From 07d56292ca281d30d9bbfa01bcde20fd9cc10382 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 7 Sep 2016 11:50:02 +0200
Subject: ssl: Make sure test has correct input

---
 lib/ssl/test/ssl_crl_SUITE.erl | 92 +++++++++++++++++++++++++-----------------
 1 file changed, 55 insertions(+), 37 deletions(-)

diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index bc2822f0c4..e293d183f7 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -99,32 +99,37 @@ init_per_group(check_peer, Config) ->
 init_per_group(check_best_effort, Config) ->
     [{crl_check, best_effort} | Config];
 init_per_group(Group, Config0) ->
-    case is_idp(Group) of
-	true ->
-	    [{idp_crl, true} | Config0];
-	false ->
-	    DataDir = proplists:get_value(data_dir, Config0), 
-	    CertDir = filename:join(proplists:get_value(priv_dir, Config0), Group),
-	    {CertOpts, Config} = init_certs(CertDir, Group, Config0),
-	    {ok, _} =  make_certs:all(DataDir, CertDir, CertOpts),
-	    case Group of
-		crl_hash_dir ->
-		    CrlDir = filename:join(CertDir, "crls"),
-		    %% Copy CRLs to their hashed filenames.
-		    %% Find the hashes with 'openssl crl -noout -hash -in crl.pem'.
-		    populate_crl_hash_dir(CertDir, CrlDir,
-					  [{"erlangCA", "d6134ed3"},
-					   {"otpCA", "d4c8d7e5"}],
-					  replace),
-		    CrlCacheOpts = [{crl_cache,
-				     {ssl_crl_hash_dir,
-				      {internal, [{dir, CrlDir}]}}}];
-		_ ->
-		    CrlCacheOpts = []
-	    end,
-	    [{crl_cache_opts, CrlCacheOpts},
-	     {cert_dir, CertDir},
-	     {idp_crl, false} | Config]
+    try 
+	case is_idp(Group) of
+	    true ->
+		[{idp_crl, true} | Config0];
+	    false ->
+		DataDir = proplists:get_value(data_dir, Config0), 
+		CertDir = filename:join(proplists:get_value(priv_dir, Config0), Group),
+		{CertOpts, Config} = init_certs(CertDir, Group, Config0),
+		{ok, _} =  make_certs:all(DataDir, CertDir, CertOpts),
+		CrlCacheOpts = case Group of
+				   crl_hash_dir ->
+				       CrlDir = filename:join(CertDir, "crls"),
+				       %% Copy CRLs to their hashed filenames.
+				       %% Find the hashes with 'openssl crl -noout -hash -in crl.pem'.
+				       populate_crl_hash_dir(CertDir, CrlDir,
+							     [{"erlangCA", "d6134ed3"},
+							      {"otpCA", "d4c8d7e5"}],
+							     replace),
+				       [{crl_cache,
+					 {ssl_crl_hash_dir,
+					  {internal, [{dir, CrlDir}]}}}];
+				   _ ->
+				       []
+			       end,
+		[{crl_cache_opts, CrlCacheOpts},
+		 {cert_dir, CertDir},
+		 {idp_crl, false} | Config]
+	end
+    catch
+	_:_ ->
+	    {skip, "Unable to create crls"}
     end.
 
 end_per_group(_GroupName, Config) ->
@@ -187,7 +192,7 @@ crl_verify_valid(Config) when is_list(Config) ->
 			   {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}},
 			   {verify, verify_peer}];
 		      false ->
-			  ?config(crl_cache_opts, Config) ++
+			  proplists:get_value(crl_cache_opts, Config) ++
 			      [{cacertfile, filename:join([PrivDir, "server", "cacerts.pem"])},
 			       {crl_check, Check},
 			       {verify, verify_peer}]
@@ -220,7 +225,7 @@ crl_verify_revoked(Config)  when is_list(Config) ->
 			   {crl_check, Check},
 			   {verify, verify_peer}];
 		      false ->
-			  ?config(crl_cache_opts, Config) ++
+			  proplists:get_value(crl_cache_opts, Config) ++
 			      [{cacertfile, filename:join([PrivDir, "revoked", "cacerts.pem"])},
 			       {crl_check, Check},
 			       {verify, verify_peer}]
@@ -279,8 +284,8 @@ crl_verify_no_crl(Config) when is_list(Config) ->
 crl_hash_dir_collision() ->
     [{doc,"Verify ssl_crl_hash_dir behaviour with hash collisions"}].
 crl_hash_dir_collision(Config) when is_list(Config) ->
-    PrivDir = ?config(cert_dir, Config),
-    Check = ?config(crl_check, Config),
+    PrivDir = proplists:get_value(cert_dir, Config),
+    Check = proplists:get_value(crl_check, Config),
 
     %% Create two CAs whose names hash to the same value
     CA1 = "hash-collision-0000000000",
@@ -307,13 +312,17 @@ crl_hash_dir_collision(Config) when is_list(Config) ->
 			   {CA2, "b68fc624"}],
 			 replace),
 
-    ClientOpts = ?config(crl_cache_opts, Config) ++
-	[{cacertfile, filename:join([PrivDir, "erlangCA", "cacerts.pem"])},
+    NewCA = new_ca(filename:join([PrivDir, "new_ca"]),
+		   filename:join([PrivDir, "erlangCA", "cacerts.pem"]),
+		   filename:join([PrivDir, "server", "cacerts.pem"])),
+    
+    ClientOpts = proplists:get_value(crl_cache_opts, Config) ++
+	[{cacertfile, NewCA},
 	 {crl_check, Check},
 	 {verify, verify_peer}],
-
+    
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-
+    
     %% Neither certificate revoked; both succeed.
     crl_verify_valid(Hostname, ServerNode, ServerOpts1, ClientNode, ClientOpts),
     crl_verify_valid(Hostname, ServerNode, ServerOpts2, ClientNode, ClientOpts),
@@ -346,8 +355,8 @@ crl_hash_dir_collision(Config) when is_list(Config) ->
 crl_hash_dir_expired() ->
     [{doc,"Verify ssl_crl_hash_dir behaviour with expired CRLs"}].
 crl_hash_dir_expired(Config) when is_list(Config) ->
-    PrivDir = ?config(cert_dir, Config),
-    Check = ?config(crl_check, Config),
+    PrivDir = proplists:get_value(cert_dir, Config),
+    Check = proplists:get_value(crl_check, Config),
 
     CA = "CRL-maybe-expired-CA",
     %% Add "issuing distribution point", to ensure that verification
@@ -362,7 +371,7 @@ crl_hash_dir_expired(Config) when is_list(Config) ->
     ServerOpts =  [{keyfile, filename:join([PrivDir, EndUser, "key.pem"])},
 		   {certfile, filename:join([PrivDir, EndUser, "cert.pem"])},
 		   {cacertfile, filename:join([PrivDir, EndUser, "cacerts.pem"])}],
-    ClientOpts = ?config(crl_cache_opts, Config) ++
+    ClientOpts = proplists:get_value(crl_cache_opts, Config) ++
 	[{cacertfile, filename:join([PrivDir, CA, "cacerts.pem"])},
 	 {crl_check, Check},
 	 {verify, verify_peer}],
@@ -492,3 +501,12 @@ find_free_name(CrlDir, Hash, N) ->
 	false ->
 	    Name
     end.
+
+new_ca(FileName, CA1, CA2) ->
+    {ok, P1} = file:read_file(CA1),
+    E1 = public_key:pem_decode(P1),
+    {ok, P2} = file:read_file(CA2),
+    E2 = public_key:pem_decode(P2),
+    Pem = public_key:pem_encode(E1 ++E2),
+    file:write_file(FileName,  Pem),
+    FileName.
-- 
cgit v1.2.3


From 7980bced99e4c00b8b0d8a7f589723c2f7fd8873 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A1niel=20Szoboszlay?= <dszoboszlay@gmail.com>
Date: Tue, 6 May 2014 15:11:40 +0200
Subject: Properly filter ssl cipher suites reported as supported

Adapted from commit 675ee6860d2c273bcc6c6a0536634a107e2a3d9f.

Conflicts:
	lib/ssl/src/ssl_cipher.erl
---
 lib/ssl/src/ssl_cipher.erl | 66 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 49 insertions(+), 17 deletions(-)

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 542dab11b8..605bbd859a 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -1447,28 +1447,60 @@ filter_suites(Suites) ->
 			     is_acceptable_prf(Prf, Hashs)
 		 end, Suites).
 
-is_acceptable_keyexchange(KeyExchange, Algos)
-  when KeyExchange == ecdh_ecdsa;
-       KeyExchange == ecdhe_ecdsa;
-       KeyExchange == ecdh_rsa;
-       KeyExchange == ecdhe_rsa;
-       KeyExchange == ecdh_anon ->
+is_acceptable_keyexchange(KeyExchange, _Algos) when KeyExchange == psk;
+                                                    KeyExchange == null ->
+    true;
+is_acceptable_keyexchange(KeyExchange, Algos) when KeyExchange == dh_anon;
+                                                   KeyExchange == dhe_psk ->
+    proplists:get_bool(dh, Algos);
+is_acceptable_keyexchange(dhe_dss, Algos) ->
+    proplists:get_bool(dh, Algos) andalso
+        proplists:get_bool(dss, Algos);
+is_acceptable_keyexchange(dhe_rsa, Algos) ->
+    proplists:get_bool(dh, Algos) andalso
+        proplists:get_bool(rsa, Algos);
+is_acceptable_keyexchange(ecdh_anon, Algos) ->
     proplists:get_bool(ecdh, Algos);
-is_acceptable_keyexchange(_, _) ->
-    true.
-
+is_acceptable_keyexchange(KeyExchange, Algos) when KeyExchange == ecdh_ecdsa;
+                                                   KeyExchange == ecdhe_ecdsa ->
+    proplists:get_bool(ecdh, Algos) andalso
+        proplists:get_bool(ecdsa, Algos);
+is_acceptable_keyexchange(KeyExchange, Algos) when KeyExchange == ecdh_rsa;
+                                                   KeyExchange == ecdhe_rsa ->
+    proplists:get_bool(ecdh, Algos) andalso
+        proplists:get_bool(rsa, Algos);
+is_acceptable_keyexchange(KeyExchange, Algos) when KeyExchange == rsa;
+                                                   KeyExchange == rsa_psk ->
+    proplists:get_bool(rsa, Algos);
+is_acceptable_keyexchange(srp_anon, Algos) ->
+    proplists:get_bool(srp, Algos);
+is_acceptable_keyexchange(srp_dss, Algos) ->
+    proplists:get_bool(srp, Algos) andalso
+        proplists:get_bool(dss, Algos);
+is_acceptable_keyexchange(srp_rsa, Algos) ->
+    proplists:get_bool(srp, Algos) andalso
+        proplists:get_bool(rsa, Algos);
+is_acceptable_keyexchange(_KeyExchange, _Algos) ->
+    false.
+
+is_acceptable_cipher(null, _Algos) ->
+    true;
+is_acceptable_cipher(rc4_128, Algos) ->
+    proplists:get_bool(rc4, Algos);
+is_acceptable_cipher(des_cbc, Algos) ->
+    proplists:get_bool(des_cbc, Algos);
+is_acceptable_cipher('3des_ede_cbc', Algos) ->
+    proplists:get_bool(des3_cbc, Algos);
+is_acceptable_cipher(aes_128_cbc, Algos) ->
+    proplists:get_bool(aes_cbc128, Algos);
+is_acceptable_cipher(aes_256_cbc, Algos) ->
+    proplists:get_bool(aes_cbc256, Algos);
 is_acceptable_cipher(Cipher, Algos)
   when Cipher == aes_128_gcm;
        Cipher == aes_256_gcm ->
     proplists:get_bool(aes_gcm, Algos);
-is_acceptable_cipher(Cipher, Algos)
-  when Cipher == chacha20_poly1305 ->
-    proplists:get_bool(Cipher, Algos);
-is_acceptable_cipher(Cipher, Algos)
-  when Cipher == rc4_128 ->
-    proplists:get_bool(rc4, Algos);
-is_acceptable_cipher(_, _) ->
-    true.
+is_acceptable_cipher(Cipher, Algos) ->
+    proplists:get_bool(Cipher, Algos).
 
 is_acceptable_hash(null, _Algos) ->
     true;
-- 
cgit v1.2.3