From b16d7d7e4cfa15ab00e5ce43f50619d02bc2f986 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 1 Feb 2018 14:28:22 +0100
Subject: ssl: Make sure anonymous suites are handled separately

Preferably customized cipher suites will be based on the default value.
But all may be used as base and hence it will be good to
handle anonymous suites separately as they are intended for testing purposes.
---
 lib/ssl/doc/src/ssl.xml          |  4 +-
 lib/ssl/src/dtls_v1.erl          |  8 +++-
 lib/ssl/src/ssl.erl              | 12 +++---
 lib/ssl/src/ssl_cipher.erl       | 79 +++++++++++++++++++++++++---------------
 lib/ssl/test/ssl_basic_SUITE.erl | 78 +++++++++++++++++++++++++++++++--------
 lib/ssl/test/ssl_test_lib.erl    | 79 ++++++++++++++++++----------------------
 6 files changed, 164 insertions(+), 96 deletions(-)

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 70bb4f759b..3db5aa19ac 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -881,10 +881,10 @@ fun(srp, Username :: string(), UserState :: term()) ->
       <fsummary>Returns a list of all default or
       all supported cipher suites.</fsummary>
       <type>
-        <v> Supported = default | all </v>
+        <v> Supported = default | all | anonymous </v>
 	<v> Version = protocol_version() </v>
       </type>
-      <desc><p>Returns all default or all supported cipher suites for a
+      <desc><p>Returns all default or all supported (except anonymous), or all anonymous cipher suites for a
       TLS version</p>
     </desc>
     </func>
diff --git a/lib/ssl/src/dtls_v1.erl b/lib/ssl/src/dtls_v1.erl
index 51ee8ec047..0f6344b6f7 100644
--- a/lib/ssl/src/dtls_v1.erl
+++ b/lib/ssl/src/dtls_v1.erl
@@ -21,7 +21,7 @@
 
 -include("ssl_cipher.hrl").
 
--export([suites/1, all_suites/1, hmac_hash/3, ecc_curves/1, 
+-export([suites/1, all_suites/1, anonymous_suites/1,hmac_hash/3, ecc_curves/1, 
          corresponding_tls_version/1, corresponding_dtls_version/1,
          cookie_secret/0, cookie_timeout/0]).
 
@@ -40,6 +40,12 @@ all_suites(Version) ->
                  end,
                  ssl_cipher:all_suites(corresponding_tls_version(Version))).
 
+anonymous_suites(Version) ->
+    lists:filter(fun(Cipher) -> 
+                         is_acceptable_cipher(ssl_cipher:suite_definition(Cipher)) 
+                 end, 
+                 ssl_cipher:anonymous_suites(corresponding_tls_version(Version))).
+                 
 hmac_hash(MacAlg, MacSecret, Value) ->
     tls_v1:hmac_hash(MacAlg, MacSecret, Value).
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 575b4e2e11..fb4448e180 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -396,7 +396,7 @@ cipher_suites(all) ->
     [ssl_cipher:erl_suite_definition(Suite) || Suite <- available_suites(all)].
 
 %%--------------------------------------------------------------------
--spec cipher_suites(default | all, tls_record:tls_version() | dtls_record:dtls_version() |
+-spec cipher_suites(default | all | anonymous, tls_record:tls_version() | dtls_record:dtls_version() |
                     tls_record:tls_atom_version() |  dtls_record:dtls_atom_version()) -> 
                            [ssl_cipher:erl_cipher_suite()].
 %% Description: Returns all default and all supported cipher suites for a
@@ -718,9 +718,10 @@ available_suites(all) ->
 
 supported_suites(default, Version) ->  
     ssl_cipher:suites(Version);
-
 supported_suites(all, Version) ->  
-    ssl_cipher:all_suites(Version).
+    ssl_cipher:all_suites(Version);
+supported_suites(anonymous, Version) -> 
+    ssl_cipher:anonymous_suites(Version).
 
 do_listen(Port, #config{transport_info = {Transport, _, _, _}} = Config, tls_connection) ->
     tls_socket:listen(Transport, Port, Config);
@@ -1239,7 +1240,8 @@ binary_cipher_suites(Version, [Tuple|_] = Ciphers0) when is_tuple(Tuple) ->
     Ciphers = [ssl_cipher:suite(tuple_to_map(C)) || C <- Ciphers0],
     binary_cipher_suites(Version, Ciphers);
 binary_cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
-    All = ssl_cipher:all_suites(tls_version(Version)),
+    All = ssl_cipher:all_suites(Version) ++ 
+        ssl_cipher:anonymous_suites(Version),
     case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, All)] of
 	[] ->
 	    %% Defaults to all supported suites that does
@@ -1258,7 +1260,7 @@ binary_cipher_suites(Version, Ciphers0)  ->
     binary_cipher_suites(Version, Ciphers).
 
 default_binary_suites(Version) ->
-    ssl_cipher:filter_suites(ssl_cipher:suites(tls_version(Version))).
+    ssl_cipher:filter_suites(ssl_cipher:suites(Version)).
 
 tuple_to_map({Kex, Cipher, Mac}) ->
     #{key_exchange => Kex,
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 6258cbb047..c6927bd276 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -37,8 +37,8 @@
 	 erl_suite_definition/1,
 	 cipher_init/3, decipher/6, cipher/5, decipher_aead/6, cipher_aead/6,
 	 suite/1, suites/1, all_suites/1, crypto_support_filters/0,
-	 ec_keyed_suites/0, anonymous_suites/1, psk_suites/1, srp_suites/0,
-	 rc4_suites/1, des_suites/1, openssl_suite/1, openssl_suite_name/1, 
+	 ec_keyed_suites/0, anonymous_suites/1, psk_suites/1, psk_suites_anon/1, srp_suites/0,
+         srp_suites_anon/0, rc4_suites/1, des_suites/1, openssl_suite/1, openssl_suite_name/1, 
          filter/2, filter_suites/1, filter_suites/2,  
 	 hash_algorithm/1, sign_algorithm/1, is_acceptable_hash/2, is_fallback/1,
 	 random_bytes/1, calc_mac_hash/4,
@@ -321,7 +321,6 @@ suites({_, Minor}) ->
 
 all_suites({3, _} = Version) ->
     suites(Version)
-	++ anonymous_suites(Version)
 	++ psk_suites(Version)
 	++ srp_suites()
         ++ rc4_suites(Version)
@@ -337,12 +336,12 @@ all_suites(Version) ->
 %%--------------------------------------------------------------------
 
 anonymous_suites({3, N}) ->
-    anonymous_suites(N);
+    srp_suites_anon() ++ anonymous_suites(N);
 anonymous_suites({254, _} = Version) ->
-    anonymous_suites(dtls_v1:corresponding_tls_version(Version))
-        -- [?TLS_DH_anon_WITH_RC4_128_MD5];
+    dtls_v1:anonymous_suites(Version);
 anonymous_suites(N)
   when N >= 3 ->
+    psk_suites_anon(N) ++
     [?TLS_DH_anon_WITH_AES_128_GCM_SHA256,
      ?TLS_DH_anon_WITH_AES_256_GCM_SHA384,
      ?TLS_DH_anon_WITH_AES_128_CBC_SHA256,
@@ -351,20 +350,20 @@ anonymous_suites(N)
      ?TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
      ?TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
      ?TLS_DH_anon_WITH_RC4_128_MD5];
-
-anonymous_suites(2) ->
+anonymous_suites(2 = N) ->
+    psk_suites_anon(N) ++
     [?TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
      ?TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
      ?TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
      ?TLS_DH_anon_WITH_DES_CBC_SHA,
      ?TLS_DH_anon_WITH_RC4_128_MD5];
-
 anonymous_suites(N)  when N == 0;
 			  N == 1 ->
-    [?TLS_DH_anon_WITH_RC4_128_MD5,
-     ?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
-     ?TLS_DH_anon_WITH_DES_CBC_SHA
-    ].
+    psk_suites_anon(N) ++
+        [?TLS_DH_anon_WITH_RC4_128_MD5,
+         ?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
+         ?TLS_DH_anon_WITH_DES_CBC_SHA
+        ].
 
 %%--------------------------------------------------------------------
 -spec psk_suites(ssl_record:ssl_version() | integer()) -> [cipher_suite()].
@@ -374,38 +373,49 @@ anonymous_suites(N)  when N == 0;
 %%--------------------------------------------------------------------
 psk_suites({3, N}) ->
     psk_suites(N);
-
 psk_suites(N)
   when N >= 3 ->
     [
-     ?TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
      ?TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+     ?TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+     ?TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+     ?TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+    ] ++ psk_suites(0);
+psk_suites(_) ->
+    [?TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+     ?TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+     ?TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+     ?TLS_RSA_PSK_WITH_RC4_128_SHA].
+
+%%--------------------------------------------------------------------
+-spec psk_suites_anon(ssl_record:ssl_version() | integer()) -> [cipher_suite()].
+%%
+%% Description: Returns a list of the anonymous PSK cipher suites, only supported
+%% if explicitly set by user.
+%%--------------------------------------------------------------------
+psk_suites_anon({3, N}) ->
+    psk_suites_anon(N);
+psk_suites_anon(N)
+  when N >= 3 ->
+    [
+     ?TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
      ?TLS_PSK_WITH_AES_256_GCM_SHA384,
      ?TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
-     ?TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
      ?TLS_PSK_WITH_AES_256_CBC_SHA384,
      ?TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
-     ?TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
      ?TLS_PSK_WITH_AES_128_GCM_SHA256,
      ?TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
-     ?TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
      ?TLS_PSK_WITH_AES_128_CBC_SHA256
-    ] ++ psk_suites(0);
-
-psk_suites(_) ->
+    ] ++ psk_suites_anon(0);
+psk_suites_anon(_) ->
 	[?TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
-	 ?TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
 	 ?TLS_PSK_WITH_AES_256_CBC_SHA,
 	 ?TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
-	 ?TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
 	 ?TLS_PSK_WITH_AES_128_CBC_SHA,
 	 ?TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
-	 ?TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
 	 ?TLS_PSK_WITH_3DES_EDE_CBC_SHA,
 	 ?TLS_DHE_PSK_WITH_RC4_128_SHA,
-	 ?TLS_RSA_PSK_WITH_RC4_128_SHA,
 	 ?TLS_PSK_WITH_RC4_128_SHA].
-
 %%--------------------------------------------------------------------
 -spec srp_suites() -> [cipher_suite()].
 %%
@@ -413,15 +423,24 @@ psk_suites(_) ->
 %% if explicitly set by user.
 %%--------------------------------------------------------------------
 srp_suites() ->
-    [?TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
-     ?TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
+    [?TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
      ?TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
-     ?TLS_SRP_SHA_WITH_AES_128_CBC_SHA,
      ?TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
      ?TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
-     ?TLS_SRP_SHA_WITH_AES_256_CBC_SHA,
      ?TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
      ?TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA].
+
+%%--------------------------------------------------------------------
+-spec srp_suites_anon() -> [cipher_suite()].
+%%
+%% Description: Returns a list of the SRP anonymous cipher suites, only supported
+%% if explicitly set by user.
+%%--------------------------------------------------------------------
+srp_suites_anon() ->
+    [?TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+     ?TLS_SRP_SHA_WITH_AES_128_CBC_SHA,
+     ?TLS_SRP_SHA_WITH_AES_256_CBC_SHA].
+
 %%--------------------------------------------------------------------
 -spec rc4_suites(Version::ssl_record:ssl_version() | integer()) -> [cipher_suite()].
 %%
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 465acc084b..ce62017a7e 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -1296,6 +1296,7 @@ cipher_suites(Config) when is_list(Config) ->
     Version = ssl_test_lib:protocol_version(Config),
     All = [_|_] = ssl:cipher_suites(all, Version),
     Default = [_|_] = ssl:cipher_suites(default, Version),
+    Anonymous = [_|_] = ssl:cipher_suites(anonymous, Version),
     true = length(Default) < length(All),
     Filters = [{key_exchange, 
                 fun(dhe_rsa) -> 
@@ -1331,7 +1332,10 @@ cipher_suites(Config) when is_list(Config) ->
     [Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites([Cipher], Default)),
     [Cipher | Rest1] = lists:reverse(ssl:append_cipher_suites(Filters, Default)),
     true = lists:member(Cipher, Default),
-    false = lists:member(Cipher, Rest1).
+    false = lists:member(Cipher, Rest1),
+    [] = lists:dropwhile(fun(X) -> not lists:member(X, Default) end, Anonymous),
+    [] = lists:dropwhile(fun(X) -> not lists:member(X, All) end, Anonymous).
+
 
 %%--------------------------------------------------------------------
 
@@ -3820,9 +3824,23 @@ rizzo() ->
     vunrable to Rizzo/Dungon attack"}].
 
 rizzo(Config) when is_list(Config) ->
-    Ciphers  = [X || X ={_,Y,_} <- ssl:cipher_suites(), Y  =/= rc4_128],
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    Ciphers  = ssl:filter_cipher_suites(ssl:cipher_suites(all, NVersion),  
+                                        [{key_exchange, 
+                                          fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> 
+                                                  true;
+                                             (_) -> 
+                                                  false 
+                                          end},
+                                         {cipher, 
+                                          fun(rc4_128) -> 
+                                                  false;
+                                             (_) -> 
+                                                  true 
+                                          end}]),
+
     run_send_recv_rizzo(Ciphers, Config, Version,
 			 {?MODULE, send_recv_result_active_rizzo, []}).
 %%--------------------------------------------------------------------
@@ -3834,8 +3852,13 @@ no_rizzo_rc4(Config) when is_list(Config) ->
     Version = proplists:get_value(name, Prop),
     NVersion = ssl_test_lib:protocol_version(Config, tuple),
     %% Test uses RSA certs
-    Ciphers  = ssl_test_lib:rc4_suites(NVersion) -- [{ecdhe_ecdsa,rc4_128,sha},
-                                                     {ecdh_ecdsa,rc4_128,sha}],
+    Ciphers  = ssl:filter_cipher_suites(ssl_test_lib:rc4_suites(NVersion),  
+                                        [{key_exchange, 
+                                          fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> 
+                                                  true;
+                                             (_) -> 
+                                                  false 
+                                          end}]),
     run_send_recv_rizzo(Ciphers, Config, Version,
 			{?MODULE, send_recv_result_active_no_rizzo, []}).
 
@@ -3846,10 +3869,21 @@ rizzo_one_n_minus_one(Config) when is_list(Config) ->
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
     NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    AllSuites = ssl_test_lib:available_suites(NVersion),
-    Ciphers  = [X || X ={_,Y,_} <- AllSuites, Y  =/= rc4_128],
+    Ciphers  = ssl:filter_cipher_suites(ssl:cipher_suites(all, NVersion),
+                                        [{key_exchange, 
+                                          fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> 
+                                                  true;
+                                             (_) -> 
+                                                  false 
+                                          end}, 
+                                         {cipher, 
+                                          fun(rc4_128) ->
+                                                  false;
+                                             (_) -> 
+                                                  true 
+                                          end}]),
     run_send_recv_rizzo(Ciphers, Config, Version,
-			 {?MODULE, send_recv_result_active_rizzo, []}).
+                        {?MODULE, send_recv_result_active_rizzo, []}).
 
 rizzo_zero_n() ->
     [{doc,"Test that the 0/n-split mitigation of Rizzo/Dungon attack can be explicitly selected"}].
@@ -3858,8 +3892,13 @@ rizzo_zero_n(Config) when is_list(Config) ->
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
     NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    AllSuites = ssl_test_lib:available_suites(NVersion),
-    Ciphers  = [X || X ={_,Y,_} <- AllSuites, Y  =/= rc4_128],
+    Ciphers  = ssl:filter_cipher_suites(ssl:cipher_suites(default, NVersion),
+                                        [{cipher, 
+                                          fun(rc4_128) ->
+                                                  false;
+                                             (_) -> 
+                                                  true 
+                                          end}]),
     run_send_recv_rizzo(Ciphers, Config, Version,
 			 {?MODULE, send_recv_result_active_no_rizzo, []}).
 
@@ -3867,9 +3906,16 @@ rizzo_disabled() ->
     [{doc,"Test that the mitigation of Rizzo/Dungon attack can be explicitly disabled"}].
 
 rizzo_disabled(Config) when is_list(Config) ->
-    Ciphers  = [X || X ={_,Y,_} <- ssl:cipher_suites(), Y  =/= rc4_128],
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    Ciphers  = ssl:filter_cipher_suites(ssl:cipher_suites(default, NVersion),
+                                        [{cipher, 
+                                          fun(rc4_128) ->
+                                                  false;
+                                             (_) -> 
+                                                  true 
+                                          end}]),
     run_send_recv_rizzo(Ciphers, Config, Version,
 			 {?MODULE, send_recv_result_active_no_rizzo, []}).
 
@@ -4644,19 +4690,21 @@ rizzo_test(Cipher, Config, Version, Mfa) ->
 	    [{Cipher, Error}]
     end.
 
-client_server_opts({KeyAlgo,_,_}, Config)
+client_server_opts(#{key_exchange := KeyAlgo}, Config)
   when KeyAlgo == rsa orelse
        KeyAlgo == dhe_rsa orelse
-       KeyAlgo == ecdhe_rsa ->
+       KeyAlgo == ecdhe_rsa orelse
+       KeyAlgo == rsa_psk orelse
+       KeyAlgo == srp_rsa ->
     {ssl_test_lib:ssl_options(client_opts, Config),
      ssl_test_lib:ssl_options(server_opts, Config)};
-client_server_opts({KeyAlgo,_,_}, Config) when KeyAlgo == dss orelse KeyAlgo == dhe_dss ->
+client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == dss orelse KeyAlgo == dhe_dss ->
     {ssl_test_lib:ssl_options(client_dsa_opts, Config),
      ssl_test_lib:ssl_options(server_dsa_opts, Config)};
-client_server_opts({KeyAlgo,_,_}, Config) when KeyAlgo == ecdh_ecdsa orelse KeyAlgo == ecdhe_ecdsa ->
+client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == ecdh_ecdsa orelse KeyAlgo == ecdhe_ecdsa ->
     {ssl_test_lib:ssl_options(client_opts, Config),
      ssl_test_lib:ssl_options(server_ecdsa_opts, Config)};
-client_server_opts({KeyAlgo,_,_}, Config) when KeyAlgo == ecdh_rsa ->
+client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == ecdh_rsa ->
     {ssl_test_lib:ssl_options(client_opts, Config),
      ssl_test_lib:ssl_options(server_ecdh_rsa_opts, Config)}.
 
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 5c9ea068bf..f9cc976815 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -1024,55 +1024,46 @@ string_regex_filter(Str, Search) when is_list(Str) ->
 string_regex_filter(_Str, _Search) ->
     false.
 
-anonymous_suites({3,_ } = Version) ->
-    [ssl_cipher:erl_suite_definition(S) || S <- ssl_cipher:filter_suites(ssl_cipher:anonymous_suites(Version))];
-anonymous_suites(DTLSVersion) ->
-    Version = dtls_v1:corresponding_tls_version(DTLSVersion),
-    [ssl_cipher:erl_suite_definition(S) || S <- ssl_cipher:filter_suites(ssl_cipher:anonymous_suites(Version)), 
-                                           not ssl_cipher:is_stream_ciphersuite(tuple_to_map(ssl_cipher:erl_suite_definition(S)))].
-
-psk_suites({3,_ } = Version) ->
-    [ssl_cipher:erl_suite_definition(S) || S <-  ssl_cipher:filter_suites(ssl_cipher:psk_suites(Version))];
-psk_suites(DTLSVersion) ->
-    Version = dtls_v1:corresponding_tls_version(DTLSVersion),
-    [ssl_cipher:erl_suite_definition(S) || S <-  ssl_cipher:filter_suites(ssl_cipher:psk_suites(Version)),  
-                                           not ssl_cipher:is_stream_ciphersuite(tuple_to_map(ssl_cipher:erl_suite_definition(S)))].
-
-psk_anon_suites({3,_ } = Version) ->
-    [Suite || Suite <-  psk_suites(Version), is_psk_anon_suite(Suite)];
-psk_anon_suites(DTLSVersion) ->
-    Version = dtls_v1:corresponding_tls_version(DTLSVersion),
-    [Suite || Suite <- psk_suites(Version), is_psk_anon_suite(Suite),  
-              not ssl_cipher:is_stream_ciphersuite(tuple_to_map(Suite))].
+anonymous_suites(Version) ->
+    ssl:filter_cipher_suites([ssl_cipher:suite_definition(S) || S <- ssl_cipher:anonymous_suites(Version)],[]).
+psk_suites(Version) ->
+    ssl:filter_cipher_suites([ssl_cipher:suite_definition(S) || S <- ssl_cipher:psk_suites(Version)], []).
+
+psk_anon_suites(Version) ->
+    ssl:filter_cipher_suites([ssl_cipher:suite_definition(S) || S <- ssl_cipher:psk_suites_anon(Version)], 
+                             [{key_exchange, 
+                               fun(psk) -> 
+                                       true;
+                                  (psk_dhe) -> 
+                                       true;
+                                  (_) -> 
+                                       false 
+                               end}]).
+
 srp_suites() ->
-    [ssl_cipher:erl_suite_definition(Suite) || 
-        Suite  <-
-            ssl_cipher:filter_suites([tuple_to_map(S) || 
-                                         S <- [{srp_anon,'3des_ede_cbc', sha},
-                                               {srp_rsa, '3des_ede_cbc', sha},
-                                               {srp_anon, aes_128_cbc, sha},
-                                               {srp_rsa, aes_128_cbc, sha},
-                                               {srp_anon, aes_256_cbc, sha},
-                                               {srp_rsa, aes_256_cbc, sha}]])].
+    ssl:filter_cipher_suites([ssl_cipher:suite_definition(S) || S <- ssl_cipher:srp_suites()],
+                             [{key_exchange, 
+                               fun(srp_rsa) -> 
+                                       true;
+                                  (_) -> 
+                                       false 
+                               end}]).
 srp_anon_suites() ->
-    [ssl_cipher:erl_suite_definition(Suite) || 
-        Suite  <-
-            ssl_cipher:filter_suites([tuple_to_map(S) || 
-                                         S <-[{srp_anon, '3des_ede_cbc', sha},
-                                              {srp_anon, aes_128_cbc, sha},
-                                              {srp_anon, aes_256_cbc, sha}]])].
+    ssl:filter_cipher_suites([ssl_cipher:suite_definition(S) || S <-  ssl_cipher:srp_suites_anon()],
+                             []).
 srp_dss_suites() ->
-    [ssl_cipher:erl_suite_definition(Suite) || 
-        Suite  <-
-            ssl_cipher:filter_suites([tuple_to_map(S) || 
-                                         S <-	[{srp_dss, '3des_ede_cbc', sha},
-                                                 {srp_dss, aes_128_cbc, sha},
-                                                 {srp_dss, aes_256_cbc, sha}]])].
+    ssl:filter_cipher_suites([ssl_cipher:suite_definition(S) || S <- ssl_cipher:srp_suites()], 
+                             [{key_exchange, 
+                               fun(srp_dss) -> 
+                                       true;
+                                  (_) -> 
+                                       false 
+                               end}]).
 rc4_suites(Version) ->
-    [ssl_cipher:erl_suite_definition(S) || S <- ssl_cipher:filter_suites(ssl_cipher:rc4_suites(Version))].
+     ssl:filter_cipher_suites([ssl_cipher:suite_definition(S) || S <-ssl_cipher:rc4_suites(Version)], []).
 
 des_suites(Version) ->
-    [ssl_cipher:erl_suite_definition(S) || S <- ssl_cipher:filter_suites(ssl_cipher:des_suites(Version))].
+     ssl:filter_cipher_suites([ssl_cipher:suite_definition(S) || S <-ssl_cipher:des_suites(Version)], []).
 
 tuple_to_map({Kex, Cipher, Mac}) ->
     #{key_exchange => Kex,
@@ -1413,7 +1404,9 @@ filter_suites(Ciphers0, AtomVersion) ->
     Supported0 = ssl_cipher:suites(Version)
 	++ ssl_cipher:anonymous_suites(Version)
 	++ ssl_cipher:psk_suites(Version)
+        ++ ssl_cipher:psk_suites_anon(Version)
 	++ ssl_cipher:srp_suites() 
+        ++ ssl_cipher:srp_suites_anon() 
 	++ ssl_cipher:rc4_suites(Version),
     Supported1 = ssl_cipher:filter_suites(Supported0),
     Supported2 = [ssl_cipher:erl_suite_definition(S) || S <- Supported1],
-- 
cgit v1.2.3