diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-04-23 15:01:48 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-04-30 08:58:29 +0200 |
commit | 790cb112552bef3c366e55b7eaf956566231ea96 (patch) | |
tree | 523d8b72823b504332e123e15c66368c1eaed9c0 | |
parent | ba6c2592a85f81714a20cf0ff0607b0d2e423ea7 (diff) | |
download | gnutls-790cb112552bef3c366e55b7eaf956566231ea96.tar.gz |
priority: handle RSA-PSK ciphersuites similar to SRP
That is, when specified disable TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/priority.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/lib/priority.c b/lib/priority.c index 065728fa0b..0d2498d998 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -1199,7 +1199,10 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) const version_entry_st *tlsmin = NULL; const version_entry_st *dtlsmin = NULL; unsigned have_tls13 = 0, have_srp = 0; - unsigned have_psk = 0, have_null = 0; + unsigned have_psk = 0, have_null = 0, have_rsa_psk = 0; + + /* have_psk indicates that a PSK key exchange compatible + * with TLS1.3 is enabled. */ priority_cache->cs.size = 0; priority_cache->sigalg.size = 0; @@ -1217,7 +1220,10 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) if (IS_SRP_KX(priority_cache->_kx.priority[i])) { have_srp = 1; } else if (_gnutls_kx_is_psk(priority_cache->_kx.priority[i])) { - have_psk = 1; + if (priority_cache->_kx.priority[i] == GNUTLS_KX_RSA_PSK) + have_rsa_psk = 1; + else + have_psk = 1; } } @@ -1226,9 +1232,9 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache) if (!vers) continue; - /* if we have NULL ciphersuites enabled, remove TLS1.3+ protocol versions; - * they cannot be negotiated under TLS1.3. */ - if (have_null || have_srp) { + /* if we have NULL ciphersuites, SRP or RSA-PSK enabled, remove TLS1.3+ protocol + * versions; they cannot be negotiated under TLS1.3. */ + if (have_null || have_srp || have_rsa_psk) { if (vers->tls13_sem) { for (j=i+1;j<priority_cache->protocol.algorithms;j++) priority_cache->protocol.priority[j-1] = priority_cache->protocol.priority[j]; |