File 1641-ssl-Improve-interoperability.patch of Package erlang

From d6bbb44e93bdcb04bafbae0017b2596bb15d6554 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 17 Oct 2025 15:04:34 +0200
Subject: [PATCH 1/3] ssl: Improve interoperability

Do not calculate something that we can know, especially
in a way that will not always work.
---
 lib/ssl/src/ssl_handshake.erl             |  6 ++++--
 lib/ssl/src/tls_client_connection_1_3.erl |  2 +-
 lib/ssl/src/tls_handshake_1_3.erl         | 25 ++++-------------------
 lib/ssl/src/tls_handshake_1_3.hrl         |  3 ++-
 4 files changed, 11 insertions(+), 25 deletions(-)

diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 3cba63840b..74af182533 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -433,7 +433,7 @@ certificate_verify(Signature, PublicKeyInfo, Version,
     end.
 %%--------------------------------------------------------------------
 -spec verify_signature(ssl_record:ssl_version(), binary(), {term(), term()}, binary(),
-				   public_key_info()) -> true | false.
+                       public_key_info()) -> true | false.
 %%
 %% Description: Checks that a public_key signature is valid.
 %%--------------------------------------------------------------------
@@ -3127,7 +3127,9 @@ decode_extensions(<<?UINT16(?PRE_SHARED_KEY_EXT), ?UINT16(Len),
                                #pre_shared_key_client_hello{
                                   offered_psks = #offered_psks{
                                                     identities = decode_psk_identities(Identities),
-                                                    binders = decode_psk_binders(Binders)}}});
+                                                    binders = decode_psk_binders(Binders)},
+                                  binder_length = BLen + 2}}
+                     );
 decode_extensions(<<?UINT16(?PRE_SHARED_KEY_EXT), ?UINT16(Len),
                        ExtData:Len/binary, Rest/binary>>,
                   Version, MessageType = server_hello, Acc) ->
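Review bot: The `+ 2` in `binder_length = BLen + 2` is an unexplained constant applied to a length taken from the peer's ClientHello, and `truncate_client_hello` later cuts exactly this many bytes off the message before the PSK binder is verified. It presumably accounts for the two-byte length prefix of the binders vector, so a comment such as `%% BLen bytes of binders plus the 2-byte vector length prefix` next to the field would make the arithmetic checkable. `BLen` is bound in the clause head, which lies outside this hunk, so whether it is matched against the real size of `Binders` cannot be confirmed from here.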
diff --git a/lib/ssl/src/tls_client_connection_1_3.erl b/lib/ssl/src/tls_client_connection_1_3.erl
index 635dfb9210..a8185cc640 100644
--- a/lib/ssl/src/tls_client_connection_1_3.erl
+++ b/lib/ssl/src/tls_client_connection_1_3.erl
@@ -647,7 +647,7 @@ do_handle_exlusive_1_3_hello_or_hello_retry_request(
          connection_states = ConnectionStates0
         } = State0) ->
     {Ref,Maybe} = tls_gen_connection_1_3:do_maybe(),
-                                              try
+    try
         ClientGroups =
             Maybe(tls_handshake_1_3:get_supported_groups(ClientGroups0)),
         Cookie = maps:get(cookie, Extensions, undefined),
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 685e5ca5a6..6ecc881415 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -1832,28 +1832,11 @@ create_binders(Context, [#ticket_data{
 %% } OfferedPsks;
 truncate_client_hello(HelloBin0) ->
     <<?BYTE(Type), ?UINT24(_Length), Body/binary>> = HelloBin0,
-    CH0 = #client_hello{
-             extensions = #{pre_shared_key := PSK0} = Extensions0} =
+    #client_hello{
+       extensions = #{pre_shared_key := PSK0}} =
         tls_handshake:decode_handshake(?TLS_1_3, Type, Body),
-    #pre_shared_key_client_hello{offered_psks = OfferedPsks0} = PSK0,
-    OfferedPsks = OfferedPsks0#offered_psks{binders = []},
-    PSK = PSK0#pre_shared_key_client_hello{offered_psks = OfferedPsks},
-    Extensions = Extensions0#{pre_shared_key => PSK},
-    CH = CH0#client_hello{extensions = Extensions},
-
-    %% Decoding a ClientHello from an another TLS implementation can contain
-    %% unsupported extensions and thus executing decoding and encoding on
-    %% the input can result in a different handshake binary.
-    %% The original length of the binders can still be determined by
-    %% re-encoding the original ClientHello and using its size as reference
-    %% when we subtract the size of the truncated binary.
-    TruncatedSize = iolist_size(tls_handshake:encode_handshake(CH, ?TLS_1_3)),
-    RefSize = iolist_size(tls_handshake:encode_handshake(CH0, ?TLS_1_3)),
-    BindersSize = RefSize - TruncatedSize,
-
-    %% Return the truncated ClientHello by cutting of the binders from the original
-    %% ClientHello binary.
-    {Truncated, _} = split_binary(HelloBin0, byte_size(HelloBin0) - BindersSize - 2),
+    #pre_shared_key_client_hello{binder_length = BinderLen} = PSK0,
+    {Truncated, _} = split_binary(HelloBin0, byte_size(HelloBin0) - BinderLen),
     Truncated.
 
 maybe_add_early_data_indication(#client_hello{
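Review bot: `truncate_client_hello` now removes `BinderLen` bytes from the end of `HelloBin0`, which is only correct when pre_shared_key is the last extension in the ClientHello, and the deleted comment block leaves that assumption unstated. RFC 8446 section 4.2.11 requires that placement and requires the server to abort with illegal_parameter otherwise; whether the decoder enforces it is not visible in this hunk and should be confirmed. I would add `%% BinderLen includes the 2-byte binders length prefix; relies on pre_shared_key being the last extension (RFC 8446 4.2.11)` above the `split_binary` call. The function's header comment starts before the hunk.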
diff --git a/lib/ssl/src/tls_handshake_1_3.hrl b/lib/ssl/src/tls_handshake_1_3.hrl
index df942d24f4..ac7c081336 100644
--- a/lib/ssl/src/tls_handshake_1_3.hrl
+++ b/lib/ssl/src/tls_handshake_1_3.hrl
@@ -117,7 +117,8 @@
 %% } PreSharedKeyExtension;
 -record(pre_shared_key_client_hello,
         {
-         offered_psks
+         offered_psks,
+         binder_length
         }).
 
 -record(pre_shared_key_server_hello,
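Review bot: The new `binder_length` field has no default and no comment, so any `#pre_shared_key_client_hello{}` built outside `decode_extensions` carries `undefined`, which `truncate_client_hello` would turn into a badarith crash. Suggest documenting the field in place: `binder_length  %% decode only: byte size of the binders vector incl. its 2-byte length prefix`. Sites that construct or encode this record are outside this diff and are worth a quick check.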
-- 
2.51.0
