From ca946a3c64573295d289dbd556c375ec5259c4b3 Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Fri, 18 Dec 2015 14:49:43 +0000 Subject: More informative malformed_ssl_dist_opt error --- lib/ssl/src/ssl_tls_dist_proxy.erl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/ssl/src/ssl_tls_dist_proxy.erl b/lib/ssl/src/ssl_tls_dist_proxy.erl index 4c789793ec..75562d6fae 100644 --- a/lib/ssl/src/ssl_tls_dist_proxy.erl +++ b/lib/ssl/src/ssl_tls_dist_proxy.erl @@ -420,8 +420,8 @@ ssl_options(server, ["server_dhfile", Value|T]) -> [{dhfile, Value} | ssl_options(server,T)]; ssl_options(server, ["server_fail_if_no_peer_cert", Value|T]) -> [{fail_if_no_peer_cert, atomize(Value)} | ssl_options(server,T)]; -ssl_options(_,_) -> - exit(malformed_ssl_dist_opt). +ssl_options(Type, Opts) -> + error(malformed_ssl_dist_opt, [Type, Opts]). atomize(List) when is_list(List) -> list_to_atom(List); -- cgit v1.2.3 From 4b3a9cbeaa101603b6eaf6d68976e90780d85fc2 Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Wed, 3 Feb 2016 18:20:39 +0000 Subject: Allow passing verify_fun for TLS distribution Accept a value of the form {Module, Function, State} from the command line. This is different from the {Fun, State} that ssl:connect etc expect, since there's no clean way to parse a fun from a command line argument. --- lib/ssl/doc/src/ssl_distribution.xml | 9 +++-- lib/ssl/src/ssl_tls_dist_proxy.erl | 18 +++++++++ lib/ssl/test/ssl_dist_SUITE.erl | 75 +++++++++++++++++++++++++++++++++++- 3 files changed, 97 insertions(+), 5 deletions(-) (limited to 'lib') diff --git a/lib/ssl/doc/src/ssl_distribution.xml b/lib/ssl/doc/src/ssl_distribution.xml index dc04d446b0..db867ea74b 100644 --- a/lib/ssl/doc/src/ssl_distribution.xml +++ b/lib/ssl/doc/src/ssl_distribution.xml @@ -196,6 +196,7 @@ Eshell V5.0 (abort with ^G) password cacertfile verify + verify_fun (write as {Module, Function, InitialUserState}) reuse_sessions secure_renegotiate depth 
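Review bot: The new catch-all hands the whole remaining option list to the exception, `error(malformed_ssl_dist_opt, [Type, Opts])`, and that list can still contain a `server_password`/`client_password` value (the option list documented in this series includes `password`), which then lands verbatim in the crash report and error log. Reporting only the offending option name, e.g. `error(malformed_ssl_dist_opt, [Type, lists:sublist(Opts, 1)])`, keeps the diagnostic informative without logging secrets. Switching from `exit/1` to `error/2` also changes the exception class, so any caller that catches `exit:malformed_ssl_dist_opt` would no longer match; the callers are outside the hunk, so I cannot tell whether one exists.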
@@ -203,6 +204,10 @@ Eshell V5.0 (abort with ^G) ciphers (use old string format) +

Note that verify_fun needs to be written in a different + form than the corresponding SSL option, since funs are not + accepted on the command line.

+

The server can also take the options dhfile and fail_if_no_peer_cert (also prefixed).

@@ -210,10 +215,6 @@ Eshell V5.0 (abort with ^G) initiates a connection to another node. server_-prefixed options are used when accepting a connection from a remote node.

-

More complex options, such as verify_fun, are currently not - available, but a mechanism to handle such options may be added in - a future release.

-

Raw socket options, such as packet and size must not be specified on the command line.

diff --git a/lib/ssl/src/ssl_tls_dist_proxy.erl b/lib/ssl/src/ssl_tls_dist_proxy.erl index 75562d6fae..33204aa881 100644 --- a/lib/ssl/src/ssl_tls_dist_proxy.erl +++ b/lib/ssl/src/ssl_tls_dist_proxy.erl @@ -396,6 +396,10 @@ ssl_options(server, ["server_verify", Value|T]) -> [{verify, atomize(Value)} | ssl_options(server,T)]; ssl_options(client, ["client_verify", Value|T]) -> [{verify, atomize(Value)} | ssl_options(client,T)]; +ssl_options(server, ["server_verify_fun", Value|T]) -> + [{verify_fun, verify_fun(Value)} | ssl_options(server,T)]; +ssl_options(client, ["client_verify_fun", Value|T]) -> + [{verify_fun, verify_fun(Value)} | ssl_options(client,T)]; ssl_options(server, ["server_reuse_sessions", Value|T]) -> [{reuse_sessions, atomize(Value)} | ssl_options(server,T)]; ssl_options(client, ["client_reuse_sessions", Value|T]) -> @@ -428,6 +432,20 @@ atomize(List) when is_list(List) -> atomize(Atom) when is_atom(Atom) -> Atom. +termify(String) when is_list(String) -> + {ok, Tokens, _} = erl_scan:string(String ++ "."), + {ok, Term} = erl_parse:parse_term(Tokens), + Term. + +verify_fun(Value) -> + case termify(Value) of + {Mod, Func, State} when is_atom(Mod), is_atom(Func) -> + Fun = fun Mod:Func/3, + {Fun, State}; + _ -> + error(malformed_ssl_dist_opt, [Value]) + end. + flush_old_controller(Pid, Socket) -> receive {tcp, Socket, Data} -> diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl index 00f9ee8e3c..b07be0dcad 100644 --- a/lib/ssl/test/ssl_dist_SUITE.erl +++ b/lib/ssl/test/ssl_dist_SUITE.erl @@ -41,7 +41,8 @@ %%-------------------------------------------------------------------- all() -> [basic, payload, plain_options, plain_verify_options, nodelay_option, - listen_port_options, listen_options, connect_options, use_interface]. + listen_port_options, listen_options, connect_options, use_interface, + verify_fun_fail, verify_fun_pass]. groups() -> []. 
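Review bot: `termify/1` (second hunk of this file) turns a scan or parse failure into a `badmatch` on its `{ok, Tokens, _}` and `{ok, Term}` lines, so a mistyped `server_verify_fun` value crashes with an unrelated error rather than the `malformed_ssl_dist_opt` that `verify_fun/1` and the `ssl_options/2` catch-all raise. Matching the `{error, _, _}` and `{error, _}` returns explicitly and raising the same error keeps the command-line diagnostics uniform; a rewrite is below. `fun Mod:Func/3` is also built without checking that `Mod` exists, so a typo in the module name only shows up as `undef` during the first handshake; a comment such as `%% Mod is resolved lazily; an unknown module fails at handshake time` would make that deliberate.
```erlang
termify(String) when is_list(String) ->
    case erl_scan:string(String ++ ".") of
        {ok, Tokens, _} ->
            case erl_parse:parse_term(Tokens) of
                {ok, Term} -> Term;
                {error, _} -> error(malformed_ssl_dist_opt, [String])
            end;
        {error, _, _} ->
            error(malformed_ssl_dist_opt, [String])
    end.

%% … unchanged: verify_fun/1 …
```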
@@ -418,6 +419,78 @@ use_interface(Config) when is_list(Config) -> stop_ssl_node(NH1), success(Config). +%%-------------------------------------------------------------------- +verify_fun_fail() -> + [{doc,"Test specifying verify_fun with a function that always fails"}]. +verify_fun_fail(Config) when is_list(Config) -> + DistOpts = "-ssl_dist_opt " + "server_verify verify_peer server_verify_fun {ssl_dist_SUITE,verify_fail_always,{}} " + "client_verify verify_peer client_verify_fun {ssl_dist_SUITE,verify_fail_always,{}} ", + + NH1 = start_ssl_node([{additional_dist_opts, DistOpts} | Config]), + NH2 = start_ssl_node([{additional_dist_opts, DistOpts} | Config]), + Node2 = NH2#node_handle.nodename, + + pang = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), + + [] = apply_on_ssl_node(NH1, fun () -> nodes() end), + [] = apply_on_ssl_node(NH2, fun () -> nodes() end), + + %% Check that the function ran on the client node. + [{verify_fail_always_ran, true}] = + apply_on_ssl_node(NH1, fun () -> ets:tab2list(verify_fun_ran) end), + %% On the server node, it wouldn't run, because the server didn't + %% request a certificate from the client. + undefined = + apply_on_ssl_node(NH2, fun () -> ets:info(verify_fun_ran) end), + + stop_ssl_node(NH1), + stop_ssl_node(NH2), + success(Config). + +verify_fail_always(_Certificate, _Event, _State) -> + %% Create an ETS table, to record the fact that the verify function ran. + ets:new(verify_fun_ran, [public, named_table, {heir, whereis(ssl_tls_dist_proxy), {}}]), + ets:insert(verify_fun_ran, {verify_fail_always_ran, true}), + {fail, bad_certificate}. + +%%-------------------------------------------------------------------- +verify_fun_pass() -> + [{doc,"Test specifying verify_fun with a function that always succeeds"}]. 
+verify_fun_pass(Config) when is_list(Config) -> + DistOpts = "-ssl_dist_opt " + "server_verify verify_peer server_verify_fun {ssl_dist_SUITE,verify_pass_always,{}} " + "server_fail_if_no_peer_cert true " + "client_verify verify_peer client_verify_fun {ssl_dist_SUITE,verify_pass_always,{}} ", + + NH1 = start_ssl_node([{additional_dist_opts, DistOpts} | Config]), + Node1 = NH1#node_handle.nodename, + NH2 = start_ssl_node([{additional_dist_opts, DistOpts} | Config]), + Node2 = NH2#node_handle.nodename, + + pong = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), + + [Node2] = apply_on_ssl_node(NH1, fun () -> nodes() end), + [Node1] = apply_on_ssl_node(NH2, fun () -> nodes() end), + + %% Check that the function ran on the client node. + [{verify_pass_always_ran, true}] = + apply_on_ssl_node(NH1, fun () -> ets:tab2list(verify_fun_ran) end), + %% Check that it ran on the server node as well. The server + %% requested and verified the client's certificate because we + %% passed fail_if_no_peer_cert. + [{verify_pass_always_ran, true}] = + apply_on_ssl_node(NH2, fun () -> ets:tab2list(verify_fun_ran) end), + + stop_ssl_node(NH1), + stop_ssl_node(NH2), + success(Config). + +verify_pass_always(_Certificate, _Event, State) -> + %% Create an ETS table, to record the fact that the verify function ran. + ets:new(verify_fun_ran, [public, named_table, {heir, whereis(ssl_tls_dist_proxy), {}}]), + ets:insert(verify_fun_ran, {verify_pass_always_ran, true}), + {valid, State}. %%-------------------------------------------------------------------- %%% Internal functions ----------------------------------------------- -- cgit v1.2.3 From f464ded0ae4a4c203a5d01755be84c3e81042e19 Mon Sep 17 00:00:00 2001 
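Review bot: The comment on the server-side assertion in `verify_fun_fail/1`, `%% On the server node, it wouldn't run, because the server didn't request a certificate from the client`, gives a reason that does not match the options a few lines above: `server_verify verify_peer` makes the server request a client certificate. The table is presumably absent because the client's verify function rejects the server certificate and aborts the handshake before its own certificate is sent, which the `pang` result is consistent with; I would reword it to `%% On the server node it wouldn't run: the client rejects the server certificate and aborts the handshake before sending its own.` Separately, `{heir, whereis(ssl_tls_dist_proxy), {}}` in `verify_fail_always/3` and `verify_pass_always/3` evaluates to `{heir, undefined, {}}` when that process is not registered, which I do not believe `ets:new/2` accepts; guarding on `whereis/1` returning a pid would make the failure mode explicit.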
From: Magnus Henoch Date: Thu, 4 Feb 2016 14:36:09 +0000 Subject: TLS distribution: crl_check and crl_cache options Allow specifying the crl_check and crl_cache options for TLS distribution connections. --- lib/ssl/doc/src/ssl_distribution.xml | 2 + lib/ssl/src/ssl_tls_dist_proxy.erl | 8 ++ lib/ssl/test/ssl_dist_SUITE.erl | 176 ++++++++++++++++++++++++++++++++++- 3 files changed, 183 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/ssl/doc/src/ssl_distribution.xml b/lib/ssl/doc/src/ssl_distribution.xml index db867ea74b..b2e633a814 100644 --- a/lib/ssl/doc/src/ssl_distribution.xml +++ b/lib/ssl/doc/src/ssl_distribution.xml @@ -197,6 +197,8 @@ Eshell V5.0 (abort with ^G) cacertfile verify verify_fun (write as {Module, Function, InitialUserState}) + crl_check + crl_cache (write as Erlang term) reuse_sessions secure_renegotiate depth diff --git a/lib/ssl/src/ssl_tls_dist_proxy.erl b/lib/ssl/src/ssl_tls_dist_proxy.erl index 33204aa881..3bffc7a862 100644 --- a/lib/ssl/src/ssl_tls_dist_proxy.erl +++ b/lib/ssl/src/ssl_tls_dist_proxy.erl @@ -400,6 +400,14 @@ ssl_options(server, ["server_verify_fun", Value|T]) -> [{verify_fun, verify_fun(Value)} | ssl_options(server,T)]; ssl_options(client, ["client_verify_fun", Value|T]) -> [{verify_fun, verify_fun(Value)} | ssl_options(client,T)]; +ssl_options(server, ["server_crl_check", Value|T]) -> + [{crl_check, atomize(Value)} | ssl_options(server,T)]; +ssl_options(client, ["client_crl_check", Value|T]) -> + [{crl_check, atomize(Value)} | ssl_options(client,T)]; +ssl_options(server, ["server_crl_cache", Value|T]) -> + [{crl_cache, termify(Value)} | ssl_options(server,T)]; +ssl_options(client, ["client_crl_cache", Value|T]) -> + [{crl_cache, termify(Value)} | ssl_options(client,T)]; ssl_options(server, ["server_reuse_sessions", Value|T]) -> [{reuse_sessions, atomize(Value)} | ssl_options(server,T)]; ssl_options(client, ["client_reuse_sessions", Value|T]) -> 
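Review bot: The new `server_crl_cache`/`client_crl_cache` clauses pass whatever `termify(Value)` parses straight through as `{crl_cache, Term}`, unlike the `verify_fun` clauses directly above them, which validate the shape before building the option. As far as I know ssl expects `{crl_cache, {CallbackModule, DbHandle}}`, so a mistyped value is only reported when the first distribution handshake runs instead of at startup with `malformed_ssl_dist_opt`; a small `crl_cache/1` helper in the style of `verify_fun/1` gives the same diagnostics, see below.
```erlang
ssl_options(server, ["server_crl_cache", Value|T]) ->
    [{crl_cache, crl_cache(Value)} | ssl_options(server,T)];
ssl_options(client, ["client_crl_cache", Value|T]) ->
    [{crl_cache, crl_cache(Value)} | ssl_options(client,T)];
%% … unchanged: remaining ssl_options/2 clauses, atomize/1, termify/1, verify_fun/1 …

%% The crl_cache option is {CallbackModule, DbHandle}; reject anything
%% else at startup rather than during the first handshake.
crl_cache(Value) ->
    case termify(Value) of
        {Mod, _DbHandle} = Cache when is_atom(Mod) -> Cache;
        _ -> error(malformed_ssl_dist_opt, [Value])
    end.
```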
diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl index b07be0dcad..a7cb5576ed 100644 --- a/lib/ssl/test/ssl_dist_SUITE.erl +++ b/lib/ssl/test/ssl_dist_SUITE.erl @@ -21,6 +21,7 @@ -module(ssl_dist_SUITE). -include_lib("common_test/include/ct.hrl"). +-include_lib("public_key/include/public_key.hrl"). %% Note: This directive should only be used in test suites. -compile(export_all). @@ -42,7 +43,8 @@ all() -> [basic, payload, plain_options, plain_verify_options, nodelay_option, listen_port_options, listen_options, connect_options, use_interface, - verify_fun_fail, verify_fun_pass]. + verify_fun_fail, verify_fun_pass, crl_check_pass, crl_check_fail, + crl_check_best_effort, crl_cache_check_pass, crl_cache_check_fail]. groups() -> []. 
@@ -491,6 +493,161 @@ verify_pass_always(_Certificate, _Event, State) -> ets:new(verify_fun_ran, [public, named_table, {heir, whereis(ssl_tls_dist_proxy), {}}]), ets:insert(verify_fun_ran, {verify_pass_always_ran, true}), {valid, State}. +%%-------------------------------------------------------------------- +crl_check_pass() -> + [{doc,"Test crl_check with non-revoked certificate"}]. +crl_check_pass(Config) when is_list(Config) -> + DistOpts = "-ssl_dist_opt client_crl_check true", + NewConfig = + [{many_verify_opts, true}, {additional_dist_opts, DistOpts}] ++ Config, + + NH1 = start_ssl_node(NewConfig), + Node1 = NH1#node_handle.nodename, + NH2 = start_ssl_node(NewConfig), + Node2 = NH2#node_handle.nodename, + + PrivDir = ?config(priv_dir, Config), + cache_crls_on_ssl_nodes(PrivDir, ["erlangCA", "otpCA"], [NH1, NH2]), + + %% The server's certificate is not revoked, so connection succeeds. + pong = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), + + [Node2] = apply_on_ssl_node(NH1, fun () -> nodes() end), + [Node1] = apply_on_ssl_node(NH2, fun () -> nodes() end), + + stop_ssl_node(NH1), + stop_ssl_node(NH2), + success(Config). + +%%-------------------------------------------------------------------- +crl_check_fail() -> + [{doc,"Test crl_check with revoked certificate"}]. +crl_check_fail(Config) when is_list(Config) -> + DistOpts = "-ssl_dist_opt client_crl_check true", + NewConfig = + [{many_verify_opts, true}, + %% The server uses a revoked certificate. + {server_cert_dir, "revoked"}, + {additional_dist_opts, DistOpts}] ++ Config, + + NH1 = start_ssl_node(NewConfig), + %%Node1 = NH1#node_handle.nodename, + NH2 = start_ssl_node(NewConfig), + Node2 = NH2#node_handle.nodename, + + PrivDir = ?config(priv_dir, Config), + cache_crls_on_ssl_nodes(PrivDir, ["erlangCA", "otpCA"], [NH1, NH2]), + + %% The server's certificate is revoked, so connection fails. 
+ pang = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), + + [] = apply_on_ssl_node(NH1, fun () -> nodes() end), + [] = apply_on_ssl_node(NH2, fun () -> nodes() end), + + stop_ssl_node(NH1), + stop_ssl_node(NH2), + success(Config). + +%%-------------------------------------------------------------------- +crl_check_best_effort() -> + [{doc,"Test specifying crl_check as best_effort"}]. +crl_check_best_effort(Config) when is_list(Config) -> + DistOpts = "-ssl_dist_opt " + "server_verify verify_peer server_crl_check best_effort", + NewConfig = + [{many_verify_opts, true}, {additional_dist_opts, DistOpts}] ++ Config, + + %% We don't have the correct CRL at hand, but since crl_check is + %% best_effort, we accept it anyway. + NH1 = start_ssl_node(NewConfig), + Node1 = NH1#node_handle.nodename, + NH2 = start_ssl_node(NewConfig), + Node2 = NH2#node_handle.nodename, + + pong = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), + + [Node2] = apply_on_ssl_node(NH1, fun () -> nodes() end), + [Node1] = apply_on_ssl_node(NH2, fun () -> nodes() end), + + stop_ssl_node(NH1), + stop_ssl_node(NH2), + success(Config). + +%%-------------------------------------------------------------------- +crl_cache_check_pass() -> + [{doc,"Test specifying crl_check with custom crl_cache module"}]. 
+crl_cache_check_pass(Config) when is_list(Config) -> + PrivDir = ?config(priv_dir, Config), + NodeDir = filename:join([PrivDir, "Certs"]), + DistOpts = "-ssl_dist_opt " + "client_crl_check true " + "client_crl_cache {ssl_dist_SUITE,{internal,\\\"" ++ NodeDir ++ "\\\"}}", + NewConfig = + [{many_verify_opts, true}, {additional_dist_opts, DistOpts}] ++ Config, + + NH1 = start_ssl_node(NewConfig), + Node1 = NH1#node_handle.nodename, + NH2 = start_ssl_node(NewConfig), + Node2 = NH2#node_handle.nodename, + + pong = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), + + [Node2] = apply_on_ssl_node(NH1, fun () -> nodes() end), + [Node1] = apply_on_ssl_node(NH2, fun () -> nodes() end), + + stop_ssl_node(NH1), + stop_ssl_node(NH2), + success(Config). + +%%-------------------------------------------------------------------- +crl_cache_check_fail() -> + [{doc,"Test custom crl_cache module with revoked certificate"}]. +crl_cache_check_fail(Config) when is_list(Config) -> + PrivDir = ?config(priv_dir, Config), + NodeDir = filename:join([PrivDir, "Certs"]), + DistOpts = "-ssl_dist_opt " + "client_crl_check true " + "client_crl_cache {ssl_dist_SUITE,{internal,\\\"" ++ NodeDir ++ "\\\"}}", + NewConfig = + [{many_verify_opts, true}, + %% The server uses a revoked certificate. + {server_cert_dir, "revoked"}, + {additional_dist_opts, DistOpts}] ++ Config, + + NH1 = start_ssl_node(NewConfig), + NH2 = start_ssl_node(NewConfig), + Node2 = NH2#node_handle.nodename, + + pang = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end), + + [] = apply_on_ssl_node(NH1, fun () -> nodes() end), + [] = apply_on_ssl_node(NH2, fun () -> nodes() end), + + stop_ssl_node(NH1), + stop_ssl_node(NH2), + success(Config). + +%% ssl_crl_cache_api callbacks +lookup(_DistributionPoint, _DbHandle) -> + not_available. + +select({rdnSequence, NameParts}, {_, NodeDir}) -> + %% Extract the CN from the issuer name... 
+ [CN] = [CN || + [#'AttributeTypeAndValue'{ + type = ?'id-at-commonName', + value = <<_, _, CN/binary>>}] <- NameParts], + %% ...and use that as the directory name to find the CRL. + error_logger:info_report([{found_cn, CN}]), + CRLFile = filename:join([NodeDir, CN, "crl.pem"]), + {ok, PemBin} = file:read_file(CRLFile), + PemEntries = public_key:pem_decode(PemBin), + CRLs = [ CRL || {'CertificateList', CRL, not_encrypted} + <- PemEntries], + CRLs. + +fresh_crl(_DistributionPoint, CRL) -> + CRL. %%-------------------------------------------------------------------- %%% Internal functions ----------------------------------------------- @@ -601,6 +758,19 @@ start_ssl_node_raw(Name, Args) -> exit({failed_to_start_node, Name, Error}) end. +cache_crls_on_ssl_nodes(PrivDir, CANames, NHs) -> + [begin + File = filename:join([PrivDir, "Certs", CAName, "crl.pem"]), + {ok, PemBin} = file:read_file(File), + PemEntries = public_key:pem_decode(PemBin), + CRLs = [ CRL || {'CertificateList', CRL, not_encrypted} + <- PemEntries], + ok = apply_on_ssl_node(NH, ssl_manager, insert_crls, + ["no_distribution_point", CRLs, dist]) + end + || NH <- NHs, CAName <- CANames], + ok. + %% %% command line creation %% @@ -888,8 +1058,8 @@ setup_dist_opts(Config) -> DataDir = ?config(data_dir, Config), Dhfile = filename:join([DataDir, "dHParam.pem"]), NodeDir = filename:join([PrivDir, "Certs"]), - SDir = filename:join([NodeDir, "server"]), - CDir = filename:join([NodeDir, "client"]), + SDir = filename:join([NodeDir, proplists:get_value(server_cert_dir, Config, "server")]), + CDir = filename:join([NodeDir, proplists:get_value(client_cert_dir, Config, "client")]), SC = filename:join([SDir, "cert.pem"]), SK = filename:join([SDir, "key.pem"]), SKC = filename:join([SDir, "keycert.pem"]), -- cgit v1.2.3 From 66d6e66d80bd77a1d289f319b431f0f51ff5877c Mon Sep 17 00:00:00 2001 
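Review bot: In `select/2` the binary pattern `<<_, _, CN/binary>>` silently drops two bytes of the issuer attribute value without saying why; presumably the value is the DER-encoded string and the two bytes are the tag and short-form length, which also means a common name of 128 bytes or more would be mis-sliced. A comment such as `%% value is the raw DER string: skip the 1-byte tag and 1-byte (short-form) length` would document the assumption. Reusing `CN` as the comprehension variable in `[CN] = [CN || ... CN/binary ...]` is legal, since generator-pattern variables are fresh, but reads like a self-reference; naming the inner one `Name` would help. The `error_logger:info_report([{found_cn, CN}])` call looks like leftover debugging output, as none of the other callbacks in the hunk log.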
From: Magnus Henoch Date: Mon, 4 Apr 2016 18:38:45 +0100 Subject: More logging in ssl_dist_SUITE Make SSL nodes used during testing write log messages to a file. Also activate verbose logging of distribution connection events. --- lib/ssl/test/ssl_dist_SUITE.erl | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib') diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl index a7cb5576ed..f7b5f42e48 100644 --- a/lib/ssl/test/ssl_dist_SUITE.erl +++ b/lib/ssl/test/ssl_dist_SUITE.erl @@ -806,11 +806,13 @@ mk_node_cmdline(ListenPort, Name, Args) -> ++ NameSw ++ " " ++ Name ++ " " ++ "-pa " ++ Pa ++ " " ++ "-run application start crypto -run application start public_key " + ++ "-eval 'net_kernel:verbose(1)' " ++ "-run " ++ atom_to_list(?MODULE) ++ " cnct2tstsrvr " ++ host_name() ++ " " ++ integer_to_list(ListenPort) ++ " " ++ Args ++ " " ++ "-env ERL_CRASH_DUMP " ++ Pwd ++ "/erl_crash_dump." ++ Name ++ " " + ++ "-kernel error_logger '{file,\"" ++ Pwd ++ "/error_log." ++ Name ++ "\"}' " ++ "-setcookie " ++ atom_to_list(erlang:get_cookie()). %% -- cgit v1.2.3 From 4db8640612bed0b104c4d66c7acf3ad4d95fc3b0 Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Wed, 27 Apr 2016 15:08:38 +0100 Subject: Fix ssl_dist_SUITE logging on Windows Can't use single quotes to hide double quotes. Let's fix that with more backslashes. --- lib/ssl/test/ssl_dist_SUITE.erl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl index f7b5f42e48..43771eea8e 100644 --- a/lib/ssl/test/ssl_dist_SUITE.erl +++ b/lib/ssl/test/ssl_dist_SUITE.erl 
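Review bot: The added `++ "-eval 'net_kernel:verbose(1)' "` line uses the same single-quote form that the follow-up commit on this page (4db86406, "Can't use single quotes to hide double quotes") replaces for the `-kernel error_logger` line, while the `-eval` line is left unchanged. Where single quotes are not shell quoting, the node receives the argument with the quotes included and evaluates `'net_kernel:verbose(1)'`, which as far as I can tell is just a quoted atom, so verbose distribution logging would silently stay off there. Using the same escaped double quotes as the fixed line, `++ "-eval \"net_kernel:verbose(1)\" "`, keeps the parentheses quoted for sh while working where single quotes are literal.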
@@ -812,7 +812,7 @@ mk_node_cmdline(ListenPort, Name, Args) -> ++ integer_to_list(ListenPort) ++ " " ++ Args ++ " " ++ "-env ERL_CRASH_DUMP " ++ Pwd ++ "/erl_crash_dump." ++ Name ++ " " - ++ "-kernel error_logger '{file,\"" ++ Pwd ++ "/error_log." ++ Name ++ "\"}' " + ++ "-kernel error_logger \"{file,\\\"" ++ Pwd ++ "/error_log." ++ Name ++ "\\\"}\" " ++ "-setcookie " ++ atom_to_list(erlang:get_cookie()). %% -- cgit v1.2.3 From 2b1767d29f7bd9d5d611b28624d9dd8bdbc620ce Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Wed, 27 Apr 2016 17:14:13 +0100 Subject: Fix db handle for TLS distribution crl_cache opts 'internal' is reserved for the ssl_crl_cache module. Since the stub CRL cache implementation in the test module essentially uses the file system as its "database", let's pass the directory as database handle. --- lib/ssl/test/ssl_dist_SUITE.erl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl index 43771eea8e..fa36b424ce 100644 --- a/lib/ssl/test/ssl_dist_SUITE.erl +++ b/lib/ssl/test/ssl_dist_SUITE.erl @@ -581,7 +581,7 @@ crl_cache_check_pass(Config) when is_list(Config) -> NodeDir = filename:join([PrivDir, "Certs"]), DistOpts = "-ssl_dist_opt " "client_crl_check true " - "client_crl_cache {ssl_dist_SUITE,{internal,\\\"" ++ NodeDir ++ "\\\"}}", + "client_crl_cache {ssl_dist_SUITE,{\\\"" ++ NodeDir ++ "\\\",[]}}", NewConfig = [{many_verify_opts, true}, {additional_dist_opts, DistOpts}] ++ Config, @@ -607,7 +607,7 @@ crl_cache_check_fail(Config) when is_list(Config) -> NodeDir = filename:join([PrivDir, "Certs"]), DistOpts = "-ssl_dist_opt " "client_crl_check true " - "client_crl_cache {ssl_dist_SUITE,{internal,\\\"" ++ NodeDir ++ "\\\"}}", + "client_crl_cache {ssl_dist_SUITE,{\\\"" ++ NodeDir ++ "\\\",[]}}", NewConfig = [{many_verify_opts, true}, %% The server uses a revoked certificate. 
@@ -631,7 +631,7 @@ crl_cache_check_fail(Config) when is_list(Config) -> lookup(_DistributionPoint, _DbHandle) -> not_available. -select({rdnSequence, NameParts}, {_, NodeDir}) -> +select({rdnSequence, NameParts}, {NodeDir, _}) -> %% Extract the CN from the issuer name... [CN] = [CN || [#'AttributeTypeAndValue'{ -- cgit v1.2.3 From 79cf49a82bd1e654f05b3be092ee11686ac2828c Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Wed, 27 Apr 2016 17:21:24 +0100 Subject: Avoid disappearing ETS tables in ssl_dist_SUITE When recording the fact that a verify function ran, spawn a new process to own the ETS table, to ensure that it's still there when we want to query it. --- lib/ssl/test/ssl_dist_SUITE.erl | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl index fa36b424ce..6aacc8ecf4 100644 --- a/lib/ssl/test/ssl_dist_SUITE.erl +++ b/lib/ssl/test/ssl_dist_SUITE.erl @@ -452,8 +452,16 @@ verify_fun_fail(Config) when is_list(Config) -> verify_fail_always(_Certificate, _Event, _State) -> %% Create an ETS table, to record the fact that the verify function ran. - ets:new(verify_fun_ran, [public, named_table, {heir, whereis(ssl_tls_dist_proxy), {}}]), - ets:insert(verify_fun_ran, {verify_fail_always_ran, true}), + %% Spawn a new process, to avoid the ETS table disappearing. + Parent = self(), + spawn( + fun() -> + ets:new(verify_fun_ran, [public, named_table]), + ets:insert(verify_fun_ran, {verify_fail_always_ran, true}), + Parent ! go_ahead, + timer:sleep(infinity) + end), + receive go_ahead -> ok end, {fail, bad_certificate}. %%-------------------------------------------------------------------- 
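Review bot: The new `verify_fail_always/3` blocks in `receive go_ahead -> ok end` with no `after` clause and no monitor on the helper it started with bare `spawn`, so if the helper dies before sending `go_ahead` the TLS connection process waits forever. That happens on the second invocation on the same node, because `ets:new(verify_fun_ran, [public, named_table])` raises `badarg` once the table exists (the first helper keeps it alive with `timer:sleep(infinity)`), and as far as I know ssl invokes the verify function once per certificate in the chain and per event. `verify_pass_always/3` in the next hunk (`@@ -490`) has the same structure. Creating the table only when `ets:info(verify_fun_ran)` is `undefined`, using `spawn_monitor/1`, and matching the `'DOWN'` message in the `receive` removes the hang; a shared helper is sketched below (the module already has `-compile(export_all)`, so no export is needed).
```erlang
verify_fail_always(_Certificate, _Event, _State) ->
    record_verify_fun_ran(verify_fail_always_ran),
    {fail, bad_certificate}.

%% Record that a verify function ran, in a named ETS table owned by a
%% separate process so that it outlives the TLS connection process.
%% The table is created once per node; later calls only insert.
record_verify_fun_ran(Key) ->
    case ets:info(verify_fun_ran) of
        undefined ->
            Parent = self(),
            {Pid, Ref} = spawn_monitor(
                fun() ->
                    ets:new(verify_fun_ran, [public, named_table]),
                    Parent ! {verify_fun_ran, self()},
                    timer:sleep(infinity)
                end),
            receive
                {verify_fun_ran, Pid} ->
                    erlang:demonitor(Ref, [flush]);
                {'DOWN', Ref, process, Pid, Reason} ->
                    error({verify_fun_ran_owner_died, Reason})
            end;
        _ ->
            ok
    end,
    ets:insert(verify_fun_ran, {Key, true}).
```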
@@ -490,8 +498,16 @@ verify_fun_pass(Config) when is_list(Config) -> verify_pass_always(_Certificate, _Event, State) -> %% Create an ETS table, to record the fact that the verify function ran. - ets:new(verify_fun_ran, [public, named_table, {heir, whereis(ssl_tls_dist_proxy), {}}]), - ets:insert(verify_fun_ran, {verify_pass_always_ran, true}), + %% Spawn a new process, to avoid the ETS table disappearing. + Parent = self(), + spawn( + fun() -> + ets:new(verify_fun_ran, [public, named_table]), + ets:insert(verify_fun_ran, {verify_pass_always_ran, true}), + Parent ! go_ahead, + timer:sleep(infinity) + end), + receive go_ahead -> ok end, {valid, State}. %%-------------------------------------------------------------------- crl_check_pass() -> -- cgit v1.2.3 From 624fb38a6949fff28a7be80527ce126a26e2ad18 Mon Sep 17 00:00:00 2001 From: Raimo Niskanen Date: Tue, 31 May 2016 18:26:26 +0200 Subject: Quote curly brackets in command line options Some shells i.e the bash emulating sh regard curly brackets as special characters so e.g {a,b,{}} is expanded to a b {} which is by erlang regarded as 3 arguments instead of a 3-tuple. Other shells e.g Bourne classic /bin/sh, the ash/dash variants and public domain Korn shell all avoid this surprise. --- lib/ssl/test/ssl_dist_SUITE.erl | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'lib') diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl index 6aacc8ecf4..16193e6327 100644 --- a/lib/ssl/test/ssl_dist_SUITE.erl +++ b/lib/ssl/test/ssl_dist_SUITE.erl 
@@ -426,8 +426,10 @@ verify_fun_fail() -> [{doc,"Test specifying verify_fun with a function that always fails"}]. verify_fun_fail(Config) when is_list(Config) -> DistOpts = "-ssl_dist_opt " - "server_verify verify_peer server_verify_fun {ssl_dist_SUITE,verify_fail_always,{}} " - "client_verify verify_peer client_verify_fun {ssl_dist_SUITE,verify_fail_always,{}} ", + "server_verify verify_peer server_verify_fun " + "\"{ssl_dist_SUITE,verify_fail_always,{}}\" " + "client_verify verify_peer client_verify_fun " + "\"{ssl_dist_SUITE,verify_fail_always,{}}\" ", NH1 = start_ssl_node([{additional_dist_opts, DistOpts} | Config]), NH2 = start_ssl_node([{additional_dist_opts, DistOpts} | Config]), @@ -469,9 +471,11 @@ verify_fun_pass() -> [{doc,"Test specifying verify_fun with a function that always succeeds"}]. verify_fun_pass(Config) when is_list(Config) -> DistOpts = "-ssl_dist_opt " - "server_verify verify_peer server_verify_fun {ssl_dist_SUITE,verify_pass_always,{}} " + "server_verify verify_peer server_verify_fun " + "\"{ssl_dist_SUITE,verify_pass_always,{}}\" " "server_fail_if_no_peer_cert true " - "client_verify verify_peer client_verify_fun {ssl_dist_SUITE,verify_pass_always,{}} ", + "client_verify verify_peer client_verify_fun " + "\"{ssl_dist_SUITE,verify_pass_always,{}}\" ", NH1 = start_ssl_node([{additional_dist_opts, DistOpts} | Config]), Node1 = NH1#node_handle.nodename, @@ -597,7 +601,8 @@ crl_cache_check_pass(Config) when is_list(Config) -> NodeDir = filename:join([PrivDir, "Certs"]), DistOpts = "-ssl_dist_opt " "client_crl_check true " - "client_crl_cache {ssl_dist_SUITE,{\\\"" ++ NodeDir ++ "\\\",[]}}", + "client_crl_cache " + "\"{ssl_dist_SUITE,{\\\"" ++ NodeDir ++ "\\\",[]}}\"", NewConfig = [{many_verify_opts, true}, {additional_dist_opts, DistOpts}] ++ Config, 
@@ -623,7 +628,8 @@ crl_cache_check_fail(Config) when is_list(Config) -> NodeDir = filename:join([PrivDir, "Certs"]), DistOpts = "-ssl_dist_opt " "client_crl_check true " - "client_crl_cache {ssl_dist_SUITE,{\\\"" ++ NodeDir ++ "\\\",[]}}", + "client_crl_cache " + "\"{ssl_dist_SUITE,{\\\"" ++ NodeDir ++ "\\\",[]}}\"", NewConfig = [{many_verify_opts, true}, %% The server uses a revoked certificate. -- cgit v1.2.3