authorlloyd <[email protected]>2012-01-20 19:05:42 +0000
committerlloyd <[email protected]>2012-01-20 19:05:42 +0000
commit415efed94cb5b185ae31140285a6a5e2fef64765 (patch)
tree133f06f0a00fe635ef1803125a76cc2bf88e07f3
parent04cf1cd6fcd56c537b5ae4d339e83df67a4094e3 (diff)
Instead of using a hardcoded value for signature_algorithms, go with
policy. Only functional change here from before is we now send DSA with SHA-2. This is fine, OpenSSL does it as well and while the spec says to wait until NIST comes up with a way to prevent hash impersonation, it doesn't really make sense to avoid possible hash substitution attacks by using the weakest available hash...
-rw-r--r--src/tls/c_hello.cpp11
-rw-r--r--src/tls/cert_req.cpp15
-rw-r--r--src/tls/tls_extensions.cpp15
-rw-r--r--src/tls/tls_extensions.h3
-rw-r--r--src/tls/tls_messages.h4
-rw-r--r--src/tls/tls_policy.cpp3
-rw-r--r--src/tls/tls_server.cpp1
7 files changed, 32 insertions, 20 deletions
diff --git a/src/tls/c_hello.cpp b/src/tls/c_hello.cpp
index e56996ee5..d821482fd 100644
--- a/src/tls/c_hello.cpp
+++ b/src/tls/c_hello.cpp
@@ -94,6 +94,13 @@ Client_Hello::Client_Hello(Record_Writer& writer,
m_secure_renegotiation(true),
m_renegotiation_info(reneg_info)
{
+ std::vector<std::string> hashes = policy.allowed_hashes();
+ std::vector<std::string> sigs = policy.allowed_signature_methods();
+
+ for(size_t i = 0; i != hashes.size(); ++i)
+ for(size_t j = 0; j != sigs.size(); ++j)
+ m_supported_algos.push_back(std::make_pair(hashes[i], sigs[j]));
+
send(writer, hash);
}
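Review bot: The nested loop that pairs every policy hash with every policy signature method is duplicated verbatim in the Certificate_Req constructor (the cert_req.cpp hunk ending at `send(writer, hash);`), so the client's advertised list and the server's requested list can drift apart if one copy is edited. Since the resulting vector is the on-wire preference order for signature_algorithms, it is worth building it in one place, e.g. a single helper on TLS_Policy that both constructors call. That would also give the commit message's "DSA with SHA-2" decision one location to document. The Client_Hello constructor begins before this hunk.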
@@ -117,6 +124,8 @@ Client_Hello::Client_Hello(Record_Writer& writer,
m_suites.push_back(session.ciphersuite());
m_comp_methods.push_back(session.compression_method());
+ // set m_supported_algos here?
+
send(writer, hash);
}
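Review bot: The session-resumption constructor leaves m_supported_algos empty (the added `// set m_supported_algos here?` comment), yet the serialize() hunk that follows adds `Signature_Algorithms(m_supported_algos)` unconditionally for TLS_V12, and Signature_Algorithms::empty() returns false regardless of contents (visible as context in the tls_extensions.h hunk), so a resumed TLS 1.2 Client_Hello would carry a signature_algorithms extension with zero entries. Either populate the vector from the policy here as the full-handshake constructor does (whether a policy reference is available in this constructor is outside the hunk), or guard the serialize line with `if(m_version >= TLS_V12 && !m_supported_algos.empty())` so the extension is simply omitted, which is what Certificate_Req::serialize() does in its own hunk. This constructor also begins before the hunk.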
@@ -164,7 +173,7 @@ MemoryVector<byte> Client_Hello::serialize() const
extensions.add(new SRP_Identifier(m_srp_identifier));
if(m_version >= TLS_V12)
- extensions.add(new Signature_Algorithms());
+ extensions.add(new Signature_Algorithms(m_supported_algos));
if(m_next_protocol)
extensions.add(new Next_Protocol_Notification());
diff --git a/src/tls/cert_req.cpp b/src/tls/cert_req.cpp
index c3e46a5ae..4e86a3270 100644
--- a/src/tls/cert_req.cpp
+++ b/src/tls/cert_req.cpp
@@ -22,6 +22,7 @@ namespace Botan {
*/
Certificate_Req::Certificate_Req(Record_Writer& writer,
TLS_Handshake_Hash& hash,
+ const TLS_Policy& policy,
const std::vector<X509_Certificate>& ca_certs,
Version_Code version)
{
@@ -32,7 +33,14 @@ Certificate_Req::Certificate_Req(Record_Writer& writer,
cert_types.push_back(DSS_CERT);
if(version >= TLS_V12)
- sig_and_hash_algos = Signature_Algorithms().serialize();
+ {
+ std::vector<std::string> hashes = policy.allowed_hashes();
+ std::vector<std::string> sigs = policy.allowed_signature_methods();
+
+ for(size_t i = 0; i != hashes.size(); ++i)
+ for(size_t j = 0; j != sigs.size(); ++j)
+ m_supported_algos.push_back(std::make_pair(hashes[i], sigs[j]));
+ }
send(writer, hash);
}
@@ -82,7 +90,10 @@ MemoryVector<byte> Certificate_Req::serialize() const
append_tls_length_value(buf, cert_types, 1);
- buf += sig_and_hash_algos;
+ if(!m_supported_algos.empty())
+ {
+ buf += Signature_Algorithms(m_supported_algos).serialize();
+ }
for(size_t i = 0; i != names.size(); ++i)
{
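Review bot: The new `if(!m_supported_algos.empty())` guard makes the presence of the supported_signature_algorithms field depend on the policy lists rather than on the negotiated version, whereas the removed `buf += sig_and_hash_algos;` emitted it whenever version >= TLS_V12 had filled it. In TLS 1.2 that field is a fixed part of CertificateRequest, so a policy whose allowed_hashes() or allowed_signature_methods() comes back empty would, as far as I can tell from this hunk, produce a message the peer cannot parse rather than a visible error. Since the version is not retained as a member (per the tls_messages.h hunk), the cleaner fix is probably to reject an empty list in the constructor when version >= TLS_V12, and keep this guard only as a belt-and-braces check. The rest of serialize() is outside the hunk.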
diff --git a/src/tls/tls_extensions.cpp b/src/tls/tls_extensions.cpp
index 41977f975..4fbcdbad1 100644
--- a/src/tls/tls_extensions.cpp
+++ b/src/tls/tls_extensions.cpp
@@ -365,21 +365,6 @@ MemoryVector<byte> Signature_Algorithms::serialize() const
return buf;
}
-Signature_Algorithms::Signature_Algorithms()
- {
- /*
- Declare we support everything except MD5 for RSA, and SHA-1 with DSA.
- We prefer hashes strongest (SHA-512) to weakest (SHA-1).
- */
-
- m_supported_algos.push_back(std::make_pair("SHA-512", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-384", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-256", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-224", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-1", "RSA"));
- m_supported_algos.push_back(std::make_pair("SHA-1", "DSA"));
- }
-
Signature_Algorithms::Signature_Algorithms(TLS_Data_Reader& reader,
u16bit extension_size)
{
diff --git a/src/tls/tls_extensions.h b/src/tls/tls_extensions.h
index fea700756..2b386d9f5 100644
--- a/src/tls/tls_extensions.h
+++ b/src/tls/tls_extensions.h
@@ -215,7 +215,8 @@ class Signature_Algorithms : public TLS_Extension
bool empty() const { return false; }
- Signature_Algorithms();
+ Signature_Algorithms(const std::vector<std::pair<std::string, std::string> >& algos) :
+ m_supported_algos(algos) {}
Signature_Algorithms(TLS_Data_Reader& reader,
u16bit extension_size);
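Review bot: The new single-argument constructor is not `explicit`, so a `std::vector<std::pair<std::string, std::string> >` can silently convert to a Signature_Algorithms wherever one is expected; the line should read `explicit Signature_Algorithms(const std::vector<std::pair<std::string, std::string> >& algos) :`. Related, the `bool empty() const { return false; }` left as context now sits next to a constructor that can legitimately receive an empty vector, so it may be worth returning `m_supported_algos.empty()` there, assuming the extension framework uses empty() to decide whether to serialize (that caller is not in this diff). The rest of the class is outside the hunk.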
diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h
index b0f6b503f..c86d71045 100644
--- a/src/tls/tls_messages.h
+++ b/src/tls/tls_messages.h
@@ -259,6 +259,7 @@ class Certificate_Req : public Handshake_Message
Certificate_Req(Record_Writer& writer,
TLS_Handshake_Hash& hash,
+ const TLS_Policy& policy,
const std::vector<X509_Certificate>& allowed_cas,
Version_Code version);
@@ -269,7 +270,8 @@ class Certificate_Req : public Handshake_Message
std::vector<X509_DN> names;
std::vector<byte> cert_types;
- MemoryVector<byte> sig_and_hash_algos; // for TLS 1.2
+
+ std::vector<std::pair<std::string, std::string> > m_supported_algos;
};
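Review bot: The replaced member carried the only note that this data is TLS 1.2 specific (`// for TLS 1.2`), and the new `m_supported_algos` declaration drops it even though the cert_req.cpp hunk still fills the vector only when version >= TLS_V12. Suggest keeping that context on the new line: `std::vector<std::pair<std::string, std::string> > m_supported_algos; // (hash, sig) pairs from policy; filled only for TLS 1.2`.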
/**
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp
index bc0cd53f5..b041d84b0 100644
--- a/src/tls/tls_policy.cpp
+++ b/src/tls/tls_policy.cpp
@@ -26,7 +26,10 @@ std::vector<std::string> TLS_Policy::allowed_ciphers() const
std::vector<std::string> TLS_Policy::allowed_hashes() const
{
std::vector<std::string> allowed;
+ allowed.push_back("SHA-512");
+ allowed.push_back("SHA-384");
allowed.push_back("SHA-256");
+ allowed.push_back("SHA-224");
allowed.push_back("SHA-1");
// Note that MD5 is not included by default
return allowed;
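Review bot: With this commit the order of allowed_hashes() becomes the preference order advertised on the wire in signature_algorithms (the c_hello.cpp and cert_req.cpp hunks iterate it outermost), but nothing in the function says so, and the existing comment only explains the MD5 omission. A short note above the first push_back, such as `// Strongest first: this order is the preference order sent in signature_algorithms`, would stop a future reordering from silently changing what peers are told, and it would make it clear that SHA-1 being last is deliberate rather than incidental. The closing brace of the function is outside the hunk.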
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index 90ce3bf88..5d07d22ba 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -274,6 +274,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
{
state->cert_req = new Certificate_Req(writer,
state->hash,
+ policy,
client_auth_CAs,
state->version);