1%% 2%% %CopyrightBegin% 3%% 4%% Copyright Ericsson AB 2007-2019. All Rights Reserved. 5%% 6%% Licensed under the Apache License, Version 2.0 (the "License"); 7%% you may not use this file except in compliance with the License. 8%% You may obtain a copy of the License at 9%% 10%% http://www.apache.org/licenses/LICENSE-2.0 11%% 12%% Unless required by applicable law or agreed to in writing, software 13%% distributed under the License is distributed on an "AS IS" BASIS, 14%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15%% See the License for the specific language governing permissions and 16%% limitations under the License. 17%% 18%% %CopyrightEnd% 19%% 20 21%% 22 23-module(ssl_basic_SUITE). 24 25%% Note: This directive should only be used in test suites. 26-compile(export_all). 27 28-include_lib("common_test/include/ct.hrl"). 29-include_lib("public_key/include/public_key.hrl"). 30 31-include("ssl_api.hrl"). 32-include("ssl_internal.hrl"). 33-include("ssl_alert.hrl"). 34-include("ssl_internal.hrl"). 35-include("tls_record.hrl"). 36-include("tls_handshake.hrl"). 37 38-define(TIMEOUT, 20000). 39-define(EXPIRE, 10). 40-define(SLEEP, 500). 41-define(RENEGOTIATION_DISABLE_TIME, 12000). 42-define(CLEAN_SESSION_DB, 60000). 43-define(SEC_RENEGOTIATION_TIMEOUT, 30). 44 45%%-------------------------------------------------------------------- 46%% Common Test interface functions ----------------------------------- 47%%-------------------------------------------------------------------- 48all() -> 49 [ 50 {group, basic}, 51 {group, basic_tls}, 52 {group, options}, 53 {group, options_tls}, 54 {group, session}, 55 {group, 'dtlsv1.2'}, 56 {group, 'dtlsv1'}, 57 {group, 'tlsv1.2'}, 58 {group, 'tlsv1.1'}, 59 {group, 'tlsv1'}, 60 {group, 'sslv3'} 61 ]. 62 63groups() -> 64 [{basic, [], basic_tests()}, 65 {basic_tls, [], basic_tests_tls()}, 66 {options, [], options_tests()}, 67 {options_tls, [], options_tests_tls()}, 68 {'dtlsv1.2', [], all_versions_groups()}, 69 {'dtlsv1', [], all_versions_groups()}, 70 {'tlsv1.2', [], all_versions_groups() ++ tls_versions_groups() ++ [conf_signature_algs, no_common_signature_algs]}, 71 {'tlsv1.1', [], all_versions_groups() ++ tls_versions_groups()}, 72 {'tlsv1', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests()}, 73 {'sslv3', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests() ++ [tls_ciphersuite_vs_version]}, 74 {api,[], api_tests()}, 75 {api_tls,[], api_tests_tls()}, 76 {tls_ciphers,[], tls_cipher_tests()}, 77 {session, [], session_tests()}, 78 {renegotiate, [], renegotiate_tests()}, 79 {ciphers, [], cipher_tests()}, 80 {ciphers_ec, [], cipher_tests_ec()}, 81 {error_handling_tests, [], error_handling_tests()}, 82 {error_handling_tests_tls, [], error_handling_tests_tls()} 83 ]. 84 85tls_versions_groups ()-> 86 [ 87 {group, api_tls}, 88 {group, tls_ciphers}, 89 {group, error_handling_tests_tls}]. 90 91all_versions_groups ()-> 92 [{group, api}, 93 {group, renegotiate}, 94 {group, ciphers}, 95 {group, ciphers_ec}, 96 {group, error_handling_tests}]. 97 98 99basic_tests() -> 100 [app, 101 appup, 102 alerts, 103 alert_details, 104 alert_details_not_too_big, 105 version_option, 106 connect_twice, 107 connect_dist, 108 clear_pem_cache, 109 defaults, 110 fallback, 111 cipher_format, 112 suite_to_str 113 ]. 114 115basic_tests_tls() -> 116 [tls_send_close 117 ]. 118 119options_tests() -> 120 [der_input, 121 ssl_options_not_proplist, 122 raw_ssl_option, 123 invalid_inet_get_option, 124 invalid_inet_get_option_not_list, 125 invalid_inet_get_option_improper_list, 126 invalid_inet_set_option, 127 invalid_inet_set_option_not_list, 128 invalid_inet_set_option_improper_list, 129 dh_params, 130 invalid_certfile, 131 invalid_cacertfile, 132 invalid_keyfile, 133 invalid_options, 134 protocol_versions, 135 empty_protocol_versions, 136 ipv6, 137 reuseaddr, 138 honor_server_cipher_order, 139 honor_client_cipher_order, 140 unordered_protocol_versions_server, 141 unordered_protocol_versions_client, 142 max_handshake_size 143]. 144 145options_tests_tls() -> 146 [tls_misc_ssl_options, 147 tls_tcp_reuseaddr]. 148 149api_tests() -> 150 [secret_connection_info, 151 connection_information, 152 peercert, 153 peercert_with_client_cert, 154 versions, 155 eccs, 156 controlling_process, 157 getstat, 158 close_with_timeout, 159 hibernate, 160 hibernate_right_away, 161 listen_socket, 162 ssl_recv_timeout, 163 server_name_indication_option, 164 accept_pool, 165 prf, 166 socket_options, 167 active_n, 168 cipher_suites, 169 handshake_continue, 170 handshake_continue_timeout, 171 hello_client_cancel, 172 hello_server_cancel 173 ]. 174 175api_tests_tls() -> 176 [tls_versions_option, 177 tls_upgrade, 178 tls_upgrade_with_timeout, 179 tls_ssl_accept_timeout, 180 tls_downgrade, 181 tls_shutdown, 182 tls_shutdown_write, 183 tls_shutdown_both, 184 tls_shutdown_error, 185 peername, 186 sockname, 187 tls_socket_options, 188 new_options_in_accept 189 ]. 190 191session_tests() -> 192 [reuse_session, 193 reuse_session_expired, 194 server_does_not_want_to_reuse_session, 195 no_reuses_session_server_restart_new_cert, 196 no_reuses_session_server_restart_new_cert_file]. 197 198renegotiate_tests() -> 199 [client_renegotiate, 200 server_renegotiate, 201 client_secure_renegotiate, 202 client_secure_renegotiate_fallback, 203 client_renegotiate_reused_session, 204 server_renegotiate_reused_session, 205 client_no_wrap_sequence_number, 206 server_no_wrap_sequence_number, 207 renegotiate_dos_mitigate_active, 208 renegotiate_dos_mitigate_passive, 209 renegotiate_dos_mitigate_absolute]. 210 211tls_cipher_tests() -> 212 [rc4_rsa_cipher_suites, 213 rc4_ecdh_rsa_cipher_suites, 214 rc4_ecdsa_cipher_suites]. 215 216cipher_tests() -> 217 [old_cipher_suites, 218 cipher_suites_mix, 219 ciphers_rsa_signed_certs, 220 ciphers_rsa_signed_certs_openssl_names, 221 ciphers_dsa_signed_certs, 222 ciphers_dsa_signed_certs_openssl_names, 223 chacha_rsa_cipher_suites, 224 chacha_ecdsa_cipher_suites, 225 anonymous_cipher_suites, 226 psk_cipher_suites, 227 psk_with_hint_cipher_suites, 228 psk_anon_cipher_suites, 229 psk_anon_with_hint_cipher_suites, 230 srp_cipher_suites, 231 srp_anon_cipher_suites, 232 srp_dsa_cipher_suites, 233 des_rsa_cipher_suites, 234 des_ecdh_rsa_cipher_suites, 235 default_reject_anonymous]. 236 237cipher_tests_ec() -> 238 [ciphers_ecdsa_signed_certs, 239 ciphers_ecdsa_signed_certs_openssl_names, 240 ciphers_ecdh_rsa_signed_certs, 241 ciphers_ecdh_rsa_signed_certs_openssl_names]. 242 243error_handling_tests()-> 244 [close_transport_accept, 245 recv_active, 246 recv_active_once, 247 recv_active_n, 248 recv_error_handling, 249 call_in_error_state, 250 close_in_error_state, 251 abuse_transport_accept_socket, 252 controlling_process_transport_accept_socket 253 ]. 254 255error_handling_tests_tls()-> 256 [controller_dies, 257 tls_client_closes_socket, 258 tls_closed_in_active_once, 259 tls_tcp_error_propagation_in_active_mode, 260 tls_tcp_connect, 261 tls_tcp_connect_big, 262 tls_dont_crash_on_handshake_garbage 263 ]. 264 265rizzo_tests() -> 266 [rizzo, 267 no_rizzo_rc4, 268 rizzo_one_n_minus_one, 269 rizzo_zero_n, 270 rizzo_disabled]. 271 272%%-------------------------------------------------------------------- 273init_per_suite(Config0) -> 274 catch crypto:stop(), 275 try crypto:start() of 276 ok -> 277 ssl_test_lib:clean_start(), 278 %% make rsa certs using oppenssl 279 {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), 280 proplists:get_value(priv_dir, Config0)), 281 Config1 = ssl_test_lib:make_dsa_cert(Config0), 282 Config2 = ssl_test_lib:make_ecdsa_cert(Config1), 283 Config3 = ssl_test_lib:make_rsa_cert(Config2), 284 Config = ssl_test_lib:make_ecdh_rsa_cert(Config3), 285 ssl_test_lib:cert_options(Config) 286 catch _:_ -> 287 {skip, "Crypto did not start"} 288 end. 289 290end_per_suite(_Config) -> 291 ssl:stop(), 292 application:stop(crypto). 293 294%%-------------------------------------------------------------------- 295 296init_per_group(GroupName, Config) when GroupName == basic_tls; 297 GroupName == options_tls; 298 GroupName == options; 299 GroupName == basic; 300 GroupName == session; 301 GroupName == error_handling_tests_tls 302 -> 303 ssl_test_lib:clean_tls_version(Config); 304init_per_group(GroupName, Config) -> 305 ssl_test_lib:clean_tls_version(Config), 306 case ssl_test_lib:is_tls_version(GroupName) andalso ssl_test_lib:sufficient_crypto_support(GroupName) of 307 true -> 308 ssl_test_lib:init_tls_version(GroupName, Config); 309 _ -> 310 case ssl_test_lib:sufficient_crypto_support(GroupName) of 311 true -> 312 ssl:start(), 313 Config; 314 false -> 315 {skip, "Missing crypto support"} 316 end 317 end. 318 319end_per_group(GroupName, Config) -> 320 case ssl_test_lib:is_tls_version(GroupName) of 321 true -> 322 ssl_test_lib:clean_tls_version(Config); 323 false -> 324 Config 325 end. 326 327%%-------------------------------------------------------------------- 328init_per_testcase(Case, Config) when Case == unordered_protocol_versions_client; 329 Case == unordered_protocol_versions_server-> 330 case proplists:get_value(supported, ssl:versions()) of 331 ['tlsv1.2' | _] -> 332 ct:timetrap({seconds, 5}), 333 Config; 334 _ -> 335 {skip, "TLS 1.2 need but not supported on this platform"} 336 end; 337 338init_per_testcase(protocol_versions, Config) -> 339 ssl:stop(), 340 application:load(ssl), 341 %% For backwards compatibility sslv2 should be filtered out. 342 application:set_env(ssl, protocol_version, [sslv2, sslv3, tlsv1]), 343 ssl:start(), 344 ct:timetrap({seconds, 5}), 345 Config; 346 347init_per_testcase(reuse_session_expired, Config) -> 348 ssl:stop(), 349 application:load(ssl), 350 ssl_test_lib:clean_env(), 351 application:set_env(ssl, session_lifetime, ?EXPIRE), 352 application:set_env(ssl, session_delay_cleanup_time, 500), 353 ssl:start(), 354 ct:timetrap({seconds, 30}), 355 Config; 356 357init_per_testcase(empty_protocol_versions, Config) -> 358 ssl:stop(), 359 application:load(ssl), 360 ssl_test_lib:clean_env(), 361 application:set_env(ssl, protocol_version, []), 362 ssl:start(), 363 ct:timetrap({seconds, 5}), 364 Config; 365 366init_per_testcase(fallback, Config) -> 367 case tls_record:highest_protocol_version([]) of 368 {3, N} when N > 1 -> 369 ct:timetrap({seconds, 5}), 370 Config; 371 _ -> 372 {skip, "Not relevant if highest supported version is less than 3.2"} 373 end; 374 375init_per_testcase(TestCase, Config) when TestCase == client_renegotiate; 376 TestCase == server_renegotiate; 377 TestCase == client_secure_renegotiate; 378 TestCase == client_renegotiate_reused_session; 379 TestCase == server_renegotiate_reused_session; 380 TestCase == client_no_wrap_sequence_number; 381 TestCase == server_no_wrap_sequence_number; 382 TestCase == renegotiate_dos_mitigate_active; 383 TestCase == renegotiate_dos_mitigate_passive; 384 TestCase == renegotiate_dos_mitigate_absolute -> 385 ssl_test_lib:ct_log_supported_protocol_versions(Config), 386 ct:timetrap({seconds, ?SEC_RENEGOTIATION_TIMEOUT + 5}), 387 Config; 388 389init_per_testcase(TestCase, Config) when TestCase == psk_cipher_suites; 390 TestCase == psk_with_hint_cipher_suites; 391 TestCase == ciphers_rsa_signed_certs; 392 TestCase == ciphers_rsa_signed_certs_openssl_names; 393 TestCase == ciphers_ecdh_rsa_signed_certs_openssl_names; 394 TestCase == ciphers_ecdh_rsa_signed_certs; 395 TestCase == ciphers_dsa_signed_certs; 396 TestCase == ciphers_dsa_signed_certs_openssl_names; 397 TestCase == anonymous_cipher_suites; 398 TestCase == ciphers_ecdsa_signed_certs; 399 TestCase == ciphers_ecdsa_signed_certs_openssl_names; 400 TestCase == anonymous_cipher_suites; 401 TestCase == psk_anon_cipher_suites; 402 TestCase == psk_anon_with_hint_cipher_suites; 403 TestCase == srp_cipher_suites; 404 TestCase == srp_anon_cipher_suites; 405 TestCase == srp_dsa_cipher_suites; 406 TestCase == des_rsa_cipher_suites; 407 TestCase == des_ecdh_rsa_cipher_suites; 408 TestCase == versions_option; 409 TestCase == tls_tcp_connect_big -> 410 ssl_test_lib:ct_log_supported_protocol_versions(Config), 411 ct:timetrap({seconds, 60}), 412 Config; 413 414init_per_testcase(version_option, Config) -> 415 ssl_test_lib:ct_log_supported_protocol_versions(Config), 416 ct:timetrap({seconds, 10}), 417 Config; 418 419init_per_testcase(reuse_session, Config) -> 420 ssl_test_lib:ct_log_supported_protocol_versions(Config), 421 ct:timetrap({seconds, 10}), 422 Config; 423 424init_per_testcase(rizzo, Config) -> 425 ssl_test_lib:ct_log_supported_protocol_versions(Config), 426 ct:timetrap({seconds, 60}), 427 Config; 428 429init_per_testcase(no_rizzo_rc4, Config) -> 430 ssl_test_lib:ct_log_supported_protocol_versions(Config), 431 ct:timetrap({seconds, 60}), 432 Config; 433 434init_per_testcase(rizzo_one_n_minus_one, Config) -> 435 ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), 436 ct:timetrap({seconds, 60}), 437 rizzo_add_mitigation_option(one_n_minus_one, Config); 438 439init_per_testcase(rizzo_zero_n, Config) -> 440 ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), 441 ct:timetrap({seconds, 60}), 442 rizzo_add_mitigation_option(zero_n, Config); 443 444init_per_testcase(rizzo_disabled, Config) -> 445 ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), 446 ct:timetrap({seconds, 60}), 447 rizzo_add_mitigation_option(disabled, Config); 448 449init_per_testcase(TestCase, Config) when TestCase == no_reuses_session_server_restart_new_cert_file; 450 TestCase == no_reuses_session_server_restart_new_cert -> 451 ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), 452 ct:timetrap({seconds, 15}), 453 Config; 454 455init_per_testcase(prf, Config) -> 456 ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), 457 ct:timetrap({seconds, 40}), 458 case proplists:get_value(tc_group_path, Config) of 459 [] -> Prop = []; 460 [Prop] -> Prop 461 end, 462 case proplists:get_value(name, Prop) of 463 undefined -> TlsVersions = [sslv3, tlsv1, 'tlsv1.1', 'tlsv1.2']; 464 TlsVersion when is_atom(TlsVersion) -> 465 TlsVersions = [TlsVersion] 466 end, 467 PRFS=[md5, sha, sha256, sha384, sha512], 468 %All are the result of running tls_v1:prf(PrfAlgo, <<>>, <<>>, <<>>, 16) 469 %with the specified PRF algorithm 470 ExpectedPrfResults= 471 [{md5, <<96,139,180,171,236,210,13,10,28,32,2,23,88,224,235,199>>}, 472 {sha, <<95,3,183,114,33,169,197,187,231,243,19,242,220,228,70,151>>}, 473 {sha256, <<166,249,145,171,43,95,158,232,6,60,17,90,183,180,0,155>>}, 474 {sha384, <<153,182,217,96,186,130,105,85,65,103,123,247,146,91,47,106>>}, 475 {sha512, <<145,8,98,38,243,96,42,94,163,33,53,49,241,4,127,28>>}, 476 %TLS 1.0 and 1.1 PRF: 477 {md5sha, <<63,136,3,217,205,123,200,177,251,211,17,229,132,4,173,80>>}], 478 TestPlan = prf_create_plan(TlsVersions, PRFS, ExpectedPrfResults), 479 [{prf_test_plan, TestPlan} | Config]; 480 481init_per_testcase(TestCase, Config) when TestCase == tls_ssl_accept_timeout; 482 TestCase == tls_client_closes_socket; 483 TestCase == tls_closed_in_active_once; 484 TestCase == tls_downgrade -> 485 ssl:stop(), 486 ssl:start(), 487 ssl_test_lib:ct_log_supported_protocol_versions(Config), 488 ct:timetrap({seconds, 15}), 489 Config; 490init_per_testcase(TestCase, Config) when TestCase == clear_pem_cache; 491 TestCase == der_input; 492 TestCase == defaults -> 493 ssl_test_lib:ct_log_supported_protocol_versions(Config), 494 %% White box test need clean start 495 ssl:stop(), 496 ssl:start(), 497 ct:timetrap({seconds, 20}), 498 Config; 499init_per_testcase(raw_ssl_option, Config) -> 500 ct:timetrap({seconds, 5}), 501 case os:type() of 502 {unix,linux} -> 503 Config; 504 _ -> 505 {skip, "Raw options are platform-specific"} 506 end; 507 508init_per_testcase(accept_pool, Config) -> 509 ct:timetrap({seconds, 5}), 510 case proplists:get_value(protocol, Config) of 511 dtls -> 512 {skip, "Not yet supported on DTLS sockets"}; 513 _ -> 514 ssl_test_lib:ct_log_supported_protocol_versions(Config), 515 Config 516 end; 517init_per_testcase(controller_dies, Config) -> 518 ct:timetrap({seconds, 10}), 519 Config; 520init_per_testcase(eccs, Config) -> 521 case ssl:eccs() of 522 [] -> 523 {skip, "named curves not supported"}; 524 [_|_] -> 525 ssl_test_lib:ct_log_supported_protocol_versions(Config), 526 ct:timetrap({seconds, 5}), 527 Config 528 end; 529init_per_testcase(_TestCase, Config) -> 530 ssl_test_lib:ct_log_supported_protocol_versions(Config), 531 ct:timetrap({seconds, 5}), 532 Config. 533 534end_per_testcase(reuse_session_expired, Config) -> 535 application:unset_env(ssl, session_lifetime), 536 application:unset_env(ssl, session_delay_cleanup_time), 537 end_per_testcase(default_action, Config); 538 539end_per_testcase(Case, Config) when Case == protocol_versions; 540 Case == empty_protocol_versions-> 541 application:unset_env(ssl, protocol_versions), 542 end_per_testcase(default_action, Config); 543 544end_per_testcase(_TestCase, Config) -> 545 Config. 546 547%%-------------------------------------------------------------------- 548%% Test Cases -------------------------------------------------------- 549%%-------------------------------------------------------------------- 550app() -> 551 [{doc, "Test that the ssl app file is ok"}]. 552app(Config) when is_list(Config) -> 553 ok = ?t:app_test(ssl). 554%%-------------------------------------------------------------------- 555appup() -> 556 [{doc, "Test that the ssl appup file is ok"}]. 557appup(Config) when is_list(Config) -> 558 ok = ?t:appup_test(ssl). 559%%-------------------------------------------------------------------- 560alerts() -> 561 [{doc, "Test ssl_alert:alert_txt/1"}]. 562alerts(Config) when is_list(Config) -> 563 Descriptions = [?CLOSE_NOTIFY, ?UNEXPECTED_MESSAGE, ?BAD_RECORD_MAC, 564 ?DECRYPTION_FAILED_RESERVED, ?RECORD_OVERFLOW, ?DECOMPRESSION_FAILURE, 565 ?HANDSHAKE_FAILURE, ?BAD_CERTIFICATE, ?UNSUPPORTED_CERTIFICATE, 566 ?CERTIFICATE_REVOKED,?CERTIFICATE_EXPIRED, ?CERTIFICATE_UNKNOWN, 567 ?ILLEGAL_PARAMETER, ?UNKNOWN_CA, ?ACCESS_DENIED, ?DECODE_ERROR, 568 ?DECRYPT_ERROR, ?EXPORT_RESTRICTION, ?PROTOCOL_VERSION, 569 ?INSUFFICIENT_SECURITY, ?INTERNAL_ERROR, ?USER_CANCELED, 570 ?NO_RENEGOTIATION, ?UNSUPPORTED_EXTENSION, ?CERTIFICATE_UNOBTAINABLE, 571 ?UNRECOGNISED_NAME, ?BAD_CERTIFICATE_STATUS_RESPONSE, 572 ?BAD_CERTIFICATE_HASH_VALUE, ?UNKNOWN_PSK_IDENTITY, 573 255 %% Unsupported/unknow alert will result in a description too 574 ], 575 Alerts = [?ALERT_REC(?WARNING, ?CLOSE_NOTIFY) | 576 [?ALERT_REC(?FATAL, Desc) || Desc <- Descriptions]], 577 lists:foreach(fun(Alert) -> 578 try ssl_alert:alert_txt(Alert) 579 catch 580 C:E:T -> 581 ct:fail({unexpected, {C, E, T}}) 582 end 583 end, Alerts). 584%%-------------------------------------------------------------------- 585alert_details() -> 586 [{doc, "Test that ssl_alert:alert_txt/1 result contains extendend error description"}]. 587alert_details(Config) when is_list(Config) -> 588 Unique = make_ref(), 589 UniqueStr = lists:flatten(io_lib:format("~w", [Unique])), 590 Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Unique), 591 case string:str(ssl_alert:alert_txt(Alert), UniqueStr) of 592 0 -> 593 ct:fail(error_details_missing); 594 _ -> 595 ok 596 end. 597 598%%-------------------------------------------------------------------- 599alert_details_not_too_big() -> 600 [{doc, "Test that ssl_alert:alert_txt/1 limits printed depth of extended error description"}]. 601alert_details_not_too_big(Config) when is_list(Config) -> 602 Reason = lists:duplicate(10, lists:duplicate(10, lists:duplicate(10, {some, data}))), 603 Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Reason), 604 case length(ssl_alert:alert_txt(Alert)) < 1000 of 605 true -> 606 ok; 607 false -> 608 ct:fail(ssl_alert_text_too_big) 609 end. 610 611%%-------------------------------------------------------------------- 612new_options_in_accept() -> 613 [{doc,"Test that you can set ssl options in ssl_accept/3 and not only in tcp upgrade"}]. 614new_options_in_accept(Config) when is_list(Config) -> 615 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 616 ServerOpts0 = ssl_test_lib:ssl_options(server_dsa_opts, Config), 617 [_ , _ | ServerSslOpts] = ssl_test_lib:ssl_options(server_opts, Config), %% Remove non ssl opts 618 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 619 Version = ssl_test_lib:protocol_options(Config, [{tls, sslv3}, {dtls, dtlsv1}]), 620 Cipher = ssl_test_lib:protocol_options(Config, [{tls, #{key_exchange =>rsa, 621 cipher => rc4_128, 622 mac => sha, 623 prf => default_prf 624 }}, 625 {dtls, #{key_exchange =>rsa, 626 cipher => aes_128_cbc, 627 mac => sha, 628 prf => default_prf 629 }}]), 630 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 631 {from, self()}, 632 {ssl_extra_opts, [{versions, [Version]}, 633 {ciphers,[Cipher]} | ServerSslOpts]}, %% To be set in ssl_accept/3 634 {mfa, {?MODULE, connection_info_result, []}}, 635 {options, proplists:delete(cacertfile, ServerOpts0)}]), 636 637 Port = ssl_test_lib:inet_port(Server), 638 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 639 {host, Hostname}, 640 {from, self()}, 641 {mfa, {?MODULE, connection_info_result, []}}, 642 {options, [{versions, [Version]}, 643 {ciphers,[Cipher]} | ClientOpts]}]), 644 645 ct:log("Testcase ~p, Client ~p Server ~p ~n", 646 [self(), Client, Server]), 647 648 ServerMsg = ClientMsg = {ok, {Version, Cipher}}, 649 650 ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg), 651 652 ssl_test_lib:close(Server), 653 ssl_test_lib:close(Client). 654 655%%-------------------------------------------------------------------- 656handshake_continue() -> 657 [{doc, "Test API function ssl:handshake_continue/3"}]. 658handshake_continue(Config) when is_list(Config) -> 659 ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 660 ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), 661 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 662 663 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 664 {from, self()}, 665 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 666 {options, ssl_test_lib:ssl_options([{reuseaddr, true}, {handshake, hello}], 667 Config)}, 668 {continue_options, proplists:delete(reuseaddr, ServerOpts)} 669 ]), 670 671 Port = ssl_test_lib:inet_port(Server), 672 673 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 674 {host, Hostname}, 675 {from, self()}, 676 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 677 {options, ssl_test_lib:ssl_options([{handshake, hello}], 678 Config)}, 679 {continue_options, proplists:delete(reuseaddr, ClientOpts)}]), 680 681 ssl_test_lib:check_result(Server, ok, Client, ok), 682 683 ssl_test_lib:close(Server), 684 ssl_test_lib:close(Client). 685 686%%------------------------------------------------------------------ 687handshake_continue_timeout() -> 688 [{doc, "Test API function ssl:handshake_continue/3 with short timeout"}]. 689handshake_continue_timeout(Config) when is_list(Config) -> 690 ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), 691 ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), 692 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 693 694 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 695 {from, self()}, 696 {timeout, 1}, 697 {options, ssl_test_lib:ssl_options([{reuseaddr, true}, {handshake, hello}], 698 Config)}, 699 {continue_options, proplists:delete(reuseaddr, ServerOpts)} 700 ]), 701 702 Port = ssl_test_lib:inet_port(Server), 703 704 705 {connect_failed, _} = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 706 {host, Hostname}, 707 {from, self()}, 708 {options, ClientOpts}]), 709 710 ssl_test_lib:check_result(Server, {error,timeout}), 711 ssl_test_lib:close(Server). 712 713 714%%-------------------------------------------------------------------- 715hello_client_cancel() -> 716 [{doc, "Test API function ssl:handshake_cancel/1 on the client side"}]. 717hello_client_cancel(Config) when is_list(Config) -> 718 ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), 719 ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), 720 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 721 722 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 723 {from, self()}, 724 {options, ssl_test_lib:ssl_options([{handshake, hello}], Config)}, 725 {continue_options, proplists:delete(reuseaddr, ServerOpts)}]), 726 727 Port = ssl_test_lib:inet_port(Server), 728 729 %% That is ssl:handshake_cancel returns ok 730 {connect_failed, ok} = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 731 {host, Hostname}, 732 {from, self()}, 733 {options, ssl_test_lib:ssl_options([{handshake, hello}], Config)}, 734 {continue_options, cancel}]), 735 ssl_test_lib:check_server_alert(Server, user_canceled). 736%%-------------------------------------------------------------------- 737hello_server_cancel() -> 738 [{doc, "Test API function ssl:handshake_cancel/1 on the server side"}]. 739hello_server_cancel(Config) when is_list(Config) -> 740 ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 741 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 742 743 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 744 {from, self()}, 745 {options, ssl_test_lib:ssl_options([{handshake, hello}], Config)}, 746 {continue_options, cancel}]), 747 748 Port = ssl_test_lib:inet_port(Server), 749 750 {connect_failed, _} = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 751 {host, Hostname}, 752 {from, self()}, 753 {options, ssl_test_lib:ssl_options([{handshake, hello}], Config)}, 754 {continue_options, proplists:delete(reuseaddr, ClientOpts)}]), 755 756 ssl_test_lib:check_result(Server, ok). 757 758%%-------------------------------------------------------------------- 759prf() -> 760 [{doc,"Test that ssl:prf/5 uses the negotiated PRF."}]. 761prf(Config) when is_list(Config) -> 762 TestPlan = proplists:get_value(prf_test_plan, Config), 763 case TestPlan of 764 [] -> ct:fail({error, empty_prf_test_plan}); 765 _ -> lists:foreach(fun(Suite) -> 766 lists:foreach( 767 fun(Test) -> 768 V = proplists:get_value(tls_ver, Test), 769 C = proplists:get_value(ciphers, Test), 770 E = proplists:get_value(expected, Test), 771 P = proplists:get_value(prf, Test), 772 prf_run_test(Config, V, C, E, P) 773 end, Suite) 774 end, TestPlan) 775 end. 776 777%%-------------------------------------------------------------------- 778 779secret_connection_info() -> 780 [{doc,"Test the API function ssl:connection_information/2"}]. 781secret_connection_info(Config) when is_list(Config) -> 782 ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 783 ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), 784 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 785 786 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 787 {from, self()}, 788 {mfa, {?MODULE, secret_connection_info_result, []}}, 789 {options, ServerOpts}]), 790 791 Port = ssl_test_lib:inet_port(Server), 792 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 793 {host, Hostname}, 794 {from, self()}, 795 {mfa, {?MODULE, secret_connection_info_result, []}}, 796 {options, ClientOpts}]), 797 798 ct:log("Testcase ~p, Client ~p Server ~p ~n", 799 [self(), Client, Server]), 800 801 ssl_test_lib:check_result(Server, true, Client, true), 802 803 ssl_test_lib:close(Server), 804 ssl_test_lib:close(Client). 805 806 807%%-------------------------------------------------------------------- 808 809connection_information() -> 810 [{doc,"Test the API function ssl:connection_information/1"}]. 811connection_information(Config) when is_list(Config) -> 812 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 813 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 814 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 815 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 816 {from, self()}, 817 {mfa, {?MODULE, connection_information_result, []}}, 818 {options, ServerOpts}]), 819 820 Port = ssl_test_lib:inet_port(Server), 821 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 822 {host, Hostname}, 823 {from, self()}, 824 {mfa, {?MODULE, connection_information_result, []}}, 825 {options, ClientOpts}]), 826 827 ct:log("Testcase ~p, Client ~p Server ~p ~n", 828 [self(), Client, Server]), 829 830 ServerMsg = ClientMsg = ok, 831 832 ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg), 833 834 ssl_test_lib:close(Server), 835 ssl_test_lib:close(Client). 836 837 838%%-------------------------------------------------------------------- 839protocol_versions() -> 840 [{doc,"Test to set a list of protocol versions in app environment."}]. 841 842protocol_versions(Config) when is_list(Config) -> 843 basic_test(Config). 844 845%%-------------------------------------------------------------------- 846empty_protocol_versions() -> 847 [{doc,"Test to set an empty list of protocol versions in app environment."}]. 848 849empty_protocol_versions(Config) when is_list(Config) -> 850 basic_test(Config). 851 852%%-------------------------------------------------------------------- 853 854controlling_process() -> 855 [{doc,"Test API function controlling_process/2"}]. 856 857controlling_process(Config) when is_list(Config) -> 858 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 859 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 860 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 861 ClientMsg = "Server hello", 862 ServerMsg = "Client hello", 863 864 Server = ssl_test_lib:start_server([ 865 {node, ServerNode}, {port, 0}, 866 {from, self()}, 867 {mfa, {?MODULE, 868 controlling_process_result, [self(), 869 ServerMsg]}}, 870 {options, ServerOpts}]), 871 Port = ssl_test_lib:inet_port(Server), 872 {Client, CSocket} = ssl_test_lib:start_client([return_socket, 873 {node, ClientNode}, {port, Port}, 874 {host, Hostname}, 875 {from, self()}, 876 {mfa, {?MODULE, 877 controlling_process_result, [self(), 878 ClientMsg]}}, 879 {options, ClientOpts}]), 880 881 ct:log("Testcase ~p, Client ~p Server ~p ~n", 882 [self(), Client, Server]), 883 884 ServerMsg = ssl_test_lib:active_recv(CSocket, length(ServerMsg)), 885 %% We do not have the TLS server socket but all messages form the client 886 %% socket are now read, so ramining are form the server socket 887 ClientMsg = ssl_active_recv(length(ClientMsg)), 888 889 ssl_test_lib:close(Server), 890 ssl_test_lib:close(Client). 891 892%%-------------------------------------------------------------------- 893getstat() -> 894 [{doc,"Test API function getstat/2"}]. 895 896getstat(Config) when is_list(Config) -> 897 ClientOpts = ?config(client_opts, Config), 898 ServerOpts = ?config(server_opts, Config), 899 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 900 Server1 = 901 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 902 {from, self()}, 903 {mfa, {ssl_test_lib, send_recv_result, []}}, 904 {options, [{active, false} | ServerOpts]}]), 905 Port1 = ssl_test_lib:inet_port(Server1), 906 Server2 = 907 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 908 {from, self()}, 909 {mfa, {ssl_test_lib, send_recv_result, []}}, 910 {options, [{active, false} | ServerOpts]}]), 911 Port2 = ssl_test_lib:inet_port(Server2), 912 {ok, ActiveC} = rpc:call(ClientNode, ssl, connect, 913 [Hostname,Port1,[{active, once}|ClientOpts]]), 914 {ok, PassiveC} = rpc:call(ClientNode, ssl, connect, 915 [Hostname,Port2,[{active, false}|ClientOpts]]), 916 917 ct:log("Testcase ~p, Client ~p Servers ~p, ~p ~n", 918 [self(), self(), Server1, Server2]), 919 920 %% We only check that the values are non-zero initially 921 %% (due to the handshake), and that sending more changes the values. 922 923 %% Passive socket. 924 925 {ok, InitialStats} = ssl:getstat(PassiveC), 926 ct:pal("InitialStats ~p~n", [InitialStats]), 927 [true] = lists:usort([0 =/= proplists:get_value(Name, InitialStats) 928 || Name <- [recv_cnt, recv_oct, recv_avg, recv_max, send_cnt, send_oct, send_avg, send_max]]), 929 930 ok = ssl:send(PassiveC, "Hello world"), 931 wait_for_send(PassiveC), 932 {ok, SStats} = ssl:getstat(PassiveC, [send_cnt, send_oct]), 933 ct:pal("SStats ~p~n", [SStats]), 934 [true] = lists:usort([proplists:get_value(Name, SStats) =/= proplists:get_value(Name, InitialStats) 935 || Name <- [send_cnt, send_oct]]), 936 937 %% Active socket. 938 939 {ok, InitialAStats} = ssl:getstat(ActiveC), 940 ct:pal("InitialAStats ~p~n", [InitialAStats]), 941 [true] = lists:usort([0 =/= proplists:get_value(Name, InitialAStats) 942 || Name <- [recv_cnt, recv_oct, recv_avg, recv_max, send_cnt, send_oct, send_avg, send_max]]), 943 944 _ = receive 945 {ssl, ActiveC, _} -> 946 ok 947 after 948 ?SLEEP -> 949 exit(timeout) 950 end, 951 952 ok = ssl:send(ActiveC, "Hello world"), 953 wait_for_send(ActiveC), 954 {ok, ASStats} = ssl:getstat(ActiveC, [send_cnt, send_oct]), 955 ct:pal("ASStats ~p~n", [ASStats]), 956 [true] = lists:usort([proplists:get_value(Name, ASStats) =/= proplists:get_value(Name, InitialAStats) 957 || Name <- [send_cnt, send_oct]]), 958 959 ok. 960 961%%-------------------------------------------------------------------- 962controller_dies() -> 963 [{doc,"Test that the socket is closed after controlling process dies"}]. 964controller_dies(Config) when is_list(Config) -> 965 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 966 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 967 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 968 ClientMsg = "Hello server", 969 ServerMsg = "Hello client", 970 971 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 972 {from, self()}, 973 {mfa, {?MODULE, 974 controller_dies_result, [self(), 975 ServerMsg]}}, 976 {options, ServerOpts}]), 977 Port = ssl_test_lib:inet_port(Server), 978 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 979 {host, Hostname}, 980 {from, self()}, 981 {mfa, {?MODULE, 982 controller_dies_result, [self(), 983 ClientMsg]}}, 984 {options, ClientOpts}]), 985 986 ct:log("Testcase ~p, Client ~p Server ~p ~n", [self(), Client, Server]), 987 ct:sleep(?SLEEP), %% so that they are connected 988 989 process_flag(trap_exit, true), 990 991 %% Test that clients die 992 exit(Client, killed), 993 get_close(Client, ?LINE), 994 995 %% Test that clients die when process disappear 996 Server ! listen, 997 Tester = self(), 998 Connect = fun(Pid) -> 999 {ok, Socket} = ssl:connect(Hostname, Port, ClientOpts), 1000 %% Make sure server finishes and verification 1001 %% and is in coonection state before 1002 %% killing client 1003 ct:sleep(?SLEEP), 1004 Pid ! {self(), connected, Socket}, 1005 receive die_nice -> normal end 1006 end, 1007 Client2 = spawn_link(fun() -> Connect(Tester) end), 1008 receive {Client2, connected, _Socket} -> Client2 ! die_nice end, 1009 1010 get_close(Client2, ?LINE), 1011 1012 %% Test that clients die when the controlling process have changed 1013 Server ! listen, 1014 1015 Client3 = spawn_link(fun() -> Connect(Tester) end), 1016 Controller = spawn_link(fun() -> receive die_nice -> normal end end), 1017 receive 1018 {Client3, connected, Socket} -> 1019 ok = ssl:controlling_process(Socket, Controller), 1020 Client3 ! die_nice 1021 end, 1022 1023 ct:log("Wating on exit ~p~n",[Client3]), 1024 receive {'EXIT', Client3, normal} -> ok end, 1025 1026 receive %% Client3 is dead but that doesn't matter, socket should not be closed. 1027 Unexpected -> 1028 ct:log("Unexpected ~p~n",[Unexpected]), 1029 ct:fail({line, ?LINE-1}) 1030 after 1000 -> 1031 ok 1032 end, 1033 Controller ! die_nice, 1034 get_close(Controller, ?LINE), 1035 1036 %% Test that servers die 1037 Server ! listen, 1038 LastClient = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1039 {host, Hostname}, 1040 {from, self()}, 1041 {mfa, {?MODULE, 1042 controller_dies_result, [self(), 1043 ClientMsg]}}, 1044 {options, ClientOpts}]), 1045 ct:sleep(?SLEEP), %% so that they are connected 1046 1047 exit(Server, killed), 1048 get_close(Server, ?LINE), 1049 process_flag(trap_exit, false), 1050 ssl_test_lib:close(LastClient). 1051 1052%%-------------------------------------------------------------------- 1053tls_client_closes_socket() -> 1054 [{doc,"Test what happens when client closes socket before handshake is compleated"}]. 1055 1056tls_client_closes_socket(Config) when is_list(Config) -> 1057 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1058 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1059 TcpOpts = [binary, {reuseaddr, true}], 1060 1061 Server = ssl_test_lib:start_upgrade_server_error([{node, ServerNode}, {port, 0}, 1062 {from, self()}, 1063 {tcp_options, TcpOpts}, 1064 {ssl_options, ServerOpts}]), 1065 Port = ssl_test_lib:inet_port(Server), 1066 1067 Connect = fun() -> 1068 {ok, _Socket} = rpc:call(ClientNode, gen_tcp, connect, 1069 [Hostname, Port, [binary]]), 1070 %% Make sure that ssl_accept is called before 1071 %% client process ends and closes socket. 1072 ct:sleep(?SLEEP) 1073 end, 1074 1075 _Client = spawn_link(Connect), 1076 1077 ssl_test_lib:check_result(Server, {error,closed}). 1078 1079%%-------------------------------------------------------------------- 1080tls_closed_in_active_once() -> 1081 [{doc, "Test that ssl_closed is delivered in active once with non-empty buffer, check ERL-420."}]. 1082 1083tls_closed_in_active_once(Config) when is_list(Config) -> 1084 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1085 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1086 {_ClientNode, _ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1087 TcpOpts = [binary, {reuseaddr, true}], 1088 Port = ssl_test_lib:inet_port(node()), 1089 Server = fun() -> 1090 {ok, Listen} = gen_tcp:listen(Port, TcpOpts), 1091 {ok, TcpServerSocket} = gen_tcp:accept(Listen), 1092 {ok, ServerSocket} = ssl:ssl_accept(TcpServerSocket, ServerOpts), 1093 lists:foreach( 1094 fun(_) -> 1095 ssl:send(ServerSocket, "some random message\r\n") 1096 end, lists:seq(1, 20)), 1097 %% Close TCP instead of SSL socket to trigger the bug: 1098 gen_tcp:close(TcpServerSocket), 1099 gen_tcp:close(Listen) 1100 end, 1101 spawn_link(Server), 1102 {ok, Socket} = ssl:connect(Hostname, Port, [{active, false} | ClientOpts]), 1103 Result = tls_closed_in_active_once_loop(Socket), 1104 ssl:close(Socket), 1105 case Result of 1106 ok -> ok; 1107 _ -> ct:fail(Result) 1108 end. 1109 1110tls_closed_in_active_once_loop(Socket) -> 1111 case ssl:setopts(Socket, [{active, once}]) of 1112 ok -> 1113 receive 1114 {ssl, Socket, _} -> 1115 tls_closed_in_active_once_loop(Socket); 1116 {ssl_closed, Socket} -> 1117 ok 1118 after 5000 -> 1119 no_ssl_closed_received 1120 end; 1121 {error, closed} -> 1122 ok 1123 end. 1124%%-------------------------------------------------------------------- 1125connect_dist() -> 1126 [{doc,"Test a simple connect as is used by distribution"}]. 1127 1128connect_dist(Config) when is_list(Config) -> 1129 ClientOpts0 = ssl_test_lib:ssl_options(client_kc_opts, Config), 1130 ClientOpts = [{ssl_imp, new},{active, false}, {packet,4}|ClientOpts0], 1131 ServerOpts0 = ssl_test_lib:ssl_options(server_kc_opts, Config), 1132 ServerOpts = [{ssl_imp, new},{active, false}, {packet,4}|ServerOpts0], 1133 1134 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1135 1136 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1137 {from, self()}, 1138 {mfa, {?MODULE, connect_dist_s, []}}, 1139 {options, ServerOpts}]), 1140 Port = ssl_test_lib:inet_port(Server), 1141 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1142 {host, Hostname}, 1143 {from, self()}, 1144 {mfa, {?MODULE, connect_dist_c, []}}, 1145 {options, ClientOpts}]), 1146 1147 ssl_test_lib:check_result(Server, ok, Client, ok), 1148 1149 ssl_test_lib:close(Server), 1150 ssl_test_lib:close(Client). 1151 1152%%-------------------------------------------------------------------- 1153 1154clear_pem_cache() -> 1155 [{doc,"Test that internal reference tabel is cleaned properly even when " 1156 " the PEM cache is cleared" }]. 1157clear_pem_cache(Config) when is_list(Config) -> 1158 {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)), 1159 [_, _,_, _, Prop] = StatusInfo, 1160 State = ssl_test_lib:state(Prop), 1161 [_,{FilRefDb, _} |_] = element(6, State), 1162 {Server, Client} = basic_verify_test_no_close(Config), 1163 CountReferencedFiles = fun({_, -1}, Acc) -> 1164 Acc; 1165 ({_, N}, Acc) -> 1166 N + Acc 1167 end, 1168 1169 2 = ets:foldl(CountReferencedFiles, 0, FilRefDb), 1170 ssl:clear_pem_cache(), 1171 _ = sys:get_status(whereis(ssl_manager)), 1172 {Server1, Client1} = basic_verify_test_no_close(Config), 1173 4 = ets:foldl(CountReferencedFiles, 0, FilRefDb), 1174 ssl_test_lib:close(Server), 1175 ssl_test_lib:close(Client), 1176 ct:sleep(2000), 1177 _ = sys:get_status(whereis(ssl_manager)), 1178 2 = ets:foldl(CountReferencedFiles, 0, FilRefDb), 1179 ssl_test_lib:close(Server1), 1180 ssl_test_lib:close(Client1), 1181 ct:sleep(2000), 1182 _ = sys:get_status(whereis(ssl_manager)), 1183 0 = ets:foldl(CountReferencedFiles, 0, FilRefDb). 1184 1185%%-------------------------------------------------------------------- 1186 1187fallback() -> 1188 [{doc, "Test TLS_FALLBACK_SCSV downgrade prevention"}]. 1189 1190fallback(Config) when is_list(Config) -> 1191 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1192 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1193 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1194 1195 Server = 1196 ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 1197 {from, self()}, 1198 {options, ServerOpts}]), 1199 1200 Port = ssl_test_lib:inet_port(Server), 1201 1202 Client = 1203 ssl_test_lib:start_client_error([{node, ClientNode}, 1204 {port, Port}, {host, Hostname}, 1205 {from, self()}, {options, 1206 [{fallback, true}, 1207 {versions, ['tlsv1']} 1208 | ClientOpts]}]), 1209 ssl_test_lib:check_server_alert(Server, Client, inappropriate_fallback). 1210 1211 1212%%-------------------------------------------------------------------- 1213cipher_format() -> 1214 [{doc, "Test that cipher conversion from maps | tuples | stings to binarys works"}]. 1215cipher_format(Config) when is_list(Config) -> 1216 {ok, Socket0} = ssl:listen(0, [{ciphers, ssl:cipher_suites(default, 'tlsv1.2')}]), 1217 ssl:close(Socket0), 1218 %% Legacy 1219 {ok, Socket1} = ssl:listen(0, [{ciphers, ssl:cipher_suites()}]), 1220 ssl:close(Socket1), 1221 {ok, Socket2} = ssl:listen(0, [{ciphers, ssl:cipher_suites(openssl)}]), 1222 ssl:close(Socket2). 1223 1224%%-------------------------------------------------------------------- 1225suite_to_str() -> 1226 [{doc, "Test that the suite_to_str API works"}]. 1227suite_to_str(Config) when is_list(Config) -> 1228 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" = 1229 ssl:suite_to_str(#{key_exchange => null, 1230 cipher => null, 1231 mac => null, 1232 prf => null}), 1233 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" = 1234 ssl:suite_to_str(#{key_exchange => ecdhe_ecdsa, 1235 cipher => aes_128_gcm, 1236 mac => aead, 1237 prf => sha256}), 1238 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" = 1239 ssl:suite_to_str(#{key_exchange => ecdh_rsa, 1240 cipher => aes_128_cbc, 1241 mac => sha256, 1242 prf => sha256}). 1243 1244%%-------------------------------------------------------------------- 1245 1246peername() -> 1247 [{doc,"Test API function peername/1"}]. 1248 1249peername(Config) when is_list(Config) -> 1250 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1251 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1252 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1253 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1254 {from, self()}, 1255 {mfa, {?MODULE, peername_result, []}}, 1256 {options, ServerOpts}]), 1257 Port = ssl_test_lib:inet_port(Server), 1258 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1259 {host, Hostname}, 1260 {from, self()}, 1261 {mfa, {?MODULE, peername_result, []}}, 1262 {options, [{port, 0} | ClientOpts]}]), 1263 1264 ClientPort = ssl_test_lib:inet_port(Client), 1265 ServerIp = ssl_test_lib:node_to_hostip(ServerNode), 1266 ClientIp = ssl_test_lib:node_to_hostip(ClientNode), 1267 ServerMsg = {ok, {ClientIp, ClientPort}}, 1268 ClientMsg = {ok, {ServerIp, Port}}, 1269 1270 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1271 [self(), Client, Server]), 1272 1273 ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg), 1274 1275 ssl_test_lib:close(Server), 1276 ssl_test_lib:close(Client). 1277 1278%%-------------------------------------------------------------------- 1279peercert() -> 1280 [{doc,"Test API function peercert/1"}]. 1281peercert(Config) when is_list(Config) -> 1282 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1283 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1284 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1285 1286 Server = ssl_test_lib:start_server([{node, ClientNode}, {port, 0}, 1287 {from, self()}, 1288 {mfa, {?MODULE, peercert_result, []}}, 1289 {options, ServerOpts}]), 1290 Port = ssl_test_lib:inet_port(Server), 1291 Client = ssl_test_lib:start_client([{node, ServerNode}, {port, Port}, 1292 {host, Hostname}, 1293 {from, self()}, 1294 {mfa, {?MODULE, peercert_result, []}}, 1295 {options, ClientOpts}]), 1296 1297 CertFile = proplists:get_value(certfile, ServerOpts), 1298 [{'Certificate', BinCert, _}]= ssl_test_lib:pem_to_der(CertFile), 1299 1300 ServerMsg = {error, no_peercert}, 1301 ClientMsg = {ok, BinCert}, 1302 1303 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1304 [self(), Client, Server]), 1305 1306 ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg), 1307 1308 ssl_test_lib:close(Server), 1309 ssl_test_lib:close(Client). 1310 1311peercert_result(Socket) -> 1312 ssl:peercert(Socket). 1313%%-------------------------------------------------------------------- 1314 1315peercert_with_client_cert() -> 1316 [{doc,"Test API function peercert/1"}]. 1317peercert_with_client_cert(Config) when is_list(Config) -> 1318 ClientOpts = ssl_test_lib:ssl_options(client_dsa_opts, Config), 1319 ServerOpts = ssl_test_lib:ssl_options(server_dsa_verify_opts, Config), 1320 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1321 1322 Server = ssl_test_lib:start_server([{node, ClientNode}, {port, 0}, 1323 {from, self()}, 1324 {mfa, {?MODULE, peercert_result, []}}, 1325 {options, ServerOpts}]), 1326 Port = ssl_test_lib:inet_port(Server), 1327 Client = ssl_test_lib:start_client([{node, ServerNode}, {port, Port}, 1328 {host, Hostname}, 1329 {from, self()}, 1330 {mfa, {?MODULE, peercert_result, []}}, 1331 {options, ClientOpts}]), 1332 1333 ServerCertFile = proplists:get_value(certfile, ServerOpts), 1334 [{'Certificate', ServerBinCert, _}]= ssl_test_lib:pem_to_der(ServerCertFile), 1335 ClientCertFile = proplists:get_value(certfile, ClientOpts), 1336 [{'Certificate', ClientBinCert, _}]= ssl_test_lib:pem_to_der(ClientCertFile), 1337 1338 ServerMsg = {ok, ClientBinCert}, 1339 ClientMsg = {ok, ServerBinCert}, 1340 1341 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1342 [self(), Client, Server]), 1343 1344 ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg), 1345 1346 ssl_test_lib:close(Server), 1347 ssl_test_lib:close(Client). 1348 1349%%-------------------------------------------------------------------- 1350sockname() -> 1351 [{doc,"Test API function sockname/1"}]. 1352sockname(Config) when is_list(Config) -> 1353 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1354 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1355 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1356 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1357 {from, self()}, 1358 {mfa, {?MODULE, sockname_result, []}}, 1359 {options, ServerOpts}]), 1360 Port = ssl_test_lib:inet_port(Server), 1361 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1362 {host, Hostname}, 1363 {from, self()}, 1364 {mfa, {?MODULE, sockname_result, []}}, 1365 {options, [{port, 0} | ClientOpts]}]), 1366 1367 ClientPort = ssl_test_lib:inet_port(Client), 1368 ServerIp = 1369 case proplists:get_value(protocol, Config) of 1370 dtls -> 1371 %% DTLS sockets are not connected on the server side, 1372 %% so we can only get a ClientIP, ServerIP will always be 0.0.0.0 1373 {0,0,0,0}; 1374 _ -> 1375 ssl_test_lib:node_to_hostip(ServerNode) 1376 end, 1377 1378 ClientIp = ssl_test_lib:node_to_hostip(ClientNode), 1379 ServerMsg = {ok, {ServerIp, Port}}, 1380 ClientMsg = {ok, {ClientIp, ClientPort}}, 1381 1382 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1383 [self(), Client, Server]), 1384 1385 ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg), 1386 1387 ssl_test_lib:close(Server), 1388 ssl_test_lib:close(Client). 1389 1390sockname_result(S) -> 1391 ssl:sockname(S). 1392 1393%%-------------------------------------------------------------------- 1394 1395cipher_suites() -> 1396 [{doc,"Test API function cipher_suites/2, filter_cipher_suites/2" 1397 " and prepend|append_cipher_suites/2"}]. 1398 1399cipher_suites(Config) when is_list(Config) -> 1400 MandatoryCipherSuiteTLS1_0TLS1_1 = #{key_exchange => rsa, 1401 cipher => '3des_ede_cbc', 1402 mac => sha, 1403 prf => default_prf}, 1404 MandatoryCipherSuiteTLS1_0TLS1_2 = #{key_exchange =>rsa, 1405 cipher => 'aes_128_cbc', 1406 mac => sha, 1407 prf => default_prf}, 1408 Version = ssl_test_lib:protocol_version(Config), 1409 All = [_|_] = ssl:cipher_suites(all, Version), 1410 Default = [_|_] = ssl:cipher_suites(default, Version), 1411 Anonymous = [_|_] = ssl:cipher_suites(anonymous, Version), 1412 true = length(Default) < length(All), 1413 Filters = [{key_exchange, 1414 fun(dhe_rsa) -> 1415 true; 1416 (_) -> 1417 false 1418 end 1419 }, 1420 {cipher, 1421 fun(aes_256_cbc) -> 1422 true; 1423 (_) -> 1424 false 1425 end 1426 }, 1427 {mac, 1428 fun(sha) -> 1429 true; 1430 (_) -> 1431 false 1432 end 1433 } 1434 ], 1435 Cipher = #{cipher => aes_256_cbc, 1436 key_exchange => dhe_rsa, 1437 mac => sha, 1438 prf => default_prf}, 1439 [Cipher] = ssl:filter_cipher_suites(All, Filters), 1440 [Cipher | Rest0] = ssl:prepend_cipher_suites([Cipher], Default), 1441 [Cipher | Rest0] = ssl:prepend_cipher_suites(Filters, Default), 1442 true = lists:member(Cipher, Default), 1443 false = lists:member(Cipher, Rest0), 1444 [Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites([Cipher], Default)), 1445 [Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites(Filters, Default)), 1446 true = lists:member(Cipher, Default), 1447 false = lists:member(Cipher, Rest1), 1448 [] = lists:dropwhile(fun(X) -> not lists:member(X, Default) end, Anonymous), 1449 [] = lists:dropwhile(fun(X) -> not lists:member(X, All) end, Anonymous), 1450 true = lists:member(MandatoryCipherSuiteTLS1_0TLS1_1, All), 1451 true = lists:member(MandatoryCipherSuiteTLS1_0TLS1_2, All). 1452 1453%%-------------------------------------------------------------------- 1454 1455old_cipher_suites() -> 1456 [{doc,"Test API function cipher_suites/0"}]. 1457 1458old_cipher_suites(Config) when is_list(Config) -> 1459 MandatoryCipherSuite = {rsa, '3des_ede_cbc', sha}, 1460 [_|_] = Suites = ssl:cipher_suites(), 1461 Suites = ssl:cipher_suites(erlang), 1462 [_|_] = ssl:cipher_suites(openssl), 1463 true = lists:member(MandatoryCipherSuite, ssl:cipher_suites(all)). 1464 1465%%-------------------------------------------------------------------- 1466cipher_suites_mix() -> 1467 [{doc,"Test to have old and new cipher suites at the same time"}]. 1468 1469cipher_suites_mix(Config) when is_list(Config) -> 1470 CipherSuites = [{dhe_rsa,aes_128_cbc,sha256,sha256}, {dhe_rsa,aes_128_cbc,sha}], 1471 ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 1472 ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), 1473 1474 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1475 1476 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1477 {from, self()}, 1478 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 1479 {options, ServerOpts}]), 1480 Port = ssl_test_lib:inet_port(Server), 1481 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1482 {host, Hostname}, 1483 {from, self()}, 1484 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 1485 {options, [{ciphers, CipherSuites} | ClientOpts]}]), 1486 1487 ssl_test_lib:check_result(Server, ok, Client, ok), 1488 ssl_test_lib:close(Server), 1489 ssl_test_lib:close(Client). 1490%%-------------------------------------------------------------------- 1491tls_socket_options() -> 1492 [{doc,"Test API function getopts/2 and setopts/2"}]. 1493 1494tls_socket_options(Config) when is_list(Config) -> 1495 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1496 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1497 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1498 Values = [{mode, list}, {packet, 0}, {header, 0}, 1499 {active, true}], 1500 %% Shall be the reverse order of Values! 1501 Options = [active, header, packet, mode], 1502 1503 NewValues = [{mode, binary}, {active, once}], 1504 %% Shall be the reverse order of NewValues! 1505 NewOptions = [active, mode], 1506 1507 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1508 {from, self()}, 1509 {mfa, {?MODULE, tls_socket_options_result, 1510 [Options, Values, NewOptions, NewValues]}}, 1511 {options, ServerOpts}]), 1512 Port = ssl_test_lib:inet_port(Server), 1513 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1514 {host, Hostname}, 1515 {from, self()}, 1516 {mfa, {?MODULE, tls_socket_options_result, 1517 [Options, Values, NewOptions, NewValues]}}, 1518 {options, ClientOpts}]), 1519 1520 ssl_test_lib:check_result(Server, ok, Client, ok), 1521 1522 ssl_test_lib:close(Server), 1523 1524 {ok, Listen} = ssl:listen(0, ServerOpts), 1525 {ok,[{mode,list}]} = ssl:getopts(Listen, [mode]), 1526 ok = ssl:setopts(Listen, [{mode, binary}]), 1527 {ok,[{mode, binary}]} = ssl:getopts(Listen, [mode]), 1528 {ok,[{recbuf, _}]} = ssl:getopts(Listen, [recbuf]), 1529 ssl:close(Listen). 1530 1531tls_socket_options_result(Socket, Options, DefaultValues, NewOptions, NewValues) -> 1532 %% Test get/set emulated opts 1533 {ok, DefaultValues} = ssl:getopts(Socket, Options), 1534 ssl:setopts(Socket, NewValues), 1535 {ok, NewValues} = ssl:getopts(Socket, NewOptions), 1536 %% Test get/set inet opts 1537 {ok,[{nodelay,false}]} = ssl:getopts(Socket, [nodelay]), 1538 ssl:setopts(Socket, [{nodelay, true}]), 1539 {ok,[{nodelay, true}]} = ssl:getopts(Socket, [nodelay]), 1540 {ok, All} = ssl:getopts(Socket, []), 1541 ct:log("All opts ~p~n", [All]), 1542 ok. 1543 1544 1545%%-------------------------------------------------------------------- 1546socket_options() -> 1547 [{doc,"Test API function getopts/2 and setopts/2"}]. 1548 1549socket_options(Config) when is_list(Config) -> 1550 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1551 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1552 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1553 Values = [{mode, list}, {active, true}], 1554 %% Shall be the reverse order of Values! 1555 Options = [active, mode], 1556 1557 NewValues = [{mode, binary}, {active, once}], 1558 %% Shall be the reverse order of NewValues! 1559 NewOptions = [active, mode], 1560 1561 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1562 {from, self()}, 1563 {mfa, {?MODULE, socket_options_result, 1564 [Options, Values, NewOptions, NewValues]}}, 1565 {options, ServerOpts}]), 1566 Port = ssl_test_lib:inet_port(Server), 1567 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1568 {host, Hostname}, 1569 {from, self()}, 1570 {mfa, {?MODULE, socket_options_result, 1571 [Options, Values, NewOptions, NewValues]}}, 1572 {options, ClientOpts}]), 1573 1574 ssl_test_lib:check_result(Server, ok, Client, ok), 1575 1576 ssl_test_lib:close(Server), 1577 1578 {ok, Listen} = ssl:listen(0, ServerOpts), 1579 {ok,[{mode,list}]} = ssl:getopts(Listen, [mode]), 1580 ok = ssl:setopts(Listen, [{mode, binary}]), 1581 {ok,[{mode, binary}]} = ssl:getopts(Listen, [mode]), 1582 {ok,[{recbuf, _}]} = ssl:getopts(Listen, [recbuf]), 1583 ssl:close(Listen). 1584 1585 1586socket_options_result(Socket, Options, DefaultValues, NewOptions, NewValues) -> 1587 %% Test get/set emulated opts 1588 {ok, DefaultValues} = ssl:getopts(Socket, Options), 1589 ssl:setopts(Socket, NewValues), 1590 {ok, NewValues} = ssl:getopts(Socket, NewOptions), 1591 %% Test get/set inet opts 1592 {ok,[{reuseaddr, _}]} = ssl:getopts(Socket, [reuseaddr]), 1593 {ok, All} = ssl:getopts(Socket, []), 1594 ct:log("All opts ~p~n", [All]), 1595 ok. 1596 1597 1598%%-------------------------------------------------------------------- 1599invalid_inet_get_option() -> 1600 [{doc,"Test handling of invalid inet options in getopts"}]. 1601 1602invalid_inet_get_option(Config) when is_list(Config) -> 1603 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1604 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1605 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1606 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1607 {from, self()}, 1608 {mfa, {?MODULE, get_invalid_inet_option, []}}, 1609 {options, ServerOpts}]), 1610 Port = ssl_test_lib:inet_port(Server), 1611 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1612 {host, Hostname}, 1613 {from, self()}, 1614 {mfa, {ssl_test_lib, no_result, []}}, 1615 {options, ClientOpts}]), 1616 1617 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1618 [self(), Client, Server]), 1619 1620 ssl_test_lib:check_result(Server, ok), 1621 ssl_test_lib:close(Server), 1622 ssl_test_lib:close(Client). 1623 1624%%-------------------------------------------------------------------- 1625invalid_inet_get_option_not_list() -> 1626 [{doc,"Test handling of invalid type in getopts"}]. 1627 1628invalid_inet_get_option_not_list(Config) when is_list(Config) -> 1629 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1630 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1631 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1632 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1633 {from, self()}, 1634 {mfa, {?MODULE, get_invalid_inet_option_not_list, []}}, 1635 {options, ServerOpts}]), 1636 Port = ssl_test_lib:inet_port(Server), 1637 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1638 {host, Hostname}, 1639 {from, self()}, 1640 {mfa, {ssl_test_lib, no_result, []}}, 1641 {options, ClientOpts}]), 1642 1643 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1644 [self(), Client, Server]), 1645 1646 ssl_test_lib:check_result(Server, ok), 1647 ssl_test_lib:close(Server), 1648 ssl_test_lib:close(Client). 1649 1650 1651get_invalid_inet_option_not_list(Socket) -> 1652 {error, {options, {socket_options, some_invalid_atom_here}}} 1653 = ssl:getopts(Socket, some_invalid_atom_here), 1654 ok. 1655 1656%%-------------------------------------------------------------------- 1657invalid_inet_get_option_improper_list() -> 1658 [{doc,"Test handling of invalid type in getopts"}]. 1659 1660invalid_inet_get_option_improper_list(Config) when is_list(Config) -> 1661 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1662 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1663 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1664 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1665 {from, self()}, 1666 {mfa, {?MODULE, get_invalid_inet_option_improper_list, []}}, 1667 {options, ServerOpts}]), 1668 Port = ssl_test_lib:inet_port(Server), 1669 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1670 {host, Hostname}, 1671 {from, self()}, 1672 {mfa, {ssl_test_lib, no_result, []}}, 1673 {options, ClientOpts}]), 1674 1675 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1676 [self(), Client, Server]), 1677 1678 ssl_test_lib:check_result(Server, ok), 1679 ssl_test_lib:close(Server), 1680 ssl_test_lib:close(Client). 1681 1682 1683get_invalid_inet_option_improper_list(Socket) -> 1684 {error, {options, {socket_options, foo,_}}} = ssl:getopts(Socket, [packet | foo]), 1685 ok. 1686 1687%%-------------------------------------------------------------------- 1688invalid_inet_set_option() -> 1689 [{doc,"Test handling of invalid inet options in setopts"}]. 1690 1691invalid_inet_set_option(Config) when is_list(Config) -> 1692 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1693 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1694 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1695 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1696 {from, self()}, 1697 {mfa, {?MODULE, set_invalid_inet_option, []}}, 1698 {options, ServerOpts}]), 1699 Port = ssl_test_lib:inet_port(Server), 1700 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1701 {host, Hostname}, 1702 {from, self()}, 1703 {mfa, {ssl_test_lib, no_result, []}}, 1704 {options, ClientOpts}]), 1705 1706 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1707 [self(), Client, Server]), 1708 1709 ssl_test_lib:check_result(Server, ok), 1710 ssl_test_lib:close(Server), 1711 ssl_test_lib:close(Client). 1712 1713set_invalid_inet_option(Socket) -> 1714 {error, {options, {socket_options, {packet, foo}}}} = ssl:setopts(Socket, [{packet, foo}]), 1715 {error, {options, {socket_options, {header, foo}}}} = ssl:setopts(Socket, [{header, foo}]), 1716 {error, {options, {socket_options, {active, foo}}}} = ssl:setopts(Socket, [{active, foo}]), 1717 {error, {options, {socket_options, {mode, foo}}}} = ssl:setopts(Socket, [{mode, foo}]), 1718 ok. 1719%%-------------------------------------------------------------------- 1720invalid_inet_set_option_not_list() -> 1721 [{doc,"Test handling of invalid type in setopts"}]. 1722 1723invalid_inet_set_option_not_list(Config) when is_list(Config) -> 1724 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1725 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1726 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1727 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1728 {from, self()}, 1729 {mfa, {?MODULE, set_invalid_inet_option_not_list, []}}, 1730 {options, ServerOpts}]), 1731 Port = ssl_test_lib:inet_port(Server), 1732 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1733 {host, Hostname}, 1734 {from, self()}, 1735 {mfa, {ssl_test_lib, no_result, []}}, 1736 {options, ClientOpts}]), 1737 1738 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1739 [self(), Client, Server]), 1740 1741 ssl_test_lib:check_result(Server, ok), 1742 ssl_test_lib:close(Server), 1743 ssl_test_lib:close(Client). 1744 1745 1746set_invalid_inet_option_not_list(Socket) -> 1747 {error, {options, {not_a_proplist, some_invalid_atom_here}}} 1748 = ssl:setopts(Socket, some_invalid_atom_here), 1749 ok. 1750 1751%%-------------------------------------------------------------------- 1752invalid_inet_set_option_improper_list() -> 1753 [{doc,"Test handling of invalid tye in setopts"}]. 1754 1755invalid_inet_set_option_improper_list(Config) when is_list(Config) -> 1756 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1757 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1758 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1759 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1760 {from, self()}, 1761 {mfa, {?MODULE, set_invalid_inet_option_improper_list, []}}, 1762 {options, ServerOpts}]), 1763 Port = ssl_test_lib:inet_port(Server), 1764 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1765 {host, Hostname}, 1766 {from, self()}, 1767 {mfa, {ssl_test_lib, no_result, []}}, 1768 {options, ClientOpts}]), 1769 1770 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1771 [self(), Client, Server]), 1772 1773 ssl_test_lib:check_result(Server, ok), 1774 ssl_test_lib:close(Server), 1775 ssl_test_lib:close(Client). 1776 1777set_invalid_inet_option_improper_list(Socket) -> 1778 {error, {options, {not_a_proplist, [{packet, 0} | {foo, 2}]}}} = 1779 ssl:setopts(Socket, [{packet, 0} | {foo, 2}]), 1780 ok. 1781 1782%%-------------------------------------------------------------------- 1783tls_misc_ssl_options() -> 1784 [{doc,"Test what happens when we give valid options"}]. 1785 1786tls_misc_ssl_options(Config) when is_list(Config) -> 1787 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1788 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1789 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1790 1791 %% Check that ssl options not tested elsewhere are filtered away e.i. not passed to inet. 1792 TestOpts = [{depth, 1}, 1793 {key, undefined}, 1794 {password, []}, 1795 {reuse_session, fun(_,_,_,_) -> true end}, 1796 {cb_info, {gen_tcp, tcp, tcp_closed, tcp_error}}], 1797 1798 Server = 1799 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1800 {from, self()}, 1801 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 1802 {options, TestOpts ++ ServerOpts}]), 1803 Port = ssl_test_lib:inet_port(Server), 1804 Client = 1805 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1806 {host, Hostname}, 1807 {from, self()}, 1808 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 1809 {options, TestOpts ++ ClientOpts}]), 1810 1811 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1812 [self(), Client, Server]), 1813 1814 ssl_test_lib:check_result(Server, ok, Client, ok), 1815 ssl_test_lib:close(Server), 1816 ssl_test_lib:close(Client). 1817 1818%%-------------------------------------------------------------------- 1819ssl_options_not_proplist() -> 1820 [{doc,"Test what happens if an option is not a key value tuple"}]. 1821 1822ssl_options_not_proplist(Config) when is_list(Config) -> 1823 BadOption = {client_preferred_next_protocols, 1824 client, [<<"spdy/3">>,<<"http/1.1">>], <<"http/1.1">>}, 1825 {option_not_a_key_value_tuple, BadOption} = 1826 ssl:connect("twitter.com", 443, [binary, {active, false}, 1827 BadOption]). 1828 1829%%-------------------------------------------------------------------- 1830raw_ssl_option() -> 1831 [{doc,"Ensure that a single 'raw' option is passed to ssl:listen correctly."}]. 1832 1833raw_ssl_option(Config) when is_list(Config) -> 1834 % 'raw' option values are platform-specific; these are the Linux values: 1835 IpProtoTcp = 6, 1836 % Use TCP_KEEPIDLE, because (e.g.) TCP_MAXSEG can't be read back reliably. 1837 TcpKeepIdle = 4, 1838 KeepAliveTimeSecs = 55, 1839 LOptions = [{raw, IpProtoTcp, TcpKeepIdle, <<KeepAliveTimeSecs:32/native>>}], 1840 {ok, LSocket} = ssl:listen(0, LOptions), 1841 % Per http://www.erlang.org/doc/man/inet.html#getopts-2, we have to specify 1842 % exactly which raw option we want, and the size of the buffer. 1843 {ok, [{raw, IpProtoTcp, TcpKeepIdle, <<KeepAliveTimeSecs:32/native>>}]} = ssl:getopts(LSocket, [{raw, IpProtoTcp, TcpKeepIdle, 4}]). 1844 1845 1846%%-------------------------------------------------------------------- 1847versions() -> 1848 [{doc,"Test API function versions/0"}]. 1849 1850versions(Config) when is_list(Config) -> 1851 [_|_] = Versions = ssl:versions(), 1852 ct:log("~p~n", [Versions]). 1853 1854 1855%%-------------------------------------------------------------------- 1856eccs() -> 1857 [{doc, "Test API functions eccs/0 and eccs/1"}]. 1858 1859eccs(Config) when is_list(Config) -> 1860 [_|_] = All = ssl:eccs(), 1861 [] = SSL3 = ssl:eccs(sslv3), 1862 [_|_] = Tls = ssl:eccs(tlsv1), 1863 [_|_] = Tls1 = ssl:eccs('tlsv1.1'), 1864 [_|_] = Tls2 = ssl:eccs('tlsv1.2'), 1865 [_|_] = Tls1 = ssl:eccs('dtlsv1'), 1866 [_|_] = Tls2 = ssl:eccs('dtlsv1.2'), 1867 %% ordering is currently unverified by the test 1868 true = lists:sort(All) =:= lists:usort(SSL3 ++ Tls ++ Tls1 ++ Tls2), 1869 ok. 1870 1871%%-------------------------------------------------------------------- 1872send_recv() -> 1873 [{doc,""}]. 1874send_recv(Config) when is_list(Config) -> 1875 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1876 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1877 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1878 Server = 1879 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1880 {from, self()}, 1881 {mfa, {ssl_test_lib, send_recv_result, []}}, 1882 {options, [{active, false} | ServerOpts]}]), 1883 Port = ssl_test_lib:inet_port(Server), 1884 Client = 1885 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1886 {host, Hostname}, 1887 {from, self()}, 1888 {mfa, {ssl_test_lib, send_recv_result, []}}, 1889 {options, [{active, false} | ClientOpts]}]), 1890 1891 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1892 [self(), Client, Server]), 1893 1894 ssl_test_lib:check_result(Server, ok, Client, ok), 1895 1896 ssl_test_lib:close(Server), 1897 ssl_test_lib:close(Client). 1898 1899%%-------------------------------------------------------------------- 1900tls_send_close() -> 1901 [{doc,""}]. 1902tls_send_close(Config) when is_list(Config) -> 1903 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1904 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1905 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1906 Server = 1907 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1908 {from, self()}, 1909 {mfa, {ssl_test_lib, send_recv_result, []}}, 1910 {options, [{active, false} | ServerOpts]}]), 1911 Port = ssl_test_lib:inet_port(Server), 1912 {ok, TcpS} = rpc:call(ClientNode, gen_tcp, connect, 1913 [Hostname,Port,[binary, {active, false}]]), 1914 {ok, SslS} = rpc:call(ClientNode, ssl, connect, 1915 [TcpS,[{active, false}|ClientOpts]]), 1916 1917 ct:log("Testcase ~p, Client ~p Server ~p ~n", 1918 [self(), self(), Server]), 1919 ok = ssl:send(SslS, "Hello world"), 1920 {ok,<<"Hello world">>} = ssl:recv(SslS, 11), 1921 gen_tcp:close(TcpS), 1922 {error, _} = ssl:send(SslS, "Hello world"). 1923 1924%%-------------------------------------------------------------------- 1925version_option() -> 1926 [{doc, "Use version option and do no specify ciphers list. Bug specified incorrect ciphers"}]. 1927version_option(Config) when is_list(Config) -> 1928 Versions = proplists:get_value(supported, ssl:versions()), 1929 [version_option_test(Config, Version) || Version <- Versions]. 1930 1931%%-------------------------------------------------------------------- 1932close_transport_accept() -> 1933 [{doc,"Tests closing ssl socket when waiting on ssl:transport_accept/1"}]. 1934 1935close_transport_accept(Config) when is_list(Config) -> 1936 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1937 {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config), 1938 1939 Port = 0, 1940 Opts = [{active, false} | ServerOpts], 1941 {ok, ListenSocket} = rpc:call(ServerNode, ssl, listen, [Port, Opts]), 1942 spawn_link(fun() -> 1943 ct:sleep(?SLEEP), 1944 rpc:call(ServerNode, ssl, close, [ListenSocket]) 1945 end), 1946 case rpc:call(ServerNode, ssl, transport_accept, [ListenSocket]) of 1947 {error, closed} -> 1948 ok; 1949 Other -> 1950 exit({?LINE, Other}) 1951 end. 1952%%-------------------------------------------------------------------- 1953recv_active() -> 1954 [{doc,"Test recv on active socket"}]. 1955 1956recv_active(Config) when is_list(Config) -> 1957 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1958 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1959 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1960 Server = 1961 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1962 {from, self()}, 1963 {mfa, {?MODULE, try_recv_active, []}}, 1964 {options, [{active, true} | ServerOpts]}]), 1965 Port = ssl_test_lib:inet_port(Server), 1966 Client = 1967 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1968 {host, Hostname}, 1969 {from, self()}, 1970 {mfa, {?MODULE, try_recv_active, []}}, 1971 {options, [{active, true} | ClientOpts]}]), 1972 1973 ssl_test_lib:check_result(Server, ok, Client, ok), 1974 1975 ssl_test_lib:close(Server), 1976 ssl_test_lib:close(Client). 1977 1978%%-------------------------------------------------------------------- 1979recv_active_once() -> 1980 [{doc,"Test recv on active (once) socket"}]. 1981 1982recv_active_once(Config) when is_list(Config) -> 1983 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 1984 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 1985 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 1986 Server = 1987 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 1988 {from, self()}, 1989 {mfa, {?MODULE, try_recv_active_once, []}}, 1990 {options, [{active, once} | ServerOpts]}]), 1991 Port = ssl_test_lib:inet_port(Server), 1992 Client = 1993 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 1994 {host, Hostname}, 1995 {from, self()}, 1996 {mfa, {?MODULE, try_recv_active_once, []}}, 1997 {options, [{active, once} | ClientOpts]}]), 1998 1999 ssl_test_lib:check_result(Server, ok, Client, ok), 2000 2001 ssl_test_lib:close(Server), 2002 ssl_test_lib:close(Client). 2003 2004%%-------------------------------------------------------------------- 2005recv_active_n() -> 2006 [{doc,"Test recv on active (n) socket"}]. 2007 2008recv_active_n(Config) when is_list(Config) -> 2009 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2010 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2011 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2012 Server = 2013 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 2014 {from, self()}, 2015 {mfa, {?MODULE, try_recv_active_once, []}}, 2016 {options, [{active, 1} | ServerOpts]}]), 2017 Port = ssl_test_lib:inet_port(Server), 2018 Client = 2019 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 2020 {host, Hostname}, 2021 {from, self()}, 2022 {mfa, {?MODULE, try_recv_active_once, []}}, 2023 {options, [{active, 1} | ClientOpts]}]), 2024 2025 ssl_test_lib:check_result(Server, ok, Client, ok), 2026 2027 ssl_test_lib:close(Server), 2028 ssl_test_lib:close(Client). 2029 2030%%-------------------------------------------------------------------- 2031%% Test case adapted from gen_tcp_misc_SUITE. 2032active_n() -> 2033 [{doc,"Test {active,N} option"}]. 2034 2035active_n(Config) when is_list(Config) -> 2036 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2037 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2038 Port = ssl_test_lib:inet_port(node()), 2039 N = 3, 2040 LS = ok(ssl:listen(Port, [{active,N}|ServerOpts])), 2041 [{active,N}] = ok(ssl:getopts(LS, [active])), 2042 active_n_common(LS, N), 2043 Self = self(), 2044 spawn_link(fun() -> 2045 S0 = ok(ssl:transport_accept(LS)), 2046 {ok, S} = ssl:handshake(S0), 2047 ok = ssl:setopts(S, [{active,N}]), 2048 [{active,N}] = ok(ssl:getopts(S, [active])), 2049 ssl:controlling_process(S, Self), 2050 Self ! {server, S} 2051 end), 2052 C = ok(ssl:connect("localhost", Port, [{active,N}|ClientOpts])), 2053 [{active,N}] = ok(ssl:getopts(C, [active])), 2054 S = receive 2055 {server, S0} -> S0 2056 after 2057 1000 -> 2058 exit({error, connect}) 2059 end, 2060 active_n_common(C, N), 2061 active_n_common(S, N), 2062 ok = ssl:setopts(C, [{active,N}]), 2063 ok = ssl:setopts(S, [{active,N}]), 2064 ReceiveMsg = fun(Socket, Msg) -> 2065 receive 2066 {ssl,Socket,Msg} -> 2067 ok; 2068 {ssl,Socket,Begin} -> 2069 receive 2070 {ssl,Socket,End} -> 2071 Msg = Begin ++ End, 2072 ok 2073 after 1000 -> 2074 exit(timeout) 2075 end 2076 after 1000 -> 2077 exit(timeout) 2078 end 2079 end, 2080 repeat(3, fun(I) -> 2081 Msg = "message "++integer_to_list(I), 2082 ok = ssl:send(C, Msg), 2083 ReceiveMsg(S, Msg), 2084 ok = ssl:send(S, Msg), 2085 ReceiveMsg(C, Msg) 2086 end), 2087 receive 2088 {ssl_passive,S} -> 2089 [{active,false}] = ok(ssl:getopts(S, [active])) 2090 after 2091 1000 -> 2092 exit({error,ssl_passive}) 2093 end, 2094 receive 2095 {ssl_passive,C} -> 2096 [{active,false}] = ok(ssl:getopts(C, [active])) 2097 after 2098 1000 -> 2099 exit({error,ssl_passive}) 2100 end, 2101 LS2 = ok(ssl:listen(0, [{active,0}])), 2102 receive 2103 {ssl_passive,LS2} -> 2104 [{active,false}] = ok(ssl:getopts(LS2, [active])) 2105 after 2106 1000 -> 2107 exit({error,ssl_passive}) 2108 end, 2109 ok = ssl:close(LS2), 2110 ok = ssl:close(C), 2111 ok = ssl:close(S), 2112 ok = ssl:close(LS), 2113 ok. 2114 2115active_n_common(S, N) -> 2116 ok = ssl:setopts(S, [{active,-N}]), 2117 receive 2118 {ssl_passive, S} -> ok 2119 after 2120 1000 -> 2121 error({error,ssl_passive_failure}) 2122 end, 2123 [{active,false}] = ok(ssl:getopts(S, [active])), 2124 ok = ssl:setopts(S, [{active,0}]), 2125 receive 2126 {ssl_passive, S} -> ok 2127 after 2128 1000 -> 2129 error({error,ssl_passive_failure}) 2130 end, 2131 ok = ssl:setopts(S, [{active,32767}]), 2132 {error,{options,_}} = ssl:setopts(S, [{active,1}]), 2133 {error,{options,_}} = ssl:setopts(S, [{active,-32769}]), 2134 ok = ssl:setopts(S, [{active,-32768}]), 2135 receive 2136 {ssl_passive, S} -> ok 2137 after 2138 1000 -> 2139 error({error,ssl_passive_failure}) 2140 end, 2141 [{active,false}] = ok(ssl:getopts(S, [active])), 2142 ok = ssl:setopts(S, [{active,N}]), 2143 ok = ssl:setopts(S, [{active,true}]), 2144 [{active,true}] = ok(ssl:getopts(S, [active])), 2145 receive 2146 _ -> error({error,active_n}) 2147 after 2148 0 -> 2149 ok 2150 end, 2151 ok = ssl:setopts(S, [{active,N}]), 2152 ok = ssl:setopts(S, [{active,once}]), 2153 [{active,once}] = ok(ssl:getopts(S, [active])), 2154 receive 2155 _ -> error({error,active_n}) 2156 after 2157 0 -> 2158 ok 2159 end, 2160 {error,{options,_}} = ssl:setopts(S, [{active,32768}]), 2161 ok = ssl:setopts(S, [{active,false}]), 2162 [{active,false}] = ok(ssl:getopts(S, [active])), 2163 ok. 2164 2165ok({ok,V}) -> V. 2166 2167repeat(N, Fun) -> 2168 repeat(N, N, Fun). 2169 2170repeat(N, T, Fun) when is_integer(N), N > 0 -> 2171 Fun(T-N), 2172 repeat(N-1, T, Fun); 2173repeat(_, _, _) -> 2174 ok. 2175 2176%%-------------------------------------------------------------------- 2177dh_params() -> 2178 [{doc,"Test to specify DH-params file in server."}]. 2179 2180dh_params(Config) when is_list(Config) -> 2181 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2182 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2183 DataDir = proplists:get_value(data_dir, Config), 2184 DHParamFile = filename:join(DataDir, "dHParam.pem"), 2185 2186 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2187 2188 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 2189 {from, self()}, 2190 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 2191 {options, [{dhfile, DHParamFile} | ServerOpts]}]), 2192 Port = ssl_test_lib:inet_port(Server), 2193 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 2194 {host, Hostname}, 2195 {from, self()}, 2196 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 2197 {options, 2198 [{ciphers,[{dhe_rsa,aes_256_cbc,sha}]} | 2199 ClientOpts]}]), 2200 2201 ssl_test_lib:check_result(Server, ok, Client, ok), 2202 2203 ssl_test_lib:close(Server), 2204 ssl_test_lib:close(Client). 2205 2206%%-------------------------------------------------------------------- 2207tls_upgrade() -> 2208 [{doc,"Test that you can upgrade an tcp connection to an ssl connection"}]. 2209 2210tls_upgrade(Config) when is_list(Config) -> 2211 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2212 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2213 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2214 TcpOpts = [binary, {reuseaddr, true}], 2215 2216 Server = ssl_test_lib:start_upgrade_server([{node, ServerNode}, {port, 0}, 2217 {from, self()}, 2218 {mfa, {?MODULE, 2219 upgrade_result, []}}, 2220 {tcp_options, 2221 [{active, false} | TcpOpts]}, 2222 {ssl_options, ServerOpts}]), 2223 Port = ssl_test_lib:inet_port(Server), 2224 Client = ssl_test_lib:start_upgrade_client([{node, ClientNode}, 2225 {port, Port}, 2226 {host, Hostname}, 2227 {from, self()}, 2228 {mfa, {?MODULE, upgrade_result, []}}, 2229 {tcp_options, [binary]}, 2230 {ssl_options, ClientOpts}]), 2231 2232 ct:log("Testcase ~p, Client ~p Server ~p ~n", 2233 [self(), Client, Server]), 2234 2235 ssl_test_lib:check_result(Server, ok, Client, ok), 2236 2237 ssl_test_lib:close(Server), 2238 ssl_test_lib:close(Client). 2239 2240upgrade_result(Socket) -> 2241 ssl:setopts(Socket, [{active, true}]), 2242 ok = ssl:send(Socket, "Hello world"), 2243 %% Make sure binary is inherited from tcp socket and that we do 2244 %% not get the list default! 2245 receive 2246 {ssl, _, <<"H">>} -> 2247 receive 2248 {ssl, _, <<"ello world">>} -> 2249 ok 2250 end; 2251 {ssl, _, <<"Hello world">>} -> 2252 ok 2253 end. 2254 2255%%-------------------------------------------------------------------- 2256tls_upgrade_with_timeout() -> 2257 [{doc,"Test ssl_accept/3"}]. 2258 2259tls_upgrade_with_timeout(Config) when is_list(Config) -> 2260 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2261 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2262 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2263 TcpOpts = [binary, {reuseaddr, true}], 2264 2265 Server = ssl_test_lib:start_upgrade_server([{node, ServerNode}, {port, 0}, 2266 {from, self()}, 2267 {timeout, 5000}, 2268 {mfa, {?MODULE, 2269 upgrade_result, []}}, 2270 {tcp_options, 2271 [{active, false} | TcpOpts]}, 2272 {ssl_options, ServerOpts}]), 2273 Port = ssl_test_lib:inet_port(Server), 2274 Client = ssl_test_lib:start_upgrade_client([{node, ClientNode}, 2275 {port, Port}, 2276 {host, Hostname}, 2277 {from, self()}, 2278 {mfa, {?MODULE, upgrade_result, []}}, 2279 {tcp_options, TcpOpts}, 2280 {ssl_options, ClientOpts}]), 2281 2282 ct:log("Testcase ~p, Client ~p Server ~p ~n", 2283 [self(), Client, Server]), 2284 2285 ssl_test_lib:check_result(Server, ok, Client, ok), 2286 2287 ssl_test_lib:close(Server), 2288 ssl_test_lib:close(Client). 2289 2290%%-------------------------------------------------------------------- 2291tls_downgrade() -> 2292 [{doc,"Test that you can downgarde an ssl connection to an tcp connection"}]. 2293tls_downgrade(Config) when is_list(Config) -> 2294 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2295 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2296 2297 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2298 2299 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 2300 {from, self()}, 2301 {mfa, {?MODULE, tls_downgrade_result, [self()]}}, 2302 {options, [{active, false} | ServerOpts]}]), 2303 Port = ssl_test_lib:inet_port(Server), 2304 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 2305 {host, Hostname}, 2306 {from, self()}, 2307 {mfa, {?MODULE, tls_downgrade_result, [self()]}}, 2308 {options, [{active, false} |ClientOpts]}]), 2309 2310 2311 ssl_test_lib:check_result(Server, ready, Client, ready), 2312 2313 Server ! go, 2314 Client ! go, 2315 2316 ssl_test_lib:check_result(Server, ok, Client, ok), 2317 ssl_test_lib:close(Server), 2318 ssl_test_lib:close(Client). 2319 2320%%-------------------------------------------------------------------- 2321close_with_timeout() -> 2322 [{doc,"Test normal (not downgrade) ssl:close/2"}]. 2323close_with_timeout(Config) when is_list(Config) -> 2324 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2325 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2326 2327 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2328 2329 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 2330 {from, self()}, 2331 {mfa, {?MODULE, tls_close, []}}, 2332 {options,[{active, false} | ServerOpts]}]), 2333 Port = ssl_test_lib:inet_port(Server), 2334 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 2335 {host, Hostname}, 2336 {from, self()}, 2337 {mfa, {?MODULE, tls_close, []}}, 2338 {options, [{active, false} |ClientOpts]}]), 2339 2340 ssl_test_lib:check_result(Server, ok, Client, ok). 2341 2342 2343%%-------------------------------------------------------------------- 2344tls_tcp_connect() -> 2345 [{doc,"Test what happens when a tcp tries to connect, i,e. a bad (ssl) packet is sent first"}]. 2346 2347tls_tcp_connect(Config) when is_list(Config) -> 2348 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2349 {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2350 TcpOpts = [binary, {reuseaddr, true}, {active, false}], 2351 2352 Server = ssl_test_lib:start_upgrade_server_error([{node, ServerNode}, {port, 0}, 2353 {from, self()}, 2354 {timeout, 5000}, 2355 {mfa, {?MODULE, dummy, []}}, 2356 {tcp_options, TcpOpts}, 2357 {ssl_options, ServerOpts}]), 2358 Port = ssl_test_lib:inet_port(Server), 2359 2360 {ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {packet, 0}]), 2361 ct:log("Testcase ~p connected to Server ~p ~n", [self(), Server]), 2362 gen_tcp:send(Socket, "<SOME GARBLED NON SSL MESSAGE>"), 2363 2364 receive 2365 {tcp_closed, Socket} -> 2366 receive 2367 {Server, {error, Error}} -> 2368 ct:log("Error ~p", [Error]) 2369 end 2370 end. 2371%%-------------------------------------------------------------------- 2372tls_tcp_connect_big() -> 2373 [{doc,"Test what happens when a tcp tries to connect, i,e. a bad big (ssl) packet is sent first"}]. 2374 2375tls_tcp_connect_big(Config) when is_list(Config) -> 2376 process_flag(trap_exit, true), 2377 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2378 {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2379 TcpOpts = [binary, {reuseaddr, true}], 2380 2381 Rand = crypto:strong_rand_bytes(?MAX_CIPHER_TEXT_LENGTH+1), 2382 Server = ssl_test_lib:start_upgrade_server_error([{node, ServerNode}, {port, 0}, 2383 {from, self()}, 2384 {timeout, 5000}, 2385 {mfa, {?MODULE, dummy, []}}, 2386 {tcp_options, TcpOpts}, 2387 {ssl_options, ServerOpts}]), 2388 Port = ssl_test_lib:inet_port(Server), 2389 2390 {ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {packet, 0}]), 2391 ct:log("Testcase ~p connected to Server ~p ~n", [self(), Server]), 2392 2393 gen_tcp:send(Socket, <<?BYTE(0), 2394 ?BYTE(3), ?BYTE(1), ?UINT16(?MAX_CIPHER_TEXT_LENGTH), Rand/binary>>), 2395 2396 receive 2397 {tcp_closed, Socket} -> 2398 receive 2399 {Server, {error, timeout}} -> 2400 ct:fail("hangs"); 2401 {Server, {error, Error}} -> 2402 ct:log("Error ~p", [Error]); 2403 {'EXIT', Server, _} -> 2404 ok 2405 end 2406 end. 2407 2408%%-------------------------------------------------------------------- 2409ipv6() -> 2410 [{require, ipv6_hosts}, 2411 {doc,"Test ipv6."}]. 2412ipv6(Config) when is_list(Config) -> 2413 {ok, Hostname0} = inet:gethostname(), 2414 2415 case lists:member(list_to_atom(Hostname0), ct:get_config(ipv6_hosts)) of 2416 true -> 2417 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2418 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2419 {ClientNode, ServerNode, Hostname} = 2420 ssl_test_lib:run_where(Config, ipv6), 2421 Server = ssl_test_lib:start_server([{node, ServerNode}, 2422 {port, 0}, {from, self()}, 2423 {mfa, {ssl_test_lib, send_recv_result, []}}, 2424 {options, 2425 [inet6, {active, false} | ServerOpts]}]), 2426 Port = ssl_test_lib:inet_port(Server), 2427 Client = ssl_test_lib:start_client([{node, ClientNode}, 2428 {port, Port}, {host, Hostname}, 2429 {from, self()}, 2430 {mfa, {ssl_test_lib, send_recv_result, []}}, 2431 {options, 2432 [inet6, {active, false} | ClientOpts]}]), 2433 2434 ct:log("Testcase ~p, Client ~p Server ~p ~n", 2435 [self(), Client, Server]), 2436 2437 ssl_test_lib:check_result(Server, ok, Client, ok), 2438 2439 ssl_test_lib:close(Server), 2440 ssl_test_lib:close(Client); 2441 false -> 2442 {skip, "Host does not support IPv6"} 2443 end. 2444 2445%%-------------------------------------------------------------------- 2446 2447invalid_keyfile() -> 2448 [{doc,"Test what happens with an invalid key file"}]. 2449invalid_keyfile(Config) when is_list(Config) -> 2450 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2451 BadOpts = ssl_test_lib:ssl_options(server_bad_key, Config), 2452 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2453 2454 Server = 2455 ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 2456 {from, self()}, 2457 {options, BadOpts}]), 2458 2459 Port = ssl_test_lib:inet_port(Server), 2460 2461 Client = 2462 ssl_test_lib:start_client_error([{node, ClientNode}, 2463 {port, Port}, {host, Hostname}, 2464 {from, self()}, {options, ClientOpts}]), 2465 2466 File = proplists:get_value(keyfile,BadOpts), 2467 ssl_test_lib:check_result(Server, {error,{options, {keyfile, File, {error,enoent}}}}, Client, 2468 {error, closed}). 2469 2470%%-------------------------------------------------------------------- 2471 2472invalid_certfile() -> 2473 [{doc,"Test what happens with an invalid cert file"}]. 2474 2475invalid_certfile(Config) when is_list(Config) -> 2476 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2477 ServerBadOpts = ssl_test_lib:ssl_options(server_bad_cert, Config), 2478 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2479 2480 Server = 2481 ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 2482 {from, self()}, 2483 {options, ServerBadOpts}]), 2484 2485 Port = ssl_test_lib:inet_port(Server), 2486 2487 Client = 2488 ssl_test_lib:start_client_error([{node, ClientNode}, 2489 {port, Port}, {host, Hostname}, 2490 {from, self()}, 2491 {options, ClientOpts}]), 2492 File = proplists:get_value(certfile, ServerBadOpts), 2493 ssl_test_lib:check_result(Server, {error,{options, {certfile, File, {error,enoent}}}}, 2494 Client, {error, closed}). 2495 2496 2497%%-------------------------------------------------------------------- 2498invalid_cacertfile() -> 2499 [{doc,"Test what happens with an invalid cacert file"}]. 2500 2501invalid_cacertfile(Config) when is_list(Config) -> 2502 ClientOpts = [{reuseaddr, true}|ssl_test_lib:ssl_options(client_opts, Config)], 2503 ServerBadOpts = [{reuseaddr, true}|ssl_test_lib:ssl_options(server_bad_ca, Config)], 2504 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2505 2506 Server0 = 2507 ssl_test_lib:start_server_error([{node, ServerNode}, 2508 {port, 0}, {from, self()}, 2509 {options, ServerBadOpts}]), 2510 2511 Port0 = ssl_test_lib:inet_port(Server0), 2512 2513 2514 Client0 = 2515 ssl_test_lib:start_client_error([{node, ClientNode}, 2516 {port, Port0}, {host, Hostname}, 2517 {from, self()}, 2518 {options, ClientOpts}]), 2519 2520 File0 = proplists:get_value(cacertfile, ServerBadOpts), 2521 2522 ssl_test_lib:check_result(Server0, {error, {options, {cacertfile, File0,{error,enoent}}}}, 2523 Client0, {error, closed}), 2524 2525 File = File0 ++ "do_not_exit.pem", 2526 ServerBadOpts1 = [{cacertfile, File}|proplists:delete(cacertfile, ServerBadOpts)], 2527 2528 Server1 = 2529 ssl_test_lib:start_server_error([{node, ServerNode}, 2530 {port, 0}, {from, self()}, 2531 {options, ServerBadOpts1}]), 2532 2533 Port1 = ssl_test_lib:inet_port(Server1), 2534 2535 Client1 = 2536 ssl_test_lib:start_client_error([{node, ClientNode}, 2537 {port, Port1}, {host, Hostname}, 2538 {from, self()}, 2539 {options, ClientOpts}]), 2540 2541 2542 ssl_test_lib:check_result(Server1, {error, {options, {cacertfile, File,{error,enoent}}}}, 2543 Client1, {error, closed}), 2544 ok. 2545 2546 2547 2548%%-------------------------------------------------------------------- 2549invalid_options() -> 2550 [{doc,"Test what happens when we give invalid options"}]. 2551 2552invalid_options(Config) when is_list(Config) -> 2553 ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 2554 ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), 2555 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2556 2557 Check = fun(Client, Server, {versions, [sslv2, sslv3]} = Option) -> 2558 ssl_test_lib:check_result(Server, 2559 {error, {options, {sslv2, Option}}}, 2560 Client, 2561 {error, {options, {sslv2, Option}}}); 2562 (Client, Server, Option) -> 2563 ssl_test_lib:check_result(Server, 2564 {error, {options, Option}}, 2565 Client, 2566 {error, {options, Option}}) 2567 end, 2568 2569 TestOpts = 2570 [{versions, [sslv2, sslv3]}, 2571 {verify, 4}, 2572 {verify_fun, function}, 2573 {fail_if_no_peer_cert, 0}, 2574 {verify_client_once, 1}, 2575 {depth, four}, 2576 {certfile, 'cert.pem'}, 2577 {keyfile,'key.pem' }, 2578 {password, foo}, 2579 {cacertfile, ""}, 2580 {dhfile,'dh.pem' }, 2581 {ciphers, [{foo, bar, sha, ignore}]}, 2582 {reuse_session, foo}, 2583 {reuse_sessions, 0}, 2584 {renegotiate_at, "10"}, 2585 {mode, depech}, 2586 {packet, 8.0}, 2587 {packet_size, "2"}, 2588 {header, a}, 2589 {active, trice}, 2590 {key, 'key.pem' }], 2591 2592 [begin 2593 Server = 2594 ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 2595 {from, self()}, 2596 {options, [TestOpt | ServerOpts]}]), 2597 %% Will never reach a point where port is used. 2598 Client = 2599 ssl_test_lib:start_client_error([{node, ClientNode}, {port, 0}, 2600 {host, Hostname}, {from, self()}, 2601 {options, [TestOpt | ClientOpts]}]), 2602 Check(Client, Server, TestOpt), 2603 ok 2604 end || TestOpt <- TestOpts], 2605 ok. 2606 2607%%-------------------------------------------------------------------- 2608tls_shutdown() -> 2609 [{doc,"Test API function ssl:shutdown/2"}]. 2610tls_shutdown(Config) when is_list(Config) -> 2611 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2612 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2613 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2614 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 2615 {from, self()}, 2616 {mfa, {?MODULE, tls_shutdown_result, [server]}}, 2617 {options, [{exit_on_close, false}, 2618 {active, false} | ServerOpts]}]), 2619 Port = ssl_test_lib:inet_port(Server), 2620 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 2621 {host, Hostname}, 2622 {from, self()}, 2623 {mfa, 2624 {?MODULE, tls_shutdown_result, [client]}}, 2625 {options, 2626 [{exit_on_close, false}, 2627 {active, false} | ClientOpts]}]), 2628 2629 ssl_test_lib:check_result(Server, ok, Client, ok), 2630 2631 ssl_test_lib:close(Server), 2632 ssl_test_lib:close(Client). 2633 2634%%-------------------------------------------------------------------- 2635tls_shutdown_write() -> 2636 [{doc,"Test API function ssl:shutdown/2 with option write."}]. 2637tls_shutdown_write(Config) when is_list(Config) -> 2638 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2639 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2640 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2641 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 2642 {from, self()}, 2643 {mfa, {?MODULE, tls_shutdown_write_result, [server]}}, 2644 {options, [{active, false} | ServerOpts]}]), 2645 Port = ssl_test_lib:inet_port(Server), 2646 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 2647 {host, Hostname}, 2648 {from, self()}, 2649 {mfa, {?MODULE, tls_shutdown_write_result, [client]}}, 2650 {options, [{active, false} | ClientOpts]}]), 2651 2652 ssl_test_lib:check_result(Server, ok, Client, {error, closed}). 2653 2654%%-------------------------------------------------------------------- 2655tls_shutdown_both() -> 2656 [{doc,"Test API function ssl:shutdown/2 with option both."}]. 2657tls_shutdown_both(Config) when is_list(Config) -> 2658 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2659 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2660 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2661 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 2662 {from, self()}, 2663 {mfa, {?MODULE, tls_shutdown_both_result, [server]}}, 2664 {options, [{active, false} | ServerOpts]}]), 2665 Port = ssl_test_lib:inet_port(Server), 2666 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 2667 {host, Hostname}, 2668 {from, self()}, 2669 {mfa, {?MODULE, tls_shutdown_both_result, [client]}}, 2670 {options, [{active, false} | ClientOpts]}]), 2671 2672 ssl_test_lib:check_result(Server, ok, Client, {error, closed}). 2673 2674%%-------------------------------------------------------------------- 2675tls_shutdown_error() -> 2676 [{doc,"Test ssl:shutdown/2 error handling"}]. 2677tls_shutdown_error(Config) when is_list(Config) -> 2678 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2679 Port = ssl_test_lib:inet_port(node()), 2680 {ok, Listen} = ssl:listen(Port, ServerOpts), 2681 {error, enotconn} = ssl:shutdown(Listen, read_write), 2682 ok = ssl:close(Listen), 2683 {error, closed} = ssl:shutdown(Listen, read_write). 2684 2685%%------------------------------------------------------------------- 2686ciphers_rsa_signed_certs() -> 2687 [{doc,"Test all rsa ssl cipher suites in highest support ssl/tls version"}]. 2688 2689ciphers_rsa_signed_certs(Config) when is_list(Config) -> 2690 Ciphers = ssl_test_lib:rsa_suites(crypto), 2691 run_suites(Ciphers, Config, rsa). 2692%%------------------------------------------------------------------- 2693ciphers_rsa_signed_certs_openssl_names() -> 2694 [{doc,"Test all rsa ssl cipher suites in highest support ssl/tls version"}]. 2695 2696ciphers_rsa_signed_certs_openssl_names(Config) when is_list(Config) -> 2697 Ciphers = ssl_test_lib:openssl_rsa_suites(), 2698 run_suites(Ciphers, Config, rsa). 2699 2700%%------------------------------------------------------------------- 2701ciphers_dsa_signed_certs() -> 2702 [{doc,"Test all dsa ssl cipher suites in highest support ssl/tls version"}]. 2703 2704ciphers_dsa_signed_certs(Config) when is_list(Config) -> 2705 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2706 Ciphers = ssl_test_lib:dsa_suites(NVersion), 2707 run_suites(Ciphers, Config, dsa). 2708%%------------------------------------------------------------------- 2709ciphers_dsa_signed_certs_openssl_names() -> 2710 [{doc,"Test all dsa ssl cipher suites in highest support ssl/tls version"}]. 2711 2712ciphers_dsa_signed_certs_openssl_names(Config) when is_list(Config) -> 2713 Ciphers = ssl_test_lib:openssl_dsa_suites(), 2714 run_suites(Ciphers, Config, dsa). 2715 2716%%------------------------------------------------------------------- 2717chacha_rsa_cipher_suites()-> 2718 [{doc,"Test the cacha with ECDSA signed certs ciphersuites"}]. 2719chacha_rsa_cipher_suites(Config) when is_list(Config) -> 2720 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2721 Ciphers = [S || {KeyEx,_,_} = S <- ssl_test_lib:chacha_suites(NVersion), 2722 KeyEx == ecdhe_rsa, KeyEx == dhe_rsa], 2723 run_suites(Ciphers, Config, chacha_ecdsa). 2724 2725%%------------------------------------------------------------------- 2726chacha_ecdsa_cipher_suites()-> 2727 [{doc,"Test the cacha with ECDSA signed certs ciphersuites"}]. 2728chacha_ecdsa_cipher_suites(Config) when is_list(Config) -> 2729 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2730 Ciphers = [S || {ecdhe_ecdsa,_,_} = S <- ssl_test_lib:chacha_suites(NVersion)], 2731 run_suites(Ciphers, Config, chacha_rsa). 2732%%----------------------------------------------------------------- 2733anonymous_cipher_suites()-> 2734 [{doc,"Test the anonymous ciphersuites"}]. 2735anonymous_cipher_suites(Config) when is_list(Config) -> 2736 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2737 Ciphers = ssl_test_lib:ecdh_dh_anonymous_suites(NVersion), 2738 run_suites(Ciphers, Config, anonymous). 2739%%------------------------------------------------------------------- 2740psk_cipher_suites() -> 2741 [{doc, "Test the PSK ciphersuites WITHOUT server supplied identity hint"}]. 2742psk_cipher_suites(Config) when is_list(Config) -> 2743 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2744 Ciphers = ssl_test_lib:psk_suites(NVersion), 2745 run_suites(Ciphers, Config, psk). 2746%%------------------------------------------------------------------- 2747psk_with_hint_cipher_suites()-> 2748 [{doc, "Test the PSK ciphersuites WITH server supplied identity hint"}]. 2749psk_with_hint_cipher_suites(Config) when is_list(Config) -> 2750 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2751 Ciphers = ssl_test_lib:psk_suites(NVersion), 2752 run_suites(Ciphers, Config, psk_with_hint). 2753%%------------------------------------------------------------------- 2754psk_anon_cipher_suites() -> 2755 [{doc, "Test the anonymous PSK ciphersuites WITHOUT server supplied identity hint"}]. 2756psk_anon_cipher_suites(Config) when is_list(Config) -> 2757 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2758 Ciphers = ssl_test_lib:psk_anon_suites(NVersion), 2759 run_suites(Ciphers, Config, psk_anon). 2760%%------------------------------------------------------------------- 2761psk_anon_with_hint_cipher_suites()-> 2762 [{doc, "Test the anonymous PSK ciphersuites WITH server supplied identity hint"}]. 2763psk_anon_with_hint_cipher_suites(Config) when is_list(Config) -> 2764 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2765 Ciphers = ssl_test_lib:psk_anon_suites(NVersion), 2766 run_suites(Ciphers, Config, psk_anon_with_hint). 2767%%------------------------------------------------------------------- 2768srp_cipher_suites()-> 2769 [{doc, "Test the SRP ciphersuites"}]. 2770srp_cipher_suites(Config) when is_list(Config) -> 2771 Ciphers = ssl_test_lib:srp_suites(), 2772 run_suites(Ciphers, Config, srp). 2773%%------------------------------------------------------------------- 2774srp_anon_cipher_suites()-> 2775 [{doc, "Test the anonymous SRP ciphersuites"}]. 2776srp_anon_cipher_suites(Config) when is_list(Config) -> 2777 Ciphers = ssl_test_lib:srp_anon_suites(), 2778 run_suites(Ciphers, Config, srp_anon). 2779%%------------------------------------------------------------------- 2780srp_dsa_cipher_suites()-> 2781 [{doc, "Test the SRP DSA ciphersuites"}]. 2782srp_dsa_cipher_suites(Config) when is_list(Config) -> 2783 Ciphers = ssl_test_lib:srp_dss_suites(), 2784 run_suites(Ciphers, Config, srp_dsa). 2785%%------------------------------------------------------------------- 2786rc4_rsa_cipher_suites()-> 2787 [{doc, "Test the RC4 ciphersuites"}]. 2788rc4_rsa_cipher_suites(Config) when is_list(Config) -> 2789 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2790 Ciphers = [S || {rsa,_,_} = S <- ssl_test_lib:rc4_suites(NVersion)], 2791 run_suites(Ciphers, Config, rc4_rsa). 2792%------------------------------------------------------------------- 2793rc4_ecdh_rsa_cipher_suites()-> 2794 [{doc, "Test the RC4 ciphersuites"}]. 2795rc4_ecdh_rsa_cipher_suites(Config) when is_list(Config) -> 2796 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2797 Ciphers = [S || {ecdh_rsa,_,_} = S <- ssl_test_lib:rc4_suites(NVersion)], 2798 run_suites(Ciphers, Config, rc4_ecdh_rsa). 2799 2800%%------------------------------------------------------------------- 2801rc4_ecdsa_cipher_suites()-> 2802 [{doc, "Test the RC4 ciphersuites"}]. 2803rc4_ecdsa_cipher_suites(Config) when is_list(Config) -> 2804 NVersion = tls_record:highest_protocol_version([]), 2805 Ciphers = [S || {ecdhe_ecdsa,_,_} = S <- ssl_test_lib:rc4_suites(NVersion)], 2806 run_suites(Ciphers, Config, rc4_ecdsa). 2807 2808%%------------------------------------------------------------------- 2809des_rsa_cipher_suites()-> 2810 [{doc, "Test the des_rsa ciphersuites"}]. 2811des_rsa_cipher_suites(Config) when is_list(Config) -> 2812 NVersion = tls_record:highest_protocol_version([]), 2813 Ciphers = [S || {rsa,_,_} = S <- ssl_test_lib:des_suites(NVersion)], 2814 run_suites(Ciphers, Config, des_rsa). 2815%------------------------------------------------------------------- 2816des_ecdh_rsa_cipher_suites()-> 2817 [{doc, "Test ECDH rsa signed ciphersuites"}]. 2818des_ecdh_rsa_cipher_suites(Config) when is_list(Config) -> 2819 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2820 Ciphers = [S || {dhe_rsa,_,_} = S <- ssl_test_lib:des_suites(NVersion)], 2821 run_suites(Ciphers, Config, des_dhe_rsa). 2822 2823%%-------------------------------------------------------------------- 2824default_reject_anonymous()-> 2825 [{doc,"Test that by default anonymous cipher suites are rejected "}]. 2826default_reject_anonymous(Config) when is_list(Config) -> 2827 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2828 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2829 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2830 Version = ssl_test_lib:protocol_version(Config), 2831 TLSVersion = ssl_test_lib:tls_version(Version), 2832 2833 [CipherSuite | _] = ssl_test_lib:ecdh_dh_anonymous_suites(TLSVersion), 2834 2835 Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 2836 {from, self()}, 2837 {options, ServerOpts}]), 2838 Port = ssl_test_lib:inet_port(Server), 2839 Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, 2840 {host, Hostname}, 2841 {from, self()}, 2842 {options, 2843 [{ciphers,[CipherSuite]} | 2844 ClientOpts]}]), 2845 2846 ssl_test_lib:check_server_alert(Server, Client, insufficient_security). 2847 2848%%-------------------------------------------------------------------- 2849ciphers_ecdsa_signed_certs() -> 2850 [{doc, "Test all ecdsa ssl cipher suites in highest support ssl/tls version"}]. 2851 2852ciphers_ecdsa_signed_certs(Config) when is_list(Config) -> 2853 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2854 Ciphers = ssl_test_lib:ecdsa_suites(NVersion), 2855 run_suites(Ciphers, Config, ecdsa). 2856%%-------------------------------------------------------------------- 2857ciphers_ecdsa_signed_certs_openssl_names() -> 2858 [{doc, "Test all ecdsa ssl cipher suites in highest support ssl/tls version"}]. 2859 2860ciphers_ecdsa_signed_certs_openssl_names(Config) when is_list(Config) -> 2861 Ciphers = ssl_test_lib:openssl_ecdsa_suites(), 2862 run_suites(Ciphers, Config, ecdsa). 2863%%-------------------------------------------------------------------- 2864ciphers_ecdh_rsa_signed_certs() -> 2865 [{doc, "Test all ecdh_rsa ssl cipher suites in highest support ssl/tls version"}]. 2866 2867ciphers_ecdh_rsa_signed_certs(Config) when is_list(Config) -> 2868 NVersion = ssl_test_lib:protocol_version(Config, tuple), 2869 Ciphers = ssl_test_lib:ecdh_rsa_suites(NVersion), 2870 run_suites(Ciphers, Config, ecdh_rsa). 2871%%-------------------------------------------------------------------- 2872ciphers_ecdh_rsa_signed_certs_openssl_names() -> 2873 [{doc, "Test all ecdh_rsa ssl cipher suites in highest support ssl/tls version"}]. 2874 2875ciphers_ecdh_rsa_signed_certs_openssl_names(Config) when is_list(Config) -> 2876 Ciphers = ssl_test_lib:openssl_ecdh_rsa_suites(), 2877 run_suites(Ciphers, Config, ecdh_rsa). 2878%%-------------------------------------------------------------------- 2879reuse_session() -> 2880 [{doc,"Test reuse of sessions (short handshake)"}]. 2881reuse_session(Config) when is_list(Config) -> 2882 ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 2883 ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), 2884 2885 ssl_test_lib:reuse_session(ClientOpts, ServerOpts, Config). 2886%%-------------------------------------------------------------------- 2887reuse_session_expired() -> 2888 [{doc,"Test sessions is not reused when it has expired"}]. 2889reuse_session_expired(Config) when is_list(Config) -> 2890 ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 2891 ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), 2892 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2893 2894 Server0 = 2895 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 2896 {from, self()}, 2897 {mfa, {ssl_test_lib, no_result, []}}, 2898 {tcp_options, [{active, false}]}, 2899 {options, ServerOpts}]), 2900 Port0 = ssl_test_lib:inet_port(Server0), 2901 2902 Client0 = ssl_test_lib:start_client([{node, ClientNode}, 2903 {port, Port0}, {host, Hostname}, 2904 {mfa, {ssl_test_lib, session_id, []}}, 2905 {from, self()}, {options, [{reuse_sessions, save} | ClientOpts]}]), 2906 Server0 ! listen, 2907 2908 Client1 = ssl_test_lib:start_client([{node, ClientNode}, 2909 {port, Port0}, {host, Hostname}, 2910 {mfa, {ssl_test_lib, session_id, []}}, 2911 {from, self()}, {options, ClientOpts}]), 2912 2913 SID = receive 2914 {Client0, Id0} -> 2915 Id0 2916 end, 2917 2918 receive 2919 {Client1, SID} -> 2920 ok 2921 after ?SLEEP -> 2922 ct:fail(session_not_reused) 2923 end, 2924 2925 Server0 ! listen, 2926 2927 %% Make sure session is unregistered due to expiration 2928 ct:sleep((?EXPIRE*2)), 2929 2930 make_sure_expired(Hostname, Port0, SID), 2931 2932 Client2 = 2933 ssl_test_lib:start_client([{node, ClientNode}, 2934 {port, Port0}, {host, Hostname}, 2935 {mfa, {ssl_test_lib, session_id, []}}, 2936 {from, self()}, {options, ClientOpts}]), 2937 receive 2938 {Client2, SID} -> 2939 ct:fail(session_reused_when_session_expired); 2940 {Client2, _} -> 2941 ok 2942 end, 2943 process_flag(trap_exit, false), 2944 ssl_test_lib:close(Server0), 2945 ssl_test_lib:close(Client0), 2946 ssl_test_lib:close(Client1), 2947 ssl_test_lib:close(Client2). 2948 2949make_sure_expired(Host, Port, Id) -> 2950 {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)), 2951 [_, _,_, _, Prop] = StatusInfo, 2952 State = ssl_test_lib:state(Prop), 2953 ClientCache = element(2, State), 2954 2955 case ssl_session_cache:lookup(ClientCache, {{Host, Port}, Id}) of 2956 undefined -> 2957 ok; 2958 #session{is_resumable = false} -> 2959 ok; 2960 _ -> 2961 ct:sleep(?SLEEP), 2962 make_sure_expired(Host, Port, Id) 2963 end. 2964 2965%%-------------------------------------------------------------------- 2966server_does_not_want_to_reuse_session() -> 2967 [{doc,"Test reuse of sessions (short handshake)"}]. 2968server_does_not_want_to_reuse_session(Config) when is_list(Config) -> 2969 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 2970 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 2971 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 2972 2973 Server = 2974 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 2975 {from, self()}, 2976 {mfa, {ssl_test_lib, session_info_result, []}}, 2977 {options, [{reuse_session, fun(_,_,_,_) -> 2978 false 2979 end} | 2980 ServerOpts]}]), 2981 Port = ssl_test_lib:inet_port(Server), 2982 Client0 = 2983 ssl_test_lib:start_client([{node, ClientNode}, 2984 {port, Port}, {host, Hostname}, 2985 {mfa, {ssl_test_lib, no_result, []}}, 2986 {from, self()}, {options, ClientOpts}]), 2987 SessionInfo = 2988 receive 2989 {Server, Info} -> 2990 Info 2991 end, 2992 2993 Server ! {listen, {mfa, {ssl_test_lib, no_result, []}}}, 2994 2995 %% Make sure session is registered 2996 ct:sleep(?SLEEP), 2997 ssl_test_lib:close(Client0), 2998 2999 Client1 = 3000 ssl_test_lib:start_client([{node, ClientNode}, 3001 {port, Port}, {host, Hostname}, 3002 {mfa, {ssl_test_lib, session_info_result, []}}, 3003 {from, self()}, {options, ClientOpts}]), 3004 receive 3005 {Client1, SessionInfo} -> 3006 ct:fail(session_reused_when_server_does_not_want_to); 3007 {Client1, _Other} -> 3008 ok 3009 end, 3010 3011 ssl_test_lib:close(Server), 3012 ssl_test_lib:close(Client1). 3013 3014%%-------------------------------------------------------------------- 3015client_renegotiate() -> 3016 [{doc,"Test ssl:renegotiate/1 on client."}]. 3017client_renegotiate(Config) when is_list(Config) -> 3018 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3019 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3020 3021 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3022 3023 Data = "From erlang to erlang", 3024 3025 Server = 3026 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3027 {from, self()}, 3028 {mfa, {?MODULE, erlang_ssl_receive, [Data]}}, 3029 {options, ServerOpts}]), 3030 Port = ssl_test_lib:inet_port(Server), 3031 3032 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3033 {host, Hostname}, 3034 {from, self()}, 3035 {mfa, {?MODULE, 3036 renegotiate, [Data]}}, 3037 {options, [{reuse_sessions, false} | ClientOpts]}]), 3038 3039 ssl_test_lib:check_result(Client, ok, Server, ok), 3040 ssl_test_lib:close(Server), 3041 ssl_test_lib:close(Client). 3042 3043%%-------------------------------------------------------------------- 3044client_secure_renegotiate() -> 3045 [{doc,"Test ssl:renegotiate/1 on client."}]. 3046client_secure_renegotiate(Config) when is_list(Config) -> 3047 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3048 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3049 3050 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3051 3052 Data = "From erlang to erlang", 3053 3054 Server = 3055 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3056 {from, self()}, 3057 {mfa, {?MODULE, erlang_ssl_receive, [Data]}}, 3058 {options, [{secure_renegotiate, true} | ServerOpts]}]), 3059 Port = ssl_test_lib:inet_port(Server), 3060 3061 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3062 {host, Hostname}, 3063 {from, self()}, 3064 {mfa, {?MODULE, 3065 renegotiate, [Data]}}, 3066 {options, [{reuse_sessions, false}, 3067 {secure_renegotiate, true}| ClientOpts]}]), 3068 3069 ssl_test_lib:check_result(Client, ok, Server, ok), 3070 ssl_test_lib:close(Server), 3071 ssl_test_lib:close(Client). 3072 3073%%-------------------------------------------------------------------- 3074client_secure_renegotiate_fallback() -> 3075 [{doc,"Test that we can set secure_renegotiate to false that is " 3076 "fallback option, we however do not have a insecure server to test against!"}]. 3077client_secure_renegotiate_fallback(Config) when is_list(Config) -> 3078 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3079 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3080 3081 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3082 3083 Data = "From erlang to erlang", 3084 3085 Server = 3086 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3087 {from, self()}, 3088 {mfa, {?MODULE, erlang_ssl_receive, [Data]}}, 3089 {options, [{secure_renegotiate, false} | ServerOpts]}]), 3090 Port = ssl_test_lib:inet_port(Server), 3091 3092 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3093 {host, Hostname}, 3094 {from, self()}, 3095 {mfa, {?MODULE, 3096 renegotiate, [Data]}}, 3097 {options, [{reuse_sessions, false}, 3098 {secure_renegotiate, false}| ClientOpts]}]), 3099 3100 ssl_test_lib:check_result(Client, ok, Server, ok), 3101 ssl_test_lib:close(Server), 3102 ssl_test_lib:close(Client). 3103 3104%%-------------------------------------------------------------------- 3105server_renegotiate() -> 3106 [{doc,"Test ssl:renegotiate/1 on server."}]. 3107server_renegotiate(Config) when is_list(Config) -> 3108 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3109 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3110 3111 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3112 3113 Data = "From erlang to erlang", 3114 3115 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3116 {from, self()}, 3117 {mfa, {?MODULE, 3118 renegotiate, [Data]}}, 3119 {options, ServerOpts}]), 3120 Port = ssl_test_lib:inet_port(Server), 3121 3122 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3123 {host, Hostname}, 3124 {from, self()}, 3125 {mfa, {?MODULE, erlang_ssl_receive, [Data]}}, 3126 {options, [{reuse_sessions, false} | ClientOpts]}]), 3127 3128 ssl_test_lib:check_result(Server, ok, Client, ok), 3129 ssl_test_lib:close(Server), 3130 ssl_test_lib:close(Client). 3131 3132%%-------------------------------------------------------------------- 3133client_renegotiate_reused_session() -> 3134 [{doc,"Test ssl:renegotiate/1 on client when the ssl session will be reused."}]. 3135client_renegotiate_reused_session(Config) when is_list(Config) -> 3136 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3137 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3138 3139 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3140 3141 Data = "From erlang to erlang", 3142 3143 Server = 3144 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3145 {from, self()}, 3146 {mfa, {?MODULE, erlang_ssl_receive, [Data]}}, 3147 {options, ServerOpts}]), 3148 Port = ssl_test_lib:inet_port(Server), 3149 3150 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3151 {host, Hostname}, 3152 {from, self()}, 3153 {mfa, {?MODULE, 3154 renegotiate_reuse_session, [Data]}}, 3155 {options, [{reuse_sessions, true} | ClientOpts]}]), 3156 3157 ssl_test_lib:check_result(Client, ok, Server, ok), 3158 ssl_test_lib:close(Server), 3159 ssl_test_lib:close(Client). 3160%%-------------------------------------------------------------------- 3161server_renegotiate_reused_session() -> 3162 [{doc,"Test ssl:renegotiate/1 on server when the ssl session will be reused."}]. 3163server_renegotiate_reused_session(Config) when is_list(Config) -> 3164 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3165 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3166 3167 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3168 3169 Data = "From erlang to erlang", 3170 3171 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3172 {from, self()}, 3173 {mfa, {?MODULE, 3174 renegotiate_reuse_session, [Data]}}, 3175 {options, ServerOpts}]), 3176 Port = ssl_test_lib:inet_port(Server), 3177 3178 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3179 {host, Hostname}, 3180 {from, self()}, 3181 {mfa, {?MODULE, erlang_ssl_receive, [Data]}}, 3182 {options, [{reuse_sessions, true} | ClientOpts]}]), 3183 3184 ssl_test_lib:check_result(Server, ok, Client, ok), 3185 ssl_test_lib:close(Server), 3186 ssl_test_lib:close(Client). 3187%%-------------------------------------------------------------------- 3188client_no_wrap_sequence_number() -> 3189 [{doc,"Test that erlang client will renegotiate session when", 3190 "max sequence number celing is about to be reached. Although" 3191 "in the testcase we use the test option renegotiate_at" 3192 " to lower treashold substantially."}]. 3193 3194client_no_wrap_sequence_number(Config) when is_list(Config) -> 3195 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3196 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3197 3198 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3199 3200 ErlData = "From erlang to erlang", 3201 N = 12, 3202 3203 Server = 3204 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3205 {from, self()}, 3206 {mfa, {ssl_test_lib, no_result, []}}, 3207 {options, ServerOpts}]), 3208 Port = ssl_test_lib:inet_port(Server), 3209 3210 Version = ssl_test_lib:protocol_version(Config, tuple), 3211 3212 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3213 {host, Hostname}, 3214 {from, self()}, 3215 {mfa, {ssl_test_lib, 3216 trigger_renegotiate, [[ErlData, treashold(N, Version)]]}}, 3217 {options, [{reuse_sessions, false}, 3218 {renegotiate_at, N} | ClientOpts]}]), 3219 3220 ssl_test_lib:check_result(Client, ok), 3221 ssl_test_lib:close(Server), 3222 ssl_test_lib:close(Client). 3223 3224%%-------------------------------------------------------------------- 3225server_no_wrap_sequence_number() -> 3226 [{doc, "Test that erlang server will renegotiate session when", 3227 "max sequence number celing is about to be reached. Although" 3228 "in the testcase we use the test option renegotiate_at" 3229 " to lower treashold substantially."}]. 3230 3231server_no_wrap_sequence_number(Config) when is_list(Config) -> 3232 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3233 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3234 3235 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3236 3237 Data = "From erlang to erlang", 3238 N = 12, 3239 3240 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3241 {from, self()}, 3242 {mfa, {ssl_test_lib, 3243 trigger_renegotiate, [[Data, N+2]]}}, 3244 {options, [{renegotiate_at, N} | ServerOpts]}]), 3245 Port = ssl_test_lib:inet_port(Server), 3246 3247 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3248 {host, Hostname}, 3249 {from, self()}, 3250 {mfa, {ssl_test_lib, no_result, []}}, 3251 {options, [{reuse_sessions, false} | ClientOpts]}]), 3252 3253 ssl_test_lib:check_result(Server, ok), 3254 ssl_test_lib:close(Server), 3255 ssl_test_lib:close(Client). 3256 3257%%-------------------------------------------------------------------- 3258der_input() -> 3259 [{doc,"Test to input certs and key as der"}]. 3260 3261der_input(Config) when is_list(Config) -> 3262 DataDir = proplists:get_value(data_dir, Config), 3263 DHParamFile = filename:join(DataDir, "dHParam.pem"), 3264 3265 {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)), 3266 [_, _,_, _, Prop] = StatusInfo, 3267 State = ssl_test_lib:state(Prop), 3268 [CADb | _] = element(6, State), 3269 3270 Size = ets:info(CADb, size), 3271 3272 SeverVerifyOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), 3273 {ServerCert, ServerKey, ServerCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} | 3274 SeverVerifyOpts]), 3275 ClientVerifyOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), 3276 {ClientCert, ClientKey, ClientCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} | 3277 ClientVerifyOpts]), 3278 ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, 3279 {dh, DHParams}, 3280 {cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCaCerts}], 3281 ClientOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, 3282 {dh, DHParams}, 3283 {cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCaCerts}], 3284 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3285 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3286 {from, self()}, 3287 {mfa, {ssl_test_lib, send_recv_result, []}}, 3288 {options, [{active, false} | ServerOpts]}]), 3289 Port = ssl_test_lib:inet_port(Server), 3290 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3291 {host, Hostname}, 3292 {from, self()}, 3293 {mfa, {ssl_test_lib, send_recv_result, []}}, 3294 {options, [{active, false} | ClientOpts]}]), 3295 3296 ssl_test_lib:check_result(Server, ok, Client, ok), 3297 ssl_test_lib:close(Server), 3298 ssl_test_lib:close(Client), 3299 Size = ets:info(CADb, size). 3300 3301%%-------------------------------------------------------------------- 3302der_input_opts(Opts) -> 3303 Certfile = proplists:get_value(certfile, Opts), 3304 CaCertsfile = proplists:get_value(cacertfile, Opts), 3305 Keyfile = proplists:get_value(keyfile, Opts), 3306 Dhfile = proplists:get_value(dhfile, Opts), 3307 [{_, Cert, _}] = ssl_test_lib:pem_to_der(Certfile), 3308 [{Asn1Type, Key, _}] = ssl_test_lib:pem_to_der(Keyfile), 3309 [{_, DHParams, _}] = ssl_test_lib:pem_to_der(Dhfile), 3310 CaCerts = 3311 lists:map(fun(Entry) -> 3312 {_, CaCert, _} = Entry, 3313 CaCert 3314 end, ssl_test_lib:pem_to_der(CaCertsfile)), 3315 {Cert, {Asn1Type, Key}, CaCerts, DHParams}. 3316 3317%%-------------------------------------------------------------------- 3318no_reuses_session_server_restart_new_cert() -> 3319 [{doc,"Check that a session is not reused if the server is restarted with a new cert."}]. 3320no_reuses_session_server_restart_new_cert(Config) when is_list(Config) -> 3321 3322 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3323 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3324 DsaServerOpts = ssl_test_lib:ssl_options(server_dsa_opts, Config), 3325 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3326 3327 Server = 3328 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3329 {from, self()}, 3330 {mfa, {ssl_test_lib, session_info_result, []}}, 3331 {options, ServerOpts}]), 3332 Port = ssl_test_lib:inet_port(Server), 3333 Client0 = 3334 ssl_test_lib:start_client([{node, ClientNode}, 3335 {port, Port}, {host, Hostname}, 3336 {mfa, {ssl_test_lib, no_result, []}}, 3337 {from, self()}, {options, ClientOpts}]), 3338 SessionInfo = 3339 receive 3340 {Server, Info} -> 3341 Info 3342 end, 3343 3344 %% Make sure session is registered 3345 ct:sleep(?SLEEP), 3346 Monitor = erlang:monitor(process, Server), 3347 ssl_test_lib:close(Server), 3348 ssl_test_lib:close(Client0), 3349 receive 3350 {'DOWN', Monitor, _, _, _} -> 3351 ok 3352 end, 3353 3354 Server1 = 3355 ssl_test_lib:start_server([{node, ServerNode}, {port, Port}, 3356 {from, self()}, 3357 {mfa, {ssl_test_lib, no_result, []}}, 3358 {options, [{reuseaddr, true} | DsaServerOpts]}]), 3359 3360 Client1 = 3361 ssl_test_lib:start_client([{node, ClientNode}, 3362 {port, Port}, {host, Hostname}, 3363 {mfa, {ssl_test_lib, session_info_result, []}}, 3364 {from, self()}, {options, ClientOpts}]), 3365 receive 3366 {Client1, SessionInfo} -> 3367 ct:fail(session_reused_when_server_has_new_cert); 3368 {Client1, _Other} -> 3369 ok 3370 end, 3371 ssl_test_lib:close(Server1), 3372 ssl_test_lib:close(Client1). 3373 3374%%-------------------------------------------------------------------- 3375no_reuses_session_server_restart_new_cert_file() -> 3376 [{doc,"Check that a session is not reused if a server is restarted with a new " 3377 "cert contained in a file with the same name as the old cert."}]. 3378 3379no_reuses_session_server_restart_new_cert_file(Config) when is_list(Config) -> 3380 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3381 ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config), 3382 DsaServerOpts = ssl_test_lib:ssl_options(server_dsa_opts, Config), 3383 PrivDir = proplists:get_value(priv_dir, Config), 3384 3385 NewServerOpts0 = new_config(PrivDir, ServerOpts), 3386 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3387 3388 Server = 3389 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3390 {from, self()}, 3391 {mfa, {ssl_test_lib, session_info_result, []}}, 3392 {options, NewServerOpts0}]), 3393 Port = ssl_test_lib:inet_port(Server), 3394 Client0 = 3395 ssl_test_lib:start_client([{node, ClientNode}, 3396 {port, Port}, {host, Hostname}, 3397 {mfa, {ssl_test_lib, no_result, []}}, 3398 {from, self()}, {options, ClientOpts}]), 3399 SessionInfo = 3400 receive 3401 {Server, Info} -> 3402 Info 3403 end, 3404 3405 %% Make sure session is registered and we get 3406 %% new file time stamp when calling new_config! 3407 ct:sleep(?SLEEP* 2), 3408 ssl_test_lib:close(Server), 3409 ssl_test_lib:close(Client0), 3410 3411 ssl:clear_pem_cache(), 3412 3413 NewServerOpts1 = new_config(PrivDir, DsaServerOpts), 3414 3415 Server1 = 3416 ssl_test_lib:start_server([{node, ServerNode}, {port, Port}, 3417 {from, self()}, 3418 {mfa, {ssl_test_lib, no_result, []}}, 3419 {options, [{reuseaddr, true} | NewServerOpts1]}]), 3420 Client1 = 3421 ssl_test_lib:start_client([{node, ClientNode}, 3422 {port, Port}, {host, Hostname}, 3423 {mfa, {ssl_test_lib, session_info_result, []}}, 3424 {from, self()}, {options, ClientOpts}]), 3425 receive 3426 {Client1, SessionInfo} -> 3427 ct:fail(session_reused_when_server_has_new_cert); 3428 {Client1, _Other} -> 3429 ok 3430 end, 3431 ssl_test_lib:close(Server1), 3432 ssl_test_lib:close(Client1). 3433 3434%%-------------------------------------------------------------------- 3435defaults(Config) when is_list(Config)-> 3436 Versions = ssl:versions(), 3437 true = lists:member(sslv3, proplists:get_value(available, Versions)), 3438 false = lists:member(sslv3, proplists:get_value(supported, Versions)), 3439 true = lists:member('tlsv1', proplists:get_value(available, Versions)), 3440 true = lists:member('tlsv1', proplists:get_value(supported, Versions)), 3441 true = lists:member('tlsv1.1', proplists:get_value(available, Versions)), 3442 true = lists:member('tlsv1.1', proplists:get_value(supported, Versions)), 3443 true = lists:member('tlsv1.2', proplists:get_value(available, Versions)), 3444 true = lists:member('tlsv1.2', proplists:get_value(supported, Versions)), 3445 false = lists:member({rsa,rc4_128,sha}, ssl:cipher_suites()), 3446 true = lists:member({rsa,rc4_128,sha}, ssl:cipher_suites(all)), 3447 false = lists:member({rsa,des_cbc,sha}, ssl:cipher_suites()), 3448 true = lists:member({rsa,des_cbc,sha}, ssl:cipher_suites(all)), 3449 false = lists:member({dhe_rsa,des_cbc,sha}, ssl:cipher_suites()), 3450 true = lists:member({dhe_rsa,des_cbc,sha}, ssl:cipher_suites(all)), 3451 true = lists:member('dtlsv1.2', proplists:get_value(available_dtls, Versions)), 3452 true = lists:member('dtlsv1', proplists:get_value(available_dtls, Versions)), 3453 true = lists:member('dtlsv1.2', proplists:get_value(supported_dtls, Versions)), 3454 true = lists:member('dtlsv1', proplists:get_value(supported_dtls, Versions)). 3455 3456%%-------------------------------------------------------------------- 3457reuseaddr() -> 3458 [{doc,"Test reuseaddr option"}]. 3459 3460reuseaddr(Config) when is_list(Config) -> 3461 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3462 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3463 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3464 Server = 3465 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3466 {from, self()}, 3467 {mfa, {ssl_test_lib, no_result, []}}, 3468 {options, [{active, false} | ServerOpts]}]), 3469 Port = ssl_test_lib:inet_port(Server), 3470 Client = 3471 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3472 {host, Hostname}, 3473 {from, self()}, 3474 {mfa, {ssl_test_lib, no_result, []}}, 3475 {options, [{active, false} | ClientOpts]}]), 3476 ssl_test_lib:close(Server), 3477 ssl_test_lib:close(Client), 3478 3479 Server1 = 3480 ssl_test_lib:start_server([{node, ServerNode}, {port, Port}, 3481 {from, self()}, 3482 {mfa, {ssl_test_lib, send_recv_result, []}}, 3483 {options, [{active, false} | ServerOpts]}]), 3484 Client1 = 3485 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3486 {host, Hostname}, 3487 {from, self()}, 3488 {mfa, {ssl_test_lib, send_recv_result, []}}, 3489 {options, [{active, false} | ClientOpts]}]), 3490 3491 ssl_test_lib:check_result(Server1, ok, Client1, ok), 3492 ssl_test_lib:close(Server1), 3493 ssl_test_lib:close(Client1). 3494 3495%%-------------------------------------------------------------------- 3496tls_tcp_reuseaddr() -> 3497 [{doc, "Reference test case."}]. 3498tls_tcp_reuseaddr(Config) when is_list(Config) -> 3499 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3500 Server = 3501 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3502 {from, self()}, 3503 {transport, gen_tcp}, 3504 {mfa, {ssl_test_lib, no_result, []}}, 3505 {options, [{active, false}, {reuseaddr, true}]}]), 3506 Port = ssl_test_lib:inet_port(Server), 3507 Client = 3508 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3509 {host, Hostname}, 3510 {transport, gen_tcp}, 3511 {from, self()}, 3512 {mfa, {ssl_test_lib, no_result, []}}, 3513 {options, [{active, false}]}]), 3514 ssl_test_lib:close(Server), 3515 ssl_test_lib:close(Client), 3516 3517 Server1 = 3518 ssl_test_lib:start_server([{node, ServerNode}, {port, Port}, 3519 {from, self()}, 3520 {transport, gen_tcp}, 3521 {mfa, {?MODULE, tcp_send_recv_result, []}}, 3522 {options, [{active, false}, {reuseaddr, true}]}]), 3523 Client1 = 3524 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3525 {host, Hostname}, 3526 {from, self()}, 3527 {transport, gen_tcp}, 3528 {mfa, {?MODULE, tcp_send_recv_result, []}}, 3529 {options, [{active, false}]}]), 3530 3531 ssl_test_lib:check_result(Server1, ok, Client1, ok), 3532 ssl_test_lib:close(Server1), 3533 ssl_test_lib:close(Client1). 3534 3535%%-------------------------------------------------------------------- 3536 3537honor_server_cipher_order() -> 3538 [{doc,"Test API honor server cipher order."}]. 3539honor_server_cipher_order(Config) when is_list(Config) -> 3540 ClientCiphers = [#{key_exchange => dhe_rsa, 3541 cipher => aes_128_cbc, 3542 mac => sha, 3543 prf => default_prf}, 3544 #{key_exchange => dhe_rsa, 3545 cipher => aes_256_cbc, 3546 mac => sha, 3547 prf => default_prf}], 3548 ServerCiphers = [#{key_exchange => dhe_rsa, 3549 cipher => aes_256_cbc, 3550 mac =>sha, 3551 prf => default_prf}, 3552 #{key_exchange => dhe_rsa, 3553 cipher => aes_128_cbc, 3554 mac => sha, 3555 prf => default_prf}], 3556 honor_cipher_order(Config, true, ServerCiphers, ClientCiphers, #{key_exchange => dhe_rsa, 3557 cipher => aes_256_cbc, 3558 mac => sha, 3559 prf => default_prf}). 3560 3561honor_client_cipher_order() -> 3562 [{doc,"Test API honor server cipher order."}]. 3563honor_client_cipher_order(Config) when is_list(Config) -> 3564 ClientCiphers = [#{key_exchange => dhe_rsa, 3565 cipher => aes_128_cbc, 3566 mac => sha, 3567 prf => default_prf}, 3568 #{key_exchange => dhe_rsa, 3569 cipher => aes_256_cbc, 3570 mac => sha, 3571 prf => default_prf}], 3572 ServerCiphers = [#{key_exchange => dhe_rsa, 3573 cipher => aes_256_cbc, 3574 mac =>sha, 3575 prf => default_prf}, 3576 #{key_exchange => dhe_rsa, 3577 cipher => aes_128_cbc, 3578 mac => sha, 3579 prf => default_prf}], 3580honor_cipher_order(Config, false, ServerCiphers, ClientCiphers, #{key_exchange => dhe_rsa, 3581 cipher => aes_128_cbc, 3582 mac => sha, 3583 prf => default_prf}). 3584 3585honor_cipher_order(Config, Honor, ServerCiphers, ClientCiphers, Expected) -> 3586 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3587 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3588 3589 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3590 3591 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3592 {from, self()}, 3593 {mfa, {?MODULE, connection_info_result, []}}, 3594 {options, [{ciphers, ServerCiphers}, {honor_cipher_order, Honor} 3595 | ServerOpts]}]), 3596 Port = ssl_test_lib:inet_port(Server), 3597 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3598 {host, Hostname}, 3599 {from, self()}, 3600 {mfa, {?MODULE, connection_info_result, []}}, 3601 {options, [{ciphers, ClientCiphers}, {honor_cipher_order, Honor} 3602 | ClientOpts]}]), 3603 3604 Version = ssl_test_lib:protocol_version(Config), 3605 3606 ServerMsg = ClientMsg = {ok, {Version, Expected}}, 3607 3608 ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg), 3609 3610 ssl_test_lib:close(Server), 3611 ssl_test_lib:close(Client). 3612 3613%%-------------------------------------------------------------------- 3614tls_ciphersuite_vs_version() -> 3615 [{doc,"Test a SSLv3 client can not negotiate a TLSv* cipher suite."}]. 3616tls_ciphersuite_vs_version(Config) when is_list(Config) -> 3617 3618 {_ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3619 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3620 3621 Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 3622 {from, self()}, 3623 {options, ServerOpts}]), 3624 Port = ssl_test_lib:inet_port(Server), 3625 3626 {ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {active, false}]), 3627 ok = gen_tcp:send(Socket, 3628 <<22, 3,0, 49:16, % handshake, SSL 3.0, length 3629 1, 45:24, % client_hello, length 3630 3,0, % SSL 3.0 3631 16#deadbeef:256, % 32 'random' bytes = 256 bits 3632 0, % no session ID 3633 %% three cipher suites -- null, one with sha256 hash and one with sha hash 3634 6:16, 0,255, 0,61, 0,57, 3635 1, 0 % no compression 3636 >>), 3637 {ok, <<22, RecMajor:8, RecMinor:8, _RecLen:16, 2, HelloLen:24>>} = gen_tcp:recv(Socket, 9, 10000), 3638 {ok, <<HelloBin:HelloLen/binary>>} = gen_tcp:recv(Socket, HelloLen, 5000), 3639 ServerHello = tls_handshake:decode_handshake({RecMajor, RecMinor}, 2, HelloBin), 3640 case ServerHello of 3641 #server_hello{server_version = {3,0}, cipher_suite = <<0,57>>} -> 3642 ok; 3643 _ -> 3644 ct:fail({unexpected_server_hello, ServerHello}) 3645 end. 3646 3647%%-------------------------------------------------------------------- 3648conf_signature_algs() -> 3649 [{doc,"Test to set the signature_algs option on both client and server"}]. 3650conf_signature_algs(Config) when is_list(Config) -> 3651 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3652 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3653 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3654 Server = 3655 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3656 {from, self()}, 3657 {mfa, {ssl_test_lib, send_recv_result, []}}, 3658 {options, [{active, false}, {signature_algs, [{sha256, rsa}]} | ServerOpts]}]), 3659 Port = ssl_test_lib:inet_port(Server), 3660 Client = 3661 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3662 {host, Hostname}, 3663 {from, self()}, 3664 {mfa, {ssl_test_lib, send_recv_result, []}}, 3665 {options, [{active, false}, {signature_algs, [{sha256, rsa}]} | ClientOpts]}]), 3666 3667 ct:log("Testcase ~p, Client ~p Server ~p ~n", 3668 [self(), Client, Server]), 3669 3670 ssl_test_lib:check_result(Server, ok, Client, ok), 3671 3672 ssl_test_lib:close(Server), 3673 ssl_test_lib:close(Client). 3674 3675 3676%%-------------------------------------------------------------------- 3677no_common_signature_algs() -> 3678 [{doc,"Set the signature_algs option so that there client and server does not share any hash sign algorithms"}]. 3679no_common_signature_algs(Config) when is_list(Config) -> 3680 3681 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3682 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3683 3684 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3685 3686 3687 Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 3688 {from, self()}, 3689 {options, [{signature_algs, [{sha256, rsa}]} 3690 | ServerOpts]}]), 3691 Port = ssl_test_lib:inet_port(Server), 3692 Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, 3693 {host, Hostname}, 3694 {from, self()}, 3695 {options, [{signature_algs, [{sha384, rsa}]} 3696 | ClientOpts]}]), 3697 3698 ssl_test_lib:check_server_alert(Server, Client, insufficient_security). 3699 3700%%-------------------------------------------------------------------- 3701 3702tls_dont_crash_on_handshake_garbage() -> 3703 [{doc, "Ensure SSL server worker thows an alert on garbage during handshake " 3704 "instead of crashing and exposing state to user code"}]. 3705 3706tls_dont_crash_on_handshake_garbage(Config) -> 3707 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3708 3709 {_ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3710 3711 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3712 {from, self()}, 3713 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 3714 {options, ServerOpts}]), 3715 unlink(Server), monitor(process, Server), 3716 Port = ssl_test_lib:inet_port(Server), 3717 3718 {ok, Socket} = gen_tcp:connect(Hostname, Port, [binary, {active, false}]), 3719 3720 % Send hello and garbage record 3721 ok = gen_tcp:send(Socket, 3722 [<<22, 3,3, 49:16, 1, 45:24, 3,3, % client_hello 3723 16#deadbeef:256, % 32 'random' bytes = 256 bits 3724 0, 6:16, 0,255, 0,61, 0,57, 1, 0 >>, % some hello values 3725 3726 <<22, 3,3, 5:16, 92,64,37,228,209>> % garbage 3727 ]), 3728 % Send unexpected change_cipher_spec 3729 ok = gen_tcp:send(Socket, <<20, 3,3, 12:16, 111,40,244,7,137,224,16,109,197,110,249,152>>), 3730 3731 % Ensure we receive an alert, not sudden disconnect 3732 {ok, <<21, _/binary>>} = drop_handshakes(Socket, 1000). 3733 3734drop_handshakes(Socket, Timeout) -> 3735 {ok, <<RecType:8, _RecMajor:8, _RecMinor:8, RecLen:16>> = Header} = gen_tcp:recv(Socket, 5, Timeout), 3736 {ok, <<Frag:RecLen/binary>>} = gen_tcp:recv(Socket, RecLen, Timeout), 3737 case RecType of 3738 22 -> drop_handshakes(Socket, Timeout); 3739 _ -> {ok, <<Header/binary, Frag/binary>>} 3740 end. 3741 3742 3743%%-------------------------------------------------------------------- 3744 3745hibernate() -> 3746 [{doc,"Check that an SSL connection that is started with option " 3747 "{hibernate_after, 1000} indeed hibernates after 1000ms of " 3748 "inactivity"}]. 3749 3750hibernate(Config) -> 3751 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3752 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3753 3754 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3755 3756 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3757 {from, self()}, 3758 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 3759 {options, ServerOpts}]), 3760 Port = ssl_test_lib:inet_port(Server), 3761 {Client, #sslsocket{pid=[Pid|_]}} = ssl_test_lib:start_client([return_socket, 3762 {node, ClientNode}, {port, Port}, 3763 {host, Hostname}, 3764 {from, self()}, 3765 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 3766 {options, [{hibernate_after, 1000}|ClientOpts]}]), 3767 {current_function, _} = 3768 process_info(Pid, current_function), 3769 3770 ssl_test_lib:check_result(Server, ok, Client, ok), 3771 3772 ct:sleep(1500), 3773 {current_function, {erlang, hibernate, 3}} = 3774 process_info(Pid, current_function), 3775 3776 ssl_test_lib:close(Server), 3777 ssl_test_lib:close(Client). 3778 3779%%-------------------------------------------------------------------- 3780 3781hibernate_right_away() -> 3782 [{doc,"Check that an SSL connection that is configured to hibernate " 3783 "after 0 or 1 milliseconds hibernates as soon as possible and not " 3784 "crashes"}]. 3785 3786hibernate_right_away(Config) -> 3787 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3788 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3789 3790 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3791 3792 StartServerOpts = [{node, ServerNode}, {port, 0}, 3793 {from, self()}, 3794 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 3795 {options, ServerOpts}], 3796 StartClientOpts = [return_socket, 3797 {node, ClientNode}, 3798 {host, Hostname}, 3799 {from, self()}, 3800 {mfa, {ssl_test_lib, send_recv_result_active, []}}], 3801 3802 Server1 = ssl_test_lib:start_server(StartServerOpts), 3803 Port1 = ssl_test_lib:inet_port(Server1), 3804 {Client1, #sslsocket{pid = [Pid1|_]}} = ssl_test_lib:start_client(StartClientOpts ++ 3805 [{port, Port1}, {options, [{hibernate_after, 0}|ClientOpts]}]), 3806 3807 ssl_test_lib:check_result(Server1, ok, Client1, ok), 3808 3809 ct:sleep(1000), %% Schedule out 3810 3811 {current_function, {erlang, hibernate, 3}} = 3812 process_info(Pid1, current_function), 3813 ssl_test_lib:close(Server1), 3814 ssl_test_lib:close(Client1), 3815 3816 Server2 = ssl_test_lib:start_server(StartServerOpts), 3817 Port2 = ssl_test_lib:inet_port(Server2), 3818 {Client2, #sslsocket{pid = [Pid2|_]}} = ssl_test_lib:start_client(StartClientOpts ++ 3819 [{port, Port2}, {options, [{hibernate_after, 1}|ClientOpts]}]), 3820 3821 ssl_test_lib:check_result(Server2, ok, Client2, ok), 3822 3823 ct:sleep(1000), %% Schedule out 3824 3825 {current_function, {erlang, hibernate, 3}} = 3826 process_info(Pid2, current_function), 3827 3828 ssl_test_lib:close(Server2), 3829 ssl_test_lib:close(Client2). 3830 3831%%-------------------------------------------------------------------- 3832listen_socket() -> 3833 [{doc,"Check error handling and inet compliance when calling API functions with listen sockets."}]. 3834 3835listen_socket(Config) -> 3836 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3837 {ok, ListenSocket} = ssl:listen(0, ServerOpts), 3838 3839 %% This can be a valid thing to do as 3840 %% options are inherited by the accept socket 3841 ok = ssl:controlling_process(ListenSocket, self()), 3842 3843 {ok, _} = ssl:sockname(ListenSocket), 3844 3845 {error, enotconn} = ssl:send(ListenSocket, <<"data">>), 3846 {error, enotconn} = ssl:recv(ListenSocket, 0), 3847 {error, enotconn} = ssl:connection_information(ListenSocket), 3848 {error, enotconn} = ssl:peername(ListenSocket), 3849 {error, enotconn} = ssl:peercert(ListenSocket), 3850 {error, enotconn} = ssl:renegotiate(ListenSocket), 3851 {error, enotconn} = ssl:prf(ListenSocket, 'master_secret', <<"Label">>, [client_random], 256), 3852 {error, enotconn} = ssl:shutdown(ListenSocket, read_write), 3853 3854 ok = ssl:close(ListenSocket). 3855%%-------------------------------------------------------------------- 3856tls_ssl_accept_timeout() -> 3857 [{doc,"Test ssl:ssl_accept timeout"}]. 3858 3859tls_ssl_accept_timeout(Config) -> 3860 process_flag(trap_exit, true), 3861 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3862 {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3863 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3864 {from, self()}, 3865 {timeout, 5000}, 3866 {mfa, {ssl_test_lib, 3867 no_result_msg, []}}, 3868 {options, ServerOpts}]), 3869 Port = ssl_test_lib:inet_port(Server), 3870 {ok, CSocket} = gen_tcp:connect(Hostname, Port, [binary, {active, true}]), 3871 3872 receive 3873 {tcp_closed, CSocket} -> 3874 ssl_test_lib:check_result(Server, {error, timeout}), 3875 receive 3876 {'EXIT', Server, _} -> 3877 %% Make sure supervisor had time to react on process exit 3878 %% Could we come up with a better solution to this? 3879 ct:sleep(500), 3880 [] = supervisor:which_children(tls_connection_sup) 3881 end 3882 end. 3883 3884%%-------------------------------------------------------------------- 3885ssl_recv_timeout() -> 3886 [{doc,"Test ssl:ssl_accept timeout"}]. 3887 3888ssl_recv_timeout(Config) -> 3889 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3890 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3891 3892 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3893 3894 Server = 3895 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3896 {from, self()}, 3897 {mfa, {?MODULE, send_recv_result_timeout_server, []}}, 3898 {options, [{active, false} | ServerOpts]}]), 3899 Port = ssl_test_lib:inet_port(Server), 3900 3901 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3902 {host, Hostname}, 3903 {from, self()}, 3904 {mfa, {?MODULE, 3905 send_recv_result_timeout_client, []}}, 3906 {options, [{active, false} | ClientOpts]}]), 3907 3908 ssl_test_lib:check_result(Client, ok, Server, ok), 3909 ssl_test_lib:close(Server), 3910 ssl_test_lib:close(Client). 3911 3912%%-------------------------------------------------------------------- 3913connect_twice() -> 3914 [{doc,""}]. 3915connect_twice(Config) when is_list(Config) -> 3916 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3917 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3918 3919 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3920 3921 Server = 3922 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3923 {from, self()}, 3924 {mfa, {ssl_test_lib, send_recv_result, []}}, 3925 {options, [{keepalive, true},{active, false} 3926 | ServerOpts]}]), 3927 Port = ssl_test_lib:inet_port(Server), 3928 Client = 3929 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3930 {host, Hostname}, 3931 {from, self()}, 3932 {mfa, {ssl_test_lib, send_recv_result, []}}, 3933 {options, [{keepalive, true},{active, false} 3934 | ClientOpts]}]), 3935 Server ! listen, 3936 3937 {Client1, #sslsocket{}} = 3938 ssl_test_lib:start_client([return_socket, 3939 {node, ClientNode}, {port, Port}, 3940 {host, Hostname}, 3941 {from, self()}, 3942 {mfa, {ssl_test_lib, send_recv_result, []}}, 3943 {options, [{keepalive, true},{active, false} 3944 | ClientOpts]}]), 3945 3946 ct:log("Testcase ~p, Client ~p Server ~p ~n", 3947 [self(), Client, Server]), 3948 3949 ssl_test_lib:check_result(Server, ok, Client, ok), 3950 ssl_test_lib:check_result(Server, ok, Client1, ok), 3951 3952 ssl_test_lib:close(Server), 3953 ssl_test_lib:close(Client), 3954 ssl_test_lib:close(Client1). 3955 3956%%-------------------------------------------------------------------- 3957renegotiate_dos_mitigate_active() -> 3958 [{doc, "Mitigate DOS computational attack by not allowing client to renegotiate many times in a row", 3959 "immediately after each other"}]. 3960renegotiate_dos_mitigate_active(Config) when is_list(Config) -> 3961 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3962 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3963 3964 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3965 3966 Server = 3967 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3968 {from, self()}, 3969 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 3970 {options, ServerOpts}]), 3971 Port = ssl_test_lib:inet_port(Server), 3972 3973 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 3974 {host, Hostname}, 3975 {from, self()}, 3976 {mfa, {?MODULE, 3977 renegotiate_immediately, []}}, 3978 {options, ClientOpts}]), 3979 3980 ssl_test_lib:check_result(Client, ok, Server, ok), 3981 ssl_test_lib:close(Server), 3982 ssl_test_lib:close(Client). 3983 3984%%-------------------------------------------------------------------- 3985renegotiate_dos_mitigate_passive() -> 3986 [{doc, "Mitigate DOS computational attack by not allowing client to renegotiate many times in a row", 3987 "immediately after each other"}]. 3988renegotiate_dos_mitigate_passive(Config) when is_list(Config) -> 3989 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 3990 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 3991 3992 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 3993 3994 Server = 3995 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 3996 {from, self()}, 3997 {mfa, {ssl_test_lib, send_recv_result, []}}, 3998 {options, [{active, false} | ServerOpts]}]), 3999 Port = ssl_test_lib:inet_port(Server), 4000 4001 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4002 {host, Hostname}, 4003 {from, self()}, 4004 {mfa, {?MODULE, 4005 renegotiate_immediately, []}}, 4006 {options, ClientOpts}]), 4007 4008 ssl_test_lib:check_result(Client, ok, Server, ok), 4009 ssl_test_lib:close(Server), 4010 ssl_test_lib:close(Client). 4011 4012%%-------------------------------------------------------------------- 4013renegotiate_dos_mitigate_absolute() -> 4014 [{doc, "Mitigate DOS computational attack by not allowing client to initiate renegotiation"}]. 4015renegotiate_dos_mitigate_absolute(Config) when is_list(Config) -> 4016 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4017 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4018 4019 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4020 4021 Server = 4022 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4023 {from, self()}, 4024 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4025 {options, [{client_renegotiation, false} | ServerOpts]}]), 4026 Port = ssl_test_lib:inet_port(Server), 4027 4028 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4029 {host, Hostname}, 4030 {from, self()}, 4031 {mfa, {?MODULE, 4032 renegotiate_rejected, 4033 []}}, 4034 {options, ClientOpts}]), 4035 4036 ssl_test_lib:check_result(Client, ok, Server, ok), 4037 ssl_test_lib:close(Server), 4038 ssl_test_lib:close(Client). 4039 4040%%-------------------------------------------------------------------- 4041tls_tcp_error_propagation_in_active_mode() -> 4042 [{doc,"Test that process recives {ssl_error, Socket, closed} when tcp error ocurres"}]. 4043tls_tcp_error_propagation_in_active_mode(Config) when is_list(Config) -> 4044 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4045 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4046 4047 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4048 4049 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4050 {from, self()}, 4051 {mfa, {ssl_test_lib, no_result, []}}, 4052 {options, ServerOpts}]), 4053 Port = ssl_test_lib:inet_port(Server), 4054 {Client, #sslsocket{pid=[Pid|_]} = SslSocket} = ssl_test_lib:start_client([return_socket, 4055 {node, ClientNode}, {port, Port}, 4056 {host, Hostname}, 4057 {from, self()}, 4058 {mfa, {?MODULE, receive_msg, []}}, 4059 {options, ClientOpts}]), 4060 4061 {status, _, _, StatusInfo} = sys:get_status(Pid), 4062 [_, _,_, _, Prop] = StatusInfo, 4063 State = ssl_test_lib:state(Prop), 4064 StaticEnv = element(2, State), 4065 Socket = element(11, StaticEnv), 4066 %% Fake tcp error 4067 Pid ! {tcp_error, Socket, etimedout}, 4068 4069 ssl_test_lib:check_result(Client, {ssl_closed, SslSocket}). 4070 4071%%-------------------------------------------------------------------- 4072recv_error_handling() -> 4073 [{doc,"Special case of call error handling"}]. 4074recv_error_handling(Config) when is_list(Config) -> 4075 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4076 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4077 4078 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4079 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4080 {from, self()}, 4081 {mfa, {?MODULE, recv_close, []}}, 4082 {options, [{active, false} | ServerOpts]}]), 4083 Port = ssl_test_lib:inet_port(Server), 4084 {_Client, #sslsocket{} = SslSocket} = ssl_test_lib:start_client([return_socket, 4085 {node, ClientNode}, {port, Port}, 4086 {host, Hostname}, 4087 {from, self()}, 4088 {mfa, {ssl_test_lib, no_result, []}}, 4089 {options, ClientOpts}]), 4090 ssl:close(SslSocket), 4091 ssl_test_lib:check_result(Server, ok). 4092 4093 4094 4095%%-------------------------------------------------------------------- 4096call_in_error_state() -> 4097 [{doc,"Special case of call error handling"}]. 4098call_in_error_state(Config) when is_list(Config) -> 4099 ServerOpts0 = ssl_test_lib:ssl_options(server_opts, Config), 4100 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4101 ServerOpts = [{cacertfile, "foo.pem"} | proplists:delete(cacertfile, ServerOpts0)], 4102 Pid = spawn_link(?MODULE, run_error_server, [[self() | ServerOpts]]), 4103 receive 4104 {Pid, Port} -> 4105 spawn_link(?MODULE, run_client_error, [[Port, ClientOpts]]) 4106 end, 4107 receive 4108 {error, closed} -> 4109 ok; 4110 Other -> 4111 ct:fail(Other) 4112 end. 4113 4114run_client_error([Port, Opts]) -> 4115 ssl:connect("localhost", Port, Opts). 4116 4117run_error_server([ Pid | Opts]) -> 4118 {ok, Listen} = ssl:listen(0, Opts), 4119 {ok,{_, Port}} = ssl:sockname(Listen), 4120 Pid ! {self(), Port}, 4121 {ok, Socket} = ssl:transport_accept(Listen), 4122 Pid ! ssl:controlling_process(Socket, self()). 4123 4124%%-------------------------------------------------------------------- 4125 4126close_in_error_state() -> 4127 [{doc,"Special case of closing socket in error state"}]. 4128close_in_error_state(Config) when is_list(Config) -> 4129 ServerOpts0 = ssl_test_lib:ssl_options(server_opts, Config), 4130 ServerOpts = [{cacertfile, "foo.pem"} | proplists:delete(cacertfile, ServerOpts0)], 4131 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4132 _ = spawn_link(?MODULE, run_error_server_close, [[self() | ServerOpts]]), 4133 receive 4134 {_Pid, Port} -> 4135 spawn_link(?MODULE, run_client_error, [[Port, ClientOpts]]) 4136 end, 4137 receive 4138 ok -> 4139 ok; 4140 Other -> 4141 ct:fail(Other) 4142 end. 4143%%-------------------------------------------------------------------- 4144abuse_transport_accept_socket() -> 4145 [{doc,"Only ssl:handshake and ssl:controlling_process is allowed for transport_accept:sockets"}]. 4146abuse_transport_accept_socket(Config) when is_list(Config) -> 4147 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4148 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4149 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4150 4151 Server = ssl_test_lib:start_server_transport_abuse_socket([{node, ServerNode}, 4152 {port, 0}, 4153 {from, self()}, 4154 {options, ServerOpts}]), 4155 Port = ssl_test_lib:inet_port(Server), 4156 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4157 {host, Hostname}, 4158 {from, self()}, 4159 {mfa, {ssl_test_lib, no_result, []}}, 4160 {options, ClientOpts}]), 4161 ssl_test_lib:check_result(Server, ok), 4162 ssl_test_lib:close(Server), 4163 ssl_test_lib:close(Client). 4164 4165 4166%%-------------------------------------------------------------------- 4167controlling_process_transport_accept_socket() -> 4168 [{doc,"Only ssl:handshake and ssl:controlling_process is allowed for transport_accept:sockets"}]. 4169controlling_process_transport_accept_socket(Config) when is_list(Config) -> 4170 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4171 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4172 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4173 4174 Server = ssl_test_lib:start_server_transport_control([{node, ServerNode}, 4175 {port, 0}, 4176 {from, self()}, 4177 {options, ServerOpts}]), 4178 Port = ssl_test_lib:inet_port(Server), 4179 4180 _Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, 4181 {host, Hostname}, 4182 {from, self()}, 4183 {options, ClientOpts}]), 4184 ssl_test_lib:check_result(Server, ok), 4185 ssl_test_lib:close(Server). 4186 4187%%-------------------------------------------------------------------- 4188run_error_server_close([Pid | Opts]) -> 4189 {ok, Listen} = ssl:listen(0, Opts), 4190 {ok,{_, Port}} = ssl:sockname(Listen), 4191 Pid ! {self(), Port}, 4192 {ok, Socket} = ssl:transport_accept(Listen), 4193 Pid ! ssl:close(Socket). 4194 4195%%-------------------------------------------------------------------- 4196 4197rizzo() -> 4198 [{doc, "Test that there is a 1/n-1-split for non RC4 in 'TLS < 1.1' as it is 4199 vunrable to Rizzo/Dungon attack"}]. 4200 4201rizzo(Config) when is_list(Config) -> 4202 Prop = proplists:get_value(tc_group_properties, Config), 4203 Version = proplists:get_value(name, Prop), 4204 NVersion = ssl_test_lib:protocol_version(Config, tuple), 4205 Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, NVersion), 4206 [{key_exchange, 4207 fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> 4208 true; 4209 (_) -> 4210 false 4211 end}, 4212 {cipher, 4213 fun(rc4_128) -> 4214 false; 4215 (chacha20_poly1305) -> 4216 false; 4217 (_) -> 4218 true 4219 end}]), 4220 4221 run_send_recv_rizzo(Ciphers, Config, Version, 4222 {?MODULE, send_recv_result_active_rizzo, []}). 4223%%-------------------------------------------------------------------- 4224no_rizzo_rc4() -> 4225 [{doc,"Test that there is no 1/n-1-split for RC4 as it is not vunrable to Rizzo/Dungon attack"}]. 4226 4227no_rizzo_rc4(Config) when is_list(Config) -> 4228 Prop = proplists:get_value(tc_group_properties, Config), 4229 Version = proplists:get_value(name, Prop), 4230 NVersion = ssl_test_lib:protocol_version(Config, tuple), 4231 %% Test uses RSA certs 4232 Ciphers = ssl:filter_cipher_suites(ssl_test_lib:rc4_suites(NVersion), 4233 [{key_exchange, 4234 fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> 4235 true; 4236 (_) -> 4237 false 4238 end}]), 4239 run_send_recv_rizzo(Ciphers, Config, Version, 4240 {?MODULE, send_recv_result_active_no_rizzo, []}). 4241 4242rizzo_one_n_minus_one() -> 4243 [{doc,"Test that the 1/n-1-split mitigation of Rizzo/Dungon attack can be explicitly selected"}]. 4244 4245rizzo_one_n_minus_one(Config) when is_list(Config) -> 4246 Prop = proplists:get_value(tc_group_properties, Config), 4247 Version = proplists:get_value(name, Prop), 4248 NVersion = ssl_test_lib:protocol_version(Config, tuple), 4249 Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, NVersion), 4250 [{key_exchange, 4251 fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> 4252 true; 4253 (_) -> 4254 false 4255 end}, 4256 {cipher, 4257 fun(rc4_128) -> 4258 false; 4259 %% TODO: remove this clause when chacha is fixed! 4260 (chacha20_poly1305) -> 4261 false; 4262 (_) -> 4263 true 4264 end}]), 4265 run_send_recv_rizzo(Ciphers, Config, Version, 4266 {?MODULE, send_recv_result_active_rizzo, []}). 4267 4268rizzo_zero_n() -> 4269 [{doc,"Test that the 0/n-split mitigation of Rizzo/Dungon attack can be explicitly selected"}]. 4270 4271rizzo_zero_n(Config) when is_list(Config) -> 4272 Prop = proplists:get_value(tc_group_properties, Config), 4273 Version = proplists:get_value(name, Prop), 4274 NVersion = ssl_test_lib:protocol_version(Config, tuple), 4275 Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(default, NVersion), 4276 [{cipher, 4277 fun(rc4_128) -> 4278 false; 4279 (_) -> 4280 true 4281 end}]), 4282 run_send_recv_rizzo(Ciphers, Config, Version, 4283 {?MODULE, send_recv_result_active_no_rizzo, []}). 4284 4285rizzo_disabled() -> 4286 [{doc,"Test that the mitigation of Rizzo/Dungon attack can be explicitly disabled"}]. 4287 4288rizzo_disabled(Config) when is_list(Config) -> 4289 Prop = proplists:get_value(tc_group_properties, Config), 4290 Version = proplists:get_value(name, Prop), 4291 NVersion = ssl_test_lib:protocol_version(Config, tuple), 4292 Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(default, NVersion), 4293 [{cipher, 4294 fun(rc4_128) -> 4295 false; 4296 (_) -> 4297 true 4298 end}]), 4299 run_send_recv_rizzo(Ciphers, Config, Version, 4300 {?MODULE, send_recv_result_active_no_rizzo, []}). 4301 4302%%-------------------------------------------------------------------- 4303new_server_wants_peer_cert() -> 4304 [{doc, "Test that server configured to do client certification does" 4305 " not reuse session without a client certificate."}]. 4306new_server_wants_peer_cert(Config) when is_list(Config) -> 4307 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4308 VServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true} 4309 | ssl_test_lib:ssl_options(server_verification_opts, Config)], 4310 ClientOpts = ssl_test_lib:ssl_options(client_verification_opts, Config), 4311 4312 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4313 4314 Server = 4315 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4316 {from, self()}, 4317 {mfa, {?MODULE, peercert_result, []}}, 4318 {options, [ServerOpts]}]), 4319 Port = ssl_test_lib:inet_port(Server), 4320 Client = 4321 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4322 {host, Hostname}, 4323 {from, self()}, 4324 {mfa, {ssl_test_lib, no_result, []}}, 4325 {options, ClientOpts}]), 4326 4327 Monitor = erlang:monitor(process, Server), 4328 ssl_test_lib:close(Server), 4329 ssl_test_lib:close(Client), 4330 receive 4331 {'DOWN', Monitor, _, _, _} -> 4332 ok 4333 end, 4334 4335 Server1 = ssl_test_lib:start_server([{node, ServerNode}, {port, Port}, 4336 {from, self()}, 4337 {mfa, {?MODULE, peercert_result, []}}, 4338 {options, VServerOpts}]), 4339 Client1 = 4340 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4341 {host, Hostname}, 4342 {from, self()}, 4343 {mfa, {ssl_test_lib, no_result, []}}, 4344 {options, [ClientOpts]}]), 4345 4346 CertFile = proplists:get_value(certfile, ClientOpts), 4347 [{'Certificate', BinCert, _}]= ssl_test_lib:pem_to_der(CertFile), 4348 4349 ServerMsg = {error, no_peercert}, 4350 Sever1Msg = {ok, BinCert}, 4351 4352 ssl_test_lib:check_result(Server, ServerMsg, Server1, Sever1Msg), 4353 4354 ssl_test_lib:close(Server1), 4355 ssl_test_lib:close(Client), 4356 ssl_test_lib:close(Client1). 4357 4358%%-------------------------------------------------------------------- 4359session_cache_process_list() -> 4360 [{doc,"Test reuse of sessions (short handshake)"}]. 4361session_cache_process_list(Config) when is_list(Config) -> 4362 session_cache_process(list,Config). 4363%%-------------------------------------------------------------------- 4364session_cache_process_mnesia() -> 4365 [{doc,"Test reuse of sessions (short handshake)"}]. 4366session_cache_process_mnesia(Config) when is_list(Config) -> 4367 session_cache_process(mnesia,Config). 4368 4369%%-------------------------------------------------------------------- 4370 4371tls_versions_option() -> 4372 [{doc,"Test API versions option to connect/listen."}]. 4373tls_versions_option(Config) when is_list(Config) -> 4374 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4375 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4376 4377 Supported = proplists:get_value(supported, ssl:versions()), 4378 Available = proplists:get_value(available, ssl:versions()), 4379 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4380 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4381 {from, self()}, 4382 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4383 {options, [{versions, Supported} | ServerOpts]}]), 4384 Port = ssl_test_lib:inet_port(Server), 4385 4386 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4387 {host, Hostname}, 4388 {from, self()}, 4389 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4390 {options, ClientOpts}]), 4391 4392 ssl_test_lib:check_result(Server, ok, Client, ok), 4393 Server ! listen, 4394 4395 ErrClient = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port}, 4396 {host, Hostname}, 4397 {from, self()}, 4398 {options, [{versions , Available -- Supported} | ClientOpts]}]), 4399 receive 4400 {Server, _} -> 4401 ok 4402 end, 4403 ssl_test_lib:check_client_alert(ErrClient, protocol_version). 4404 4405 4406%%-------------------------------------------------------------------- 4407unordered_protocol_versions_server() -> 4408 [{doc,"Test that the highest protocol is selected even" 4409 " when it is not first in the versions list."}]. 4410 4411unordered_protocol_versions_server(Config) when is_list(Config) -> 4412 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4413 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4414 4415 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4416 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4417 {from, self()}, 4418 {mfa, {?MODULE, protocol_info_result, []}}, 4419 {options, [{versions, ['tlsv1.1', 'tlsv1.2']} | ServerOpts]}]), 4420 Port = ssl_test_lib:inet_port(Server), 4421 4422 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4423 {host, Hostname}, 4424 {from, self()}, 4425 {mfa, {?MODULE, protocol_info_result, []}}, 4426 {options, ClientOpts}]), 4427 4428 ServerMsg = ClientMsg = {ok,'tlsv1.2'}, 4429 ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg). 4430 4431%%-------------------------------------------------------------------- 4432unordered_protocol_versions_client() -> 4433 [{doc,"Test that the highest protocol is selected even" 4434 " when it is not first in the versions list."}]. 4435 4436unordered_protocol_versions_client(Config) when is_list(Config) -> 4437 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4438 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4439 4440 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4441 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4442 {from, self()}, 4443 {mfa, {?MODULE, protocol_info_result, []}}, 4444 {options, ServerOpts }]), 4445 Port = ssl_test_lib:inet_port(Server), 4446 4447 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4448 {host, Hostname}, 4449 {from, self()}, 4450 {mfa, {?MODULE, protocol_info_result, []}}, 4451 {options, [{versions, ['tlsv1.1', 'tlsv1.2']} | ClientOpts]}]), 4452 4453 ServerMsg = ClientMsg = {ok, 'tlsv1.2'}, 4454 ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg). 4455 4456%%-------------------------------------------------------------------- 4457max_handshake_size() -> 4458 [{doc,"Test that we can set max_handshake_size to max value."}]. 4459 4460max_handshake_size(Config) when is_list(Config) -> 4461 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4462 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4463 4464 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4465 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4466 {from, self()}, 4467 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4468 {options, [{max_handshake_size, 8388607} |ServerOpts]}]), 4469 Port = ssl_test_lib:inet_port(Server), 4470 4471 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4472 {host, Hostname}, 4473 {from, self()}, 4474 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4475 {options, [{max_handshake_size, 8388607} | ClientOpts]}]), 4476 4477 ssl_test_lib:check_result(Server, ok, Client, ok). 4478 4479%%-------------------------------------------------------------------- 4480 4481server_name_indication_option() -> 4482 [{doc,"Test API server_name_indication option to connect."}]. 4483server_name_indication_option(Config) when is_list(Config) -> 4484 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4485 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4486 4487 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4488 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4489 {from, self()}, 4490 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4491 {options, ServerOpts}]), 4492 Port = ssl_test_lib:inet_port(Server), 4493 4494 Client0 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4495 {host, Hostname}, 4496 {from, self()}, 4497 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4498 {options, 4499 [{server_name_indication, disable} | 4500 ClientOpts]} 4501 ]), 4502 4503 ssl_test_lib:check_result(Server, ok, Client0, ok), 4504 Server ! listen, 4505 4506 Client1 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4507 {host, Hostname}, 4508 {from, self()}, 4509 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4510 {options, 4511 [{server_name_indication, Hostname} | ClientOpts] 4512 }]), 4513 ssl_test_lib:check_result(Server, ok, Client1, ok), 4514 ssl_test_lib:close(Server), 4515 ssl_test_lib:close(Client0), 4516 ssl_test_lib:close(Client1). 4517%%-------------------------------------------------------------------- 4518 4519accept_pool() -> 4520 [{doc,"Test having an accept pool."}]. 4521accept_pool(Config) when is_list(Config) -> 4522 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4523 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4524 4525 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4526 Server0 = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4527 {from, self()}, 4528 {accepters, 3}, 4529 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4530 {options, ServerOpts}]), 4531 Port = ssl_test_lib:inet_port(Server0), 4532 [Server1, Server2] = ssl_test_lib:accepters(2), 4533 4534 Client0 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4535 {host, Hostname}, 4536 {from, self()}, 4537 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4538 {options, ClientOpts} 4539 ]), 4540 4541 Client1 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4542 {host, Hostname}, 4543 {from, self()}, 4544 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4545 {options, ClientOpts} 4546 ]), 4547 4548 Client2 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4549 {host, Hostname}, 4550 {from, self()}, 4551 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4552 {options, ClientOpts} 4553 ]), 4554 4555 ssl_test_lib:check_ok([Server0, Server1, Server2, Client0, Client1, Client2]), 4556 4557 ssl_test_lib:close(Server0), 4558 ssl_test_lib:close(Server1), 4559 ssl_test_lib:close(Server2), 4560 ssl_test_lib:close(Client0), 4561 ssl_test_lib:close(Client1), 4562 ssl_test_lib:close(Client2). 4563 4564 4565%%-------------------------------------------------------------------- 4566%% Internal functions ------------------------------------------------ 4567%%-------------------------------------------------------------------- 4568send_recv_result(Socket) -> 4569 ssl:send(Socket, "Hello world"), 4570 {ok,"Hello world"} = ssl:recv(Socket, 11), 4571 ok. 4572tcp_send_recv_result(Socket) -> 4573 gen_tcp:send(Socket, "Hello world"), 4574 {ok,"Hello world"} = gen_tcp:recv(Socket, 11), 4575 ok. 4576 4577basic_verify_test_no_close(Config) -> 4578 ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 4579 ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), 4580 4581 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4582 4583 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4584 {from, self()}, 4585 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4586 {options, ServerOpts}]), 4587 Port = ssl_test_lib:inet_port(Server), 4588 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4589 {host, Hostname}, 4590 {from, self()}, 4591 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4592 {options, ClientOpts}]), 4593 4594 ssl_test_lib:check_result(Server, ok, Client, ok), 4595 {Server, Client}. 4596 4597basic_test(Config) -> 4598 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 4599 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 4600 4601 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4602 4603 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 4604 {from, self()}, 4605 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4606 {options, ServerOpts}]), 4607 Port = ssl_test_lib:inet_port(Server), 4608 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 4609 {host, Hostname}, 4610 {from, self()}, 4611 {mfa, {ssl_test_lib, send_recv_result_active, []}}, 4612 {options, ClientOpts}]), 4613 4614 ssl_test_lib:check_result(Server, ok, Client, ok), 4615 ssl_test_lib:close(Server), 4616 ssl_test_lib:close(Client). 4617 4618prf_create_plan(TlsVersions, PRFs, Results) -> 4619 lists:foldl(fun(Ver, Acc) -> 4620 A = prf_ciphers_and_expected(Ver, PRFs, Results), 4621 [A|Acc] 4622 end, [], TlsVersions). 4623prf_ciphers_and_expected(TlsVer, PRFs, Results) -> 4624 case TlsVer of 4625 TlsVer when TlsVer == sslv3 orelse TlsVer == tlsv1 4626 orelse TlsVer == 'tlsv1.1' orelse TlsVer == 'dtlsv1' -> 4627 Ciphers = ssl:cipher_suites(), 4628 {_, Expected} = lists:keyfind(md5sha, 1, Results), 4629 [[{tls_ver, TlsVer}, {ciphers, Ciphers}, {expected, Expected}, {prf, md5sha}]]; 4630 TlsVer when TlsVer == 'tlsv1.2' orelse TlsVer == 'dtlsv1.2'-> 4631 lists:foldl( 4632 fun(PRF, Acc) -> 4633 Ciphers = prf_get_ciphers(TlsVer, PRF), 4634 case Ciphers of 4635 [] -> 4636 ct:log("No ciphers for PRF algorithm ~p. Skipping.", [PRF]), 4637 Acc; 4638 Ciphers -> 4639 {_, Expected} = lists:keyfind(PRF, 1, Results), 4640 [[{tls_ver, TlsVer}, {ciphers, Ciphers}, {expected, Expected}, 4641 {prf, PRF}] | Acc] 4642 end 4643 end, [], PRFs) 4644 end. 4645prf_get_ciphers(_, PRF) -> 4646 lists:filter( 4647 fun(C) when tuple_size(C) == 4 andalso 4648 element(4, C) == PRF -> 4649 true; 4650 (_) -> 4651 false 4652 end, 4653 ssl:cipher_suites()). 4654prf_run_test(_, TlsVer, [], _, Prf) -> 4655 ct:fail({error, cipher_list_empty, TlsVer, Prf}); 4656prf_run_test(Config, TlsVer, Ciphers, Expected, Prf) -> 4657 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 4658 BaseOpts = [{active, true}, {versions, [TlsVer]}, {ciphers, Ciphers}, {protocol, tls_or_dtls(TlsVer)}], 4659 ServerOpts = BaseOpts ++ proplists:get_value(server_opts, Config), 4660 ClientOpts = BaseOpts ++ proplists:get_value(client_opts, Config), 4661 Server = ssl_test_lib:start_server( 4662 [{node, ServerNode}, {port, 0}, {from, self()}, 4663 {mfa, {?MODULE, prf_verify_value, [TlsVer, Expected, Prf]}}, 4664 {options, ServerOpts}]), 4665 Port = ssl_test_lib:inet_port(Server), 4666 Client = ssl_test_lib:start_client( 4667 [{node, ClientNode}, {port, Port}, 4668 {host, Hostname}, {from, self()}, 4669 {mfa, {?MODULE, prf_verify_value, [TlsVer, Expected, Prf]}}, 4670 {options, ClientOpts}]), 4671 ssl_test_lib:check_result(Server, ok, Client, ok), 4672 ssl_test_lib:close(Server), 4673 ssl_test_lib:close(Client). 4674prf_verify_value(Socket, TlsVer, Expected, Algo) -> 4675 Ret = ssl:prf(Socket, <<>>, <<>>, [<<>>], 16), 4676 case TlsVer of 4677 sslv3 -> 4678 case Ret of 4679 {error, undefined} -> ok; 4680 _ -> 4681 {error, {expected, {error, undefined}, 4682 got, Ret, tls_ver, TlsVer, prf_algorithm, Algo}} 4683 end; 4684 _ -> 4685 case Ret of 4686 {ok, Expected} -> ok; 4687 {ok, Val} -> {error, {expected, Expected, got, Val, tls_ver, TlsVer, 4688 prf_algorithm, Algo}} 4689 end 4690 end. 4691 4692send_recv_result_timeout_client(Socket) -> 4693 {error, timeout} = ssl:recv(Socket, 11, 500), 4694 {error, timeout} = ssl:recv(Socket, 11, 0), 4695 ssl:send(Socket, "Hello world"), 4696 receive 4697 Msg -> 4698 io:format("Msg ~p~n",[Msg]) 4699 after 500 -> 4700 ok 4701 end, 4702 {ok, "Hello world"} = ssl:recv(Socket, 11, 500), 4703 ok. 4704send_recv_result_timeout_server(Socket) -> 4705 ssl:send(Socket, "Hello"), 4706 {ok, "Hello world"} = ssl:recv(Socket, 11), 4707 ssl:send(Socket, " world"), 4708 ok. 4709 4710recv_close(Socket) -> 4711 {error, closed} = ssl:recv(Socket, 11), 4712 receive 4713 {_,{error,closed}} -> 4714 error_extra_close_sent_to_user_process 4715 after 500 -> 4716 ok 4717 end. 4718 4719 4720send_recv_result_active_rizzo(Socket) -> 4721 ssl:send(Socket, "Hello world"), 4722 "Hello world" = ssl_test_lib:active_recv(Socket, 11), 4723 ok. 4724 4725send_recv_result_active_no_rizzo(Socket) -> 4726 ssl:send(Socket, "Hello world"), 4727 "Hello world" = ssl_test_lib:active_recv(Socket, 11), 4728 ok. 4729 4730 4731ssl_active_recv(N) -> 4732 ssl_active_recv(N, []). 4733 4734ssl_active_recv(0, Acc) -> 4735 Acc; 4736ssl_active_recv(N, Acc) -> 4737 receive 4738 {ssl, _, Bytes} -> 4739 ssl_active_recv(N-length(Bytes), Acc ++ Bytes) 4740 end. 4741 4742result_ok(_Socket) -> 4743 ok. 4744 4745renegotiate(Socket, Data) -> 4746 ct:log("Renegotiating ~n", []), 4747 Result = ssl:renegotiate(Socket), 4748 ct:log("Result ~p~n", [Result]), 4749 ssl:send(Socket, Data), 4750 case Result of 4751 ok -> 4752 ok; 4753 Other -> 4754 Other 4755 end. 4756 4757renegotiate_reuse_session(Socket, Data) -> 4758 %% Make sure session is registered 4759 ct:sleep(?SLEEP), 4760 renegotiate(Socket, Data). 4761 4762renegotiate_immediately(Socket) -> 4763 _ = ssl_test_lib:active_recv(Socket, 11), 4764 ok = ssl:renegotiate(Socket), 4765 {error, renegotiation_rejected} = ssl:renegotiate(Socket), 4766 ct:sleep(?RENEGOTIATION_DISABLE_TIME + ?SLEEP), 4767 ok = ssl:renegotiate(Socket), 4768 ct:log("Renegotiated again"), 4769 ssl:send(Socket, "Hello world"), 4770 ok. 4771 4772renegotiate_rejected(Socket) -> 4773 _ = ssl_test_lib:active_recv(Socket, 11), 4774 {error, renegotiation_rejected} = ssl:renegotiate(Socket), 4775 {error, renegotiation_rejected} = ssl:renegotiate(Socket), 4776 ct:sleep(?RENEGOTIATION_DISABLE_TIME +1), 4777 {error, renegotiation_rejected} = ssl:renegotiate(Socket), 4778 ct:log("Failed to renegotiate again"), 4779 ssl:send(Socket, "Hello world"), 4780 ok. 4781 4782rizzo_add_mitigation_option(Value, Config) -> 4783 lists:foldl(fun(Opt, Acc) -> 4784 case proplists:get_value(Opt, Acc) of 4785 undefined -> Acc; 4786 C -> 4787 N = lists:keystore(beast_mitigation, 1, C, 4788 {beast_mitigation, Value}), 4789 lists:keystore(Opt, 1, Acc, {Opt, N}) 4790 end 4791 end, Config, 4792 [client_opts, client_dsa_opts, server_opts, server_dsa_opts, 4793 server_ecdsa_opts, server_ecdh_rsa_opts]). 4794 4795new_config(PrivDir, ServerOpts0) -> 4796 CaCertFile = proplists:get_value(cacertfile, ServerOpts0), 4797 CertFile = proplists:get_value(certfile, ServerOpts0), 4798 KeyFile = proplists:get_value(keyfile, ServerOpts0), 4799 NewCaCertFile = filename:join(PrivDir, "new_ca.pem"), 4800 NewCertFile = filename:join(PrivDir, "new_cert.pem"), 4801 NewKeyFile = filename:join(PrivDir, "new_key.pem"), 4802 file:copy(CaCertFile, NewCaCertFile), 4803 file:copy(CertFile, NewCertFile), 4804 file:copy(KeyFile, NewKeyFile), 4805 ServerOpts1 = proplists:delete(cacertfile, ServerOpts0), 4806 ServerOpts2 = proplists:delete(certfile, ServerOpts1), 4807 ServerOpts = proplists:delete(keyfile, ServerOpts2), 4808 4809 {ok, PEM} = file:read_file(NewCaCertFile), 4810 ct:log("CA file content: ~p~n", [public_key:pem_decode(PEM)]), 4811 4812 [{cacertfile, NewCaCertFile}, {certfile, NewCertFile}, 4813 {keyfile, NewKeyFile} | ServerOpts]. 4814 4815session_cache_process(_Type,Config) when is_list(Config) -> 4816 reuse_session(Config). 4817 4818init([Type]) -> 4819 ets:new(ssl_test, [named_table, public, set]), 4820 ets:insert(ssl_test, {type, Type}), 4821 case Type of 4822 list -> 4823 spawn(fun() -> session_loop([]) end); 4824 mnesia -> 4825 mnesia:start(), 4826 {atomic,ok} = mnesia:create_table(sess_cache, []), 4827 sess_cache 4828 end. 4829 4830session_cb() -> 4831 [{type, Type}] = ets:lookup(ssl_test, type), 4832 Type. 4833 4834terminate(Cache) -> 4835 case session_cb() of 4836 list -> 4837 Cache ! terminate; 4838 mnesia -> 4839 catch {atomic,ok} = 4840 mnesia:delete_table(sess_cache) 4841 end. 4842 4843lookup(Cache, Key) -> 4844 case session_cb() of 4845 list -> 4846 Cache ! {self(), lookup, Key}, 4847 receive {Cache, Res} -> Res end; 4848 mnesia -> 4849 case mnesia:transaction(fun() -> 4850 mnesia:read(sess_cache, 4851 Key, read) 4852 end) of 4853 {atomic, [{sess_cache, Key, Value}]} -> 4854 Value; 4855 _ -> 4856 undefined 4857 end 4858 end. 4859 4860update(Cache, Key, Value) -> 4861 case session_cb() of 4862 list -> 4863 Cache ! {update, Key, Value}; 4864 mnesia -> 4865 {atomic, ok} = 4866 mnesia:transaction(fun() -> 4867 mnesia:write(sess_cache, 4868 {sess_cache, Key, Value}, write) 4869 end) 4870 end. 4871 4872delete(Cache, Key) -> 4873 case session_cb() of 4874 list -> 4875 Cache ! {delete, Key}; 4876 mnesia -> 4877 {atomic, ok} = 4878 mnesia:transaction(fun() -> 4879 mnesia:delete(sess_cache, Key) 4880 end) 4881 end. 4882 4883foldl(Fun, Acc, Cache) -> 4884 case session_cb() of 4885 list -> 4886 Cache ! {self(),foldl,Fun,Acc}, 4887 receive {Cache, Res} -> Res end; 4888 mnesia -> 4889 Foldl = fun() -> 4890 mnesia:foldl(Fun, Acc, sess_cache) 4891 end, 4892 {atomic, Res} = mnesia:transaction(Foldl), 4893 Res 4894 end. 4895 4896select_session(Cache, PartialKey) -> 4897 case session_cb() of 4898 list -> 4899 Cache ! {self(),select_session, PartialKey}, 4900 receive 4901 {Cache, Res} -> 4902 Res 4903 end; 4904 mnesia -> 4905 Sel = fun() -> 4906 mnesia:select(Cache, 4907 [{{sess_cache,{PartialKey,'$1'}, '$2'}, 4908 [],['$$']}]) 4909 end, 4910 {atomic, Res} = mnesia:transaction(Sel), 4911 Res 4912 end. 4913 4914session_loop(Sess) -> 4915 receive 4916 terminate -> 4917 ok; 4918 {Pid, lookup, Key} -> 4919 case lists:keysearch(Key,1,Sess) of 4920 {value, {Key,Value}} -> 4921 Pid ! {self(), Value}; 4922 _ -> 4923 Pid ! {self(), undefined} 4924 end, 4925 session_loop(Sess); 4926 {update, Key, Value} -> 4927 NewSess = [{Key,Value}| lists:keydelete(Key,1,Sess)], 4928 session_loop(NewSess); 4929 {delete, Key} -> 4930 session_loop(lists:keydelete(Key,1,Sess)); 4931 {Pid,foldl,Fun,Acc} -> 4932 Res = lists:foldl(Fun, Acc,Sess), 4933 Pid ! {self(), Res}, 4934 session_loop(Sess); 4935 {Pid,select_session,PKey} -> 4936 Sel = fun({{PKey0, Id},Session}, Acc) when PKey == PKey0 -> 4937 [[Id, Session]|Acc]; 4938 (_,Acc) -> 4939 Acc 4940 end, 4941 Sessions = lists:foldl(Sel, [], Sess), 4942 Pid ! {self(), Sessions}, 4943 session_loop(Sess) 4944 end. 4945 4946 4947erlang_ssl_receive(Socket, Data) -> 4948 case ssl_test_lib:active_recv(Socket, length(Data)) of 4949 Data -> 4950 ok; 4951 Other -> 4952 ct:fail({{expected, Data}, {got, Other}}) 4953 end. 4954 4955receive_msg(_) -> 4956 receive 4957 Msg -> 4958 Msg 4959 end. 4960 4961controlling_process_result(Socket, Pid, Msg) -> 4962 ok = ssl:controlling_process(Socket, Pid), 4963 %% Make sure other side has evaluated controlling_process 4964 %% before message is sent 4965 ct:sleep(?SLEEP), 4966 ssl:send(Socket, Msg), 4967 no_result_msg. 4968 4969 4970controller_dies_result(_Socket, _Pid, _Msg) -> 4971 receive Result -> Result end. 4972 4973get_close(Pid, Where) -> 4974 receive 4975 {'EXIT', Pid, _Reason} -> 4976 receive 4977 {_, {ssl_closed, Socket}} -> 4978 ct:log("Socket closed ~p~n",[Socket]); 4979 Unexpected -> 4980 ct:log("Unexpected ~p~n",[Unexpected]), 4981 ct:fail({line, ?LINE-1}) 4982 after 5000 -> 4983 ct:fail({timeout, {line, ?LINE, Where}}) 4984 end; 4985 Unexpected -> 4986 ct:log("Unexpected ~p~n",[Unexpected]), 4987 ct:fail({line, ?LINE-1}) 4988 after 5000 -> 4989 ct:fail({timeout, {line, ?LINE, Where}}) 4990 end. 4991 4992run_send_recv_rizzo(Ciphers, Config, Version, Mfa) -> 4993 Result = lists:map(fun(Cipher) -> 4994 rizzo_test(Cipher, Config, Version, Mfa) end, 4995 Ciphers), 4996 case lists:flatten(Result) of 4997 [] -> 4998 ok; 4999 Error -> 5000 ct:log("Cipher suite errors: ~p~n", [Error]), 5001 ct:fail(cipher_suite_failed_see_test_case_log) 5002 end. 5003 5004rizzo_test(Cipher, Config, Version, Mfa) -> 5005 {ClientOpts, ServerOpts} = client_server_opts(Cipher, Config), 5006 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 5007 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 5008 {from, self()}, 5009 {mfa, Mfa}, 5010 {options, [{active, true}, {ciphers, [Cipher]}, 5011 {versions, [Version]} 5012 | ServerOpts]}]), 5013 Port = ssl_test_lib:inet_port(Server), 5014 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 5015 {host, Hostname}, 5016 {from, self()}, 5017 {mfa, Mfa}, 5018 {options, [{active, true}, {ciphers, [Cipher]}| ClientOpts]}]), 5019 5020 Result = ssl_test_lib:check_result(Server, ok, Client, ok), 5021 ssl_test_lib:close(Server), 5022 ssl_test_lib:close(Client), 5023 case Result of 5024 ok -> 5025 []; 5026 Error -> 5027 [{Cipher, Error}] 5028 end. 5029 5030client_server_opts(#{key_exchange := KeyAlgo}, Config) 5031 when KeyAlgo == rsa orelse 5032 KeyAlgo == dhe_rsa orelse 5033 KeyAlgo == ecdhe_rsa orelse 5034 KeyAlgo == rsa_psk orelse 5035 KeyAlgo == srp_rsa -> 5036 {ssl_test_lib:ssl_options(client_opts, Config), 5037 ssl_test_lib:ssl_options(server_opts, Config)}; 5038client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == dss orelse KeyAlgo == dhe_dss -> 5039 {ssl_test_lib:ssl_options(client_dsa_opts, Config), 5040 ssl_test_lib:ssl_options(server_dsa_opts, Config)}; 5041client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == ecdh_ecdsa orelse KeyAlgo == ecdhe_ecdsa -> 5042 {ssl_test_lib:ssl_options(client_opts, Config), 5043 ssl_test_lib:ssl_options(server_ecdsa_opts, Config)}; 5044client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == ecdh_rsa -> 5045 {ssl_test_lib:ssl_options(client_opts, Config), 5046 ssl_test_lib:ssl_options(server_ecdh_rsa_opts, Config)}. 5047 5048run_suites(Ciphers, Config, Type) -> 5049 Version = ssl_test_lib:protocol_version(Config), 5050 ct:log("Running cipher suites ~p~n", [Ciphers]), 5051 {ClientOpts, ServerOpts} = 5052 case Type of 5053 rsa -> 5054 {ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 5055 [{ciphers, Ciphers} | 5056 ssl_test_lib:ssl_options(server_rsa_opts, Config)]}; 5057 dsa -> 5058 {ssl_test_lib:ssl_options(client_dsa_verify_opts, Config), 5059 [{ciphers, Ciphers} | 5060 ssl_test_lib:ssl_options(server_dsa_opts, Config)]}; 5061 anonymous -> 5062 %% No certs in opts! 5063 {ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 5064 [{ciphers, Ciphers} | 5065 ssl_test_lib:ssl_options([], Config)]}; 5066 psk -> 5067 {ssl_test_lib:ssl_options(client_psk, Config), 5068 [{ciphers, Ciphers} | 5069 ssl_test_lib:ssl_options(server_psk, Config)]}; 5070 psk_with_hint -> 5071 {ssl_test_lib:ssl_options(client_psk, Config), 5072 [{ciphers, Ciphers} | 5073 ssl_test_lib:ssl_options(server_psk_hint, Config) 5074 ]}; 5075 psk_anon -> 5076 {ssl_test_lib:ssl_options(client_psk, Config), 5077 [{ciphers, Ciphers} | 5078 ssl_test_lib:ssl_options(server_psk_anon, Config)]}; 5079 psk_anon_with_hint -> 5080 {ssl_test_lib:ssl_options(client_psk, Config), 5081 [{ciphers, Ciphers} | 5082 ssl_test_lib:ssl_options(server_psk_anon_hint, Config)]}; 5083 srp -> 5084 {ssl_test_lib:ssl_options(client_srp, Config), 5085 [{ciphers, Ciphers} | 5086 ssl_test_lib:ssl_options(server_srp, Config)]}; 5087 srp_anon -> 5088 {ssl_test_lib:ssl_options(client_srp, Config), 5089 [{ciphers, Ciphers} | 5090 ssl_test_lib:ssl_options(server_srp_anon, Config)]}; 5091 srp_dsa -> 5092 {ssl_test_lib:ssl_options(client_srp_dsa, Config), 5093 [{ciphers, Ciphers} | 5094 ssl_test_lib:ssl_options(server_srp_dsa, Config)]}; 5095 ecdsa -> 5096 {ssl_test_lib:ssl_options(client_ecdsa_opts, Config), 5097 [{ciphers, Ciphers} | 5098 ssl_test_lib:ssl_options(server_ecdsa_opts, Config)]}; 5099 ecdh_rsa -> 5100 {ssl_test_lib:ssl_options(client_ecdh_rsa_opts, Config), 5101 [{ciphers, Ciphers} | 5102 ssl_test_lib:ssl_options(server_ecdh_rsa_opts, Config)]}; 5103 rc4_rsa -> 5104 {ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 5105 [{ciphers, Ciphers} | 5106 ssl_test_lib:ssl_options(server_rsa_verify_opts, Config)]}; 5107 rc4_ecdh_rsa -> 5108 {ssl_test_lib:ssl_options(client_ecdh_rsa_opts, Config), 5109 [{ciphers, Ciphers} | 5110 ssl_test_lib:ssl_options(server_ecdh_rsa_opts, Config)]}; 5111 rc4_ecdsa -> 5112 {ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 5113 [{ciphers, Ciphers} | 5114 ssl_test_lib:ssl_options(server_ecdsa_opts, Config)]}; 5115 des_dhe_rsa -> 5116 {ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 5117 [{ciphers, Ciphers} | 5118 ssl_test_lib:ssl_options(server_verification_opts, Config)]}; 5119 des_rsa -> 5120 {ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 5121 [{ciphers, Ciphers} | 5122 ssl_test_lib:ssl_options(server_rsa_verify_opts, Config)]}; 5123 chacha_rsa -> 5124 {ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), 5125 [{ciphers, Ciphers} | 5126 ssl_test_lib:ssl_options(server_rsa_verify_opts, Config)]}; 5127 chacha_ecdsa -> 5128 {ssl_test_lib:ssl_options(client_ecdsa_opts, Config), 5129 [{ciphers, Ciphers} | 5130 ssl_test_lib:ssl_options(server_ecdsa_opts, Config)]} 5131 end, 5132 Suites = ssl_test_lib:filter_suites(Ciphers, Version), 5133 ct:pal("ssl_test_lib:filter_suites(~p ~p) -> ~p ", [Ciphers, Version, Suites]), 5134 Results0 = lists:map(fun(Cipher) -> 5135 cipher(Cipher, Version, Config, ClientOpts, ServerOpts) end, 5136 ssl_test_lib:filter_suites(Ciphers, Version)), 5137 Results = lists:flatten(Results0), 5138 true = length(Results) == length(Suites), 5139 check_cipher_result(Results). 5140 5141check_cipher_result([]) -> 5142 ok; 5143check_cipher_result([ok | Rest]) -> 5144 check_cipher_result(Rest); 5145check_cipher_result([_ |_] = Error) -> 5146 ct:fail(Error). 5147 5148erlang_cipher_suite(Suite) when is_list(Suite)-> 5149 ssl_cipher_format:suite_definition(ssl_cipher_format:openssl_suite(Suite)); 5150erlang_cipher_suite(Suite) -> 5151 Suite. 5152 5153cipher(CipherSuite, Version, Config, ClientOpts, ServerOpts) -> 5154 %% process_flag(trap_exit, true), 5155 ct:log("Testing CipherSuite ~p~n", [CipherSuite]), 5156 ct:log("Server Opts ~p~n", [ServerOpts]), 5157 ct:log("Client Opts ~p~n", [ClientOpts]), 5158 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 5159 5160 ErlangCipherSuite = erlang_cipher_suite(CipherSuite), 5161 5162 ConnectionInfo = {ok, {Version, ErlangCipherSuite}}, 5163 5164 Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 5165 {from, self()}, 5166 {mfa, {ssl_test_lib, cipher_result, [ConnectionInfo]}}, 5167 {options, ServerOpts}]), 5168 Port = ssl_test_lib:inet_port(Server), 5169 Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 5170 {host, Hostname}, 5171 {from, self()}, 5172 {mfa, {ssl_test_lib, cipher_result, [ConnectionInfo]}}, 5173 {options, 5174 [{ciphers,[CipherSuite]} | 5175 ClientOpts]}]), 5176 5177 Result = ssl_test_lib:wait_for_result(Server, ok, Client, ok), 5178 5179 ssl_test_lib:close(Server), 5180 ssl_test_lib:close(Client), 5181 5182 case Result of 5183 ok -> 5184 [ok]; 5185 Error -> 5186 [{ErlangCipherSuite, Error}] 5187 end. 5188 5189connection_information_result(Socket) -> 5190 {ok, Info = [_ | _]} = ssl:connection_information(Socket), 5191 case length(Info) > 3 of 5192 true -> 5193 %% Atleast one ssl_option() is set 5194 ct:log("Info ~p", [Info]), 5195 ok; 5196 false -> 5197 ct:fail(no_ssl_options_returned) 5198 end. 5199 5200connection_info_result(Socket) -> 5201 {ok, Info} = ssl:connection_information(Socket, [protocol, selected_cipher_suite]), 5202 {ok, {proplists:get_value(protocol, Info), proplists:get_value(selected_cipher_suite, Info)}}. 5203 5204protocol_info_result(Socket) -> 5205 {ok, [{protocol, PVersion}]} = ssl:connection_information(Socket, [protocol]), 5206 {ok, PVersion}. 5207 5208version_info_result(Socket) -> 5209 {ok, [{version, Version}]} = ssl:connection_information(Socket, [version]), 5210 {ok, Version}. 5211 5212secret_connection_info_result(Socket) -> 5213 {ok, [{client_random, ClientRand}, {server_random, ServerRand}, {master_secret, MasterSecret}]} 5214 = ssl:connection_information(Socket, [client_random, server_random, master_secret]), 5215 is_binary(ClientRand) andalso is_binary(ServerRand) andalso is_binary(MasterSecret). 5216 5217connect_dist_s(S) -> 5218 Msg = term_to_binary({erlang,term}), 5219 ok = ssl:send(S, Msg). 5220 5221connect_dist_c(S) -> 5222 Test = binary_to_list(term_to_binary({erlang,term})), 5223 {ok, Test} = ssl:recv(S, 0, 10000), 5224 ok. 5225 5226tls_downgrade_result(Socket, Pid) -> 5227 ok = ssl_test_lib:send_recv_result(Socket), 5228 Pid ! {self(), ready}, 5229 receive 5230 go -> 5231 ok 5232 end, 5233 case ssl:close(Socket, {self(), 10000}) of 5234 {ok, TCPSocket} -> 5235 inet:setopts(TCPSocket, [{active, true}]), 5236 gen_tcp:send(TCPSocket, "Downgraded"), 5237 receive 5238 {tcp, TCPSocket, <<"Downgraded">>} -> 5239 ok; 5240 {tcp_closed, TCPSocket} -> 5241 ct:fail("Peer timed out, downgrade aborted"), 5242 ok; 5243 Other -> 5244 {error, Other} 5245 end; 5246 {error, timeout} -> 5247 ct:fail("Timed out, downgrade aborted"), 5248 ok; 5249 Fail -> 5250 {error, Fail} 5251 end. 5252 5253tls_close(Socket) -> 5254 ok = ssl_test_lib:send_recv_result(Socket), 5255 case ssl:close(Socket, 5000) of 5256 ok -> 5257 ok; 5258 {error, closed} -> 5259 ok; 5260 Other -> 5261 ct:fail(Other) 5262 end. 5263 5264 %% First two clauses handles 1/n-1 splitting countermeasure Rizzo/Duong-Beast 5265treashold(N, {3,0}) -> 5266 (N div 2) + 1; 5267treashold(N, {3,1}) -> 5268 (N div 2) + 1; 5269treashold(N, _) -> 5270 N + 1. 5271 5272get_invalid_inet_option(Socket) -> 5273 {error, {options, {socket_options, foo, _}}} = ssl:getopts(Socket, [foo]), 5274 ok. 5275 5276tls_shutdown_result(Socket, server) -> 5277 ssl:send(Socket, "Hej"), 5278 ok = ssl:shutdown(Socket, write), 5279 {ok, "Hej hopp"} = ssl:recv(Socket, 8), 5280 ok; 5281 5282tls_shutdown_result(Socket, client) -> 5283 ssl:send(Socket, "Hej hopp"), 5284 ok = ssl:shutdown(Socket, write), 5285 {ok, "Hej"} = ssl:recv(Socket, 3), 5286 ok. 5287 5288tls_shutdown_write_result(Socket, server) -> 5289 ct:sleep(?SLEEP), 5290 ssl:shutdown(Socket, write); 5291tls_shutdown_write_result(Socket, client) -> 5292 ssl:recv(Socket, 0). 5293 5294dummy(_Socket) -> 5295 %% Should not happen as the ssl connection will not be established 5296 %% due to fatal handshake failiure 5297 exit(kill). 5298 5299tls_shutdown_both_result(Socket, server) -> 5300 ct:sleep(?SLEEP), 5301 ssl:shutdown(Socket, read_write); 5302tls_shutdown_both_result(Socket, client) -> 5303 ssl:recv(Socket, 0). 5304 5305peername_result(S) -> 5306 ssl:peername(S). 5307 5308version_option_test(Config, Version) -> 5309 ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), 5310 ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), 5311 {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 5312 Server = 5313 ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 5314 {from, self()}, 5315 {mfa, {ssl_test_lib, send_recv_result, []}}, 5316 {options, [{active, false}, {versions, [Version]}| ServerOpts]}]), 5317 Port = ssl_test_lib:inet_port(Server), 5318 Client = 5319 ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 5320 {host, Hostname}, 5321 {from, self()}, 5322 {mfa, {ssl_test_lib, send_recv_result, []}}, 5323 {options, [{active, false}, {versions, [Version]}| ClientOpts]}]), 5324 5325 ct:log("Testcase ~p, Client ~p Server ~p ~n", 5326 [self(), Client, Server]), 5327 5328 ssl_test_lib:check_result(Server, ok, Client, ok), 5329 5330 ssl_test_lib:close(Server), 5331 ssl_test_lib:close(Client). 5332 5333try_recv_active(Socket) -> 5334 ssl:send(Socket, "Hello world"), 5335 {error, einval} = ssl:recv(Socket, 11), 5336 ok. 5337try_recv_active_once(Socket) -> 5338 {error, einval} = ssl:recv(Socket, 11), 5339 ok. 5340 5341 5342wait_for_send(Socket) -> 5343 %% Make sure TLS process processed send message event 5344 _ = ssl:connection_information(Socket). 5345 5346tls_or_dtls('dtlsv1') -> 5347 dtls; 5348tls_or_dtls('dtlsv1.2') -> 5349 dtls; 5350tls_or_dtls(_) -> 5351 tls. 5352