File 0597-ssl-Backport-more-specific-alert-for-no-common-ellip.patch of Package erlang
From ceb3ee86580e8ea857ad0cb673cff25476b7e238 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 16 Feb 2024 10:27:57 +0100
Subject: [PATCH] ssl: Backport more specific alert for no common elliptic
curves in ecdhe_rsa
---
lib/ssl/src/tls_dtls_connection.erl | 11 ++++++++++-
lib/ssl/test/ssl_ECC_SUITE.erl | 29 ++++++++++++++++++++++-------
2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/lib/ssl/src/tls_dtls_connection.erl b/lib/ssl/src/tls_dtls_connection.erl
index c2edbffe30..d0799b923a 100644
--- a/lib/ssl/src/tls_dtls_connection.erl
+++ b/lib/ssl/src/tls_dtls_connection.erl
@@ -1089,7 +1089,7 @@ key_exchange(#state{static_env = #static_env{role = server},
when KexAlg == ecdhe_ecdsa;
KexAlg == ecdhe_rsa;
KexAlg == ecdh_anon ->
-
+ assert_curve(ECCCurve),
ECDHKeys = public_key:generate_key(ECCCurve),
#{security_parameters := SecParams} =
ssl_record:pending_connection_state(ConnectionStates0, read),
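Review bot: The added `assert_curve(ECCCurve)` reports failure with `throw`, so this `key_exchange` clause now relies on its callers catching a thrown alert record and sending it to the peer; no such handler is visible in the hunk, and the clause starts and ends outside it. The same applies to the second call site in the hunk at `@@ -1153`. The guard here also covers `ecdhe_ecdsa` and `ecdh_anon`, although the commit subject names only `ecdhe_rsa`. A short comment above the call would record both points, for example `%% May throw a fatal alert (no negotiated curve); applies to all ECDHE/ECDH-anon suites`.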
@@ -1153,6 +1153,7 @@ key_exchange(#state{static_env = #static_env{role = server},
session = #session{ecc = ECCCurve, private_key = PrivateKey},
connection_states = ConnectionStates0
} = State0, Connection) ->
+ assert_curve(ECCCurve),
ECDHKeys = public_key:generate_key(ECCCurve),
#{security_parameters := SecParams} =
ssl_record:pending_connection_state(ConnectionStates0, read),
@@ -1738,3 +1739,11 @@ default_cert_key_pair_return(undefined, Session) ->
Session;
default_cert_key_pair_return(Default, _) ->
Default.
+
+assert_curve(ECCCurve) ->
+ case ECCCurve of
+ no_curve ->
+ throw(?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY, no_suitable_elliptic_curve));
+ _ ->
+ ok
+ end.
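Review bot: `assert_curve/1` dispatches on its single argument with a `case`, where two function clauses would be more idiomatic: `assert_curve(no_curve) -> throw(?ALERT_REC(?FATAL, ?INSUFFICIENT_SECURITY, no_suitable_elliptic_curve));` followed by `assert_curve(_) -> ok.`. The helper has no `-spec` or comment, so a reader cannot tell that `no_curve` is presumably the session value when the peers share no curve, or why `?INSUFFICIENT_SECURITY` was chosen over a generic handshake failure. Since that alert choice is the whole purpose of the change, a one-line comment such as `%% No common curve was negotiated: fail with a specific alert before public_key:generate_key/1 is called` would help.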
diff --git a/lib/ssl/test/ssl_ECC_SUITE.erl b/lib/ssl/test/ssl_ECC_SUITE.erl
index d605f0bdae..b2ad692792 100644
--- a/lib/ssl/test/ssl_ECC_SUITE.erl
+++ b/lib/ssl/test/ssl_ECC_SUITE.erl
@@ -46,7 +46,8 @@
ecc_default_order_custom_curves/1,
ecc_client_order/1,
ecc_client_order_custom_curves/1,
- ecc_unknown_curve/1,
+ ecc_unknown_curve_ecdhe_ecdsa/1,
+ ecc_unknown_curve_ecdhe_rsa/1,
client_ecdh_rsa_server_ecdhe_ecdsa_server_custom/1,
client_ecdh_rsa_server_ecdhe_rsa_server_custom/1,
client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom/1,
@@ -93,7 +94,8 @@ ecc_negotiation() ->
ecc_default_order_custom_curves,
ecc_client_order,
ecc_client_order_custom_curves,
- ecc_unknown_curve,
+ ecc_unknown_curve_ecdhe_ecdsa,
+ ecc_unknown_curve_ecdhe_rsa,
client_ecdh_rsa_server_ecdhe_ecdsa_server_custom,
client_ecdh_rsa_server_ecdhe_rsa_server_custom,
client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom,
@@ -173,9 +175,10 @@ client_ecdsa_server_ecdsa_with_raw_key(Config) when is_list(Config) ->
ServerKey = {'ECPrivateKey', Key},
SType = proplists:get_value(server_type, Config),
CType = proplists:get_value(client_type, Config),
- {Server, Port} = ssl_test_lib:start_server_with_raw_key(SType,
- [{key, ServerKey} | proplists:delete(keyfile, SOpts)],
- Config),
+ {Server, Port} =
+ ssl_test_lib:start_server_with_raw_key(SType,
+ [{key, ServerKey} | proplists:delete(keyfile, SOpts)],
+ Config),
Client = ssl_test_lib:start_client(CType, Port, COpts, Config),
ssl_test_lib:gen_check_result(Server, SType, Client, CType),
ssl_test_lib:stop(Server, Client).
@@ -240,11 +243,23 @@ ecc_client_order_custom_curves(Config) ->
false -> {skip, "unsupported named curves"}
end.
-ecc_unknown_curve(Config) ->
+ecc_unknown_curve_ecdhe_ecdsa(Config) ->
Default = ssl_test_lib:default_cert_chain_conf(),
{COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
{client_chain, Default}],
- ecdhe_ecdsa, ecdhe_ecdsa, Config),
+ ecdhe_ecdsa, ecdhe_ecdsa, Config),
+ COpts = ssl_test_lib:ssl_options(COpts0, Config),
+ SOpts = ssl_test_lib:ssl_options(SOpts0, Config),
+ ECCALL = ssl:eccs(),
+ SECCOpts = [{eccs, [hd(ECCALL)]}],
+ CECCOpts = [{eccs, tl(ECCALL)}],
+ ssl_test_lib:ecc_test_error(COpts, SOpts, CECCOpts, SECCOpts, Config).
+
+ecc_unknown_curve_ecdhe_rsa(Config) ->
+ Default = ssl_test_lib:default_cert_chain_conf(),
+ {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
+ {client_chain, Default}],
+ ecdhe_rsa, ecdhe_rsa, Config),
COpts = ssl_test_lib:ssl_options(COpts0, Config),
SOpts = ssl_test_lib:ssl_options(SOpts0, Config),
ECCOpts = [{eccs, ['123_fake_curve']}],
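Review bot: The new `ecc_unknown_curve_ecdhe_ecdsa` body splits `ssl:eccs()` with `hd(ECCALL)` and `tl(ECCALL)` without checking that at least two curves are available. With a single curve the client is configured with `{eccs, []}`, and with none `hd/1` crashes instead of skipping. The neighbouring test ends in `{skip, "unsupported named curves"}`, so a matching guard would fit, e.g. `case ssl:eccs() of [_, _ | _] = ECCALL -> ...; _ -> {skip, "unsupported named curves"} end`. The test name still says "unknown curve" although it now exercises the no-common-curve case. Nothing visible asserts which alert comes back, because `ecc_test_error` is defined elsewhere and the `ecdhe_rsa` test body continues past the hunk, so it is worth confirming that the specific alert added by this commit is actually checked.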
--
2.35.3