From 1b0448c1a96166813ac94cb39644912064d7d26c Mon Sep 17 00:00:00 2001
From: Todd Short
Date: Tue, 14 Apr 2026 10:50:37 -0400
Subject: [PATCH] tlsprofiles: guard empty parse results; write JSON atomically
Panic in parseProfile if all curves or all pre-TLS-1.3 ciphers are skipped, preventing a silent zero-value profile. Download mozilla_data.json to a temp file and mv atomically to avoid leaving a corrupt file on partial curl failure.
Co-Authored-By: Claude Sonnet 4.6
Signed-off-by: Todd Short
---
 hack/tools/update-tls-profiles.sh | 7 ++++++-
 internal/shared/util/tlsprofiles/mozilla_data.go | 7 +++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/hack/tools/update-tls-profiles.sh b/hack/tools/update-tls-profiles.sh
index 10a3e270c..9a3443f04 100755
--- a/hack/tools/update-tls-profiles.sh
+++ b/hack/tools/update-tls-profiles.sh
@@ -4,8 +4,13 @@ set -e
 OUTPUT=internal/shared/util/tlsprofiles/mozilla_data.json
 INPUT=https://ssl-config.mozilla.org/guidelines/latest.json
+tmp="$(mktemp "${OUTPUT}.tmp.XXXXXX")"
+trap 'rm -f "${tmp}"' EXIT
-if ! curl -L -s -f "${INPUT}" -o "${OUTPUT}"; then
+if ! curl -L -s -f "${INPUT}" -o "${tmp}"; then
 echo "ERROR: Failed to download ${INPUT} (HTTP error or connection failure)" >&2
 exit 1
 fi
+
+mv "${tmp}" "${OUTPUT}"
+trap - EXIT
diff --git a/internal/shared/util/tlsprofiles/mozilla_data.go b/internal/shared/util/tlsprofiles/mozilla_data.go
index 8b513172b..184c9787a 100644
--- a/internal/shared/util/tlsprofiles/mozilla_data.go
+++ b/internal/shared/util/tlsprofiles/mozilla_data.go
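Review bot: curl -f only rejects HTTP error statuses, so a 200 response whose body is not JSON (a CDN or captive-portal error page, for instance) still reaches the new `mv` and replaces a good mozilla_data.json with junk; the atomic rename only protects against a partial write, not a wrong one. Validate the temp file before installing it, e.g. `jq empty "${tmp}" || { echo "ERROR: ${INPUT} did not return valid JSON" >&2; exit 1; }` placed before the `mv` (or the python3 json module if jq is not already a tooling dependency here — I can't see what hack/tools assumes). A smaller point: mktemp creates the file with mode 0600, so after the rename the working-tree JSON loses group/other read permission; `chmod 0644 "${tmp}"` before the `mv` keeps the previous mode. The `trap - EXIT` after the rename is fine, since `rm -f` on the moved path would be a no-op anyway.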
@@ -96,6 +96,13 @@ func parseProfile(name string, cfg mozillaConfiguration) (tlsProfile, []string,
 panic(fmt.Sprintf("tlsprofiles: profile %q has unrecognized tls_versions[0] %q: %v", name, cfg.TLSVersions[0], err))
 }
+ if len(curveNums) == 0 {
+ panic(fmt.Sprintf("tlsprofiles: profile %q resolved no supported tls_curves from embedded mozilla_data.json", name))
+ }
+ if version < tlsVersion(tls.VersionTLS13) && len(cipherNums) == 0 {
+ panic(fmt.Sprintf("tlsprofiles: profile %q resolved no supported cipher suites from embedded mozilla_data.json", name))
+ }
+
 return tlsProfile{
 ciphers: cipherSlice{cipherNums: cipherNums},
 curves: curveSlice{curveNums: curveNums},
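Review bot: The TLS 1.3 gate on the cipher-suite guard is correct but unexplained, so a reader will wonder why an empty cipher list is fatal for one profile and acceptable for another. Add a why-comment above the second added `if`, e.g. `// crypto/tls ignores Config.CipherSuites for TLS 1.3, so a profile whose minimum version is 1.3 legitimately resolves no configurable suites; anything older must keep at least one.` That comment relies on tls_versions[0] being the profile's minimum version, which the lines above the hunk appear to assume — worth confirming against the JSON layout rather than the variable name. The new panics match the existing unrecognized-version panic a few lines up, so the style is consistent; if the third return value (`[]string`, presumably the per-entry skip warnings) carries the names of the skipped curves and suites, folding them into the panic message would make the failure diagnosable without re-running the parse. parseProfile begins and ends outside the hunk.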