166
202
%% Name of a test case.
167
203
%% Description: Returns a list of all test cases in this test suite
168
204
%%--------------------------------------------------------------------
170
["Test the basic ssl functionality"];
205
suite() -> [{ct_hooks,[ts_install_cth]}].
173
208
[app, alerts, connection_info, protocol_versions,
174
empty_protocol_versions, controlling_process, controller_dies,
175
client_closes_socket, peercert, connect_dist, peername, sockname,
176
socket_options, misc_ssl_options, versions, cipher_suites,
177
upgrade, upgrade_with_timeout, tcp_connect, ipv6, ekeyfile,
178
ecertfile, ecacertfile, eoptions, shutdown, shutdown_write,
179
shutdown_both, shutdown_error,
209
empty_protocol_versions, controlling_process,
210
controller_dies, client_closes_socket,
211
connect_dist, peername, peercert, sockname, socket_options,
212
invalid_inet_get_option, invalid_inet_get_option_not_list,
213
invalid_inet_get_option_improper_list,
214
invalid_inet_set_option, invalid_inet_set_option_not_list,
215
invalid_inet_set_option_improper_list,
216
misc_ssl_options, versions, cipher_suites, upgrade,
217
upgrade_with_timeout, tcp_connect, tcp_connect_big, ipv6, ekeyfile,
218
ecertfile, ecacertfile, eoptions, shutdown,
219
shutdown_write, shutdown_both, shutdown_error,
180
220
ciphers_rsa_signed_certs, ciphers_rsa_signed_certs_ssl3,
181
221
ciphers_rsa_signed_certs_openssl_names,
182
222
ciphers_rsa_signed_certs_openssl_names_ssl3,
183
ciphers_dsa_signed_certs,
184
ciphers_dsa_signed_certs_ssl3,
223
ciphers_dsa_signed_certs, ciphers_dsa_signed_certs_ssl3,
185
224
ciphers_dsa_signed_certs_openssl_names,
186
225
ciphers_dsa_signed_certs_openssl_names_ssl3,
187
226
anonymous_cipher_suites,
188
227
default_reject_anonymous,
190
close_transport_accept, dh_params, server_verify_peer_passive,
191
server_verify_peer_active, server_verify_peer_active_once,
229
close_transport_accept, dh_params,
230
server_verify_peer_passive, server_verify_peer_active,
231
server_verify_peer_active_once,
192
232
server_verify_none_passive, server_verify_none_active,
193
server_verify_none_active_once, server_verify_no_cacerts,
194
server_require_peer_cert_ok, server_require_peer_cert_fail,
233
server_verify_none_active_once,
234
server_verify_no_cacerts, server_require_peer_cert_ok,
235
server_require_peer_cert_fail,
195
236
server_verify_client_once_passive,
196
237
server_verify_client_once_active,
197
server_verify_client_once_active_once, client_verify_none_passive,
198
client_verify_none_active, client_verify_none_active_once,
199
reuse_session, reuse_session_expired,
200
server_does_not_want_to_reuse_session, client_renegotiate,
201
server_renegotiate, client_renegotiate_reused_session,
202
server_renegotiate_reused_session, client_no_wrap_sequence_number,
203
server_no_wrap_sequence_number, extended_key_usage,
204
no_authority_key_identifier,
205
invalid_signature_client, invalid_signature_server, cert_expired,
206
client_with_cert_cipher_suites_handshake, unknown_server_ca_fail,
207
der_input, unknown_server_ca_accept_verify_none, unknown_server_ca_accept_verify_peer,
208
unknown_server_ca_accept_backwardscompatibilty
238
server_verify_client_once_active_once,
239
client_verify_none_passive, client_verify_none_active,
240
client_verify_none_active_once,
242
reuse_session_expired,
243
server_does_not_want_to_reuse_session,
244
client_renegotiate, server_renegotiate,
245
client_renegotiate_reused_session,
246
server_renegotiate_reused_session,
247
client_no_wrap_sequence_number,
248
server_no_wrap_sequence_number, extended_key_usage_verify_peer,
249
extended_key_usage_verify_none,
250
no_authority_key_identifier, invalid_signature_client,
251
invalid_signature_server, cert_expired,
252
client_with_cert_cipher_suites_handshake,
253
unknown_server_ca_fail, der_input,
254
unknown_server_ca_accept_verify_none,
255
unknown_server_ca_accept_verify_peer,
256
unknown_server_ca_accept_backwardscompatibility,
257
%%different_ca_peer_sign,
258
no_reuses_session_server_restart_new_cert,
259
no_reuses_session_server_restart_new_cert_file, reuseaddr,
260
hibernate, connect_twice, renegotiate_dos_mitigate_active,
261
renegotiate_dos_mitigate_passive,
262
tcp_error_propagation_in_active_mode, rizzo, no_rizzo_rc4
268
init_per_group(_GroupName, Config) ->
271
end_per_group(_GroupName, Config) ->
211
274
%% Test cases starts here.
212
275
%%--------------------------------------------------------------------
756
835
{ok,[{nodelay,false}]} = ssl:getopts(Socket, [nodelay]),
757
836
ssl:setopts(Socket, [{nodelay, true}]),
758
837
{ok,[{nodelay, true}]} = ssl:getopts(Socket, [nodelay]),
838
{ok, All} = ssl:getopts(Socket, []),
839
test_server:format("All opts ~p~n", [All]),
843
%%--------------------------------------------------------------------
844
invalid_inet_get_option(doc) ->
845
["Test handling of invalid inet options in getopts"];
847
invalid_inet_get_option(suite) ->
850
invalid_inet_get_option(Config) when is_list(Config) ->
851
ClientOpts = ?config(client_opts, Config),
852
ServerOpts = ?config(server_opts, Config),
853
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
854
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
856
{mfa, {?MODULE, get_invalid_inet_option, []}},
857
{options, ServerOpts}]),
858
Port = ssl_test_lib:inet_port(Server),
859
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
862
{mfa, {ssl_test_lib, no_result, []}},
863
{options, ClientOpts}]),
865
test_server:format("Testcase ~p, Client ~p Server ~p ~n",
866
[self(), Client, Server]),
868
ssl_test_lib:check_result(Server, ok),
869
ssl_test_lib:close(Server),
870
ssl_test_lib:close(Client).
873
get_invalid_inet_option(Socket) ->
874
{error, {eoptions, {inet_option, foo, _}}} = ssl:getopts(Socket, [foo]),
877
%%--------------------------------------------------------------------
878
invalid_inet_get_option_not_list(doc) ->
879
["Test handling of invalid type in getopts"];
881
invalid_inet_get_option_not_list(suite) ->
884
invalid_inet_get_option_not_list(Config) when is_list(Config) ->
885
ClientOpts = ?config(client_opts, Config),
886
ServerOpts = ?config(server_opts, Config),
887
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
888
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
890
{mfa, {?MODULE, get_invalid_inet_option_not_list, []}},
891
{options, ServerOpts}]),
892
Port = ssl_test_lib:inet_port(Server),
893
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
896
{mfa, {ssl_test_lib, no_result, []}},
897
{options, ClientOpts}]),
899
test_server:format("Testcase ~p, Client ~p Server ~p ~n",
900
[self(), Client, Server]),
902
ssl_test_lib:check_result(Server, ok),
903
ssl_test_lib:close(Server),
904
ssl_test_lib:close(Client).
907
get_invalid_inet_option_not_list(Socket) ->
908
{error, {eoptions, {inet_options, some_invalid_atom_here}}}
909
= ssl:getopts(Socket, some_invalid_atom_here),
912
%%--------------------------------------------------------------------
913
invalid_inet_get_option_improper_list(doc) ->
914
["Test handling of invalid type in getopts"];
916
invalid_inet_get_option_improper_list(suite) ->
919
invalid_inet_get_option_improper_list(Config) when is_list(Config) ->
920
ClientOpts = ?config(client_opts, Config),
921
ServerOpts = ?config(server_opts, Config),
922
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
923
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
925
{mfa, {?MODULE, get_invalid_inet_option_improper_list, []}},
926
{options, ServerOpts}]),
927
Port = ssl_test_lib:inet_port(Server),
928
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
931
{mfa, {ssl_test_lib, no_result, []}},
932
{options, ClientOpts}]),
934
test_server:format("Testcase ~p, Client ~p Server ~p ~n",
935
[self(), Client, Server]),
937
ssl_test_lib:check_result(Server, ok),
938
ssl_test_lib:close(Server),
939
ssl_test_lib:close(Client).
942
get_invalid_inet_option_improper_list(Socket) ->
943
{error, {eoptions, {inet_option, foo,_}}} = ssl:getopts(Socket, [packet | foo]),
946
%%--------------------------------------------------------------------
947
invalid_inet_set_option(doc) ->
948
["Test handling of invalid inet options in setopts"];
950
invalid_inet_set_option(suite) ->
953
invalid_inet_set_option(Config) when is_list(Config) ->
954
ClientOpts = ?config(client_opts, Config),
955
ServerOpts = ?config(server_opts, Config),
956
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
957
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
959
{mfa, {?MODULE, set_invalid_inet_option, []}},
960
{options, ServerOpts}]),
961
Port = ssl_test_lib:inet_port(Server),
962
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
965
{mfa, {ssl_test_lib, no_result, []}},
966
{options, ClientOpts}]),
968
test_server:format("Testcase ~p, Client ~p Server ~p ~n",
969
[self(), Client, Server]),
971
ssl_test_lib:check_result(Server, ok),
972
ssl_test_lib:close(Server),
973
ssl_test_lib:close(Client).
975
set_invalid_inet_option(Socket) ->
976
{error, {eoptions, {inet_opt, {packet, foo}}}} = ssl:setopts(Socket, [{packet, foo}]),
977
{error, {eoptions, {inet_opt, {header, foo}}}} = ssl:setopts(Socket, [{header, foo}]),
978
{error, {eoptions, {inet_opt, {active, foo}}}} = ssl:setopts(Socket, [{active, foo}]),
979
{error, {eoptions, {inet_opt, {mode, foo}}}} = ssl:setopts(Socket, [{mode, foo}]),
981
%%--------------------------------------------------------------------
982
invalid_inet_set_option_not_list(doc) ->
983
["Test handling of invalid type in setopts"];
985
invalid_inet_set_option_not_list(suite) ->
988
invalid_inet_set_option_not_list(Config) when is_list(Config) ->
989
ClientOpts = ?config(client_opts, Config),
990
ServerOpts = ?config(server_opts, Config),
991
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
992
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
994
{mfa, {?MODULE, set_invalid_inet_option_not_list, []}},
995
{options, ServerOpts}]),
996
Port = ssl_test_lib:inet_port(Server),
997
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
1000
{mfa, {ssl_test_lib, no_result, []}},
1001
{options, ClientOpts}]),
1003
test_server:format("Testcase ~p, Client ~p Server ~p ~n",
1004
[self(), Client, Server]),
1006
ssl_test_lib:check_result(Server, ok),
1007
ssl_test_lib:close(Server),
1008
ssl_test_lib:close(Client).
1011
set_invalid_inet_option_not_list(Socket) ->
1012
{error, {eoptions, {not_a_proplist, some_invalid_atom_here}}}
1013
= ssl:setopts(Socket, some_invalid_atom_here),
1016
%%--------------------------------------------------------------------
1017
invalid_inet_set_option_improper_list(doc) ->
1018
["Test handling of invalid tye in setopts"];
1020
invalid_inet_set_option_improper_list(suite) ->
1023
invalid_inet_set_option_improper_list(Config) when is_list(Config) ->
1024
ClientOpts = ?config(client_opts, Config),
1025
ServerOpts = ?config(server_opts, Config),
1026
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
1027
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
1029
{mfa, {?MODULE, set_invalid_inet_option_improper_list, []}},
1030
{options, ServerOpts}]),
1031
Port = ssl_test_lib:inet_port(Server),
1032
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
1035
{mfa, {ssl_test_lib, no_result, []}},
1036
{options, ClientOpts}]),
1038
test_server:format("Testcase ~p, Client ~p Server ~p ~n",
1039
[self(), Client, Server]),
1041
ssl_test_lib:check_result(Server, ok),
1042
ssl_test_lib:close(Server),
1043
ssl_test_lib:close(Client).
1045
set_invalid_inet_option_improper_list(Socket) ->
1046
{error, {eoptions, {not_a_proplist, [{packet, 0} | {foo, 2}]}}} =
1047
ssl:setopts(Socket, [{packet, 0} | {foo, 2}]),
761
1050
%%--------------------------------------------------------------------
762
1051
misc_ssl_options(doc) ->
763
1052
["Test what happens when we give valid options"];
2551
2852
ClientExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-clientAuth']},
2552
2853
ClientOTPTbsCert = ClientOTPCert#'OTPCertificate'.tbsCertificate,
2553
2854
ClientExtensions = ClientOTPTbsCert#'OTPTBSCertificate'.extensions,
2554
NewClientOTPTbsCert = ClientOTPTbsCert#'OTPTBSCertificate'{extensions =
2855
NewClientOTPTbsCert = ClientOTPTbsCert#'OTPTBSCertificate'{extensions =
2555
2856
[ClientExtKeyUsageExt |
2556
2857
ClientExtensions]},
2557
NewClientDerCert = public_key:pkix_sign(NewClientOTPTbsCert, Key),
2858
NewClientDerCert = public_key:pkix_sign(NewClientOTPTbsCert, Key),
2558
2859
ssl_test_lib:der_to_pem(NewClientCertFile, [{'Certificate', NewClientDerCert, not_encrypted}]),
2559
2860
NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)],
2561
2862
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
2563
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
2864
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
2565
2866
{mfa, {?MODULE, send_recv_result_active, []}},
2566
2867
{options, [{verify, verify_peer} | NewServerOpts]}]),
2567
2868
Port = ssl_test_lib:inet_port(Server),
2568
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
2869
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
2569
2870
{host, Hostname},
2571
2872
{mfa, {?MODULE, send_recv_result_active, []}},
2572
2873
{options, [{verify, verify_peer} | NewClientOpts]}]),
2574
ssl_test_lib:check_result(Server, ok, Client, ok),
2875
ssl_test_lib:check_result(Server, ok, Client, ok),
2877
ssl_test_lib:close(Server),
2878
ssl_test_lib:close(Client).
2880
%%--------------------------------------------------------------------
2881
extended_key_usage_verify_none(doc) ->
2882
["Test cert that has a critical extended_key_usage extension in verify_none mode"];
2884
extended_key_usage_verify_none(suite) ->
2887
extended_key_usage_verify_none(Config) when is_list(Config) ->
2888
ClientOpts = ?config(client_verification_opts, Config),
2889
ServerOpts = ?config(server_verification_opts, Config),
2890
PrivDir = ?config(priv_dir, Config),
2892
KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
2893
[KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
2894
Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
2896
ServerCertFile = proplists:get_value(certfile, ServerOpts),
2897
NewServerCertFile = filename:join(PrivDir, "server/new_cert.pem"),
2898
[{'Certificate', ServerDerCert, _}] = ssl_test_lib:pem_to_der(ServerCertFile),
2899
ServerOTPCert = public_key:pkix_decode_cert(ServerDerCert, otp),
2900
ServerExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-serverAuth']},
2901
ServerOTPTbsCert = ServerOTPCert#'OTPCertificate'.tbsCertificate,
2902
ServerExtensions = ServerOTPTbsCert#'OTPTBSCertificate'.extensions,
2903
NewServerOTPTbsCert = ServerOTPTbsCert#'OTPTBSCertificate'{extensions =
2904
[ServerExtKeyUsageExt |
2906
NewServerDerCert = public_key:pkix_sign(NewServerOTPTbsCert, Key),
2907
ssl_test_lib:der_to_pem(NewServerCertFile, [{'Certificate', NewServerDerCert, not_encrypted}]),
2908
NewServerOpts = [{certfile, NewServerCertFile} | proplists:delete(certfile, ServerOpts)],
2910
ClientCertFile = proplists:get_value(certfile, ClientOpts),
2911
NewClientCertFile = filename:join(PrivDir, "client/new_cert.pem"),
2912
[{'Certificate', ClientDerCert, _}] = ssl_test_lib:pem_to_der(ClientCertFile),
2913
ClientOTPCert = public_key:pkix_decode_cert(ClientDerCert, otp),
2914
ClientExtKeyUsageExt = {'Extension', ?'id-ce-extKeyUsage', true, [?'id-kp-clientAuth']},
2915
ClientOTPTbsCert = ClientOTPCert#'OTPCertificate'.tbsCertificate,
2916
ClientExtensions = ClientOTPTbsCert#'OTPTBSCertificate'.extensions,
2917
NewClientOTPTbsCert = ClientOTPTbsCert#'OTPTBSCertificate'{extensions =
2918
[ClientExtKeyUsageExt |
2920
NewClientDerCert = public_key:pkix_sign(NewClientOTPTbsCert, Key),
2921
ssl_test_lib:der_to_pem(NewClientCertFile, [{'Certificate', NewClientDerCert, not_encrypted}]),
2922
NewClientOpts = [{certfile, NewClientCertFile} | proplists:delete(certfile, ClientOpts)],
2924
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
2926
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
2928
{mfa, {?MODULE, send_recv_result_active, []}},
2929
{options, [{verify, verify_none} | NewServerOpts]}]),
2930
Port = ssl_test_lib:inet_port(Server),
2931
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
2934
{mfa, {?MODULE, send_recv_result_active, []}},
2935
{options, [{verify, verify_none} | NewClientOpts]}]),
2937
ssl_test_lib:check_result(Server, ok, Client, ok),
2576
2939
ssl_test_lib:close(Server),
2577
2940
ssl_test_lib:close(Client).
3042
3409
Keyfile = proplists:get_value(keyfile, Opts),
3043
3410
Dhfile = proplists:get_value(dhfile, Opts),
3044
3411
[{_, Cert, _}] = ssl_test_lib:pem_to_der(Certfile),
3045
[{_, Key, _}] = ssl_test_lib:pem_to_der(Keyfile),
3412
[{Asn1Type, Key, _}] = ssl_test_lib:pem_to_der(Keyfile),
3046
3413
[{_, DHParams, _}] = ssl_test_lib:pem_to_der(Dhfile),
3048
3415
lists:map(fun(Entry) ->
3049
3416
{_, CaCert, _} = Entry,
3051
3418
end, ssl_test_lib:pem_to_der(CaCertsfile)),
3052
{Cert, {rsa, Key}, CaCerts, DHParams}.
3419
{Cert, {Asn1Type, Key}, CaCerts, DHParams}.
3421
%%--------------------------------------------------------------------
3422
%% different_ca_peer_sign(doc) ->
3423
%% ["Check that a CA can have a different signature algorithm than the peer cert."];
3425
%% different_ca_peer_sign(suite) ->
3428
%% different_ca_peer_sign(Config) when is_list(Config) ->
3429
%% ClientOpts = ?config(client_mix_opts, Config),
3430
%% ServerOpts = ?config(server_mix_verify_opts, Config),
3432
%% {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3433
%% Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3435
%% {mfa, {?MODULE, send_recv_result_active_once, []}},
3436
%% {options, [{active, once},
3437
%% {verify, verify_peer} | ServerOpts]}]),
3438
%% Port = ssl_test_lib:inet_port(Server),
3440
%% Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
3441
%% {host, Hostname},
3444
%% send_recv_result_active_once,
3446
%% {options, [{active, once},
3447
%% {verify, verify_peer}
3448
%% | ClientOpts]}]),
3450
%% ssl_test_lib:check_result(Server, ok, Client, ok),
3451
%% ssl_test_lib:close(Server),
3452
%% ssl_test_lib:close(Client).
3455
%%--------------------------------------------------------------------
3456
no_reuses_session_server_restart_new_cert(doc) ->
3457
["Check that a session is not reused if the server is restarted with a new cert."];
3459
no_reuses_session_server_restart_new_cert(suite) ->
3462
no_reuses_session_server_restart_new_cert(Config) when is_list(Config) ->
3464
ClientOpts = ?config(client_opts, Config),
3465
ServerOpts = ?config(server_opts, Config),
3466
DsaServerOpts = ?config(server_dsa_opts, Config),
3467
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3470
ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3472
{mfa, {ssl_test_lib, session_info_result, []}},
3473
{options, ServerOpts}]),
3474
Port = ssl_test_lib:inet_port(Server),
3476
ssl_test_lib:start_client([{node, ClientNode},
3477
{port, Port}, {host, Hostname},
3478
{mfa, {ssl_test_lib, no_result, []}},
3479
{from, self()}, {options, ClientOpts}]),
3486
%% Make sure session is registered
3487
test_server:sleep(?SLEEP),
3488
ssl_test_lib:close(Server),
3489
ssl_test_lib:close(Client0),
3492
ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
3494
{mfa, {ssl_test_lib, no_result, []}},
3495
{options, DsaServerOpts}]),
3498
ssl_test_lib:start_client([{node, ClientNode},
3499
{port, Port}, {host, Hostname},
3500
{mfa, {ssl_test_lib, session_info_result, []}},
3501
{from, self()}, {options, ClientOpts}]),
3503
{Client1, SessionInfo} ->
3504
test_server:fail(session_reused_when_server_has_new_cert);
3505
{Client1, _Other} ->
3508
ssl_test_lib:close(Server1),
3509
ssl_test_lib:close(Client1).
3511
%%--------------------------------------------------------------------
3512
no_reuses_session_server_restart_new_cert_file(doc) ->
3513
["Check that a session is not reused if a server is restarted with a new "
3514
"cert contained in a file with the same name as the old cert."];
3516
no_reuses_session_server_restart_new_cert_file(suite) ->
3519
no_reuses_session_server_restart_new_cert_file(Config) when is_list(Config) ->
3520
ClientOpts = ?config(client_opts, Config),
3521
ServerOpts = ?config(server_verification_opts, Config),
3522
DsaServerOpts = ?config(server_dsa_opts, Config),
3523
PrivDir = ?config(priv_dir, Config),
3525
NewServerOpts = new_config(PrivDir, ServerOpts),
3526
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3529
ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3531
{mfa, {ssl_test_lib, session_info_result, []}},
3532
{options, NewServerOpts}]),
3533
Port = ssl_test_lib:inet_port(Server),
3535
ssl_test_lib:start_client([{node, ClientNode},
3536
{port, Port}, {host, Hostname},
3537
{mfa, {ssl_test_lib, no_result, []}},
3538
{from, self()}, {options, ClientOpts}]),
3545
%% Make sure session is registered and we get
3546
%% new file time stamp when calling new_config!
3547
test_server:sleep(?SLEEP* 2),
3548
ssl_test_lib:close(Server),
3549
ssl_test_lib:close(Client0),
3551
NewServerOpts = new_config(PrivDir, DsaServerOpts),
3554
ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
3556
{mfa, {ssl_test_lib, no_result, []}},
3557
{options, NewServerOpts}]),
3559
ssl_test_lib:start_client([{node, ClientNode},
3560
{port, Port}, {host, Hostname},
3561
{mfa, {ssl_test_lib, session_info_result, []}},
3562
{from, self()}, {options, ClientOpts}]),
3564
{Client1, SessionInfo} ->
3565
test_server:fail(session_reused_when_server_has_new_cert);
3566
{Client1, _Other} ->
3569
ssl_test_lib:close(Server1),
3570
ssl_test_lib:close(Client1).
3572
%%--------------------------------------------------------------------
3579
reuseaddr(Config) when is_list(Config) ->
3580
ClientOpts = ?config(client_opts, Config),
3581
ServerOpts = ?config(server_opts, Config),
3582
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3584
ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3586
{mfa, {ssl_test_lib, no_result, []}},
3587
{options, [{active, false} | ServerOpts]}]),
3588
Port = ssl_test_lib:inet_port(Server),
3590
ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
3593
{mfa, {ssl_test_lib, no_result, []}},
3594
{options, [{active, false} | ClientOpts]}]),
3595
test_server:sleep(?SLEEP),
3596
ssl_test_lib:close(Server),
3597
ssl_test_lib:close(Client),
3600
ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
3602
{mfa, {?MODULE, send_recv_result, []}},
3603
{options, [{active, false} | ServerOpts]}]),
3605
ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
3608
{mfa, {?MODULE, send_recv_result, []}},
3609
{options, [{active, false} | ClientOpts]}]),
3611
ssl_test_lib:check_result(Server1, ok, Client1, ok),
3612
ssl_test_lib:close(Server1),
3613
ssl_test_lib:close(Client1).
3615
%%--------------------------------------------------------------------
3618
["Check that an SSL connection that is started with option "
3619
"{hibernate_after, 1000} indeed hibernates after 1000ms of "
3625
hibernate(Config) ->
3626
ClientOpts = ?config(client_opts, Config),
3627
ServerOpts = ?config(server_opts, Config),
3629
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3631
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3633
{mfa, {?MODULE, send_recv_result_active, []}},
3634
{options, ServerOpts}]),
3635
Port = ssl_test_lib:inet_port(Server),
3636
{Client, #sslsocket{pid=Pid}} = ssl_test_lib:start_client([return_socket,
3637
{node, ClientNode}, {port, Port},
3640
{mfa, {?MODULE, send_recv_result_active, []}},
3641
{options, [{hibernate_after, 1000}|ClientOpts]}]),
3642
{current_function, _} =
3643
process_info(Pid, current_function),
3647
{current_function, {erlang, hibernate, 3}} =
3648
process_info(Pid, current_function),
3650
ssl_test_lib:close(Server),
3651
ssl_test_lib:close(Client).
3653
%%--------------------------------------------------------------------
3655
connect_twice(doc) ->
3657
connect_twice(suite) ->
3659
connect_twice(Config) when is_list(Config) ->
3660
ClientOpts = ?config(client_opts, Config),
3661
ServerOpts = ?config(server_opts, Config),
3663
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3666
ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3668
{mfa, {?MODULE, send_recv_result, []}},
3669
{options, [{keepalive, true},{active, false}
3671
Port = ssl_test_lib:inet_port(Server),
3673
ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
3676
{mfa, {?MODULE, send_recv_result, []}},
3677
{options, [{keepalive, true},{active, false}
3681
{Client1, #sslsocket{}} =
3682
ssl_test_lib:start_client([return_socket,
3683
{node, ClientNode}, {port, Port},
3686
{mfa, {?MODULE, send_recv_result, []}},
3687
{options, [{keepalive, true},{active, false}
3690
test_server:format("Testcase ~p, Client ~p Server ~p ~n",
3691
[self(), Client, Server]),
3693
ssl_test_lib:check_result(Server, ok, Client, ok),
3694
ssl_test_lib:check_result(Server, ok, Client1, ok),
3696
ssl_test_lib:close(Server),
3697
ssl_test_lib:close(Client),
3698
ssl_test_lib:close(Client1).
3700
%%--------------------------------------------------------------------
3701
renegotiate_dos_mitigate_active(doc) ->
3702
["Mitigate DOS computational attack by not allowing client to renegotiate many times in a row",
3703
"immediately after each other"];
3705
renegotiate_dos_mitigate_active(suite) ->
3708
renegotiate_dos_mitigate_active(Config) when is_list(Config) ->
3709
ServerOpts = ?config(server_opts, Config),
3710
ClientOpts = ?config(client_opts, Config),
3712
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3715
ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3717
{mfa, {?MODULE, send_recv_result_active, []}},
3718
{options, [ServerOpts]}]),
3719
Port = ssl_test_lib:inet_port(Server),
3721
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
3725
renegotiate_immediately, []}},
3726
{options, ClientOpts}]),
3728
ssl_test_lib:check_result(Client, ok, Server, ok),
3729
ssl_test_lib:close(Server),
3730
ssl_test_lib:close(Client).
3732
%%--------------------------------------------------------------------
3733
renegotiate_dos_mitigate_passive(doc) ->
3734
["Mitigate DOS computational attack by not allowing client to renegotiate many times in a row",
3735
"immediately after each other"];
3737
renegotiate_dos_mitigate_passive(suite) ->
3740
renegotiate_dos_mitigate_passive(Config) when is_list(Config) ->
3741
ServerOpts = ?config(server_opts, Config),
3742
ClientOpts = ?config(client_opts, Config),
3744
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3747
ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3749
{mfa, {?MODULE, send_recv_result, []}},
3750
{options, [{active, false} | ServerOpts]}]),
3751
Port = ssl_test_lib:inet_port(Server),
3753
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
3757
renegotiate_immediately, []}},
3758
{options, ClientOpts}]),
3760
ssl_test_lib:check_result(Client, ok, Server, ok),
3761
ssl_test_lib:close(Server),
3762
ssl_test_lib:close(Client).
3764
%%--------------------------------------------------------------------
3765
tcp_error_propagation_in_active_mode(doc) ->
3766
["Test that process recives {ssl_error, Socket, closed} when tcp error ocurres"];
3767
tcp_error_propagation_in_active_mode(Config) when is_list(Config) ->
3768
ClientOpts = ?config(client_opts, Config),
3769
ServerOpts = ?config(server_opts, Config),
3771
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3773
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3775
{mfa, {ssl_test_lib, no_result, []}},
3776
{options, ServerOpts}]),
3777
Port = ssl_test_lib:inet_port(Server),
3778
{Client, #sslsocket{pid=Pid} = SslSocket} = ssl_test_lib:start_client([return_socket,
3779
{node, ClientNode}, {port, Port},
3782
{mfa, {?MODULE, receive_msg, []}},
3783
{options, ClientOpts}]),
3785
{status, _, _, StatusInfo} = sys:get_status(Pid),
3786
[_, _,_, _, Prop] = StatusInfo,
3787
State = ssl_test_lib:state(Prop),
3788
Socket = element(10, State),
3791
Pid ! {tcp_error, Socket, etimedout},
3793
ssl_test_lib:check_result(Client, {ssl_closed, SslSocket}).
3794
%%--------------------------------------------------------------------
3796
rizzo(doc) -> ["Test that there is a 1/n-1-split for non RC4 in 'TLS < 1.1' as it is
3797
vunrable to Rizzo/Dungon attack"];
3799
rizzo(Config) when is_list(Config) ->
3800
Ciphers = [X || X ={_,Y,_} <- ssl:cipher_suites(), Y =/= rc4_128],
3801
run_send_recv_rizzo(Ciphers, Config, sslv3,
3802
{?MODULE, send_recv_result_active_rizzo, []}),
3803
run_send_recv_rizzo(Ciphers, Config, tlsv1,
3804
{?MODULE, send_recv_result_active_rizzo, []}).
3806
no_rizzo_rc4(doc) ->
3807
["Test that there is no 1/n-1-split for RC4 as it is not vunrable to Rizzo/Dungon attack"];
3809
no_rizzo_rc4(Config) when is_list(Config) ->
3810
Ciphers = [X || X ={_,Y,_} <- ssl:cipher_suites(),Y == rc4_128],
3811
run_send_recv_rizzo(Ciphers, Config, sslv3,
3812
{?MODULE, send_recv_result_active_no_rizzo, []}),
3813
run_send_recv_rizzo(Ciphers, Config, tlsv1,
3814
{?MODULE, send_recv_result_active_no_rizzo, []}).
3816
run_send_recv_rizzo(Ciphers, Config, Version, Mfa) ->
3817
Result = lists:map(fun(Cipher) ->
3818
rizzo_test(Cipher, Config, Version, Mfa) end,
3820
case lists:flatten(Result) of
3824
test_server:format("Cipher suite errors: ~p~n", [Error]),
3825
test_server:fail(cipher_suite_failed_see_test_case_log)
3828
rizzo_test(Cipher, Config, Version, Mfa) ->
3829
{ClientOpts, ServerOpts} = client_server_opts(Cipher, Config),
3830
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
3831
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
3834
{options, [{active, true}, {ciphers, [Cipher]},
3835
{versions, [Version]}
3837
Port = ssl_test_lib:inet_port(Server),
3838
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
3842
{options, [{active, true} | ClientOpts]}]),
3844
Result = ssl_test_lib:check_result(Server, ok, Client, ok),
3845
ssl_test_lib:close(Server),
3846
ssl_test_lib:close(Client),
3854
client_server_opts({KeyAlgo,_,_}, Config) when KeyAlgo == rsa orelse KeyAlgo == dhe_rsa ->
3855
{?config(client_opts, Config),
3856
?config(server_opts, Config)};
3857
client_server_opts({KeyAlgo,_,_}, Config) when KeyAlgo == dss orelse KeyAlgo == dhe_dss ->
3858
{?config(client_dsa_opts, Config),
3859
?config(server_dsa_opts, Config)}.
3054
3861
%%--------------------------------------------------------------------
3055
3862
%%% Internal functions
3056
3863
%%--------------------------------------------------------------------
3057
erlang_ssl_receive(Socket, Data) ->
3059
{ssl, Socket, Data} ->
3060
io:format("Received ~p~n",[Data]),
3063
test_server:fail({unexpected_message, Other})
3065
test_server:fail({did_not_get, Data})
3068
3864
send_recv_result(Socket) ->
3069
3865
ssl:send(Socket, "Hello world"),
3070
3866
{ok,"Hello world"} = ssl:recv(Socket, 11),
3104
3927
%% Make sure session is registerd
3105
3928
test_server:sleep(?SLEEP),
3106
3929
renegotiate(Socket, Data).
3931
renegotiate_immediately(Socket) ->
3933
{ssl, Socket, "Hello world"} ->
3935
%% Handle 1/n-1 splitting countermeasure Rizzo/Duong-Beast
3936
{ssl, Socket, "H"} ->
3938
{ssl, Socket, "ello world"} ->
3942
ok = ssl:renegotiate(Socket),
3943
{error, renegotiation_rejected} = ssl:renegotiate(Socket),
3944
test_server:sleep(?RENEGOTIATION_DISABLE_TIME +1),
3945
ok = ssl:renegotiate(Socket),
3946
test_server:format("Renegotiated again"),
3947
ssl:send(Socket, "Hello world"),
3950
new_config(PrivDir, ServerOpts0) ->
3951
CaCertFile = proplists:get_value(cacertfile, ServerOpts0),
3952
CertFile = proplists:get_value(certfile, ServerOpts0),
3953
KeyFile = proplists:get_value(keyfile, ServerOpts0),
3954
NewCaCertFile = filename:join(PrivDir, "new_ca.pem"),
3955
NewCertFile = filename:join(PrivDir, "new_cert.pem"),
3956
NewKeyFile = filename:join(PrivDir, "new_key.pem"),
3957
file:copy(CaCertFile, NewCaCertFile),
3958
file:copy(CertFile, NewCertFile),
3959
file:copy(KeyFile, NewKeyFile),
3960
ServerOpts1 = proplists:delete(cacertfile, ServerOpts0),
3961
ServerOpts2 = proplists:delete(certfile, ServerOpts1),
3962
ServerOpts = proplists:delete(keyfile, ServerOpts2),
3964
{ok, PEM} = file:read_file(NewCaCertFile),
3965
test_server:format("CA file content: ~p~n", [public_key:pem_decode(PEM)]),
3967
[{cacertfile, NewCaCertFile}, {certfile, NewCertFile},
3968
{keyfile, NewKeyFile} | ServerOpts].
3970
session_cache_process_list(doc) ->
3971
["Test reuse of sessions (short handshake)"];
3973
session_cache_process_list(suite) ->
3975
session_cache_process_list(Config) when is_list(Config) ->
3976
session_cache_process(list,Config).
3978
session_cache_process_mnesia(doc) ->
3979
["Test reuse of sessions (short handshake)"];
3981
session_cache_process_mnesia(suite) ->
3983
session_cache_process_mnesia(Config) when is_list(Config) ->
3984
session_cache_process(mnesia,Config).
3986
session_cache_process(_Type,Config) when is_list(Config) ->
3987
reuse_session(Config).
3990
ets:new(ssl_test, [named_table, public, set]),
3991
ets:insert(ssl_test, {type, Type}),
3994
spawn(fun() -> session_loop([]) end);
3997
{atomic,ok} = mnesia:create_table(sess_cache, []),
4002
[{type, Type}] = ets:lookup(ssl_test, type),
4006
case session_cb() of
4011
mnesia:delete_table(sess_cache)
4014
lookup(Cache, Key) ->
4015
case session_cb() of
4017
Cache ! {self(), lookup, Key},
4018
receive {Cache, Res} -> Res end;
4020
case mnesia:transaction(fun() ->
4021
mnesia:read(sess_cache,
4024
{atomic, [{sess_cache, Key, Value}]} ->
4031
update(Cache, Key, Value) ->
4032
case session_cb() of
4034
Cache ! {update, Key, Value};
4037
mnesia:transaction(fun() ->
4038
mnesia:write(sess_cache,
4039
{sess_cache, Key, Value}, write)
4043
delete(Cache, Key) ->
4044
case session_cb() of
4046
Cache ! {delete, Key};
4049
mnesia:transaction(fun() ->
4050
mnesia:delete(sess_cache, Key)
4054
foldl(Fun, Acc, Cache) ->
4055
case session_cb() of
4057
Cache ! {self(),foldl,Fun,Acc},
4058
receive {Cache, Res} -> Res end;
4061
mnesia:foldl(Fun, Acc, sess_cache)
4063
{atomic, Res} = mnesia:transaction(Foldl),
4067
select_session(Cache, PartialKey) ->
4068
case session_cb() of
4070
Cache ! {self(),select_session, PartialKey},
4077
mnesia:select(Cache,
4078
[{{sess_cache,{PartialKey,'$1'}, '$2'},
4081
{atomic, Res} = mnesia:transaction(Sel),
4085
session_loop(Sess) ->
4089
{Pid, lookup, Key} ->
4090
case lists:keysearch(Key,1,Sess) of
4091
{value, {Key,Value}} ->
4092
Pid ! {self(), Value};
4094
Pid ! {self(), undefined}
4097
{update, Key, Value} ->
4098
NewSess = [{Key,Value}| lists:keydelete(Key,1,Sess)],
4099
session_loop(NewSess);
4101
session_loop(lists:keydelete(Key,1,Sess));
4102
{Pid,foldl,Fun,Acc} ->
4103
Res = lists:foldl(Fun, Acc,Sess),
4104
Pid ! {self(), Res},
4106
{Pid,select_session,PKey} ->
4107
Sel = fun({{PKey0, Id},Session}, Acc) when PKey == PKey0 ->
4108
[[Id, Session]|Acc];
4112
Sessions = lists:foldl(Sel, [], Sess),
4113
Pid ! {self(), Sessions},
4118
erlang_ssl_receive(Socket, Data) ->
4120
{ssl, Socket, Data} ->
4121
io:format("Received ~p~n",[Data]),
4123
{ssl, Socket, Byte} when length(Byte) == 1 -> %% Handle 1/n-1 splitting countermeasure Rizzo/Duong-Beast
4124
io:format("Received ~p~n",[Byte]),
4125
erlang_ssl_receive(Socket, tl(Data));
4127
test_server:fail({unexpected_message, Other})
4129
test_server:fail({did_not_get, Data})