dtls: DTLS specific handling of socket and ciphers

DTLS does not support stream ciphers and needs diffrent handling of the "#ssl_socket{}" handle .
author: Ingela Anderton Andin <[email protected]> 2017-01-26 11:59:11 +0100
committer: Ingela Anderton Andin <[email protected]> 2017-03-06 10:34:15 +0100
commit: 658aa05997d56c742be1a1126fc921b69d5d06a5 (patch)
tree: ba4418d544c1e85d04810c003560f9679f3b6ebe /lib/ssl/test
parent: b089b27a486e7175c1145db61d464922a46cad65 (diff)
download: otp-658aa05997d56c742be1a1126fc921b69d5d06a5.tar.gz
otp-658aa05997d56c742be1a1126fc921b69d5d06a5.tar.bz2
otp-658aa05997d56c742be1a1126fc921b69d5d06a5.zip
2 files changed, 93 insertions, 87 deletions
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index f0a3c42e8d..27adcc115c 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -53,7 +53,7 @@ all() ->
      {group, options_tls},
      {group, session},
      {group, 'dtlsv1.2'},
-     %%{group, 'dtlsv1'},
+     {group, 'dtlsv1'},
      {group, 'tlsv1.2'},
      {group, 'tlsv1.1'},
      {group, 'tlsv1'},
@@ -65,15 +65,15 @@ groups() ->
      {basic_tls, [], basic_tests_tls()},
      {options, [], options_tests()},
      {options_tls, [], options_tests_tls()},
-     %%{'dtlsv1.2', [], all_versions_groups()},
-     {'dtlsv1.2', [], [connection_information]},
-     %%{'dtlsv1', [], all_versions_groups()},
+     {'dtlsv1.2', [], all_versions_groups()},
+     {'dtlsv1', [], all_versions_groups()},
      {'tlsv1.2', [], all_versions_groups() ++ tls_versions_groups() ++ [conf_signature_algs, no_common_signature_algs]},
      {'tlsv1.1', [], all_versions_groups() ++ tls_versions_groups()},
      {'tlsv1', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests()},
      {'sslv3', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests() ++ [tls_ciphersuite_vs_version]},
      {api,[], api_tests()},
      {api_tls,[], api_tests_tls()},
+     {tls_ciphers,[], tls_cipher_tests()},
      {session, [], session_tests()},
      {renegotiate, [], renegotiate_tests()},
      {ciphers, [], cipher_tests()},
@@ -84,11 +84,12 @@ groups() ->
 
 tls_versions_groups ()->
     [{group, api_tls},
+     {group, tls_ciphers},
      {group, error_handling_tests_tls}].
 
 all_versions_groups ()->
     [{group, api},
-     {group, renegotiate},
+     %%{group, renegotiate},
      {group, ciphers},
      {group, ciphers_ec},
      {group, error_handling_tests}].
@@ -197,6 +198,11 @@ renegotiate_tests() ->
      renegotiate_dos_mitigate_passive,
      renegotiate_dos_mitigate_absolute].
 
+tls_cipher_tests() ->
+    [rc4_rsa_cipher_suites,
+     rc4_ecdh_rsa_cipher_suites,
+     rc4_ecdsa_cipher_suites].
+
 cipher_tests() ->
     [cipher_suites,
      cipher_suites_mix,
@@ -212,9 +218,6 @@ cipher_tests() ->
      srp_cipher_suites,
      srp_anon_cipher_suites,
      srp_dsa_cipher_suites,
-     rc4_rsa_cipher_suites,
-     rc4_ecdh_rsa_cipher_suites,
-     rc4_ecdsa_cipher_suites,
      des_rsa_cipher_suites,
      des_ecdh_rsa_cipher_suites,
      default_reject_anonymous].
@@ -843,8 +846,7 @@ controller_dies(Config) when is_list(Config) ->
     Server ! listen, 
     Tester = self(),
     Connect = fun(Pid) ->
-		      {ok, Socket} = ssl:connect(Hostname, Port, 
-						  [{reuseaddr,true},{ssl_imp,new}]),
+		      {ok, Socket} = ssl:connect(Hostname, Port, ClientOpts),
 		      %% Make sure server finishes and verification
 		      %% and is in coonection state before
 		      %% killing client
@@ -2194,8 +2196,9 @@ ciphers_dsa_signed_certs() ->
     [{doc,"Test all dsa ssl cipher suites in highest support ssl/tls version"}].
        
 ciphers_dsa_signed_certs(Config) when is_list(Config) ->
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:dsa_suites(tls_record:protocol_version(Version)),
+    Ciphers = ssl_test_lib:dsa_suites(NVersion),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, dsa).
 %%-------------------------------------------------------------------
@@ -2218,29 +2221,33 @@ anonymous_cipher_suites(Config) when is_list(Config) ->
 psk_cipher_suites() ->
     [{doc, "Test the PSK ciphersuites WITHOUT server supplied identity hint"}].
 psk_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:psk_suites(),
+    Ciphers = ssl_test_lib:psk_suites(NVersion),
     run_suites(Ciphers, Version, Config, psk).
 %%-------------------------------------------------------------------
 psk_with_hint_cipher_suites()->
     [{doc, "Test the PSK ciphersuites WITH server supplied identity hint"}].
 psk_with_hint_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:psk_suites(),
+    Ciphers = ssl_test_lib:psk_suites(NVersion),
     run_suites(Ciphers, Version, Config, psk_with_hint).
 %%-------------------------------------------------------------------
 psk_anon_cipher_suites() ->
     [{doc, "Test the anonymous PSK ciphersuites WITHOUT server supplied identity hint"}].
 psk_anon_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:psk_anon_suites(),
+    Ciphers = ssl_test_lib:psk_anon_suites(NVersion),
     run_suites(Ciphers, Version, Config, psk_anon).
 %%-------------------------------------------------------------------
 psk_anon_with_hint_cipher_suites()->
     [{doc, "Test the anonymous PSK ciphersuites WITH server supplied identity hint"}].
 psk_anon_with_hint_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:psk_anon_suites(),
+    Ciphers = ssl_test_lib:psk_anon_suites(NVersion),
     run_suites(Ciphers, Version, Config, psk_anon_with_hint).
 %%-------------------------------------------------------------------
 srp_cipher_suites()->
@@ -2291,18 +2298,17 @@ rc4_ecdsa_cipher_suites(Config) when is_list(Config) ->
 
 %%-------------------------------------------------------------------
 des_rsa_cipher_suites()->
-    [{doc, "Test the RC4 ciphersuites"}].
+    [{doc, "Test the des_rsa ciphersuites"}].
 des_rsa_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = tls_record:protocol_version(NVersion),
-    Ciphers = ssl_test_lib:des_suites(NVersion),
+    Version = ssl_test_lib:protocol_version(Config),
+    Ciphers = ssl_test_lib:des_suites(Config),
     run_suites(Ciphers, Version, Config, des_rsa).
 %-------------------------------------------------------------------
 des_ecdh_rsa_cipher_suites()->
-    [{doc, "Test the RC4 ciphersuites"}].
+    [{doc, "Test ECDH rsa signed ciphersuites"}].
 des_ecdh_rsa_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = tls_record:protocol_version(NVersion),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:des_suites(NVersion),
     run_suites(Ciphers, Version, Config, des_dhe_rsa).
 
@@ -2313,9 +2319,11 @@ default_reject_anonymous(Config) when is_list(Config) ->
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
     ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
-    Version = tls_record:highest_protocol_version(tls_record:supported_protocol_versions()),
-    [CipherSuite | _] = ssl_test_lib:anonymous_suites(Version),
-
+    Version = ssl_test_lib:protocol_version(Config),
+    TLSVersion = ssl_test_lib:tls_version(Version),
+    
+   [CipherSuite | _] = ssl_test_lib:anonymous_suites(TLSVersion),
+    
     Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
 					      {from, self()},
 					      {options, ServerOpts}]),
@@ -2335,8 +2343,9 @@ ciphers_ecdsa_signed_certs() ->
     [{doc, "Test all ecdsa ssl cipher suites in highest support ssl/tls version"}].
 
 ciphers_ecdsa_signed_certs(Config) when is_list(Config) ->
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:ecdsa_suites(tls_record:protocol_version(Version)),
+    Ciphers = ssl_test_lib:ecdsa_suites(NVersion),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, ecdsa).
 %%--------------------------------------------------------------------
@@ -2353,8 +2362,9 @@ ciphers_ecdh_rsa_signed_certs() ->
     [{doc, "Test all ecdh_rsa ssl cipher suites in highest support ssl/tls version"}].
 
 ciphers_ecdh_rsa_signed_certs(Config) when is_list(Config) ->
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:ecdh_rsa_suites(tls_record:protocol_version(Version)),
+    Ciphers = ssl_test_lib:ecdh_rsa_suites(NVersion),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, ecdh_rsa).
 %%--------------------------------------------------------------------
@@ -3326,7 +3336,7 @@ hibernate(Config) ->
         process_info(Pid, current_function),
 
     ssl_test_lib:check_result(Server, ok, Client, ok),
-    timer:sleep(1100),
+    timer:sleep(1500),
 
     {current_function, {erlang, hibernate, 3}} =
 	process_info(Pid, current_function),
@@ -3377,7 +3387,7 @@ hibernate_right_away(Config) ->
 
     ssl_test_lib:check_result(Server2, ok, Client2, ok),
 
-    ct:sleep(100), %% Schedule out
+    timer:sleep(1000), %% Schedule out
 
     {current_function, {erlang, hibernate, 3}} =
 	process_info(Pid2, current_function),
@@ -4507,16 +4517,21 @@ run_suites(Ciphers, Version, Config, Type) ->
 		 [{reuseaddr, true}, {ciphers, ssl_test_lib:anonymous_suites(Version)}]};
 	    psk ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-		 ssl_test_lib:ssl_options(server_psk, Config)};
+                 [{ciphers, ssl_test_lib:psk_suites(Version)} | 
+                  ssl_test_lib:ssl_options(server_psk, Config)]};
 	    psk_with_hint ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-		 ssl_test_lib:ssl_options(server_psk_hint, Config)};
+		 [{ciphers, ssl_test_lib:psk_suites(Version)} |
+                  ssl_test_lib:ssl_options(server_psk_hint, Config)
+                 ]};
 	    psk_anon ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-		 ssl_test_lib:ssl_options(server_psk_anon, Config)};
+                 [{ciphers, ssl_test_lib:psk_anon_suites(Version)} |
+                  ssl_test_lib:ssl_options(server_psk_anon, Config)]};
 	    psk_anon_with_hint ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-		 ssl_test_lib:ssl_options(server_psk_anon_hint, Config)};
+                 [{ciphers, ssl_test_lib:psk_anon_suites(Version)} |
+		 ssl_test_lib:ssl_options(server_psk_anon_hint, Config)]};
 	    srp ->
 		{ssl_test_lib:ssl_options(client_srp, Config),
 		 ssl_test_lib:ssl_options(server_srp, Config)};
@@ -4556,7 +4571,7 @@ run_suites(Ciphers, Version, Config, Type) ->
 
     Result =  lists:map(fun(Cipher) ->
 				cipher(Cipher, Version, Config, ClientOpts, ServerOpts) end,
-			ssl_test_lib:filter_suites(Ciphers)),
+			ssl_test_lib:filter_suites(Ciphers, Version)),
     case lists:flatten(Result) of
 	[] ->
 	    ok;
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 49d2b5c1b8..833802b34b 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -407,20 +407,16 @@ cert_options(Config) ->
 		   {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
      {server_psk, [{ssl_imp, new},{reuseaddr, true},
 		   {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
-		   {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
-		   {ciphers, psk_suites()}]},
+		   {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
      {server_psk_hint, [{ssl_imp, new},{reuseaddr, true},
 			{certfile, ServerCertFile}, {keyfile, ServerKeyFile},
 			{psk_identity, "HINT"},
-			{user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
-			{ciphers, psk_suites()}]},
+			{user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
      {server_psk_anon, [{ssl_imp, new},{reuseaddr, true},
-			{user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
-			{ciphers, psk_anon_suites()}]},
+			{user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
      {server_psk_anon_hint, [{ssl_imp, new},{reuseaddr, true},
 			     {psk_identity, "HINT"},
-			     {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
-			     {ciphers, psk_anon_suites()}]},
+			     {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
      {client_srp, [{ssl_imp, new},{reuseaddr, true},
 		   {srp_identity, {"Test-User", "secret"}}]},
      {server_srp, [{ssl_imp, new},{reuseaddr, true},
@@ -830,17 +826,17 @@ rsa_suites(CounterPart) ->
 		    ({dhe_rsa, des_cbc, sha}) when FIPS == true ->
 			 false;
 		    ({rsa, Cipher, _}) ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({dhe_rsa, Cipher, _}) ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({ecdhe_rsa, Cipher, _}) when ECC == true ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({rsa, Cipher, _, _}) ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({dhe_rsa, Cipher, _,_}) ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({ecdhe_rsa, Cipher, _,_}) when ECC == true ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    (_) ->
 			 false
 		 end,
@@ -933,44 +929,12 @@ anonymous_suites(Version) ->
     Suites = ssl_cipher:anonymous_suites(Version),
     ssl_cipher:filter_suites(Suites).
 
-psk_suites() ->
-    Suites =
-	[{psk, rc4_128, sha},
-	 {psk, '3des_ede_cbc', sha},
-	 {psk, aes_128_cbc, sha},
-	 {psk, aes_256_cbc, sha},
-	 {psk, aes_128_cbc, sha256},
-	 {psk, aes_256_cbc, sha384},
-	 {dhe_psk, rc4_128, sha},
-	 {dhe_psk, '3des_ede_cbc', sha},
-	 {dhe_psk, aes_128_cbc, sha},
-	 {dhe_psk, aes_256_cbc, sha},
-	 {dhe_psk, aes_128_cbc, sha256},
-	 {dhe_psk, aes_256_cbc, sha384},
-	 {rsa_psk, rc4_128, sha},
-	 {rsa_psk, '3des_ede_cbc', sha},
-	 {rsa_psk, aes_128_cbc, sha},
-	 {rsa_psk, aes_256_cbc, sha},
-	 {rsa_psk, aes_128_cbc, sha256},
-	 {rsa_psk, aes_256_cbc, sha384},
-	 {psk, aes_128_gcm, null, sha256},
-	 {psk, aes_256_gcm, null, sha384},
-	 {dhe_psk, aes_128_gcm, null, sha256},
-	 {dhe_psk, aes_256_gcm, null, sha384},
-	 {rsa_psk, aes_128_gcm, null, sha256},
-	 {rsa_psk, aes_256_gcm, null, sha384}],
+psk_suites(Version) ->
+    Suites = ssl_cipher:psk_suites(Version),
     ssl_cipher:filter_suites(Suites).
 
-psk_anon_suites() ->
-    Suites =
-	[{psk, rc4_128, sha},
-	 {psk, '3des_ede_cbc', sha},
-	 {psk, aes_128_cbc, sha},
-	 {psk, aes_256_cbc, sha},
-	 {dhe_psk, rc4_128, sha},
-	 {dhe_psk, '3des_ede_cbc', sha},
-	 {dhe_psk, aes_128_cbc, sha},
-	 {dhe_psk, aes_256_cbc, sha}],
+psk_anon_suites(Version) ->
+    Suites = [Suite || Suite <- psk_suites(Version), is_psk_anon_suite(Suite)],
     ssl_cipher:filter_suites(Suites).
 
 srp_suites() ->
@@ -1258,8 +1222,8 @@ version_flag(sslv3) ->
 version_flag(sslv2) ->
     "-ssl2".
 
-filter_suites(Ciphers0) ->
-    Version = tls_record:highest_protocol_version([]),
+filter_suites(Ciphers0, AtomVersion) ->
+    Version = tls_version(AtomVersion),
     Supported0 = ssl_cipher:suites(Version)
 	++ ssl_cipher:anonymous_suites(Version)
 	++ ssl_cipher:psk_suites(Version)
@@ -1341,7 +1305,7 @@ protocol_version(Config) ->
 protocol_version(Config, tuple) ->
     case proplists:get_value(protocol, Config) of
 	dtls ->
-	    dtls_record:protocol_version(dtls_record:highest_protocol_version([]));
+	    dtls_record:highest_protocol_version(dtls_record:supported_protocol_versions());
 	_ ->
 	    tls_record:highest_protocol_version(tls_record:supported_protocol_versions())
    end;
@@ -1375,6 +1339,7 @@ clean_env() ->
     application:unset_env(ssl, session_cache_client_max),
     application:unset_env(ssl, session_cache_server_max),
     application:unset_env(ssl, ssl_pem_cache_clean),
+    application:unset_env(ssl, bypass_pem_cache),
     application:unset_env(ssl, alert_timeout).
 
 clean_start() ->
@@ -1382,3 +1347,29 @@ clean_start() ->
     application:load(ssl),
     clean_env(),
     ssl:start().
+
+is_psk_anon_suite({psk, _,_}) ->
+    true;
+is_psk_anon_suite({dhe_psk,_,_}) ->
+    true;
+is_psk_anon_suite({psk, _,_,_}) ->
+    true;
+is_psk_anon_suite({dhe_psk, _,_,_}) ->
+    true;
+is_psk_anon_suite(_) ->
+    false.
+
+cipher_atom(aes_256_cbc) ->
+    aes_cbc256;
+cipher_atom(aes_128_cbc) ->
+    aes_cbc128;
+cipher_atom('3des_ede_cbc') ->
+    des_ede3;
+cipher_atom(Atom) ->
+    Atom.
+tls_version('dtlsv1' = Atom) ->
+    dtls_v1:corresponding_tls_version(dtls_record:protocol_version(Atom));
+tls_version('dtlsv1.2' = Atom) ->
+    dtls_v1:corresponding_tls_version(dtls_record:protocol_version(Atom));
+tls_version(Atom) ->
+    tls_record:protocol_version(Atom).
author	Ingela Anderton Andin <[email protected]>	2017-01-26 11:59:11 +0100
committer	Ingela Anderton Andin <[email protected]>	2017-03-06 10:34:15 +0100
commit	658aa05997d56c742be1a1126fc921b69d5d06a5 (patch)
tree	ba4418d544c1e85d04810c003560f9679f3b6ebe /lib/ssl/test
parent	b089b27a486e7175c1145db61d464922a46cad65 (diff)
download	otp-658aa05997d56c742be1a1126fc921b69d5d06a5.tar.gz otp-658aa05997d56c742be1a1126fc921b69d5d06a5.tar.bz2 otp-658aa05997d56c742be1a1126fc921b69d5d06a5.zip