Anonymous cipher suites

For testing purposes ssl now also support some anonymous cipher suites
when explicitly configured to do so.

Also moved session cache tests to its own suite, so that timeout
of end_per_testcase when the mnesia is used as session cache will
not affect other test cases.

5 files changed, 145 insertions, 124 deletions

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index ef94750d02..7e5929d708 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -747,7 +747,7 @@ validate_option(depth, Value) when is_integer(Value),
 validate_option(cert, Value) when Value == undefined;
                                  is_binary(Value) ->
     Value;
-validate_option(certfile, Value) when is_list(Value) ->
+validate_option(certfile, Value) when Value == undefined; is_list(Value) ->
     Value;
 
 validate_option(key, undefined) ->
@@ -890,7 +890,7 @@ cipher_suites(Version, [{_,_,_}| _] = Ciphers0) ->
     Ciphers = [ssl_cipher:suite(C) || C <- Ciphers0],
     cipher_suites(Version, Ciphers);
 cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
-    Supported = ssl_cipher:suites(Version),
+    Supported = ssl_cipher:suites(Version) ++ ssl_cipher:anonymous_suites(),
     case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported)] of
 	[] ->
 	    Supported;
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 8230149304..9824e17fcd 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -34,7 +34,7 @@
 
 -export([security_parameters/2, suite_definition/1,
 	 decipher/5, cipher/4, 
-	 suite/1, suites/1,
+	 suite/1, suites/1, anonymous_suites/0,
 	 openssl_suite/1, openssl_suite_name/1, filter/2]).
 
 -compile(inline).
@@ -191,6 +191,19 @@ suites({3, N}) when N == 1; N == 2 ->
     ssl_tls1:suites().
 
 %%--------------------------------------------------------------------
+-spec anonymous_suites() -> [cipher_suite()].
+%%
+%% Description: Returns a list of the anonymous cipher suites, only supported
+%% if explicitly set by user. Intended only for testing.
+%%--------------------------------------------------------------------
+anonymous_suites() ->
+    [?TLS_DH_anon_WITH_RC4_128_MD5,
+     ?TLS_DH_anon_WITH_DES_CBC_SHA,
+     ?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
+     ?TLS_DH_anon_WITH_AES_128_CBC_SHA,
+     ?TLS_DH_anon_WITH_AES_256_CBC_SHA].
+
+%%--------------------------------------------------------------------
 -spec suite_definition(cipher_suite()) -> erl_cipher_suite().
 %%
 %% Description: Return erlang cipher suite definition.
@@ -235,7 +248,20 @@ suite_definition(?TLS_RSA_WITH_AES_256_CBC_SHA) ->
 suite_definition(?TLS_DHE_DSS_WITH_AES_256_CBC_SHA) ->
     {dhe_dss, aes_256_cbc, sha};
 suite_definition(?TLS_DHE_RSA_WITH_AES_256_CBC_SHA) ->
-    {dhe_rsa, aes_256_cbc, sha}.
+    {dhe_rsa, aes_256_cbc, sha};
+
+%%% DH-ANON deprecated by TLS spec and not available
+%%% by default, but good for testing purposes.
+suite_definition(?TLS_DH_anon_WITH_RC4_128_MD5) ->
+    {dh_anon, rc4_128, md5};
+suite_definition(?TLS_DH_anon_WITH_DES_CBC_SHA) ->
+    {dh_anon, des_cbc, sha};
+suite_definition(?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA) ->
+    {dh_anon, '3des_ede_cbc', sha};
+suite_definition(?TLS_DH_anon_WITH_AES_128_CBC_SHA) ->
+    {dh_anon, aes_128_cbc, sha};
+suite_definition(?TLS_DH_anon_WITH_AES_256_CBC_SHA) ->
+    {dh_anon, aes_256_cbc, sha}.
 
 %%--------------------------------------------------------------------
 -spec suite(erl_cipher_suite()) -> cipher_suite().
@@ -266,12 +292,12 @@ suite({dhe_rsa, des_cbc, sha}) ->
     ?TLS_DHE_RSA_WITH_DES_CBC_SHA;
 suite({dhe_rsa, '3des_ede_cbc', sha}) ->
     ?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA; 
-%% suite({dh_anon, rc4_128, md5}) ->
-%%     ?TLS_DH_anon_WITH_RC4_128_MD5;
-%% suite({dh_anon, des40_cbc, sha}) ->
-%%     ?TLS_DH_anon_WITH_DES_CBC_SHA;
-%% suite({dh_anon, '3des_ede_cbc', sha}) ->
-%%     ?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
+suite({dh_anon, rc4_128, md5}) ->
+    ?TLS_DH_anon_WITH_RC4_128_MD5;
+suite({dh_anon, des_cbc, sha}) ->
+    ?TLS_DH_anon_WITH_DES_CBC_SHA;
+suite({dh_anon, '3des_ede_cbc', sha}) ->
+    ?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
 
 %%% TSL V1.1 AES suites
 suite({rsa, aes_128_cbc, sha}) ->
@@ -280,16 +306,16 @@ suite({dhe_dss, aes_128_cbc, sha}) ->
     ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA; 
 suite({dhe_rsa, aes_128_cbc, sha}) ->
     ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
-%% suite({dh_anon, aes_128_cbc, sha}) ->
-%%     ?TLS_DH_anon_WITH_AES_128_CBC_SHA;
+suite({dh_anon, aes_128_cbc, sha}) ->
+    ?TLS_DH_anon_WITH_AES_128_CBC_SHA;
 suite({rsa, aes_256_cbc, sha}) ->
     ?TLS_RSA_WITH_AES_256_CBC_SHA;
 suite({dhe_dss, aes_256_cbc, sha}) ->
     ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA;
 suite({dhe_rsa, aes_256_cbc, sha}) ->
-    ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA.
-%% suite({dh_anon, aes_256_cbc, sha}) ->
-%%     ?TLS_DH_anon_WITH_AES_256_CBC_SHA.
+    ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
+suite({dh_anon, aes_256_cbc, sha}) ->
+    ?TLS_DH_anon_WITH_AES_256_CBC_SHA.
 
 %%--------------------------------------------------------------------
 -spec openssl_suite(openssl_cipher_suite()) -> cipher_suite().
@@ -580,5 +606,3 @@ filter_rsa_suites(Use, KeyUse, CipherSuits, RsaSuites) ->
 	false ->
 	    CipherSuits -- RsaSuites
     end.
-
-
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index bd1ba6978a..178c71ecc6 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -374,7 +374,7 @@ hello(#server_hello{cipher_suite = CipherSuite,
 
     case ssl_handshake:hello(Hello, SslOptions, ConnectionStates0, Renegotiation) of
 	{Version, NewId, ConnectionStates} ->
-	    {KeyAlgorithm, _, _} = 
+	    {KeyAlgorithm, _, _} =
 		ssl_cipher:suite_definition(CipherSuite),
 	    
 	    PremasterSecret = make_premaster_secret(ReqVersion, KeyAlgorithm),
@@ -512,7 +512,7 @@ certify(#certificate{} = Cert,
 certify(#server_key_exchange{} = KeyExchangeMsg, 
         #state{role = client, negotiated_version = Version,
 	       key_algorithm = Alg} = State0) 
-  when Alg == dhe_dss; Alg == dhe_rsa ->
+  when Alg == dhe_dss; Alg == dhe_rsa;  Alg == dh_anon ->
     case handle_server_key(KeyExchangeMsg, State0) of
 	#state{} = State1 ->
 	    {Record, State} = next_record(State1),
@@ -613,25 +613,10 @@ certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPubl
 			    #state{negotiated_version = Version,
 				   diffie_hellman_params = #'DHParameter'{prime = P,
 									  base = G},
-				   diffie_hellman_keys = {_, ServerDhPrivateKey},
-				   role = Role,
-				   session = Session,
-				   connection_states = ConnectionStates0} = State0) ->
-
-    PMpint = crypto:mpint(P),
-    GMpint = crypto:mpint(G),	
-    PremasterSecret = crypto:dh_compute_key(mpint_binary(ClientPublicDhKey),
-					    ServerDhPrivateKey,
-					    [PMpint, GMpint]),
-
-    case ssl_handshake:master_secret(Version, PremasterSecret,
-				     ConnectionStates0, Role) of
-	{MasterSecret, ConnectionStates} ->
-	    State1 = State0#state{session = 
-				      Session#session{master_secret
-						      = MasterSecret},
-				  connection_states = ConnectionStates},
+				   diffie_hellman_keys = {_, ServerDhPrivateKey}} = State0) ->
 
+    case dh_master_secret(crypto:mpint(P), crypto:mpint(G), ClientPublicDhKey, ServerDhPrivateKey, State0) of
+	#state{} = State1 ->
 	    {Record, State} = next_record(State1),
 	    next_state(cipher, Record, State);
 	#alert{} = Alert ->
@@ -1058,6 +1043,8 @@ init_certificates(#ssl_options{cacerts = CaCerts,
 	end,
     init_certificates(Cert, CertDbRef, CacheRef, CertFile, Role).
 
+init_certificates(undefined, CertDbRef, CacheRef, "", _) ->
+    {ok, CertDbRef, CacheRef, undefined};
 
 init_certificates(undefined, CertDbRef, CacheRef, CertFile, client) ->
     try 
@@ -1068,18 +1055,18 @@ init_certificates(undefined, CertDbRef, CacheRef, CertFile, client) ->
     end;
 
 init_certificates(undefined, CertDbRef, CacheRef, CertFile, server) ->
-     try 
+    try
 	[OwnCert] = ssl_certificate:file_to_certificats(CertFile),
 	{ok, CertDbRef, CacheRef, OwnCert}
-     catch
-	 Error:Reason ->
-	     handle_file_error(?LINE, Error, Reason, CertFile, ecertfile,
-			       erlang:get_stacktrace())
-     end;
+    catch
+	Error:Reason ->
+	    handle_file_error(?LINE, Error, Reason, CertFile, ecertfile,
+			      erlang:get_stacktrace())
+    end;
 init_certificates(Cert, CertDbRef, CacheRef, _, _) ->
     {ok, CertDbRef, CacheRef, Cert}.
 
-init_private_key(undefined, "", _Password, client) -> 
+init_private_key(undefined, "", _Password, _Client) ->
     undefined;
 init_private_key(undefined, KeyFile, Password, _)  -> 
     try
@@ -1340,15 +1327,17 @@ server_hello_done(#state{transport_cb = Transport,
     Transport:send(Socket, BinHelloDone),
     State#state{connection_states = NewConnectionStates,
 		tls_handshake_hashes = NewHashes}.
-   
-certify_server(#state{transport_cb = Transport,
-                      socket = Socket,
-                      negotiated_version = Version,
-                      connection_states = ConnectionStates,
-                      tls_handshake_hashes = Hashes,
-                      cert_db_ref = CertDbRef,
-                      own_cert = OwnCert} = State) ->
 
+certify_server(#state{key_algorithm = dh_anon} = State) ->
+    State;
+
+certify_server(#state{transport_cb = Transport,
+		      socket = Socket,
+		      negotiated_version = Version,
+		      connection_states = ConnectionStates,
+		      tls_handshake_hashes = Hashes,
+		      cert_db_ref = CertDbRef,
+		      own_cert = OwnCert} = State) ->
     case ssl_handshake:certificate(OwnCert, CertDbRef, server) of
 	CertMsg = #certificate{} ->
 	    {BinCertMsg, NewConnectionStates, NewHashes} =
@@ -1373,7 +1362,8 @@ key_exchange(#state{role = server, key_algorithm = Algo,
 		    transport_cb = Transport
 		   } = State) 
   when Algo == dhe_dss;
-       Algo == dhe_rsa ->
+       Algo == dhe_rsa;
+       Algo == dh_anon ->
 
     Keys = crypto:dh_generate_key([crypto:mpint(P), crypto:mpint(G)]),
     ConnectionState = 
@@ -1392,11 +1382,6 @@ key_exchange(#state{role = server, key_algorithm = Algo,
 		diffie_hellman_keys = Keys,
                 tls_handshake_hashes = Hashes1};
 
-
-%% key_algorithm = dh_anon is not supported. Should be by default disabled
-%% if support is implemented and then we need a key_exchange clause for it
-%% here. 
-   
 key_exchange(#state{role = client, 
 		    connection_states = ConnectionStates0,
 		    key_algorithm = rsa,
@@ -1419,7 +1404,8 @@ key_exchange(#state{role = client,
 		    socket = Socket, transport_cb = Transport,
 		    tls_handshake_hashes = Hashes0} = State) 
   when Algorithm == dhe_dss;
-       Algorithm == dhe_rsa ->
+       Algorithm == dhe_rsa;
+       Algorithm == dh_anon ->
     Msg =  ssl_handshake:key_exchange(client, {dh, DhPubKey}),
     {BinMsg, ConnectionStates1, Hashes1} =
         encode_handshake(Msg, Version, ConnectionStates0, Hashes0),
@@ -1497,23 +1483,30 @@ save_verify_data(client, #finished{verify_data = Data}, ConnectionStates, abbrev
 save_verify_data(server, #finished{verify_data = Data}, ConnectionStates, abbreviated) ->
     ssl_record:set_server_verify_data(current_write, Data, ConnectionStates).
 
+handle_server_key(#server_key_exchange{params =
+					   #server_dh_params{dh_p = P,
+							     dh_g = G,
+							     dh_y = ServerPublicDhKey},
+				       signed_params = <<>>},
+		  #state{key_algorithm = dh_anon} = State) ->
+    dh_master_secret(P, G, ServerPublicDhKey, undefined, State);
+
 handle_server_key(
   #server_key_exchange{params = 
 		       #server_dh_params{dh_p = P,
 					 dh_g = G,
 					 dh_y = ServerPublicDhKey}, 
 		       signed_params = Signed}, 
-  #state{session = Session, negotiated_version = Version, role = Role,
-	 public_key_info = PubKeyInfo,
+  #state{public_key_info = PubKeyInfo,
 	 key_algorithm = KeyAlgo,
-	 connection_states = ConnectionStates0} = State) ->
+	 connection_states = ConnectionStates} = State) ->
      
     PLen = size(P),
     GLen = size(G),
     YLen = size(ServerPublicDhKey),
 
     ConnectionState = 
-	ssl_record:pending_connection_state(ConnectionStates0, read),
+	ssl_record:pending_connection_state(ConnectionStates, read),
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams, 
@@ -1527,29 +1520,11 @@ handle_server_key(
     
     case verify_dh_params(Signed, Hash, PubKeyInfo) of
 	true ->
-	    PMpint = mpint_binary(P),
-	    GMpint = mpint_binary(G),	
-	    Keys = {_, ClientDhPrivateKey} = 
-		crypto:dh_generate_key([PMpint,GMpint]),
-	    PremasterSecret = 
-		crypto:dh_compute_key(mpint_binary(ServerPublicDhKey), 
-				      ClientDhPrivateKey, [PMpint, GMpint]),
-	    case ssl_handshake:master_secret(Version, PremasterSecret, 
-					     ConnectionStates0, Role) of
-		{MasterSecret, ConnectionStates} ->
-		    State#state{diffie_hellman_keys = Keys,
-				 session = 
-				 Session#session{master_secret 
-						 = MasterSecret},
-				 connection_states = ConnectionStates};
-		#alert{} = Alert ->
-		    Alert
-	    end;
+	    dh_master_secret(P, G, ServerPublicDhKey, undefined, State);
 	false ->
 	    ?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE)
     end.
 
-
 verify_dh_params(Signed, Hashes, {?rsaEncryption, PubKey, _PubKeyParams}) ->
     case public_key:decrypt_public(Signed, PubKey, 
 				   [{rsa_pad, rsa_pkcs1_padding}]) of
@@ -1561,6 +1536,30 @@ verify_dh_params(Signed, Hashes, {?rsaEncryption, PubKey, _PubKeyParams}) ->
 verify_dh_params(Signed, Hash, {?'id-dsa', PublicKey, PublicKeyParams}) ->
     public_key:verify(Hash, none, Signed, {PublicKey, PublicKeyParams}). 
 
+dh_master_secret(Prime, Base, PublicDhKey, undefined, State) ->
+    PMpint = mpint_binary(Prime),
+    GMpint = mpint_binary(Base),
+    Keys = {_, PrivateDhKey} =
+	crypto:dh_generate_key([PMpint,GMpint]),
+    dh_master_secret(PMpint, GMpint, PublicDhKey, PrivateDhKey, State#state{diffie_hellman_keys = Keys});
+
+dh_master_secret(PMpint, GMpint, PublicDhKey, PrivateDhKey,
+		 #state{session = Session,
+			negotiated_version = Version, role = Role,
+			connection_states = ConnectionStates0} = State) ->
+    PremasterSecret =
+	crypto:dh_compute_key(mpint_binary(PublicDhKey), PrivateDhKey,
+			      [PMpint, GMpint]),
+    case ssl_handshake:master_secret(Version, PremasterSecret,
+				     ConnectionStates0, Role) of
+	{MasterSecret, ConnectionStates} ->
+	    State#state{
+	      session =
+		  Session#session{master_secret = MasterSecret},
+	      connection_states = ConnectionStates};
+	#alert{} = Alert ->
+	    Alert
+    end.
 
 cipher_role(client, Data, Session, #state{connection_states = ConnectionStates0} = State) -> 
     ConnectionStates = ssl_record:set_server_verify_data(current_both, Data, ConnectionStates0),
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 5b1a510034..58c6befbc6 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -36,7 +36,7 @@
 	 client_certificate_verify/6, certificate_verify/6,
 	 certificate_request/2, key_exchange/2, server_key_exchange_hash/2,
 	 finished/4, verify_connection/5, get_tls_handshake/2,
-	 decode_client_key/3, server_hello_done/0, sig_alg/1,
+	 decode_client_key/3, server_hello_done/0,
 	 encode_handshake/3, init_hashes/0, update_hashes/2,
 	 decrypt_premaster_secret/2]).
 
@@ -237,7 +237,7 @@ certificate(OwnCert, CertDbRef, client) ->
 	    {error, _} -> 
 		%% If no suitable certificate is available, the client
 		%% SHOULD send a certificate message containing no
-		%% certificates. (chapter 7.4.6. rfc 4346) 
+		%% certificates. (chapter 7.4.6. RFC 4346)
 		[]	 
 	end,
     #certificate{asn1_certificates = Chain};
@@ -355,15 +355,22 @@ key_exchange(server, {dh, {<<?UINT32(Len), PublicKey:Len/binary>>, _},
     YLen = byte_size(PublicKey),
     ServerDHParams = #server_dh_params{dh_p = PBin, 
 				       dh_g = GBin, dh_y = PublicKey},    
-    Hash = 
-	server_key_exchange_hash(KeyAlgo, <<ClientRandom/binary, 
-					    ServerRandom/binary, 
-					    ?UINT16(PLen), PBin/binary, 
-					    ?UINT16(GLen), GBin/binary,
-					    ?UINT16(YLen), PublicKey/binary>>),
-    Signed = digitally_signed(Hash, PrivateKey),
-    #server_key_exchange{params = ServerDHParams,
-			 signed_params = Signed}.
+
+    case KeyAlgo of
+	dh_anon ->
+	    #server_key_exchange{params = ServerDHParams,
+				 signed_params = <<>>};
+	_ ->
+	    Hash =
+		server_key_exchange_hash(KeyAlgo, <<ClientRandom/binary,
+						    ServerRandom/binary,
+						    ?UINT16(PLen), PBin/binary,
+						    ?UINT16(GLen), GBin/binary,
+						    ?UINT16(YLen), PublicKey/binary>>),
+	    Signed = digitally_signed(Hash, PrivateKey),
+	    #server_key_exchange{params = ServerDHParams,
+				 signed_params = Signed}
+    end.
 
 %%--------------------------------------------------------------------
 -spec master_secret(tls_version(), #session{} | binary(), #connection_states{},
@@ -445,9 +452,8 @@ server_hello_done() ->
 %%     
 %% Description: Encode a handshake packet to binary
 %%--------------------------------------------------------------------
-encode_handshake(Package, Version, KeyAlg) ->
-    SigAlg = sig_alg(KeyAlg),
-    {MsgType, Bin} = enc_hs(Package, Version, SigAlg),
+encode_handshake(Package, Version, _KeyAlg) ->
+    {MsgType, Bin} = enc_hs(Package, Version),
     Len = byte_size(Bin),
     [MsgType, ?uint24(Len), Bin].
 
@@ -526,7 +532,7 @@ decrypt_premaster_secret(Secret, RSAPrivateKey) ->
     end.
 
 %%--------------------------------------------------------------------
--spec server_key_exchange_hash(rsa | dhe_rsa| dhe_dss, binary()) -> binary().
+-spec server_key_exchange_hash(rsa | dhe_rsa| dhe_dss | dh_anon, binary()) -> binary().
 
 %%
 %% Description: Calculate server key exchange hash
@@ -541,21 +547,6 @@ server_key_exchange_hash(dhe_dss, Value) ->
     crypto:sha(Value).
 
 %%--------------------------------------------------------------------
--spec sig_alg(atom()) -> integer().
-
-%%
-%% Description: Translate atom representation to enum representation.
-%%--------------------------------------------------------------------
-sig_alg(dh_anon) ->
-    ?SIGNATURE_ANONYMOUS;
-sig_alg(Alg) when Alg == dhe_rsa; Alg == rsa ->
-    ?SIGNATURE_RSA;
-sig_alg(dhe_dss) ->
-    ?SIGNATURE_DSA;
-sig_alg(_) ->
-    ?NULL.
-
-%%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
 get_tls_handshake_aux(<<?BYTE(Type), ?UINT24(Length), 
@@ -876,6 +867,13 @@ dec_hs(?CERTIFICATE, <<?UINT24(ACLen), ASN1Certs:ACLen/binary>>) ->
 dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(PLen), P:PLen/binary,
 			      ?UINT16(GLen), G:GLen/binary,
 			      ?UINT16(YLen), Y:YLen/binary,
+			       ?UINT16(0)>>) -> %% May happen if key_algorithm is dh_anon
+    #server_key_exchange{params = #server_dh_params{dh_p = P,dh_g = G,
+						    dh_y = Y},
+			 signed_params = <<>>};
+dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(PLen), P:PLen/binary,
+			      ?UINT16(GLen), G:GLen/binary,
+			      ?UINT16(YLen), Y:YLen/binary,
 			      ?UINT16(Len), Sig:Len/binary>>) ->
     #server_key_exchange{params = #server_dh_params{dh_p = P,dh_g = G, 
 						    dh_y = Y},
@@ -958,14 +956,14 @@ certs_from_list(ACList) ->
                         <<?UINT24(CertLen), Cert/binary>>
 		    end || Cert <- ACList]).
 
-enc_hs(#hello_request{}, _Version, _) ->
+enc_hs(#hello_request{}, _Version) ->
     {?HELLO_REQUEST, <<>>};
 enc_hs(#client_hello{client_version = {Major, Minor},
 		     random = Random,
 		     session_id = SessionID,
 		     cipher_suites = CipherSuites,
 		     compression_methods = CompMethods, 
-		     renegotiation_info = RenegotiationInfo}, _Version, _) ->
+		     renegotiation_info = RenegotiationInfo}, _Version) ->
     SIDLength = byte_size(SessionID),
     BinCompMethods = list_to_binary(CompMethods),
     CmLength = byte_size(BinCompMethods),
@@ -983,20 +981,20 @@ enc_hs(#server_hello{server_version = {Major, Minor},
 		     session_id = Session_ID,
 		     cipher_suite = Cipher_suite,
 		     compression_method = Comp_method,
-		     renegotiation_info = RenegotiationInfo}, _Version, _) ->
+		     renegotiation_info = RenegotiationInfo}, _Version) ->
     SID_length = byte_size(Session_ID),
     Extensions  = hello_extensions(RenegotiationInfo),
     ExtensionsBin = enc_hello_extensions(Extensions),
     {?SERVER_HELLO, <<?BYTE(Major), ?BYTE(Minor), Random:32/binary,
 		     ?BYTE(SID_length), Session_ID/binary,
                      Cipher_suite/binary, ?BYTE(Comp_method), ExtensionsBin/binary>>};
-enc_hs(#certificate{asn1_certificates = ASN1CertList}, _Version, _) ->
+enc_hs(#certificate{asn1_certificates = ASN1CertList}, _Version) ->
     ASN1Certs = certs_from_list(ASN1CertList),
     ACLen = erlang:iolist_size(ASN1Certs),
     {?CERTIFICATE, <<?UINT24(ACLen), ASN1Certs:ACLen/binary>>};
 enc_hs(#server_key_exchange{params = #server_dh_params{
 			      dh_p = P, dh_g = G, dh_y = Y},
-	signed_params = SignedParams}, _Version, _) ->
+	signed_params = SignedParams}, _Version) ->
     PLen = byte_size(P),
     GLen = byte_size(G),
     YLen = byte_size(Y),
@@ -1008,21 +1006,21 @@ enc_hs(#server_key_exchange{params = #server_dh_params{
     };
 enc_hs(#certificate_request{certificate_types = CertTypes,
 			    certificate_authorities = CertAuths}, 
-       _Version, _) ->
+       _Version) ->
     CertTypesLen = byte_size(CertTypes),
     CertAuthsLen = byte_size(CertAuths),
     {?CERTIFICATE_REQUEST,
        <<?BYTE(CertTypesLen), CertTypes/binary,
 	?UINT16(CertAuthsLen), CertAuths/binary>>
     };
-enc_hs(#server_hello_done{}, _Version, _) ->
+enc_hs(#server_hello_done{}, _Version) ->
     {?SERVER_HELLO_DONE, <<>>};
-enc_hs(#client_key_exchange{exchange_keys = ExchangeKeys}, Version, _) ->
+enc_hs(#client_key_exchange{exchange_keys = ExchangeKeys}, Version) ->
     {?CLIENT_KEY_EXCHANGE, enc_cke(ExchangeKeys, Version)};
-enc_hs(#certificate_verify{signature = BinSig}, _, _) ->
+enc_hs(#certificate_verify{signature = BinSig}, _) ->
     EncSig = enc_bin_sig(BinSig),
     {?CERTIFICATE_VERIFY, EncSig};
-enc_hs(#finished{verify_data = VerifyData}, _Version, _) ->
+enc_hs(#finished{verify_data = VerifyData}, _Version) ->
     {?FINISHED, VerifyData}.
 
 enc_cke(#encrypted_premaster_secret{premaster_secret = PKEPMS},{3, 0}) ->
@@ -1152,7 +1150,7 @@ calc_certificate_verify({3, N}, _, Algorithm, Hashes)
 key_exchange_alg(rsa) ->
     ?KEY_EXCHANGE_RSA;
 key_exchange_alg(Alg) when Alg == dhe_rsa; Alg == dhe_dss;
-			    Alg == dh_dss; Alg == dh_rsa  ->
+			    Alg == dh_dss; Alg == dh_rsa; Alg == dh_anon ->
     ?KEY_EXCHANGE_DIFFIE_HELLMAN;
 key_exchange_alg(_) ->
     ?NULL.
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index ddb05e70f6..d2dee4d861 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -104,7 +104,7 @@
 -type tls_atom_version()  :: sslv3 | tlsv1.
 -type cache_ref()         :: term(). 
 -type certdb_ref()        :: term(). 
--type key_algo()          :: null | rsa | dhe_rsa | dhe_dss.
+-type key_algo()          :: null | rsa | dhe_rsa | dhe_dss | dh_anon.
 -type enum_algo()          :: integer().
 -type public_key()        :: #'RSAPublicKey'{} | integer().
 -type public_key_params() :: #'Dss-Parms'{} | term().