File 0797-ssl-Make-sure-the-listing-of-all-cipher-su... of Package erlang

Overview Repositories Revisions Requests Users Attributes Meta

File 0797-ssl-Make-sure-the-listing-of-all-cipher-suites-is-co.patch of Package erlang

From 690458ebdc76c0a54b48b1e23ec6698e4ebda784 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 21 Dec 2021 13:51:47 +0100
Subject: [PATCH] ssl: Make sure the listing of all cipher suites is complete.

Some RSA key-exchange ciphers suites where not included in the
listing of all ciphers suites.
---
 lib/ssl/src/tls_v1.erl         | 39 +++++++++++++-------
 lib/ssl/test/ssl_api_SUITE.erl | 67 +++++++++++++++++++++++++++++++++-
 2 files changed, 90 insertions(+), 16 deletions(-)

diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index e788086c5d..e6b08a20bf 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -43,9 +43,13 @@
          psk_suites_anon/1,
          srp_suites/1,
          srp_suites_anon/1,
+         srp_exclusive/1,
 	 rc4_suites/1,
+         rc4_exclusive/1,
          des_suites/1,
+         des_exclusive/1,
          rsa_suites/1,
+         rsa_exclusive/1,
          prf/5,
 	 ecc_curves/1, 
          ecc_curves/2, 
@@ -731,7 +735,9 @@ srp_exclusive(1) ->
      ?TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
      ?TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
      ?TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
-    ].
+    ];
+srp_exclusive(_) ->
+    [].
 
 %%--------------------------------------------------------------------
 -spec srp_suites_anon(tls_record:tls_version()) -> [ssl_cipher_format:cipher_suite()].
@@ -760,15 +766,17 @@ srp_exclusive_anon(1) ->
 %% belonged to the user configured only category.
 %%--------------------------------------------------------------------
 rc4_suites({3, _}) ->
-    exclusive_rc4(1).
+    rc4_exclusive(1).
 
-exclusive_rc4(1) ->
+rc4_exclusive(1) ->
     [?TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
      ?TLS_ECDHE_RSA_WITH_RC4_128_SHA,
      ?TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
      ?TLS_ECDH_RSA_WITH_RC4_128_SHA,
      ?TLS_RSA_WITH_RC4_128_SHA,
-     ?TLS_RSA_WITH_RC4_128_MD5].
+     ?TLS_RSA_WITH_RC4_128_MD5];
+rc4_exclusive(_) ->
+    [].
 
 %%--------------------------------------------------------------------
 -spec des_suites(Version::ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].
@@ -778,9 +786,9 @@ exclusive_rc4(1) ->
 %% Are not considered secure any more.
 %%--------------------------------------------------------------------
 des_suites({3, _}) ->
-    exclusive_des_suites(1).
+    des_exclusive(1).
 
-exclusive_des_suites(1)->
+des_exclusive(1)->
     [?TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
      ?TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
      ?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
@@ -788,8 +796,9 @@ exclusive_des_suites(1)->
      ?TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
      ?TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
      ?TLS_DHE_RSA_WITH_DES_CBC_SHA,
-     ?TLS_RSA_WITH_DES_CBC_SHA].
-
+     ?TLS_RSA_WITH_DES_CBC_SHA];
+des_exclusive(_) ->
+    [].
 %%--------------------------------------------------------------------
 -spec rsa_suites(Version::ssl_record:ssl_version() | integer()) -> [ssl_cipher_format:cipher_suite()].
 %%
@@ -798,24 +807,26 @@ exclusive_des_suites(1)->
 %% Are not considered secure any more.
 %%--------------------------------------------------------------------
 rsa_suites({3, 3}) ->
-    rsa_suites_exclusive(3) -- [?TLS_RSA_WITH_3DES_EDE_CBC_SHA];
+    rsa_exclusive(3) ++ rsa_exclusive(1) -- [?TLS_RSA_WITH_3DES_EDE_CBC_SHA];
 rsa_suites({3, 2}) ->
-    rsa_suites_exclusive(1);
+    rsa_exclusive(1);
 rsa_suites({3, 1}) ->
-    rsa_suites_exclusive(1).
+    rsa_exclusive(1).
 
-rsa_suites_exclusive(3) ->
+rsa_exclusive(3) ->
     [
      ?TLS_RSA_WITH_AES_256_GCM_SHA384,
      ?TLS_RSA_WITH_AES_256_CBC_SHA256,
      ?TLS_RSA_WITH_AES_128_GCM_SHA256,
      ?TLS_RSA_WITH_AES_128_CBC_SHA256
     ];
-rsa_suites_exclusive(1) ->
+rsa_exclusive(1) ->
     [?TLS_RSA_WITH_AES_256_CBC_SHA,
      ?TLS_RSA_WITH_AES_128_CBC_SHA,
      ?TLS_RSA_WITH_3DES_EDE_CBC_SHA
-    ].
+    ];
+rsa_exclusive(_) ->
+    [].
 
 signature_algs({3, 4}, HashSigns) ->
     signature_algs({3, 3}, HashSigns);
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index 08b1da51af..2c29c791d0 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -171,7 +171,9 @@
          invalid_options_tls13/0,
          invalid_options_tls13/1,
          cookie/0,
-         cookie/1
+         cookie/1,
+         cipher_listing/0,
+         cipher_listing/1
         ]).
 
 %% Apply export
@@ -292,7 +294,8 @@ gen_api_tests() ->
      invalid_options,
      cb_info,
      log_alert,
-     getstat
+     getstat,
+     cipher_listing
     ].
 
 handshake_paus_tests() ->
@@ -2484,6 +2487,16 @@ cookie() ->
 cookie(Config) when is_list(Config) ->
     cookie_extension(Config, true),
     cookie_extension(Config, false).
+%%--------------------------------------------------------------------
+cipher_listing() ->
+    [{doc, "Check that exclusive cipher for possible supported version adds up to all cipher " 
+      "for the max version. Note that TLS-1.3 will contain two distinct sets of ciphers "
+      "one for TLS-1.3 and one pre TLS-1.3"}].
+cipher_listing(Config) when is_list(Config) ->
+    Version = ssl_test_lib:protocol_version(Config, tuple),
+    length_exclusive(Version) == length_all(Version).
+
+%%--------------------------------------------------------------------
 
 %%% Checker functions
 connection_information_result(Socket) ->
@@ -2909,3 +2922,53 @@ ssl_getstat(Socket) ->
         _  ->
             ok
     end.
+
+length_exclusive({3,_} = Version) ->
+    length(exclusive_default_up_to_version(Version, [])) +
+        length(exclusive_non_default_up_to_version(Version, []));
+length_exclusive({254,_} = Version) ->
+    length(dtls_exclusive_default_up_to_version(Version, [])) +
+        length(dtls_exclusive_non_default_up_to_version(Version, [])).
+
+length_all(Version) ->
+    length(ssl:cipher_suites(all, Version)).
+
+exclusive_default_up_to_version({3, 1} = Version, Acc) ->
+    ssl:cipher_suites(exclusive, Version) ++ Acc;
+exclusive_default_up_to_version({3, Minor} = Version, Acc) when Minor =< 4 ->
+    Suites = ssl:cipher_suites(exclusive, Version),
+    exclusive_default_up_to_version({3, Minor-1}, Suites ++ Acc).
+
+dtls_exclusive_default_up_to_version({254, 255} = Version, Acc) ->
+    ssl:cipher_suites(exclusive, Version) ++ Acc;
+dtls_exclusive_default_up_to_version({254, 253} = Version, Acc) ->
+    Suites = ssl:cipher_suites(exclusive, Version),
+    dtls_exclusive_default_up_to_version({254, 255}, Suites ++ Acc).
+
+exclusive_non_default_up_to_version({3, 1} = Version, Acc) ->
+    exclusive_non_default_version(Version) ++ Acc;
+exclusive_non_default_up_to_version({3, 4}, Acc) ->
+    exclusive_non_default_up_to_version({3, 3}, Acc);
+exclusive_non_default_up_to_version({3, Minor} = Version, Acc) when Minor =< 3 ->
+    Suites = exclusive_non_default_version(Version),
+    exclusive_non_default_up_to_version({3, Minor-1}, Suites ++ Acc).
+
+dtls_exclusive_non_default_up_to_version({254, 255} = Version, Acc) ->
+    dtls_exclusive_non_default_version(Version) ++ Acc;
+dtls_exclusive_non_default_up_to_version({254, 253} = Version, Acc) ->
+    Suites = dtls_exclusive_non_default_version(Version),
+    dtls_exclusive_non_default_up_to_version({254, 255}, Suites ++ Acc).
+
+exclusive_non_default_version({_, Minor}) ->
+    tls_v1:psk_exclusive(Minor) ++
+        tls_v1:srp_exclusive(Minor) ++
+        tls_v1:rsa_exclusive(Minor) ++
+        tls_v1:des_exclusive(Minor) ++
+        tls_v1:rc4_exclusive(Minor).
+
+dtls_exclusive_non_default_version(DTLSVersion) ->        
+    {_,Minor} = ssl:tls_version(DTLSVersion),
+    tls_v1:psk_exclusive(Minor) ++
+        tls_v1:srp_exclusive(Minor) ++
+        tls_v1:rsa_exclusive(Minor) ++ 
+        tls_v1:des_exclusive(Minor).
-- 
2.31.1

Places

File 0797-ssl-Make-sure-the-listing-of-all-cipher-suites-is-co.patch of Package erlang

Places