[erlang-patches] new version elliptic curve support

Andreas Schultz <>
Fri Mar 8 14:06:45 CET 2013


Hi,

I have tested with various openssl versions and the earliest to
pass the crypto test is 0.9.8o. I have adjusted the ifdef's
in crypto to take that and then NO_ECDH and NO_ECDSA defines
into account. I've also discovered a bug where an EC cipher was
chosen when the certificate was actually not compatible with
it.

Update version is here:

git fetch git://github.com/RoadRunnr/otp.git tls-psk-srp-suites-ECC

https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC
https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC.patch


In case anybody is interested, I also have an very early version of
AES-GCM cipher support (not for -pu inclusion yet):

https://github.com/RoadRunnr/otp/compare/tls-psk-srp-suites-ECC-GCM

Andreas

----- Original Message -----
> Hello again,
> 
> Since we want Erlang/OTP to be runnable on OS X Leopard we have to make
> an exception to the OpenSSL supported version and make it work here. So
> somekind of workaround needs to be done. I'm not sure if this problem is
> for all 0.9.7, or if it is Apple which have decided to do things a
> specific way. So maybe the best way would be to check if the header
> files exist in configure and then ifdef based on that. Alternatively if
> you can determine that this is the way it works in 0.9.7, then you
> should just be able to ifdef on the openssl version define.
> 
> Lukas
> 
> On 05/03/13 19:25, Lukas Larsson wrote:
> > hmm, now that you mention it, it's 0.9.7l which is unsupported by us.
> > I'll get back to you if we need to work around this, or if we can just
> > leave it.
> >
> > Lukas
> >
> > On 05/03/13 19:12, Andreas Schultz wrote:
> >> Hi,
> >>
> >> ----- Original Message -----
> >>> Hello!
> >>>
> >>> I just noticed that this patch seems to break the OS X Leopard build.
> >>>
> >>> ./otp_build autoconf
> >>> ./otp_build configure --enable-smp-support --enable-darwin-universal
> >>> make
> >>> ...
> >>> Lots of text
> >>> ...
> >> [...]
> >>
> >>> It would seem like OPENSSL_NO_EC is not defined on OS X Leopard,
> >>> even if
> >>> the feature is not supported. The feature is supported on Snow Leopard
> >>> and Lion.
> >>>
> >>> I don't really know how this is meant to work, but maybe a configure
> >>> test for osx leopard could work?
> >> A test for the openssl version possibly combined with a platform check
> >> might be sufficient. I checked openssl 0.9.7 and they did support EC
> >> and the OPENSSL_NO_EC define. Could you find out what openssl version
> >> leopard has?
> >>
> >>> As a side note, strangely openssl/ec.h exists, but not ecdh and
> >>> ecdsa.... maybe that's why it is not defined? Let me know if you need
> >>> any more info.
> >> I'll extend the check for NO_ECDH and NO_ECDSA, that should take care of
> >> such a situation.
> >>
> >> Andreas
> >>
> >>> Lukas
> >>>
> >>> On 28/02/13 09:43, Fredrik wrote:
> >>>> On 02/27/2013 07:33 PM, Andreas Schultz wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I have fixed the ssl_to_openssl_SUITE failure. The test suite
> >>>>> tried to
> >>>>> use an EC cipher on an openssl version that has no support for that
> >>>>> cipher.
> >>>>>
> >>>>> I have also tried to reproduced the failing crypto ec test on Ubuntu
> >>>>> natty 32bit and 64bit with halfword and m32-build, but it does pass
> >>>>> the test on all those variants.
> >>>>>
> >>>>> Is there anything special or non-standard in your test setup
> >>>>> (e.g. configuration switches, manually installed libraries, ...)???
> >>>>>
> >>>>> New version with fixed ssl_to_openssl_SUITE here:
> >>>>>
> >>>>> git fetch git://github.com/RoadRunnr/otp.git tls-psk-srp-suites-ECC
> >>>>>
> >>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC
> >>>>>
> >>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC.patch
> >>>>>
> >>>>>
> >>>>>
> >>>>> Andreas
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> Hi!
> >>>>>>
> >>>>>> Andreas Schultz wrote:
> >>>>>>> ----- Original Message -----
> >>>>>>>> Hi!
> >>>>>>>>
> >>>>>>>> I took a look at the failing test cases  and found that whit
> >>>>>>>> openssl
> >>>>>>>> 0.9.8k,  openssl
> >>>>>>>>
> >>>>>>>> will crash with errors like the following:
> >>>>>>>>
> >>>>>>>> openssl 25966:error:14092073:SSL
> >>>>>>>> routines:SSL3_GET_SERVER_HELLO:bad packet
> >>>>>>>> length:s3_clnt.c:879:
> >>>>>>>> CONNECTED(00000003)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> **** User 2013-02-25 11:01:47.291 ****
> >>>>>>>> ssl_to_openssl_SUITE:basic_erlang_server_openssl_client failed on
> >>>>>>>> line
> >>>>>>>> 249 Reason: {test_case_failed,{{expected,{<0.11346.0>,ok}},
> >>>>>>>> {got,{'EXIT',#Port<0.11738>,normal}}}}
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> That is why the the test case gets {EXIT',#Port<0.11738>,normal}
> >>>>>>>>
> >>>>>>>> for the test cases erlang_server_openssl_client,
> >>>>>>>> erlang_server_openssl_client_client_cert,
> >>>>>>>> erlang_server_openssl_client_dsa_cert,
> >>>>>>>> erlang_server_openssl_client_reuse_session
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> and with openssl openssl 0.9.8k and 0.9.8.o  there is a hanshake
> >>>>>>>> failure
> >>>>>>>> in the ciphers_rsa_signed_certs test case
> >>>>>>>> <http://otp.ericsson.se:8000/product/internal/test/test_results/pu_R16B/2013_02_25/otp_r16b_elbereth_linux-gnu_x86_64_64_s4_a6_meamax/ct_run.test_server@elbereth.2013-02-26_04.53.56/test.ssl_test.logs/run.2013-02-26_04.53.59/ssl_to_openssl_suite.src.html#ciphers_rsa_signed_certs-1>
> >>>>>>>>
> >>>>>>>>
> >>>>>>> Got that too. Will investigate.
> >>>>>>>
> >>>>>>> Yet this still doesn't explain why the i386 build is showing
> >>>>>>> a failure in the crypto EC tests (this also cause a lot of
> >>>>>>> the ssl failures later on).
> >>>>>> Yes it could be good to investigate that first.
> >>>>>> Looking at the crypto testruns it fails on openssl 0.9.8k.
> >>>>>>
> >>>>>> Regards Ingela Erlang/OTP team - Ericsson AB
> >>>>>>
> >>>>>> [...]
> >>>>>>
> >>>> Hello,
> >>>> Re-fetched. Let's see how the testing go now!
> >>>> There should be no special configurations as far as I know..
> >>>>
> >>>
> >
> > _______________________________________________
> > erlang-patches mailing list
> > 
> > http://erlang.org/mailman/listinfo/erlang-patches
> >
> 
> 

-- 
-- 
Dipl. Inform.
Andreas Schultz

email: 
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------


More information about the erlang-patches mailing list