From 7457930c63725776a57f3b1fbc002dbc48384f81 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Tue, 7 Jun 2016 16:23:48 +0200 Subject: inets: Handle multiple \t in mime types file --- lib/inets/src/http_server/httpd_conf.erl | 7 +- lib/inets/test/httpd_SUITE.erl | 112 ++++++++++++++++++++++++- lib/inets/test/httpd_SUITE_data/mime_types.txt | 100 ++++++++++++++++++++++ 3 files changed, 216 insertions(+), 3 deletions(-) create mode 100644 lib/inets/test/httpd_SUITE_data/mime_types.txt (limited to 'lib') diff --git a/lib/inets/src/http_server/httpd_conf.erl b/lib/inets/src/http_server/httpd_conf.erl index a7783bc1e9..132e1b5b7a 100644 --- a/lib/inets/src/http_server/httpd_conf.erl +++ b/lib/inets/src/http_server/httpd_conf.erl @@ -1004,7 +1004,8 @@ read_config_file(Stream, SoFar) -> %% Ignore commented lines for efficiency later .. read_config_file(Stream, SoFar); Line -> - NewLine = re:replace(clean(Line),"[\t\r\f ]"," ", [{return,list}]), + NewLine = re:replace(white_space_clean(Line), + "[\t\r\f ]"," ", [{return,list}, global]), case NewLine of [] -> %% Also ignore empty lines .. @@ -1020,7 +1021,7 @@ parse_mime_types(Stream,MimeTypesList) -> eof -> eof; String -> - white_space_clean(String) + re:replace(white_space_clean(String), "[\t\r\f ]"," ", [{return,list}, global]) end, parse_mime_types(Stream, MimeTypesList, Line). parse_mime_types(Stream, MimeTypesList, eof) -> @@ -1042,6 +1043,8 @@ parse_mime_types(Stream, MimeTypesList, Line) -> suffixes(_MimeType,[]) -> []; +suffixes(MimeType,[""|Rest]) -> + suffixes(MimeType, Rest); suffixes(MimeType,[Suffix|Rest]) -> [{Suffix,MimeType}|suffixes(MimeType,Rest)]. diff --git a/lib/inets/test/httpd_SUITE.erl b/lib/inets/test/httpd_SUITE.erl index 93520c1cb4..87c504af74 100644 --- a/lib/inets/test/httpd_SUITE.erl +++ b/lib/inets/test/httpd_SUITE.erl @@ -70,7 +70,8 @@ all() -> {group, https_security}, {group, http_reload}, {group, https_reload}, - {group, http_mime_types} + {group, http_mime_types}, + mime_types_format ]. groups() -> @@ -1291,6 +1292,115 @@ non_disturbing(Config) when is_list(Config)-> inets_test_lib:close(Type, Socket), [{server_name, "httpd_non_disturbing_" ++ Version}] = httpd:info(Server, [server_name]). +%%------------------------------------------------------------------------- +mime_types_format(Config) when is_list(Config) -> + DataDir = proplists:get_value(data_dir, Config), + MimeTypes = filename:join(DataDir, "mime_types.txt"), + {ok,[{"wrl","x-world/x-vrml"}, + {"vrml","x-world/x-vrml"}, + {"ice","x-conference/x-cooltalk"}, + {"movie","video/x-sgi-movie"}, + {"avi","video/x-msvideo"}, + {"qt","video/quicktime"}, + {"mov","video/quicktime"}, + {"mpeg","video/mpeg"}, + {"mpg","video/mpeg"}, + {"mpe","video/mpeg"}, + {"sgml","text/x-sgml"}, + {"sgm","text/x-sgml"}, + {"etx","text/x-setext"}, + {"tsv","text/tab-separated-values"}, + {"rtx","text/richtext"}, + {"txt","text/plain"}, + {"html","text/html"}, + {"htm","text/html"}, + {"css","text/css"}, + {"xwd","image/x-xwindowdump"}, + {"xpm","image/x-xpixmap"}, + {"xbm","image/x-xbitmap"}, + {"rgb","image/x-rgb"}, + {"ppm","image/x-portable-pixmap"}, + {"pgm","image/x-portable-graymap"}, + {"pbm","image/x-portable-bitmap"}, + {"pnm","image/x-portable-anymap"}, + {"ras","image/x-cmu-raster"}, + {"tiff","image/tiff"}, + {"tif","image/tiff"}, + {"png","image/png"}, + {"jpeg","image/jpeg"}, + {"jpg","image/jpeg"}, + {"jpe","image/jpeg"}, + {"ief","image/ief"}, + {"gif","image/gif"}, + {"pdb","chemical/x-pdb"}, + {"xyz","chemical/x-pdb"}, + {"wav","audio/x-wav"}, + {"ra","audio/x-realaudio"}, + {"rpm","audio/x-pn-realaudio-plugin"}, + {"ram","audio/x-pn-realaudio"}, + {"aif","audio/x-aiff"}, + {"aiff","audio/x-aiff"}, + {"aifc","audio/x-aiff"}, + {"mpga","audio/mpeg"}, + {"mp2","audio/mpeg"}, + {"au","audio/basic"}, + {"snd","audio/basic"}, + {"zip","application/zip"}, + {"src","application/x-wais-source"}, + {"ustar","application/x-ustar"}, + {"ms","application/x-troff-ms"}, + {"me","application/x-troff-me"}, + {"man","application/x-troff-man"}, + {"t","application/x-troff"}, + {"tr","application/x-troff"}, + {"roff","application/x-troff"}, + {"texinfo","application/x-texinfo"}, + {"texi","application/x-texinfo"}, + {"tex","application/x-tex"}, + {"tcl","application/x-tcl"}, + {"tar","application/x-tar"}, + {"sv4crc","application/x-sv4crc"}, + {"sv4cpio","application/x-sv4cpio"}, + {"sit","application/x-stuffit"}, + {"shar","application/x-shar"}, + {"sh","application/x-sh"}, + {"nc","application/x-netcdf"}, + {"cdf","application/x-netcdf"}, + {"mif","application/x-mif"}, + {"latex","application/x-latex"}, + {"skp","application/x-koan"}, + {"skd","application/x-koan"}, + {"skt","application/x-koan"}, + {"skm","application/x-koan"}, + {"cgi","application/x-httpd-cgi"}, + {"hdf","application/x-hdf"}, + {"gz","application/x-gzip"}, + {"gtar","application/x-gtar"}, + {"dvi","application/x-dvi"}, + {"dcr","application/x-director"}, + {"dir","application/x-director"}, + {"dxr","application/x-director"}, + {"csh","application/x-csh"}, + {"cpio","application/x-cpio"}, + {"Z","application/x-compress"}, + {"vcd","application/x-cdlink"}, + {"bcpio","application/x-bcpio"}, + {"rtf","application/rtf"}, + {"ppt","application/powerpoint"}, + {"ai","application/postscript"}, + {"eps","application/postscript"}, + {"ps","application/postscript"}, + {"pdf","application/pdf"}, + {"oda","application/oda"}, + {"bin","application/octet-stream"}, + {"dms","application/octet-stream"}, + {"lha","application/octet-stream"}, + {"lzh","application/octet-stream"}, + {"exe","application/octet-stream"}, + {"class","application/octet-stream"}, + {"doc","application/msword"}, + {"cpt","application/mac-compactpro"}, + {"hqx","application/mac-binhex40"}]} = httpd_conf:load_mime_types(MimeTypes). %%-------------------------------------------------------------------- %% Internal functions ----------------------------------- diff --git a/lib/inets/test/httpd_SUITE_data/mime_types.txt b/lib/inets/test/httpd_SUITE_data/mime_types.txt new file mode 100644 index 0000000000..3149a119d5 --- /dev/null +++ b/lib/inets/test/httpd_SUITE_data/mime_types.txt @@ -0,0 +1,100 @@ +# This is a comment. I love comments. + + +application/activemessage +application/andrew-inset +application/applefile +application/atomicmail +application/dca-rft +application/dec-dx +application/mac-binhex40 hqx +application/mac-compactpro cpt +application/macwriteii +application/msword doc +application/news-message-id +application/news-transmission +application/octet-stream bin dms lha lzh exe class +application/oda oda +application/pdf pdf +application/postscript ai eps ps +application/powerpoint ppt +application/remote-printing +application/rtf rtf +application/slate +application/wita +application/wordperfect5.1 +application/x-bcpio bcpio +application/x-cdlink vcd +application/x-compress Z +application/x-cpio cpio +application/x-csh csh +application/x-director dcr dir dxr +application/x-dvi dvi +application/x-gtar gtar +application/x-gzip gz +application/x-hdf hdf +application/x-httpd-cgi cgi +application/x-koan skp skd skt skm +application/x-latex latex +application/x-mif mif +application/x-netcdf nc cdf +application/x-sh sh +application/x-shar shar +application/x-stuffit sit +application/x-sv4cpio sv4cpio +application/x-sv4crc sv4crc +application/x-tar tar +application/x-tcl tcl +application/x-tex tex +application/x-texinfo texinfo texi +application/x-troff t tr roff +application/x-troff-man man +application/x-troff-me me +application/x-troff-ms ms +application/x-ustar ustar +application/x-wais-source src +application/zip zip +audio/basic au snd +audio/mpeg mpga mp2 +audio/x-aiff aif aiff aifc +audio/x-pn-realaudio ram +audio/x-pn-realaudio-plugin rpm +audio/x-realaudio ra +audio/x-wav wav +chemical/x-pdb pdb xyz +image/gif gif +image/ief ief +image/jpeg jpeg jpg jpe +image/png png +image/tiff tiff tif +image/x-cmu-raster ras +image/x-portable-anymap pnm +image/x-portable-bitmap pbm +image/x-portable-graymap pgm +image/x-portable-pixmap ppm +image/x-rgb rgb +image/x-xbitmap xbm +image/x-xpixmap xpm +image/x-xwindowdump xwd +message/external-body +message/news +message/partial +message/rfc822 +multipart/alternative +multipart/appledouble +multipart/digest +multipart/mixed +multipart/parallel +text/css css +text/html html htm +text/plain txt +text/richtext rtx +text/tab-separated-values tsv +text/x-setext etx +text/x-sgml sgml sgm +video/mpeg mpeg mpg mpe +video/quicktime qt mov +video/x-msvideo avi +video/x-sgi-movie movie +x-conference/x-cooltalk ice +x-world/x-vrml wrl vrml -- cgit v1.2.3 From 0f26c3a6f70d9de52199a470cce1163908c223ff Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Tue, 10 May 2016 12:00:15 +0200 Subject: ssl: ordsets:intersection/2 did not give the expected result Turns out we can not count on the "hashsigns" sent by the client and the supported "hashigns" sets to have required properties of ordsets. --- lib/ssl/src/tls_handshake.erl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl index 102dbba198..f34eebb0e4 100644 --- a/lib/ssl/src/tls_handshake.erl +++ b/lib/ssl/src/tls_handshake.erl @@ -283,7 +283,8 @@ available_signature_algs(undefined, SupportedHashSigns, _, {Major, Minor}) when SupportedHashSigns; available_signature_algs(#hash_sign_algos{hash_sign_algos = ClientHashSigns}, SupportedHashSigns, _, {Major, Minor}) when (Major >= 3) andalso (Minor >= 3) -> - ordsets:intersection(ClientHashSigns, SupportedHashSigns); + sets:to_list(sets:intersection(sets:from_list(ClientHashSigns), + sets:from_list(SupportedHashSigns))); available_signature_algs(_, _, _, _) -> undefined. -- cgit v1.2.3 From f6d9d94d022b61410c7b784ef95acbbcece65467 Mon Sep 17 00:00:00 2001 From: Joe DeVivo Date: Tue, 31 May 2016 11:08:02 +0200 Subject: ssl:recv timeout() can be 0 gen_tcp:recv allows this, and if you're doing something like Transport:recv(Socket, 0, 0), TCP will work and SSL will exit with function_clause There were other cases of this throughout the module. This PR cleans them all up. --- lib/ssl/src/ssl.erl | 40 ++++++++++++++++++++-------------------- lib/ssl/test/ssl_basic_SUITE.erl | 1 + 2 files changed, 21 insertions(+), 20 deletions(-) (limited to 'lib') diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index a97b888fd0..97a1e2b5a8 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -97,7 +97,7 @@ connect(Socket, SslOptions) when is_port(Socket) -> connect(Socket, SslOptions, infinity). connect(Socket, SslOptions0, Timeout) when is_port(Socket), - (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity) -> + (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) -> {Transport,_,_,_} = proplists:get_value(cb_info, SslOptions0, {gen_tcp, tcp, tcp_closed, tcp_error}), EmulatedOptions = ssl_socket:emulated_options(), @@ -123,7 +123,7 @@ connect(Socket, SslOptions0, Timeout) when is_port(Socket), connect(Host, Port, Options) -> connect(Host, Port, Options, infinity). -connect(Host, Port, Options, Timeout) when (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity) -> +connect(Host, Port, Options, Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) -> try handle_options(Options, client) of {ok, Config} -> do_connect(Host,Port,Config,Timeout) @@ -173,7 +173,7 @@ transport_accept(#sslsocket{pid = {ListenSocket, #config{transport_info = {Transport,_,_, _} =CbInfo, connection_cb = ConnectionCb, ssl = SslOpts, - emulated = Tracker}}}, Timeout) when (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity) -> + emulated = Tracker}}}, Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) -> case Transport:accept(ListenSocket, Timeout) of {ok, Socket} -> {ok, EmOpts} = ssl_socket:get_emulated_opts(Tracker), @@ -206,25 +206,25 @@ transport_accept(#sslsocket{pid = {ListenSocket, ssl_accept(ListenSocket) -> ssl_accept(ListenSocket, infinity). -ssl_accept(#sslsocket{} = Socket, Timeout) when (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity) -> +ssl_accept(#sslsocket{} = Socket, Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) -> ssl_connection:handshake(Socket, Timeout); - -ssl_accept(ListenSocket, SslOptions) when is_port(ListenSocket) -> + +ssl_accept(ListenSocket, SslOptions) when is_port(ListenSocket) -> ssl_accept(ListenSocket, SslOptions, infinity). -ssl_accept(#sslsocket{} = Socket, [], Timeout) when (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity)-> +ssl_accept(#sslsocket{} = Socket, [], Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)-> ssl_accept(#sslsocket{} = Socket, Timeout); -ssl_accept(#sslsocket{fd = {_, _, _, Tracker}} = Socket, SslOpts0, Timeout) when - (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity)-> - try - {ok, EmOpts, InheritedSslOpts} = ssl_socket:get_all_opts(Tracker), +ssl_accept(#sslsocket{fd = {_, _, _, Tracker}} = Socket, SslOpts0, Timeout) when + (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)-> + try + {ok, EmOpts, InheritedSslOpts} = ssl_socket:get_all_opts(Tracker), SslOpts = handle_options(SslOpts0, InheritedSslOpts), ssl_connection:handshake(Socket, {SslOpts, emulated_socket_options(EmOpts, #socket_options{})}, Timeout) catch Error = {error, _Reason} -> Error end; ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket), - (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity) -> + (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) -> {Transport,_,_,_} = proplists:get_value(cb_info, SslOptions, {gen_tcp, tcp, tcp_closed, tcp_error}), EmulatedOptions = ssl_socket:emulated_options(), @@ -252,17 +252,17 @@ close(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport,_, _, _} Transport:close(ListenSocket). %%-------------------------------------------------------------------- --spec close(#sslsocket{}, integer() | {pid(), integer()}) -> term(). +-spec close(#sslsocket{}, timeout() | {pid(), integer()}) -> term(). %% %% Description: Close an ssl connection %%-------------------------------------------------------------------- -close(#sslsocket{pid = TLSPid}, - {Pid, Timeout} = DownGrade) when is_pid(TLSPid), - is_pid(Pid), - (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity) -> +close(#sslsocket{pid = TLSPid}, + {Pid, Timeout} = DownGrade) when is_pid(TLSPid), + is_pid(Pid), + (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) -> ssl_connection:close(TLSPid, {close, DownGrade}); -close(#sslsocket{pid = TLSPid}, Timeout) when is_pid(TLSPid), - (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity) -> +close(#sslsocket{pid = TLSPid}, Timeout) when is_pid(TLSPid), + (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) -> ssl_connection:close(TLSPid, {close, Timeout}); close(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport,_, _, _}}}}, _) -> Transport:close(ListenSocket). @@ -286,7 +286,7 @@ send(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport, _, _, _} recv(Socket, Length) -> recv(Socket, Length, infinity). recv(#sslsocket{pid = Pid}, Length, Timeout) when is_pid(Pid), - (is_integer(Timeout) andalso Timeout > 0) or (Timeout == infinity)-> + (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)-> ssl_connection:recv(Pid, Length, Timeout); recv(#sslsocket{pid = {Listen, #config{transport_info = {Transport, _, _, _}}}}, _,_) when is_port(Listen)-> diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index 89cdd40b4c..a0ff7b677b 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -3664,6 +3664,7 @@ basic_test(Config) -> send_recv_result_timeout_client(Socket) -> {error, timeout} = ssl:recv(Socket, 11, 500), + {error, timeout} = ssl:recv(Socket, 11, 0), ssl:send(Socket, "Hello world"), receive Msg -> -- cgit v1.2.3 From 7001063d331e5702ba21bfec3b3d84c06a31fefb Mon Sep 17 00:00:00 2001 From: Kenneth Lakin Date: Sat, 30 Apr 2016 20:17:03 -0700 Subject: ssl: Use cipher suite's PRF in prf/5 Use the negotiated cipher suite's PRF algorithm in calls to ssl:prf/5, rather than a hard-coded one. For TLS 1.0 the PRF algorithm was hard-coded to MD5/SHA1. This was correct 100% of the time. For TLS 1.1 and 1.2 the PRF algorithm was hard-coded to SHA256. This was correct only some of the time for TLS 1.2 and none of the time for TLS 1.1. Because the TLS handshake code calls tls_v1:prf/5 through another path, the handshaking process used the negotiated PRF and did not encounter this bug. A new test (prf) has been added to ssl_basic_SUITE to guard against future breakage. --- lib/ssl/src/ssl_connection.erl | 5 +- lib/ssl/src/ssl_handshake.erl | 12 ++-- lib/ssl/test/ssl_basic_SUITE.erl | 122 ++++++++++++++++++++++++++++++++++++++- 3 files changed, 129 insertions(+), 10 deletions(-) (limited to 'lib') diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index f774873269..0f0072ba34 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -821,7 +821,8 @@ handle_sync_event({prf, Secret, Label, Seed, WantedLength}, _, StateName, SecParams = ConnectionState#connection_state.security_parameters, #security_parameters{master_secret = MasterSecret, client_random = ClientRandom, - server_random = ServerRandom} = SecParams, + server_random = ServerRandom, + prf_algorithm = PRFAlgorithm} = SecParams, Reply = try SecretToUse = case Secret of _ when is_binary(Secret) -> Secret; @@ -832,7 +833,7 @@ handle_sync_event({prf, Secret, Label, Seed, WantedLength}, _, StateName, (client_random, Acc) -> [ClientRandom|Acc]; (server_random, Acc) -> [ServerRandom|Acc] end, [], Seed)), - ssl_handshake:prf(Version, SecretToUse, Label, SeedToUse, WantedLength) + ssl_handshake:prf(Version, PRFAlgorithm, SecretToUse, Label, SeedToUse, WantedLength) catch exit:_ -> {error, badarg}; error:Reason -> {error, Reason} diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 644903cf4b..235d6efbb6 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -74,7 +74,7 @@ ]). %% MISC --export([select_version/3, prf/5, select_hashsign/5, +-export([select_version/3, prf/6, select_hashsign/5, select_hashsign_algs/3, premaster_secret/2, premaster_secret/3, premaster_secret/4]). @@ -564,17 +564,15 @@ server_key_exchange_hash(md5sha, Value) -> server_key_exchange_hash(Hash, Value) -> crypto:hash(Hash, Value). %%-------------------------------------------------------------------- --spec prf(ssl_record:ssl_version(), binary(), binary(), [binary()], non_neg_integer()) -> +-spec prf(ssl_record:ssl_version(), non_neg_integer(), binary(), binary(), [binary()], non_neg_integer()) -> {ok, binary()} | {error, undefined}. %% %% Description: use the TLS PRF to generate key material %%-------------------------------------------------------------------- -prf({3,0}, _, _, _, _) -> +prf({3,0}, _, _, _, _, _) -> {error, undefined}; -prf({3,1}, Secret, Label, Seed, WantedLength) -> - {ok, tls_v1:prf(?MD5SHA, Secret, Label, Seed, WantedLength)}; -prf({3,_N}, Secret, Label, Seed, WantedLength) -> - {ok, tls_v1:prf(?SHA256, Secret, Label, Seed, WantedLength)}. +prf({3,_N}, PRFAlgo, Secret, Label, Seed, WantedLength) -> + {ok, tls_v1:prf(PRFAlgo, Secret, Label, Seed, WantedLength)}. %%-------------------------------------------------------------------- diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index 89cdd40b4c..16211a54c1 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -145,7 +145,8 @@ api_tests() -> versions_option, server_name_indication_option, accept_pool, - new_options_in_accept + new_options_in_accept, + prf ]. session_tests() -> @@ -324,6 +325,31 @@ init_per_testcase(rizzo, Config) -> ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), ct:timetrap({seconds, 40}), Config; +init_per_testcase(prf, Config) -> + ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), + ct:timetrap({seconds, 40}), + case ?config(tc_group_path, Config) of + [] -> Prop = []; + [Prop] -> Prop + end, + case ?config(name, Prop) of + undefined -> TlsVersions = [sslv3, tlsv1, 'tlsv1.1', 'tlsv1.2']; + TlsVersion when is_atom(TlsVersion) -> + TlsVersions = [TlsVersion] + end, + PRFS=[md5, sha, sha256, sha384, sha512], + %All are the result of running tls_v1:prf(PrfAlgo, <<>>, <<>>, <<>>, 16) + %with the specified PRF algorithm + ExpectedPrfResults= + [{md5, <<96,139,180,171,236,210,13,10,28,32,2,23,88,224,235,199>>}, + {sha, <<95,3,183,114,33,169,197,187,231,243,19,242,220,228,70,151>>}, + {sha256, <<166,249,145,171,43,95,158,232,6,60,17,90,183,180,0,155>>}, + {sha384, <<153,182,217,96,186,130,105,85,65,103,123,247,146,91,47,106>>}, + {sha512, <<145,8,98,38,243,96,42,94,163,33,53,49,241,4,127,28>>}, + %TLS 1.0 and 1.1 PRF: + {md5sha, <<63,136,3,217,205,123,200,177,251,211,17,229,132,4,173,80>>}], + TestPlan = prf_create_plan(TlsVersions, PRFS, ExpectedPrfResults), + [{prf_test_plan, TestPlan} | Config]; init_per_testcase(TestCase, Config) when TestCase == ssl_accept_timeout; TestCase == client_closes_socket; @@ -429,6 +455,25 @@ new_options_in_accept(Config) when is_list(Config) -> ssl_test_lib:close(Server), ssl_test_lib:close(Client). %%-------------------------------------------------------------------- +prf() -> + [{doc,"Test that ssl:prf/5 uses the negotiated PRF."}]. +prf(Config) when is_list(Config) -> + TestPlan = ?config(prf_test_plan, Config), + case TestPlan of + [] -> ct:fail({error, empty_prf_test_plan}); + _ -> lists:foreach(fun(Suite) -> + lists:foreach( + fun(Test) -> + V = ?config(tls_ver, Test), + C = ?config(ciphers, Test), + E = ?config(expected, Test), + P = ?config(prf, Test), + prf_run_test(Config, V, C, E, P) + end, Suite) + end, TestPlan) + end. + +%%-------------------------------------------------------------------- connection_info() -> [{doc,"Test the API function ssl:connection_information/1"}]. @@ -3662,6 +3707,81 @@ basic_test(Config) -> ssl_test_lib:close(Server), ssl_test_lib:close(Client). +prf_create_plan(TlsVersions, PRFs, Results) -> + lists:foldl(fun(Ver, Acc) -> + A = prf_ciphers_and_expected(Ver, PRFs, Results), + [A|Acc] + end, [], TlsVersions). +prf_ciphers_and_expected(TlsVer, PRFs, Results) -> + case TlsVer of + TlsVer when TlsVer == sslv3 orelse TlsVer == tlsv1 + orelse TlsVer == 'tlsv1.1' -> + Ciphers = ssl:cipher_suites(), + {_, Expected} = lists:keyfind(md5sha, 1, Results), + [[{tls_ver, TlsVer}, {ciphers, Ciphers}, {expected, Expected}, {prf, md5sha}]]; + 'tlsv1.2' -> + lists:foldl( + fun(PRF, Acc) -> + Ciphers = prf_get_ciphers(TlsVer, PRF), + case Ciphers of + [] -> + ct:log("No ciphers for PRF algorithm ~p. Skipping.", [PRF]), + Acc; + Ciphers -> + {_, Expected} = lists:keyfind(PRF, 1, Results), + [[{tls_ver, TlsVer}, {ciphers, Ciphers}, {expected, Expected}, + {prf, PRF}] | Acc] + end + end, [], PRFs) + end. +prf_get_ciphers(TlsVer, PRF) -> + case TlsVer of + 'tlsv1.2' -> + lists:filter( + fun(C) when tuple_size(C) == 4 andalso + element(4, C) == PRF -> + true; + (_) -> false + end, ssl:cipher_suites()) + end. +prf_run_test(_, TlsVer, [], _, Prf) -> + ct:fail({error, cipher_list_empty, TlsVer, Prf}); +prf_run_test(Config, TlsVer, Ciphers, Expected, Prf) -> + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + BaseOpts = [{active, true}, {versions, [TlsVer]}, {ciphers, Ciphers}], + ServerOpts = BaseOpts ++ ?config(server_opts, Config), + ClientOpts = BaseOpts ++ ?config(client_opts, Config), + Server = ssl_test_lib:start_server( + [{node, ServerNode}, {port, 0}, {from, self()}, + {mfa, {?MODULE, prf_verify_value, [TlsVer, Expected, Prf]}}, + {options, ServerOpts}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client( + [{node, ClientNode}, {port, Port}, + {host, Hostname}, {from, self()}, + {mfa, {?MODULE, prf_verify_value, [TlsVer, Expected, Prf]}}, + {options, ClientOpts}]), + ssl_test_lib:check_result(Server, ok, Client, ok), + ssl_test_lib:close(Server), + ssl_test_lib:close(Client). +prf_verify_value(Socket, TlsVer, Expected, Algo) -> + Ret = ssl:prf(Socket, <<>>, <<>>, [<<>>], 16), + case TlsVer of + sslv3 -> + case Ret of + {error, undefined} -> ok; + _ -> + {error, {expected, {error, undefined}, + got, Ret, tls_ver, TlsVer, prf_algorithm, Algo}} + end; + _ -> + case Ret of + {ok, Expected} -> ok; + {ok, Val} -> {error, {expected, Expected, got, Val, tls_ver, TlsVer, + prf_algorithm, Algo}} + end + end. + send_recv_result_timeout_client(Socket) -> {error, timeout} = ssl:recv(Socket, 11, 500), ssl:send(Socket, "Hello world"), -- cgit v1.2.3 From dacee91d9d2c53073c8af8db6c77a7bf9884ffd0 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Thu, 9 Jun 2016 18:09:45 +0200 Subject: ssl: Prepare for release --- lib/ssl/vsn.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk index 8f4f384497..bd6ecebbd4 100644 --- a/lib/ssl/vsn.mk +++ b/lib/ssl/vsn.mk @@ -1 +1 @@ -SSL_VSN = 7.3.2 +SSL_VSN = 7.3.3 -- cgit v1.2.3 From 26dae7637ddf42419aef0744a2f5bd57d17f6416 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Thu, 9 Jun 2016 17:13:02 +0200 Subject: inets: Prepare for release --- lib/inets/vsn.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/inets/vsn.mk b/lib/inets/vsn.mk index a0cf2a9c3f..12ac75a4b9 100644 --- a/lib/inets/vsn.mk +++ b/lib/inets/vsn.mk @@ -19,6 +19,6 @@ # %CopyrightEnd% APPLICATION = inets -INETS_VSN = 6.2.3 +INETS_VSN = 6.2.4 PRE_VSN = APP_VSN = "$(APPLICATION)-$(INETS_VSN)$(PRE_VSN)" -- cgit v1.2.3 From 3415d9274a456a2ba6e3e321b591c4d518c0e2c8 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Fri, 3 Jun 2016 17:00:17 +0200 Subject: ssl: Mitigate load increase when the whole session table is invalidated --- lib/ssl/src/ssl_manager.erl | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'lib') diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl index 311dac4619..8ed29cc6b0 100644 --- a/lib/ssl/src/ssl_manager.erl +++ b/lib/ssl/src/ssl_manager.erl @@ -67,6 +67,7 @@ -define(CLEAN_SESSION_DB, 60000). -define(CLEAN_CERT_DB, 500). -define(DEFAULT_MAX_SESSION_CACHE, 1000). +-define(LOAD_MITIGATION, 10). %%==================================================================== %% API @@ -196,10 +197,12 @@ register_session(Port, Session) -> %%-------------------------------------------------------------------- -spec invalidate_session(host(), inet:port_number(), #session{}) -> ok. invalidate_session(Host, Port, Session) -> + load_mitigation(), cast({invalidate_session, Host, Port, Session}). -spec invalidate_session(inet:port_number(), #session{}) -> ok. invalidate_session(Port, Session) -> + load_mitigation(), cast({invalidate_session, Port, Session}). -spec invalidate_pem(File::binary()) -> ok. @@ -719,3 +722,11 @@ invalidate_session_cache(undefined, CacheCb, Cache) -> start_session_validator(Cache, CacheCb, {invalidate_before, erlang:monotonic_time()}, undefined); invalidate_session_cache(Pid, _CacheCb, _Cache) -> Pid. + +load_mitigation() -> + MSec = rand:uniform(?LOAD_MITIGATION), + receive + after + MSec -> + continue + end. -- cgit v1.2.3 From 7f0b544e5d35af3e341b0a081701c85b2d9e02ee Mon Sep 17 00:00:00 2001 From: Erlang/OTP Date: Mon, 13 Jun 2016 13:21:37 +0200 Subject: Update release notes --- lib/inets/doc/src/notes.xml | 17 ++++++++++++++++- lib/ssl/doc/src/notes.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/inets/doc/src/notes.xml b/lib/inets/doc/src/notes.xml index 00311c57ff..6593be02dc 100644 --- a/lib/inets/doc/src/notes.xml +++ b/lib/inets/doc/src/notes.xml @@ -33,7 +33,22 @@ notes.xml -
Inets 6.2.3 +
Inets 6.2.4 + +
Improvements and New Features + + +

+ Handle multiple \t in mime types file

+

+ Own Id: OTP-13663 Aux Id: seq13132

+
+
+
+ +
+ +
Inets 6.2.3
Improvements and New Features diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 1d6da17785..5b0b5ead20 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -28,6 +28,51 @@

This document describes the changes made to the SSL application.

+
SSL 7.3.3 + +
Fixed Bugs and Malfunctions + + +

+ Correct ssl:prf/5 to use the negotiated cipher suite's + prf function in ssl:prf/5 instead of the default prf.

+

+ Own Id: OTP-13546

+
+ +

+ Timeouts may have the value 0, guards have been corrected + to allow this

+

+ Own Id: OTP-13635

+
+ +

+ Change of internal handling of hash sign pairs as the + used one enforced to much restrictions making some valid + combinations unavailable.

+

+ Own Id: OTP-13670

+
+
+
+ + +
Improvements and New Features + + +

+ Create a little randomness in sending of session + invalidation messages, to mitigate load when whole table + is invalidated.

+

+ Own Id: OTP-13490

+
+
+
+ +
+
SSL 7.3.2
Fixed Bugs and Malfunctions -- cgit v1.2.3