author | Jack Lloyd <[email protected]> | 2017-12-21 15:37:39 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-01-28 12:14:07 -0500 |
commit | b2b55e6c2fdb824f49923b60d2c3ffff8f0fb99a (patch) | |
tree | 8d5650816329cbe176a4e1fee639094c9387b260 /src/lib/tls/tls_client.cpp | |
parent | 1c667d34bf71336d33bb76309176a993f13a2aac (diff) |
Use enums to represent TLS signature and kex algorithms.
Adds support for PSS signatures (currently verifying only).
Diffstat (limited to 'src/lib/tls/tls_client.cpp')
-rw-r--r-- | src/lib/tls/tls_client.cpp | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp index c35149d6b..39e69d8ea 100644 --- a/src/lib/tls/tls_client.cpp +++ b/src/lib/tls/tls_client.cpp @@ -361,11 +361,11 @@ void Client::process_handshake_msg(const Handshake_State* active_state, " is unacceptable by policy"); } - if(state.ciphersuite().sig_algo() != "") + if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() == Kex_Algo::STATIC_RSA) { state.set_expected_next(CERTIFICATE); } - else if(state.ciphersuite().kex_algo() == "PSK") + else if(state.ciphersuite().kex_method() == Kex_Algo::PSK) { /* PSK is anonymous so no certificate/cert req message is ever sent. The server may or may not send a server kex, @@ -378,7 +378,7 @@ void Client::process_handshake_msg(const Handshake_State* active_state, state.set_expected_next(SERVER_KEX); state.set_expected_next(SERVER_HELLO_DONE); } - else if(state.ciphersuite().kex_algo() != "RSA") + else if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA) { state.set_expected_next(SERVER_KEX); } @@ -408,13 +408,16 @@ void Client::process_handshake_msg(const Handshake_State* active_state, std::unique_ptr<Public_Key> peer_key(server_certs[0].subject_public_key()); - if(peer_key->algo_name() != state.ciphersuite().sig_algo()) + const std::string expected_key_type = + state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() : "RSA"; + + if(peer_key->algo_name() != expected_key_type) throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Certificate key type did not match ciphersuite"); state.server_public_key.reset(peer_key.release()); - if(state.ciphersuite().kex_algo() != "RSA") + if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA) { state.set_expected_next(SERVER_KEX); } 
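Review bot: The `else if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)` arm changed in the @@ -378 hunk can no longer be false when it is reached, because the first arm in the @@ -361 hunk now takes every `STATIC_RSA` suite. Assuming both hunks belong to the same if/else chain, it reads like a real test but behaves as an unconditional `else`. I would write it as a plain `else` with a comment such as `// not signed, not static RSA, not PSK: no Certificate is expected, server must send a key exchange`. That way someone auditing which suites skip the Certificate message sees the full partition in one place. The chain starts and ends outside these hunks.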
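Review bot: In the @@ -408 hunk the `"RSA"` fallback for `expected_key_type` is chosen for every suite where `signature_used()` is false, not only for `Kex_Algo::STATIC_RSA`. The key-type check therefore relies on the earlier server-hello branch having limited which suites may receive a Certificate message at all. That is presumably true today, but this comparison is what binds the certificate's key type to the negotiated suite, so I would make the static-RSA case explicit and reject anything else instead of defaulting it. The enclosing message handler starts and ends outside the hunk.

```cpp
// … unchanged: peer_key taken from server_certs[0] …
std::string expected_key_type;
if(state.ciphersuite().signature_used())
   expected_key_type = state.ciphersuite().sig_algo();
else if(state.ciphersuite().kex_method() == Kex_Algo::STATIC_RSA)
   expected_key_type = "RSA";
else
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
                       "Certificate received for a ciphersuite that does not use one");

if(peer_key->algo_name() != expected_key_type)
// … unchanged: ILLEGAL_PARAMETER throw, server_public_key.reset, SERVER_KEX expectation …
```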
@@ -451,7 +454,7 @@ void Client::process_handshake_msg(const Handshake_State* active_state, { state.server_cert_status(new Certificate_Status(contents)); - if(state.ciphersuite().kex_algo() != "RSA") + if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA) { state.set_expected_next(SERVER_KEX); } @@ -468,12 +471,12 @@ void Client::process_handshake_msg(const Handshake_State* active_state, state.server_kex( new Server_Key_Exchange(contents, - state.ciphersuite().kex_algo(), - state.ciphersuite().sig_algo(), + state.ciphersuite().kex_method(), + state.ciphersuite().auth_method(), state.version()) ); - if(state.ciphersuite().sig_algo() != "") + if(state.ciphersuite().signature_used()) { const Public_Key& server_key = state.get_server_public_key(); |
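Review bot: In the @@ -468 hunk the `Server_Key_Exchange` constructor is now driven by `auth_method()`, while the verification gate right after it tests `signature_used()`. Whether a signature is expected in the message and whether it is verified are therefore decided by two different accessors. Nothing visible here ties them together, so if they ever disagree for a suite, a server key exchange could presumably be accepted without its signature being checked. I would add a comment above the `if`, such as `// signature_used() must be true for every auth_method() that signs the server kex, or the kex is accepted unverified`, or derive the gate from `auth_method()` directly. The verification body continues outside the hunk.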