author | Ingela Anderton Andin <[email protected]> | 2018-09-06 15:49:47 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2018-09-11 10:49:32 +0200 |
commit | b7138087d757f3e4190af92386145a1d942b7b8b (patch) | |
tree | f9cf7f85b45ebc937edcddc3508f632fc390e330 | |
parent | fd591b6f7bb681dd5335a67e66b1d0b8ecf2a76f (diff) | |
ssl: Correct handling of all PSK cipher suites
Previously, only some PSK suites were correctly negotiated, and most PSK
cipher suites would fail the connection.
PSK cipher suites are anonymous in the sense that they do not use
certificates except for rsa_psk.
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 4 | ||||
-rw-r--r-- | lib/ssl/test/ssl_basic_SUITE.erl | 30 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 4 |
3 files changed, 23 insertions, 15 deletions
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index fa446081b3..3888f9dcf6 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1058,7 +1058,9 @@ select_curve(undefined, _, _) ->
 select_hashsign(_, _, KeyExAlgo, _, _Version) when KeyExAlgo == dh_anon;
 KeyExAlgo == ecdh_anon;
 KeyExAlgo == srp_anon;
- KeyExAlgo == psk ->
+ KeyExAlgo == psk;
+ KeyExAlgo == dhe_psk;
+ KeyExAlgo == ecdhe_psk ->
 {null, anon};
 %% The signature_algorithms extension was introduced with TLS 1.2. Ignore it if we have
 %% negotiated a lower version.
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index b6d38ee9db..cae491b882 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
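Review bot: In `select_hashsign` (lib/ssl/src/ssl_handshake.erl), the guard is now a hand-maintained list of six key exchanges, and nothing on the clause records why `rsa_psk` is left out. The commit message explains that rsa_psk is the one PSK key exchange that uses a certificate, so a later edit that "completes" the PSK list would return `{null, anon}` for a certificate-based suite. I would put `%% rsa_psk is intentionally absent: it is the only PSK key exchange that uses a certificate` above the clause. The remaining clauses of select_hashsign lie outside this hunk, so how rsa_psk is handled there is not visible here.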
@@ -5033,18 +5033,22 @@ run_suites(Ciphers, Config, Type) ->
 [{ciphers, Ciphers} |
 ssl_test_lib:ssl_options(server_ecdsa_opts, Config)]}
 end,
- ct:pal("ssl_test_lib:filter_suites(~p ~p) -> ~p ", [Ciphers, Version, ssl_test_lib:filter_suites(Ciphers, Version)]),
- Result = lists:map(fun(Cipher) ->
- cipher(Cipher, Version, Config, ClientOpts, ServerOpts) end,
- ssl_test_lib:filter_suites(Ciphers, Version)),
- case lists:flatten(Result) of
- [] ->
- ok;
- Error ->
- ct:log("Cipher suite errors: ~p~n", [Error]),
- ct:fail(cipher_suite_failed_see_test_case_log)
- end.
-
+ Suites = ssl_test_lib:filter_suites(Ciphers, Version),
+ ct:pal("ssl_test_lib:filter_suites(~p ~p) -> ~p ", [Ciphers, Version, Suites]),
+ Results0 = lists:map(fun(Cipher) ->
+ cipher(Cipher, Version, Config, ClientOpts, ServerOpts) end,
+ ssl_test_lib:filter_suites(Ciphers, Version)),
+ Results = lists:flatten(Results0),
+ true = length(Results) == length(Suites),
+ check_cipher_result(Results).
+
+check_cipher_result([]) ->
+ ok;
+check_cipher_result([ok | Rest]) ->
+ check_cipher_result(Rest);
+check_cipher_result([_ |_] = Error) ->
+ ct:fail(Error).
+
 erlang_cipher_suite(Suite) when is_list(Suite)->
 ssl_cipher_format:suite_definition(ssl_cipher_format:openssl_suite(Suite));
 erlang_cipher_suite(Suite) ->
@@ -5081,7 +5085,7 @@ cipher(CipherSuite, Version, Config, ClientOpts, ServerOpts) ->
 case Result of
 ok ->
- [];
+ [ok];
 Error ->
 [{ErlangCipherSuite, Error}]
 end.
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 57877d4517..a391b52c1a 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -1325,7 +1325,9 @@ psk_anon_suites({3,_} = Version) ->
 [{key_exchange,
 fun(psk) ->
 true;
- (psk_dhe) ->
+ (dhe_psk) ->
+ true;
+ (ecdhe_psk) ->
 true;
 (_) ->
 false |
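Review bot: In `run_suites` (lib/ssl/test/ssl_basic_SUITE.erl), `true = length(Results) == length(Suites)` also holds when `Suites` is empty, so a filter that matches nothing still ends in `check_cipher_result([]) -> ok` without a single handshake being attempted; that looks like the way the `psk_dhe` misspelling corrected in ssl_test_lib.erl could go unnoticed. If an empty list is never expected here, assert it with `[_ | _] = Suites,` before the map. The map also still calls `ssl_test_lib:filter_suites(Ciphers, Version)` a second time; passing `Suites` instead keeps the length check comparing against the list that was actually run. run_suites begins above the hunk.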
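Review bot: In `psk_anon_suites` (lib/ssl/test/ssl_test_lib.erl), the catch-all `(_) -> false` means a misspelled key-exchange atom silently drops suites from the test set instead of failing, which is apparently what the old `(psk_dhe)` clause did. A comment above the fun, such as `%% atoms must match the key_exchange names used by the ssl application; rsa_psk is excluded because it uses a certificate`, would record both constraints. The start of the psk_anon_suites body and the end of the fun are outside the hunk.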