failing to recognize psk as an anonymous key exchange would fail the connection
when trying to decode an undefined certificate.
|
|
|
|
The Key Usage extension is described in section 4.2.1.3 of X.509, with the following possible flags:
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1), -- recent editions of X.509 have
-- renamed this bit to contentCommitment
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
In SSL/TLS, when the server certificate contains a RSA key, then:
either a DHE or ECDHE cipher suite is used, in which case the RSA key
is used for a signature (see section 7.4.3 of RFC 5246: the "Server
Key Exchange" message); this exercises the digitalSignature key usage;
or "plain RSA" is used, with a random value (the 48-byte pre-master
secret) being encrypted by the client with the server's public key
(see section 7.4.7.1 of RFC 5246); this is right in the definition of
the keyEncipherment key usage flag.
dataEncipherment does not apply, because what is encrypted is not
directly meaningful data, but a value which is mostly generated
randomly and used to derive symmetric keys. keyAgreement does not
apply either, because that one is for key agreement algorithms which
are not a case of asymmetric encryption (e.g. Diffie-Hellman). The
keyAgreement usage flag would appear in a certificate which contains a
DH key, not a RSA key. nonRepudiation is not used, because whatever is
signed as part of a SSL/TLS key exchange cannot be used as proof for a
third party (there is nothing in a SSL/TLS tunnel that the client
could record and then use to convince a judge when tring to sue the
server itself; the data which is exchanged within the tunnel is not
signed by the server).
When a ECDSA key is used then "keyAgreement" flag is needed for beeing
ECDH "capable" (as opposed to ephemeral ECDHE)
|
|
|
|
ECDH suite handling did not use the EC parameters form the certs
as expected.
Conflicts:
lib/ssl/src/ssl_cipher.erl
|
