15 files changed, 225 insertions, 146 deletions
diff --git a/lib/ssl/src/dtls.erl b/lib/ssl/src/dtls.erl
index 1cad9560b5..780bddeb10 100644
--- a/lib/ssl/src/dtls.erl
+++ b/lib/ssl/src/dtls.erl
@@ -31,25 +31,29 @@
 	 handshake/1, handshake/2, handshake/3]).
 
 %%--------------------------------------------------------------------
+%%
+%% Description: Connect to a DTLS server.
+%%--------------------------------------------------------------------
+
 -spec connect(host() | port(), [connect_option()]) -> {ok, #sslsocket{}} |
 					      {error, reason()}.
+
+connect(Socket, Options) when is_port(Socket) ->
+    connect(Socket, Options, infinity).
+
 -spec connect(host() | port(), [connect_option()] | inet:port_number(),
 	      timeout() | list()) ->
 		     {ok, #sslsocket{}} | {error, reason()}.
--spec connect(host() | port(), inet:port_number(), list(), timeout()) ->
-		     {ok, #sslsocket{}} | {error, reason()}.
-
-%%
-%% Description: Connect to an DTLS server.
-%%--------------------------------------------------------------------
 
-connect(Socket, Options) when is_port(Socket) ->
-    connect(Socket, Options, infinity).
 connect(Socket, SslOptions, Timeout)  when is_port(Socket) ->
     DTLSOpts = [{protocol, dtls} | SslOptions],
     ssl:connect(Socket, DTLSOpts, Timeout);
 connect(Host, Port, Options) ->
     connect(Host, Port, Options, infinity).
+
+-spec connect(host() | port(), inet:port_number(), list(), timeout()) ->
+		     {ok, #sslsocket{}} | {error, reason()}.
+
 connect(Host, Port, Options, Timeout) ->
     DTLSOpts = [{protocol, dtls} | Options],
     ssl:connect(Host, Port, DTLSOpts, Timeout).
@@ -65,38 +69,44 @@ listen(Port, Options) ->
     ssl:listen(Port, DTLSOpts).
 
 %%--------------------------------------------------------------------
--spec accept(#sslsocket{}) -> {ok, #sslsocket{}} |
-					{error, reason()}.
--spec accept(#sslsocket{}, timeout()) -> {ok, #sslsocket{}} |
-						   {error, reason()}.
 %%
 %% Description: Performs transport accept on an ssl listen socket
 %%--------------------------------------------------------------------
+-spec accept(#sslsocket{}) -> {ok, #sslsocket{}} |
+					{error, reason()}.
 accept(ListenSocket) ->
     accept(ListenSocket, infinity).
+
+-spec accept(#sslsocket{}, timeout()) -> {ok, #sslsocket{}} |
+						   {error, reason()}.
 accept(Socket, Timeout) ->
     ssl:transport_accept(Socket, Timeout).
 
 %%--------------------------------------------------------------------
--spec handshake(#sslsocket{}) -> ok | {error, reason()}.
--spec handshake(#sslsocket{} | port(), timeout()| [ssl_option()
-						    | transport_option()]) ->
-			ok | {ok, #sslsocket{}} | {error, reason()}.
--spec handshake(port(), [ssl_option()| transport_option()], timeout()) ->
-			{ok, #sslsocket{}} | {error, reason()}.
 %%
 %% Description: Performs accept on an ssl listen socket. e.i. performs
 %%              ssl handshake.
 %%--------------------------------------------------------------------
 
+-spec handshake(#sslsocket{}) -> ok | {error, reason()}.
+
 handshake(ListenSocket) ->
     handshake(ListenSocket, infinity).
 
+
+-spec handshake(#sslsocket{} | port(), timeout()| [ssl_option()
+						    | transport_option()]) ->
+			ok | {ok, #sslsocket{}} | {error, reason()}.
+
 handshake(#sslsocket{} = Socket, Timeout) ->
     ssl:ssl_accept(Socket, Timeout);
 
 handshake(ListenSocket, SslOptions)  when is_port(ListenSocket) ->
     handshake(ListenSocket, SslOptions, infinity).
 
+
+-spec handshake(port(), [ssl_option()| transport_option()], timeout()) ->
+			{ok, #sslsocket{}} | {error, reason()}.
+
 handshake(Socket, SslOptions, Timeout) when is_port(Socket) ->
     ssl:ssl_accept(Socket, SslOptions, Timeout).
diff --git a/lib/ssl/src/dtls_handshake.erl b/lib/ssl/src/dtls_handshake.erl
index ec7f21bd35..5db2434753 100644
--- a/lib/ssl/src/dtls_handshake.erl
+++ b/lib/ssl/src/dtls_handshake.erl
@@ -342,7 +342,7 @@ dtls_fragment_init(Length, 0, Length, Body) ->
     {Length, [{0, Length}], Body};
 dtls_fragment_init(Length, FragmentOffset, FragmentLength, Body) ->
     Bin = dtls_fragment_bin_add(FragmentOffset, FragmentLength, Body, <<0:(Length*8)>>),
-    {Length, [{FragmentOffset, FragmentLength}], Bin}.
+    {Length, [{FragmentOffset, FragmentOffset + FragmentLength}], Bin}.
 
 dtls_fragment_bin_add(FragmentOffset, FragmentLength, Add, Buffer) ->
     <<First:FragmentOffset/bytes, _:FragmentLength/bytes, Rest/binary>> = Buffer,
diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src
index 68ebc49e4a..99839f6149 100644
--- a/lib/ssl/src/ssl.app.src
+++ b/lib/ssl/src/ssl.app.src
@@ -47,6 +47,8 @@
     {registered, [ssl_sup, ssl_manager]},
     {applications, [crypto, public_key, kernel, stdlib]},
     {env, []},
-    {mod, {ssl_app, []}}]}.
+    {mod, {ssl_app, []}},
+    {runtime_dependencies, ["stdlib-2.0","public_key-0.22","kernel-3.0",
+			    "erts-6.0","crypto-3.3"]}]}.
 
 
diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index 3a64841976..b0ef292c4e 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -1,27 +1,36 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
-  {<<"5.3.2">>, [{load_module, ssl, soft_purge, soft_purge, []},
-		 {load_module, ssl_connection, soft_purge, soft_purge, []},
-		 {load_module, ssl_handshake, soft_purge, soft_purge, []},
-		 {load_module, tls_connection, soft_purge, soft_purge, []}]},
-  {<<"5.3.1">>, [{restart_application, ssl}]},
-  {<<"5.2\\*">>, [{restart_application, ssl}]},
-  {<<"5.1\\*">>, [{restart_application, ssl}]},
-  {<<"5.0\\*">>, [{restart_application, ssl}]},
-  {<<"4\\.*">>, [{restart_application, ssl}]},
-  {<<"3\\.*">>, [{restart_application, ssl}]}
+  {"5.3.3", [{load_module, ssl, soft_purge, soft_purge, []},
+	     {load_module, ssl_connection, soft_purge, soft_purge, []},
+	     {load_module, ssl_handshake, soft_purge, soft_purge, []},
+	     {load_module, tls_handshake, soft_purge, soft_purge, []},
+	     {load_module, tls_connection, soft_purge, soft_purge, []}]},
+  {"5.3.2", [{load_module, ssl, soft_purge, soft_purge, []},
+	     {load_module, ssl_connection, soft_purge, soft_purge, []},
+	     {load_module, ssl_handshake, soft_purge, soft_purge, []},
+	     {load_module, tls_handshake, soft_purge, soft_purge, []},
+	     {load_module, tls_connection, soft_purge, soft_purge, []}]},
+  {<<"5\\.3\\.1($|\\..*)">>, [{restart_application, ssl}]},
+  {<<"5\\.[0-2]($|\\..*)">>, [{restart_application, ssl}]},
+  {<<"4\\..*">>, [{restart_application, ssl}]},
+  {<<"3\\..*">>, [{restart_application, ssl}]}
  ], 
  [
-  {<<"5.3.2">>, [{load_module, ssl, soft_purge, soft_purge, []},
-		 {load_module, ssl_connection, soft_purge, soft_purge, []},
-		 {load_module, ssl_handshake, soft_purge, soft_purge, []},
-		 {load_module, tls_connection, soft_purge, soft_purge, []}]},
-  {<<"5.3.1">>, [{restart_application, ssl}]},
-  {<<"5.2\\*">>, [{restart_application, ssl}]},
-  {<<"5.1\\*">>, [{restart_application, ssl}]},
-  {<<"5.0\\*">>, [{restart_application, ssl}]},
-  {<<"4\\.*">>, [{restart_application, ssl}]},
-  {<<"3\\.*">>, [{restart_application, ssl}]}
- ]}.
+  {"5.3.3", [{load_module, ssl, soft_purge, soft_purge, []},
+	     {load_module, ssl_connection, soft_purge, soft_purge, []},
+	     {load_module, ssl_handshake, soft_purge, soft_purge, []},
+	     {load_module, tls_handshake, soft_purge, soft_purge, []},
+	     {load_module, tls_connection, soft_purge, soft_purge, []}]},
+  {"5.3.2", [{load_module, ssl, soft_purge, soft_purge, []},
+	     {load_module, ssl_connection, soft_purge, soft_purge, []},
+	     {load_module, ssl_handshake, soft_purge, soft_purge, []},
+	     {load_module, tls_handshake, soft_purge, soft_purge, []},
+	     {load_module, tls_connection, soft_purge, soft_purge, []}]},
+  {<<"5\\.3\\.1($|\\..*)">>, [{restart_application, ssl}]},
+  {<<"5\\.[0-2]($|\\..*)">>, [{restart_application, ssl}]},
+  {<<"4\\..*">>, [{restart_application, ssl}]},
+  {<<"3\\..*">>, [{restart_application, ssl}]}
+ ]
+}.
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index a7fd9f5f81..9e098e12c4 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -557,6 +557,7 @@ do_connect(Address, Port,
 handle_options(Opts0, _Role) ->
     Opts = proplists:expand([{binary, [{mode, binary}]},
 			     {list, [{mode, list}]}], Opts0),
+    assert_proplist(Opts),
     ReuseSessionFun = fun(_, _, _, _) -> true end,
 
     DefaultVerifyNoneFun =
@@ -626,7 +627,7 @@ handle_options(Opts0, _Role) ->
 		    user_lookup_fun = handle_option(user_lookup_fun, Opts, undefined),
 		    psk_identity = handle_option(psk_identity, Opts, undefined),
 		    srp_identity = handle_option(srp_identity, Opts, undefined),
-		    ciphers    = handle_option(ciphers, Opts, []),
+		    ciphers    = handle_cipher_option(proplists:get_value(ciphers, Opts, []), hd(Versions)),
 		    %% Server side option
 		    reuse_session = handle_option(reuse_session, Opts, ReuseSessionFun),
 		    reuse_sessions = handle_option(reuse_sessions, Opts, true),
@@ -640,7 +641,8 @@ handle_options(Opts0, _Role) ->
 			make_next_protocol_selector(
 			  handle_option(client_preferred_next_protocols, Opts, undefined)),
 		    log_alert = handle_option(log_alert, Opts, true),
-		    server_name_indication = handle_option(server_name_indication, Opts, undefined)
+		    server_name_indication = handle_option(server_name_indication, Opts, undefined),
+		    honor_cipher_order = handle_option(honor_cipher_order, Opts, false)
 		   },
 
     CbInfo  = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed, tcp_error}),
@@ -652,7 +654,8 @@ handle_options(Opts0, _Role) ->
 		  reuse_session, reuse_sessions, ssl_imp,
 		  cb_info, renegotiate_at, secure_renegotiate, hibernate_after,
 		  erl_dist, next_protocols_advertised,
-		  client_preferred_next_protocols, log_alert, server_name_indication],
+		  client_preferred_next_protocols, log_alert,
+		  server_name_indication, honor_cipher_order],
 
     SockOpts = lists:foldl(fun(Key, PropList) ->
 				   proplists:delete(Key, PropList)
@@ -695,11 +698,9 @@ validate_option(verify_fun, Fun) when is_function(Fun) ->
      end, Fun};
 validate_option(verify_fun, {Fun, _} = Value) when is_function(Fun) ->
    Value;
-validate_option(fail_if_no_peer_cert, Value)
-  when Value == true; Value == false ->
+validate_option(fail_if_no_peer_cert, Value) when is_boolean(Value) ->
     Value;
-validate_option(verify_client_once, Value)
-  when Value == true; Value == false ->
+validate_option(verify_client_once, Value) when is_boolean(Value) ->
     Value;
 validate_option(depth, Value) when is_integer(Value),
                                    Value >= 0, Value =< 255->
@@ -712,7 +713,7 @@ validate_option(certfile, undefined = Value) ->
 validate_option(certfile, Value) when is_binary(Value) ->
     Value;
 validate_option(certfile, Value) when is_list(Value) ->
-    list_to_binary(Value);
+    binary_filename(Value);
 
 validate_option(key, undefined) ->
     undefined;
@@ -729,7 +730,7 @@ validate_option(keyfile, undefined) ->
 validate_option(keyfile, Value) when is_binary(Value) ->
     Value;
 validate_option(keyfile, Value) when is_list(Value), Value =/= "" ->
-    list_to_binary(Value);
+    binary_filename(Value);
 validate_option(password, Value) when is_list(Value) ->
     Value;
 
@@ -743,7 +744,7 @@ validate_option(cacertfile, undefined) ->
 validate_option(cacertfile, Value) when is_binary(Value) ->
     Value;
 validate_option(cacertfile, Value) when is_list(Value), Value =/= ""->
-    list_to_binary(Value);
+    binary_filename(Value);
 validate_option(dh, Value) when Value == undefined;
 				is_binary(Value) ->
     Value;
@@ -752,12 +753,12 @@ validate_option(dhfile, undefined = Value)  ->
 validate_option(dhfile, Value) when is_binary(Value) ->
     Value;
 validate_option(dhfile, Value) when is_list(Value), Value =/= "" ->
-    list_to_binary(Value);
+    binary_filename(Value);
 validate_option(psk_identity, undefined) ->
     undefined;
 validate_option(psk_identity, Identity)
   when is_list(Identity), Identity =/= "", length(Identity) =< 65535 ->
-    list_to_binary(Identity);
+    binary_filename(Identity);
 validate_option(user_lookup_fun, undefined) ->
     undefined;
 validate_option(user_lookup_fun, {Fun, _} = Value) when is_function(Fun, 3) ->
@@ -766,25 +767,15 @@ validate_option(srp_identity, undefined) ->
     undefined;
 validate_option(srp_identity, {Username, Password})
   when is_list(Username), is_list(Password), Username =/= "", length(Username) =< 255 ->
-    {list_to_binary(Username), list_to_binary(Password)};
+    {unicode:characters_to_binary(Username),
+     unicode:characters_to_binary(Password)};
 
-validate_option(ciphers, Value)  when is_list(Value) ->
-    Version = tls_record:highest_protocol_version([]),
-    try cipher_suites(Version, Value)
-    catch
-	exit:_ ->
-	    throw({error, {options, {ciphers, Value}}});
-	error:_->
-	    throw({error, {options, {ciphers, Value}}})
-    end;
 validate_option(reuse_session, Value) when is_function(Value) ->
     Value;
-validate_option(reuse_sessions, Value) when Value == true;
-					    Value == false ->
+validate_option(reuse_sessions, Value) when is_boolean(Value) ->
     Value;
 
-validate_option(secure_renegotiate, Value) when Value == true;
-						Value == false ->
+validate_option(secure_renegotiate, Value) when is_boolean(Value) ->
     Value;
 validate_option(renegotiate_at, Value) when is_integer(Value) ->
     erlang:min(Value, ?DEFAULT_RENEGOTIATE_AT);
@@ -793,8 +784,7 @@ validate_option(hibernate_after, undefined) ->
     undefined;
 validate_option(hibernate_after, Value) when is_integer(Value), Value >= 0 ->
     Value;
-validate_option(erl_dist,Value) when Value == true;
-				     Value == false ->
+validate_option(erl_dist,Value) when is_boolean(Value) ->
     Value;
 validate_option(client_preferred_next_protocols = Opt, {Precedence, PreferredProtocols} = Value)
   when is_list(PreferredProtocols) ->
@@ -820,8 +810,7 @@ validate_option(client_preferred_next_protocols = Opt, {Precedence, PreferredPro
 
 validate_option(client_preferred_next_protocols, undefined) ->
     undefined;
-validate_option(log_alert, Value) when Value == true;
-				       Value == false ->
+validate_option(log_alert, Value) when is_boolean(Value) ->
     Value;
 validate_option(next_protocols_advertised = Opt, Value) when is_list(Value) ->
     case tls_record:highest_protocol_version([]) of
@@ -840,6 +829,8 @@ validate_option(server_name_indication, disable) ->
     disable;
 validate_option(server_name_indication, undefined) ->
     undefined;
+validate_option(honor_cipher_order, Value) when is_boolean(Value) ->
+    Value;
 validate_option(Opt, Value) ->
     throw({error, {options, {Opt, Value}}}).
 
@@ -938,16 +929,26 @@ emulated_options([Opt|Opts], Inet, Emulated) ->
 emulated_options([], Inet,Emulated) ->
     {Inet, Emulated}.
 
-cipher_suites(Version, []) ->
+handle_cipher_option(Value, Version)  when is_list(Value) ->
+    try binary_cipher_suites(Version, Value) of
+	Suites ->
+	    Suites
+    catch
+	exit:_ ->
+	    throw({error, {options, {ciphers, Value}}});
+	error:_->
+	    throw({error, {options, {ciphers, Value}}})
+    end.
+binary_cipher_suites(Version, []) -> %% Defaults to all supported suits
     ssl_cipher:suites(Version);
-cipher_suites(Version, [{_,_,_,_}| _] = Ciphers0) -> %% Backwards compatibility
+binary_cipher_suites(Version, [{_,_,_,_}| _] = Ciphers0) -> %% Backwards compatibility
     Ciphers = [{KeyExchange, Cipher, Hash} || {KeyExchange, Cipher, Hash, _} <- Ciphers0],
-    cipher_suites(Version, Ciphers);
-cipher_suites(Version, [{_,_,_}| _] = Ciphers0) ->
+    binary_cipher_suites(Version, Ciphers);
+binary_cipher_suites(Version, [{_,_,_}| _] = Ciphers0) ->
     Ciphers = [ssl_cipher:suite(C) || C <- Ciphers0],
-    cipher_suites(Version, Ciphers);
+    binary_cipher_suites(Version, Ciphers);
 
-cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
+binary_cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
     Supported0 = ssl_cipher:suites(Version)
 	++ ssl_cipher:anonymous_suites()
 	++ ssl_cipher:psk_suites(Version)
@@ -955,18 +956,18 @@ cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
     Supported = ssl_cipher:filter_suites(Supported0),
     case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported)] of
 	[] ->
-	    Supported;
+	    Supported;  %% Defaults to all supported suits
 	Ciphers ->
 	    Ciphers
     end;
-cipher_suites(Version, [Head | _] = Ciphers0) when is_list(Head) ->
+binary_cipher_suites(Version, [Head | _] = Ciphers0) when is_list(Head) ->
     %% Format: ["RC4-SHA","RC4-MD5"]
     Ciphers = [ssl_cipher:openssl_suite(C) || C <- Ciphers0],
-    cipher_suites(Version, Ciphers);
-cipher_suites(Version, Ciphers0)  ->
+    binary_cipher_suites(Version, Ciphers);
+binary_cipher_suites(Version, Ciphers0)  ->
     %% Format: "RC4-SHA:RC4-MD5"
     Ciphers = [ssl_cipher:openssl_suite(C) || C <- string:tokens(Ciphers0, ":")],
-    cipher_suites(Version, Ciphers).
+    binary_cipher_suites(Version, Ciphers).
 
 unexpected_format(Error) ->
     lists:flatten(io_lib:format("Unexpected error: ~p", [Error])).
@@ -1038,3 +1039,19 @@ connection_sup(tls_connection) ->
     tls_connection_sup;
 connection_sup(dtls_connection) ->
     dtls_connection_sup.
+
+binary_filename(FileName) ->
+    Enc = file:native_name_encoding(),
+    unicode:characters_to_binary(FileName, unicode, Enc).
+
+assert_proplist([]) ->
+    true;
+assert_proplist([{Key,_} | Rest]) when is_atom(Key) ->
+    assert_proplist(Rest);
+%% Handle exceptions 
+assert_proplist([inet | Rest]) ->
+    assert_proplist(Rest);
+assert_proplist([inet6 | Rest]) ->
+    assert_proplist(Rest);
+assert_proplist([Value | _]) ->
+    throw({option_not_a_key_value_tuple, Value}).
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 82106935cb..e283e6079e 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2013-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2013-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -1757,12 +1757,12 @@ handle_unrecv_data(StateName, #state{socket = Socket, transport_cb = Transport,
 	    Connection:handle_close_alert(Data, StateName, State)
     end.
 
-handle_trusted_certs_db(#state{ssl_options = #ssl_options{cacertfile = <<>>}}) ->
+handle_trusted_certs_db(#state{ssl_options = #ssl_options{cacertfile = <<>>, cacerts = []}}) ->
     %% No trusted certs specified
     ok;
 handle_trusted_certs_db(#state{cert_db_ref = Ref,
 			       cert_db = CertDb,
-			       ssl_options = #ssl_options{cacertfile = undefined}}) ->
+			       ssl_options = #ssl_options{cacertfile = <<>>}}) ->
     %% Certs provided as DER directly can not be shared
     %% with other connections and it is safe to delete them when the connection ends.
     ssl_pkix_db:remove_trusted_certs(Ref, CertDb);
diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl
index 27489ca325..341a4217e4 100644
--- a/lib/ssl/src/ssl_connection.hrl
+++ b/lib/ssl/src/ssl_connection.hrl
@@ -2,7 +2,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2013-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2013-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -41,7 +41,7 @@
           data_tag              :: atom(),   % ex tcp.
 	  close_tag             :: atom(),   % ex tcp_closed
 	  error_tag             :: atom(),   % ex tcp_error
-          host                  :: string() | inet:ipaddress(),
+          host                  :: string() | inet:ip_address(),
           port                  :: integer(),
           socket                :: port(),
           ssl_options           :: #ssl_options{},
@@ -73,7 +73,7 @@
 	  renegotiation        :: undefined | {boolean(), From::term() | internal | peer},
 	  start_or_recv_from   :: term(),
 	  timer                :: undefined | reference(), % start_or_recive_timer
-	  send_queue           :: queue(),
+	  send_queue           :: queue:queue(),
 	  terminated = false                          ::boolean(),
 	  allow_renegotiate = true                    ::boolean(),
           expecting_next_protocol_negotiation = false ::boolean(),
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 2b9bae6e80..74ca7ca699 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -164,7 +164,7 @@ next_protocol(SelectedProtocol) ->
 
 %%--------------------------------------------------------------------
 -spec client_certificate_verify(undefined | der_cert(), binary(),
-				tls_version(), term(), private_key(),
+				tls_version(), term(), public_key:private_key(),
 				tls_handshake_history()) ->
     #certificate_verify{} | ignore | #alert{}.
 %%
@@ -207,12 +207,12 @@ certificate_request(CipherSuite, CertDbHandle, CertDbRef, Version) ->
 		   {premaster_secret, binary(), public_key_info()} |
 		   {dh, binary()} |
 		   {dh, {binary(), binary()}, #'DHParameter'{}, {HashAlgo::atom(), SignAlgo::atom()},
-		   binary(), binary(), private_key()} |
+		   binary(), binary(), public_key:private_key()} |
 		   {ecdh, #'ECPrivateKey'{}} |
 		   {psk, binary()} |
 		   {dhe_psk, binary(), binary()} |
 		   {srp, {binary(), binary()}, #srp_user{}, {HashAlgo::atom(), SignAlgo::atom()},
-		   binary(), binary(), private_key()}) ->
+		   binary(), binary(), public_key:private_key()}) ->
     #client_key_exchange{} | #server_key_exchange{}.
 
 %%
@@ -315,8 +315,7 @@ finished(Version, Role, PrfAlgo, MasterSecret, {Handshake, _}) -> % use the curr
 
 %% ---------- Handle handshake messages  ----------
 
-verify_server_key(#server_key_params{params = Params,
-				     params_bin = EncParams,
+verify_server_key(#server_key_params{params_bin = EncParams,
 				     signature = Signature},
 		  HashSign = {HashAlgo, _},
 		  ConnectionStates, Version, PubKeyInfo) ->
@@ -1029,14 +1028,15 @@ cipher_suites(Suites, true) ->
 
 select_session(SuggestedSessionId, CipherSuites, Compressions, Port, #session{ecc = ECCCurve} = 
 		   Session, Version,
-	       #ssl_options{ciphers = UserSuites} = SslOpts, Cache, CacheCb, Cert) ->
+	       #ssl_options{ciphers = UserSuites, honor_cipher_order = HCO} = SslOpts,
+	       Cache, CacheCb, Cert) ->
     {SessionId, Resumed} = ssl_session:server_id(Port, SuggestedSessionId,
 						 SslOpts, Cert,
 						 Cache, CacheCb),
     case Resumed of
         undefined ->
 	    Suites = available_suites(Cert, UserSuites, Version, ECCCurve),
-	    CipherSuite = select_cipher_suite(CipherSuites, Suites),
+	    CipherSuite = select_cipher_suite(CipherSuites, Suites, HCO),
 	    Compression = select_compression(Compressions),
 	    {new, Session#session{session_id = SessionId,
 				  cipher_suite = CipherSuite,
@@ -1654,7 +1654,16 @@ dec_hello_extensions(<<?UINT16(?SIGNATURE_ALGORITHMS_EXT), ?UINT16(Len),
 dec_hello_extensions(<<?UINT16(?ELLIPTIC_CURVES_EXT), ?UINT16(Len),
 		       ExtData:Len/binary, Rest/binary>>, Acc) ->
     <<?UINT16(_), EllipticCurveList/binary>> = ExtData,
-    EllipticCurves = [tls_v1:enum_to_oid(X) || <<X:16>> <= EllipticCurveList],
+    %% Ignore unknown curves
+    Pick = fun(Enum) ->
+		   case tls_v1:enum_to_oid(Enum) of
+		       undefined ->
+			   false;
+		       Oid ->
+			   {true, Oid}
+		   end
+	   end,
+    EllipticCurves = lists:filtermap(Pick, [ECC || <<ECC:16>> <= EllipticCurveList]),
     dec_hello_extensions(Rest, Acc#hello_extensions{elliptic_curves =
 							#elliptic_curves{elliptic_curve_list =
 									     EllipticCurves}});
@@ -1796,6 +1805,11 @@ handle_srp_extension(#srp{username = Username}, Session) ->
 
 %%-------------Misc --------------------------------
 
+select_cipher_suite(CipherSuites, Suites, false) ->
+    select_cipher_suite(CipherSuites, Suites);
+select_cipher_suite(CipherSuites, Suites, true) ->
+    select_cipher_suite(Suites, CipherSuites).
+
 select_cipher_suite([], _) ->
    no_suite;
 select_cipher_suite([Suite | ClientSuites], SupportedSuites) ->
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 0186f9fca2..64b89e9f95 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -35,7 +35,6 @@
 -type certdb_ref()        :: reference().
 -type db_handle()         :: term().
 -type der_cert()          :: binary().
--type private_key()       :: #'RSAPrivateKey'{} | #'DSAPrivateKey'{} | #'ECPrivateKey'{}.
 -type issuer()            :: tuple().
 -type serialnumber()      :: integer().
 -type cert_key()          :: {reference(), integer(), issuer()}.
@@ -83,13 +82,13 @@
 	  validate_extensions_fun, 
 	  depth                :: integer(),
 	  certfile             :: binary(),
-	  cert                 :: der_encoded(),
+	  cert                 :: public_key:der_encoded(),
 	  keyfile              :: binary(),
-	  key	               :: {'RSAPrivateKey' | 'DSAPrivateKey' | 'ECPrivateKey' | 'PrivateKeyInfo', der_encoded()},
+	  key	               :: {'RSAPrivateKey' | 'DSAPrivateKey' | 'ECPrivateKey' | 'PrivateKeyInfo', public_key:der_encoded()},
 	  password	       :: string(),
-	  cacerts              :: [der_encoded()],
+	  cacerts              :: [public_key:der_encoded()],
 	  cacertfile           :: binary(),
-	  dh                   :: der_encoded(),
+	  dh                   :: public_key:der_encoded(),
 	  dhfile               :: binary(),
 	  user_lookup_fun,  % server option, fun to lookup the user
 	  psk_identity         :: binary(),
@@ -114,7 +113,10 @@
 	  next_protocols_advertised = undefined, %% [binary()],
 	  next_protocol_selector = undefined,  %% fun([binary()]) -> binary())
 	  log_alert             :: boolean(),
-	  server_name_indication = undefined
+	  server_name_indication = undefined,
+	  %% Should the server prefer its own cipher order over the one provided by
+	  %% the client?
+	  honor_cipher_order = false
 	  }).
 
 -record(config, {ssl,               %% SSL parameters
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index 4d5eaeb607..fbc73e0e42 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -167,27 +167,27 @@ clean_cert_db(Ref, File) ->
     ok.
 
 %%--------------------------------------------------------------------
--spec register_session(inet:port_number(), #session{}) -> ok.
--spec register_session(host(), inet:port_number(), #session{}) -> ok.
 %%
 %% Description: Make the session available for reuse.
 %%--------------------------------------------------------------------
+-spec register_session(host(), inet:port_number(), #session{}) -> ok.
 register_session(Host, Port, Session) ->
     cast({register_session, Host, Port, Session}).
 
+-spec register_session(inet:port_number(), #session{}) -> ok.
 register_session(Port, Session) ->
     cast({register_session, Port, Session}).
 %%--------------------------------------------------------------------
--spec invalidate_session(inet:port_number(), #session{}) -> ok.
--spec invalidate_session(host(), inet:port_number(), #session{}) -> ok.
 %%
 %% Description: Make the session unavailable for reuse. After
 %% a the session has been marked "is_resumable = false" for some while
 %% it will be safe to remove the data from the session database.
 %%--------------------------------------------------------------------
+-spec invalidate_session(host(), inet:port_number(), #session{}) -> ok.
 invalidate_session(Host, Port, Session) ->
     cast({invalidate_session, Host, Port, Session}).
 
+-spec invalidate_session(inet:port_number(), #session{}) -> ok.
 invalidate_session(Port, Session) ->
     cast({invalidate_session, Port, Session}).
 
diff --git a/lib/ssl/src/ssl_pkix_db.erl b/lib/ssl/src/ssl_pkix_db.erl
index 9de50c8f26..e59aba0618 100644
--- a/lib/ssl/src/ssl_pkix_db.erl
+++ b/lib/ssl/src/ssl_pkix_db.erl
@@ -115,17 +115,17 @@ add_trusted_certs(_Pid, File, [CertsDb, RefDb, PemChache] = Db) ->
 	    new_trusted_cert_entry({MD5, File}, Db)
     end.
 %%--------------------------------------------------------------------
--spec cache_pem_file({binary(), binary()}, [db_handle()]) -> {ok, term()}.
--spec cache_pem_file(reference(), {binary(), binary()}, [db_handle()]) -> {ok, term()}.
 %%
 %% Description: Cache file as binary in DB
 %%--------------------------------------------------------------------
+-spec cache_pem_file({binary(), binary()}, [db_handle()]) -> {ok, term()}.
 cache_pem_file({MD5, File}, [_CertsDb, _RefDb, PemChache]) ->
     {ok, PemBin} = file:read_file(File),
     Content = public_key:pem_decode(PemBin),
     insert(MD5, Content, PemChache),
     {ok, Content}.
 
+-spec cache_pem_file(reference(), {binary(), binary()}, [db_handle()]) -> {ok, term()}.
 cache_pem_file(Ref, {MD5, File}, [_CertsDb, _RefDb, PemChache]) ->
     {ok, PemBin} = file:read_file(File),
     Content = public_key:pem_decode(PemBin),
diff --git a/lib/ssl/src/ssl_sup.erl b/lib/ssl/src/ssl_sup.erl
index 77b40a7b38..e1aeb11ca4 100644
--- a/lib/ssl/src/ssl_sup.erl
+++ b/lib/ssl/src/ssl_sup.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 1998-2013. All Rights Reserved.
+%% Copyright Ericsson AB 1998-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -89,14 +89,14 @@ tls_connection_manager_child_spec() ->
     Type = supervisor,
     {Name, StartFunc, Restart, Shutdown, Type, Modules}.
 
-dtls_connection_manager_child_spec() ->
-    Name = dtls_connection,  
-    StartFunc = {dtls_connection_sup, start_link, []},
-    Restart = permanent, 
-    Shutdown = 4000,
-    Modules = [dtls_connection, ssl_connection],
-    Type = supervisor,
-    {Name, StartFunc, Restart, Shutdown, Type, Modules}.
+%% dtls_connection_manager_child_spec() ->
+%%     Name = dtls_connection,  
+%%     StartFunc = {dtls_connection_sup, start_link, []},
+%%     Restart = permanent, 
+%%     Shutdown = 4000,
+%%     Modules = [dtls_connection, ssl_connection],
+%%     Type = supervisor,
+%%     {Name, StartFunc, Restart, Shutdown, Type, Modules}.
 
 session_cb_init_args() ->
     case application:get_env(ssl, session_cb_init_args) of
diff --git a/lib/ssl/src/tls.erl b/lib/ssl/src/tls.erl
index 3e7b2db9c2..c829129250 100644
--- a/lib/ssl/src/tls.erl
+++ b/lib/ssl/src/tls.erl
@@ -30,25 +30,29 @@
 	 handshake/1, handshake/2, handshake/3]).
 
 %%--------------------------------------------------------------------
--spec connect(host() | port(), [connect_option()]) -> {ok, #sslsocket{}} |
-					      {error, reason()}.
--spec connect(host() | port(), [connect_option()] | inet:port_number(), 
-	      timeout() | list()) ->
-		     {ok, #sslsocket{}} | {error, reason()}.
--spec connect(host() | port(), inet:port_number(), list(), timeout()) ->
-		     {ok, #sslsocket{}} | {error, reason()}.
-
 %%
 %% Description: Connect to an TLS server.
 %%--------------------------------------------------------------------
 
+-spec connect(host() | port(), [connect_option()]) -> {ok, #sslsocket{}} |
+					      {error, reason()}.
+
 connect(Socket, Options) when is_port(Socket) ->
     connect(Socket, Options, infinity).
+
+-spec connect(host() | port(), [connect_option()] | inet:port_number(),
+	      timeout() | list()) ->
+		     {ok, #sslsocket{}} | {error, reason()}.
+
 connect(Socket, SslOptions, Timeout)  when is_port(Socket) ->
     TLSOpts = [{protocol, tls} | SslOptions],
     ssl:connect(Socket, TLSOpts, Timeout);
 connect(Host, Port, Options) ->
     connect(Host, Port, Options, infinity).
+
+-spec connect(host() | port(), inet:port_number(), list(), timeout()) ->
+		     {ok, #sslsocket{}} | {error, reason()}.
+
 connect(Host, Port, Options, Timeout) ->
     TLSOpts = [{protocol, tls} | Options],
     ssl:connect(Host, Port, TLSOpts, Timeout).
@@ -64,39 +68,44 @@ listen(Port, Options) ->
     ssl:listen(Port, TLSOpts).
 
 %%--------------------------------------------------------------------
--spec accept(#sslsocket{}) -> {ok, #sslsocket{}} |
-					{error, reason()}.
--spec accept(#sslsocket{}, timeout()) -> {ok, #sslsocket{}} |
-						   {error, reason()}.
 %%
 %% Description: Performs transport accept on an ssl listen socket
 %%--------------------------------------------------------------------
+-spec accept(#sslsocket{}) -> {ok, #sslsocket{}} |
+					{error, reason()}.
 accept(ListenSocket) ->
     accept(ListenSocket, infinity).
+
+-spec accept(#sslsocket{}, timeout()) -> {ok, #sslsocket{}} |
+						   {error, reason()}.
 accept(Socket, Timeout) ->
     ssl:transport_accept(Socket, Timeout).
 
 %%--------------------------------------------------------------------
--spec handshake(#sslsocket{}) -> ok | {error, reason()}.
--spec handshake(#sslsocket{} | port(), timeout()| [ssl_option()
-						    | transport_option()]) ->
-			ok | {ok, #sslsocket{}} | {error, reason()}.
--spec handshake(port(), [ssl_option()| transport_option()], timeout()) ->
-			{ok, #sslsocket{}} | {error, reason()}.
 %%
 %% Description: Performs accept on an ssl listen socket. e.i. performs
 %%              ssl handshake. 
 %%--------------------------------------------------------------------
 
+-spec handshake(#sslsocket{}) -> ok | {error, reason()}.
+
 handshake(ListenSocket) ->
     handshake(ListenSocket, infinity).
 
 
+-spec handshake(#sslsocket{} | port(), timeout()| [ssl_option()
+						    | transport_option()]) ->
+			ok | {ok, #sslsocket{}} | {error, reason()}.
+
 handshake(#sslsocket{} = Socket, Timeout) ->
     ssl:ssl_accept(Socket, Timeout);
     
 handshake(ListenSocket, SslOptions)  when is_port(ListenSocket) ->
     handshake(ListenSocket, SslOptions, infinity).
 
+
+-spec handshake(port(), [ssl_option()| transport_option()], timeout()) ->
+			{ok, #sslsocket{}} | {error, reason()}.
+
 handshake(Socket, SslOptions, Timeout) when is_port(Socket) ->
     ssl:ssl_accept(Socket, SslOptions, Timeout).
diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
index 88107557a0..8c0c4f3c91 100644
--- a/lib/ssl/src/tls_record.erl
+++ b/lib/ssl/src/tls_record.erl
@@ -262,18 +262,18 @@ supported_protocol_versions([_|_] = Vsns) ->
     Vsns.
 
 %%--------------------------------------------------------------------
--spec is_acceptable_version(tls_version()) -> boolean().
--spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean().
 %%     
 %% Description: ssl version 2 is not acceptable security risks are too big.
 %% 
 %%--------------------------------------------------------------------
+-spec is_acceptable_version(tls_version()) -> boolean().
 is_acceptable_version({N,_}) 
   when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
     true;
 is_acceptable_version(_) ->
     false.
 
+-spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean().
 is_acceptable_version({N,_} = Version, Versions)   
   when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
     lists:member(Version, Versions);
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index 2395e98642..7b1f53b969 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -368,11 +368,19 @@ finished_label(server) ->
 
 %% list ECC curves in prefered order
 ecc_curves(_Minor) ->
-    [?sect571r1,?sect571k1,?secp521r1,?sect409k1,?sect409r1,
-     ?secp384r1,?sect283k1,?sect283r1,?secp256k1,?secp256r1,
-     ?sect239k1,?sect233k1,?sect233r1,?secp224k1,?secp224r1,
-     ?sect193r1,?sect193r2,?secp192k1,?secp192r1,?sect163k1,
-     ?sect163r1,?sect163r2,?secp160k1,?secp160r1,?secp160r2].
+    TLSCurves = [sect571r1,sect571k1,secp521r1,brainpoolP512r1,
+		 sect409k1,sect409r1,brainpoolP384r1,secp384r1,
+		 sect283k1,sect283r1,brainpoolP256r1,secp256k1,secp256r1,
+		 sect239k1,sect233k1,sect233r1,secp224k1,secp224r1,
+		 sect193r1,sect193r2,secp192k1,secp192r1,sect163k1,
+		 sect163r1,sect163r2,secp160k1,secp160r1,secp160r2],
+    CryptoCurves = crypto:ec_curves(),
+    lists:foldr(fun(Curve, Curves) ->
+			case proplists:get_bool(Curve, CryptoCurves) of
+			    true ->  [pubkey_cert_records:namedCurves(Curve)|Curves];
+			    false -> Curves
+			end
+		end, [], TLSCurves).
 
 %% ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005)
 oid_to_enum(?sect163k1) -> 1;
@@ -399,7 +407,10 @@ oid_to_enum(?secp224r1) -> 21;
 oid_to_enum(?secp256k1) -> 22;
 oid_to_enum(?secp256r1) -> 23;
 oid_to_enum(?secp384r1) -> 24;
-oid_to_enum(?secp521r1) -> 25.
+oid_to_enum(?secp521r1) -> 25;
+oid_to_enum(?brainpoolP256r1) -> 26;
+oid_to_enum(?brainpoolP384r1) -> 27;
+oid_to_enum(?brainpoolP512r1) -> 28.
 
 enum_to_oid(1) -> ?sect163k1;
 enum_to_oid(2) -> ?sect163r1;
@@ -425,7 +436,12 @@ enum_to_oid(21) -> ?secp224r1;
 enum_to_oid(22) -> ?secp256k1;
 enum_to_oid(23) -> ?secp256r1;
 enum_to_oid(24) -> ?secp384r1;
-enum_to_oid(25) -> ?secp521r1.
+enum_to_oid(25) -> ?secp521r1;
+enum_to_oid(26) -> ?brainpoolP256r1;
+enum_to_oid(27) -> ?brainpoolP384r1;
+enum_to_oid(28) -> ?brainpoolP512r1;
+enum_to_oid(_) ->
+    undefined.
 
 sufficent_ec_support() ->
     CryptoSupport = crypto:supports(),