diff options
author | Ingela Anderton Andin <[email protected]> | 2018-09-03 12:07:17 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2018-09-04 17:53:15 +0200 |
commit | f90d75a081f6d5a9a3cfe6f8d387abd7a1489aca (patch) | |
tree | 2bdffc3f9e857167f7bbea9f0a4791913932e038 /lib/ssl | |
parent | f4dd73f0363f3ccf894f17274d5b0d6cdb89fced (diff) | |
download | otp-f90d75a081f6d5a9a3cfe6f8d387abd7a1489aca.tar.gz otp-f90d75a081f6d5a9a3cfe6f8d387abd7a1489aca.tar.bz2 otp-f90d75a081f6d5a9a3cfe6f8d387abd7a1489aca.zip |
ssl: Initial cipher suites adoption for TLS-1.3
This commit filters out cipher suites not to be used in TLS-1.3
We still need to add new cipher suites for TLS-1.3 and possible
add new information to the suite data structure.
Diffstat (limited to 'lib/ssl')
-rw-r--r-- | lib/ssl/src/ssl.erl | 4 | ||||
-rw-r--r-- | lib/ssl/src/ssl_cipher.erl | 11 | ||||
-rw-r--r-- | lib/ssl/src/tls_v1.erl | 8 |
3 files changed, 16 insertions, 7 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index 6460a57b11..166ffac1c0 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -488,9 +488,9 @@ cipher_suites(Base, Version) -> [ssl_cipher_format:suite_definition(Suite) || Suite <- supported_suites(Base, Version)]. %%-------------------------------------------------------------------- --spec filter_cipher_suites([ssl_cipher_format:erl_cipher_suite()], +-spec filter_cipher_suites([ssl_cipher_format:erl_cipher_suite()] | [ssl_cipher_format:cipher_suite()], [{key_exchange | cipher | mac | prf, fun()}] | []) -> - [ssl_cipher_format:erl_cipher_suite()]. + [ssl_cipher_format:erl_cipher_suite() ] | [ssl_cipher_format:cipher_suite()]. %% Description: Removes cipher suites if any of the filter functions returns false %% for any part of the cipher suite. This function also calls default filter functions %% to make sure the cipher suite are supported by crypto. diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index 863e7e4b3d..00e0ff7986 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -301,8 +301,11 @@ suites({3, Minor}) -> suites({_, Minor}) -> dtls_v1:suites(Minor). -all_suites({3, 4}) -> - all_suites({3, 3}); +all_suites({3, 4} = Version) -> + Default = suites(Version), + Rest = ssl:filter_cipher_suites(chacha_suites(Version) ++ psk_suites(Version), + tls_v1:v1_3_filters()), + Default ++ Rest; all_suites({3, _} = Version) -> suites(Version) ++ chacha_suites(Version) @@ -340,6 +343,8 @@ anonymous_suites({3, N}) -> srp_suites_anon() ++ anonymous_suites(N); anonymous_suites({254, _} = Version) -> dtls_v1:anonymous_suites(Version); +anonymous_suites(4) -> + []; %% Raw public key negotiation may be used instead anonymous_suites(N) when N >= 3 -> psk_suites_anon(N) ++ @@ -374,6 +379,8 @@ anonymous_suites(N) when N == 0; %%-------------------------------------------------------------------- psk_suites({3, N}) -> psk_suites(N); +psk_suites(4) -> + []; %% TODO Add new PSK, PSK_(EC)DHE suites psk_suites(N) when N >= 3 -> [ diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl index 9bd82e4953..79d50684f1 100644 --- a/lib/ssl/src/tls_v1.erl +++ b/lib/ssl/src/tls_v1.erl @@ -32,7 +32,7 @@ -export([master_secret/4, finished/5, certificate_verify/3, mac_hash/7, hmac_hash/3, setup_keys/8, suites/1, prf/5, ecc_curves/1, ecc_curves/2, oid_to_enum/1, enum_to_oid/1, - default_signature_algs/1, signature_algs/2]). + default_signature_algs/1, signature_algs/2, v1_3_filters/0]). -type named_curve() :: sect571r1 | sect571k1 | secp521r1 | brainpoolP512r1 | sect409k1 | sect409r1 | brainpoolP384r1 | secp384r1 | @@ -247,10 +247,12 @@ suites(3) -> %% ?TLS_DH_DSS_WITH_AES_128_GCM_SHA256 ] ++ suites(2); - suites(4) -> - suites(3). + ssl:filter_cipher_suites(suites(3), v1_3_filters()). +v1_3_filters() -> + [{mac, fun(aead) -> true; (_) -> false end}, + {key_exchange, fun(dhe_dss) -> false;(rsa) -> false; (rsa_psk) -> false;(_) -> true end}]. signature_algs({3, 4}, HashSigns) -> signature_algs({3, 3}, HashSigns); |