From 7c23f62c90b1cd01eff03215967a6eb75ab7218f Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 6 Aug 2018 13:04:25 +0200
Subject: ssl: Make sure that a correct cipher suite is selected

The keyexchange ECDHE-RSA requires an RSA-keyed server cert
(corresponding for ECDHE-ECDSA), the code did not assert this
resulting in that a incorrect cipher suite could be selected.

Alas test code was also wrong hiding the error.
---
 lib/ssl/src/ssl_cipher.erl    | 4 ++++
 lib/ssl/test/ssl_test_lib.erl | 5 -----
 2 files changed, 4 insertions(+), 5 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 50dadd0903..1aeb415bd9 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -2777,6 +2777,8 @@ ecdsa_signed_suites(Ciphers, Version) ->
 
 rsa_keyed(dhe_rsa) -> 
     true;
+rsa_keyed(ecdhe_rsa) -> 
+    true;
 rsa_keyed(rsa) -> 
     true;
 rsa_keyed(rsa_psk) -> 
@@ -2840,6 +2842,8 @@ ec_keyed(ecdh_ecdsa) ->
     true;
 ec_keyed(ecdh_rsa) ->
     true;
+ec_keyed(ecdhe_ecdsa) ->
+    true;
 ec_keyed(_) -> 
     false.
 
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 91a9c774a6..7202e3662c 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -1524,11 +1524,6 @@ v_1_2_check(ecdh_ecdsa, ecdh_rsa) ->
     true;
 v_1_2_check(ecdh_rsa, ecdh_ecdsa) ->
     true;
-v_1_2_check(ecdhe_ecdsa, ecdhe_rsa) ->
-    true;
-v_1_2_check(ecdhe_rsa, ecdhe_ecdsa) ->
-    true;
-
 v_1_2_check(_, _) ->
     false.
 
-- 
cgit v1.2.3