aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2020-11-28 10:55:31 -0500
committerJack Lloyd <[email protected]>2021-04-01 14:38:30 -0400
commit587f178d75fe327feb84df32c3d1b8a479f01d23 (patch)
tree6a3bd7ce31b01263c749a807f73d4b0fa4d0fe23 /src/lib/tls
parent3a432a91e4c3c1b89bafbb706bb6712851756525 (diff)
Remove TLS 1.0/1.1 and DTLS 1.0
Diffstat (limited to 'src/lib/tls')
-rw-r--r--src/lib/tls/info.txt2
-rw-r--r--src/lib/tls/msg_cert_req.cpp27
-rw-r--r--src/lib/tls/msg_cert_verify.cpp9
-rw-r--r--src/lib/tls/msg_client_hello.cpp6
-rw-r--r--src/lib/tls/msg_hello_verify.cpp5
-rw-r--r--src/lib/tls/msg_server_hello.cpp14
-rw-r--r--src/lib/tls/msg_server_kex.cpp6
-rw-r--r--src/lib/tls/tls_10/info.txt10
-rw-r--r--src/lib/tls/tls_cbc/tls_cbc.cpp2
-rw-r--r--src/lib/tls/tls_channel.cpp28
-rw-r--r--src/lib/tls/tls_ciphersuite.cpp20
-rw-r--r--src/lib/tls/tls_client.cpp2
-rw-r--r--src/lib/tls/tls_extensions.cpp10
-rw-r--r--src/lib/tls/tls_handshake_hash.cpp4
-rw-r--r--src/lib/tls/tls_handshake_io.cpp4
-rw-r--r--src/lib/tls/tls_handshake_state.cpp54
-rw-r--r--src/lib/tls/tls_messages.h9
-rw-r--r--src/lib/tls/tls_policy.cpp30
-rw-r--r--src/lib/tls/tls_policy.h36
-rw-r--r--src/lib/tls/tls_server.cpp67
-rw-r--r--src/lib/tls/tls_text_policy.cpp15
-rw-r--r--src/lib/tls/tls_version.cpp31
-rw-r--r--src/lib/tls/tls_version.h21
23 files changed, 63 insertions, 349 deletions
diff --git a/src/lib/tls/info.txt b/src/lib/tls/info.txt
index 18f811f25..3ed102e9c 100644
--- a/src/lib/tls/info.txt
+++ b/src/lib/tls/info.txt
@@ -1,5 +1,5 @@
<defines>
-TLS -> 20191210
+TLS -> 20201128
</defines>
<header:public>
diff --git a/src/lib/tls/msg_cert_req.cpp b/src/lib/tls/msg_cert_req.cpp
index a80fbf2b9..ea9ae3711 100644
--- a/src/lib/tls/msg_cert_req.cpp
+++ b/src/lib/tls/msg_cert_req.cpp
@@ -54,24 +54,18 @@ uint8_t cert_type_name_to_code(const std::string& name)
Certificate_Req::Certificate_Req(Handshake_IO& io,
Handshake_Hash& hash,
const Policy& policy,
- const std::vector<X509_DN>& ca_certs,
- Protocol_Version version) :
+ const std::vector<X509_DN>& ca_certs) :
m_names(ca_certs),
m_cert_key_types({ "RSA", "ECDSA", "DSA" })
{
- if(version.supports_negotiable_signature_algorithms())
- {
- m_schemes = policy.acceptable_signature_schemes();
- }
-
+ m_schemes = policy.acceptable_signature_schemes();
hash.update(io.send(*this));
}
/**
* Deserialize a Certificate Request message
*/
-Certificate_Req::Certificate_Req(const std::vector<uint8_t>& buf,
- Protocol_Version version)
+Certificate_Req::Certificate_Req(const std::vector<uint8_t>& buf)
{
if(buf.size() < 4)
throw Decoding_Error("Certificate_Req: Bad certificate request");
@@ -90,17 +84,14 @@ Certificate_Req::Certificate_Req(const std::vector<uint8_t>& buf,
m_cert_key_types.emplace_back(cert_type_name);
}
- if(version.supports_negotiable_signature_algorithms())
- {
- const std::vector<uint8_t> algs = reader.get_range_vector<uint8_t>(2, 2, 65534);
+ const std::vector<uint8_t> algs = reader.get_range_vector<uint8_t>(2, 2, 65534);
- if(algs.size() % 2 != 0)
- throw Decoding_Error("Bad length for signature IDs in certificate request");
+ if(algs.size() % 2 != 0)
+ throw Decoding_Error("Bad length for signature IDs in certificate request");
- for(size_t i = 0; i != algs.size(); i += 2)
- {
- m_schemes.push_back(static_cast<Signature_Scheme>(make_uint16(algs[i], algs[i+1])));
- }
+ for(size_t i = 0; i != algs.size(); i += 2)
+ {
+ m_schemes.push_back(static_cast<Signature_Scheme>(make_uint16(algs[i], algs[i+1])));
}
const uint16_t purported_size = reader.get_uint16_t();
diff --git a/src/lib/tls/msg_cert_verify.cpp b/src/lib/tls/msg_cert_verify.cpp
index 711566bd0..6fff19b59 100644
--- a/src/lib/tls/msg_cert_verify.cpp
+++ b/src/lib/tls/msg_cert_verify.cpp
@@ -40,16 +40,11 @@ Certificate_Verify::Certificate_Verify(Handshake_IO& io,
/*
* Deserialize a Certificate Verify message
*/
-Certificate_Verify::Certificate_Verify(const std::vector<uint8_t>& buf,
- Protocol_Version version)
+Certificate_Verify::Certificate_Verify(const std::vector<uint8_t>& buf)
{
TLS_Data_Reader reader("CertificateVerify", buf);
- if(version.supports_negotiable_signature_algorithms())
- {
- m_scheme = static_cast<Signature_Scheme>(reader.get_uint16_t());
- }
-
+ m_scheme = static_cast<Signature_Scheme>(reader.get_uint16_t());
m_signature = reader.get_range<uint8_t>(2, 0, 65535);
reader.assert_done();
}
diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp
index dfc5df6f7..33fc8b72c 100644
--- a/src/lib/tls/msg_client_hello.cpp
+++ b/src/lib/tls/msg_client_hello.cpp
@@ -119,8 +119,7 @@ Client_Hello::Client_Hello(Handshake_IO& io,
if(reneg_info.empty() && !next_protocols.empty())
m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols));
- if(m_version.supports_negotiable_signature_algorithms())
- m_extensions.add(new Signature_Algorithms(policy.acceptable_signature_schemes()));
+ m_extensions.add(new Signature_Algorithms(policy.acceptable_signature_schemes()));
if(m_version.is_datagram_protocol())
m_extensions.add(new SRTP_Protection_Profiles(policy.srtp_profiles()));
@@ -192,8 +191,7 @@ Client_Hello::Client_Hello(Handshake_IO& io,
if(session.supports_encrypt_then_mac())
m_extensions.add(new Encrypt_then_MAC);
- if(m_version.supports_negotiable_signature_algorithms())
- m_extensions.add(new Signature_Algorithms(policy.acceptable_signature_schemes()));
+ m_extensions.add(new Signature_Algorithms(policy.acceptable_signature_schemes()));
if(reneg_info.empty() && !next_protocols.empty())
m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols));
diff --git a/src/lib/tls/msg_hello_verify.cpp b/src/lib/tls/msg_hello_verify.cpp
index bc93af9d6..3e9360cc7 100644
--- a/src/lib/tls/msg_hello_verify.cpp
+++ b/src/lib/tls/msg_hello_verify.cpp
@@ -19,8 +19,7 @@ Hello_Verify_Request::Hello_Verify_Request(const std::vector<uint8_t>& buf)
Protocol_Version version(buf[0], buf[1]);
- if(version != Protocol_Version::DTLS_V10 &&
- version != Protocol_Version::DTLS_V12)
+ if(!version.is_datagram_protocol())
{
throw Decoding_Error("Unknown version from server in hello verify request");
}
@@ -54,7 +53,7 @@ std::vector<uint8_t> Hello_Verify_Request::serialize() const
negotiated (RFC 6347, section 4.2.1)
*/
- Protocol_Version format_version(Protocol_Version::DTLS_V10);
+ Protocol_Version format_version(254, 255); // DTLS 1.0
std::vector<uint8_t> bits;
bits.push_back(format_version.major_version());
diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp
index 651fd14f8..527352e78 100644
--- a/src/lib/tls/msg_server_hello.cpp
+++ b/src/lib/tls/msg_server_hello.cpp
@@ -30,20 +30,8 @@ make_server_hello_random(RandomNumberGenerator& rng,
Protocol_Version offered_version,
const Policy& policy)
{
+ BOTAN_UNUSED(offered_version, policy);
auto random = make_hello_random(rng, policy);
-
- if((offered_version == Protocol_Version::TLS_V10 ||
- offered_version == Protocol_Version::TLS_V11) &&
- policy.allow_tls12())
- {
- store_be(DOWNGRADE_TLS11, &random[24]);
- }
-
- if(offered_version == Protocol_Version::DTLS_V10 && policy.allow_dtls12())
- {
- store_be(DOWNGRADE_TLS11, &random[24]);
- }
-
return random;
}
diff --git a/src/lib/tls/msg_server_kex.cpp b/src/lib/tls/msg_server_kex.cpp
index 9aac7df7b..f0f481066 100644
--- a/src/lib/tls/msg_server_kex.cpp
+++ b/src/lib/tls/msg_server_kex.cpp
@@ -217,11 +217,7 @@ Server_Key_Exchange::Server_Key_Exchange(const std::vector<uint8_t>& buf,
if(auth_method != Auth_Method::IMPLICIT)
{
- if(version.supports_negotiable_signature_algorithms())
- {
- m_scheme = static_cast<Signature_Scheme>(reader.get_uint16_t());
- }
-
+ m_scheme = static_cast<Signature_Scheme>(reader.get_uint16_t());
m_signature = reader.get_range<uint8_t>(2, 0, 65535);
}
diff --git a/src/lib/tls/tls_10/info.txt b/src/lib/tls/tls_10/info.txt
deleted file mode 100644
index f85a19992..000000000
--- a/src/lib/tls/tls_10/info.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-<defines>
-TLS_V10 -> 20191109
-</defines>
-
-<requires>
-md5
-sha1
-par_hash
-tls_cbc
-</requires>
diff --git a/src/lib/tls/tls_cbc/tls_cbc.cpp b/src/lib/tls/tls_cbc/tls_cbc.cpp
index f8e4e9af4..d2270e3b0 100644
--- a/src/lib/tls/tls_cbc/tls_cbc.cpp
+++ b/src/lib/tls/tls_cbc/tls_cbc.cpp
@@ -40,7 +40,7 @@ TLS_CBC_HMAC_AEAD_Mode::TLS_CBC_HMAC_AEAD_Mode(Cipher_Dir dir,
m_tag_size = mac->output_length();
m_block_size = cipher->block_size();
- m_iv_size = version.supports_explicit_cbc_ivs() ? m_block_size : 0;
+ m_iv_size = m_block_size;
m_is_datagram = version.is_datagram_protocol();
diff --git a/src/lib/tls/tls_channel.cpp b/src/lib/tls/tls_channel.cpp
index f6198a1c2..3dce68a3a 100644
--- a/src/lib/tls/tls_channel.cpp
+++ b/src/lib/tls/tls_channel.cpp
@@ -559,31 +559,13 @@ void Channel::send_record_array(uint16_t epoch, uint8_t type, const uint8_t inpu
auto cipher_state = write_cipher_state_epoch(epoch);
- if(type == APPLICATION_DATA && m_active_state->version().supports_explicit_cbc_ivs() == false)
+ while(length)
{
- while(length)
- {
- write_record(cipher_state.get(), epoch, type, input, 1);
- input += 1;
- length -= 1;
-
- const size_t sending = std::min<size_t>(length, MAX_PLAINTEXT_SIZE);
- write_record(cipher_state.get(), epoch, type, input, sending);
+ const size_t sending = std::min<size_t>(length, MAX_PLAINTEXT_SIZE);
+ write_record(cipher_state.get(), epoch, type, input, sending);
- input += sending;
- length -= sending;
- }
- }
- else
- {
- while(length)
- {
- const size_t sending = std::min<size_t>(length, MAX_PLAINTEXT_SIZE);
- write_record(cipher_state.get(), epoch, type, input, sending);
-
- input += sending;
- length -= sending;
- }
+ input += sending;
+ length -= sending;
}
}
diff --git a/src/lib/tls/tls_ciphersuite.cpp b/src/lib/tls/tls_ciphersuite.cpp
index cab63bf5c..3e72848e0 100644
--- a/src/lib/tls/tls_ciphersuite.cpp
+++ b/src/lib/tls/tls_ciphersuite.cpp
@@ -39,19 +39,11 @@ size_t Ciphersuite::nonce_bytes_from_handshake() const
size_t Ciphersuite::nonce_bytes_from_record(Protocol_Version version) const
{
+ BOTAN_UNUSED(version);
switch(m_nonce_format)
{
case Nonce_Format::CBC_MODE:
- {
- if(version.supports_explicit_cbc_ivs())
- {
- return cipher_algo() == "3DES" ? 8 : 16;
- }
- else
- {
- return 0;
- }
- }
+ return cipher_algo() == "3DES" ? 8 : 16;
case Nonce_Format::AEAD_IMPLICIT_4:
return 8;
case Nonce_Format::AEAD_XOR_12:
@@ -82,13 +74,7 @@ bool Ciphersuite::ecc_ciphersuite() const
bool Ciphersuite::usable_in_version(Protocol_Version version) const
{
- if(!version.supports_aead_modes())
- {
- // Old versions do not support AEAD, or any MAC but SHA-1
- if(mac_algo() != "SHA-1")
- return false;
- }
-
+ BOTAN_UNUSED(version);
return true;
}
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 7ce9952e6..59a092867 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -558,7 +558,7 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
else if(type == CERTIFICATE_REQUEST)
{
state.set_expected_next(SERVER_HELLO_DONE);
- state.cert_req(new Certificate_Req(contents, state.version()));
+ state.cert_req(new Certificate_Req(contents));
}
else if(type == SERVER_HELLO_DONE)
{
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp
index ce067d7c0..645c036ea 100644
--- a/src/lib/tls/tls_extensions.cpp
+++ b/src/lib/tls/tls_extensions.cpp
@@ -581,21 +581,11 @@ Supported_Versions::Supported_Versions(Protocol_Version offer, const Policy& pol
{
if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12())
m_versions.push_back(Protocol_Version::DTLS_V12);
-#if defined(BOTAN_HAS_TLS_V10)
- if(offer >= Protocol_Version::DTLS_V10 && policy.allow_dtls10())
- m_versions.push_back(Protocol_Version::DTLS_V10);
-#endif
}
else
{
if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12())
m_versions.push_back(Protocol_Version::TLS_V12);
-#if defined(BOTAN_HAS_TLS_V10)
- if(offer >= Protocol_Version::TLS_V11 && policy.allow_tls11())
- m_versions.push_back(Protocol_Version::TLS_V11);
- if(offer >= Protocol_Version::TLS_V10 && policy.allow_tls10())
- m_versions.push_back(Protocol_Version::TLS_V10);
-#endif
}
}
diff --git a/src/lib/tls/tls_handshake_hash.cpp b/src/lib/tls/tls_handshake_hash.cpp
index a48251d06..ee0e5e4e9 100644
--- a/src/lib/tls/tls_handshake_hash.cpp
+++ b/src/lib/tls/tls_handshake_hash.cpp
@@ -19,9 +19,7 @@ secure_vector<uint8_t> Handshake_Hash::final(Protocol_Version version,
const std::string& mac_algo) const
{
std::string hash_algo = mac_algo;
- if(!version.supports_ciphersuite_specific_prf())
- hash_algo = "Parallel(MD5,SHA-160)";
- else if(mac_algo == "MD5" || mac_algo == "SHA-1")
+ if(mac_algo == "MD5" || mac_algo == "SHA-1")
hash_algo = "SHA-256";
std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_algo));
diff --git a/src/lib/tls/tls_handshake_io.cpp b/src/lib/tls/tls_handshake_io.cpp
index 58aa785b1..28a3254b9 100644
--- a/src/lib/tls/tls_handshake_io.cpp
+++ b/src/lib/tls/tls_handshake_io.cpp
@@ -44,7 +44,7 @@ uint64_t steady_clock_ms()
Protocol_Version Stream_Handshake_IO::initial_record_version() const
{
- return Protocol_Version::TLS_V10;
+ return Protocol_Version::TLS_V12;
}
void Stream_Handshake_IO::add_record(const uint8_t record[],
@@ -136,7 +136,7 @@ std::vector<uint8_t> Stream_Handshake_IO::send(const Handshake_Message& msg)
Protocol_Version Datagram_Handshake_IO::initial_record_version() const
{
- return Protocol_Version::DTLS_V10;
+ return Protocol_Version::DTLS_V12;
}
void Datagram_Handshake_IO::retransmit_last_flight()
diff --git a/src/lib/tls/tls_handshake_state.cpp b/src/lib/tls/tls_handshake_state.cpp
index 1129dc58f..3d80c8d91 100644
--- a/src/lib/tls/tls_handshake_state.cpp
+++ b/src/lib/tls/tls_handshake_state.cpp
@@ -369,18 +369,12 @@ std::vector<uint8_t> Handshake_State::session_ticket() const
KDF* Handshake_State::protocol_specific_prf() const
{
- if(version().supports_ciphersuite_specific_prf())
- {
- const std::string prf_algo = ciphersuite().prf_algo();
-
- if(prf_algo == "MD5" || prf_algo == "SHA-1")
- return get_kdf("TLS-12-PRF(SHA-256)");
+ const std::string prf_algo = ciphersuite().prf_algo();
- return get_kdf("TLS-12-PRF(" + prf_algo + ")");
- }
+ if(prf_algo == "MD5" || prf_algo == "SHA-1")
+ return get_kdf("TLS-12-PRF(SHA-256)");
- // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0
- return get_kdf("TLS-PRF");
+ return get_kdf("TLS-12-PRF(" + prf_algo + ")");
}
std::pair<std::string, Signature_Format>
@@ -391,8 +385,6 @@ Handshake_State::choose_sig_format(const Private_Key& key,
{
const std::string sig_algo = key.algo_name();
- if(this->version().supports_negotiable_signature_algorithms())
- {
const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
std::vector<Signature_Scheme> requested =
@@ -431,20 +423,6 @@ Handshake_State::choose_sig_format(const Private_Key& key,
{
return std::make_pair(padding_string_for_scheme(chosen_scheme), DER_SEQUENCE);
}
- }
- else
- {
- if(sig_algo == "RSA")
- {
- const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
- return std::make_pair(padding, IEEE_1363);
- }
- else if(sig_algo == "DSA" || sig_algo == "ECDSA")
- {
- const std::string padding = "EMSA1(SHA-1)";
- return std::make_pair(padding, DER_SEQUENCE);
- }
- }
throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
}
@@ -485,30 +463,6 @@ Handshake_State::parse_sig_format(const Public_Key& key,
"Rejecting " + key_type + " signature");
}
- if(this->version().supports_negotiable_signature_algorithms() == false)
- {
- if(scheme != Signature_Scheme::NONE)
- throw Decoding_Error("Counterparty sent hash/sig IDs with old version");
-
- /*
- There is no check on the acceptability of a v1.0/v1.1 hash type,
- since it's implicit with use of the protocol
- */
-
- if(key_type == "RSA")
- {
- const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
- return std::make_pair(padding, IEEE_1363);
- }
- else if(key_type == "DSA" || key_type == "ECDSA")
- {
- const std::string padding = "EMSA1(SHA-1)";
- return std::make_pair(padding, DER_SEQUENCE);
- }
- else
- throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
- }
-
if(scheme == Signature_Scheme::NONE)
throw Decoding_Error("Counterparty did not send hash/sig IDS");
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index 82b8b593c..08c3682f7 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -429,11 +429,9 @@ class BOTAN_UNSTABLE_API Certificate_Req final : public Handshake_Message
Certificate_Req(Handshake_IO& io,
Handshake_Hash& hash,
const Policy& policy,
- const std::vector<X509_DN>& allowed_cas,
- Protocol_Version version);
+ const std::vector<X509_DN>& allowed_cas);
- Certificate_Req(const std::vector<uint8_t>& buf,
- Protocol_Version version);
+ Certificate_Req(const std::vector<uint8_t>& buf);
private:
std::vector<uint8_t> serialize() const override;
@@ -467,8 +465,7 @@ class BOTAN_UNSTABLE_API Certificate_Verify final : public Handshake_Message
RandomNumberGenerator& rng,
const Private_Key* key);
- Certificate_Verify(const std::vector<uint8_t>& buf,
- Protocol_Version version);
+ Certificate_Verify(const std::vector<uint8_t>& buf);
private:
std::vector<uint8_t> serialize() const override;
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index f54b65aa9..cf9cc249b 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -270,17 +270,6 @@ bool Policy::acceptable_protocol_version(Protocol_Version version) const
if(version == Protocol_Version::DTLS_V12 && allow_dtls12())
return true;
-#if defined(BOTAN_HAS_TLS_V10)
-
- if(version == Protocol_Version::TLS_V11 && allow_tls11())
- return true;
- if(version == Protocol_Version::TLS_V10 && allow_tls10())
- return true;
- if(version == Protocol_Version::DTLS_V10 && allow_dtls10())
- return true;
-
-#endif
-
return false;
}
@@ -290,22 +279,12 @@ Protocol_Version Policy::latest_supported_version(bool datagram) const
{
if(acceptable_protocol_version(Protocol_Version::DTLS_V12))
return Protocol_Version::DTLS_V12;
-#if defined(BOTAN_HAS_TLS_V10)
- if(acceptable_protocol_version(Protocol_Version::DTLS_V10))
- return Protocol_Version::DTLS_V10;
-#endif
throw Invalid_State("Policy forbids all available DTLS version");
}
else
{
if(acceptable_protocol_version(Protocol_Version::TLS_V12))
return Protocol_Version::TLS_V12;
-#if defined(BOTAN_HAS_TLS_V10)
- if(acceptable_protocol_version(Protocol_Version::TLS_V11))
- return Protocol_Version::TLS_V11;
- if(acceptable_protocol_version(Protocol_Version::TLS_V10))
- return Protocol_Version::TLS_V10;
-#endif
throw Invalid_State("Policy forbids all available TLS version");
}
}
@@ -319,10 +298,7 @@ bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const
bool Policy::allow_client_initiated_renegotiation() const { return false; }
bool Policy::allow_server_initiated_renegotiation() const { return false; }
bool Policy::allow_insecure_renegotiation() const { return false; }
-bool Policy::allow_tls10() const { return false; }
-bool Policy::allow_tls11() const { return false; }
bool Policy::allow_tls12() const { return true; }
-bool Policy::allow_dtls10() const { return false; }
bool Policy::allow_dtls12() const { return true; }
bool Policy::include_time_in_hello_random() const { return true; }
bool Policy::hide_unknown_users() const { return false; }
@@ -534,10 +510,7 @@ void print_bool(std::ostream& o,
void Policy::print(std::ostream& o) const
{
- print_bool(o, "allow_tls10", allow_tls10());
- print_bool(o, "allow_tls11", allow_tls11());
print_bool(o, "allow_tls12", allow_tls12());
- print_bool(o, "allow_dtls10", allow_dtls10());
print_bool(o, "allow_dtls12", allow_dtls12());
print_vec(o, "ciphers", allowed_ciphers());
print_vec(o, "macs", allowed_macs());
@@ -587,10 +560,7 @@ std::vector<std::string> Strict_Policy::allowed_key_exchange_methods() const
return { "CECPQ1", "ECDH" };
}
-bool Strict_Policy::allow_tls10() const { return false; }
-bool Strict_Policy::allow_tls11() const { return false; }
bool Strict_Policy::allow_tls12() const { return true; }
-bool Strict_Policy::allow_dtls10() const { return false; }
bool Strict_Policy::allow_dtls12() const { return true; }
}
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index b53c08bb6..bfe067650 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -138,26 +138,11 @@ class BOTAN_PUBLIC_API(2,0) Policy
virtual bool only_resume_with_exact_version() const;
/**
- * Allow TLS v1.0
- */
- virtual bool allow_tls10() const;
-
- /**
- * Allow TLS v1.1
- */
- virtual bool allow_tls11() const;
-
- /**
* Allow TLS v1.2
*/
virtual bool allow_tls12() const;
/**
- * Allow DTLS v1.0
- */
- virtual bool allow_dtls10() const;
-
- /**
* Allow DTLS v1.2
*/
virtual bool allow_dtls12() const;
@@ -371,10 +356,7 @@ class BOTAN_PUBLIC_API(2,0) NSA_Suite_B_128 : public Policy
size_t minimum_signature_strength() const override { return 128; }
- bool allow_tls10() const override { return false; }
- bool allow_tls11() const override { return false; }
bool allow_tls12() const override { return true; }
- bool allow_dtls10() const override { return false; }
bool allow_dtls12() const override { return false; }
};
@@ -404,10 +386,7 @@ class BOTAN_PUBLIC_API(2,7) NSA_Suite_B_192 : public Policy
size_t minimum_signature_strength() const override { return 192; }
- bool allow_tls10() const override { return false; }
- bool allow_tls11() const override { return false; }
bool allow_tls12() const override { return true; }
- bool allow_dtls10() const override { return false; }
bool allow_dtls12() const override { return false; }
};
@@ -467,10 +446,7 @@ class BOTAN_PUBLIC_API(2,0) BSI_TR_02102_2 : public Policy
size_t minimum_ecdh_group_size() const override { return 250; }
size_t minimum_ecdsa_group_size() const override { return 250; }
- bool allow_tls10() const override { return false; }
- bool allow_tls11() const override { return false; }
bool allow_tls12() const override { return true; }
- bool allow_dtls10() const override { return false; }
bool allow_dtls12() const override { return false; }
};
@@ -483,10 +459,7 @@ class BOTAN_PUBLIC_API(2,0) Datagram_Policy : public Policy
std::vector<std::string> allowed_macs() const override
{ return std::vector<std::string>({"AEAD"}); }
- bool allow_tls10() const override { return false; }
- bool allow_tls11() const override { return false; }
bool allow_tls12() const override { return false; }
- bool allow_dtls10() const override { return false; }
bool allow_dtls12() const override { return true; }
};
@@ -508,10 +481,7 @@ class BOTAN_PUBLIC_API(2,0) Strict_Policy : public Policy
std::vector<std::string> allowed_key_exchange_methods() const override;
- bool allow_tls10() const override;
- bool allow_tls11() const override;
bool allow_tls12() const override;
- bool allow_dtls10() const override;
bool allow_dtls12() const override;
};
@@ -533,14 +503,8 @@ class BOTAN_PUBLIC_API(2,0) Text_Policy : public Policy
bool use_ecc_point_compression() const override;
- bool allow_tls10() const override;
-
- bool allow_tls11() const override;
-
bool allow_tls12() const override;
- bool allow_dtls10() const override;
-
bool allow_dtls12() const override;
bool allow_insecure_renegotiation() const override;
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index 27832e779..60ee19172 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -200,43 +200,35 @@ uint16_t choose_ciphersuite(
continue;
}
- if(version.supports_negotiable_signature_algorithms())
- {
- const std::vector<Signature_Scheme> client_sig_methods =
- client_hello.signature_schemes();
+ const std::vector<Signature_Scheme> allowed =
+ policy.allowed_signature_schemes();
- /*
- If the vector is empty (eg because the client did not send the
- extension), then the loop will fail to find a match and we will
- reject with a handshake failure.
+ std::vector<Signature_Scheme> client_sig_methods =
+ client_hello.signature_schemes();
- The TLS v1.2 logic said that a client not sending the extension implicitly
- supported SHA-1 but with draft-ietf-tls-md5-sha1-deprecate instead we
- are removing support for SHA-1 signatures entirely.
+ /*
+ Contrary to the wording of draft-ietf-tls-md5-sha1-deprecate we do
+ not enforce that clients do not offer support SHA-1 or MD5
+ signatures; we just ignore it.
+ */
+ bool we_support_some_hash_by_client = false;
- Contrary to the wording of draft-ietf-tls-md5-sha1-deprecate we do
- not enforce that clients do not offer support SHA-1 or MD5
- signatures; we just ignore it.
- */
- bool we_support_some_hash_by_client = false;
+ for(Signature_Scheme scheme : client_sig_methods)
+ {
+ if(signature_scheme_is_known(scheme) == false)
+ continue;
- for(Signature_Scheme scheme : client_sig_methods)
+ if(signature_algorithm_of_scheme(scheme) == suite.sig_algo() &&
+ policy.allowed_signature_hash(hash_function_of_scheme(scheme)))
{
- if(signature_scheme_is_known(scheme) == false)
- continue;
-
- if(signature_algorithm_of_scheme(scheme) == suite.sig_algo() &&
- policy.allowed_signature_hash(hash_function_of_scheme(scheme)))
- {
- we_support_some_hash_by_client = true;
- }
+ we_support_some_hash_by_client = true;
}
+ }
- if(we_support_some_hash_by_client == false)
- {
- throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
- "Policy does not accept any hash function supported by client");
- }
+ if(we_support_some_hash_by_client == false)
+ {
+ throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
+ "Policy does not accept any hash function supported by client");
}
}
@@ -343,22 +335,12 @@ Protocol_Version select_version(const Botan::TLS::Policy& policy,
{
if(policy.allow_dtls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V12)))
return Protocol_Version::DTLS_V12;
-#if defined(BOTAN_HAS_TLS_V10)
- if(policy.allow_dtls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V10)))
- return Protocol_Version::DTLS_V10;
-#endif
throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared DTLS version");
}
else
{
if(policy.allow_tls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V12)))
return Protocol_Version::TLS_V12;
-#if defined(BOTAN_HAS_TLS_V10)
- if(policy.allow_tls11() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V11)))
- return Protocol_Version::TLS_V11;
- if(policy.allow_tls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V10)))
- return Protocol_Version::TLS_V10;
-#endif
throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared TLS version");
}
}
@@ -601,7 +583,7 @@ void Server::process_certificate_verify_msg(Server_Handshake_State& pending_stat
Handshake_Type type,
const std::vector<uint8_t>& contents)
{
- pending_state.client_verify(new Certificate_Verify(contents, pending_state.version()));
+ pending_state.client_verify(new Certificate_Verify(contents));
const std::vector<X509_Certificate>& client_certs =
pending_state.client_certs()->cert_chain();
@@ -956,8 +938,7 @@ void Server::session_create(Server_Handshake_State& pending_state,
new Certificate_Req(pending_state.handshake_io(),
pending_state.hash(),
policy(),
- client_auth_CAs,
- pending_state.version()));
+ client_auth_CAs));
/*
SSLv3 allowed clients to skip the Certificate message entirely
diff --git a/src/lib/tls/tls_text_policy.cpp b/src/lib/tls/tls_text_policy.cpp
index d04879a1b..b1b3de13c 100644
--- a/src/lib/tls/tls_text_policy.cpp
+++ b/src/lib/tls/tls_text_policy.cpp
@@ -45,26 +45,11 @@ bool Text_Policy::use_ecc_point_compression() const
return get_bool("use_ecc_point_compression", Policy::use_ecc_point_compression());
}
-bool Text_Policy::allow_tls10() const
- {
- return get_bool("allow_tls10", Policy::allow_tls10());
- }
-
-bool Text_Policy::allow_tls11() const
- {
- return get_bool("allow_tls11", Policy::allow_tls11());
- }
-
bool Text_Policy::allow_tls12() const
{
return get_bool("allow_tls12", Policy::allow_tls12());
}
-bool Text_Policy::allow_dtls10() const
- {
- return get_bool("allow_dtls10", Policy::allow_dtls10());
- }
-
bool Text_Policy::allow_dtls12() const
{
return get_bool("allow_dtls12", Policy::allow_dtls12());
diff --git a/src/lib/tls/tls_version.cpp b/src/lib/tls/tls_version.cpp
index ecbe94897..40a9a83cf 100644
--- a/src/lib/tls/tls_version.cpp
+++ b/src/lib/tls/tls_version.cpp
@@ -50,39 +50,10 @@ bool Protocol_Version::operator>(const Protocol_Version& other) const
bool Protocol_Version::known_version() const
{
- return (m_version == Protocol_Version::TLS_V10 ||
- m_version == Protocol_Version::TLS_V11 ||
- m_version == Protocol_Version::TLS_V12 ||
- m_version == Protocol_Version::DTLS_V10 ||
+ return (m_version == Protocol_Version::TLS_V12 ||
m_version == Protocol_Version::DTLS_V12);
}
-bool Protocol_Version::supports_negotiable_signature_algorithms() const
- {
- return (m_version != Protocol_Version::TLS_V10 &&
- m_version != Protocol_Version::TLS_V11 &&
- m_version != Protocol_Version::DTLS_V10);
- }
-
-bool Protocol_Version::supports_explicit_cbc_ivs() const
- {
- return (m_version != Protocol_Version::TLS_V10);
- }
-
-bool Protocol_Version::supports_ciphersuite_specific_prf() const
- {
- return (m_version != Protocol_Version::TLS_V10 &&
- m_version != Protocol_Version::TLS_V11 &&
- m_version != Protocol_Version::DTLS_V10);
- }
-
-bool Protocol_Version::supports_aead_modes() const
- {
- return (m_version != Protocol_Version::TLS_V10 &&
- m_version != Protocol_Version::TLS_V11 &&
- m_version != Protocol_Version::DTLS_V10);
- }
-
}
}
diff --git a/src/lib/tls/tls_version.h b/src/lib/tls/tls_version.h
index 18e2c0f65..e116819a6 100644
--- a/src/lib/tls/tls_version.h
+++ b/src/lib/tls/tls_version.h
@@ -22,11 +22,7 @@ class BOTAN_PUBLIC_API(2,0) Protocol_Version final
{
public:
enum Version_Code {
- TLS_V10 = 0x0301,
- TLS_V11 = 0x0302,
TLS_V12 = 0x0303,
-
- DTLS_V10 = 0xFEFF,
DTLS_V12 = 0xFEFD
};
@@ -99,23 +95,6 @@ class BOTAN_PUBLIC_API(2,0) Protocol_Version final
bool is_datagram_protocol() const;
/**
- * @return true if this version supports negotiable signature algorithms
- */
- bool supports_negotiable_signature_algorithms() const;
-
- /**
- * @return true if this version uses explicit IVs for block ciphers
- */
- bool supports_explicit_cbc_ivs() const;
-
- /**
- * @return true if this version uses a ciphersuite specific PRF
- */
- bool supports_ciphersuite_specific_prf() const;
-
- bool supports_aead_modes() const;
-
- /**
* @return if this version is equal to other
*/
bool operator==(const Protocol_Version& other) const