From 8a090f6a082f82a3ff4d2ec07bec4d8c309b9bff Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 2 Sep 2016 11:11:28 +0200
Subject: ssl: Add check in test framework for crypto support

Avoid to run tests of algorithms not supported by crypto.
---
 lib/ssl/test/ssl_test_lib.erl | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index fd8af5efaa..a92b978ca9 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -807,22 +807,24 @@ send_selected_port(_,_,_) ->
 rsa_suites(CounterPart) ->
     ECC = is_sane_ecc(CounterPart),
     FIPS = is_fips(CounterPart),
+    CryptoSupport = crypto:supports(),
+    Ciphers = proplists:get_value(ciphers, CryptoSupport),
     lists:filter(fun({rsa, des_cbc, sha}) when FIPS == true ->
 			 false;
 		    ({dhe_rsa, des_cbc, sha}) when FIPS == true ->
 			 false;
-		    ({rsa, _, _}) ->
-			 true;
-		    ({dhe_rsa, _, _}) ->
-			 true;
-		    ({ecdhe_rsa, _, _}) when ECC == true ->
-			 true;
-		    ({rsa, _, _, _}) ->
-			 true;
-		    ({dhe_rsa, _, _,_}) ->
-			 true;
-		    ({ecdhe_rsa, _, _,_}) when ECC == true ->
-			 true;
+		    ({rsa, Cipher, _}) ->
+			 lists:member(Cipher, Ciphers);
+		    ({dhe_rsa, Cipher, _}) ->
+			 lists:member(Cipher, Ciphers);
+		    ({ecdhe_rsa, Cipher, _}) when ECC == true ->
+			 lists:member(Cipher, Ciphers);
+		    ({rsa, Cipher, _, _}) ->
+			 lists:member(Cipher, Ciphers);
+		    ({dhe_rsa, Cipher, _,_}) ->
+			 lists:member(Cipher, Ciphers);
+		    ({ecdhe_rsa, Cipher, _,_}) when ECC == true ->
+			 lists:member(Cipher, Ciphers);
 		    (_) ->
 			 false
 		 end,
-- 
cgit v1.2.3


From 66f1ea7d6bdc03240cd118ae54d80e2f07cc5047 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 2 Sep 2016 11:50:25 +0200
Subject: ssl: Test ssl v2 clients rejection depending on configuration

Even though v2 is never supported v2 hellos can be.
No support for v2 client hellos gives "handshake failiure" alert.

Support for v2 hello but no higher SSL/TLS version offered
gives "protocol version" alert.
---
 lib/ssl/test/ssl_to_openssl_SUITE.erl | 56 ++++++++++++++++++++++++++++++++---
 1 file changed, 52 insertions(+), 4 deletions(-)

diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 83a4dae0a1..06f419f8c6 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -55,7 +55,9 @@ groups() ->
 basic_tests() ->
     [basic_erlang_client_openssl_server,
      basic_erlang_server_openssl_client,
-     expired_session].
+     expired_session,
+     ssl2_erlang_server_openssl_client_comp
+    ].
 
 all_versions_tests() ->
     [
@@ -74,7 +76,8 @@ all_versions_tests() ->
      ciphers_dsa_signed_certs,
      erlang_client_bad_openssl_server,
      expired_session,
-     ssl2_erlang_server_openssl_client].
+     ssl2_erlang_server_openssl_client
+    ].
 
 alpn_tests() ->
     [erlang_client_alpn_openssl_server_alpn,
@@ -181,7 +184,8 @@ special_init(TestCase, Config)
     {ok, Version} = application:get_env(ssl, protocol_version),
     check_sane_openssl_renegotaite(Config, Version);
 
-special_init(ssl2_erlang_server_openssl_client, Config) ->
+special_init(Case, Config) when Case == ssl2_erlang_server_openssl_client;
+				Case == ssl2_erlang_server_openssl_client_comp ->
     case ssl_test_lib:supports_ssl_tls_version(sslv2) of
 	true ->
 	     Config;
@@ -954,9 +958,53 @@ ssl2_erlang_server_openssl_client(Config) when is_list(Config) ->
     
     Data = "From openssl to erlang",
 
+    Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 
+					      {from, self()}, 
+					      {options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+    
+    Exe = "openssl",
+    Args = ["s_client", "-connect", "localhost:" ++ integer_to_list(Port), 
+	"-ssl2", "-msg"],
+    
+    OpenSslPort = ssl_test_lib:portable_open_port(Exe, Args),  
+    true = port_command(OpenSslPort, Data),
+    
+    ct:log("Ports ~p~n", [[erlang:port_info(P) || P <- erlang:ports()]]), 
+    receive
+	{'EXIT', OpenSslPort, _} = Exit ->
+	    ct:log("Received: ~p ~n", [Exit]),
+	    ok
+    end,
+    receive 
+	{'EXIT', _, _} = UnkownExit ->
+	    Msg = lists:flatten(io_lib:format("Received: ~p ~n", [UnkownExit])),
+	    ct:log(Msg),
+	    ct:comment(Msg),
+	    ok
+    after 0 ->
+	    ok
+    end,		
+    ssl_test_lib:check_result(Server, {error, {tls_alert, "handshake failure"}}),
+    process_flag(trap_exit, false).
+%%--------------------------------------------------------------------
+ssl2_erlang_server_openssl_client_comp() ->
+    [{doc,"Test that ssl v2 clients are rejected"}].
+
+ssl2_erlang_server_openssl_client_comp(Config) when is_list(Config) ->
+    process_flag(trap_exit, true),
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    V2Compat = proplists:get_value(v2_hello_compatible, Config), 
+
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+
+    {_, ServerNode, _} = ssl_test_lib:run_where(Config),
+    
+    Data = "From openssl to erlang",
+
     Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, 
 					{from, self()}, 
-			   {options, ServerOpts}]),
+			   {options, [{v2_hello_compatible, V2Compat} | ServerOpts]}]),
     Port = ssl_test_lib:inet_port(Server),
     
     Exe = "openssl",
-- 
cgit v1.2.3