authorJack Lloyd <[email protected]>2019-11-09 14:18:46 -0500
committerJack Lloyd <[email protected]>2019-11-10 11:49:05 -0500
commit7bb6053c8c707bdab21a4d5d79e383b935f8bea0 (patch)
tree14684cf4cdc81396c98ccedddfbd04b94f3a4dbe /src/lib
parente9c552d99d1fcf43b624ab436da1bfc6e00e8543 (diff)
Allow disabling TLS 1.0/1.1 and DTLS 1.0 at build time
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/tls/info.txt3
-rw-r--r--src/lib/tls/tls_10/info.txt10
-rw-r--r--src/lib/tls/tls_extensions.cpp4
-rw-r--r--src/lib/tls/tls_policy.cpp33
-rw-r--r--src/lib/tls/tls_server.cpp4
5 files changed, 40 insertions, 14 deletions
diff --git a/src/lib/tls/info.txt b/src/lib/tls/info.txt
index 5fe957217..d81cbb997 100644
--- a/src/lib/tls/info.txt
+++ b/src/lib/tls/info.txt
@@ -45,12 +45,9 @@ eme_pkcs1
emsa_pkcs1
gcm
hmac
-md5
-par_hash
prf_tls
rng
rsa
-sha1
sha2_32
sha2_64
x509
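Review bot: Dropping `md5`, `par_hash` and `sha1` from the base tls module's requirements means a build without the new tls_10 module no longer guarantees SHA-1 is linked in, while TLS 1.2 code paths can still ask for it (a policy that permits SHA-1-based signature schemes, or certificate-path handling); whether those paths degrade to a clean handshake failure when the hash is absent is not visible in this diff and should be confirmed. If a missing hash surfaces as a lookup exception rather than a handshake alert, that is worth fixing alongside this change. A short note in the module description stating that SHA-1/MD5 are now only pulled in by tls_10 would make the dependency intent explicit.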
diff --git a/src/lib/tls/tls_10/info.txt b/src/lib/tls/tls_10/info.txt
new file mode 100644
index 000000000..f85a19992
--- /dev/null
+++ b/src/lib/tls/tls_10/info.txt
@@ -0,0 +1,10 @@
+<defines>
+TLS_V10 -> 20191109
+</defines>
+
+<requires>
+md5
+sha1
+par_hash
+tls_cbc
+</requires>
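Review bot: The `TLS_V10` define introduced here also gates TLS 1.1 and DTLS 1.0 in the code that consumes it, which neither the module name nor the define name conveys; a reader disabling `tls_10` at build time would not expect TLS 1.1 to disappear with it. If the info.txt lexer accepts comment lines, I would add `# Also enables TLS 1.1 and DTLS 1.0; these share the MD5/SHA-1 based PRF and CBC ciphersuites required below` above the `<defines>` block, otherwise the same sentence belongs in the build documentation for this module. The `md5`/`sha1`/`par_hash`/`tls_cbc` requirements match that grouping, so the note is consistent with what the file already declares.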
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp
index 588fee561..631868703 100644
--- a/src/lib/tls/tls_extensions.cpp
+++ b/src/lib/tls/tls_extensions.cpp
@@ -607,17 +607,21 @@ Supported_Versions::Supported_Versions(Protocol_Version offer, const Policy& pol
{
if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12())
m_versions.push_back(Protocol_Version::DTLS_V12);
+#if defined(BOTAN_HAS_TLS_V10)
if(offer >= Protocol_Version::DTLS_V10 && policy.allow_dtls10())
m_versions.push_back(Protocol_Version::DTLS_V10);
+#endif
}
else
{
if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12())
m_versions.push_back(Protocol_Version::TLS_V12);
+#if defined(BOTAN_HAS_TLS_V10)
if(offer >= Protocol_Version::TLS_V11 && policy.allow_tls11())
m_versions.push_back(Protocol_Version::TLS_V11);
if(offer >= Protocol_Version::TLS_V10 && policy.allow_tls10())
m_versions.push_back(Protocol_Version::TLS_V10);
+#endif
}
}
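Review bot: In a build without `BOTAN_HAS_TLS_V10`, a policy whose only enabled versions are TLS 1.0/1.1 (or DTLS 1.0) now leaves `m_versions` empty here without any diagnostic, because the `allow_tls10()`/`allow_tls11()`/`allow_dtls10()` hooks are still present but their branches are compiled out; a supported_versions extension with no entries is not something a peer will accept. Unless every caller is guaranteed to have gone through `Policy::latest_supported_version()` (which throws) first, I would end the constructor with `if(m_versions.empty()) throw Invalid_State("Policy forbids all available TLS versions");` so the mismatch between policy and build surfaces locally. The `Supported_Versions` constructor starts before this hunk, so the guard's placement depends on the surrounding body not visible here.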
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 0e627fdea..17fe288f1 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -277,17 +277,24 @@ bool Policy::send_fallback_scsv(Protocol_Version version) const
bool Policy::acceptable_protocol_version(Protocol_Version version) const
{
- // Uses boolean optimization:
- // First check the current version (left part), then if it is allowed
- // (right part)
- // checks are ordered according to their probability
- return (
- ( ( version == Protocol_Version::TLS_V12) && allow_tls12() ) ||
- ( ( version == Protocol_Version::TLS_V10) && allow_tls10() ) ||
- ( ( version == Protocol_Version::TLS_V11) && allow_tls11() ) ||
- ( ( version == Protocol_Version::DTLS_V12) && allow_dtls12() ) ||
- ( ( version == Protocol_Version::DTLS_V10) && allow_dtls10() )
- );
+ if(version == Protocol_Version::TLS_V12 && allow_tls12())
+ return true;
+
+ if(version == Protocol_Version::DTLS_V12 && allow_dtls12())
+ return true;
+
+#if defined(BOTAN_HAS_TLS_V10)
+
+ if(version == Protocol_Version::TLS_V11 && allow_tls11())
+ return true;
+ if(version == Protocol_Version::TLS_V10 && allow_tls10())
+ return true;
+ if(version == Protocol_Version::DTLS_V10 && allow_dtls10())
+ return true;
+
+#endif
+
+ return false;
}
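Review bot: With the legacy checks compiled out, `allow_tls10()`, `allow_tls11()` and `allow_dtls10()` remain part of the public `Policy` interface but are silently ignored by this function, so a policy author who overrides them to `true` for interoperability gets no indication that the build cannot honour it. A comment above the `#if` would at least document the contract: `// TLS 1.0/1.1 and DTLS 1.0 can only be negotiated when the tls_10 module is compiled in; the corresponding allow_*() policy hooks are ignored otherwise.` The matching statement belongs in the header documentation of those three accessors as well, which is outside this diff.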
Protocol_Version Policy::latest_supported_version(bool datagram) const
@@ -296,18 +303,22 @@ Protocol_Version Policy::latest_supported_version(bool datagram) const
{
if(acceptable_protocol_version(Protocol_Version::DTLS_V12))
return Protocol_Version::DTLS_V12;
+#if defined(BOTAN_HAS_TLS_V10)
if(acceptable_protocol_version(Protocol_Version::DTLS_V10))
return Protocol_Version::DTLS_V10;
+#endif
throw Invalid_State("Policy forbids all available DTLS version");
}
else
{
if(acceptable_protocol_version(Protocol_Version::TLS_V12))
return Protocol_Version::TLS_V12;
+#if defined(BOTAN_HAS_TLS_V10)
if(acceptable_protocol_version(Protocol_Version::TLS_V11))
return Protocol_Version::TLS_V11;
if(acceptable_protocol_version(Protocol_Version::TLS_V10))
return Protocol_Version::TLS_V10;
+#endif
throw Invalid_State("Policy forbids all available TLS version");
}
}
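Review bot: The `Invalid_State` messages at the end of each branch still blame the policy, but after this change the same exception is reached when the policy allows only TLS 1.0/1.1 (or DTLS 1.0) and the tls_10 module is simply not built, which will send users chasing the wrong cause. I would make the non-tls_10 build say so, e.g. guard a second throw with `#if !defined(BOTAN_HAS_TLS_V10)` that reads `throw Invalid_State("Policy forbids all available TLS versions (TLS 1.0/1.1 support is not compiled in)");`, and in passing fix the grammar of the existing strings to "versions". `latest_supported_version` begins before this hunk; only its two branches are visible here.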
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index 33d45b852..e2a0bf242 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -403,18 +403,22 @@ Protocol_Version select_version(const Botan::TLS::Policy& policy,
{
if(policy.allow_dtls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V12)))
return Protocol_Version::DTLS_V12;
+#if defined(BOTAN_HAS_TLS_V10)
if(policy.allow_dtls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V10)))
return Protocol_Version::DTLS_V10;
+#endif
throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared DTLS version");
}
else
{
if(policy.allow_tls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V12)))
return Protocol_Version::TLS_V12;
+#if defined(BOTAN_HAS_TLS_V10)
if(policy.allow_tls11() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V11)))
return Protocol_Version::TLS_V11;
if(policy.allow_tls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V10)))
return Protocol_Version::TLS_V10;
+#endif
throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared TLS version");
}
}
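Review bot: `select_version` re-implements the version/policy gating chain inline, so the `#if defined(BOTAN_HAS_TLS_V10)` logic now has to be kept in sync across this file, tls_policy.cpp and tls_extensions.cpp. Assuming the `Protocol_Version` enumerators are not themselves gated by the macro, each `policy.allow_X()` test here could instead be `policy.acceptable_protocol_version(Protocol_Version::X)`, which already returns false for the legacy versions in such builds, and the `#if` pairs in this function could then be dropped so the build-time decision lives in one place. That would also keep the selection logic identical to what `Policy::latest_supported_version()` uses for the client side. The enclosing function starts before this hunk.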