Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Ledest:erlang:24
erlang
0977-ssl-Backport-more-specific-alert-for-no-co...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0977-ssl-Backport-more-specific-alert-for-no-common-ellip.patch of Package erlang
From ceb3ee86580e8ea857ad0cb673cff25476b7e238 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin <ingela@erlang.org> Date: Fri, 16 Feb 2024 10:27:57 +0100 Subject: [PATCH] ssl: Backport more specific alert for no common elliptic curves in ecdhe_rsa --- lib/ssl/src/tls_dtls_connection.erl | 11 ++++++++++- lib/ssl/test/ssl_ECC_SUITE.erl | 29 ++++++++++++++++++++++------- 2 files changed, 32 insertions(+), 8 deletions(-) diff --git a/lib/ssl/src/tls_dtls_connection.erl b/lib/ssl/src/tls_dtls_connection.erl index c2edbffe30..d0799b923a 100644 --- a/lib/ssl/src/tls_dtls_connection.erl +++ b/lib/ssl/src/tls_dtls_connection.erl @@ -1089,7 +1089,7 @@ key_exchange(#state{static_env = #static_env{role = server}, when KexAlg == ecdhe_ecdsa; KexAlg == ecdhe_rsa; KexAlg == ecdh_anon -> - + assert_curve(ECCCurve), ECDHKeys = public_key:generate_key(ECCCurve), #{security_parameters := SecParams} = ssl_record:pending_connection_state(ConnectionStates0, read), @@ -1153,6 +1153,7 @@ key_exchange(#state{static_env = #static_env{role = server}, session = #session{ecc = ECCCurve, private_key = PrivateKey}, connection_states = ConnectionStates0 } = State0, Connection) -> + assert_curve(ECCCurve), ECDHKeys = public_key:generate_key(ECCCurve), #{security_parameters := SecParams} = ssl_record:pending_connection_state(ConnectionStates0, read), @@ -1738,3 +1739,11 @@ default_cert_key_pair_return(undefined, Session) -> Session; default_cert_key_pair_return(Default, _) -> Default. + +assert_curve(ECCCurve) -> + case ECCCurve of + no_curve -> + throw(?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY, no_suitable_elliptic_curve)); + _ -> + ok + end. diff --git a/lib/ssl/test/ssl_ECC_SUITE.erl b/lib/ssl/test/ssl_ECC_SUITE.erl index d605f0bdae..b2ad692792 100644 --- a/lib/ssl/test/ssl_ECC_SUITE.erl +++ b/lib/ssl/test/ssl_ECC_SUITE.erl @@ -46,7 +46,8 @@ ecc_default_order_custom_curves/1, ecc_client_order/1, ecc_client_order_custom_curves/1, - ecc_unknown_curve/1, + ecc_unknown_curve_ecdhe_ecdsa/1, + ecc_unknown_curve_ecdhe_rsa/1, client_ecdh_rsa_server_ecdhe_ecdsa_server_custom/1, client_ecdh_rsa_server_ecdhe_rsa_server_custom/1, client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom/1, @@ -93,7 +94,8 @@ ecc_negotiation() -> ecc_default_order_custom_curves, ecc_client_order, ecc_client_order_custom_curves, - ecc_unknown_curve, + ecc_unknown_curve_ecdhe_ecdsa, + ecc_unknown_curve_ecdhe_rsa, client_ecdh_rsa_server_ecdhe_ecdsa_server_custom, client_ecdh_rsa_server_ecdhe_rsa_server_custom, client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom, @@ -173,9 +175,10 @@ client_ecdsa_server_ecdsa_with_raw_key(Config) when is_list(Config) -> ServerKey = {'ECPrivateKey', Key}, SType = proplists:get_value(server_type, Config), CType = proplists:get_value(client_type, Config), - {Server, Port} = ssl_test_lib:start_server_with_raw_key(SType, - [{key, ServerKey} | proplists:delete(keyfile, SOpts)], - Config), + {Server, Port} = + ssl_test_lib:start_server_with_raw_key(SType, + [{key, ServerKey} | proplists:delete(keyfile, SOpts)], + Config), Client = ssl_test_lib:start_client(CType, Port, COpts, Config), ssl_test_lib:gen_check_result(Server, SType, Client, CType), ssl_test_lib:stop(Server, Client). @@ -240,11 +240,23 @@ ecc_client_order_custom_curves(Config) -> false -> {skip, "unsupported named curves"} end. -ecc_unknown_curve(Config) -> +ecc_unknown_curve_ecdhe_ecdsa(Config) -> Default = ssl_test_lib:default_cert_chain_conf(), {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, {client_chain, Default}], - ecdhe_ecdsa, ecdhe_ecdsa, Config), + ecdhe_ecdsa, ecdhe_ecdsa, Config), + COpts = ssl_test_lib:ssl_options(COpts0, Config), + SOpts = ssl_test_lib:ssl_options(SOpts0, Config), + ECCALL = ssl:eccs(), + SECCOpts = [{eccs, [hd(ECCALL)]}], + CECCOpts = [{eccs, tl(ECCALL)}], + ssl_test_lib:ecc_test_error(COpts, SOpts, CECCOpts, SECCOpts, Config). + +ecc_unknown_curve_ecdhe_rsa(Config) -> + Default = ssl_test_lib:default_cert_chain_conf(), + {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, + {client_chain, Default}], + ecdhe_rsa, ecdhe_rsa, Config), COpts = ssl_test_lib:ssl_options(COpts0, Config), SOpts = ssl_test_lib:ssl_options(SOpts0, Config), ECCOpts = [{eccs, ['123_fake_curve']}], -- 2.35.3
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor