diff options
| author | Péter Dimitrov <[email protected]> | 2018-11-27 16:44:11 +0100 |
|---|---|---|
| committer | Péter Dimitrov <[email protected]> | 2019-01-11 09:59:12 +0100 |
| commit | 1ed5fdcb034b4930f1a7243313d40f80fd281287 (patch) | |
| tree | 4d813884460a23d698f995867184f2cc6eb3be44 | |
| parent | 64332e9bc1f05a23c442e14e920082f8b444ef80 (diff) | |
| download | otp-1ed5fdcb034b4930f1a7243313d40f80fd281287.tar.gz otp-1ed5fdcb034b4930f1a7243313d40f80fd281287.tar.bz2 otp-1ed5fdcb034b4930f1a7243313d40f80fd281287.zip | |
ssl: Fix cipher suite selection
Accept only TLS 1.3 ciphers when TLS 1.3 is selected.
Change-Id: I4e934d344f52208263ffdeb31c357dd5727472b9
| -rw-r--r-- | lib/ssl/src/ssl_cipher.erl | 3 | ||||
| -rw-r--r-- | lib/ssl/src/tls_handshake_1_3.erl | 3 | ||||
| -rw-r--r-- | lib/ssl/src/tls_v1.erl | 14 |
3 files changed, 16 insertions, 4 deletions
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index 1b6072dbcc..32a60fe5aa 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -578,7 +578,8 @@ crypto_support_filters() -> end]}. is_acceptable_keyexchange(KeyExchange, _Algos) when KeyExchange == psk; - KeyExchange == null -> + KeyExchange == null; + KeyExchange == any -> true; is_acceptable_keyexchange(KeyExchange, Algos) when KeyExchange == dh_anon; KeyExchange == dhe_psk -> diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl index f381e038cf..4c18e76ad9 100644 --- a/lib/ssl/src/tls_handshake_1_3.erl +++ b/lib/ssl/src/tls_handshake_1_3.erl @@ -331,7 +331,8 @@ get_client_public_key(Group, ClientShares) -> select_cipher_suite([], _) -> {error, no_suitable_cipher}; select_cipher_suite([Cipher|ClientCiphers], ServerCiphers) -> - case lists:member(Cipher, ServerCiphers) of + case lists:member(Cipher, tls_v1:suites('TLS_v1.3')) andalso + lists:member(Cipher, ServerCiphers) of true -> {ok, Cipher}; false -> diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl index c964908122..d018f613c9 100644 --- a/lib/ssl/src/tls_v1.erl +++ b/lib/ssl/src/tls_v1.erl @@ -411,7 +411,7 @@ mac_hash(Method, Mac_write_secret, Seq_num, Type, {Major, Minor}, %% TODO 1.3 same as above? --spec suites(1|2|3|4) -> [ssl_cipher_format:cipher_suite()]. +-spec suites(1|2|3|4|'TLS_v1.3') -> [ssl_cipher_format:cipher_suite()]. suites(Minor) when Minor == 1; Minor == 2 -> [ @@ -472,7 +472,17 @@ suites(4) -> %% Not supported %% ?TLS_AES_128_CCM_SHA256, %% ?TLS_AES_128_CCM_8_SHA256 - ] ++ suites(3). + ] ++ suites(3); + +suites('TLS_v1.3') -> + [?TLS_AES_256_GCM_SHA384, + ?TLS_AES_128_GCM_SHA256, + ?TLS_CHACHA20_POLY1305_SHA256 + %% Not supported + %% ?TLS_AES_128_CCM_SHA256, + %% ?TLS_AES_128_CCM_8_SHA256 + ]. + signature_algs({3, 4}, HashSigns) -> signature_algs({3, 3}, HashSigns); |