From 39fb981193c137ba6e3621bae49c07eb0b4d92cf Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Fri, 5 Jan 2018 22:35:43 +0100
Subject: dtls: Filter out rc4 for DTLS psk suites

Stream ciphers are not valid fro DTLS
---
 lib/ssl/src/ssl_cipher.erl    |  2 +-
 lib/ssl/test/ssl_test_lib.erl | 29 ++++++++++++++++++++---------
 2 files changed, 21 insertions(+), 10 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 18271f325a..7efc39e659 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -2148,7 +2148,7 @@ calc_mac_hash(Type, Version,
 	     MacSecret, SeqNo, Type,
 	     Length, PlainFragment).
 
-is_stream_ciphersuite({_, rc4_128, _, _}) ->
+is_stream_ciphersuite(#{cipher := rc4_128}) ->
     true;
 is_stream_ciphersuite(_) ->
     false.
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 29af57605c..f9cc6ab8b7 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -1024,15 +1024,26 @@ string_regex_filter(Str, Search) when is_list(Str) ->
 string_regex_filter(_Str, _Search) ->
     false.
 
-anonymous_suites(Version) ->
-    [ssl_cipher:erl_suite_definition(S) || S <- ssl_cipher:filter_suites(ssl_cipher:anonymous_suites(Version))].
-
-psk_suites(Version) ->
-    [ssl_cipher:erl_suite_definition(S) || S <-  ssl_cipher:filter_suites(ssl_cipher:psk_suites(Version))].
-
-psk_anon_suites(Version) ->
-    [Suite || Suite <-  psk_suites(Version), is_psk_anon_suite(Suite)].
-
+anonymous_suites({3,_ } = Version) ->
+    [ssl_cipher:erl_suite_definition(S) || S <- ssl_cipher:filter_suites(ssl_cipher:anonymous_suites(Version))];
+anonymous_suites(DTLSVersion) ->
+    Version = dtls_v1:corresponding_tls_version(DTLSVersion),
+    [ssl_cipher:erl_suite_definition(S) || S <- ssl_cipher:filter_suites(ssl_cipher:anonymous_suites(Version)), 
+                                           not ssl_cipher:is_stream_ciphersuite(tuple_to_map(ssl_cipher:erl_suite_definition(S)))].
+
+psk_suites({3,_ } = Version) ->
+    [ssl_cipher:erl_suite_definition(S) || S <-  ssl_cipher:filter_suites(ssl_cipher:psk_suites(Version))];
+psk_suites(DTLSVersion) ->
+    Version = dtls_v1:corresponding_tls_version(DTLSVersion),
+    [ssl_cipher:erl_suite_definition(S) || S <-  ssl_cipher:filter_suites(ssl_cipher:psk_suites(Version)),  
+                                           not ssl_cipher:is_stream_ciphersuite(tuple_to_map(ssl_cipher:erl_suite_definition(S)))].
+
+psk_anon_suites({3,_ } = Version) ->
+    [Suite || Suite <-  psk_suites(Version), is_psk_anon_suite(Suite)];
+psk_anon_suites(DTLSVersion) ->
+    Version = dtls_v1:corresponding_tls_version(DTLSVersion),
+    [Suite || Suite <- psk_suites(Version), is_psk_anon_suite(Suite),  
+              not ssl_cipher:is_stream_ciphersuite(tuple_to_map(Suite))].
 srp_suites() ->
     [ssl_cipher:erl_suite_definition(Suite) || 
         Suite  <-
-- 
cgit v1.2.3