SSL: always filter the full list of supported ciphers against the sup…

…ported algorithms With the addition of more ciphers that are not supported in all configurations, using a manually prefiltered cipher list (e.g. EC vs. non-EC ciphers) becomes to complex. Replace the manual split with ssl_cipher:filter_suites/1 in all places. Conflicts: lib/ssl/src/ssl.erl lib/ssl/src/tls_v1.erl
marianoguerra · Jun 3, 2014 · ae68f7e · ae68f7e
1 parent 3bfc126
commit ae68f7e
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 65 deletions.
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
@@ -346,17 +346,22 @@ negotiated_next_protocol(#sslsocket{pid = Pid}) ->
 %%--------------------------------------------------------------------
 cipher_suites() ->
     cipher_suites(erlang).
-  
+
 cipher_suites(erlang) ->
     Version = tls_record:highest_protocol_version([]),
-    [suite_definition(S) || S <- ssl_cipher:suites(Version)];
-
+    ssl_cipher:filter_suites([suite_definition(S)
+                              || S <- ssl_cipher:suites(Version)]);
 cipher_suites(openssl) ->
     Version = tls_record:highest_protocol_version([]),
-    [ssl_cipher:openssl_suite_name(S) || S <- ssl_cipher:suites(Version)];
+    [ssl_cipher:openssl_suite_name(S)
+     || S <- ssl_cipher:filter_suites(ssl_cipher:suites(Version))];
 cipher_suites(all) ->
     Version = tls_record:highest_protocol_version([]),
-    [suite_definition(S) || S <- ssl_cipher:all_suites(Version)].
+    Supported = ssl_cipher:all_suites(Version)
+	++ ssl_cipher:anonymous_suites(Version)
+	++ ssl_cipher:psk_suites(Version)
+	++ ssl_cipher:srp_suites(),
+    ssl_cipher:filter_suites([suite_definition(S) || S <- Supported]).
 
 %%--------------------------------------------------------------------
 -spec getopts(#sslsocket{}, [gen_tcp:option_name()]) ->
@@ -929,6 +934,7 @@ handle_cipher_option(Value, Version)  when is_list(Value) ->
 	error:_->
 	    throw({error, {options, {ciphers, Value}}})
     end.
+
 binary_cipher_suites(Version, []) -> 
     %% Defaults to all supported suites that does
     %% not require explicit configuration

diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl
@@ -183,23 +183,7 @@ mac_hash(Method, Mac_write_secret, Seq_num, Type, {Major, Minor},
 
 -spec suites(1|2|3) -> [ssl_cipher:cipher_suite()].
 
-suites(Minor) when Minor == 1; Minor == 2->
-    case sufficent_ec_support() of
-	true ->
-	    all_suites(Minor);
-	false ->
-	    no_ec_suites(Minor)
-    end;
-
-suites(Minor) when Minor == 3 ->
-    case sufficent_ec_support() of
-	true ->
-	    all_suites(3) ++ all_suites(2);
-	false ->
-	    no_ec_suites(3) ++ no_ec_suites(2)
-    end.
-
-all_suites(Minor) when Minor == 1; Minor == 2->
+suites(Minor) when Minor == 1; Minor == 2 ->
     [
       ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
       ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
@@ -235,7 +219,7 @@ all_suites(Minor) when Minor == 1; Minor == 2->
 
       ?TLS_RSA_WITH_DES_CBC_SHA
     ];
-all_suites(3) ->
+suites(3) ->
     [
      ?TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
      ?TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
@@ -254,33 +238,7 @@ all_suites(3) ->
      ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
      ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
      ?TLS_RSA_WITH_AES_128_CBC_SHA256
-    ].
-
-no_ec_suites(Minor) when Minor == 1; Minor == 2->
-    [
-      ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-      ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-      ?TLS_RSA_WITH_AES_256_CBC_SHA,
-      ?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-      ?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-      ?TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-      ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-      ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
-      ?TLS_RSA_WITH_AES_128_CBC_SHA,
-      ?TLS_RSA_WITH_RC4_128_SHA,
-      ?TLS_RSA_WITH_RC4_128_MD5,
-      ?TLS_DHE_RSA_WITH_DES_CBC_SHA,
-      ?TLS_RSA_WITH_DES_CBC_SHA
-    ];
-no_ec_suites(3) ->
-    [
-     ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-     ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
-     ?TLS_RSA_WITH_AES_256_CBC_SHA256,
-     ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-     ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
-     ?TLS_RSA_WITH_AES_128_CBC_SHA256
-    ].
+    ] ++ suites(2).
 
 %%--------------------------------------------------------------------
 %%% Internal functions
@@ -442,7 +400,3 @@ enum_to_oid(27) -> ?brainpoolP384r1;
 enum_to_oid(28) -> ?brainpoolP512r1;
 enum_to_oid(_) ->
     undefined.
-
-sufficent_ec_support() ->
-    CryptoSupport = crypto:supports(),
-    proplists:get_bool(ecdh, proplists:get_value(public_keys, CryptoSupport)).
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
@@ -883,14 +883,16 @@ psk_suites() ->
     ssl_cipher:filter_suites(Suites).
 
 psk_anon_suites() ->
-    [{psk, rc4_128, sha},
-     {psk, '3des_ede_cbc', sha},
-     {psk, aes_128_cbc, sha},
-     {psk, aes_256_cbc, sha},
-     {dhe_psk, rc4_128, sha},
-     {dhe_psk, '3des_ede_cbc', sha},
-     {dhe_psk, aes_128_cbc, sha},
-     {dhe_psk, aes_256_cbc, sha}].
+    Suites =
+	[{psk, rc4_128, sha},
+	 {psk, '3des_ede_cbc', sha},
+	 {psk, aes_128_cbc, sha},
+	 {psk, aes_256_cbc, sha},
+	 {dhe_psk, rc4_128, sha},
+	 {dhe_psk, '3des_ede_cbc', sha},
+	 {dhe_psk, aes_128_cbc, sha},
+	 {dhe_psk, aes_256_cbc, sha}],
+    ssl_cipher:filter_suites(Suites).
 
 srp_suites() ->
     Suites =
@@ -903,9 +905,11 @@ srp_suites() ->
     ssl_cipher:filter_suites(Suites).
 
 srp_anon_suites() ->
-    [{srp_anon, '3des_ede_cbc', sha},
-     {srp_anon, aes_128_cbc, sha},
-     {srp_anon, aes_256_cbc, sha}].
+    Suites =
+	[{srp_anon, '3des_ede_cbc', sha},
+	 {srp_anon, aes_128_cbc, sha},
+	 {srp_anon, aes_256_cbc, sha}],
+    ssl_cipher:filter_suites(Suites).
 
 srp_dss_suites() ->
     Suites =