authorJack Lloyd <[email protected]>2017-12-21 15:37:39 -0500
committerJack Lloyd <[email protected]>2018-01-28 12:14:07 -0500
commitb2b55e6c2fdb824f49923b60d2c3ffff8f0fb99a (patch)
tree8d5650816329cbe176a4e1fee639094c9387b260 /src/lib/tls/tls_policy.cpp
parent1c667d34bf71336d33bb76309176a993f13a2aac (diff)
Use enums to represent TLS signature and kex algorithms.
Adds support for PSS signatures (currently verifying only).
Diffstat (limited to 'src/lib/tls/tls_policy.cpp')
-rw-r--r--src/lib/tls/tls_policy.cpp34
1 files changed, 28 insertions, 6 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index a46fcee92..2c63aa840 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -20,6 +20,24 @@ namespace Botan {
namespace TLS {
+std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const
+ {
+ std::vector<Signature_Scheme> schemes;
+
+ for(Signature_Scheme scheme : all_signature_schemes())
+ {
+ const bool sig_allowed = allowed_signature_method(signature_algorithm_of_scheme(scheme));
+ const bool hash_allowed = allowed_signature_hash(hash_function_of_scheme(scheme));
+
+ if(sig_allowed && hash_allowed)
+ {
+ schemes.push_back(scheme);
+ }
+ }
+
+ return schemes;
+ }
+
std::vector<std::string> Policy::allowed_ciphers() const
{
return {
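Review bot: allowed_signature_schemes() is added without a comment on the order of its result or on how the filter is composed, and a caller that treats the list as a preference list needs both. The loop appends in the order all_signature_schemes() yields, so the ordering of the policy's method and hash lists is not reflected in the output. A scheme passes whenever its algorithm and its hash are each allowed separately, so a policy that allows an algorithm presumably cannot exclude a single scheme of it (for example the PSS variants the commit message mentions); this depends on signature_algorithm_of_scheme(), which is not visible here. I would add above the function: `/* Every known scheme whose signature algorithm and hash are both allowed by this policy, in all_signature_schemes() order, not policy preference order. */`.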
@@ -90,7 +108,8 @@ std::vector<std::string> Policy::allowed_signature_methods() const
"ECDSA",
"RSA",
//"DSA",
- //"" (anon)
+ //"IMPLICIT",
+ //"ANONYMOUS" (anon)
};
}
@@ -153,6 +172,9 @@ std::string Policy::choose_curve(const std::vector<std::string>& curve_names) co
*/
std::string Policy::choose_dh_group(const std::vector<std::string>& dh_groups) const
{
+ if(dh_groups.empty())
+ return dh_group();
+
const std::vector<std::string> our_groups = allowed_groups();
for(size_t i = 0; i != our_groups.size(); ++i)
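Review bot: The new early return in choose_dh_group hands back dh_group() without matching it against allowed_groups(), which is the list the loop below it iterates. If a policy narrows allowed_groups() but leaves dh_group() at its default, the empty-list case could select a group the policy does not otherwise list; whether that can happen depends on dh_group(), which is outside this hunk. At minimum the intent should be stated on the branch, e.g. `// peer offered no DH groups: fall back to our configured default group`. The function body continues past the end of the hunk.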
@@ -365,7 +387,7 @@ class Ciphersuite_Preference_Ordering final
bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
{
- if(a.kex_algo() != b.kex_algo())
+ if(a.kex_method() != b.kex_method())
{
for(size_t i = 0; i != m_kex.size(); ++i)
{
@@ -395,7 +417,7 @@ class Ciphersuite_Preference_Ordering final
return true;
}
- if(a.sig_algo() != b.sig_algo())
+ if(a.auth_method() != b.auth_method())
{
for(size_t i = 0; i != m_sigs.size(); ++i)
{
@@ -446,7 +468,7 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
continue;
// Are we doing SRP?
- if(!have_srp && suite.kex_algo() == "SRP_SHA")
+ if(!have_srp && suite.kex_method() == Kex_Algo::SRP_SHA)
continue;
if(!version.supports_aead_modes())
@@ -472,7 +494,7 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
if(!value_exists(sigs, suite.sig_algo()))
{
// allow if it's an empty sig algo and we want to use PSK
- if(suite.sig_algo() != "" || !suite.psk_ciphersuite())
+ if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite())
continue;
}
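Review bot: The comment above the changed condition still says "empty sig algo", but the test is now `suite.auth_method() != Auth_Method::IMPLICIT`, so the comment no longer describes the check. I would reword it to `// allow if the suite has implicit authentication (no signature) and we want to use PSK`. The enclosing `if` on the context line still looks the suite up through the string accessor `suite.sig_algo()`, while the inner test uses the enum accessor. The two presumably have to stay in step for PSK suites to be admitted, and a short comment noting this would help, since the definition of `sigs` is outside the hunk.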
@@ -481,7 +503,7 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
removal of x25519 from the ECC curve list as equivalent to
saying they do not trust CECPQ1
*/
- if(suite.kex_algo() == "CECPQ1" && allowed_ecc_curve("x25519") == false)
+ if(suite.kex_method() == Kex_Algo::CECPQ1 && allowed_ecc_curve("x25519") == false)
continue;
// OK, consider it