Forbid PSK ciphers in TLS 1.3 for now.

We'll enable them once we've gotten it working. For now, our TLS 1.3
believes there is no PSK.

Change-Id: I5ae51266927c8469c671844da9a0f7387c297050
Reviewed-on: https://boringssl-review.googlesource.com/8760
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
David Benjamin 2016-07-13 12:35:25 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent 7944a9f008
commit 54c217cc6b
2 changed files with 22 additions and 3 deletions


@ -1730,7 +1730,9 @@ uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
if (cipher->algorithm_mac == SSL_AEAD &&
(cipher->algorithm_enc & SSL_CHACHA20POLY1305_OLD) == 0 &&
(cipher->algorithm_mkey & SSL_kECDHE) != 0) {
(cipher->algorithm_mkey & SSL_kECDHE) != 0 &&
/* TODO(davidben,svaldez): Support PSK-based ciphers in TLS 1.3. */
(cipher->algorithm_auth & SSL_aCERT) != 0) {
return TLS1_3_VERSION;
}
return TLS1_2_VERSION;
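Review bot: The new `SSL_aCERT` clause turns this condition into a hand-maintained allowlist that the Go runner's isTLS13Suite duplicates line for line, and nothing in the hunk ties the two together, so the PSK support the TODO promises will have to be added in both places by memory. A cross-reference above the `if`, `/* Keep in sync with isTLS13Suite in the test runner. */`, would make that coupling visible to the next editor. The clause presumably excludes the ECDHE_PSK suites because their algorithm_auth carries a PSK bit rather than a certificate bit; the cipher table is outside this hunk, so that reading is worth confirming rather than assuming. SSL_CIPHER_get_max_version's closing brace lies outside the hunk.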


@ -1016,7 +1016,24 @@ func isTLS12Only(suiteName string) bool {
}
func isTLS13Suite(suiteName string) bool {
return (hasComponent(suiteName, "GCM") || hasComponent(suiteName, "POLY1305")) && hasComponent(suiteName, "ECDHE") && !hasComponent(suiteName, "OLD")
// Only AEADs.
if !hasComponent(suiteName, "GCM") && !hasComponent(suiteName, "POLY1305") {
return false
}
// No old CHACHA20_POLY1305.
if hasComponent(suiteName, "CHACHA20-POLY1305-OLD") {
return false
}
// Must have ECDHE.
// TODO(davidben,svaldez): Add pure PSK support.
if !hasComponent(suiteName, "ECDHE") {
return false
}
// TODO(davidben,svaldez): Add PSK support.
if hasComponent(suiteName, "PSK") {
return false
}
return true
}
func isDTLSCipher(suiteName string) bool {
@ -2150,7 +2167,7 @@ func addCipherSuiteTests() {
shouldClientFail = true
shouldServerFail = true
}
if !isTLS13Suite(suite.name) && ver.version == VersionTLS13 {
if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
shouldClientFail = true
shouldServerFail = true
}
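Review bot: In isTLS13Suite the two TODO comments on the ECDHE and PSK checks say the same thing twice and neither states which suites each check actually rejects, which is what a reader fixing the TODO needs. Pure-PSK suites have no ECDHE component and so fall out at the ECDHE check, while ECDHE_PSK suites survive it and are rejected only by the `hasComponent(suiteName, "PSK")` check; I would make the comments say that, e.g. `// Must have ECDHE. Pure PSK suites are rejected here.` and `// TODO(davidben,svaldez): Add PSK support. ECDHE_PSK suites are rejected here.`, and add a `// Keep in sync with SSL_CIPHER_get_max_version.` line so the Go predicate and the C allowlist are not drifted apart silently. The `>=` in the second hunk is fine; it just means any version above VersionTLS13 inherits the same expectation.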