7 files changed, 211 insertions, 40 deletions
diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index 8e909a5b74..f5cada9021 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -334,7 +334,9 @@ make_key(dsa, _Opts) ->
     gen_dsa2(128, 20);  %% Bytes i.e. {1024, 160}
 make_key(ec, _Opts) ->
     %% (OBS: for testing only)
-    gen_ec2(secp256k1).
+    CurveOid = hd(tls_v1:ecc_curves(0)),
+    NamedCurve = pubkey_cert_records:namedCurves(CurveOid),
+    gen_ec2(NamedCurve).
     
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %% RSA key generation  (OBS: for testing only)
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 05b040a2ab..1a864edb8b 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -121,6 +121,7 @@ options_tests() ->
 
 api_tests() ->
     [connection_info,
+     connection_information,
      peername,
      peercert,
      peercert_with_client_cert,
@@ -461,6 +462,37 @@ connection_info(Config) when is_list(Config) ->
     ssl_test_lib:close(Client).
 
 %%--------------------------------------------------------------------
+
+connection_information() ->
+    [{doc,"Test the API function ssl:connection_information/1"}].
+connection_information(Config) when is_list(Config) -> 
+    ClientOpts = ?config(client_opts, Config),
+    ServerOpts = ?config(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+					{from, self()}, 
+					{mfa, {?MODULE, connection_information_result, []}},
+					{options, ServerOpts}]),
+    
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+			   {from, self()}, 
+			   {mfa, {?MODULE, connection_information_result, []}},
+			   {options, ClientOpts}]),
+    
+    ct:log("Testcase ~p, Client ~p  Server ~p ~n",
+		       [self(), Client, Server]),
+    
+    ServerMsg = ClientMsg = ok,
+			   
+    ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg),
+    
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
+
+%%--------------------------------------------------------------------
 protocol_versions() ->
     [{doc,"Test to set a list of protocol versions in app environment."}].
 
@@ -3989,7 +4021,7 @@ run_suites(Ciphers, Version, Config, Type) ->
     end.
 
 erlang_cipher_suite(Suite) when is_list(Suite)->
-    ssl:suite_definition(ssl_cipher:openssl_suite(Suite));
+    ssl_cipher:erl_suite_definition(ssl_cipher:openssl_suite(Suite));
 erlang_cipher_suite(Suite) ->
     Suite.
 
@@ -4010,11 +4042,11 @@ cipher(CipherSuite, Version, Config, ClientOpts, ServerOpts) ->
     Port = ssl_test_lib:inet_port(Server),
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
 					{host, Hostname},
-			   {from, self()},
-			   {mfa, {ssl_test_lib, cipher_result, [ConnectionInfo]}},
-			   {options,
-			    [{ciphers,[CipherSuite]} |
-			     ClientOpts]}]),
+					{from, self()},
+					{mfa, {ssl_test_lib, cipher_result, [ConnectionInfo]}},
+					{options,
+					 [{ciphers,[CipherSuite]} |
+					  ClientOpts]}]),
 
     Result = ssl_test_lib:wait_for_result(Server, ok, Client, ok),
 
@@ -4028,6 +4060,17 @@ cipher(CipherSuite, Version, Config, ClientOpts, ServerOpts) ->
 	    [{ErlangCipherSuite, Error}]
     end.
 
+connection_information_result(Socket) ->
+    {ok, Info = [_ | _]} = ssl:connection_information(Socket),
+    case  length(Info) > 3 of
+	true -> 
+	    %% Atleast one ssloption() is set
+	    ct:log("Info ~p", [Info]),
+	    ok;
+	false ->
+	    ct:fail(no_ssl_options_returned)
+    end.
+
 connection_info_result(Socket) ->
     {ok, Info} = ssl:connection_information(Socket, [protocol, cipher_suite]),
     {ok, {proplists:get_value(protocol, Info), proplists:get_value(cipher_suite, Info)}}.
@@ -4154,6 +4197,12 @@ first_rsa_suite([{dhe_rsa, _, _} = Suite| _]) ->
     Suite;
 first_rsa_suite([{rsa, _, _} = Suite| _]) ->
     Suite;
+first_rsa_suite([{ecdhe_rsa, _, _, _} = Suite | _]) ->
+    Suite;
+first_rsa_suite([{dhe_rsa, _, _, _} = Suite| _]) ->
+    Suite;
+first_rsa_suite([{rsa, _, _, _} = Suite| _]) ->
+    Suite;
 first_rsa_suite([_ | Rest]) ->
     first_rsa_suite(Rest).
     
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
index 123a7f4cbf..d10506cb69 100644
--- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl
+++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -77,7 +77,8 @@ error_handling_tests()->
      unknown_server_ca_accept_verify_none,
      unknown_server_ca_accept_verify_peer,
      unknown_server_ca_accept_backwardscompatibility,
-     no_authority_key_identifier].
+     no_authority_key_identifier,
+     no_authority_key_identifier_and_nonstandard_encoding].
 
 init_per_suite(Config0) ->
     catch crypto:stop(),
@@ -967,6 +968,68 @@ delete_authority_key_extension([Head | Rest], Acc) ->
 
 %%--------------------------------------------------------------------
 
+no_authority_key_identifier_and_nonstandard_encoding() ->
+    [{doc, "Test cert with nonstandard encoding that does not have"
+      " authorityKeyIdentifier extension but are present in trusted certs db."}].
+
+no_authority_key_identifier_and_nonstandard_encoding(Config) when is_list(Config) ->
+    ClientOpts = ?config(client_verification_opts, Config),
+    ServerOpts = ?config(server_verification_opts, Config),
+    PrivDir = ?config(priv_dir, Config),
+
+    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
+    [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
+    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
+
+    CertFile = proplists:get_value(certfile, ServerOpts),
+    NewCertFile = filename:join(PrivDir, "server/new_cert.pem"),
+    [{'Certificate', DerCert, _}] = ssl_test_lib:pem_to_der(CertFile),
+    ServerCert = public_key:pkix_decode_cert(DerCert, plain),
+    ServerTbsCert = ServerCert#'Certificate'.tbsCertificate,
+    Extensions0 =  ServerTbsCert#'TBSCertificate'.extensions,
+    %% need to remove authorityKeyIdentifier extension to cause DB lookup by signature
+    Extensions = delete_authority_key_extension(Extensions0, []),
+    NewExtensions = replace_key_usage_extension(Extensions, []),
+    NewServerTbsCert = ServerTbsCert#'TBSCertificate'{extensions = NewExtensions},
+
+    ct:log("Extensions ~p~n, NewExtensions: ~p~n", [Extensions, NewExtensions]),
+
+    TbsDer = public_key:pkix_encode('TBSCertificate', NewServerTbsCert, plain),
+    Sig = public_key:sign(TbsDer, md5, Key),
+    NewServerCert = ServerCert#'Certificate'{tbsCertificate = NewServerTbsCert, signature = Sig},
+    NewDerCert = public_key:pkix_encode('Certificate', NewServerCert, plain),
+    ssl_test_lib:der_to_pem(NewCertFile, [{'Certificate', NewDerCert, not_encrypted}]),
+    NewServerOpts = [{certfile, NewCertFile} | proplists:delete(certfile, ServerOpts)],
+
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib,
+					       send_recv_result_active, []}},
+					{options, [{active, true} | NewServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()},
+					{mfa, {ssl_test_lib,
+					       send_recv_result_active, []}},
+					{options, [{verify, verify_peer} | ClientOpts]}]),
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
+replace_key_usage_extension([], Acc) ->
+    lists:reverse(Acc);
+replace_key_usage_extension([#'Extension'{extnID = ?'id-ce-keyUsage'} = E | Rest], Acc) ->
+    %% A nonstandard DER encoding of [digitalSignature, keyEncipherment]
+    Val = <<3, 2, 0, 16#A0>>,
+    replace_key_usage_extension(Rest, [E#'Extension'{extnValue = Val} | Acc]);
+replace_key_usage_extension([Head | Rest], Acc) ->
+    replace_key_usage_extension(Rest, [Head | Acc]).
+
+%%--------------------------------------------------------------------
+
 invalid_signature_server() ->
     [{doc,"Test client with invalid signature"}].
 
diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl
index 092015d3d8..00f9ee8e3c 100644
--- a/lib/ssl/test/ssl_dist_SUITE.erl
+++ b/lib/ssl/test/ssl_dist_SUITE.erl
@@ -41,7 +41,7 @@
 %%--------------------------------------------------------------------
 all() ->
     [basic, payload, plain_options, plain_verify_options, nodelay_option, 
-     listen_port_options, listen_options, use_interface].
+     listen_port_options, listen_options, connect_options, use_interface].
 
 groups() ->
     [].
@@ -312,22 +312,7 @@ listen_port_options(Config) when is_list(Config) ->
 listen_options() ->
     [{doc, "Test inet_dist_listen_options"}].
 listen_options(Config) when is_list(Config) ->
-    Prio = 1,
-    case gen_udp:open(0, [{priority,Prio}]) of
-	{ok,Socket} ->
-	    case inet:getopts(Socket, [priority]) of
-		{ok,[{priority,Prio}]} ->
-		    ok = gen_udp:close(Socket),
-		    do_listen_options(Prio, Config);
-		_ ->
-		    ok = gen_udp:close(Socket),
-		    {skip,
-		     "Can not set priority "++integer_to_list(Prio)++
-			 " on socket"}
-	    end;
-	{error,_} ->
-	    {skip, "Can not set priority on socket"}
-    end.
+    try_setting_priority(fun do_listen_options/2, Config).
 
 do_listen_options(Prio, Config) ->
     PriorityString0 = "[{priority,"++integer_to_list(Prio)++"}]",
@@ -364,6 +349,48 @@ do_listen_options(Prio, Config) ->
     stop_ssl_node(NH2),
     success(Config).
 %%--------------------------------------------------------------------
+connect_options() ->
+    [{doc, "Test inet_dist_connect_options"}].
+connect_options(Config) when is_list(Config) ->
+    try_setting_priority(fun do_connect_options/2, Config).
+
+do_connect_options(Prio, Config) ->
+    PriorityString0 = "[{priority,"++integer_to_list(Prio)++"}]",
+    PriorityString =
+	case os:cmd("echo [{a,1}]") of
+	    "[{a,1}]"++_ ->
+		PriorityString0;
+	    _ ->
+		%% Some shells need quoting of [{}]
+		"'"++PriorityString0++"'"
+	end,
+
+    Options = "-kernel inet_dist_connect_options " ++ PriorityString,
+
+    NH1 = start_ssl_node([{additional_dist_opts, Options} | Config]),
+    NH2 = start_ssl_node([{additional_dist_opts, Options} | Config]),
+    Node2 = NH2#node_handle.nodename,
+    
+    pong = apply_on_ssl_node(NH1, fun () -> net_adm:ping(Node2) end),
+
+    PrioritiesNode1 =
+	apply_on_ssl_node(NH1, fun get_socket_priorities/0),
+    PrioritiesNode2 =
+	apply_on_ssl_node(NH2, fun get_socket_priorities/0),
+
+    Elevated1 = [P || P <- PrioritiesNode1, P =:= Prio],
+    ?t:format("Elevated1: ~p~n", [Elevated1]),
+    Elevated2 = [P || P <- PrioritiesNode2, P =:= Prio],
+    ?t:format("Elevated2: ~p~n", [Elevated2]),
+    %% Node 1 will have a socket with elevated priority.
+    [_|_] = Elevated1,
+    %% Node 2 will not, since it only applies to outbound connections.
+    [] = Elevated2,
+
+    stop_ssl_node(NH1),
+    stop_ssl_node(NH2),
+    success(Config).
+%%--------------------------------------------------------------------
 use_interface() ->
     [{doc, "Test inet_dist_use_interface"}].
 use_interface(Config) when is_list(Config) ->
@@ -405,6 +432,24 @@ tstsrvr_format(Fmt, ArgList) ->
 send_to_tstcntrl(Message) ->
     send_to_tstsrvr({message, Message}).
 
+try_setting_priority(TestFun, Config) ->
+    Prio = 1,
+    case gen_udp:open(0, [{priority,Prio}]) of
+	{ok,Socket} ->
+	    case inet:getopts(Socket, [priority]) of
+		{ok,[{priority,Prio}]} ->
+		    ok = gen_udp:close(Socket),
+		    TestFun(Prio, Config);
+		_ ->
+		    ok = gen_udp:close(Socket),
+		    {skip,
+		     "Can not set priority "++integer_to_list(Prio)++
+			 " on socket"}
+	    end;
+	{error,_} ->
+	    {skip, "Can not set priority on socket"}
+    end.
+
 get_socket_priorities() ->
     [Priority ||
 	{ok,[{priority,Priority}]} <-
@@ -493,17 +538,13 @@ host_name() ->
     Host.
 
 mk_node_name(Config) ->
-    {A, B, C} = erlang:now(),
+    N = erlang:unique_integer([positive]),
     Case = ?config(testcase, Config),
     atom_to_list(?MODULE)
 	++ "_"
 	++ atom_to_list(Case)
 	++ "_"
-	++ integer_to_list(A)
-	++ "-"
-	++ integer_to_list(B)
-	++ "-"
-	++ integer_to_list(C).
+	++ integer_to_list(N).
 
 mk_node_cmdline(ListenPort, Name, Args) ->
     Static = "-detached -noinput",
@@ -732,12 +773,10 @@ rand_bin(N) ->
 rand_bin(0, Acc) ->
     Acc;
 rand_bin(N, Acc) ->
-    rand_bin(N-1, [random:uniform(256)-1|Acc]).
+    rand_bin(N-1, [rand:uniform(256)-1|Acc]).
 
 make_randfile(Dir) ->
     {ok, IoDev} = file:open(filename:join([Dir, "RAND"]), [write]),
-    {A, B, C} = erlang:now(),
-    random:seed(A, B, C),
     ok = file:write(IoDev, rand_bin(1024)),
     file:close(IoDev).
 
diff --git a/lib/ssl/test/ssl_sni_SUITE.erl b/lib/ssl/test/ssl_sni_SUITE.erl
index f6ffe91027..90c2a49e61 100644
--- a/lib/ssl/test/ssl_sni_SUITE.erl
+++ b/lib/ssl/test/ssl_sni_SUITE.erl
@@ -108,8 +108,12 @@ ssl_recv(SSLSocket, CurrentData, ExpectedData) ->
 
 send_and_hostname(SSLSocket) ->
     ssl:send(SSLSocket, "OK"),
-    {ok, [{sni_hostname, Hostname}]} = ssl:connection_information(SSLSocket, [sni_hostname]),
-    Hostname.
+    case  ssl:connection_information(SSLSocket, [sni_hostname]) of
+	{ok, [{sni_hostname, Hostname}]} ->
+	    Hostname;
+	{ok, []} ->
+	    undefined
+    end.
 
 rdnPart([[#'AttributeTypeAndValue'{type=Type, value=Value} | _] | _], Type) -> 
     Value;
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 77c29668b5..90fcd193cc 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -818,7 +818,17 @@ rsa_suites(CounterPart) ->
 		    (_) ->
 			 false
 		 end,
-		 ssl:cipher_suites()).
+                 common_ciphers(CounterPart)).
+
+common_ciphers(crypto) ->
+    ssl:cipher_suites();
+common_ciphers(openssl) ->
+    OpenSslSuites =
+        string:tokens(string:strip(os:cmd("openssl ciphers"), right, $\n), ":"),
+    [ssl_cipher:erl_suite_definition(S)
+     || S <- ssl_cipher:suites(tls_record:highest_protocol_version([])),
+        lists:member(ssl_cipher:openssl_suite_name(S), OpenSslSuites)
+    ].
 
 rsa_non_signed_suites() ->
     lists:filter(fun({rsa, _, _}) ->
@@ -1214,7 +1224,7 @@ filter_suites(Ciphers0) ->
 	++ ssl_cipher:srp_suites() 
 	++ ssl_cipher:rc4_suites(Version),
     Supported1 = ssl_cipher:filter_suites(Supported0),
-    Supported2 = [ssl:suite_definition(S) || S <- Supported1],
+    Supported2 = [ssl_cipher:erl_suite_definition(S) || S <- Supported1],
     [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported2)].
 
 -define(OPENSSL_QUIT, "Q\n").
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index ecf6c4d6b8..6934d7f851 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -1268,8 +1268,12 @@ client_check_result(Port, DataExpected) ->
 
 send_and_hostname(SSLSocket) ->
     ssl:send(SSLSocket, "OK"),
-    {ok, [{sni_hostname, Hostname}]} = ssl:connection_information(SSLSocket, [sni_hostname]),
-    Hostname.
+    case ssl:connection_information(SSLSocket, [sni_hostname]) of
+	{ok, []} ->
+	    undefined;
+	{ok, [{sni_hostname, Hostname}]} ->
+	    Hostname
+    end.
 
 erlang_server_openssl_client_sni_test(Config, SNIHostname, ExpectedSNIHostname, ExpectedCN) ->
     ct:log("Start running handshake, Config: ~p, SNIHostname: ~p, ExpectedSNIHostname: ~p, ExpectedCN: ~p", [Config, SNIHostname, ExpectedSNIHostname, ExpectedCN]),