Anonymous cipher suites

For testing purposes ssl now also support some anonymous cipher suites
when explicitly configured to do so.

Also moved session cache tests to its own suite, so that timeout
of end_per_testcase when the mnesia is used as session cache will
not affect other test cases.

1 files changed, 56 insertions, 198 deletions

diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index fade67f3ba..ea84b3c9d1 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -34,12 +34,6 @@
 -define(EXPIRE, 10).
 -define(SLEEP, 500).
 
--behaviour(ssl_session_cache_api).
-
-%% For the session cache tests
--export([init/1, terminate/1, lookup/2, update/3, 
-	 delete/2, foldl/3, select_session/2]).
-
 %% Test server callback functions
 %%--------------------------------------------------------------------
 %% Function: init_per_suite(Config) -> Config
@@ -89,13 +83,6 @@ end_per_suite(_Config) ->
 %% variable, but should NOT alter/remove any existing entries.
 %% Description: Initialization before each test case
 %%--------------------------------------------------------------------
-init_per_testcase(session_cache_process_list, Config) ->
-    init_customized_session_cache(list, Config);
-
-init_per_testcase(session_cache_process_mnesia, Config) ->
-    mnesia:start(),
-    init_customized_session_cache(mnesia, Config);
-
 init_per_testcase(reuse_session_expired, Config0) ->
     Config = lists:keydelete(watchdog, 1, Config0),
     Dog = ssl_test_lib:timetrap(?EXPIRE * 1000 * 5),
@@ -142,16 +129,6 @@ init_per_testcase(_TestCase, Config0) ->
     Dog = test_server:timetrap(?TIMEOUT),
    [{watchdog, Dog} | Config].
 
-init_customized_session_cache(Type, Config0) ->
-    Config = lists:keydelete(watchdog, 1, Config0),
-    Dog = test_server:timetrap(?TIMEOUT),
-    ssl:stop(),
-    application:load(ssl),
-    application:set_env(ssl, session_cb, ?MODULE),
-    application:set_env(ssl, session_cb_init_args, [Type]),
-    ssl:start(),
-    [{watchdog, Dog} | Config].
-
 %%--------------------------------------------------------------------
 %% Function: end_per_testcase(TestCase, Config) -> _
 %% Case - atom()
@@ -160,16 +137,6 @@ init_customized_session_cache(Type, Config0) ->
 %%   A list of key/value pairs, holding the test case configuration.
 %% Description: Cleanup after each test case
 %%--------------------------------------------------------------------
-end_per_testcase(session_cache_process_list, Config) ->
-    application:unset_env(ssl, session_cb),
-    end_per_testcase(default_action, Config);
-end_per_testcase(session_cache_process_mnesia, Config) ->
-    application:unset_env(ssl, session_cb),
-    application:unset_env(ssl, session_cb_init_args),
-    mnesia:stop(),
-    ssl:stop(),
-    ssl:start(),
-    end_per_testcase(default_action, Config);
 end_per_testcase(reuse_session_expired, Config) ->
     application:unset_env(ssl, session_lifetime),
     end_per_testcase(default_action, Config);
@@ -216,6 +183,8 @@ all(suite) ->
      ciphers_dsa_signed_certs_ssl3,
      ciphers_dsa_signed_certs_openssl_names,
      ciphers_dsa_signed_certs_openssl_names_ssl3,
+     anonymous_cipher_suites,
+     default_reject_anonymous,
      send_close,
      close_transport_accept, dh_params, server_verify_peer_passive,
      server_verify_peer_active, server_verify_peer_active_once,
@@ -226,7 +195,6 @@ all(suite) ->
      server_verify_client_once_active,
      server_verify_client_once_active_once, client_verify_none_passive,
      client_verify_none_active, client_verify_none_active_once,
-     session_cache_process_list, session_cache_process_mnesia,
      reuse_session, reuse_session_expired,
      server_does_not_want_to_reuse_session, client_renegotiate,
      server_renegotiate, client_renegotiate_reused_session,
@@ -1165,13 +1133,13 @@ ecertfile(Config) when is_list(Config) ->
     Server = 
 	ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 
 					 {from, self()},
-			    {options, ServerBadOpts}]),
+					 {options, ServerBadOpts}]),
 
     Port = ssl_test_lib:inet_port(Server),
 
     Client =
 	ssl_test_lib:start_client_error([{node, ClientNode}, 
-			    {port, Port}, {host, Hostname},
+					 {port, Port}, {host, Hostname},
 					 {from, self()}, 
 					 {options, ClientOpts}]),
     
@@ -1522,6 +1490,14 @@ ciphers_dsa_signed_certs_openssl_names_ssl3(Config) when is_list(Config) ->
     Ciphers = ssl_test_lib:openssl_dsa_suites(),
     run_suites(Ciphers, Version, Config, dsa).
 
+anonymous_cipher_suites(doc)->
+    ["Test the anonymous ciphersuites"];
+anonymous_cipher_suites(suite) ->
+    [];
+anonymous_cipher_suites(Config) when is_list(Config) ->
+    Version = ssl_record:protocol_version(ssl_record:highest_protocol_version([])),
+    Ciphers = ssl_test_lib:anonymous_suites(),
+    run_suites(Ciphers, Version, Config, anonymous).
 
 run_suites(Ciphers, Version, Config, Type) ->
     {ClientOpts, ServerOpts} =
@@ -1531,8 +1507,12 @@ run_suites(Ciphers, Version, Config, Type) ->
 		 ?config(server_opts, Config)};
 	    dsa ->
 		{?config(client_opts, Config),
-		 ?config(server_dsa_opts, Config)}
-	end,
+		 ?config(server_dsa_opts, Config)};
+	    anonymous ->
+		%% No certs in opts!
+		{?config(client_opts, Config),
+		 ?config(server_anon, Config)}
+	    end,
     
     Result =  lists:map(fun(Cipher) -> 
 				cipher(Cipher, Version, Config, ClientOpts, ServerOpts) end,
@@ -1593,6 +1573,32 @@ cipher(CipherSuite, Version, Config, ClientOpts, ServerOpts) ->
     end.
 
 %%--------------------------------------------------------------------
+default_reject_anonymous(doc)->
+    ["Test that by default anonymous cipher suites are rejected "];
+default_reject_anonymous(suite) ->
+    [];
+default_reject_anonymous(Config) when is_list(Config) ->
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    ClientOpts = ?config(client_opts, Config),
+    ServerOpts = ?config(server_opts, Config),
+
+    [Cipher | _] = ssl_test_lib:anonymous_suites(),
+
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+					      {from, self()},
+					      {options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+			   {from, self()},
+			   {options,
+			    [{ciphers,[Cipher]} |
+			     ClientOpts]}]),
+
+    ssl_test_lib:check_result(Server, {error, "insufficient security"},
+			      Client, {error, "insufficient security"}).
+
+%%--------------------------------------------------------------------
 reuse_session(doc) -> 
     ["Test reuse of sessions (short handshake)"];
 
@@ -2952,7 +2958,7 @@ unknown_server_ca_accept_verify_peer(Config) when is_list(Config) ->
 
 %%--------------------------------------------------------------------
 unknown_server_ca_accept_backwardscompatibilty(doc) ->
-    ["Test that the client succeds if the ca is unknown in verify_none mode"];
+    ["Test that old style verify_funs will work"];
 unknown_server_ca_accept_backwardscompatibilty(suite) ->
     [];
 unknown_server_ca_accept_backwardscompatibilty(Config) when is_list(Config) ->
@@ -3047,6 +3053,17 @@ der_input_opts(Opts) ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
+erlang_ssl_receive(Socket, Data) ->
+    receive
+	{ssl, Socket, Data} ->
+	    io:format("Received ~p~n",[Data]),
+	    ok;
+	Other ->
+	    test_server:fail({unexpected_message, Other})
+    after ?SLEEP * 3 ->
+	    test_server:fail({did_not_get, Data})
+    end.
+
 send_recv_result(Socket) ->
     ssl:send(Socket, "Hello world"),
     {ok,"Hello world"} = ssl:recv(Socket, 11),
@@ -3086,162 +3103,3 @@ renegotiate_reuse_session(Socket, Data) ->
     %% Make sure session is registerd
     test_server:sleep(?SLEEP),
     renegotiate(Socket, Data).
- 
-session_cache_process_list(doc) -> 
-    ["Test reuse of sessions (short handshake)"];
-
-session_cache_process_list(suite) -> 
-    [];
-session_cache_process_list(Config) when is_list(Config) -> 
-    session_cache_process(list,Config).
-
-session_cache_process_mnesia(doc) -> 
-    ["Test reuse of sessions (short handshake)"];
-
-session_cache_process_mnesia(suite) -> 
-    [];
-session_cache_process_mnesia(Config) when is_list(Config) -> 
-    session_cache_process(mnesia,Config).
-
-session_cache_process(_Type,Config) when is_list(Config) ->
-    reuse_session(Config).
-
-init([Type]) ->
-    ets:new(ssl_test, [named_table, public, set]),
-    ets:insert(ssl_test, {type, Type}),
-    case Type of
-	list ->
-	    spawn(fun() -> session_loop([]) end);
-	mnesia ->
-	    mnesia:start(),
-	    {atomic,ok} = mnesia:create_table(sess_cache, []),
-	    sess_cache
-    end.
-
-session_cb() ->
-    [{type, Type}] = ets:lookup(ssl_test, type),
-    Type.
-
-terminate(Cache) ->
-    case session_cb() of
-	list ->
-	    Cache ! terminate;
-	mnesia ->
-	    catch {atomic,ok} = 
-		mnesia:delete_table(sess_cache)
-    end.
-
-lookup(Cache, Key) ->        
-    case session_cb() of
-	list ->
-	    Cache ! {self(), lookup, Key},
-	    receive {Cache, Res} -> Res end;
-	mnesia ->
-	    case mnesia:transaction(fun() -> 
-					    mnesia:read(sess_cache, 
-							Key, read) 
-				    end) of
-		{atomic, [{sess_cache, Key, Value}]} -> 
-		    Value;
-		_ -> 
-		    undefined
-	    end
-	end.
-
-update(Cache, Key, Value) ->
-    case session_cb() of
-	list ->
-	    Cache ! {update, Key, Value};
-	mnesia ->
-	    {atomic, ok} = 
-		mnesia:transaction(fun() -> 
-					   mnesia:write(sess_cache, 
-							{sess_cache, Key, Value}, write) 
-				   end)
-    end.
-
-delete(Cache, Key) -> 
-    case session_cb() of
-	list ->
-	    Cache ! {delete, Key};
-	mnesia ->
-	    {atomic, ok} = 
-		mnesia:transaction(fun() -> 
-					   mnesia:delete(sess_cache, Key) 
-				   end)
-    end.
-
-foldl(Fun, Acc, Cache) -> 
-    case session_cb() of
-	list ->
-	    Cache ! {self(),foldl,Fun,Acc},
-	    receive {Cache, Res} -> Res end;
-	mnesia ->
-	    Foldl = fun() ->
-			    mnesia:foldl(Fun, Acc, sess_cache)
-		    end,
-	    {atomic, Res} = mnesia:transaction(Foldl),
-	    Res
-    end.
-    
-select_session(Cache, PartialKey) ->
-    case session_cb() of
-	list ->
-	    Cache ! {self(),select_session, PartialKey},
-	    receive 
-		{Cache, Res} -> 
-		    Res 
-	    end;
-	mnesia ->
-	    Sel = fun() ->
-			  mnesia:select(Cache,
-					[{{sess_cache,{PartialKey,'$1'}, '$2'},
-					  [],['$$']}])
-		  end,
-	    {atomic, Res} = mnesia:transaction(Sel),
-	    Res
-    end.
-
-session_loop(Sess) ->
-    receive 
-	terminate ->
-	    ok;
-	{Pid, lookup, Key} ->
-	    case lists:keysearch(Key,1,Sess) of
-		{value, {Key,Value}} ->
-		    Pid ! {self(), Value};
-		_ -> 
-		    Pid ! {self(), undefined}
-	    end,
-	    session_loop(Sess);
-	{update, Key, Value} ->
-	    NewSess = [{Key,Value}| lists:keydelete(Key,1,Sess)],
-	    session_loop(NewSess);
-	{delete, Key} ->
-	    session_loop(lists:keydelete(Key,1,Sess));
-	{Pid,foldl,Fun,Acc} ->
-	    Res = lists:foldl(Fun, Acc,Sess),
-	    Pid ! {self(), Res},
-	    session_loop(Sess);
-	{Pid,select_session,PKey} ->
-	    Sel = fun({{PKey0, Id},Session}, Acc) when PKey == PKey0 -> 
-			  [[Id, Session]|Acc];
-		     (_,Acc) -> 
-			  Acc
-		  end, 
-	    Sessions = lists:foldl(Sel, [], Sess),
-	    Pid ! {self(), Sessions},
-	    session_loop(Sess)
-    end.
-	    
-
-erlang_ssl_receive(Socket, Data) ->
-    receive
-	{ssl, Socket, Data} ->
-	    io:format("Received ~p~n",[Data]),
-	    ok;
-	Other ->
-	    test_server:fail({unexpected_message, Other})
-    after ?SLEEP * 3 ->
-	    test_server:fail({did_not_get, Data})
-    end.