Make ECDHE_PSK + AES_GCM unmatchable.
These are probably a good idea to ship so long as we have the PSK callbacks at all, but they're not *completely* standard yet and Android tests otherwise need updating to know about them. We don't care enough about PSK to be in a rush to ship them, and taking them out is an easier default action until then. Change-Id: Ic646053d29b69a114e2efea61d593d5e912bdcd0 Reviewed-on: https://boringssl-review.googlesource.com/10225 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
parent
79c576c0e1
commit
881f196075
@ -1136,15 +1136,24 @@ static void ssl_cipher_apply_rule(
|
|||||||
if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
|
if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
} else if (!(alg_mkey & cp->algorithm_mkey) ||
|
} else {
|
||||||
|
if (!(alg_mkey & cp->algorithm_mkey) ||
|
||||||
!(alg_auth & cp->algorithm_auth) ||
|
!(alg_auth & cp->algorithm_auth) ||
|
||||||
!(alg_enc & cp->algorithm_enc) ||
|
!(alg_enc & cp->algorithm_enc) ||
|
||||||
!(alg_mac & cp->algorithm_mac) ||
|
!(alg_mac & cp->algorithm_mac) ||
|
||||||
(min_version != 0 &&
|
(min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
|
||||||
SSL_CIPHER_get_min_version(cp) != min_version)) {
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* The following ciphers are internal implementation details of TLS 1.3
|
||||||
|
* resumption but are not yet finalized. Disable them by default until
|
||||||
|
* then. */
|
||||||
|
if (cp->id == TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256 ||
|
||||||
|
cp->id == TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* add the cipher if it has not been added yet. */
|
/* add the cipher if it has not been added yet. */
|
||||||
if (rule == CIPHER_ADD) {
|
if (rule == CIPHER_ADD) {
|
||||||
/* reverse == 0 */
|
/* reverse == 0 */
|
||||||
|
@ -2269,6 +2269,11 @@ func addCipherSuiteTests() {
|
|||||||
// CECPQ1 ciphers must be explicitly enabled.
|
// CECPQ1 ciphers must be explicitly enabled.
|
||||||
flags = append(flags, "-cipher", "DEFAULT:kCECPQ1")
|
flags = append(flags, "-cipher", "DEFAULT:kCECPQ1")
|
||||||
}
|
}
|
||||||
|
if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") {
|
||||||
|
// ECDHE_PSK AES_GCM ciphers must be explicitly enabled
|
||||||
|
// for now.
|
||||||
|
flags = append(flags, "-cipher", suite.name)
|
||||||
|
}
|
||||||
|
|
||||||
for _, ver := range tlsVersions {
|
for _, ver := range tlsVersions {
|
||||||
for _, protocol := range []protocol{tls, dtls} {
|
for _, protocol := range []protocol{tls, dtls} {
|
||||||
|
Loading…
Reference in New Issue
Block a user