8 files changed, 101 insertions, 47 deletions
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index b8be686b99..a0d9982aaa 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -65,9 +65,7 @@
 	 hello/3, certify/3, cipher/3, abbreviated/3, %% Handshake states 
 	 connection/3]). 
 %% gen_statem callbacks
--export([terminate/3, code_change/4, format_status/2]).
-
--define(GEN_STATEM_CB_MODE, state_functions).
+-export([callback_mode/0, terminate/3, code_change/4, format_status/2]).
 
 %%====================================================================
 %% Internal application API
@@ -161,12 +159,15 @@ init([Role, Host, Port, Socket, Options,  User, CbInfo]) ->
     State0 =  initial_state(Role, Host, Port, Socket, Options, User, CbInfo),
     try
 	State = ssl_connection:ssl_config(State0#state.ssl_options, Role, State0),
-	gen_statem:enter_loop(?MODULE, [], ?GEN_STATEM_CB_MODE, init, State)
+	gen_statem:enter_loop(?MODULE, [], init, State)
     catch
 	throw:Error ->
-	    gen_statem:enter_loop(?MODULE, [], ?GEN_STATEM_CB_MODE, error, {Error,State0})
+	    gen_statem:enter_loop(?MODULE, [], error, {Error,State0})
     end.
 
+callback_mode() ->
+    state_functions.
+
 %%--------------------------------------------------------------------
 %% State functionsconnection/2
 %%--------------------------------------------------------------------
@@ -376,7 +377,7 @@ terminate(Reason, StateName, State) ->
 %% Description: Convert process state when code is changed
 %%--------------------------------------------------------------------
 code_change(_OldVsn, StateName, State, _Extra) ->
-    {?GEN_STATEM_CB_MODE, StateName, State}.
+    {ok, StateName, State}.
 
 format_status(Type, Data) ->
     ssl_connection:format_status(Type, Data).
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index adee59393e..8a990870e8 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -824,8 +824,6 @@ handle_common_event(internal, #change_cipher_spec{type = <<1>>}, StateName,
 		    #state{negotiated_version = Version} = State, Connection) ->
     Connection:handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE), Version, 
 				StateName, State);
-handle_common_event(internal, _, _, _, _) ->
-    {keep_state_and_data, [postpone]};
 handle_common_event(_Type, Msg, StateName, #state{negotiated_version = Version} = State, 
 		    Connection) ->
     Alert =  ?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE),
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 9880befa94..8b828f3421 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -68,10 +68,8 @@
 	 hello/3, certify/3, cipher/3, abbreviated/3, %% Handshake states 
 	 connection/3]). 
 %% gen_statem callbacks
--export([terminate/3, code_change/4, format_status/2]).
+-export([callback_mode/0, terminate/3, code_change/4, format_status/2]).
  
--define(GEN_STATEM_CB_MODE, state_functions).
-
 %%====================================================================
 %% Internal application API
 %%====================================================================	     
@@ -169,11 +167,14 @@ init([Role, Host, Port, Socket, Options,  User, CbInfo]) ->
     State0 = initial_state(Role, Host, Port, Socket, Options, User, CbInfo),
     try 
 	State = ssl_connection:ssl_config(State0#state.ssl_options, Role, State0),
-	gen_statem:enter_loop(?MODULE, [], ?GEN_STATEM_CB_MODE, init, State)
+	gen_statem:enter_loop(?MODULE, [], init, State)
     catch throw:Error ->
-	gen_statem:enter_loop(?MODULE, [], ?GEN_STATEM_CB_MODE, error, {Error, State0}) 
+	gen_statem:enter_loop(?MODULE, [], error, {Error, State0}) 
     end.
 
+callback_mode() ->
+    state_functions.
+
 %%--------------------------------------------------------------------
 %% State functions
 %%--------------------------------------------------------------------
@@ -213,7 +214,7 @@ init({call, From}, {start, Timeout},
     {Record, State} = next_record(State1),
     next_event(hello, Record, State);
 init(Type, Event, State) ->
-    ssl_connection:init(Type, Event, State, ?MODULE).
+    gen_handshake(ssl_connection, init, Type, Event, State).
  
 %%--------------------------------------------------------------------
 -spec error(gen_statem:event_type(),
@@ -257,13 +258,13 @@ hello(internal, #client_hello{client_version = ClientVersion,
 			   _ -> Protocol0
 		       end,
 	    
-	    ssl_connection:hello(internal, {common_client_hello, Type, ServerHelloExt},
+	    gen_handshake(ssl_connection, hello, internal, {common_client_hello, Type, ServerHelloExt},
 				 State#state{connection_states  = ConnectionStates,
 					     negotiated_version = Version,
 					     hashsign_algorithm = HashSign,
 					     session = Session,
 					     client_ecc = {EllipticCurves, EcPointFormats},
-					     negotiated_protocol = Protocol}, ?MODULE)
+					     negotiated_protocol = Protocol})
     end;
 hello(internal, #server_hello{} = Hello,
       #state{connection_states = ConnectionStates0,
@@ -279,36 +280,36 @@ hello(internal, #server_hello{} = Hello,
 					  Version, NewId, ConnectionStates, ProtoExt, Protocol, State)
     end;
 hello(info, Event, State) ->
-    handle_info(Event, hello, State);
+    gen_info(Event, hello, State);
 hello(Type, Event, State) ->
-    ssl_connection:hello(Type, Event, State, ?MODULE).
+    gen_handshake(ssl_connection, hello, Type, Event, State).
 
 %%--------------------------------------------------------------------
 -spec abbreviated(gen_statem:event_type(), term(), #state{}) ->
 			 gen_statem:state_function_result().
 %%--------------------------------------------------------------------
 abbreviated(info, Event, State) ->
-    handle_info(Event, abbreviated, State);
+    gen_info(Event, abbreviated, State);
 abbreviated(Type, Event, State) ->
-    ssl_connection:abbreviated(Type, Event, State, ?MODULE).
+    gen_handshake(ssl_connection, abbreviated, Type, Event, State).
 
 %%--------------------------------------------------------------------
 -spec certify(gen_statem:event_type(), term(), #state{}) ->
 		     gen_statem:state_function_result().
 %%--------------------------------------------------------------------
 certify(info, Event, State) ->
-    handle_info(Event, certify, State);
+    gen_info(Event, certify, State);
 certify(Type, Event, State) ->
-    ssl_connection:certify(Type, Event, State, ?MODULE).
+    gen_handshake(ssl_connection, certify, Type, Event, State).
 
 %%--------------------------------------------------------------------
 -spec cipher(gen_statem:event_type(), term(), #state{}) ->
 		    gen_statem:state_function_result().
 %%--------------------------------------------------------------------
 cipher(info, Event, State) ->
-    handle_info(Event, cipher, State);
+    gen_info(Event, cipher, State);
 cipher(Type, Event, State) ->
-     ssl_connection:cipher(Type, Event, State, ?MODULE).
+     gen_handshake(ssl_connection, cipher, Type, Event, State).
 
 %%--------------------------------------------------------------------
 -spec connection(gen_statem:event_type(),  
@@ -316,7 +317,7 @@ cipher(Type, Event, State) ->
 			gen_statem:state_function_result().
 %%--------------------------------------------------------------------
 connection(info, Event, State) ->
-    handle_info(Event, connection, State);
+    gen_info(Event, connection, State);
 connection(internal, #hello_request{},
 	   #state{role = client, host = Host, port = Port,
 		  session = #session{own_certificate = Cert} = Session0,
@@ -432,11 +433,16 @@ handle_common_event(internal, #ssl_tls{type = ?CHANGE_CIPHER_SPEC, fragment = Da
 %%% TLS record protocol level Alert messages
 handle_common_event(internal, #ssl_tls{type = ?ALERT, fragment = EncAlerts}, StateName,
 		    #state{negotiated_version = Version} = State) ->
-    case decode_alerts(EncAlerts) of
+    try decode_alerts(EncAlerts) of	
 	Alerts = [_|_] ->
 	    handle_alerts(Alerts,  {next_state, StateName, State});
+	[] ->
+	    handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, empty_alert), Version, StateName, State);
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, StateName, State)
+    catch
+	_:_ ->
+	    handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, alert_decode_error), Version, StateName, State)  
     end;
 %% Ignore unknown TLS record level protocol messages
 handle_common_event(internal, #ssl_tls{type = _Unknown}, StateName, State) ->
@@ -457,9 +463,9 @@ format_status(Type, Data) ->
 %%--------------------------------------------------------------------
 code_change(_OldVsn, StateName, State0, {Direction, From, To}) ->
     State = convert_state(State0, Direction, From, To),
-    {?GEN_STATEM_CB_MODE, StateName, State};
+    {ok, StateName, State};
 code_change(_OldVsn, StateName, State, _) ->
-    {?GEN_STATEM_CB_MODE, StateName, State}.
+    {ok, StateName, State}.
 
 %%--------------------------------------------------------------------
 %%% Internal functions
@@ -1039,3 +1045,31 @@ handle_sni_extension(#client_hello{extensions = HelloExtensions}, State0) ->
     end;
 handle_sni_extension(_, State) ->
     State.
+
+gen_handshake(GenConnection, StateName, Type, Event, #state{negotiated_version = Version} = State) ->
+    try GenConnection:StateName(Type, Event, State, ?MODULE) of
+	Result ->
+	    Result
+    catch 
+	_:_ ->
+	    handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, malformed_handshake_data), Version, StateName, State)  
+    end.
+	    
+gen_info(Event, connection = StateName,  #state{negotiated_version = Version} = State) ->
+    try handle_info(Event, StateName, State) of
+	Result ->
+	    Result
+    catch 
+	_:_ ->
+	    handle_own_alert(?ALERT_REC(?FATAL, ?INTERNAL_ERROR, malformed_data), Version, StateName, State)  
+    end;
+
+gen_info(Event, StateName, #state{negotiated_version = Version} = State) ->
+    try handle_info(Event, StateName, State) of
+	Result ->
+	    Result
+    catch 
+        _:_ ->
+	    handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, malformed_handshake_data), Version, StateName, State)  
+    end.
+	    
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index 566b7db332..6e593950d9 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -109,19 +109,25 @@ hello(#client_hello{client_version = ClientVersion,
 		    cipher_suites = CipherSuites} = Hello,
       #ssl_options{versions = Versions} = SslOpts,
       Info, Renegotiation) ->
-    Version = ssl_handshake:select_version(tls_record, ClientVersion, Versions),
-    case ssl_cipher:is_fallback(CipherSuites) of
+    try
+	Version = ssl_handshake:select_version(tls_record, ClientVersion, Versions),
+	case ssl_cipher:is_fallback(CipherSuites) of
 	true -> 
-	    Highest = tls_record:highest_protocol_version(Versions),
-	    case tls_record:is_higher(Highest, Version) of
-		true ->
-		    ?ALERT_REC(?FATAL, ?INAPPROPRIATE_FALLBACK);
-		false ->				     
-		    handle_client_hello(Version, Hello, SslOpts, Info, Renegotiation)
-	    end;
-	false ->
-	    handle_client_hello(Version, Hello, SslOpts, Info, Renegotiation)
-    end.
+		Highest = tls_record:highest_protocol_version(Versions),
+		case tls_record:is_higher(Highest, Version) of
+		    true ->
+			?ALERT_REC(?FATAL, ?INAPPROPRIATE_FALLBACK);
+		    false ->				     
+			handle_client_hello(Version, Hello, SslOpts, Info, Renegotiation)
+		end;
+	    false ->
+		handle_client_hello(Version, Hello, SslOpts, Info, Renegotiation)
+	end
+    catch
+	_:_ ->
+	    ?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, malformed_handshake_data)
+    end.  
+
 %%--------------------------------------------------------------------
 -spec encode_handshake(tls_handshake(), tls_record:tls_version()) -> iolist().
 %%     
@@ -187,8 +193,13 @@ handle_client_hello(Version, #client_hello{session_id = SugesstedId,
 get_tls_handshake_aux(Version, <<?BYTE(Type), ?UINT24(Length),
 				 Body:Length/binary,Rest/binary>>, #ssl_options{v2_hello_compatible = V2Hello} = Opts,  Acc) ->
     Raw = <<?BYTE(Type), ?UINT24(Length), Body/binary>>,
-    Handshake = decode_handshake(Version, Type, Body, V2Hello),
-    get_tls_handshake_aux(Version, Rest, Opts, [{Handshake,Raw} | Acc]);
+    try decode_handshake(Version, Type, Body, V2Hello) of
+	Handshake ->
+	    get_tls_handshake_aux(Version, Rest, Opts, [{Handshake,Raw} | Acc])
+    catch
+	_:_ ->
+	    throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, handshake_decode_error))
+    end;
 get_tls_handshake_aux(_Version, Data, _, Acc) ->
     {lists:reverse(Acc), Data}.
 
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 665dbb1df3..38341f77aa 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -340,7 +340,7 @@ init_per_testcase(TestCase, Config) when TestCase == client_renegotiate;
 					 TestCase == renegotiate_dos_mitigate_passive;
 					 TestCase == renegotiate_dos_mitigate_absolute ->
     ssl_test_lib:ct_log_supported_protocol_versions(Config),
-    ct:timetrap({seconds, 30}),
+    ct:timetrap({seconds, 90}),
     Config;
 
 init_per_testcase(TestCase, Config) when TestCase == psk_cipher_suites;
@@ -350,6 +350,11 @@ init_per_testcase(TestCase, Config) when TestCase == psk_cipher_suites;
 					 TestCase == ciphers_dsa_signed_certs;
 					 TestCase == ciphers_dsa_signed_certs_openssl_names;
 					 TestCase == anonymous_cipher_suites;
+					 TestCase == ciphers_ecdsa_signed_certs;
+					 TestCase == ciphers_ecdsa_signed_certs_openssl_names;
+					 TestCase == anonymous_cipher_suites;
+					 TestCase == psk_anon_cipher_suites;
+					 TestCase == psk_anon_with_hint_cipher_suites;
 					 TestCase == versions_option,
 					 TestCase == tls_tcp_connect_big ->
     ssl_test_lib:ct_log_supported_protocol_versions(Config),
diff --git a/lib/ssl/test/ssl_packet_SUITE.erl b/lib/ssl/test/ssl_packet_SUITE.erl
index e49d432c21..193307b347 100644
--- a/lib/ssl/test/ssl_packet_SUITE.erl
+++ b/lib/ssl/test/ssl_packet_SUITE.erl
@@ -41,7 +41,7 @@
 
 -define(MANY, 1000).
 -define(SOME, 50).
--define(BASE_TIMEOUT_SECONDS, 15).
+-define(BASE_TIMEOUT_SECONDS, 30).
 -define(SOME_SCALE, 20).
 -define(MANY_SCALE, 20).
 
diff --git a/lib/ssl/test/ssl_payload_SUITE.erl b/lib/ssl/test/ssl_payload_SUITE.erl
index cb0571d0a7..c0b762760d 100644
--- a/lib/ssl/test/ssl_payload_SUITE.erl
+++ b/lib/ssl/test/ssl_payload_SUITE.erl
@@ -104,8 +104,13 @@ init_per_testcase(TestCase, Config) when TestCase == server_echos_passive_huge;
 					 TestCase == client_echos_passive_huge;
 					 TestCase == client_echos_active_once_huge;
 					 TestCase == client_echos_active_huge ->
-    ct:timetrap({seconds, 90}),
-    Config;
+    case erlang:system_info(system_architecture) of
+	"sparc-sun-solaris2.10" ->
+	    {skip,"Will take to long time on an old Sparc"};
+	_ ->
+	    ct:timetrap({seconds, 90}),
+	    Config
+    end;
 
 init_per_testcase(TestCase, Config) when TestCase == server_echos_passive_big;
 					 TestCase == server_echos_active_once_big;
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index b3109b5de9..86c875b57e 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -1264,7 +1264,7 @@ client_check_result(Port, DataExpected, DataReceived) ->
                 _ ->
                     client_check_result(Port, DataExpected, NewData)
             end
-    after 3000 ->
+    after 20000 ->
 	    ct:fail({"Time out on openSSL Client", {expected, DataExpected},
 		     {got, DataReceived}})   
     end.