Diffstat (limited to 'lib/ssl/test')
-rw-r--r-- | lib/ssl/test/ssl.spec | 3 | ||||
-rw-r--r-- | lib/ssl/test/ssl_ECC_SUITE.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/ssl_alpn_handshake_SUITE.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/ssl_basic_SUITE.erl | 9 | ||||
-rw-r--r-- | lib/ssl/test/ssl_bench_SUITE.erl | 102 | ||||
-rw-r--r-- | lib/ssl/test/ssl_certificate_verify_SUITE.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/ssl_crl_SUITE.erl | 4 | ||||
-rw-r--r-- | lib/ssl/test/ssl_handshake_SUITE.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/ssl_npn_handshake_SUITE.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/ssl_packet_SUITE.erl | 31 | ||||
-rw-r--r-- | lib/ssl/test/ssl_payload_SUITE.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/ssl_pem_cache_SUITE.erl | 5 | ||||
-rw-r--r-- | lib/ssl/test/ssl_session_cache_SUITE.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/ssl_sni_SUITE.erl | 2 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 16 | ||||
-rw-r--r-- | lib/ssl/test/ssl_to_openssl_SUITE.erl | 7 |
16 files changed, 164 insertions, 29 deletions
diff --git a/lib/ssl/test/ssl.spec b/lib/ssl/test/ssl.spec index 86e14c033e..0ad94e22bc 100644 --- a/lib/ssl/test/ssl.spec +++ b/lib/ssl/test/ssl.spec @@ -1,4 +1,5 @@ {suites,"../ssl_test",all}. {skip_cases, "../ssl_test", - ssl_bench_SUITE, [setup_sequential, setup_concurrent, payload_simple], + ssl_bench_SUITE, [setup_sequential, setup_concurrent, payload_simple, + use_pem_cache, bypass_pem_cache], "Benchmarks run separately"}. diff --git a/lib/ssl/test/ssl_ECC_SUITE.erl b/lib/ssl/test/ssl_ECC_SUITE.erl index 69ac9908fa..258922d128 100644 --- a/lib/ssl/test/ssl_ECC_SUITE.erl +++ b/lib/ssl/test/ssl_ECC_SUITE.erl @@ -145,7 +145,7 @@ init_per_testcase(TestCase, Config) -> ssl_test_lib:ct_log_supported_protocol_versions(Config), ct:log("Ciphers: ~p~n ", [ ssl:cipher_suites()]), end_per_testcase(TestCase, Config), - ssl:start(), + ssl_test_lib:clean_start(), ct:timetrap({seconds, 15}), Config. diff --git a/lib/ssl/test/ssl_alpn_handshake_SUITE.erl b/lib/ssl/test/ssl_alpn_handshake_SUITE.erl index da181faf64..9d57e89b9b 100644 --- a/lib/ssl/test/ssl_alpn_handshake_SUITE.erl +++ b/lib/ssl/test/ssl_alpn_handshake_SUITE.erl @@ -71,7 +71,7 @@ init_per_suite(Config) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:start(), + ssl_test_lib:clean_start(), {ok, _} = make_certs:all(proplists:get_value(data_dir, Config), proplists:get_value(priv_dir, Config)), ssl_test_lib:cert_options(Config) diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index 8ffee751fc..57963fd44b 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -250,7 +250,7 @@ init_per_suite(Config0) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:start(), + ssl_test_lib:clean_start(), %% make rsa certs using oppenssl {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), proplists:get_value(priv_dir, Config0)), 
@@ -307,6 +307,7 @@ init_per_testcase(protocol_versions, Config) -> init_per_testcase(reuse_session_expired, Config) -> ssl:stop(), application:load(ssl), + ssl_test_lib:clean_env(), application:set_env(ssl, session_lifetime, ?EXPIRE), application:set_env(ssl, session_delay_cleanup_time, 500), ssl:start(), @@ -316,6 +317,7 @@ init_per_testcase(reuse_session_expired, Config) -> init_per_testcase(empty_protocol_versions, Config) -> ssl:stop(), application:load(ssl), + ssl_test_lib:clean_env(), application:set_env(ssl, protocol_version, []), ssl:start(), ct:timetrap({seconds, 5}), @@ -454,6 +456,11 @@ end_per_testcase(reuse_session_expired, Config) -> application:unset_env(ssl, session_delay_cleanup_time), end_per_testcase(default_action, Config); +end_per_testcase(Case, Config) when Case == protocol_versions; + Case == empty_protocol_versions-> + application:unset_env(ssl, protocol_versions), + end_per_testcase(default_action, Config); + end_per_testcase(_TestCase, Config) -> Config. diff --git a/lib/ssl/test/ssl_bench_SUITE.erl b/lib/ssl/test/ssl_bench_SUITE.erl index ed439a425f..21989f8d99 100644 --- a/lib/ssl/test/ssl_bench_SUITE.erl +++ b/lib/ssl/test/ssl_bench_SUITE.erl @@ -25,11 +25,12 @@ suite() -> [{ct_hooks,[{ts_install_cth,[{nodenames,2}]}]}]. -all() -> [{group, setup}, {group, payload}]. +all() -> [{group, setup}, {group, payload}, {group, pem_cache}]. groups() -> [{setup, [{repeat, 3}], [setup_sequential, setup_concurrent]}, - {payload, [{repeat, 3}], [payload_simple]} + {payload, [{repeat, 3}], [payload_simple]}, + {pem_cache, [{repeat, 3}], [use_pem_cache, bypass_pem_cache]} ]. init_per_group(_GroupName, Config) -> 
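Review bot: The new `end_per_testcase` clause for `protocol_versions`/`empty_protocol_versions` unsets the key `protocol_versions`, but `init_per_testcase(empty_protocol_versions, ...)` in the hunk above sets `protocol_version` (singular), so the override is not removed. Until a later `clean_start()` runs, the remaining cases in this suite would presumably keep running with the leftover version list, which can mask or fake TLS-version failures. The line should read `application:unset_env(ssl, protocol_version),`. The guard is also better written with exact comparison and a space before the arrow: `when Case =:= protocol_versions; Case =:= empty_protocol_versions ->`.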
@@ -49,9 +50,33 @@ init_per_suite(Config) -> end_per_suite(_Config) -> ok. +init_per_testcase(use_pem_cache, Conf) -> + case bypass_pem_cache_supported() of + false -> {skipped, "PEM cache bypass support required"}; + true -> + application:set_env(ssl, bypass_pem_cache, false), + Conf + end; +init_per_testcase(bypass_pem_cache, Conf) -> + case bypass_pem_cache_supported() of + false -> {skipped, "PEM cache bypass support required"}; + true -> + application:set_env(ssl, bypass_pem_cache, true), + Conf + end; init_per_testcase(_Func, Conf) -> Conf. +end_per_testcase(use_pem_cache, _Config) -> + case bypass_pem_cache_supported() of + false -> ok; + true -> application:set_env(ssl, bypass_pem_cache, false) + end; +end_per_testcase(bypass_pem_cache, _Config) -> + case bypass_pem_cache_supported() of + false -> ok; + true -> application:set_env(ssl, bypass_pem_cache, false) + end; end_per_testcase(_Func, _Conf) -> ok. @@ -94,6 +119,18 @@ payload_simple(Config) -> {suite, "ssl"}, {name, "Payload simple"}]}), ok. +use_pem_cache(_Config) -> + {ok, Result} = do_test(ssl, pem_cache, 100, 500, node()), + ct_event:notify(#event{name = benchmark_data, + data=[{value, Result}, + {suite, "ssl"}, {name, "Use PEM cache"}]}). + +bypass_pem_cache(_Config) -> + {ok, Result} = do_test(ssl, pem_cache, 100, 500, node()), + ct_event:notify(#event{name = benchmark_data, + data=[{value, Result}, + {suite, "ssl"}, {name, "Bypass PEM cache"}]}). + ssl() -> test(ssl, ?COUNT, node()). 
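Review bot: Both new `end_per_testcase` clauses restore the flag with `application:set_env(ssl, bypass_pem_cache, false)` rather than removing it, so an explicit value stays in the application environment after the benchmark group. `application:unset_env(ssl, bypass_pem_cache)` returns the node to its default. The `use_pem_cache` and `bypass_pem_cache` clauses of `end_per_testcase` are identical and could be one clause guarded by `when Case =:= use_pem_cache; Case =:= bypass_pem_cache`. In the following hunk, `use_pem_cache/1` and `bypass_pem_cache/1` differ only in the event name, so a one-line comment should say that the flag set in `init_per_testcase` is what distinguishes the two runs.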
@@ -172,6 +209,18 @@ server_init(ssl, payload, Loop, _, Server) -> ssl:close(TSocket) end, setup_server_connection(Socket, Test); +server_init(ssl, pem_cache, Loop, _, Server) -> + {ok, Socket} = ssl:listen(0, ssl_opts(listen_der)), + {ok, {_Host, Port}} = ssl:sockname(Socket), + {ok, Host} = inet:gethostname(), + Server ! {self(), {init, Host, Port}}, + Test = fun(TSocket) -> + ok = ssl:ssl_accept(TSocket), + Size = byte_size(msg()), + server_echo(TSocket, Size, Loop), + ssl:close(TSocket) + end, + setup_server_connection(Socket, Test); server_init(Type, Tc, _, _, Server) -> io:format("No server init code for ~p ~p~n",[Type, Tc]), @@ -185,6 +234,11 @@ client_init(Master, ssl, payload, Host, Port) -> Master ! {self(), init}, Size = byte_size(msg()), {Sock, Size}; +client_init(Master, ssl, pem_cache, Host, Port) -> + {ok, Sock} = ssl:connect(Host, Port, ssl_opts(connect_der)), + Master ! {self(), init}, + Size = byte_size(msg()), + {Sock, Size}; client_init(_Me, Type, Tc, Host, Port) -> io:format("No client init code for ~p ~p~n",[Type, Tc]), {Host, Port}. @@ -228,6 +282,13 @@ payload(Loop, ssl, D = {Socket, Size}) when Loop > 0 -> payload(_, _, {Socket, _}) -> ssl:close(Socket). +pem_cache(N, ssl, Data = {Socket, Size}) when N > 0 -> + ok = ssl:send(Socket, msg()), + {ok, _} = ssl:recv(Socket, Size), + pem_cache(N-1, ssl, Data); +pem_cache(_, _, {Socket, _}) -> + ssl:close(Socket). + msg() -> <<"Hello", 0:(512*8), 
@@ -352,16 +413,43 @@ stop_profile(fprof, File) -> ssl_opts(listen) -> [{backlog, 500} | ssl_opts("server")]; ssl_opts(connect) -> - [{verify, verify_peer} - | ssl_opts("client")]; + [{verify, verify_peer} | ssl_opts("client")]; +ssl_opts(listen_der) -> + [{backlog, 500} | ssl_opts("server_der")]; +ssl_opts(connect_der) -> + [{verify, verify_peer} | ssl_opts("client_der")]; ssl_opts(Role) -> - Dir = filename:join([code:lib_dir(ssl), "examples", "certs", "etc"]), + CertData = cert_data(Role), [{active, false}, {depth, 2}, {reuseaddr, true}, {mode,binary}, {nodelay, true}, - {ciphers, [{dhe_rsa,aes_256_cbc,sha}]}, - {cacertfile, filename:join([Dir, Role, "cacerts.pem"])}, + {ciphers, [{dhe_rsa,aes_256_cbc,sha}]} + |CertData]. + +cert_data(Der) when Der =:= "server_der"; Der =:= "client_der" -> + [Role,_] = string:tokens(Der, "_"), + Dir = filename:join([code:lib_dir(ssl), "examples", "certs", "etc"]), + {ok, CaCert0} = file:read_file(filename:join([Dir, Role, "cacerts.pem"])), + {ok, Cert0} = file:read_file(filename:join([Dir, Role, "cert.pem"])), + {ok, Key0} = file:read_file(filename:join([Dir, Role, "key.pem"])), + [{_, Cert, _}] = public_key:pem_decode(Cert0), + CaCert1 = public_key:pem_decode(CaCert0), + CaCert = [CCert || {_, CCert, _} <- CaCert1], + [{KeyType, Key, _}] = public_key:pem_decode(Key0), + [{cert, Cert}, + {cacerts, CaCert}, + {key, {KeyType, Key}}]; +cert_data(Role) -> + Dir = filename:join([code:lib_dir(ssl), "examples", "certs", "etc"]), + [{cacertfile, filename:join([Dir, Role, "cacerts.pem"])}, {certfile, filename:join([Dir, Role, "cert.pem"])}, {keyfile, filename:join([Dir, Role, "key.pem"])}]. + +bypass_pem_cache_supported() -> + %% This function is currently critical to support cache bypass + %% and did not exist in prior versions. + catch ssl_pkix_db:module_info(), % ensure module is loaded + erlang:function_exported(ssl_pkix_db, extract_trusted_certs, 1). + 
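Review bot: `cert_data/1` matches the key file with `[{KeyType, Key, _}] = public_key:pem_decode(Key0)`, which also accepts an encrypted PEM entry and would pass its ciphertext on as `{key, {KeyType, Key}}`. Matching `[{KeyType, Key, not_encrypted}]` makes the assumption explicit and fails where the problem is. In `bypass_pem_cache_supported/0`, the old-style `catch ssl_pkix_db:module_info()` swallows every kind of failure; `_ = code:ensure_loaded(ssl_pkix_db),` states the intent directly. A short comment on `cert_data/1` should note that the `"server_der"`/`"client_der"` roles are split with `string:tokens/2` to find the certificate directory and return in-memory DER options instead of file paths.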
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl index c83c513eb3..4c6f1d7c01 100644 --- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl +++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl @@ -85,7 +85,7 @@ init_per_suite(Config0) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:start(), + ssl_test_lib:clean_start(), %% make rsa certs using oppenssl {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), proplists:get_value(priv_dir, Config0)), diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl index e37e127440..bc2822f0c4 100644 --- a/lib/ssl/test/ssl_crl_SUITE.erl +++ b/lib/ssl/test/ssl_crl_SUITE.erl @@ -136,7 +136,7 @@ init_per_testcase(Case, Config0) -> true -> end_per_testcase(Case, Config0), inets:start(), - ssl:start(), + ssl_test_lib:clean_start(), ServerRoot = make_dir_path([proplists:get_value(priv_dir, Config0), idp_crl, tmp]), %% start a HTTP server to serve the CRLs {ok, Httpd} = inets:start(httpd, [{ipfamily, proplists:get_value(ipfamily, Config0)}, @@ -155,7 +155,7 @@ init_per_testcase(Case, Config0) -> [{cert_dir, CertDir} | Config]; false -> end_per_testcase(Case, Config0), - ssl:start(), + ssl_test_lib:clean_start(), Config0 end. diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl index a671e3e307..51f0651568 100644 --- a/lib/ssl/test/ssl_handshake_SUITE.erl +++ b/lib/ssl/test/ssl_handshake_SUITE.erl @@ -60,7 +60,7 @@ init_per_testcase(ignore_hassign_extension_pre_tls_1_2, Config0) -> ok -> case is_supported(sha512) of true -> - ssl:start(), + ssl_test_lib:clean_start(), %% make rsa certs using oppenssl {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), proplists:get_value(priv_dir, Config0)), diff --git a/lib/ssl/test/ssl_npn_handshake_SUITE.erl b/lib/ssl/test/ssl_npn_handshake_SUITE.erl index c55fa73cfb..a02881f1ae 100644 --- a/lib/ssl/test/ssl_npn_handshake_SUITE.erl 
+++ b/lib/ssl/test/ssl_npn_handshake_SUITE.erl @@ -68,7 +68,7 @@ init_per_suite(Config) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:start(), + ssl_test_lib:clean_start(), {ok, _} = make_certs:all(proplists:get_value(data_dir, Config), proplists:get_value(priv_dir, Config)), ssl_test_lib:cert_options(Config) diff --git a/lib/ssl/test/ssl_packet_SUITE.erl b/lib/ssl/test/ssl_packet_SUITE.erl index 17237118a0..81a49776e4 100644 --- a/lib/ssl/test/ssl_packet_SUITE.erl +++ b/lib/ssl/test/ssl_packet_SUITE.erl @@ -140,8 +140,7 @@ init_per_suite(Config) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:stop(), - ssl:start(), + ssl_test_lib:clean_start(), {ok, _} = make_certs:all(proplists:get_value(data_dir, Config), proplists:get_value(priv_dir, Config)), ssl_test_lib:cert_options(Config) @@ -278,6 +277,7 @@ packet_raw_active_once_many_small() -> [{doc,"Test packet option {packet, raw} in active once mode."}]. packet_raw_active_once_many_small(Config) when is_list(Config) -> + ct:timetrap({seconds, ?BASE_TIMEOUT_SECONDS * ?MANY_SCALE}), Data = "Packet option is {packet, raw}", packet(Config, Data, send_raw, active_once_raw, ?MANY, raw, once). @@ -394,6 +394,7 @@ packet_0_active_some_big() -> [{doc,"Test packet option {packet, 0} in active mode."}]. packet_0_active_some_big(Config) when is_list(Config) -> + ct:timetrap({seconds, ?BASE_TIMEOUT_SECONDS * ?SOME_SCALE}), Data = lists:append(lists:duplicate(100, "1234567890")), packet(Config, Data, send, active_raw, ?SOME, 0, true). @@ -429,6 +430,7 @@ packet_2_active_some_big() -> [{doc,"Test packet option {packet, 2} in active mode"}]. packet_2_active_some_big(Config) when is_list(Config) -> + ct:timetrap({seconds, ?BASE_TIMEOUT_SECONDS * ?SOME_SCALE}), Data = lists:append(lists:duplicate(100, "1234567890")), packet(Config, Data, send, active_packet, ?SOME, 2, true). 
@@ -1902,6 +1904,31 @@ header_decode_two_bytes_one_sent_passive(Config) when is_list(Config) -> %%-------------------------------------------------------------------- %% Internal functions ------------------------------------------------ %%-------------------------------------------------------------------- + +packet(Config, Data, Send, Recv, Quantity, Packet, Active) when Packet == 0; + Packet == raw -> + ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + + Server = ssl_test_lib:start_server([{node, ClientNode}, {port, 0}, + {from, self()}, + {mfa, {?MODULE, Send ,[Data, Quantity]}}, + {options, [{nodelay, true},{packet, Packet} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client([{node, ServerNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {?MODULE, Recv, [Data, Quantity]}}, + {options, [{active, Active}, {nodelay, true}, + {packet, Packet} | + ClientOpts]}]), + + ssl_test_lib:check_result(Client, ok), + + ssl_test_lib:close(Server), + ssl_test_lib:close(Client); + packet(Config, Data, Send, Recv, Quantity, Packet, Active) -> ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), diff --git a/lib/ssl/test/ssl_payload_SUITE.erl b/lib/ssl/test/ssl_payload_SUITE.erl index c0b762760d..cb1957327a 100644 --- a/lib/ssl/test/ssl_payload_SUITE.erl +++ b/lib/ssl/test/ssl_payload_SUITE.erl @@ -70,7 +70,7 @@ init_per_suite(Config) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:start(), + ssl_test_lib:clean_start(), {ok, _} = make_certs:all(proplists:get_value(data_dir, Config), proplists:get_value(priv_dir, Config)), ssl_test_lib:cert_options(Config) catch _:_ -> diff --git a/lib/ssl/test/ssl_pem_cache_SUITE.erl b/lib/ssl/test/ssl_pem_cache_SUITE.erl index 13b0ce8ed9..02c98fc40f 100644 
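Review bot: In the new `packet/7` clause the server is started with `{node, ClientNode}` and the client with `{node, ServerNode}`, which reads as swapped. The pre-existing clause continues past the end of this hunk, so it is not visible whether it does the same; if the assignment is intentional it deserves a comment, otherwise the two names should be exchanged. The new clause appears to exist to add `{nodelay, true}` on both sides for `0` and `raw`, and a comment such as `%% raw/0 packets are not framed, so disable Nagle to avoid coalescing delays` (wording to be confirmed by the author) would record why. The guard should use exact comparison: `when Packet =:= 0; Packet =:= raw ->`.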
--- a/lib/ssl/test/ssl_pem_cache_SUITE.erl +++ b/lib/ssl/test/ssl_pem_cache_SUITE.erl @@ -43,7 +43,7 @@ init_per_suite(Config0) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:start(), + ssl_test_lib:clean_start(), %% make rsa certs using oppenssl {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), proplists:get_value(priv_dir, Config0)), @@ -63,14 +63,15 @@ end_per_group(_GroupName, Config) -> Config. init_per_testcase(pem_cleanup = Case, Config) -> - end_per_testcase(Case, Config) , application:load(ssl), + end_per_testcase(Case, Config) , application:set_env(ssl, ssl_pem_cache_clean, ?CLEANUP_INTERVAL), ssl:start(), ct:timetrap({minutes, 1}), Config. end_per_testcase(_TestCase, Config) -> + ssl_test_lib:clean_env(), ssl:stop(), Config. diff --git a/lib/ssl/test/ssl_session_cache_SUITE.erl b/lib/ssl/test/ssl_session_cache_SUITE.erl index b352844ba0..28637fc32d 100644 --- a/lib/ssl/test/ssl_session_cache_SUITE.erl +++ b/lib/ssl/test/ssl_session_cache_SUITE.erl @@ -58,7 +58,7 @@ init_per_suite(Config0) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:start(), + ssl_test_lib:clean_start(), %% make rsa certs using {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), proplists:get_value(priv_dir, Config0)), diff --git a/lib/ssl/test/ssl_sni_SUITE.erl b/lib/ssl/test/ssl_sni_SUITE.erl index 34ef2e6af9..4e916a7f03 100644 --- a/lib/ssl/test/ssl_sni_SUITE.erl +++ b/lib/ssl/test/ssl_sni_SUITE.erl @@ -41,7 +41,7 @@ init_per_suite(Config0) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:start(), + ssl_test_lib:clean_start(), {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), proplists:get_value(priv_dir, Config0)), ssl_test_lib:cert_options(Config0) diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index a92b978ca9..81f16030f7 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl 
@@ -1355,3 +1355,19 @@ ct_log_supported_protocol_versions(Config) -> _ -> ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]) end. + +clean_env() -> + application:unset_env(ssl, protocol_version), + application:unset_env(ssl, session_lifetime), + application:unset_env(ssl, session_cb), + application:unset_env(ssl, session_cb_init_args), + application:unset_env(ssl, session_cache_client_max), + application:unset_env(ssl, session_cache_server_max), + application:unset_env(ssl, ssl_pem_cache_clean), + application:unset_env(ssl, alert_timeout). + +clean_start() -> + ssl:stop(), + application:load(ssl), + clean_env(), + ssl:start(). diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl index 9ae032503a..9ecfe5b0ea 100644 --- a/lib/ssl/test/ssl_to_openssl_SUITE.erl +++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl @@ -119,12 +119,7 @@ init_per_suite(Config0) -> catch crypto:stop(), try crypto:start() of ok -> - ssl:stop(), - application:load(ssl), - ct:pal("Before clean: Version: ~p", [ssl:versions()]), - application:unset_env(ssl, protocol_version), - ct:pal("After clean: Version: ~p", [ssl:versions()]), - ssl:start(), + ssl_test_lib:clean_start(), {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0), proplists:get_value(priv_dir, Config0)), Config1 = ssl_test_lib:make_dsa_cert(Config0), |
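Review bot: `clean_env/0` does not clear every key that the suites in this commit set: `session_delay_cleanup_time` (ssl_basic_SUITE) and `bypass_pem_cache` (ssl_bench_SUITE) are missing, so `clean_start/0` can still inherit them from an earlier suite on the same node. Adding `application:unset_env(ssl, session_delay_cleanup_time),` and `application:unset_env(ssl, bypass_pem_cache),` closes that gap. `clean_start/0` also discards the result of `ssl:start()`; writing `ok = ssl:start().` would make a failed start stop the suite at once instead of surfacing later as an unrelated handshake error. Both functions would benefit from a one-line comment stating that they reset the ssl application environment so each suite starts from the defaults.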