From c5545f2b6d10f4d524d6dcbc9013cb9aa19ccaa9 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Mon, 22 Jul 2019 16:10:07 +0200 Subject: ssl: Move der_input and rizzo tests Also refactor Rizzo tests to minimize them to only test what actually can be tested. In practice this was already done but a lot of legacy code remained. In the past timing happened to make it look like it was possible to test Rizzo-Dungeon mitigation in more detail, but it was based on false assumptions that can not be applied to streams. --- lib/ssl/test/ssl_api_SUITE.erl | 113 ++++++++++++- lib/ssl/test/ssl_basic_SUITE.erl | 335 +-------------------------------------- 2 files changed, 110 insertions(+), 338 deletions(-) (limited to 'lib') diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl index eb6d2282ca..75075dff74 100644 --- a/lib/ssl/test/ssl_api_SUITE.erl +++ b/lib/ssl/test/ssl_api_SUITE.erl @@ -48,8 +48,8 @@ groups() -> {'tlsv1.3', [], gen_api_tests() -- [secret_connection_info, dh_params, honor_server_cipher_order, honor_client_cipher_order]}, {'tlsv1.2', [], gen_api_tests() ++ handshake_paus_tests()}, {'tlsv1.1', [], gen_api_tests() ++ handshake_paus_tests()}, - {'tlsv1', [], gen_api_tests() ++ handshake_paus_tests()}, - {'sslv3', [], gen_api_tests()}, + {'tlsv1', [], gen_api_tests() ++ handshake_paus_tests() ++ beast_mitigation_test()}, + {'sslv3', [], gen_api_tests() ++ beast_mitigation_test()}, {'dtlsv1.2', [], gen_api_tests() -- [invalid_keyfile, invalid_certfile, invalid_cacertfile] ++ handshake_paus_tests()}, {'dtlsv1', [], gen_api_tests() -- [invalid_keyfile, invalid_certfile, invalid_cacertfile] ++ handshake_paus_tests()} ]. @@ -82,6 +82,7 @@ gen_api_tests() -> honor_server_cipher_order, honor_client_cipher_order, ipv6, + der_input, invalid_certfile, invalid_cacertfile, invalid_keyfile 
@@ -95,6 +96,15 @@ handshake_paus_tests() -> hello_server_cancel ]. +%% Only relevant for SSL 3.0 and TLS 1.1 +beast_mitigation_test() -> + [%% Original option + rizzo_disabled, + %% Same effect as disable + rizzo_zero_n, + %% Same as default + rizzo_one_n_minus_one + ]. init_per_suite(Config0) -> catch crypto:stop(), @@ -117,7 +127,8 @@ init_per_group(GroupName, Config) -> true -> case ssl_test_lib:sufficient_crypto_support(GroupName) of true -> - ssl_test_lib:init_tls_version(GroupName, Config); + [{client_type, erlang}, + {server_type, erlang} | ssl_test_lib:init_tls_version(GroupName, Config)]; false -> {skip, "Missing crypto support"} end; @@ -1121,8 +1132,8 @@ ipv6(Config) when is_list(Config) -> case lists:member(list_to_atom(Hostname0), ct:get_config(ipv6_hosts)) of true -> - ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), - ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), + ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config, ipv6), Server = ssl_test_lib:start_server([{node, ServerNode}, 
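Review bot: The comment added above `beast_mitigation_test()` says "Only relevant for SSL 3.0 and TLS 1.1", but this commit adds the cases to the 'tlsv1' and 'sslv3' groups, and the doc strings of the new tests say "SSL 3.0 and TLS 1.0". The comment should read `%% Only relevant for SSL 3.0 and TLS 1.0`. TLS 1.1 and later use an explicit per-record IV, so a reader who trusts the current wording could move the cases to a group where the option has nothing to mitigate.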
@@ -1148,6 +1159,51 @@ ipv6(Config) when is_list(Config) -> false -> {skip, "Host does not support IPv6"} end. + +%%-------------------------------------------------------------------- +der_input() -> + [{doc,"Test to input certs and key as der"}]. + +der_input(Config) when is_list(Config) -> + DataDir = proplists:get_value(data_dir, Config), + DHParamFile = filename:join(DataDir, "dHParam.pem"), + + {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)), + [_, _,_, _, Prop] = StatusInfo, + State = ssl_test_lib:state(Prop), + [CADb | _] = element(6, State), + + Size = ets:info(CADb, size), + + SeverVerifyOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), + {ServerCert, ServerKey, ServerCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} | + SeverVerifyOpts]), + ClientVerifyOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), + {ClientCert, ClientKey, ClientCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} | + ClientVerifyOpts]), + ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, + {dh, DHParams}, + {cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCaCerts}], + ClientOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, + {dh, DHParams}, + {cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCaCerts}], + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result, []}}, + {options, [{active, false} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result, []}}, + {options, [{active, false} | ClientOpts]}]), + + ssl_test_lib:check_result(Server, ok, Client, ok), + ssl_test_lib:close(Server), + ssl_test_lib:close(Client), + Size = ets:info(CADb, size). 
+ %%-------------------------------------------------------------------- invalid_certfile() -> [{doc,"Test what happens with an invalid cert file"}]. 
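Review bot: `[CADb | _] = element(6, State)` in der_input/1 reads the ssl_manager state by tuple position, so a reordered or extended state record would make the test inspect a different field without failing at this line. A comment should name the field expected at position 6 and say why the table size is compared before and after, for example `%% CA cert db must not grow: certs supplied as DER are not expected to be stored in it`. That intent is inferred from the two `Size = ets:info(CADb, size)` matches and should be confirmed. The local `SeverVerifyOpts` is also misspelled (`ServerVerifyOpts`).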
@@ -1233,6 +1289,38 @@ invalid_cacertfile(Config) when is_list(Config) -> Client1, {error, closed}), ok. +%% Note that these test only test that the options are valid to set. As application data +%% is a stream you can not test that the send acctually splits it up as when it arrives +%% again at the user layer it may be concatenated. But COVER can show that the split up +%% code has been run. + +rizzo_disabled() -> + [{doc, "Test original beast mitigation disable option for SSL 3.0 and TLS 1.0"}]. + +rizzo_disabled(Config) -> + ClientOpts = [{beast_mitigation, disabled} | ssl_test_lib:ssl_options(client_rsa_opts, Config)], + ServerOpts = [{beast_mitigation, disabled} | ssl_test_lib:ssl_options(server_rsa_opts, Config)], + + ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). + +rizzo_zero_n() -> + [{doc, "Test zero_n beast mitigation option (same affect as original disable option) for SSL 3.0 and TLS 1.0"}]. + +rizzo_zero_n(Config) -> + ClientOpts = [{beast_mitigation, zero_n} | ssl_test_lib:ssl_options(client_rsa_opts, Config)], + ServerOpts = [{beast_mitigation, zero_n} | ssl_test_lib:ssl_options(server_rsa_opts, Config)], + + ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). + +rizzo_one_n_minus_one () -> + [{doc, "Test beast_mitigation option one_n_minus_one (same affect as default) for SSL 3.0 and TLS 1.0"}]. + +rizzo_one_n_minus_one (Config) -> + ClientOpts = [{beast_mitigation, one_n_minus_one } | ssl_test_lib:ssl_options(client_rsa_opts, Config)], + ServerOpts = [{beast_mitigation, one_n_minus_one} | ssl_test_lib:ssl_options(server_rsa_opts, Config)], + + ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). + %%-------------------------------------------------------------------- %% Internal functions ------------------------------------------------ %%-------------------------------------------------------------------- 
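Review bot: The three rizzo_* cases only show that a connection works with `beast_mitigation` set, and nothing in them pins a block cipher suite, so whether the record-splitting code runs depends on what `client_rsa_opts`/`server_rsa_opts` negotiate, which is not visible in this hunk. The header comment should say so, for example `%% The split is only exercised when a block cipher suite is negotiated; check COVER output for the 'tlsv1' and 'sslv3' groups.` As a style point, these heads lack the `when is_list(Config)` guard used by the other cases in the suite, and `rizzo_one_n_minus_one ()` and `{beast_mitigation, one_n_minus_one }` carry stray spaces. The doc strings should say "same effect" rather than "same affect", and the comment has the typo "acctually".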
@@ -1535,3 +1623,18 @@ honor_cipher_order(Config, Honor, ServerCiphers, ClientCiphers, Expected) -> connection_info_result(Socket) -> {ok, Info} = ssl:connection_information(Socket, [protocol, selected_cipher_suite]), {ok, {proplists:get_value(protocol, Info), proplists:get_value(selected_cipher_suite, Info)}}. + +der_input_opts(Opts) -> + Certfile = proplists:get_value(certfile, Opts), + CaCertsfile = proplists:get_value(cacertfile, Opts), + Keyfile = proplists:get_value(keyfile, Opts), + Dhfile = proplists:get_value(dhfile, Opts), + [{_, Cert, _}] = ssl_test_lib:pem_to_der(Certfile), + [{Asn1Type, Key, _}] = ssl_test_lib:pem_to_der(Keyfile), + [{_, DHParams, _}] = ssl_test_lib:pem_to_der(Dhfile), + CaCerts = + lists:map(fun(Entry) -> + {_, CaCert, _} = Entry, + CaCert + end, ssl_test_lib:pem_to_der(CaCertsfile)), + {Cert, {Asn1Type, Key}, CaCerts, DHParams}. diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index 3fd88183ea..64e5635005 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -111,7 +111,6 @@ basic_tests_tls() -> options_tests() -> [ - %%der_input, Move/remove as redundent ssl_options_not_proplist, raw_ssl_option, invalid_inet_get_option, @@ -123,12 +122,10 @@ options_tests() -> invalid_options, protocol_versions, empty_protocol_versions, - ipv6, reuseaddr, unordered_protocol_versions_server, unordered_protocol_versions_client, - max_handshake_size -]. + max_handshake_size]. options_tests_tls() -> [tls_misc_ssl_options, @@ -163,11 +160,7 @@ error_handling_tests_tls()-> ]. rizzo_tests() -> - [rizzo, - no_rizzo_rc4, - rizzo_one_n_minus_one, - rizzo_zero_n, - rizzo_disabled]. + []. %%-------------------------------------------------------------------- 
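Review bot: der_input_opts/1 ignores the third element of every decoded PEM entry, so an encrypted key file would have its ciphertext passed to the `key` option as if it were DER. Assuming `ssl_test_lib:pem_to_der/1` returns `public_key:pem_decode/1` entries (not shown in this hunk), the key match can assert the expectation: `[{Asn1Type, Key, not_encrypted}] = ssl_test_lib:pem_to_der(Keyfile),`. A one-line comment stating that the result is `{Cert, {Asn1Type, Key}, CaCerts, DHParams}`, in the form taken by the `cert`, `key`, `cacerts` and `dh` options, would help readers of der_input/1.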
@@ -287,30 +280,6 @@ init_per_testcase(reuse_session, Config) -> ct:timetrap({seconds, 10}), Config; -init_per_testcase(rizzo, Config) -> - ssl_test_lib:ct_log_supported_protocol_versions(Config), - ct:timetrap({seconds, 60}), - Config; - -init_per_testcase(no_rizzo_rc4, Config) -> - ssl_test_lib:ct_log_supported_protocol_versions(Config), - ct:timetrap({seconds, 60}), - Config; - -init_per_testcase(rizzo_one_n_minus_one, Config) -> - ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), - ct:timetrap({seconds, 60}), - rizzo_add_mitigation_option(one_n_minus_one, Config); - -init_per_testcase(rizzo_zero_n, Config) -> - ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), - ct:timetrap({seconds, 60}), - rizzo_add_mitigation_option(zero_n, Config); - -init_per_testcase(rizzo_disabled, Config) -> - ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]), - ct:timetrap({seconds, 60}), - rizzo_add_mitigation_option(disabled, Config); init_per_testcase(TestCase, Config) when TestCase == clear_pem_cache; TestCase == der_input; 
@@ -1229,46 +1198,6 @@ internal_active_1(Config) when is_list(Config) -> ssl_test_lib:close(Server), ssl_test_lib:close(Client). - - -%%-------------------------------------------------------------------- -ipv6() -> - [{require, ipv6_hosts}, - {doc,"Test ipv6."}]. -ipv6(Config) when is_list(Config) -> - {ok, Hostname0} = inet:gethostname(), - - case lists:member(list_to_atom(Hostname0), ct:get_config(ipv6_hosts)) of - true -> - ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), - ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), - {ClientNode, ServerNode, Hostname} = - ssl_test_lib:run_where(Config, ipv6), - Server = ssl_test_lib:start_server([{node, ServerNode}, - {port, 0}, {from, self()}, - {mfa, {ssl_test_lib, send_recv_result, []}}, - {options, - [inet6, {active, false} | ServerOpts]}]), - Port = ssl_test_lib:inet_port(Server), - Client = ssl_test_lib:start_client([{node, ClientNode}, - {port, Port}, {host, Hostname}, - {from, self()}, - {mfa, {ssl_test_lib, send_recv_result, []}}, - {options, - [inet6, {active, false} | ClientOpts]}]), - - ct:log("Testcase ~p, Client ~p Server ~p ~n", - [self(), Client, Server]), - - ssl_test_lib:check_result(Server, ok, Client, ok), - - ssl_test_lib:close(Server), - ssl_test_lib:close(Client); - false -> - {skip, "Host does not support IPv6"} - end. - - %%-------------------------------------------------------------------- 
@@ -1356,68 +1285,6 @@ default_reject_anonymous(Config) when is_list(Config) -> ssl_test_lib:check_server_alert(Server, Client, insufficient_security). - -%%-------------------------------------------------------------------- -der_input() -> - [{doc,"Test to input certs and key as der"}]. - -der_input(Config) when is_list(Config) -> - DataDir = proplists:get_value(data_dir, Config), - DHParamFile = filename:join(DataDir, "dHParam.pem"), - - {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)), - [_, _,_, _, Prop] = StatusInfo, - State = ssl_test_lib:state(Prop), - [CADb | _] = element(6, State), - - Size = ets:info(CADb, size), - - SeverVerifyOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), - {ServerCert, ServerKey, ServerCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} | - SeverVerifyOpts]), - ClientVerifyOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), - {ClientCert, ClientKey, ClientCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} | - ClientVerifyOpts]), - ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, - {dh, DHParams}, - {cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCaCerts}], - ClientOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}, - {dh, DHParams}, - {cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCaCerts}], - {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, - {from, self()}, - {mfa, {ssl_test_lib, send_recv_result, []}}, - {options, [{active, false} | ServerOpts]}]), - Port = ssl_test_lib:inet_port(Server), - Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, - {host, Hostname}, - {from, self()}, - {mfa, {ssl_test_lib, send_recv_result, []}}, - {options, [{active, false} | ClientOpts]}]), - - ssl_test_lib:check_result(Server, ok, Client, ok), - ssl_test_lib:close(Server), - ssl_test_lib:close(Client), - Size = ets:info(CADb, size). 
- -%%-------------------------------------------------------------------- -der_input_opts(Opts) -> - Certfile = proplists:get_value(certfile, Opts), - CaCertsfile = proplists:get_value(cacertfile, Opts), - Keyfile = proplists:get_value(keyfile, Opts), - Dhfile = proplists:get_value(dhfile, Opts), - [{_, Cert, _}] = ssl_test_lib:pem_to_der(Certfile), - [{Asn1Type, Key, _}] = ssl_test_lib:pem_to_der(Keyfile), - [{_, DHParams, _}] = ssl_test_lib:pem_to_der(Dhfile), - CaCerts = - lists:map(fun(Entry) -> - {_, CaCert, _} = Entry, - CaCert - end, ssl_test_lib:pem_to_der(CaCertsfile)), - {Cert, {Asn1Type, Key}, CaCerts, DHParams}. - - %%-------------------------------------------------------------------- defaults(Config) when is_list(Config)-> Versions = ssl:versions(), 
@@ -1652,113 +1519,6 @@ connect_twice(Config) when is_list(Config) -> ssl_test_lib:close(Client), ssl_test_lib:close(Client1). -%%-------------------------------------------------------------------- - -rizzo() -> - [{doc, "Test that there is a 1/n-1-split for non RC4 in 'TLS < 1.1' as it is - vunrable to Rizzo/Dungon attack"}]. - -rizzo(Config) when is_list(Config) -> - Prop = proplists:get_value(tc_group_properties, Config), - Version = proplists:get_value(name, Prop), - NVersion = ssl_test_lib:protocol_version(Config, tuple), - Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, NVersion), - [{key_exchange, - fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> - true; - (_) -> - false - end}, - {cipher, - fun(rc4_128) -> - false; - (chacha20_poly1305) -> - false; - (_) -> - true - end}]), - - run_send_recv_rizzo(Ciphers, Config, Version, - {?MODULE, send_recv_result_active_rizzo, []}). -%%-------------------------------------------------------------------- -no_rizzo_rc4() -> - [{doc,"Test that there is no 1/n-1-split for RC4 as it is not vunrable to Rizzo/Dungon attack"}]. - -no_rizzo_rc4(Config) when is_list(Config) -> - Prop = proplists:get_value(tc_group_properties, Config), - Version = proplists:get_value(name, Prop), - NVersion = ssl_test_lib:protocol_version(Config, tuple), - %% Test uses RSA certs - Ciphers = ssl:filter_cipher_suites(ssl_test_lib:rc4_suites(NVersion), - [{key_exchange, - fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> - true; - (_) -> - false - end}]), - run_send_recv_rizzo(Ciphers, Config, Version, - {?MODULE, send_recv_result_active_no_rizzo, []}). - -rizzo_one_n_minus_one() -> - [{doc,"Test that the 1/n-1-split mitigation of Rizzo/Dungon attack can be explicitly selected"}]. 
- -rizzo_one_n_minus_one(Config) when is_list(Config) -> - Prop = proplists:get_value(tc_group_properties, Config), - Version = proplists:get_value(name, Prop), - NVersion = ssl_test_lib:protocol_version(Config, tuple), - Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, NVersion), - [{key_exchange, - fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> - true; - (_) -> - false - end}, - {cipher, - fun(rc4_128) -> - false; - %% TODO: remove this clause when chacha is fixed! - (chacha20_poly1305) -> - false; - (_) -> - true - end}]), - run_send_recv_rizzo(Ciphers, Config, Version, - {?MODULE, send_recv_result_active_rizzo, []}). - -rizzo_zero_n() -> - [{doc,"Test that the 0/n-split mitigation of Rizzo/Dungon attack can be explicitly selected"}]. - -rizzo_zero_n(Config) when is_list(Config) -> - Prop = proplists:get_value(tc_group_properties, Config), - Version = proplists:get_value(name, Prop), - NVersion = ssl_test_lib:protocol_version(Config, tuple), - Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(default, NVersion), - [{cipher, - fun(rc4_128) -> - false; - (_) -> - true - end}]), - run_send_recv_rizzo(Ciphers, Config, Version, - {?MODULE, send_recv_result_active_no_rizzo, []}). - -rizzo_disabled() -> - [{doc,"Test that the mitigation of Rizzo/Dungon attack can be explicitly disabled"}]. - -rizzo_disabled(Config) when is_list(Config) -> - Prop = proplists:get_value(tc_group_properties, Config), - Version = proplists:get_value(name, Prop), - NVersion = ssl_test_lib:protocol_version(Config, tuple), - Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(default, NVersion), - [{cipher, - fun(rc4_128) -> - false; - (_) -> - true - end}]), - run_send_recv_rizzo(Ciphers, Config, Version, - {?MODULE, send_recv_result_active_no_rizzo, []}). - %%-------------------------------------------------------------------- new_server_wants_peer_cert() -> [{doc, "Test that server configured to do client certification does" 
@@ -2031,100 +1791,11 @@ basic_test(Config) -> -send_recv_result_active_rizzo(Socket) -> - ssl:send(Socket, "Hello world"), - "Hello world" = ssl_test_lib:active_recv(Socket, 11), - ok. -send_recv_result_active_no_rizzo(Socket) -> - ssl:send(Socket, "Hello world"), - "Hello world" = ssl_test_lib:active_recv(Socket, 11), - ok. result_ok(_Socket) -> ok. -rizzo_add_mitigation_option(Value, Config) -> - lists:foldl(fun(Opt, Acc) -> - case proplists:get_value(Opt, Acc) of - undefined -> Acc; - C -> - N = lists:keystore(beast_mitigation, 1, C, - {beast_mitigation, Value}), - lists:keystore(Opt, 1, Acc, {Opt, N}) - end - end, Config, - [client_opts, client_dsa_opts, server_opts, server_dsa_opts, - server_ecdsa_opts, server_ecdh_rsa_opts]). - - -erlang_ssl_receive(Socket, Data) -> - case ssl_test_lib:active_recv(Socket, length(Data)) of - Data -> - ok; - Other -> - ct:fail({{expected, Data}, {got, Other}}) - end. - - - -run_send_recv_rizzo(Ciphers, Config, Version, Mfa) -> - Result = lists:map(fun(Cipher) -> - rizzo_test(Cipher, Config, Version, Mfa) end, - Ciphers), - case lists:flatten(Result) of - [] -> - ok; - Error -> - ct:log("Cipher suite errors: ~p~n", [Error]), - ct:fail(cipher_suite_failed_see_test_case_log) - end. 
- - - -rizzo_test(Cipher, Config, Version, Mfa) -> - {ClientOpts, ServerOpts} = client_server_opts(Cipher, Config), - {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, - {from, self()}, - {mfa, Mfa}, - {options, [{active, true}, {ciphers, [Cipher]}, - {versions, [Version]} - | ServerOpts]}]), - Port = ssl_test_lib:inet_port(Server), - Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, - {host, Hostname}, - {from, self()}, - {mfa, Mfa}, - {options, [{active, true}, {ciphers, [Cipher]}| ClientOpts]}]), - - Result = ssl_test_lib:check_result(Server, ok, Client, ok), - ssl_test_lib:close(Server), - ssl_test_lib:close(Client), - case Result of - ok -> - []; - Error -> - [{Cipher, Error}] - end. - -client_server_opts(#{key_exchange := KeyAlgo}, Config) - when KeyAlgo == rsa orelse - KeyAlgo == dhe_rsa orelse - KeyAlgo == ecdhe_rsa orelse - KeyAlgo == rsa_psk orelse - KeyAlgo == srp_rsa -> - {ssl_test_lib:ssl_options(client_opts, Config), - ssl_test_lib:ssl_options(server_opts, Config)}; -client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == dss orelse KeyAlgo == dhe_dss -> - {ssl_test_lib:ssl_options(client_dsa_opts, Config), - ssl_test_lib:ssl_options(server_dsa_opts, Config)}; -client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == ecdh_ecdsa orelse KeyAlgo == ecdhe_ecdsa -> - {ssl_test_lib:ssl_options(client_opts, Config), - ssl_test_lib:ssl_options(server_ecdsa_opts, Config)}; -client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == ecdh_rsa -> - {ssl_test_lib:ssl_options(client_opts, Config), - ssl_test_lib:ssl_options(server_ecdh_rsa_opts, Config)}. protocol_info_result(Socket) -> {ok, [{protocol, PVersion}]} = ssl:connection_information(Socket, [protocol]), 
@@ -2145,8 +1816,6 @@ connect_dist_c(S) -> ok. - - get_invalid_inet_option(Socket) -> {error, {options, {socket_options, foo, _}}} = ssl:getopts(Socket, [foo]), ok. -- cgit v1.2.3 From e01231b85d641a9b993995ad711ad21591c8b780 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Mon, 22 Jul 2019 16:37:53 +0200 Subject: ssl: Move alert test to own suite Also clean up code after previous test moves --- lib/ssl/test/Makefile | 1 + lib/ssl/test/ssl_alert_SUITE.erl | 100 ++++++++++++++++++++++++++++ lib/ssl/test/ssl_basic_SUITE.erl | 136 +++------------------------------------ lib/ssl/test/tls_api_SUITE.erl | 26 +++++++- 4 files changed, 134 insertions(+), 129 deletions(-) create mode 100644 lib/ssl/test/ssl_alert_SUITE.erl (limited to 'lib') diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile index 598b3248b7..06cafd124f 100644 --- a/lib/ssl/test/Makefile +++ b/lib/ssl/test/Makefile @@ -37,6 +37,7 @@ VSN=$(SSL_VSN) MODULES = \ ssl_test_lib \ + ssl_alert_SUITE\ ssl_bench_test_lib \ ssl_dist_test_lib \ ssl_api_SUITE\ diff --git a/lib/ssl/test/ssl_alert_SUITE.erl b/lib/ssl/test/ssl_alert_SUITE.erl new file mode 100644 index 0000000000..cc0b636580 --- /dev/null +++ b/lib/ssl/test/ssl_alert_SUITE.erl 
@@ -0,0 +1,100 @@ +%% +%% Copyright Ericsson AB 2019-2019. All Rights Reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%% http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%% +%% %CopyrightEnd% +%% + +%% + +-module(ssl_alert_SUITE). + +%% Note: This directive should only be used in test suites. +-compile(export_all). + +-include_lib("common_test/include/ct.hrl"). +-include_lib("public_key/include/public_key.hrl"). + +-include_lib("ssl/src/ssl_alert.hrl"). + +%%-------------------------------------------------------------------- +%% Common Test interface functions ----------------------------------- +%%-------------------------------------------------------------------- +all() -> + [ + alerts, + alert_details, + alert_details_not_too_big + ]. + +init_per_testcase(_TestCase, Config) -> + ct:timetrap({seconds, 5}), + Config. + +end_per_testcase(_TestCase, Config) -> + Config. + +%%-------------------------------------------------------------------- +%% Test Cases -------------------------------------------------------- +%%-------------------------------------------------------------------- +alerts() -> + [{doc, "Test ssl_alert:alert_txt/1"}]. 
+alerts(Config) when is_list(Config) -> + Descriptions = [?CLOSE_NOTIFY, ?UNEXPECTED_MESSAGE, ?BAD_RECORD_MAC, + ?DECRYPTION_FAILED_RESERVED, ?RECORD_OVERFLOW, ?DECOMPRESSION_FAILURE, + ?HANDSHAKE_FAILURE, ?BAD_CERTIFICATE, ?UNSUPPORTED_CERTIFICATE, + ?CERTIFICATE_REVOKED,?CERTIFICATE_EXPIRED, ?CERTIFICATE_UNKNOWN, + ?ILLEGAL_PARAMETER, ?UNKNOWN_CA, ?ACCESS_DENIED, ?DECODE_ERROR, + ?DECRYPT_ERROR, ?EXPORT_RESTRICTION, ?PROTOCOL_VERSION, + ?INSUFFICIENT_SECURITY, ?INTERNAL_ERROR, ?USER_CANCELED, + ?NO_RENEGOTIATION, ?UNSUPPORTED_EXTENSION, ?CERTIFICATE_UNOBTAINABLE, + ?UNRECOGNISED_NAME, ?BAD_CERTIFICATE_STATUS_RESPONSE, + ?BAD_CERTIFICATE_HASH_VALUE, ?UNKNOWN_PSK_IDENTITY, + 255 %% Unsupported/unknow alert will result in a description too + ], + Alerts = [?ALERT_REC(?WARNING, ?CLOSE_NOTIFY) | + [?ALERT_REC(?FATAL, Desc) || Desc <- Descriptions]], + lists:foreach(fun(Alert) -> + try ssl_alert:alert_txt(Alert) + catch + C:E:T -> + ct:fail({unexpected, {C, E, T}}) + end + end, Alerts). +%%-------------------------------------------------------------------- +alert_details() -> + [{doc, "Test that ssl_alert:alert_txt/1 result contains extendend error description"}]. +alert_details(Config) when is_list(Config) -> + Unique = make_ref(), + UniqueStr = lists:flatten(io_lib:format("~w", [Unique])), + Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Unique), + case string:str(ssl_alert:alert_txt(Alert), UniqueStr) of + 0 -> + ct:fail(error_details_missing); + _ -> + ok + end. + +%%-------------------------------------------------------------------- +alert_details_not_too_big() -> + [{doc, "Test that ssl_alert:alert_txt/1 limits printed depth of extended error description"}]. 
+alert_details_not_too_big(Config) when is_list(Config) -> + Reason = lists:duplicate(10, lists:duplicate(10, lists:duplicate(10, {some, data}))), + Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Reason), + case length(ssl_alert:alert_txt(Alert)) < 1000 of + true -> + ok; + false -> + ct:fail(ssl_alert_text_too_big) + end. diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index 64e5635005..542876a1b7 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -49,7 +49,6 @@ all() -> [ {group, basic}, - {group, basic_tls}, {group, options}, {group, options_tls}, {group, 'dtlsv1.2'}, 
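Review bot: In alerts/1 of the new ssl_alert_SUITE the result of `ssl_alert:alert_txt(Alert)` is discarded, so the case only proves that no exception is raised; an empty description for the unknown code 255 would still pass. The other two cases already treat the result as a string, so the fun can assert that with `try ssl_alert:alert_txt(Alert) of Txt when is_list(Txt), Txt =/= [] -> ok`, keeping the existing `catch` clause. In alert_details_not_too_big/1 the bound `1000` is unexplained. A comment such as `%% Upper bound on the formatted alert text so a large reason term cannot flood the log` would document it, if that is the intent.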
@@ -63,39 +62,31 @@ all() -> groups() -> [{basic, [], basic_tests()}, - {basic_tls, [], basic_tests_tls()}, {options, [], options_tests()}, {options_tls, [], options_tests_tls()}, {'dtlsv1.2', [], all_versions_groups()}, {'dtlsv1', [], all_versions_groups()}, {'tlsv1.2', [], all_versions_groups() ++ tls_versions_groups() ++ [conf_signature_algs, no_common_signature_algs]}, {'tlsv1.1', [], all_versions_groups() ++ tls_versions_groups()}, - {'tlsv1', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests()}, - {'sslv3', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests() -- [tls_ciphersuite_vs_version]}, + {'tlsv1', [], all_versions_groups() ++ tls_versions_groups()}, + {'sslv3', [], all_versions_groups() ++ tls_versions_groups() -- [tls_ciphersuite_vs_version]}, {api,[], api_tests()}, {api_tls,[], api_tests_tls()}, - {ciphers, [], cipher_tests()}, - {error_handling_tests, [], error_handling_tests()}, - {error_handling_tests_tls, [], error_handling_tests_tls()} + {ciphers, [], cipher_tests()} ]. tls_versions_groups ()-> [ - {group, api_tls}, - {group, error_handling_tests_tls}]. + {group, api_tls}]. all_versions_groups ()-> [{group, api}, - {group, ciphers}, - {group, error_handling_tests}]. + {group, ciphers}]. basic_tests() -> [app, - appup, - alerts, - alert_details, - alert_details_not_too_big, + appup, version_option, connect_twice, connect_dist, @@ -105,10 +96,6 @@ basic_tests() -> cipher_format ]. -basic_tests_tls() -> - [tls_send_close - ]. - options_tests() -> [ ssl_options_not_proplist, @@ -151,18 +138,6 @@ cipher_tests() -> cipher_suites_mix, default_reject_anonymous]. -error_handling_tests()-> - [ - ]. - -error_handling_tests_tls()-> - [ - ]. - -rizzo_tests() -> - []. - - %%-------------------------------------------------------------------- init_per_suite(Config0) -> catch crypto:stop(), 
@@ -187,12 +162,10 @@ end_per_suite(_Config) -> %%-------------------------------------------------------------------- -init_per_group(GroupName, Config) when GroupName == basic_tls; - GroupName == options_tls; +init_per_group(GroupName, Config) when GroupName == options_tls; GroupName == options; GroupName == basic; - GroupName == session; - GroupName == error_handling_tests_tls -> + GroupName == session -> ssl_test_lib:clean_tls_version(Config); %% Do not automatically configure TLS version for the 'tlsv1.3' group init_per_group('tlsv1.3' = GroupName, Config) -> @@ -264,12 +237,6 @@ init_per_testcase(fallback, Config) -> {skip, "Not relevant if highest supported version is less than 3.2"} end; -init_per_testcase(TestCase, Config) when TestCase == versions_option; - TestCase == tls_tcp_connect_big -> - ssl_test_lib:ct_log_supported_protocol_versions(Config), - ct:timetrap({seconds, 60}), - Config; - init_per_testcase(version_option, Config) -> ssl_test_lib:ct_log_supported_protocol_versions(Config), ct:timetrap({seconds, 10}), 
@@ -361,58 +328,6 @@ appup() -> appup(Config) when is_list(Config) -> ok = ?t:appup_test(ssl). %%-------------------------------------------------------------------- -alerts() -> - [{doc, "Test ssl_alert:alert_txt/1"}]. -alerts(Config) when is_list(Config) -> - Descriptions = [?CLOSE_NOTIFY, ?UNEXPECTED_MESSAGE, ?BAD_RECORD_MAC, - ?DECRYPTION_FAILED_RESERVED, ?RECORD_OVERFLOW, ?DECOMPRESSION_FAILURE, - ?HANDSHAKE_FAILURE, ?BAD_CERTIFICATE, ?UNSUPPORTED_CERTIFICATE, - ?CERTIFICATE_REVOKED,?CERTIFICATE_EXPIRED, ?CERTIFICATE_UNKNOWN, - ?ILLEGAL_PARAMETER, ?UNKNOWN_CA, ?ACCESS_DENIED, ?DECODE_ERROR, - ?DECRYPT_ERROR, ?EXPORT_RESTRICTION, ?PROTOCOL_VERSION, - ?INSUFFICIENT_SECURITY, ?INTERNAL_ERROR, ?USER_CANCELED, - ?NO_RENEGOTIATION, ?UNSUPPORTED_EXTENSION, ?CERTIFICATE_UNOBTAINABLE, - ?UNRECOGNISED_NAME, ?BAD_CERTIFICATE_STATUS_RESPONSE, - ?BAD_CERTIFICATE_HASH_VALUE, ?UNKNOWN_PSK_IDENTITY, - 255 %% Unsupported/unknow alert will result in a description too - ], - Alerts = [?ALERT_REC(?WARNING, ?CLOSE_NOTIFY) | - [?ALERT_REC(?FATAL, Desc) || Desc <- Descriptions]], - lists:foreach(fun(Alert) -> - try ssl_alert:alert_txt(Alert) - catch - C:E:T -> - ct:fail({unexpected, {C, E, T}}) - end - end, Alerts). -%%-------------------------------------------------------------------- -alert_details() -> - [{doc, "Test that ssl_alert:alert_txt/1 result contains extendend error description"}]. -alert_details(Config) when is_list(Config) -> - Unique = make_ref(), - UniqueStr = lists:flatten(io_lib:format("~w", [Unique])), - Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Unique), - case string:str(ssl_alert:alert_txt(Alert), UniqueStr) of - 0 -> - ct:fail(error_details_missing); - _ -> - ok - end. - -%%-------------------------------------------------------------------- -alert_details_not_too_big() -> - [{doc, "Test that ssl_alert:alert_txt/1 limits printed depth of extended error description"}]. 
-alert_details_not_too_big(Config) when is_list(Config) -> - Reason = lists:duplicate(10, lists:duplicate(10, lists:duplicate(10, {some, data}))), - Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Reason), - case length(ssl_alert:alert_txt(Alert)) < 1000 of - true -> - ok; - false -> - ct:fail(ssl_alert_text_too_big) - end. - -%%-------------------------------------------------------------------- new_options_in_accept() -> [{doc,"Test that you can set ssl options in ssl_accept/3 and not only in tcp upgrade"}]. new_options_in_accept(Config) when is_list(Config) -> @@ -540,10 +455,6 @@ getstat(Config) when is_list(Config) -> ok. - - - - %%-------------------------------------------------------------------- connect_dist() -> [{doc,"Test a simple connect as is used by distribution"}]. 
@@ -1141,31 +1052,6 @@ send_recv(Config) when is_list(Config) -> ssl_test_lib:close(Server), ssl_test_lib:close(Client). -%%-------------------------------------------------------------------- -tls_send_close() -> - [{doc,""}]. -tls_send_close(Config) when is_list(Config) -> - ClientOpts = ssl_test_lib:ssl_options(client_opts, Config), - ServerOpts = ssl_test_lib:ssl_options(server_opts, Config), - {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - Server = - ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, - {from, self()}, - {mfa, {ssl_test_lib, send_recv_result, []}}, - {options, [{active, false} | ServerOpts]}]), - Port = ssl_test_lib:inet_port(Server), - {ok, TcpS} = rpc:call(ClientNode, gen_tcp, connect, - [Hostname,Port,[binary, {active, false}]]), - {ok, SslS} = rpc:call(ClientNode, ssl, connect, - [TcpS,[{active, false}|ClientOpts]]), - - ct:log("Testcase ~p, Client ~p Server ~p ~n", - [self(), self(), Server]), - ok = ssl:send(SslS, "Hello world"), - {ok,<<"Hello world">>} = ssl:recv(SslS, 11), - gen_tcp:close(TcpS), - {error, _} = ssl:send(SslS, "Hello world"). - %%-------------------------------------------------------------------- version_option() -> [{doc, "Use version option and do no specify ciphers list. Bug specified incorrect ciphers"}]. @@ -1787,12 +1673,6 @@ basic_test(Config) -> ssl_test_lib:close(Server), ssl_test_lib:close(Client). - - - - - - result_ok(_Socket) -> ok. diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl index 18e17679ac..6a61e844c5 100644 --- a/lib/ssl/test/tls_api_SUITE.erl +++ b/lib/ssl/test/tls_api_SUITE.erl @@ -69,7 +69,8 @@ api_tests() -> tls_tcp_error_propagation_in_active_mode, peername, sockname, - tls_server_handshake_timeout + tls_server_handshake_timeout, + transport_close ]. init_per_suite(Config0) -> 
@@ -575,6 +576,29 @@ tls_server_handshake_timeout(Config) -> [] = supervisor:which_children(tls_connection_sup) end end. +transport_close() -> + [{doc, "Test what happens if socket is closed on TCP level after a while of normal operation"}]. +transport_close(Config) when is_list(Config) -> + ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + Server = + ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result, []}}, + {options, [{active, false} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + {ok, TcpS} = rpc:call(ClientNode, gen_tcp, connect, + [Hostname,Port,[binary, {active, false}]]), + {ok, SslS} = rpc:call(ClientNode, ssl, connect, + [TcpS,[{active, false}|ClientOpts]]), + + ct:log("Testcase ~p, Client ~p Server ~p ~n", + [self(), self(), Server]), + ok = ssl:send(SslS, "Hello world"), + {ok,<<"Hello world">>} = ssl:recv(SslS, 11), + gen_tcp:close(TcpS), + {error, _} = ssl:send(SslS, "Hello world"). %%-------------------------------------------------------------------- %% Internal functions ------------------------------------------------ -- cgit v1.2.3
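Review bot: transport_close/1 ends on the final `ssl:send/2` match and never calls `ssl_test_lib:close(Server)`, which the other cases in this commit do, so the server it starts is not closed by the test case. The last two lines could become `{error, _} = ssl:send(SslS, "Hello world"),` followed by `ssl_test_lib:close(Server).` The `{error, _}` pattern also accepts any reason. If the expected reason after the TCP close is known, matching it would stop an unrelated send failure from passing the test. The `ct:log` call prints `self()` for both the test case and the client.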