File 0797-ssl-Make-sure-the-listing-of-all-cipher-suites-is-co.patch of Package erlang
From 690458ebdc76c0a54b48b1e23ec6698e4ebda784 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 21 Dec 2021 13:51:47 +0100
Subject: [PATCH] ssl: Make sure the listing of all cipher suites is complete.
Some RSA key-exchange cipher suites were not included in the
listing of all cipher suites.
---
lib/ssl/src/tls_v1.erl | 39 +++++++++++++-------
lib/ssl/test/ssl_api_SUITE.erl | 67 +++++++++++++++++++++++++++++++++-
2 files changed, 90 insertions(+), 16 deletions(-)
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index e788086c5d..e6b08a20bf 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -43,9 +43,13 @@
psk_suites_anon/1,
srp_suites/1,
srp_suites_anon/1,
+ srp_exclusive/1,
rc4_suites/1,
+ rc4_exclusive/1,
des_suites/1,
+ des_exclusive/1,
rsa_suites/1,
+ rsa_exclusive/1,
prf/5,
ecc_curves/1,
ecc_curves/2,
@@ -731,7 +735,9 @@ srp_exclusive(1) ->
?TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
?TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
?TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
- ].
+ ];
+srp_exclusive(_) ->
+ [].
%%--------------------------------------------------------------------
-spec srp_suites_anon(tls_record:tls_version()) -> [ssl_cipher_format:cipher_suite()].
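Review bot: The added fallback `srp_exclusive(_) -> [].` matches any term, so a caller that passes a version tuple or another wrong argument gets an empty suite list instead of a `function_clause` crash. The same fallback is added to `rc4_exclusive/1`, `des_exclusive/1` and `rsa_exclusive/1` in the later hunks. Because the new test only sums list lengths, a silently empty list would be hard to notice. A guard keeps the intended "no exclusive suites for this minor version" case while rejecting everything else: `srp_exclusive(Minor) when is_integer(Minor) -> [].` The first clause of `srp_exclusive/1` starts outside this hunk.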
@@ -760,15 +766,17 @@ srp_exclusive_anon(1) ->
%% belonged to the user configured only category.
%%--------------------------------------------------------------------
rc4_suites({3, _}) ->
- exclusive_rc4(1).
+ rc4_exclusive(1).
-exclusive_rc4(1) ->
+rc4_exclusive(1) ->
[?TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
?TLS_ECDHE_RSA_WITH_RC4_128_SHA,
?TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
?TLS_ECDH_RSA_WITH_RC4_128_SHA,
?TLS_RSA_WITH_RC4_128_SHA,
- ?TLS_RSA_WITH_RC4_128_MD5].
+ ?TLS_RSA_WITH_RC4_128_MD5];
+rc4_exclusive(_) ->
+ [].
%%--------------------------------------------------------------------
-spec des_suites(Version::ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].
@@ -778,9 +786,9 @@ exclusive_rc4(1) ->
%% Are not considered secure any more.
%%--------------------------------------------------------------------
des_suites({3, _}) ->
- exclusive_des_suites(1).
+ des_exclusive(1).
-exclusive_des_suites(1)->
+des_exclusive(1)->
[?TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
?TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
@@ -788,8 +796,9 @@ exclusive_des_suites(1)->
?TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
?TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
?TLS_DHE_RSA_WITH_DES_CBC_SHA,
- ?TLS_RSA_WITH_DES_CBC_SHA].
-
+ ?TLS_RSA_WITH_DES_CBC_SHA];
+des_exclusive(_) ->
+ [].
%%--------------------------------------------------------------------
-spec rsa_suites(Version::ssl_record:ssl_version() | integer()) -> [ssl_cipher_format:cipher_suite()].
%%
@@ -798,24 +807,26 @@ exclusive_des_suites(1)->
%% Are not considered secure any more.
%%--------------------------------------------------------------------
rsa_suites({3, 3}) ->
- rsa_suites_exclusive(3) -- [?TLS_RSA_WITH_3DES_EDE_CBC_SHA];
+ rsa_exclusive(3) ++ rsa_exclusive(1) -- [?TLS_RSA_WITH_3DES_EDE_CBC_SHA];
rsa_suites({3, 2}) ->
- rsa_suites_exclusive(1);
+ rsa_exclusive(1);
rsa_suites({3, 1}) ->
- rsa_suites_exclusive(1).
+ rsa_exclusive(1).
-rsa_suites_exclusive(3) ->
+rsa_exclusive(3) ->
[
?TLS_RSA_WITH_AES_256_GCM_SHA384,
?TLS_RSA_WITH_AES_256_CBC_SHA256,
?TLS_RSA_WITH_AES_128_GCM_SHA256,
?TLS_RSA_WITH_AES_128_CBC_SHA256
];
-rsa_suites_exclusive(1) ->
+rsa_exclusive(1) ->
[?TLS_RSA_WITH_AES_256_CBC_SHA,
?TLS_RSA_WITH_AES_128_CBC_SHA,
?TLS_RSA_WITH_3DES_EDE_CBC_SHA
- ].
+ ];
+rsa_exclusive(_) ->
+ [].
signature_algs({3, 4}, HashSigns) ->
signature_algs({3, 3}, HashSigns);
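Review bot: The new body of `rsa_suites({3, 3})`, `rsa_exclusive(3) ++ rsa_exclusive(1) -- [?TLS_RSA_WITH_3DES_EDE_CBC_SHA]`, depends on `++` and `--` being right-associative, so it is evaluated as `rsa_exclusive(3) ++ (rsa_exclusive(1) -- [...])`. The result is the intended one because the 3DES suite occurs only in the second list, but that is easy to break if the lists are reordered or extended. Writing the grouping out makes it explicit: `rsa_exclusive(3) ++ (rsa_exclusive(1) -- [?TLS_RSA_WITH_3DES_EDE_CBC_SHA]);`. A short comment that TLS 1.2 now also lists the CBC-SHA RSA suites, which lack forward secrecy and stay outside the defaults, would help readers of the "not considered secure any more" header.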
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index 08b1da51af..2c29c791d0 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -171,7 +171,9 @@
invalid_options_tls13/0,
invalid_options_tls13/1,
cookie/0,
- cookie/1
+ cookie/1,
+ cipher_listing/0,
+ cipher_listing/1
]).
%% Apply export
@@ -292,7 +294,8 @@ gen_api_tests() ->
invalid_options,
cb_info,
log_alert,
- getstat
+ getstat,
+ cipher_listing
].
handshake_paus_tests() ->
@@ -2484,6 +2487,16 @@ cookie() ->
cookie(Config) when is_list(Config) ->
cookie_extension(Config, true),
cookie_extension(Config, false).
+%%--------------------------------------------------------------------
+cipher_listing() ->
+ [{doc, "Check that exclusive cipher for possible supported version adds up to all cipher "
+ "for the max version. Note that TLS-1.3 will contain two distinct sets of ciphers "
+ "one for TLS-1.3 and one pre TLS-1.3"}].
+cipher_listing(Config) when is_list(Config) ->
+ Version = ssl_test_lib:protocol_version(Config, tuple),
+ length_exclusive(Version) == length_all(Version).
+
+%%--------------------------------------------------------------------
%%% Checker functions
connection_information_result(Socket) ->
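Review bot: `cipher_listing/1` ends in the bare comparison `length_exclusive(Version) == length_all(Version).`, and Common Test does not treat a `false` return value as a failure, so this case passes even when the two counts differ. Matching on the result makes it a real check: `true = (length_exclusive(Version) =:= length_all(Version)).` Comparing only lengths is also weak, since a duplicated suite in one list can offset a missing one. Comparing the sorted suite lists themselves would catch that, at the cost of having the helpers return lists rather than counts.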
@@ -2909,3 +2922,53 @@ ssl_getstat(Socket) ->
_ ->
ok
end.
+
+length_exclusive({3,_} = Version) ->
+ length(exclusive_default_up_to_version(Version, [])) +
+ length(exclusive_non_default_up_to_version(Version, []));
+length_exclusive({254,_} = Version) ->
+ length(dtls_exclusive_default_up_to_version(Version, [])) +
+ length(dtls_exclusive_non_default_up_to_version(Version, [])).
+
+length_all(Version) ->
+ length(ssl:cipher_suites(all, Version)).
+
+exclusive_default_up_to_version({3, 1} = Version, Acc) ->
+ ssl:cipher_suites(exclusive, Version) ++ Acc;
+exclusive_default_up_to_version({3, Minor} = Version, Acc) when Minor =< 4 ->
+ Suites = ssl:cipher_suites(exclusive, Version),
+ exclusive_default_up_to_version({3, Minor-1}, Suites ++ Acc).
+
+dtls_exclusive_default_up_to_version({254, 255} = Version, Acc) ->
+ ssl:cipher_suites(exclusive, Version) ++ Acc;
+dtls_exclusive_default_up_to_version({254, 253} = Version, Acc) ->
+ Suites = ssl:cipher_suites(exclusive, Version),
+ dtls_exclusive_default_up_to_version({254, 255}, Suites ++ Acc).
+
+exclusive_non_default_up_to_version({3, 1} = Version, Acc) ->
+ exclusive_non_default_version(Version) ++ Acc;
+exclusive_non_default_up_to_version({3, 4}, Acc) ->
+ exclusive_non_default_up_to_version({3, 3}, Acc);
+exclusive_non_default_up_to_version({3, Minor} = Version, Acc) when Minor =< 3 ->
+ Suites = exclusive_non_default_version(Version),
+ exclusive_non_default_up_to_version({3, Minor-1}, Suites ++ Acc).
+
+dtls_exclusive_non_default_up_to_version({254, 255} = Version, Acc) ->
+ dtls_exclusive_non_default_version(Version) ++ Acc;
+dtls_exclusive_non_default_up_to_version({254, 253} = Version, Acc) ->
+ Suites = dtls_exclusive_non_default_version(Version),
+ dtls_exclusive_non_default_up_to_version({254, 255}, Suites ++ Acc).
+
+exclusive_non_default_version({_, Minor}) ->
+ tls_v1:psk_exclusive(Minor) ++
+ tls_v1:srp_exclusive(Minor) ++
+ tls_v1:rsa_exclusive(Minor) ++
+ tls_v1:des_exclusive(Minor) ++
+ tls_v1:rc4_exclusive(Minor).
+
+dtls_exclusive_non_default_version(DTLSVersion) ->
+ {_,Minor} = ssl:tls_version(DTLSVersion),
+ tls_v1:psk_exclusive(Minor) ++
+ tls_v1:srp_exclusive(Minor) ++
+ tls_v1:rsa_exclusive(Minor) ++
+ tls_v1:des_exclusive(Minor).
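Review bot: `dtls_exclusive_non_default_version/1` leaves out `tls_v1:rc4_exclusive(Minor)` while its TLS counterpart `exclusive_non_default_version/1` includes it, and nothing in the code says why. This is presumably deliberate, since DTLS does not permit the RC4 stream cipher, but a reader comparing the two helpers cannot tell an intentional omission from a forgotten line. A comment above the function would settle it: `%% RC4 suites are left out on purpose: stream ciphers are not allowed in DTLS.`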
--
2.31.1