ssl: Implement option honor_cipher_order in TLS 1.3

author: Péter Dimitrov <[email protected]> 2019-07-24 11:11:07 +0200
committer: Péter Dimitrov <[email protected]> 2019-07-25 14:55:37 +0200
commit: 73b526ce765dc7ac71fdae349da44941d8201d9c (patch)
tree: 38804420f8fee583de943296a25de99433f6de3a /lib/ssl/src
parent: b4fddea062fc13b0562bf8bf2f4cc3dc02cd193c (diff)
download: otp-73b526ce765dc7ac71fdae349da44941d8201d9c.tar.gz
otp-73b526ce765dc7ac71fdae349da44941d8201d9c.tar.bz2
otp-73b526ce765dc7ac71fdae349da44941d8201d9c.zip
1 files changed, 10 insertions, 5 deletions
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 6aeb9f5663..c29366e717 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -504,7 +504,8 @@ do_start(#client_hello{cipher_suites = ClientCiphers,
                 ssl_options = #ssl_options{ciphers = ServerCiphers,
                                            signature_algs = ServerSignAlgs,
                                            supported_groups = ServerGroups0,
-                                           alpn_preferred_protocols = ALPNPreferredProtocols},
+                                           alpn_preferred_protocols = ALPNPreferredProtocols,
+                                           honor_cipher_order = HonorCipherOrder},
                 session = #session{own_certificate = Cert}} = State0) ->
     ClientGroups0 = maps:get(elliptic_curves, Extensions, undefined),
     ClientGroups = get_supported_groups(ClientGroups0),
@@ -531,7 +532,7 @@ do_start(#client_hello{cipher_suites = ClientCiphers,
         %% cipher suite, an (EC)DHE group and key share for key establishment,
         %% and a signature algorithm/certificate pair to authenticate itself to
         %% the client.
-        Cipher = Maybe(select_cipher_suite(ClientCiphers, ServerCiphers)),
+        Cipher = Maybe(select_cipher_suite(HonorCipherOrder, ClientCiphers, ServerCiphers)),
         Groups = Maybe(select_common_groups(ServerGroups, ClientGroups)),
         Maybe(validate_client_key_share(ClientGroups, ClientShares)),
 
@@ -1731,15 +1732,19 @@ handle_alpn([ServerProtocol|T], ClientProtocols) ->
     end.
 
 
-select_cipher_suite([], _) ->
+select_cipher_suite(_, [], _) ->
     {error, no_suitable_cipher};
-select_cipher_suite([Cipher|ClientCiphers], ServerCiphers) ->
+%% If honor_cipher_order is set to true, use the server's preference for
+%% cipher suite selection.
+select_cipher_suite(true, ClientCiphers, ServerCiphers) ->
+    select_cipher_suite(false, ServerCiphers, ClientCiphers);
+select_cipher_suite(false, [Cipher|ClientCiphers], ServerCiphers) ->
     case lists:member(Cipher, tls_v1:suites('TLS_v1.3')) andalso
         lists:member(Cipher, ServerCiphers) of
         true ->
             {ok, Cipher};
         false ->
-            select_cipher_suite(ClientCiphers, ServerCiphers)
+            select_cipher_suite(false, ClientCiphers, ServerCiphers)
     end.
author	Péter Dimitrov <[email protected]>	2019-07-24 11:11:07 +0200
committer	Péter Dimitrov <[email protected]>	2019-07-25 14:55:37 +0200
commit	73b526ce765dc7ac71fdae349da44941d8201d9c (patch)
tree	38804420f8fee583de943296a25de99433f6de3a /lib/ssl/src
parent	b4fddea062fc13b0562bf8bf2f4cc3dc02cd193c (diff)
download	otp-73b526ce765dc7ac71fdae349da44941d8201d9c.tar.gz otp-73b526ce765dc7ac71fdae349da44941d8201d9c.tar.bz2 otp-73b526ce765dc7ac71fdae349da44941d8201d9c.zip