From 6ec1399aa8e6f80d8423acc37027eeda4394e7ad Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 22 May 2013 11:17:11 +0200
Subject: ssl: Do not advertise EC ciphers if crypto support is insufficient

---
 lib/ssl/src/ssl_tls1.erl              | 62 ++++++++++++++++++++++++++++++-----
 lib/ssl/test/ssl_basic_SUITE.erl      |  4 +--
 lib/ssl/test/ssl_test_lib.erl         | 24 +++++++++++---
 lib/ssl/test/ssl_to_openssl_SUITE.erl |  6 ++--
 4 files changed, 78 insertions(+), 18 deletions(-)

(limited to 'lib')

diff --git a/lib/ssl/src/ssl_tls1.erl b/lib/ssl/src/ssl_tls1.erl
index f8fd9efd07..8ab66d0627 100644
--- a/lib/ssl/src/ssl_tls1.erl
+++ b/lib/ssl/src/ssl_tls1.erl
@@ -184,6 +184,22 @@ mac_hash(Method, Mac_write_secret, Seq_num, Type, {Major, Minor},
 -spec suites(1|2|3) -> [cipher_suite()].
     
 suites(Minor) when Minor == 1; Minor == 2->
+    case sufficent_ec_support() of
+	true ->
+	    all_suites(Minor);
+	false ->
+	    no_ec_suites(Minor)
+    end;
+
+suites(Minor) when Minor == 3 ->
+    case sufficent_ec_support() of
+	true ->
+	    all_suites(3) ++ all_suites(2);
+	false ->
+	    no_ec_suites(3) ++ no_ec_suites(2)
+    end.
+
+all_suites(Minor) when Minor == 1; Minor == 2->		
     [ 
       ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
@@ -208,7 +224,7 @@ suites(Minor) when Minor == 1; Minor == 2->
       ?TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
       ?TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
       ?TLS_RSA_WITH_AES_128_CBC_SHA,
-      %%?TLS_RSA_WITH_IDEA_CBC_SHA,
+      
       ?TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
       ?TLS_ECDHE_RSA_WITH_RC4_128_SHA,
       ?TLS_RSA_WITH_RC4_128_SHA,
@@ -216,31 +232,55 @@ suites(Minor) when Minor == 1; Minor == 2->
       ?TLS_DHE_RSA_WITH_DES_CBC_SHA,
       ?TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
       ?TLS_ECDH_RSA_WITH_RC4_128_SHA,
+      
       ?TLS_RSA_WITH_DES_CBC_SHA
-     ];
-
-suites(Minor) when Minor == 3 ->
+    ];
+all_suites(3) ->	
     [
      ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
      ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
      ?TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
      ?TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
-
+     
      ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
      ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
      ?TLS_RSA_WITH_AES_256_CBC_SHA256,
-
+     
      ?TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
      ?TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
      ?TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
      ?TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+     
+     ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+     ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+     ?TLS_RSA_WITH_AES_128_CBC_SHA256
+    ].
 
+no_ec_suites(Minor) when Minor == 1; Minor == 2->		
+    [ 
+      ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+      ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+      ?TLS_RSA_WITH_AES_256_CBC_SHA,
+      ?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+      ?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+      ?TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+      ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+      ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+      ?TLS_RSA_WITH_AES_128_CBC_SHA,
+      ?TLS_RSA_WITH_RC4_128_SHA,
+      ?TLS_RSA_WITH_RC4_128_MD5,
+      ?TLS_DHE_RSA_WITH_DES_CBC_SHA,
+      ?TLS_RSA_WITH_DES_CBC_SHA
+    ];
+no_ec_suites(3) ->	
+    [
+     ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+     ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+     ?TLS_RSA_WITH_AES_256_CBC_SHA256,
      ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
      ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
      ?TLS_RSA_WITH_AES_128_CBC_SHA256
-     %% ?TLS_DH_anon_WITH_AES_128_CBC_SHA256,
-     %% ?TLS_DH_anon_WITH_AES_256_CBC_SHA256
-	] ++ suites(2).
+    ].
 
 %%--------------------------------------------------------------------
 %%% Internal functions
@@ -386,3 +426,7 @@ enum_to_oid(22) -> ?secp256k1;
 enum_to_oid(23) -> ?secp256r1;
 enum_to_oid(24) -> ?secp384r1;
 enum_to_oid(25) -> ?secp521r1.
+
+sufficent_ec_support() ->
+    CryptoSupport = crypto:supports(),
+    proplists:get_bool(ecdh, proplists:get_value(public_keys, CryptoSupport)).
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 165a8a5fcc..c4a6cf1407 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -1549,7 +1549,7 @@ ciphers_rsa_signed_certs(Config) when is_list(Config) ->
     Version = 
 	ssl_record:protocol_version(ssl_record:highest_protocol_version([])),
 
-    Ciphers = ssl_test_lib:rsa_suites(erlang),
+    Ciphers = ssl_test_lib:rsa_suites(crypto),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, rsa).
 %%-------------------------------------------------------------------
@@ -1559,7 +1559,7 @@ ciphers_rsa_signed_certs_openssl_names() ->
 ciphers_rsa_signed_certs_openssl_names(Config) when is_list(Config) ->
     Version = 
 	ssl_record:protocol_version(ssl_record:highest_protocol_version([])),
-    Ciphers = ssl_test_lib:openssl_rsa_suites(),  
+    Ciphers = ssl_test_lib:openssl_rsa_suites(crypto),  
     ct:log("tls1 openssl cipher suites ~p~n", [Ciphers]),
     run_suites(Ciphers, Version, Config, rsa).
 
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 255df92d77..34c52b10b3 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -756,14 +756,20 @@ ecdh_rsa_suites() ->
 		 end,
 		 ssl:cipher_suites()).
 
-openssl_rsa_suites() ->
+openssl_rsa_suites(CounterPart) ->
     Ciphers = ssl:cipher_suites(openssl),
+    Names = case is_sane_ecc(CounterPart) of
+		true ->
+		    "DSS | ECDSA";
+		false ->
+		    "DSS | ECDHE | ECDH"
+		end,
     lists:filter(fun(Str) ->
-			 case re:run(Str,"DSS|ECDH-RSA|ECDSA",[]) of
+			 case re:run(Str, Names,[]) of
 			     nomatch ->
-				 true;
+				 false;
 			     _ ->
-				 false
+				 true
 			 end 
 		     end, Ciphers).
 
@@ -994,6 +1000,16 @@ is_sane_ecc(openssl) ->
 	_ ->
 	    true
     end;
+is_sane_ecc(crypto) ->
+    [{_,_, Bin}]  = crypto:info_lib(), 
+    case binary_to_list(Bin) of
+	"OpenSSL 0.9.8" ++ _ -> % Does not support ECC
+	    false;
+	"OpenSSL 0.9.7" ++ _ -> % Does not support ECC
+	    false;
+	_ ->
+	    true
+    end;
 is_sane_ecc(_) ->
     true.
 
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 075b4b1ec4..7f91865a86 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -106,9 +106,9 @@ init_per_suite(Config0) ->
 					      ?config(priv_dir, Config0))),
 		    ct:log("Make certs  ~p~n", [Result]),
 		    Config1 = ssl_test_lib:make_dsa_cert(Config0),
-		    Config = ssl_test_lib:cert_options(Config1),
-		    NewConfig = [{watchdog, Dog} | Config],
-		    ssl_test_lib:cipher_restriction(NewConfig)
+		    Config2 = ssl_test_lib:cert_options(Config1),
+		    Config = [{watchdog, Dog} | Config2],
+		    ssl_test_lib:cipher_restriction(Config)
 		catch _:_  ->
 		    {skip, "Crypto did not start"}
 	    end
-- 
cgit v1.2.3