diff options
author | Jack Lloyd <[email protected]> | 2017-12-21 15:37:39 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-01-28 12:14:07 -0500 |
commit | b2b55e6c2fdb824f49923b60d2c3ffff8f0fb99a (patch) | |
tree | 8d5650816329cbe176a4e1fee639094c9387b260 /src/lib/tls/tls_policy.cpp | |
parent | 1c667d34bf71336d33bb76309176a993f13a2aac (diff) |
Use enums to represent TLS signature and kex algorithms.
Adds support for PSS signatures (currently verifying only).
Diffstat (limited to 'src/lib/tls/tls_policy.cpp')
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 34 |
1 files changed, 28 insertions, 6 deletions
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index a46fcee92..2c63aa840 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -20,6 +20,24 @@ namespace Botan { namespace TLS { +std::vector<Signature_Scheme> Policy::allowed_signature_schemes() const + { + std::vector<Signature_Scheme> schemes; + + for(Signature_Scheme scheme : all_signature_schemes()) + { + const bool sig_allowed = allowed_signature_method(signature_algorithm_of_scheme(scheme)); + const bool hash_allowed = allowed_signature_hash(hash_function_of_scheme(scheme)); + + if(sig_allowed && hash_allowed) + { + schemes.push_back(scheme); + } + } + + return schemes; + } + std::vector<std::string> Policy::allowed_ciphers() const { return { @@ -90,7 +108,8 @@ std::vector<std::string> Policy::allowed_signature_methods() const "ECDSA", "RSA", //"DSA", - //"" (anon) + //"IMPLICIT", + //"ANONYMOUS" (anon) }; } @@ -153,6 +172,9 @@ std::string Policy::choose_curve(const std::vector<std::string>& curve_names) co */ std::string Policy::choose_dh_group(const std::vector<std::string>& dh_groups) const { + if(dh_groups.empty()) + return dh_group(); + const std::vector<std::string> our_groups = allowed_groups(); for(size_t i = 0; i != our_groups.size(); ++i) @@ -365,7 +387,7 @@ class Ciphersuite_Preference_Ordering final bool operator()(const Ciphersuite& a, const Ciphersuite& b) const { - if(a.kex_algo() != b.kex_algo()) + if(a.kex_method() != b.kex_method()) { for(size_t i = 0; i != m_kex.size(); ++i) { @@ -395,7 +417,7 @@ class Ciphersuite_Preference_Ordering final return true; } - if(a.sig_algo() != b.sig_algo()) + if(a.auth_method() != b.auth_method()) { for(size_t i = 0; i != m_sigs.size(); ++i) { @@ -446,7 +468,7 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version, continue; // Are we doing SRP? - if(!have_srp && suite.kex_algo() == "SRP_SHA") + if(!have_srp && suite.kex_method() == Kex_Algo::SRP_SHA) continue; if(!version.supports_aead_modes()) @@ -472,7 +494,7 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version, if(!value_exists(sigs, suite.sig_algo())) { // allow if it's an empty sig algo and we want to use PSK - if(suite.sig_algo() != "" || !suite.psk_ciphersuite()) + if(suite.auth_method() != Auth_Method::IMPLICIT || !suite.psk_ciphersuite()) continue; } @@ -481,7 +503,7 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version, removal of x25519 from the ECC curve list as equivalent to saying they do not trust CECPQ1 */ - if(suite.kex_algo() == "CECPQ1" && allowed_ecc_curve("x25519") == false) + if(suite.kex_method() == Kex_Algo::CECPQ1 && allowed_ecc_curve("x25519") == false) continue; // OK, consider it |