[erlang-patches] new version elliptic curve support

Fredrik
Tue Mar 12 17:21:10 CET 2013


On 03/08/2013 02:06 PM, Andreas Schultz wrote:
> Hi,
>
> I have tested with various openssl versions and the earliest to
> pass the crypto test is 0.9.8o. I have adjusted the ifdef's
> in crypto to take that and then NO_ECDH and NO_ECDSA defines
> into account. I've also discovered a bug where an EC cipher was
> chosen when the certificate was actually not compatible with
> it.
>
> Update version is here:
>
> git fetch git://github.com/RoadRunnr/otp.git tls-psk-srp-suites-ECC
>
> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC
> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC.patch
>
>
> In case anybody is interested, I also have a very early version of
> AES-GCM cipher support (not for -pu inclusion yet):
>
> https://github.com/RoadRunnr/otp/compare/tls-psk-srp-suites-ECC-GCM
>
> Andreas
>
> ----- Original Message -----
>> Hello again,
>>
>> Since we want Erlang/OTP to be runnable on OS X Leopard we have to make
>> an exception to the OpenSSL supported version and make it work here. So
>> some kind of workaround needs to be done. I'm not sure if this problem is
>> for all 0.9.7, or if it is Apple which have decided to do things a
>> specific way. So maybe the best way would be to check if the header
>> files exist in configure and then ifdef based on that. Alternatively if
>> you can determine that this is the way it works in 0.9.7, then you
>> should just be able to ifdef on the openssl version define.
>>
>> Lukas
>>
>> On 05/03/13 19:25, Lukas Larsson wrote:
>>> hmm, now that you mention it, it's 0.9.7l which is unsupported by us.
>>> I'll get back to you if we need to work around this, or if we can just
>>> leave it.
>>>
>>> Lukas
>>>
>>> On 05/03/13 19:12, Andreas Schultz wrote:
>>>> Hi,
>>>>
>>>> ----- Original Message -----
>>>>> Hello!
>>>>>
>>>>> I just noticed that this patch seems to break the OS X Leopard build.
>>>>>
>>>>> ./otp_build autoconf
>>>>> ./otp_build configure --enable-smp-support --enable-darwin-universal
>>>>> make
>>>>> ...
>>>>> Lots of text
>>>>> ...
>>>> [...]
>>>>
>>>>> It would seem like OPENSSL_NO_EC is not defined on OS X Leopard,
>>>>> even if
>>>>> the feature is not supported. The feature is supported on Snow Leopard
>>>>> and Lion.
>>>>>
>>>>> I don't really know how this is meant to work, but maybe a configure
>>>>> test for osx leopard could work?
>>>> A test for the openssl version possibly combined with a platform check
>>>> might be sufficient. I checked openssl 0.9.7 and they did support EC
>>>> and the OPENSSL_NO_EC define. Could you find out what openssl version
>>>> leopard has?
>>>>
>>>>> As a side note, strangely openssl/ec.h exists, but not ecdh and
>>>>> ecdsa.... maybe that's why it is not defined? Let me know if you need
>>>>> any more info.
>>>> I'll extend the check for NO_ECDH and NO_ECDSA, that should take care of
>>>> such a situation.
>>>>
>>>> Andreas
>>>>
>>>>> Lukas
>>>>>
>>>>> On 28/02/13 09:43, Fredrik wrote:
>>>>>> On 02/27/2013 07:33 PM, Andreas Schultz wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have fixed the ssl_to_openssl_SUITE failure. The test suite
>>>>>>> tried to
>>>>>>> use an EC cipher on an openssl version that has no support for that
>>>>>>> cipher.
>>>>>>>
>>>>>>> I have also tried to reproduce the failing crypto ec test on Ubuntu
>>>>>>> natty 32bit and 64bit with halfword and m32-build, but it does pass
>>>>>>> the test on all those variants.
>>>>>>>
>>>>>>> Is there anything special or non-standard in your test setup
>>>>>>> (e.g. configuration switches, manually installed libraries, ...)???
>>>>>>>
>>>>>>> New version with fixed ssl_to_openssl_SUITE here:
>>>>>>>
>>>>>>> git fetch git://github.com/RoadRunnr/otp.git tls-psk-srp-suites-ECC
>>>>>>>
>>>>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC
>>>>>>>
>>>>>>> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites-ECC.patch
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Andreas
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> Andreas Schultz wrote:
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> Hi!
>>>>>>>>>>
>>>>>>>>>> I took a look at the failing test cases and found that with
>>>>>>>>>> openssl
>>>>>>>>>> 0.9.8k,  openssl
>>>>>>>>>>
>>>>>>>>>> will crash with errors like the following:
>>>>>>>>>>
>>>>>>>>>> openssl 25966:error:14092073:SSL
>>>>>>>>>> routines:SSL3_GET_SERVER_HELLO:bad packet
>>>>>>>>>> length:s3_clnt.c:879:
>>>>>>>>>> CONNECTED(00000003)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> **** User 2013-02-25 11:01:47.291 ****
>>>>>>>>>> ssl_to_openssl_SUITE:basic_erlang_server_openssl_client failed on
>>>>>>>>>> line
>>>>>>>>>> 249 Reason: {test_case_failed,{{expected,{<0.11346.0>,ok}},
>>>>>>>>>> {got,{'EXIT',#Port<0.11738>,normal}}}}
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> That is why the test case gets {'EXIT',#Port<0.11738>,normal}
>>>>>>>>>>
>>>>>>>>>> for the test cases erlang_server_openssl_client,
>>>>>>>>>> erlang_server_openssl_client_client_cert,
>>>>>>>>>> erlang_server_openssl_client_dsa_cert,
>>>>>>>>>> erlang_server_openssl_client_reuse_session
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> and with openssl 0.9.8k and 0.9.8.o there is a handshake
>>>>>>>>>> failure
>>>>>>>>>> in the ciphers_rsa_signed_certs test case
>>>>>>>>>> <http://otp.ericsson.se:8000/product/internal/test/test_results/pu_R16B/2013_02_25/otp_r16b_elbereth_linux-gnu_x86_64_64_s4_a6_meamax/ct_run.test_server@elbereth.2013-02-26_04.53.56/test.ssl_test.logs/run.2013-02-26_04.53.59/ssl_to_openssl_suite.src.html#ciphers_rsa_signed_certs-1>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Got that too. Will investigate.
>>>>>>>>>
>>>>>>>>> Yet this still doesn't explain why the i386 build is showing
>>>>>>>>> a failure in the crypto EC tests (this also causes a lot of
>>>>>>>>> the ssl failures later on).
>>>>>>>> Yes it could be good to investigate that first.
>>>>>>>> Looking at the crypto testruns it fails on openssl 0.9.8k.
>>>>>>>>
>>>>>>>> Regards Ingela Erlang/OTP team - Ericsson AB
>>>>>>>>
>>>>>>>> [...]
>>>>>>>>
>>>>>> Hello,
>>>>>> Re-fetched. Let's see how the testing goes now!
>>>>>> There should be no special configurations as far as I know..
>>>>>>
>>
Hello again,
It seems suspicious that these two openssl versions
0.9.8a
0.9.7l
are failing some testcases that other versions are not. We are thinking
that it could be a bug in openssl but we are not sure. Could you match
your tests upon your branch on these openssl versions and see if you can
reproduce them?
The failing testcases are:

ciphers_rsa_signed_certs
erlang_server_openssl_client
erlang_server_openssl_client_client_cert
erlang_server_openssl_client_dsa_cert
erlang_server_openssl_client_reuse_session

in the ssl_to_openssl_SUITE suite.

-- 

BR Fredrik Gustafsson
Erlang OTP Team
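
The version and NO_* gating discussed in this thread, as an added example (not code from the patch or from OTP). It decodes the packed pre-1.0 OPENSSL_VERSION_NUMBER layout and applies the 0.9.8o threshold together with the OPENSSL_NO_EC / OPENSSL_NO_ECDH / OPENSSL_NO_ECDSA checks at runtime; the names EC_MIN_VERSION, ossl_version_str and ec_enabled are hypothetical, and the NO_* flag values in the sample table are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Pre-1.0 OpenSSL packs its version as 0xMNNFFPPS:
 * major, minor, fix, patch (0 = none, 1 = 'a', ...), status (0xf = release). */
#define EC_MIN_VERSION 0x009080ffUL   /* 0.9.8o, the threshold named in the thread */

/* Render a packed version such as 0x009080ffUL as "0.9.8o". */
static const char *ossl_version_str(unsigned long v, char *buf, size_t len)
{
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
    if (patch >= 1 && patch <= 26)
        snprintf(buf, len, "%u.%u.%u%c", major, minor, fix, 'a' + patch - 1);
    else
        snprintf(buf, len, "%u.%u.%u", major, minor, fix);
    return buf;
}

/* Runtime mirror of the compile-time gate:
 *   #if OPENSSL_VERSION_NUMBER >= EC_MIN_VERSION && !defined(OPENSSL_NO_EC) \
 *       && !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_NO_ECDSA)
 * Each no_* argument is 1 when the matching OPENSSL_NO_* macro is defined. */
static int ec_enabled(unsigned long v, int no_ec, int no_ecdh, int no_ecdsa)
{
    return v >= EC_MIN_VERSION && !no_ec && !no_ecdh && !no_ecdsa;
}

int main(void)
{
    /* Constructed inputs: versions named in the thread, NO_* flags assumed. */
    struct { unsigned long v; int no_ec, no_ecdh, no_ecdsa; } cases[] = {
        { 0x009070cfUL, 0, 1, 1 },  /* 0.9.7l: ec.h present, ecdh/ecdsa missing */
        { 0x0090801fUL, 0, 0, 0 },  /* 0.9.8a */
        { 0x009080bfUL, 0, 0, 0 },  /* 0.9.8k */
        { 0x009080ffUL, 0, 0, 0 },  /* 0.9.8o */
        { 0x009080ffUL, 0, 1, 0 },  /* 0.9.8o built without ECDH */
    };
    char buf[16];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-7s EC %s\n", ossl_version_str(cases[i].v, buf, sizeof buf),
               ec_enabled(cases[i].v, cases[i].no_ec, cases[i].no_ecdh,
                          cases[i].no_ecdsa) ? "enabled" : "disabled");
    return 0;
}
```

Gating on the version alone would still enable EC on a build that ships ec.h without ECDH or ECDSA, which is why all three NO_* checks sit in the same condition.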


