Merge branch 'ingela/ssl/maint/algo-fixes/OTP-13525' into maint-18

* ingela/ssl/maint/algo-fixes/OTP-13525:
  ssl: Correct guard expression
  ssl: Correct cipher suites conversion

3 files changed, 21 insertions, 11 deletions

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 6ea1bdbdaf..af53d4abf9 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -979,21 +979,21 @@ suite({ecdh_rsa, aes_256_cbc, sha384, sha384}) ->
 %% RFC 5288 AES-GCM Cipher Suites
 suite({rsa, aes_128_gcm, null, sha256}) ->
     ?TLS_RSA_WITH_AES_128_GCM_SHA256;
-suite({rsa, aes_256_gcm, null}) ->
+suite({rsa, aes_256_gcm, null, sha384}) ->
     ?TLS_RSA_WITH_AES_256_GCM_SHA384;
-suite({dhe_rsa, aes_128_gcm, null, sha384}) ->
+suite({dhe_rsa, aes_128_gcm, null, sha256}) ->
     ?TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
-suite({dhe_rsa, aes_256_gcm, null, sha256}) ->
+suite({dhe_rsa, aes_256_gcm, null, sha384}) ->
     ?TLS_DHE_RSA_WITH_AES_256_GCM_SHA384;
-suite({dh_rsa, aes_128_gcm, null, sha384}) ->
+suite({dh_rsa, aes_128_gcm, null, sha256}) ->
     ?TLS_DH_RSA_WITH_AES_128_GCM_SHA256;
-suite({dh_rsa, aes_256_gcm, null, sha256}) ->
+suite({dh_rsa, aes_256_gcm, null, sha384}) ->
     ?TLS_DH_RSA_WITH_AES_256_GCM_SHA384;
-suite({dhe_dss, aes_128_gcm, null, sha384}) ->
+suite({dhe_dss, aes_128_gcm, null, sha256}) ->
     ?TLS_DHE_DSS_WITH_AES_128_GCM_SHA256;
-suite({dhe_dss, aes_256_gcm, null, sha256}) ->
+suite({dhe_dss, aes_256_gcm, null, sha384}) ->
     ?TLS_DHE_DSS_WITH_AES_256_GCM_SHA384;
-suite({dh_dss, aes_128_gcm, null, sha384}) ->
+suite({dh_dss, aes_128_gcm, null, sha256}) ->
     ?TLS_DH_DSS_WITH_AES_128_GCM_SHA256;
 suite({dh_dss, aes_256_gcm, null, sha384}) ->
     ?TLS_DH_DSS_WITH_AES_256_GCM_SHA384;
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index ef718c13df..102dbba198 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -278,10 +278,11 @@ handle_server_hello_extensions(Version, SessionId, Random, CipherSuite,
 	    {Version, SessionId, ConnectionStates, ProtoExt, Protocol}
     end.
 
-available_signature_algs(undefined, SupportedHashSigns, _, {Major, Minor}) when (Major < 3) andalso (Minor < 3) ->
+available_signature_algs(undefined, SupportedHashSigns, _, {Major, Minor}) when 
+      (Major >= 3) andalso (Minor >= 3) ->
     SupportedHashSigns;
 available_signature_algs(#hash_sign_algos{hash_sign_algos = ClientHashSigns}, SupportedHashSigns, 
-		     _, {Major, Minor}) when (Major < 3) andalso (Minor < 3) ->
+		     _, {Major, Minor}) when (Major >= 3) andalso (Minor >= 3) ->
     ordsets:intersection(ClientHashSigns, SupportedHashSigns);
 available_signature_algs(_, _, _, _) -> 
     undefined.
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 585975c64c..89cdd40b4c 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -88,7 +88,8 @@ basic_tests() ->
      connect_dist,
      clear_pem_cache,
      defaults,
-     fallback
+     fallback,
+     cipher_format
     ].
 
 options_tests() ->
@@ -762,6 +763,14 @@ fallback(Config) when is_list(Config) ->
 			      Client, {error,{tls_alert,"inappropriate fallback"}}).
 
 %%--------------------------------------------------------------------
+cipher_format() ->
+    [{doc, "Test that cipher conversion from tuples to binarys works"}].
+cipher_format(Config) when is_list(Config) ->
+    {ok, Socket} = ssl:listen(0, [{ciphers, ssl:cipher_suites()}]),
+    ssl:close(Socket).
+
+%%--------------------------------------------------------------------
+
 peername() ->
     [{doc,"Test API function peername/1"}].