aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
diff options
context:
space:
mode:
authorIngela Anderton Andin <[email protected]>2018-09-03 12:07:17 +0200
committerIngela Anderton Andin <[email protected]>2018-09-04 17:53:15 +0200
commitf90d75a081f6d5a9a3cfe6f8d387abd7a1489aca (patch)
tree2bdffc3f9e857167f7bbea9f0a4791913932e038 /lib/ssl
parentf4dd73f0363f3ccf894f17274d5b0d6cdb89fced (diff)
downloadotp-f90d75a081f6d5a9a3cfe6f8d387abd7a1489aca.tar.gz
otp-f90d75a081f6d5a9a3cfe6f8d387abd7a1489aca.tar.bz2
otp-f90d75a081f6d5a9a3cfe6f8d387abd7a1489aca.zip
ssl: Initial cipher suites adoption for TLS-1.3
This commit filters out cipher suites not to be used in TLS-1.3 We still need to add new cipher suites for TLS-1.3 and possible add new information to the suite data structure.
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/src/ssl.erl4
-rw-r--r--lib/ssl/src/ssl_cipher.erl11
-rw-r--r--lib/ssl/src/tls_v1.erl8
3 files changed, 16 insertions, 7 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 6460a57b11..166ffac1c0 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -488,9 +488,9 @@ cipher_suites(Base, Version) ->
[ssl_cipher_format:suite_definition(Suite) || Suite <- supported_suites(Base, Version)].
%%--------------------------------------------------------------------
--spec filter_cipher_suites([ssl_cipher_format:erl_cipher_suite()],
+-spec filter_cipher_suites([ssl_cipher_format:erl_cipher_suite()] | [ssl_cipher_format:cipher_suite()],
[{key_exchange | cipher | mac | prf, fun()}] | []) ->
- [ssl_cipher_format:erl_cipher_suite()].
+ [ssl_cipher_format:erl_cipher_suite() ] | [ssl_cipher_format:cipher_suite()].
%% Description: Removes cipher suites if any of the filter functions returns false
%% for any part of the cipher suite. This function also calls default filter functions
%% to make sure the cipher suite are supported by crypto.
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 863e7e4b3d..00e0ff7986 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -301,8 +301,11 @@ suites({3, Minor}) ->
suites({_, Minor}) ->
dtls_v1:suites(Minor).
-all_suites({3, 4}) ->
- all_suites({3, 3});
+all_suites({3, 4} = Version) ->
+ Default = suites(Version),
+ Rest = ssl:filter_cipher_suites(chacha_suites(Version) ++ psk_suites(Version),
+ tls_v1:v1_3_filters()),
+ Default ++ Rest;
all_suites({3, _} = Version) ->
suites(Version)
++ chacha_suites(Version)
@@ -340,6 +343,8 @@ anonymous_suites({3, N}) ->
srp_suites_anon() ++ anonymous_suites(N);
anonymous_suites({254, _} = Version) ->
dtls_v1:anonymous_suites(Version);
+anonymous_suites(4) ->
+ []; %% Raw public key negotiation may be used instead
anonymous_suites(N)
when N >= 3 ->
psk_suites_anon(N) ++
@@ -374,6 +379,8 @@ anonymous_suites(N) when N == 0;
%%--------------------------------------------------------------------
psk_suites({3, N}) ->
psk_suites(N);
+psk_suites(4) ->
+ []; %% TODO Add new PSK, PSK_(EC)DHE suites
psk_suites(N)
when N >= 3 ->
[
diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
index 9bd82e4953..79d50684f1 100644
--- a/lib/ssl/src/tls_v1.erl
+++ b/lib/ssl/src/tls_v1.erl
@@ -32,7 +32,7 @@
-export([master_secret/4, finished/5, certificate_verify/3, mac_hash/7, hmac_hash/3,
setup_keys/8, suites/1, prf/5,
ecc_curves/1, ecc_curves/2, oid_to_enum/1, enum_to_oid/1,
- default_signature_algs/1, signature_algs/2]).
+ default_signature_algs/1, signature_algs/2, v1_3_filters/0]).
-type named_curve() :: sect571r1 | sect571k1 | secp521r1 | brainpoolP512r1 |
sect409k1 | sect409r1 | brainpoolP384r1 | secp384r1 |
@@ -247,10 +247,12 @@ suites(3) ->
%% ?TLS_DH_DSS_WITH_AES_128_GCM_SHA256
] ++ suites(2);
-
suites(4) ->
- suites(3).
+ ssl:filter_cipher_suites(suites(3), v1_3_filters()).
+v1_3_filters() ->
+ [{mac, fun(aead) -> true; (_) -> false end},
+ {key_exchange, fun(dhe_dss) -> false;(rsa) -> false; (rsa_psk) -> false;(_) -> true end}].
signature_algs({3, 4}, HashSigns) ->
signature_algs({3, 3}, HashSigns);