Make ECDHE_PSK + AES_GCM unmatchable.

These are probably a good idea to ship so long as we have the PSK
callbacks at all, but they're not *completely* standard yet and Android
tests otherwise need updating to know about them. We don't care enough
about PSK to be in a rush to ship them, and taking them out is an easier
default action until then.

Change-Id: Ic646053d29b69a114e2efea61d593d5e912bdcd0
Reviewed-on: https://boringssl-review.googlesource.com/10225
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c
index 957f032..3810667 100644
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -1136,13 +1136,22 @@
       if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
         continue;
       }
-    } else if (!(alg_mkey & cp->algorithm_mkey) ||
-               !(alg_auth & cp->algorithm_auth) ||
-               !(alg_enc & cp->algorithm_enc) ||
-               !(alg_mac & cp->algorithm_mac) ||
-               (min_version != 0 &&
-                SSL_CIPHER_get_min_version(cp) != min_version)) {
-      continue;
+    } else {
+      if (!(alg_mkey & cp->algorithm_mkey) ||
+          !(alg_auth & cp->algorithm_auth) ||
+          !(alg_enc & cp->algorithm_enc) ||
+          !(alg_mac & cp->algorithm_mac) ||
+          (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
+        continue;
+      }
+
+      /* The following ciphers are internal implementation details of TLS 1.3
+       * resumption but are not yet finalized. Disable them by default until
+       * then. */
+      if (cp->id == TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256 ||
+          cp->id == TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384) {
+        continue;
+      }
     }
 
     /* add the cipher if it has not been added yet. */
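Review bot: The new ID check sits only in the final `else` branch, so it filters selection by algorithm bitmask and nothing else; the `strength_bits` branch directly above it never reaches the check, and any earlier selector branch outside this hunk presumably does not either. If this loop also serves removal rules (the rule type is not visible here), a bitmask exclusion would now pass over the two ECDHE_PSK GCM suites too, leaving them enabled if they had been added by some other selector. The comment should state the scope precisely, e.g. `/* Skipped for bitmask/alias selectors only; the other selector branches above can still match these ciphers. */`. A test that a PSK-excluding rule still removes them after they have been enabled would pin the intended behaviour. The enclosing loop and function begin and end outside the hunk.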