| Age | Commit message (Collapse) | Author |
|---|
|
* lars/crypto/multiple-engine-load/OTP-15233:
Updated the engine load functionality
|
|
- engine_load/3/4 can be called multiple times for same engine
if it allows it (eg doesn't contain global data)
- ensure_engine_loaded/2/3 is new functions that guarantees that the engine
is just loaded once by adding it to OpenSSL internal engine list and check that
before loading.
- ensure_engine_unloaded/1/2 is new functions that is used to unload engines loaded with
ensure_engine_loaded (remove it from OpenSSL internal engine list and then unload).
- new utility functions engine_by_id/1, engine_add/1, engine_remove/1,
engine_get_id/1 and engine_get_name/1
|
|
Index records for bag tables with ram_copies was not deleted
after "real" objects where deleted and thus a memory leak.
|
|
A test case unrelated to the patch was accidentally added
when backporting the solution.
|
|
|
|
maint-20
* ingela/inets/maint-20/status-501/ERIERL-218/OTP-15215:
inets: Prepare for release
inets: Use status code 501 when no mod_* handles the request
# Conflicts:
# lib/inets/test/httpd_SUITE.erl
# lib/inets/vsn.mk
|
|
|
|
Conflicts:
lib/inets/test/httpd_SUITE.erl
|
|
|
|
|
|
* dgud/mnesia/add_table_copy_ram/OTP-15226:
Relax add_table_copy restriction
|
|
maint-20
* john/crypto/fix-segfault-on-badarg/OTP-15194/ERL-673:
crypto: Fix crash in compute_key(ecdh, ...) on badarg
|
|
* ingela/ssl/empty-sni/OTP-15168:
ssl: Correct handling of empty server SNI extension
|
|
* ingela/ssl/ECC/ERIERL-210/OTP-15203:
ssl: Make sure that a correct cipher suite is selected
|
|
'john/compiler/fix-deterministic-include-paths/OTP-15204/ERL-679' into maint-20
* john/compiler/fix-deterministic-include-paths/OTP-15204/ERL-679:
Omit include path debug info for +deterministic builds
|
|
* dgud/mnesia/master-nodes/OTP-15221:
Do NOT disc_load from ram_copies when master_node is set
|
|
When term2point was passed a non-binary argument, `my_ecpoint`
would be left uninitialized and the cleanup code would free a
garbage pointer.
|
|
Allow to add replicas even if all other replicas are down when the
other replicase are not stored on disk.
|
|
Compiling the same file with different include paths resulted in
different files with the `+deterministic` flag even if everything
but the paths were identical. This was caused by the absolute path
of each include directory being unconditionally included in a
debug information chunk.
This commit fixes this by only including this information in
non-deterministic builds.
|
|
Setting master_nodes to a node with ram_copies replica and
that node had not loaded the table, could cause it load an
empty table, even though (non master) nodes had disc_replicas.
This meant that tables where unexpected empty after multiple failures
happened. When this happen do not load the table and wait for user
to force_load it on some node, preferably with a disk copy.
|
|
The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.
Alas test code was also wrong hiding the error.
|
|
|
|
Fix recursion bug when decoding Constructed value within another
value - here the allowed buffer for the recursed decode shall
only be the size of the enclosing value, not the whole buffer.
Return ASN1_ERROR if BER decode recurses more than about 8 kWords.
|
|
|
|
'ingela/inets/error-handling-eisdir-mod-get/ERIERL-207/OTP-15192' into maint-20
* ingela/inets/error-handling-eisdir-mod-get/ERIERL-207/OTP-15192:
inets: Prepare for release
inets: Improve error handling
|
|
* sverker/ic/encode-long-buffer-overflow/OTP-15179:
ic: Tweak tests to provoke more outbuf reallocations
ic: Fix memory leak in oe_ei_decode_wstring
ic: Fix correct external format sizes
|
|
* ingela/ssl/engine-vs-certfile/ERLERL-211/OTP-15193:
ssl: Engine key trumps certfile option
|
|
* ingela/maint-20/chipher-suite-handling/OTP-15178:
ssl: Prepare for release
ssl: Fix test case to only check relevant info for the test
ssl: Correct connection_information on ECC-curves
ssl: No cipher suite sign restriction in TLS-1.2
ssl: Add psk as anonymous key exchange in ssl_handshake:select_hashsign/5
ssl: anon test should use dh or ecdh anon keyexchange
ssl: Correct key_usage check
ssl: Fix ECDSA key decode clause
ssl: Avoid hardcoding of cipher suites and fix ECDH suite handling
ssl: Run all test case combinations
ssl: Correct ECC suite and DTLS ECC handling
|
|
|
|
|
|
|
|
Docs says min _memchunk is 32, so lets use that.
|
|
|
|
longs, longlongs and wchar were too small on 64-bit
which could lead to potential buffer overflow at encoding.
__OE_DOUBLESZ__ was too big, probably due to old text format.
|
|
|
|
Conflicts:
lib/ssl/test/ssl_basic_SUITE.erl
|
|
|
|
Conflicts:
lib/ssl/test/ssl_ECC_SUITE.erl
|
|
Failing to recognize psk as an anonymous key exchange would fail the connection
when trying to decode an undefined certificate.
|
|
|
|
The Key Usage extension is described in section 4.2.1.3 of X.509, with the following possible flags:
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1), -- recent editions of X.509 have
-- renamed this bit to contentCommitment
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
In SSL/TLS, when the server certificate contains a RSA key, then:
either a DHE or ECDHE cipher suite is used, in which case the RSA key
is used for a signature (see section 7.4.3 of RFC 5246: the "Server
Key Exchange" message); this exercises the digitalSignature key usage;
or "plain RSA" is used, with a random value (the 48-byte pre-master
secret) being encrypted by the client with the server's public key
(see section 7.4.7.1 of RFC 5246); this is right in the definition of
the keyEncipherment key usage flag.
dataEncipherment does not apply, because what is encrypted is not
directly meaningful data, but a value which is mostly generated
randomly and used to derive symmetric keys. keyAgreement does not
apply either, because that one is for key agreement algorithms which
are not a case of asymmetric encryption (e.g. Diffie-Hellman). The
keyAgreement usage flag would appear in a certificate which contains a
DH key, not a RSA key. nonRepudiation is not used, because whatever is
signed as part of a SSL/TLS key exchange cannot be used as proof for a
third party (there is nothing in a SSL/TLS tunnel that the client
could record and then use to convince a judge when tring to sue the
server itself; the data which is exchanged within the tunnel is not
signed by the server).
When a ECDSA key is used then "keyAgreement" flag is needed for beeing
ECDH "capable" (as opposed to ephemeral ECDHE)
|
|
|
|
ECDH suite handling did not use the EC parameters form the certs
as expected.
Conflicts:
lib/ssl/src/ssl_cipher.erl
|
|
Fix test case code to use keyAgreement for ECDH_ECDSA
Conflicts:
lib/ssl/test/ssl_ECC.erl
lib/ssl/test/ssl_ECC_openssl_SUITE.erl
lib/ssl/test/ssl_to_openssl_SUITE.erl
|
|
When test handling was corrected it was obvious that DTLS ECC handling
was not compleated.
Conflicts:
lib/ssl/src/ssl.erl
lib/ssl/test/Makefile
lib/ssl/test/ssl_ECC.erl
lib/ssl/test/ssl_ECC_SUITE.erl
lib/ssl/test/ssl_ECC_openssl_SUITE.erl
|
|
|
|
|
|
|
|
* sverker/ic/encode-atom-overrun/ERIERL-191/OTP-15160:
ic: Fix buffer overrun bug in oe_ei_encode_atom
|
|
maint-20
* sverker/erl_interface/simultaneous-connect/OTP-15161:
erl_interface: Fix simultaneous connection setup
|
