1 files changed, 72 insertions, 111 deletions

diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 407152aa75..aeb4897d7e 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -360,6 +360,8 @@ init_per_testcase(TestCase, Config) when TestCase == psk_cipher_suites;
 					 TestCase == psk_with_hint_cipher_suites;
 					 TestCase == ciphers_rsa_signed_certs;
 					 TestCase == ciphers_rsa_signed_certs_openssl_names;
+                                         TestCase == ciphers_ecdh_rsa_signed_certs_openssl_names;
+                                         TestCase == ciphers_ecdh_rsa_signed_certs;                           
 					 TestCase == ciphers_dsa_signed_certs;
 					 TestCase == ciphers_dsa_signed_certs_openssl_names;
 					 TestCase == anonymous_cipher_suites;
@@ -368,6 +370,11 @@ init_per_testcase(TestCase, Config) when TestCase == psk_cipher_suites;
 					 TestCase == anonymous_cipher_suites;
 					 TestCase == psk_anon_cipher_suites;
 					 TestCase == psk_anon_with_hint_cipher_suites;
+                                         TestCase == srp_cipher_suites,
+                                         TestCase == srp_anon_cipher_suites,
+                                         TestCase == srp_dsa_cipher_suites,
+                                         TestCase == des_rsa_cipher_suites,
+                                         TestCase == des_ecdh_rsa_cipher_suites,
 					 TestCase == versions_option,
 					 TestCase == tls_tcp_connect_big ->
     ssl_test_lib:ct_log_supported_protocol_versions(Config),
@@ -386,22 +393,27 @@ init_per_testcase(reuse_session, Config) ->
 
 init_per_testcase(rizzo, Config) ->
     ssl_test_lib:ct_log_supported_protocol_versions(Config),
-    ct:timetrap({seconds, 40}),
+    ct:timetrap({seconds, 60}),
+    Config;
+
+init_per_testcase(no_rizzo_rc4, Config) ->
+    ssl_test_lib:ct_log_supported_protocol_versions(Config),
+    ct:timetrap({seconds, 60}),
     Config;
 
 init_per_testcase(rizzo_one_n_minus_one, Config) ->
     ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
-    ct:timetrap({seconds, 40}),
+    ct:timetrap({seconds, 60}),
     rizzo_add_mitigation_option(one_n_minus_one, Config);
 
 init_per_testcase(rizzo_zero_n, Config) ->
     ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
-    ct:timetrap({seconds, 40}),
+    ct:timetrap({seconds, 60}),
     rizzo_add_mitigation_option(zero_n, Config);
 
 init_per_testcase(rizzo_disabled, Config) ->
     ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
-    ct:timetrap({seconds, 40}),
+    ct:timetrap({seconds, 60}),
     rizzo_add_mitigation_option(disabled, Config);
 
 init_per_testcase(prf, Config) ->
@@ -2308,20 +2320,16 @@ tls_shutdown_error(Config) when is_list(Config) ->
 ciphers_rsa_signed_certs() ->
     [{doc,"Test all rsa ssl cipher suites in highest support ssl/tls version"}].
        
-ciphers_rsa_signed_certs(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
+ciphers_rsa_signed_certs(Config) when is_list(Config) ->  
     Ciphers = ssl_test_lib:rsa_suites(crypto),
-    ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
-    run_suites(Ciphers, Version, Config, rsa).
+    run_suites(Ciphers, Config, rsa).
 %%-------------------------------------------------------------------
 ciphers_rsa_signed_certs_openssl_names() ->
     [{doc,"Test all rsa ssl cipher suites in highest support ssl/tls version"}].
        
 ciphers_rsa_signed_certs_openssl_names(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:openssl_rsa_suites(crypto),  
-    ct:log("tls1 openssl cipher suites ~p~n", [Ciphers]),
-    run_suites(Ciphers, Version, Config, rsa).
+    Ciphers = ssl_test_lib:openssl_rsa_suites(),  
+    run_suites(Ciphers, Config, rsa).
 
 %%-------------------------------------------------------------------
 ciphers_dsa_signed_certs() ->
@@ -2329,120 +2337,104 @@ ciphers_dsa_signed_certs() ->
        
 ciphers_dsa_signed_certs(Config) when is_list(Config) ->
     NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:dsa_suites(NVersion),
-    ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
-    run_suites(Ciphers, Version, Config, dsa).
+    run_suites(Ciphers, Config, dsa).
 %%-------------------------------------------------------------------
 ciphers_dsa_signed_certs_openssl_names() ->
     [{doc,"Test all dsa ssl cipher suites in highest support ssl/tls version"}].
        
 ciphers_dsa_signed_certs_openssl_names(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:openssl_dsa_suites(),
-    ct:log("tls1 openssl cipher suites ~p~n", [Ciphers]),
-    run_suites(Ciphers, Version, Config, dsa).
+    run_suites(Ciphers, Config, dsa).
 %%-------------------------------------------------------------------
 anonymous_cipher_suites()->
     [{doc,"Test the anonymous ciphersuites"}].
 anonymous_cipher_suites(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:anonymous_suites(Version),
-    run_suites(Ciphers, Version, Config, anonymous).
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    Ciphers = ssl_test_lib:anonymous_suites(NVersion),
+    run_suites(Ciphers, Config, anonymous).
 %%-------------------------------------------------------------------
 psk_cipher_suites() ->
     [{doc, "Test the PSK ciphersuites WITHOUT server supplied identity hint"}].
 psk_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = ssl_test_lib:protocol_version(Config),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Ciphers = ssl_test_lib:psk_suites(NVersion),
-    run_suites(Ciphers, Version, Config, psk).
+    run_suites(Ciphers, Config, psk).
 %%-------------------------------------------------------------------
 psk_with_hint_cipher_suites()->
     [{doc, "Test the PSK ciphersuites WITH server supplied identity hint"}].
 psk_with_hint_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = ssl_test_lib:protocol_version(Config),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Ciphers = ssl_test_lib:psk_suites(NVersion),
-    run_suites(Ciphers, Version, Config, psk_with_hint).
+    run_suites(Ciphers, Config, psk_with_hint).
 %%-------------------------------------------------------------------
 psk_anon_cipher_suites() ->
     [{doc, "Test the anonymous PSK ciphersuites WITHOUT server supplied identity hint"}].
 psk_anon_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = ssl_test_lib:protocol_version(Config),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Ciphers = ssl_test_lib:psk_anon_suites(NVersion),
-    run_suites(Ciphers, Version, Config, psk_anon).
+    run_suites(Ciphers, Config, psk_anon).
 %%-------------------------------------------------------------------
 psk_anon_with_hint_cipher_suites()->
     [{doc, "Test the anonymous PSK ciphersuites WITH server supplied identity hint"}].
 psk_anon_with_hint_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = ssl_test_lib:protocol_version(Config),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Ciphers = ssl_test_lib:psk_anon_suites(NVersion),
-    run_suites(Ciphers, Version, Config, psk_anon_with_hint).
+    run_suites(Ciphers, Config, psk_anon_with_hint).
 %%-------------------------------------------------------------------
 srp_cipher_suites()->
     [{doc, "Test the SRP ciphersuites"}].
 srp_cipher_suites(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:srp_suites(),
-    run_suites(Ciphers, Version, Config, srp).
+    run_suites(Ciphers, Config, srp).
 %%-------------------------------------------------------------------
 srp_anon_cipher_suites()->
     [{doc, "Test the anonymous SRP ciphersuites"}].
 srp_anon_cipher_suites(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:srp_anon_suites(),
-    run_suites(Ciphers, Version, Config, srp_anon).
+    run_suites(Ciphers, Config, srp_anon).
 %%-------------------------------------------------------------------
 srp_dsa_cipher_suites()->
     [{doc, "Test the SRP DSA ciphersuites"}].
 srp_dsa_cipher_suites(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:srp_dss_suites(),
-    run_suites(Ciphers, Version, Config, srp_dsa).
+    run_suites(Ciphers, Config, srp_dsa).
 %%-------------------------------------------------------------------
 rc4_rsa_cipher_suites()->
     [{doc, "Test the RC4 ciphersuites"}].
 rc4_rsa_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = tls_record:protocol_version(NVersion),
-    Ciphers = ssl_test_lib:rc4_suites(NVersion),
-    run_suites(Ciphers, Version, Config, rc4_rsa).
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    Ciphers = [S || {rsa,_,_} = S <- ssl_test_lib:rc4_suites(NVersion)],
+    run_suites(Ciphers, Config, rc4_rsa).
 %-------------------------------------------------------------------
 rc4_ecdh_rsa_cipher_suites()->
     [{doc, "Test the RC4 ciphersuites"}].
 rc4_ecdh_rsa_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = tls_record:protocol_version(NVersion),
-    Ciphers = ssl_test_lib:rc4_suites(NVersion),
-    run_suites(Ciphers, Version, Config, rc4_ecdh_rsa).
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    Ciphers = [S || {ecdh_rsa,_,_} = S <- ssl_test_lib:rc4_suites(NVersion)],
+    run_suites(Ciphers, Config, rc4_ecdh_rsa).
 
 %%-------------------------------------------------------------------
 rc4_ecdsa_cipher_suites()->
     [{doc, "Test the RC4 ciphersuites"}].
 rc4_ecdsa_cipher_suites(Config) when is_list(Config) ->
     NVersion = tls_record:highest_protocol_version([]),
-    Version = tls_record:protocol_version(NVersion),
-    Ciphers = ssl_test_lib:rc4_suites(NVersion),
-    run_suites(Ciphers, Version, Config, rc4_ecdsa).
+    Ciphers = [S || {ecdhe_ecdsa,_,_} = S <- ssl_test_lib:rc4_suites(NVersion)],
+    run_suites(Ciphers, Config, rc4_ecdsa).
 
 %%-------------------------------------------------------------------
 des_rsa_cipher_suites()->
     [{doc, "Test the des_rsa ciphersuites"}].
 des_rsa_cipher_suites(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:des_suites(Config),
-    run_suites(Ciphers, Version, Config, des_rsa).
+    run_suites(Ciphers, Config, des_rsa).
 %-------------------------------------------------------------------
 des_ecdh_rsa_cipher_suites()->
     [{doc, "Test ECDH rsa signed ciphersuites"}].
 des_ecdh_rsa_cipher_suites(Config) when is_list(Config) ->
     NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:des_suites(NVersion),
-    run_suites(Ciphers, Version, Config, des_dhe_rsa).
+    run_suites(Ciphers, Config, des_dhe_rsa).
 
 %%--------------------------------------------------------------------
 default_reject_anonymous()->
@@ -2476,38 +2468,30 @@ ciphers_ecdsa_signed_certs() ->
 
 ciphers_ecdsa_signed_certs(Config) when is_list(Config) ->
     NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:ecdsa_suites(NVersion),
-    ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
-    run_suites(Ciphers, Version, Config, ecdsa).
+    run_suites(Ciphers, Config, ecdsa).
 %%--------------------------------------------------------------------
 ciphers_ecdsa_signed_certs_openssl_names() ->
     [{doc, "Test all ecdsa ssl cipher suites in highest support ssl/tls version"}].
 
 ciphers_ecdsa_signed_certs_openssl_names(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:openssl_ecdsa_suites(),
-    ct:log("tls1 openssl cipher suites ~p~n", [Ciphers]),
-    run_suites(Ciphers, Version, Config, ecdsa).
+    run_suites(Ciphers, Config, ecdsa).
 %%--------------------------------------------------------------------
 ciphers_ecdh_rsa_signed_certs() ->
     [{doc, "Test all ecdh_rsa ssl cipher suites in highest support ssl/tls version"}].
 
 ciphers_ecdh_rsa_signed_certs(Config) when is_list(Config) ->
     NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:ecdh_rsa_suites(NVersion),
-    ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
-    run_suites(Ciphers, Version, Config, ecdh_rsa).
+    run_suites(Ciphers, Config, ecdh_rsa).
 %%--------------------------------------------------------------------
 ciphers_ecdh_rsa_signed_certs_openssl_names() ->
     [{doc, "Test all ecdh_rsa ssl cipher suites in highest support ssl/tls version"}].
 
 ciphers_ecdh_rsa_signed_certs_openssl_names(Config) when is_list(Config) ->
-    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:openssl_ecdh_rsa_suites(),
-    ct:log("tls1 openssl cipher suites ~p~n", [Ciphers]),
-    run_suites(Ciphers, Version, Config, ecdh_rsa).
+    run_suites(Ciphers, Config, ecdh_rsa).
 %%--------------------------------------------------------------------
 reuse_session() ->
     [{doc,"Test reuse of sessions (short handshake)"}].
@@ -3024,37 +3008,6 @@ der_input_opts(Opts) ->
     {Cert, {Asn1Type, Key}, CaCerts, DHParams}.
 
 %%--------------------------------------------------------------------
-%% different_ca_peer_sign() ->
-%%     ["Check that a CA can have a different signature algorithm than the peer cert."];
-
-%% different_ca_peer_sign(Config) when is_list(Config) ->
-%%     ClientOpts =  ssl_test_lib:ssl_options(client_mix_opts, Config),
-%%     ServerOpts =  ssl_test_lib:ssl_options(server_mix_verify_opts, Config),
-
-%%     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-%%     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
-%% 					{from, self()},
-%% 			   {mfa, {ssl_test_lib, send_recv_result_active_once, []}},
-%% 			   {options, [{active, once},
-%% 				      {verify, verify_peer} | ServerOpts]}]),
-%%     Port  = ssl_test_lib:inet_port(Server),
-
-%%     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
-%% 					{host, Hostname},
-%% 					{from, self()},
-%% 					{mfa, {ssl_test_lib,
-%% 					       send_recv_result_active_once,
-%% 					       []}},
-%% 					{options, [{active, once},
-%% 						   {verify, verify_peer}
-%% 						   | ClientOpts]}]),
-
-%%     ssl_test_lib:check_result(Server, ok, Client, ok),
-%%     ssl_test_lib:close(Server),
-%%     ssl_test_lib:close(Client).
-
-
-%%--------------------------------------------------------------------
 no_reuses_session_server_restart_new_cert() ->
     [{doc,"Check that a session is not reused if the server is restarted with a new cert."}].
 no_reuses_session_server_restart_new_cert(Config) when is_list(Config) ->
@@ -3122,14 +3075,14 @@ no_reuses_session_server_restart_new_cert_file(Config) when is_list(Config) ->
     DsaServerOpts = ssl_test_lib:ssl_options(server_dsa_opts, Config),
     PrivDir =  proplists:get_value(priv_dir, Config),
 
-    NewServerOpts = new_config(PrivDir, ServerOpts),
+    NewServerOpts0 = new_config(PrivDir, ServerOpts),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
 
     Server =
 	ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
 				   {from, self()},
 		      {mfa, {ssl_test_lib, session_info_result, []}},
-				   {options, NewServerOpts}]),
+				   {options, NewServerOpts0}]),
     Port = ssl_test_lib:inet_port(Server),
     Client0 =
 	ssl_test_lib:start_client([{node, ClientNode},
@@ -3150,13 +3103,13 @@ no_reuses_session_server_restart_new_cert_file(Config) when is_list(Config) ->
 
     ssl:clear_pem_cache(),
 
-    NewServerOpts = new_config(PrivDir, DsaServerOpts),
+    NewServerOpts1 = new_config(PrivDir, DsaServerOpts),
 
     Server1 =
 	ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
 				   {from, self()},
 		      {mfa, {ssl_test_lib, no_result, []}},
-				   {options, NewServerOpts}]),
+				   {options, NewServerOpts1}]),
     Client1 =
 	ssl_test_lib:start_client([{node, ClientNode},
 		      {port, Port}, {host, Hostname},
@@ -3807,8 +3760,10 @@ no_rizzo_rc4() ->
 no_rizzo_rc4(Config) when is_list(Config) ->
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
-    Ciphers  =  [ssl_cipher:erl_suite_definition(Suite) || 
-		    Suite  <- ssl_test_lib:rc4_suites(tls_record:protocol_version(Version))],
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    %% Test uses RSA certs
+    Ciphers  = ssl_test_lib:rc4_suites(NVersion) -- [{ecdhe_ecdsa,rc4_128,sha},
+                                                     {ecdh_ecdsa,rc4_128,sha}],
     run_send_recv_rizzo(Ciphers, Config, Version,
 			{?MODULE, send_recv_result_active_no_rizzo, []}).
 
@@ -3818,7 +3773,8 @@ rizzo_one_n_minus_one() ->
 rizzo_one_n_minus_one(Config) when is_list(Config) ->
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
-    AllSuites = ssl_test_lib:available_suites(tls_record:protocol_version(Version)),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    AllSuites = ssl_test_lib:available_suites(NVersion),
     Ciphers  = [X || X ={_,Y,_} <- AllSuites, Y  =/= rc4_128],
     run_send_recv_rizzo(Ciphers, Config, Version,
 			 {?MODULE, send_recv_result_active_rizzo, []}).
@@ -3829,7 +3785,8 @@ rizzo_zero_n() ->
 rizzo_zero_n(Config) when is_list(Config) ->
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
-    AllSuites = ssl_test_lib:available_suites(tls_record:protocol_version(Version)),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    AllSuites = ssl_test_lib:available_suites(NVersion),
     Ciphers  = [X || X ={_,Y,_} <- AllSuites, Y  =/= rc4_128],
     run_send_recv_rizzo(Ciphers, Config, Version,
 			 {?MODULE, send_recv_result_active_no_rizzo, []}).
@@ -4631,7 +4588,10 @@ client_server_opts({KeyAlgo,_,_}, Config) when KeyAlgo == ecdh_rsa ->
     {ssl_test_lib:ssl_options(client_opts, Config),
      ssl_test_lib:ssl_options(server_ecdh_rsa_opts, Config)}.
 
-run_suites(Ciphers, Version, Config, Type) ->
+run_suites(Ciphers, Config, Type) ->
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    Version = ssl_test_lib:protocol_version(Config),
+    ct:log("Running cipher suites ~p~n", [Ciphers]),
     {ClientOpts, ServerOpts} =
 	case Type of
 	    rsa ->
@@ -4643,23 +4603,24 @@ run_suites(Ciphers, Version, Config, Type) ->
 	    anonymous ->
 		%% No certs in opts!
 		{ssl_test_lib:ssl_options(client_verification_opts, Config),
-		 [{reuseaddr, true}, {ciphers, ssl_test_lib:anonymous_suites(Version)}]};
+		 [{reuseaddr, true}, {ciphers, ssl_test_lib:anonymous_suites(NVersion)} |
+                  ssl_test_lib:ssl_options([], Config)]};
 	    psk ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-                 [{ciphers, ssl_test_lib:psk_suites(Version)} | 
+                 [{ciphers, ssl_test_lib:psk_suites(NVersion)} | 
                   ssl_test_lib:ssl_options(server_psk, Config)]};
 	    psk_with_hint ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-		 [{ciphers, ssl_test_lib:psk_suites(Version)} |
+		 [{ciphers, ssl_test_lib:psk_suites(NVersion)} |
                   ssl_test_lib:ssl_options(server_psk_hint, Config)
                  ]};
 	    psk_anon ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-                 [{ciphers, ssl_test_lib:psk_anon_suites(Version)} |
+                 [{ciphers, ssl_test_lib:psk_anon_suites(NVersion)} |
                   ssl_test_lib:ssl_options(server_psk_anon, Config)]};
 	    psk_anon_with_hint ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-                 [{ciphers, ssl_test_lib:psk_anon_suites(Version)} |
+                 [{ciphers, ssl_test_lib:psk_anon_suites(NVersion)} |
 		 ssl_test_lib:ssl_options(server_psk_anon_hint, Config)]};
 	    srp ->
 		{ssl_test_lib:ssl_options(client_srp, Config),