3 files changed, 114 insertions, 7 deletions

diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 527263363c..590ecf33ca 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2012. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -250,6 +250,8 @@ all() ->
      no_authority_key_identifier, invalid_signature_client,
      invalid_signature_server, cert_expired,
      client_with_cert_cipher_suites_handshake,
+     verify_fun_always_run_client,
+     verify_fun_always_run_server,
      unknown_server_ca_fail, der_input,
      unknown_server_ca_accept_verify_none,
      unknown_server_ca_accept_verify_peer,
@@ -3217,6 +3219,105 @@ client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
     ssl_test_lib:check_result(Server, ok, Client, ok),
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
+
+%%--------------------------------------------------------------------
+verify_fun_always_run_client(doc) ->
+    ["Verify that user verify_fun is always run (for valid and valid_peer not only unknown_extension)"];
+verify_fun_always_run_client(suite) ->
+    [];
+verify_fun_always_run_client(Config) when is_list(Config) ->
+    ClientOpts =  ?config(client_verification_opts, Config),
+    ServerOpts =  ?config(server_verification_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+					      {from, self()},
+					      {mfa, {ssl_test_lib,
+						     no_result, []}},
+					      {options, ServerOpts}]),
+    Port  = ssl_test_lib:inet_port(Server),
+
+    %% If user verify fun is called correctly we fail the connection.
+    %% otherwise we can not tell this case apart form where we miss
+    %% to call users verify fun
+    FunAndState =  {fun(_,{extension, _}, UserState) ->
+			    {unknown, UserState};
+		       (_, valid, [ChainLen]) ->
+			    {valid, [ChainLen + 1]};
+		       (_, valid_peer, [2]) ->
+			    {fail, "verify_fun_was_always_run"};
+		       (_, valid_peer, UserState) ->
+			    {valid, UserState}
+		    end, [0]},
+
+    Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+					      {host, Hostname},
+					      {from, self()},
+					      {mfa, {ssl_test_lib,
+						     no_result, []}},
+					      {options,
+					       [{verify, verify_peer},
+						{verify_fun, FunAndState}
+						| ClientOpts]}]),
+    %% Server error may be esslaccept or closed depending on timing
+    %% this is not a bug it is a circumstance of how tcp works!
+    receive
+	{Server, ServerError} ->
+	    test_server:format("Server Error ~p~n", [ServerError])
+    end,
+
+    ssl_test_lib:check_result(Client, {error, esslconnect}).
+
+%%--------------------------------------------------------------------
+verify_fun_always_run_server(doc) ->
+    ["Verify that user verify_fun is always run (for valid and valid_peer not only unknown_extension)"];
+verify_fun_always_run_server(suite) ->
+    [];
+verify_fun_always_run_server(Config) when is_list(Config) ->
+    ClientOpts =  ?config(client_verification_opts, Config),
+    ServerOpts =  ?config(server_verification_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    %% If user verify fun is called correctly we fail the connection.
+    %% otherwise we can not tell this case apart form where we miss
+    %% to call users verify fun
+    FunAndState =  {fun(_,{extension, _}, UserState) ->
+			    {unknown, UserState};
+		       (_, valid, [ChainLen]) ->
+			    {valid, [ChainLen + 1]};
+		       (_, valid_peer, [2]) ->
+			    {fail, "verify_fun_was_always_run"};
+		       (_, valid_peer, UserState) ->
+			    {valid, UserState}
+		    end, [0]},
+
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+					      {from, self()},
+					      {mfa, {ssl_test_lib,
+						     no_result, []}},
+					      {options,
+					       [{verify, verify_peer},
+						{verify_fun, FunAndState} |
+						ServerOpts]}]),
+    Port  = ssl_test_lib:inet_port(Server),
+
+    Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+					      {host, Hostname},
+					      {from, self()},
+					      {mfa, {ssl_test_lib,
+						     no_result, []}},
+					      {options,
+					       [{verify, verify_peer}
+						| ClientOpts]}]),
+
+    %% Client error may be esslconnect or closed depending on timing
+    %% this is not a bug it is a circumstance of how tcp works!
+    receive
+	{Client, ClientError} ->
+	    test_server:format("Client Error ~p~n", [ClientError])
+    end,
+
+    ssl_test_lib:check_result(Server, {error, esslaccept}).
+
 %%--------------------------------------------------------------------
 unknown_server_ca_fail(doc) ->
     ["Test that the client fails if the ca is unknown in verify_peer mode"];
@@ -3924,7 +4025,7 @@ renegotiate(Socket, Data) ->
     end.
 
 renegotiate_reuse_session(Socket, Data) ->
-    %% Make sure session is registerd
+    %% Make sure session is registered
     test_server:sleep(?SLEEP),
     renegotiate(Socket, Data).
 
diff --git a/lib/ssl/test/ssl_dist_SUITE.erl b/lib/ssl/test/ssl_dist_SUITE.erl
index 8fe55ee7a4..06182970e3 100644
--- a/lib/ssl/test/ssl_dist_SUITE.erl
+++ b/lib/ssl/test/ssl_dist_SUITE.erl
@@ -26,7 +26,7 @@
 
 -define(DEFAULT_TIMETRAP_SECS, 240).
 
--define(AWAIT_SLL_NODE_UP_TIMEOUT, 30000).
+-define(AWAIT_SSL_NODE_UP_TIMEOUT, 30000).
 
 -record(node_handle,
 	{connection_handler,
@@ -120,6 +120,12 @@ basic(Config) when is_list(Config) ->
     pang = net_adm:ping(Node1),
     pang = net_adm:ping(Node2),
 
+    %% SSL nodes should not be able to communicate with the test_server node
+    %% either (and ping should return eventually).
+    TestServer = node(),
+    pang = apply_on_ssl_node(NH1, fun () -> net_adm:ping(TestServer) end),
+    pang = apply_on_ssl_node(NH2, fun () -> net_adm:ping(TestServer) end),
+
     %%
     %% Check that we are able to communicate over the erlang
     %% distribution between the ssl nodes.
@@ -380,7 +386,7 @@ mk_node_cmdline(ListenPort, Name, Args) ->
 %%
 
 await_ssl_node_up(Name, LSock) ->
-    case gen_tcp:accept(LSock, ?AWAIT_SLL_NODE_UP_TIMEOUT) of
+    case gen_tcp:accept(LSock, ?AWAIT_SSL_NODE_UP_TIMEOUT) of
 	timeout ->
 	    gen_tcp:close(LSock),
 	    ?t:format("Timeout waiting for ssl node ~s to come up~n",
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index f04ab9af50..01fca1f166 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2008-2011. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2012. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -1446,8 +1446,8 @@ check_sane_openssl_renegotaite(Config) ->
 
 check_sane_openssl_sslv2(Config) ->
     case os:cmd("openssl version") of
-	"OpenSSL 1.0.0e" ++ _ ->
-	    {skip, "Known option bug"};
+	"OpenSSL 1.0.0" ++ _ ->
+	    {skip, "sslv2 by default turned of in 1.*"};
 	_ ->
 	    Config
     end.