diff options
Diffstat (limited to 'lib/ssl')
-rw-r--r-- | lib/ssl/src/ssl_cipher.erl | 32 | ||||
-rw-r--r-- | lib/ssl/src/ssl_handshake.erl | 9 | ||||
-rw-r--r-- | lib/ssl/src/ssl_record.erl | 3 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 12 |
4 files changed, 33 insertions, 23 deletions
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index dc413d6dfc..898b421dff 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -1024,30 +1024,32 @@ filter(DerCert, Ciphers) -> %% Description: filter suites for algorithms %%------------------------------------------------------------------- filter_suites(Suites = [{_,_,_}|_]) -> - Algos = crypto:algorithms(), + Algos = crypto:supports(), lists:filter(fun({KeyExchange, Cipher, Hash}) -> - is_acceptable_keyexchange(KeyExchange, Algos) andalso - is_acceptable_cipher(Cipher, Algos) andalso - is_acceptable_hash(Hash, Algos) + is_acceptable_keyexchange(KeyExchange, proplists:get_value(public_keys, Algos)) andalso + is_acceptable_cipher(Cipher, proplists:get_value(ciphers, Algos)) andalso + is_acceptable_hash(Hash, proplists:get_value(hashs, Algos)) end, Suites); filter_suites(Suites = [{_,_,_,_}|_]) -> - Algos = crypto:algorithms(), + Algos = crypto:supports(), + Hashs = proplists:get_value(hashs, Algos), lists:filter(fun({KeyExchange, Cipher, Hash, Prf}) -> - is_acceptable_keyexchange(KeyExchange, Algos) andalso - is_acceptable_cipher(Cipher, Algos) andalso - is_acceptable_hash(Hash, Algos) andalso - is_acceptable_prf(Prf, Algos) + is_acceptable_keyexchange(KeyExchange, proplists:get_value(public_keys, Algos)) andalso + is_acceptable_cipher(Cipher, proplists:get_value(ciphers, Algos)) andalso + is_acceptable_hash(Hash, Hashs) andalso + is_acceptable_prf(Prf, Hashs) end, Suites); filter_suites(Suites) -> - Algos = crypto:algorithms(), + Algos = crypto:supports(), + Hashs = proplists:get_value(hashs, Algos), lists:filter(fun(Suite) -> {KeyExchange, Cipher, Hash, Prf} = ssl_cipher:suite_definition(Suite), - is_acceptable_keyexchange(KeyExchange, Algos) andalso - is_acceptable_cipher(Cipher, Algos) andalso - is_acceptable_hash(Hash, Algos) andalso - is_acceptable_prf(Prf, Algos) + is_acceptable_keyexchange(KeyExchange, proplists:get_value(public_keys, Algos)) andalso + is_acceptable_cipher(Cipher, proplists:get_value(ciphers, Algos)) andalso + is_acceptable_hash(Hash, Hashs) andalso + is_acceptable_prf(Prf, Hashs) end, Suites). is_acceptable_keyexchange(KeyExchange, Algos) @@ -1056,7 +1058,7 @@ is_acceptable_keyexchange(KeyExchange, Algos) KeyExchange == ecdh_rsa; KeyExchange == ecdhe_rsa; KeyExchange == ecdh_anon -> - proplists:get_bool(ec, Algos); + proplists:get_bool(ecdh, Algos); is_acceptable_keyexchange(_, _) -> true. diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index e358cbe9bb..24ea86311f 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -840,7 +840,8 @@ select_next_protocol(Protocols, NextProtocolSelector) -> end. default_ecc_extensions(Version) -> - case proplists:get_bool(ec, crypto:algorithms()) of + CryptoSupport = proplists:get_value(public_keys, crypto:supports()), + case proplists:get_bool(ecdh, CryptoSupport) of true -> EcPointFormats = #ec_point_formats{ec_point_format_list = [?ECPOINT_UNCOMPRESSED]}, EllipticCurves = #elliptic_curves{elliptic_curve_list = ssl_tls1:ecc_curves(Version)}, @@ -850,7 +851,8 @@ default_ecc_extensions(Version) -> end. handle_ecc_extensions(Version, EcPointFormats0, EllipticCurves0) -> - case proplists:get_bool(ec, crypto:algorithms()) of + CryptoSupport = proplists:get_value(public_keys, crypto:supports()), + case proplists:get_bool(ecdh, CryptoSupport) of true -> EcPointFormats1 = handle_ecc_point_fmt_extension(EcPointFormats0), EllipticCurves1 = handle_ecc_curves_extension(Version, EllipticCurves0), @@ -1767,7 +1769,8 @@ default_hash_signs() -> ?TLSEXT_SIGALG(sha), ?TLSEXT_SIGALG_DSA(sha), ?TLSEXT_SIGALG_RSA(md5)], - HasECC = proplists:get_bool(ec, crypto:algorithms()), + CryptoSupport = proplists:get_value(public_keys, crypto:supports()), + HasECC = proplists:get_bool(ecdsa, CryptoSupport), #hash_sign_algos{hash_sign_algos = lists:filter(fun({_, ecdsa}) -> HasECC; (_) -> true end, HashSigns)}. diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl index 50b1b2cda9..2a3356d60f 100644 --- a/lib/ssl/src/ssl_record.erl +++ b/lib/ssl/src/ssl_record.erl @@ -712,4 +712,5 @@ mac_hash({3, N} = Version, MacAlg, MacSecret, SeqNo, Type, Length, Fragment) Length, Fragment). sufficient_tlsv1_2_crypto_support() -> - proplists:get_bool(sha256, crypto:algorithms()). + CryptoSupport = crypto:supports(), + proplists:get_bool(sha256, proplists:get_value(hashs, CryptoSupport)). diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index ac7cbab883..255df92d77 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -405,7 +405,8 @@ make_dsa_cert(Config) -> | Config]. make_ecdsa_cert(Config) -> - case proplists:get_bool(ec, crypto:algorithms()) of + CryptoSupport = crypto:supports(), + case proplists:get_bool(ecdsa, proplists:get_value(public_keys, CryptoSupport)) of true -> {ServerCaCertFile, ServerCertFile, ServerKeyFile} = make_cert_files("server", Config, ec, ec, ""), {ClientCaCertFile, ClientCertFile, ClientKeyFile} = make_cert_files("client", Config, ec, ec, ""), @@ -429,7 +430,8 @@ make_ecdsa_cert(Config) -> %% This key exchange algorithm is the same as ECDH_ECDSA except that the %% server's certificate MUST be signed with RSA rather than ECDSA. make_ecdh_rsa_cert(Config) -> - case proplists:get_bool(ec, crypto:algorithms()) of + CryptoSupport = crypto:supports(), + case proplists:get_bool(ecdh, proplists:get_value(public_keys, CryptoSupport)) of true -> {ServerCaCertFile, ServerCertFile, ServerKeyFile} = make_cert_files("server", Config, rsa, ec, "rsa_"), {ClientCaCertFile, ClientCertFile, ClientKeyFile} = make_cert_files("client", Config, rsa, ec, "rsa_"), @@ -939,9 +941,11 @@ init_tls_version(Version) -> ssl:start(). sufficient_crypto_support('tlsv1.2') -> - proplists:get_bool(sha256, crypto:algorithms()); + CryptoSupport = crypto:supports(), + proplists:get_bool(sha256, proplists:get_value(hashs, CryptoSupport)); sufficient_crypto_support(ciphers_ec) -> - proplists:get_bool(ec, crypto:algorithms()); + CryptoSupport = crypto:supports(), + proplists:get_bool(ecdh, proplists:get_value(public_keys, CryptoSupport)); sufficient_crypto_support(_) -> true. |