From 4727af125358883bf5d51e3b9e8443a71854bbba Mon Sep 17 00:00:00 2001
From: Per Andersson
Date: Thu, 28 Dec 2023 00:29:13 +0100
Subject: [PATCH] ssl: Get dhfile ssl option
The fallback after "dh" ssl option was undefined was to get "dh" from ssl options again. This is clearly wrong and now changed to the documented fallback "dhfile" ssl option. Add test for passing an invalid dhparams file to server ssl options.
Signed-off-by: Per Andersson
---
 lib/ssl/src/ssl_config.erl | 2 +-
 lib/ssl/test/ssl_api_SUITE.erl | 46 +++++++++++++++++++
 .../ssl_api_SUITE_data/dHParam-invalid.pem | 2 +
 3 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 lib/ssl/test/ssl_api_SUITE_data/dHParam-invalid.pem
diff --git a/lib/ssl/src/ssl_config.erl b/lib/ssl/src/ssl_config.erl
index 761a4f431561..2b8002d71592 100644
--- a/lib/ssl/src/ssl_config.erl
+++ b/lib/ssl/src/ssl_config.erl
@@ -331,7 +331,7 @@ init_diffie_hellman(DbHandle, Opts, server) ->
 Bin when is_binary(Bin) ->
 public_key:der_decode('DHParameter', Bin);
 _ ->
- case maps:get(dh, Opts, undefined) of
+ case maps:get(dhfile, Opts, undefined) of
 undefined ->
 ?DEFAULT_DIFFIE_HELLMAN_PARAMS;
 DHParamFile ->
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index aa93a021a02e..9090f29baaa6 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -72,6 +72,8 @@
 active_n/1,
 dh_params/0,
 dh_params/1,
+ invalid_dhfile/0,
+ invalid_dhfile/1,
 prf/0,
 prf/1,
 hibernate_client/0,
@@ -278,6 +280,7 @@ simple_api_tests() ->
 invalid_keyfile,
 invalid_certfile,
 invalid_cacertfile,
+ invalid_dhfile,
 invalid_options,
 options_not_proplist,
 options_whitebox,
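Review bot: The `_ ->` clause on the new side still treats any non-binary `dh` value, not only an absent one, as "no dh option", so a present but malformed `dh` silently falls through to `dhfile` and then to `?DEFAULT_DIFFIE_HELLMAN_PARAMS` instead of being reported, unless option validation upstream already guarantees `dh` is a binary or undefined (not visible from this hunk). Matching the absent case explicitly, `undefined ->` in place of `_ ->`, would make a misconfigured `dh` fail at option processing with a case_clause rather than quietly downgrading to the built-in group. The same silent-fallback shape is what hid the original bug: a configured `dhfile` was ignored and the default parameters used with no signal to the operator, so the fix would benefit from a positive test that a valid `dhfile` is actually loaded, not only the invalid-file case added in ssl_api_SUITE. init_diffie_hellman/3 starts and ends outside the hunk, so the `DHParamFile ->` branch that reads and decodes the file is not reviewable here.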
@@ -799,6 +802,49 @@ dh_params(Config) when is_list(Config) ->
 ssl_test_lib:close(Server),
 ssl_test_lib:close(Client).
+
+%%--------------------------------------------------------------------
+invalid_dhfile() ->
+ [{doc,"Test to check invalid DH-params file in server."}].
+invalid_dhfile(Config) when is_list(Config) ->
+ ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config),
+ ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+ DataDir = proplists:get_value(data_dir, Config),
+ DHParamFile = filename:join(DataDir, "dHParam-invalid.pem"),
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+ Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {ssl_test_lib,
+ send_recv_result_active,
+ []}},
+ {options, [{dhfile, DHParamFile}
+ | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ {host, Hostname}, {from, self()},
+ {mfa, {ssl_test_lib,
+ send_recv_result_active,
+ []}},
+ {options, [{ciphers,
+ [{dhe_rsa,
+ aes_256_cbc, sha}]}
+ | ClientOpts]}]),
+
+ %% assert server error
+ [{Server, {error, {options, {dhfile, DHParamFile,
+ {error, {asn1,
+ {{invalid_value, 0}, _Stack}}}}}}}] =
+ ssl_test_lib:get_result([Server]),
+
+ %% assert client error
+ ssl_test_lib:check_result(Client, {error, closed}),
+
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
+
+
 %%--------------------------------------------------------------------
 conf_signature_algs() ->
 [{doc,"Test to set the signature_algs option on both client and server"}].
diff --git a/lib/ssl/test/ssl_api_SUITE_data/dHParam-invalid.pem b/lib/ssl/test/ssl_api_SUITE_data/dHParam-invalid.pem
new file mode 100644
index 000000000000..17d88ffc4ad9
--- /dev/null
+++ b/lib/ssl/test/ssl_api_SUITE_data/dHParam-invalid.pem
@@ -0,0 +1,2 @@
+-----BEGIN DH PARAMETERS-----
+-----END DH PARAMETERS-----
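Review bot: The server-side assertion at `{{invalid_value, 0}, _Stack}` pins the test to the exact internal error term the asn1 DER decoder produces for an empty DH PARAMETERS body, which is a brittle contract: any change in how public_key or asn1 reports a zero-length value will break this test without the ssl behaviour under test changing at all. What the test needs to establish is only that a bad `dhfile` is rejected at option processing and reported under the dhfile option, so the pattern could be loosened to `{error, {options, {dhfile, DHParamFile, {error, {asn1, _}}}}}`. The doc string could also say what makes the file invalid, e.g. `[{doc,"Server with a dhfile whose PEM body is empty must fail at option processing and close the client"}]`. The `{ciphers, [{dhe_rsa, aes_256_cbc, sha}]}` client restriction has no bearing on this failure, which happens before any handshake, so it is presumably carried over from dh_params/1 rather than needed here.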