Merge branch '3087-tls-ephemeral-ecc-gnutls-nss-compat' into 'main'

Use uncompressed point conversion form for 'tls ephemeral' ECC keys Closes #3087 See merge request isc-projects/bind9!5705
2026-06-09 10:02:07 -04:00 · 2022-01-13 13:11:14 +00:00 · 2022-01-13 13:11:14 +00:00 · 6441646ead
commit 6441646ead
parent 2eee9242e3 daf11421df
7 changed files with 42 additions and 4 deletions
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@ -114,6 +114,9 @@ SHELL=@SHELL@
 # CURL will be empty if no program was found by configure
 CURL=@CURL@

+# GNUTLS_CLI will be empty if no program was found by configure
+GNUTLS_CLI=@GNUTLS_CLI@
+
 # NC will be empty if no program was found by configure
 NC=@NC@

--- a/bin/tests/system/doth/clean.sh
+++ b/bin/tests/system/doth/clean.sh
@ -20,5 +20,6 @@ rm -f ./*/named.memstats
 rm -f ./*/named.run
 rm -f ./*/named.run.prev
 rm -f ./dig.out.*
+rm -f ./example-soa-*.test*
 rm -f ./*/example*.db
 rm -rf ./headers.*
--- a/bin/tests/system/doth/example-soa-answer.good
+++ b/bin/tests/system/doth/example-soa-answer.good
--- a/bin/tests/system/doth/example-soa-request.saved
+++ b/bin/tests/system/doth/example-soa-request.saved
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@ -582,5 +582,29 @@ if [ -n "$testcurl" ]; then
 	status=$((status + ret))
 fi

+# check whether we can use gnutls-cli for sending test queries.
+if [ -x "${GNUTLS_CLI}" ] ; then
+	GNUTLS_CLI_CHECK="$(${GNUTLS_CLI} --logfile=/dev/null 2>&1 | grep -i 'illegal option')"
+
+	if [ -n "$GNUTLS_CLI_CHECK" ]; then
+		echo_i "The available version of gnutls-cli does not support the required features"
+	else
+		testgnutls=1
+	fi
+fi
+
+if [ -n "${testgnutls}" ] ; then
+	n=$((n + 1))
+	echo_i "checking sending a DoT query using gnutls-cli ($n)"
+	ret=0
+	# use gnutls-cli to query for 'example/SOA',
+	# use a timeout with a second empty `cat` because EOF in `stdin`
+	# causes gnutls-cli to disconnect without waiting for the answer
+	( cat example-soa-request.saved && timeout 10 cat ) | "${GNUTLS_CLI}" --no-ca-verification --no-ocsp --alpn=dot --logfile=/dev/null --port=${TLSPORT} 10.53.0.1 > example-soa-answer.test$n 2>&1
+	diff example-soa-answer.good example-soa-answer.test$n > /dev/null 2>&1 || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status + ret))
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/configure.ac
+++ b/configure.ac
@ -1259,6 +1259,13 @@ AC_CONFIG_FILES([doc/doxygen/doxygen-input-filter],
 AC_PATH_PROG(CURL, curl, curl)
 AC_SUBST(CURL)

+#
+# Look for gnutls-cli
+#
+
+AC_PATH_PROG([GNUTLS_CLI], [gnutls-cli], [])
+AC_SUBST(GNUTLS_CLI)
+
 #
 # Look for nc
 #
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@ -36,6 +36,7 @@
 #include <isc/mutex.h>
 #include <isc/mutexblock.h>
 #include <isc/once.h>
+#include <isc/random.h>
 #include <isc/refcount.h>
 #include <isc/rwlock.h>
 #include <isc/thread.h>
@ -317,16 +318,16 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 			goto ssl_error;
 		}

-		/* We use a named curve and compressed point conversion form. */
+		/* Use a named curve and uncompressed point conversion form. */
 #if HAVE_EVP_PKEY_GET0_EC_KEY
 		EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey),
 				     OPENSSL_EC_NAMED_CURVE);
 		EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey),
-				     POINT_CONVERSION_COMPRESSED);
+				     POINT_CONVERSION_UNCOMPRESSED);
 #else
 		EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE);
 		EC_KEY_set_conv_form(pkey->pkey.ec,
-				     POINT_CONVERSION_COMPRESSED);
+				     POINT_CONVERSION_UNCOMPRESSED);
 #endif /* HAVE_EVP_PKEY_GET0_EC_KEY */

 #if defined(SSL_CTX_set_ecdh_auto)
@ -389,7 +390,9 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 		if (cert == NULL) {
 			goto ssl_error;
 		}
-		ASN1_INTEGER_set(X509_get_serialNumber(cert), 1);
+
+		ASN1_INTEGER_set(X509_get_serialNumber(cert),
+				 (long)isc_random32());

 #if OPENSSL_VERSION_NUMBER < 0x10101000L
 		X509_gmtime_adj(X509_get_notBefore(cert), 0);