author | lloyd <[email protected]> | 2012-01-25 13:01:02 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-01-25 13:01:02 +0000 |
commit | d9f9ef98ec1f554c7d9729f5d97cb4578b84691b (patch) | |
tree | e2a501e38fd0ac4d25fda5835660a1dda5ff8cfc | |
parent | 50bcbb4d8f09189cc669bb482487858234da7f6e (diff) |
In earlier versions, key exchange == "RSA" meant export-style
ephemeral RSA, and key exchange == "" meant RSA via the key in the
server certificate. However we don't support any of the export suites
anymore (and in fact that code probably never worked), so use kex algo
== "RSA" to represent the server cert case as it's much easier to read
the code and to understand from a policy configuration perspective.
Also fix the default policy, "TripleDES" != "3DES" so we would not
offer (as a client) and would reject (as a server) any 3DES
ciphersuites.
-rw-r--r-- | src/tls/c_kex.cpp | 6 | ||||
-rw-r--r-- | src/tls/tls_ciphersuite.cpp | 20 | ||||
-rw-r--r-- | src/tls/tls_client.cpp | 4 | ||||
-rw-r--r-- | src/tls/tls_policy.cpp | 8 | ||||
-rw-r--r-- | src/tls/tls_server.cpp | 4 |
5 files changed, 22 insertions, 20 deletions
diff --git a/src/tls/c_kex.cpp b/src/tls/c_kex.cpp index ea2e91972..df96d9dec 100644 --- a/src/tls/c_kex.cpp +++ b/src/tls/c_kex.cpp @@ -153,13 +153,13 @@ Client_Key_Exchange::Client_Key_Exchange(const MemoryRegion<byte>& contents, const Ciphersuite& suite, Protocol_Version using_version) { - if(suite.kex_algo() == "" && using_version == Protocol_Version::SSL_V3) + if(suite.kex_algo() == "RSA" && using_version == Protocol_Version::SSL_V3) key_material = contents; else { TLS_Data_Reader reader(contents); - if(suite.kex_algo() == "" || suite.kex_algo() == "DH") + if(suite.kex_algo() == "RSA" || suite.kex_algo() == "DH") key_material = reader.get_range<byte>(2, 0, 65535); else if(suite.kex_algo() == "ECDH") key_material = reader.get_range<byte>(1, 1, 255); @@ -177,7 +177,7 @@ Client_Key_Exchange::pre_master_secret(RandomNumberGenerator& rng, { const std::string kex_algo = state->suite.kex_algo(); - if(kex_algo == "") + if(kex_algo == "RSA") { BOTAN_ASSERT(state->server_certs && !state->server_certs->cert_chain().empty(), "No server certificate to use for RSA"); diff --git a/src/tls/tls_ciphersuite.cpp b/src/tls/tls_ciphersuite.cpp index a46be8404..b81d4adc4 100644 --- a/src/tls/tls_ciphersuite.cpp +++ b/src/tls/tls_ciphersuite.cpp 
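Review bot: The SSLv3 branch of the Client_Key_Exchange parsing constructor (c_kex.cpp, hunk at -153) takes `contents` whole, with no comment saying why it differs from the TLS path that reads a 2-byte length-prefixed field. A comment above `key_material = contents;` such as `// SSLv3 sends the RSA-encrypted premaster secret without a length prefix` would stop a later cleanup from merging the two paths. The branch taken when kex_algo is none of "RSA", "DH" or "ECDH" lies outside the hunk, so it is worth confirming that it rejects the message rather than leaving key_material empty.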
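Review bot: In Client_Key_Exchange::pre_master_secret (c_kex.cpp, hunk at -177) the RSA branch relies on `BOTAN_ASSERT` to establish that a server certificate chain is present, which appears to depend on what the peer sent rather than on a programmer invariant. What the macro does on failure is not visible here; if it aborts the process or is compiled out in some builds, this is better expressed as an explicit handshake failure raised before the certificate is used. The rest of the branch is outside the hunk.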
@@ -25,32 +25,32 @@ Ciphersuite Ciphersuite::lookup_ciphersuite(u16bit suite) // RSA ciphersuites case TLS_RSA_WITH_AES_128_CBC_SHA: - return Ciphersuite("RSA", "", "SHA-1", "AES-128", 16); + return Ciphersuite("RSA", "RSA", "SHA-1", "AES-128", 16); case TLS_RSA_WITH_AES_256_CBC_SHA: - return Ciphersuite("RSA", "", "SHA-1", "AES-256", 32); + return Ciphersuite("RSA", "RSA", "SHA-1", "AES-256", 32); case TLS_RSA_WITH_AES_128_CBC_SHA256: - return Ciphersuite("RSA", "", "SHA-256", "AES-128", 16); + return Ciphersuite("RSA", "RSA", "SHA-256", "AES-128", 16); case TLS_RSA_WITH_AES_256_CBC_SHA256: - return Ciphersuite("RSA", "", "SHA-256", "AES-256", 32); + return Ciphersuite("RSA", "RSA", "SHA-256", "AES-256", 32); case TLS_RSA_WITH_3DES_EDE_CBC_SHA: - return Ciphersuite("RSA", "", "SHA-1", "3DES", 24); + return Ciphersuite("RSA", "RSA", "SHA-1", "3DES", 24); case TLS_RSA_WITH_RC4_128_SHA: - return Ciphersuite("RSA", "", "SHA-1", "ARC4", 16); + return Ciphersuite("RSA", "RSA", "SHA-1", "ARC4", 16); case TLS_RSA_WITH_RC4_128_MD5: - return Ciphersuite("RSA", "", "MD5", "ARC4", 16); + return Ciphersuite("RSA", "RSA", "MD5", "ARC4", 16); case TLS_RSA_WITH_SEED_CBC_SHA: - return Ciphersuite("RSA", "", "SHA-1", "SEED", 16); + return Ciphersuite("RSA", "RSA", "SHA-1", "SEED", 16); #if defined(BOTAN_HAS_IDEA) case TLS_RSA_WITH_IDEA_CBC_SHA: - return Ciphersuite("RSA", "", "SHA-1", "IDEA", 16); + return Ciphersuite("RSA", "RSA", "SHA-1", "IDEA", 16); #endif // DH/DSS ciphersuites @@ -185,7 +185,7 @@ std::string Ciphersuite::to_string() const out << "TLS_"; - if(kex_algo() != "") + if(kex_algo() != "RSA") { if(kex_algo() == "DH") out << "DHE"; diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp index ba0d1e506..e0fde4573 100644 --- a/src/tls/tls_client.cpp +++ b/src/tls/tls_client.cpp 
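Review bot: After this change the first two arguments of every RSA entry in Ciphersuite::lookup_ciphersuite are the same string, so a transposed signature/key-exchange pair can no longer be spotted by reading the table. The argument order is only inferable from the commit message, which identifies the second argument as the key exchange. A comment above the first case, e.g. `// Ciphersuite(sig_algo, kex_algo, mac_algo, cipher_algo, cipher_key_length)`, would document it, provided that order is confirmed against the constructor declaration, which is not in this diff.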
@@ -221,7 +221,7 @@ void Client::process_handshake_msg(Handshake_Type type, { state->set_expected_next(CERTIFICATE); } - else if(state->suite.kex_algo() != "") + else if(state->suite.kex_algo() != "RSA") { state->set_expected_next(SERVER_KEX); } @@ -234,7 +234,7 @@ void Client::process_handshake_msg(Handshake_Type type, } else if(type == CERTIFICATE) { - if(state->suite.kex_algo() != "") + if(state->suite.kex_algo() != "RSA") { state->set_expected_next(SERVER_KEX); } diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp index ea3e4f144..6d95ada40 100644 --- a/src/tls/tls_policy.cpp +++ b/src/tls/tls_policy.cpp @@ -20,9 +20,8 @@ std::vector<std::string> Policy::allowed_ciphers() const allowed.push_back("AES-256"); allowed.push_back("AES-128"); - allowed.push_back("TripleDES"); + allowed.push_back("3DES"); allowed.push_back("ARC4"); - // Note that SEED and IDEA are not included by default return allowed; @@ -51,16 +50,19 @@ std::vector<std::string> Policy::allowed_key_exchange_methods() const //allowed.push_back("PSK"); allowed.push_back("ECDH"); allowed.push_back("DH"); - allowed.push_back(""); // means RSA via server cert + allowed.push_back("RSA"); // RSA via server cert + return allowed; } std::vector<std::string> Policy::allowed_signature_methods() const { std::vector<std::string> allowed; + allowed.push_back("ECDSA"); allowed.push_back("RSA"); allowed.push_back("DSA"); + return allowed; } diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index 1253a7327..74d4106a2 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -269,7 +269,7 @@ void Server::process_handshake_msg(Handshake_Type type, std::auto_ptr<Private_Key> private_key(0); - if(kex_algo == "" || sig_algo != "") + if(kex_algo == "RSA" || sig_algo != "") { private_key.reset( creds.private_key_for(state->server_certs->cert_chain()[0], 
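Review bot: The negated test `state->suite.kex_algo() != "RSA"` in Client::process_handshake_msg sends every other value, including an empty or unrecognised name, down the path that expects SERVER_KEX; the same test is repeated in the CERTIFICATE branch (hunk at -234). That holds for the "DH" and "ECDH" methods in the default policy, but the commented-out "PSK" entry in tls_policy.cpp is a method for which ServerKeyExchange may be omitted, so the condition needs revisiting before PSK is enabled. A comment at both sites such as `// static RSA is the only supported kex with no ServerKeyExchange` would record the assumption. The function extends beyond both hunks.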
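Review bot: Correcting the name to "3DES" in Policy::allowed_ciphers (tls_policy.cpp, hunk at -20) changes what the default policy negotiates, since clients start offering and servers start accepting 3DES suites that were previously never selected; that deserves a line in the release notes. 3DES has a 64-bit block and ARC4 has known keystream biases, so if the list is a preference order, a comment above those two entries such as `// legacy ciphers, kept last for interoperability` would make the ordering deliberate. The mismatch went unnoticed because the names are free-form strings. A unit test asserting that each entry of allowed_ciphers() is the cipher of at least one suite returned by Ciphersuite::lookup_ciphersuite would catch the next one.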
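Review bot: The comment `// RSA via server cert` in Policy::allowed_key_exchange_methods (tls_policy.cpp, hunk at -51) does not say that this method gives no forward secrecy, which is the property an operator editing the policy most needs to know. I would write `allowed.push_back("RSA"); // static RSA key transport with the server certificate key; no forward secrecy`. "RSA" now also appears in allowed_signature_methods with a different meaning, so each function's doc comment should state that the two lists are filtered independently.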
@@ -277,7 +277,7 @@ void Server::process_handshake_msg(Handshake_Type type, m_hostname)); } - if(kex_algo == "") + if(kex_algo == "RSA") { state->server_rsa_kex_key = private_key.release(); } |
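Review bot: `state->server_rsa_kex_key = private_key.release();` in Server::process_handshake_msg stores whatever `creds.private_key_for(...)` returned in the preceding hunk (at -269), and neither hunk shows a check that the result is non-null or that it is an RSA key. If the credentials manager has no key for the certificate, or the certificate carries a non-RSA key while an RSA key-exchange suite was selected, the failure would presumably surface only later, when the client key exchange is processed. A guard directly after the lookup, along the lines of `if(!private_key.get()) /* fail the handshake here */`, would keep the error at its source. `release()` also hands ownership to a raw pointer in the handshake state, so who deletes it should be documented; the function body continues outside both hunks.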