From d0f06594e4c441a182fbc18a65222ae62ca44425 Mon Sep 17 00:00:00 2001
From: Andreas Schultz <aschultz@tpip.net>
Date: Tue, 19 Feb 2013 18:06:26 +0100
Subject: SSL: filter TLS cipher suites for supported algorithms

---
 lib/ssl/src/ssl.erl           | 17 ++++++------
 lib/ssl/src/ssl_cipher.erl    | 48 +++++++++++++++++++++++++++++++++-
 lib/ssl/test/ssl_test_lib.erl | 60 ++++++++++++++++++++++++-------------------
 3 files changed, 90 insertions(+), 35 deletions(-)

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index dac9d53f94..5a1c8bb731 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -364,11 +364,11 @@ cipher_suites() ->
   
 cipher_suites(erlang) ->
     Version = ssl_record:highest_protocol_version([]),
-    [suite_definition(S) || S <- ssl_cipher:suites(Version)];
+    [suite_definition(S) || S <- cipher_suites(Version, [])];
 
 cipher_suites(openssl) ->
     Version = ssl_record:highest_protocol_version([]),
-    [ssl_cipher:openssl_suite_name(S) || S <- ssl_cipher:suites(Version)].
+    [ssl_cipher:openssl_suite_name(S) || S <- cipher_suites(Version, [])].
 
 %%--------------------------------------------------------------------
 -spec getopts(#sslsocket{}, [gen_tcp:option_name()]) ->
@@ -933,21 +933,22 @@ emulated_options([], Inet,Emulated) ->
     {Inet, Emulated}.
 
 cipher_suites(Version, []) ->
-    ssl_cipher:suites(Version);
+    ssl_cipher:filter_suites(ssl_cipher:suites(Version));
 cipher_suites(Version, [{_,_,_,_}| _] = Ciphers0) -> %% Backwards compatibility
     Ciphers = [{KeyExchange, Cipher, Hash} || {KeyExchange, Cipher, Hash, _} <- Ciphers0],
-    cipher_suites(Version, Ciphers);
+    ssl_cipher:filter_suites(cipher_suites(Version, Ciphers));
 cipher_suites(Version, [{_,_,_}| _] = Ciphers0) ->
     Ciphers = [ssl_cipher:suite(C) || C <- Ciphers0],
-    cipher_suites(Version, Ciphers);
+    ssl_cipher:filter_suites(cipher_suites(Version, Ciphers));
 cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
-    Supported = ssl_cipher:suites(Version)
+    Supported0 = ssl_cipher:suites(Version)
 	++ ssl_cipher:anonymous_suites()
 	++ ssl_cipher:psk_suites(Version)
 	++ ssl_cipher:srp_suites(),
-    case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported)] of
+    Supported1 = ssl_cipher:filter_suites(Supported0),
+    case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported1)] of
 	[] ->
-	    Supported;
+	    Supported1;
 	Ciphers ->
 	    Ciphers
     end;
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index e3231effd4..13f599133c 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -35,7 +35,7 @@
 -export([security_parameters/3, suite_definition/1,
 	 decipher/5, cipher/5,
 	 suite/1, suites/1, anonymous_suites/0, psk_suites/1, srp_suites/0,
-	 openssl_suite/1, openssl_suite_name/1, filter/2,
+	 openssl_suite/1, openssl_suite_name/1, filter/2, filter_suites/1,
 	 hash_algorithm/1, sign_algorithm/1]).
 
 -compile(inline).
@@ -737,6 +737,52 @@ filter(DerCert, Ciphers) ->
 	    Ciphers -- rsa_signed_suites()
     end.
 	
+%%--------------------------------------------------------------------
+-spec filter_suites([cipher_suite()]) -> [cipher_suite()].
+%%
+%% Description: filter suites for algorithms
+%%-------------------------------------------------------------------
+filter_suites(Suites = [{_,_,_}|_]) ->
+    Algos = crypto:algorithms(),
+    lists:filter(fun({KeyExchange, Cipher, Hash}) ->
+			 is_acceptable_keyexchange(KeyExchange, Algos) andalso
+			     is_acceptable_cipher(Cipher, Algos) andalso
+			     is_acceptable_hash(Hash, Algos)
+		 end, Suites);
+
+filter_suites(Suites = [{_,_,_,_}|_]) ->
+    Algos = crypto:algorithms(),
+    lists:filter(fun({KeyExchange, Cipher, Hash, Prf}) ->
+			 is_acceptable_keyexchange(KeyExchange, Algos) andalso
+			     is_acceptable_cipher(Cipher, Algos) andalso
+			     is_acceptable_hash(Hash, Algos) andalso
+			     is_acceptable_prf(Prf, Algos)
+		 end, Suites);
+
+filter_suites(Suites) ->
+    Algos = crypto:algorithms(),
+    lists:filter(fun(Suite) ->
+			 {KeyExchange, Cipher, Hash, Prf} = ssl_cipher:suite_definition(Suite),
+			 is_acceptable_keyexchange(KeyExchange, Algos) andalso
+			     is_acceptable_cipher(Cipher, Algos) andalso
+			     is_acceptable_hash(Hash, Algos) andalso
+			     is_acceptable_prf(Prf, Algos)
+		 end, Suites).
+
+is_acceptable_keyexchange(_, _) ->
+    true.
+
+is_acceptable_cipher(_, _) ->
+    true.
+
+is_acceptable_hash(Hash, Algos) ->
+    proplists:get_bool(Hash, Algos).
+
+is_acceptable_prf(default_prf, _) ->
+    true;
+is_acceptable_prf(Prf, Algos) ->
+    proplists:get_bool(Prf, Algos).
+
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 3e5f7b1dcb..8e462fd7a0 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -704,38 +704,46 @@ openssl_dsa_suites() ->
 		 end, Ciphers).
 
 anonymous_suites() ->
-    [{dh_anon, rc4_128, md5},
-     {dh_anon, des_cbc, sha},
-     {dh_anon, '3des_ede_cbc', sha},
-     {dh_anon, aes_128_cbc, sha},
-     {dh_anon, aes_256_cbc, sha}].
+    Suites =
+	[{dh_anon, rc4_128, md5},
+	 {dh_anon, des_cbc, sha},
+	 {dh_anon, '3des_ede_cbc', sha},
+	 {dh_anon, aes_128_cbc, sha},
+	 {dh_anon, aes_256_cbc, sha}],
+    ssl_cipher:filter_suites(Suites).
 
 psk_suites() ->
-    [{psk, rc4_128, sha},
-     {psk, '3des_ede_cbc', sha},
-     {psk, aes_128_cbc, sha},
-     {psk, aes_256_cbc, sha},
-     {dhe_psk, rc4_128, sha},
-     {dhe_psk, '3des_ede_cbc', sha},
-     {dhe_psk, aes_128_cbc, sha},
-     {dhe_psk, aes_256_cbc, sha},
-     {rsa_psk, rc4_128, sha},
-     {rsa_psk, '3des_ede_cbc', sha},
-     {rsa_psk, aes_128_cbc, sha},
-     {rsa_psk, aes_256_cbc, sha}].
+    Suites =
+	[{psk, rc4_128, sha},
+	 {psk, '3des_ede_cbc', sha},
+	 {psk, aes_128_cbc, sha},
+	 {psk, aes_256_cbc, sha},
+	 {dhe_psk, rc4_128, sha},
+	 {dhe_psk, '3des_ede_cbc', sha},
+	 {dhe_psk, aes_128_cbc, sha},
+	 {dhe_psk, aes_256_cbc, sha},
+	 {rsa_psk, rc4_128, sha},
+	 {rsa_psk, '3des_ede_cbc', sha},
+	 {rsa_psk, aes_128_cbc, sha},
+	 {rsa_psk, aes_256_cbc, sha}],
+    ssl_cipher:filter_suites(Suites).
 
 srp_suites() ->
-    [{srp_anon, '3des_ede_cbc', sha},
-     {srp_rsa, '3des_ede_cbc', sha},
-     {srp_anon, aes_128_cbc, sha},
-     {srp_rsa, aes_128_cbc, sha},
-     {srp_anon, aes_256_cbc, sha},
-     {srp_rsa, aes_256_cbc, sha}].
+    Suites =
+	[{srp_anon, '3des_ede_cbc', sha},
+	 {srp_rsa, '3des_ede_cbc', sha},
+	 {srp_anon, aes_128_cbc, sha},
+	 {srp_rsa, aes_128_cbc, sha},
+	 {srp_anon, aes_256_cbc, sha},
+	 {srp_rsa, aes_256_cbc, sha}],
+    ssl_cipher:filter_suites(Suites).
 
 srp_dss_suites() ->
-    [{srp_dss, '3des_ede_cbc', sha},
-     {srp_dss, aes_128_cbc, sha},
-     {srp_dss, aes_256_cbc, sha}].
+    Suites =
+	[{srp_dss, '3des_ede_cbc', sha},
+	 {srp_dss, aes_128_cbc, sha},
+	 {srp_dss, aes_256_cbc, sha}],
+    ssl_cipher:filter_suites(Suites).
 
 pem_to_der(File) ->
     {ok, PemBin} = file:read_file(File),
-- 
cgit v1.2.1