
Forbid PSK ciphers in TLS 1.3 for now.

We'll enable them once we've gotten it working. For now, our TLS 1.3
believes there is no PSK.

Change-Id: I5ae51266927c8469c671844da9a0f7387c297050
Reviewed-on: https://boringssl-review.googlesource.com/8760
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
David Benjamin 8 年之前
committed by CQ bot account: commit-bot@chromium.org
父節點
當前提交
54c217cc6b
共有 2 個檔案被更改,包括 22 行新增3 行删除
  1. +3
    -1
      ssl/ssl_cipher.c
  2. +19
    -2
      ssl/test/runner/runner.go

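--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -1730,7 +1730,9 @@ uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
 uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
 if (cipher->algorithm_mac == SSL_AEAD &&
 (cipher->algorithm_enc & SSL_CHACHA20POLY1305_OLD) == 0 &&
-(cipher->algorithm_mkey & SSL_kECDHE) != 0) {
+(cipher->algorithm_mkey & SSL_kECDHE) != 0 &&
+/* TODO(davidben,svaldez): Support PSK-based ciphers in TLS 1.3. */
+(cipher->algorithm_auth & SSL_aCERT) != 0) {
 return TLS1_3_VERSION;
 }
 return TLS1_2_VERSION;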
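Review bot: The comment placed between the operands of the `if` in SSL_CIPHER_get_max_version records only a TODO, not why the `SSL_aCERT` test matters. Going by the commit description, the TLS 1.3 code does not yet take a PSK into account, so this test is presumably what stops a PSK suite from being negotiated at TLS 1.3 with the PSK left out of the handshake. I would move the comment above the `if` and state that, for example `/* TLS 1.3 does not use the PSK yet, so only certificate-authenticated suites may reach it. TODO(davidben,svaldez): lift once PSK is supported. */`. The function's closing brace is outside the hunk.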


+ 19
- 2
ssl/test/runner/runner.go

@@ -1016,7 +1016,24 @@ func isTLS12Only(suiteName string) bool {
}

func isTLS13Suite(suiteName string) bool {
return (hasComponent(suiteName, "GCM") || hasComponent(suiteName, "POLY1305")) && hasComponent(suiteName, "ECDHE") && !hasComponent(suiteName, "OLD")
// Only AEADs.
if !hasComponent(suiteName, "GCM") && !hasComponent(suiteName, "POLY1305") {
return false
}
// No old CHACHA20_POLY1305.
if hasComponent(suiteName, "CHACHA20-POLY1305-OLD") {
return false
}
// Must have ECDHE.
// TODO(davidben,svaldez): Add pure PSK support.
if !hasComponent(suiteName, "ECDHE") {
return false
}
// TODO(davidben,svaldez): Add PSK support.
if hasComponent(suiteName, "PSK") {
return false
}
return true
}

func isDTLSCipher(suiteName string) bool {
@@ -2150,7 +2167,7 @@ func addCipherSuiteTests() {
shouldClientFail = true
shouldServerFail = true
}
if !isTLS13Suite(suite.name) && ver.version == VersionTLS13 {
if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
shouldClientFail = true
shouldServerFail = true
}
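Review bot: In isTLS13Suite the legacy-ChaCha exclusion changed from `hasComponent(suiteName, "OLD")` to `hasComponent(suiteName, "CHACHA20-POLY1305-OLD")`, which is equivalent only if hasComponent accepts a multi-part component; its definition is outside this hunk, so that should be confirmed. If it compares single dash-separated parts, the new call would never match and the tests would treat the OLD suites as TLS 1.3-capable. Keeping `hasComponent(suiteName, "OLD")` avoids that dependency. Separately, the PSK exclusion here is a name-based deny-list while ssl_cipher.c requires `SSL_aCERT`, so a one-line comment such as `// Keep in sync with SSL_CIPHER_get_max_version.` would help the two stay aligned.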

