aboutsummaryrefslogtreecommitdiffstats
path: root/src/ssl
diff options
context:
space:
mode:
authorlloyd <[email protected]>2010-04-17 18:56:53 +0000
committerlloyd <[email protected]>2010-04-17 18:56:53 +0000
commitaaa9e92697e16278fb91552f075c020f2b4c26cb (patch)
tree1393248e823a35f7134894e60174f0e65a62d876 /src/ssl
parent0abc80f498c6bc2e8f630e34b90d5c6d24c29f58 (diff)
Clean up ciphersuite handling
Diffstat (limited to 'src/ssl')
-rw-r--r--src/ssl/c_kex.cpp4
-rw-r--r--src/ssl/tls_client.cpp19
-rw-r--r--src/ssl/tls_magic.h75
-rw-r--r--src/ssl/tls_policy.cpp26
-rw-r--r--src/ssl/tls_server.cpp8
-rw-r--r--src/ssl/tls_suites.cpp216
-rw-r--r--src/ssl/tls_suites.h16
7 files changed, 273 insertions, 91 deletions
diff --git a/src/ssl/c_kex.cpp b/src/ssl/c_kex.cpp
index e09e18ce1..db2198627 100644
--- a/src/ssl/c_kex.cpp
+++ b/src/ssl/c_kex.cpp
@@ -67,9 +67,7 @@ Client_Key_Exchange::Client_Key_Exchange(const MemoryRegion<byte>& contents,
{
include_length = true;
- if(using_version == SSL_V3 &&
- (suite.kex_type() == CipherSuite::NO_KEX ||
- suite.kex_type() == CipherSuite::RSA_KEX))
+ if(using_version == SSL_V3 && (suite.kex_type() == TLS_ALGO_KEYEXCH_RSA))
include_length = false;
deserialize(contents);
diff --git a/src/ssl/tls_client.cpp b/src/ssl/tls_client.cpp
index fbad1f838..f12dccd69 100644
--- a/src/ssl/tls_client.cpp
+++ b/src/ssl/tls_client.cpp
@@ -123,6 +123,7 @@ TLS_Client::~TLS_Client()
*/
void TLS_Client::initialize()
{
+ std::string error_str;
Alert_Type error_type = NO_ALERT_TYPE;
try {
@@ -133,10 +134,12 @@ void TLS_Client::initialize()
}
catch(TLS_Exception& e)
{
+ error_str = e.what();
error_type = e.type();
}
catch(std::exception& e)
{
+ error_str = e.what();
error_type = HANDSHAKE_FAILURE;
}
@@ -157,7 +160,7 @@ void TLS_Client::initialize()
state = 0;
}
- throw Stream_IO_Error("TLS_Client: Handshake failed");
+ throw Stream_IO_Error("TLS_Client: Handshake failed: " + error_str);
}
}
@@ -419,7 +422,7 @@ void TLS_Client::process_handshake_msg(Handshake_Type type,
{
client_check_state(type, state);
- if(state->suite.sig_type() == CipherSuite::NO_SIG)
+ if(state->suite.sig_type() == TLS_ALGO_SIGNER_ANON)
throw Unexpected_Message("Recived certificate from anonymous server");
state->server_certs = new Certificate(contents);
@@ -445,8 +448,8 @@ void TLS_Client::process_handshake_msg(Handshake_Type type,
throw TLS_Exception(UNSUPPORTED_CERTIFICATE,
"Unknown key type recieved in server kex");
- if((is_dsa && state->suite.sig_type() != CipherSuite::DSA_SIG) ||
- (is_rsa && state->suite.sig_type() != CipherSuite::RSA_SIG))
+ if((is_dsa && state->suite.sig_type() != TLS_ALGO_SIGNER_DSA) ||
+ (is_rsa && state->suite.sig_type() != TLS_ALGO_SIGNER_RSA))
throw TLS_Exception(ILLEGAL_PARAMETER,
"Certificate key type did not match ciphersuite");
}
@@ -454,7 +457,7 @@ void TLS_Client::process_handshake_msg(Handshake_Type type,
{
client_check_state(type, state);
- if(state->suite.kex_type() == CipherSuite::NO_KEX)
+ if(state->suite.kex_type() == TLS_ALGO_KEYEXCH_NOKEX)
throw Unexpected_Message("Unexpected key exchange from server");
state->server_kex = new Server_Key_Exchange(contents);
@@ -474,12 +477,12 @@ void TLS_Client::process_handshake_msg(Handshake_Type type,
throw TLS_Exception(HANDSHAKE_FAILURE,
"Unknown key type recieved in server kex");
- if((is_dh && state->suite.kex_type() != CipherSuite::DH_KEX) ||
- (is_rsa && state->suite.kex_type() != CipherSuite::RSA_KEX))
+ if((is_dh && state->suite.kex_type() != TLS_ALGO_KEYEXCH_DH) ||
+ (is_rsa && state->suite.kex_type() != TLS_ALGO_KEYEXCH_RSA))
throw TLS_Exception(ILLEGAL_PARAMETER,
"Certificate key type did not match ciphersuite");
- if(state->suite.sig_type() != CipherSuite::NO_SIG)
+ if(state->suite.sig_type() != TLS_ALGO_SIGNER_ANON)
{
if(!state->server_kex->verify(peer_certs[0],
state->client_hello->random(),
diff --git a/src/ssl/tls_magic.h b/src/ssl/tls_magic.h
index a6ca1f8d6..35a9fc925 100644
--- a/src/ssl/tls_magic.h
+++ b/src/ssl/tls_magic.h
@@ -1,6 +1,6 @@
/**
-* SSL/TLS Protocol Constants
-* (C) 2004-2006 Jack Lloyd
+* SSL/TLS Protocol Constants
+* (C) 2004-2010 Jack Lloyd
*
* Released under the terms of the Botan license
*/
@@ -96,19 +96,64 @@ enum Certificate_Type {
};
enum Ciphersuite_Code {
- RSA_RC4_MD5 = 0x0004,
- RSA_RC4_SHA = 0x0005,
- RSA_3DES_SHA = 0x000A,
- RSA_AES128_SHA = 0x002F,
- RSA_AES256_SHA = 0x0035,
-
- DHE_RSA_3DES_SHA = 0x0016,
- DHE_RSA_AES128_SHA = 0x0033,
- DHE_RSA_AES256_SHA = 0x0039,
-
- DHE_DSS_3DES_SHA = 0x0013,
- DHE_DSS_AES128_SHA = 0x0032,
- DHE_DSS_AES256_SHA = 0x0038
+ TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
+ TLS_RSA_WITH_RC4_128_SHA = 0x0005,
+
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
+
+ TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
+ TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
+ TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
+ TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
+
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
+
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
+
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
+
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028
+};
+
+/*
+* Form of the ciphersuites broken down by field instead of
+* being randomly assigned codepoints.
+*/
+enum TLS_Ciphersuite_Algos {
+ TLS_ALGO_SIGNER_MASK = 0xFF000000,
+ TLS_ALGO_SIGNER_ANON = 0x01000000,
+ TLS_ALGO_SIGNER_RSA = 0x02000000,
+ TLS_ALGO_SIGNER_DSA = 0x03000000,
+ TLS_ALGO_SIGNER_ECDSA = 0x04000000,
+
+ TLS_ALGO_KEYEXCH_MASK = 0x00FF0000,
+ TLS_ALGO_KEYEXCH_NOKEX = 0x00010000,
+ TLS_ALGO_KEYEXCH_RSA = 0x00020000,
+ TLS_ALGO_KEYEXCH_DH = 0x00030000,
+ TLS_ALGO_KEYEXCH_ECDH = 0x00040000,
+
+ TLS_ALGO_MAC_MASK = 0x0000FF00,
+ TLS_ALGO_MAC_MD5 = 0x00000100,
+ TLS_ALGO_MAC_SHA1 = 0x00000200,
+ TLS_ALGO_MAC_SHA256 = 0x00000300,
+ TLS_ALGO_MAC_SHA384 = 0x00000400,
+
+ TLS_ALGO_CIPHER_MASK = 0x000000FF,
+ TLS_ALGO_CIPHER_RC4_128 = 0x00000001,
+ TLS_ALGO_CIPHER_3DES_CBC = 0x00000002,
+ TLS_ALGO_CIPHER_AES128_CBC = 0x00000003,
+ TLS_ALGO_CIPHER_AES256_CBC = 0x00000004,
+ TLS_ALGO_CIPHER_SEED_CBC = 0x00000005
};
enum Compression_Algo {
diff --git a/src/ssl/tls_policy.cpp b/src/ssl/tls_policy.cpp
index 6138ae193..594f20ebb 100644
--- a/src/ssl/tls_policy.cpp
+++ b/src/ssl/tls_policy.cpp
@@ -1,6 +1,6 @@
/**
-* Policies
-* (C) 2004-2006 Jack Lloyd
+* Policies for TLS
+* (C) 2004-2010 Jack Lloyd
*
* Released under the terms of the Botan license
*/
@@ -29,25 +29,25 @@ std::vector<u16bit> TLS_Policy::suite_list(bool use_rsa,
if(use_edh_dsa)
{
- suites.push_back(DHE_DSS_AES256_SHA);
- suites.push_back(DHE_DSS_AES128_SHA);
- suites.push_back(DHE_DSS_3DES_SHA);
+ suites.push_back(TLS_DHE_DSS_WITH_AES_256_CBC_SHA);
+ suites.push_back(TLS_DHE_DSS_WITH_AES_128_CBC_SHA);
+ suites.push_back(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
}
if(use_edh_rsa)
{
- suites.push_back(DHE_RSA_AES256_SHA);
- suites.push_back(DHE_RSA_AES128_SHA);
- suites.push_back(DHE_RSA_3DES_SHA);
+ suites.push_back(TLS_DHE_RSA_WITH_AES_256_CBC_SHA);
+ suites.push_back(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
+ suites.push_back(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
}
if(use_rsa)
{
- suites.push_back(RSA_AES256_SHA);
- suites.push_back(RSA_AES128_SHA);
- suites.push_back(RSA_3DES_SHA);
- suites.push_back(RSA_RC4_SHA);
- suites.push_back(RSA_RC4_MD5);
+ suites.push_back(TLS_RSA_WITH_AES_256_CBC_SHA);
+ suites.push_back(TLS_RSA_WITH_AES_128_CBC_SHA);
+ suites.push_back(TLS_RSA_WITH_3DES_EDE_CBC_SHA);
+ suites.push_back(TLS_RSA_WITH_RC4_128_SHA);
+ suites.push_back(TLS_RSA_WITH_RC4_128_MD5);
}
if(suites.size() == 0)
diff --git a/src/ssl/tls_server.cpp b/src/ssl/tls_server.cpp
index 47902a71c..4e9c3583f 100644
--- a/src/ssl/tls_server.cpp
+++ b/src/ssl/tls_server.cpp
@@ -358,7 +358,7 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
state->suite = CipherSuite(state->server_hello->ciphersuite());
- if(state->suite.sig_type() != CipherSuite::NO_SIG)
+ if(state->suite.sig_type() != TLS_ALGO_SIGNER_ANON)
{
// FIXME: should choose certs based on sig type
state->server_certs = new Certificate(writer, cert_chain,
@@ -366,14 +366,14 @@ void TLS_Server::process_handshake_msg(Handshake_Type type,
}
state->kex_priv = PKCS8::copy_key(*private_key, rng);
- if(state->suite.kex_type() != CipherSuite::NO_KEX)
+ if(state->suite.kex_type() != TLS_ALGO_KEYEXCH_NOKEX)
{
- if(state->suite.kex_type() == CipherSuite::RSA_KEX)
+ if(state->suite.kex_type() == TLS_ALGO_KEYEXCH_RSA)
{
state->kex_priv = new RSA_PrivateKey(rng,
policy->rsa_export_keysize());
}
- else if(state->suite.kex_type() == CipherSuite::DH_KEX)
+ else if(state->suite.kex_type() == TLS_ALGO_KEYEXCH_DH)
{
state->kex_priv = new DH_PrivateKey(rng, policy->dh_group());
}
diff --git a/src/ssl/tls_suites.cpp b/src/ssl/tls_suites.cpp
index 26fa75428..cf6bd45e5 100644
--- a/src/ssl/tls_suites.cpp
+++ b/src/ssl/tls_suites.cpp
@@ -1,40 +1,188 @@
/**
-* TLS Cipher Suites
-* (C) 2004-2006 Jack Lloyd
+* TLS Cipher Suites
+* (C) 2004-2010 Jack Lloyd
*
* Released under the terms of the Botan license
*/
#include <botan/tls_suites.h>
#include <botan/tls_exceptn.h>
-#include <botan/parsing.h>
-#include <vector>
-#include <string>
namespace Botan {
namespace {
/**
-* Convert an SSL/TLS ciphersuite to a string
+* Convert an SSL/TLS ciphersuite to algorithm fields
*/
-std::string lookup_ciphersuite(u16bit suite)
+TLS_Ciphersuite_Algos lookup_ciphersuite(u16bit suite)
{
- if(suite == RSA_RC4_MD5) return "RSA/NONE/ARC4/16/MD5";
- if(suite == RSA_RC4_SHA) return "RSA/NONE/ARC4/16/SHA1";
- if(suite == RSA_3DES_SHA) return "RSA/NONE/3DES/24/SHA1";
- if(suite == RSA_AES128_SHA) return "RSA/NONE/AES/16/SHA1";
- if(suite == RSA_AES256_SHA) return "RSA/NONE/AES/32/SHA1";
+ if(suite == TLS_RSA_WITH_RC4_128_MD5)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_NOKEX |
+ TLS_ALGO_MAC_MD5 |
+ TLS_ALGO_CIPHER_RC4_128);
+
+ if(suite == TLS_RSA_WITH_RC4_128_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_NOKEX |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_RC4_128);
+
+ if(suite == TLS_RSA_WITH_3DES_EDE_CBC_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_NOKEX |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_3DES_CBC);
+
+ if(suite == TLS_RSA_WITH_AES_128_CBC_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_NOKEX |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_AES128_CBC);
+
+ if(suite == TLS_RSA_WITH_AES_256_CBC_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_NOKEX |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_AES256_CBC);
+
+ if(suite == TLS_RSA_WITH_AES_128_CBC_SHA256)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_NOKEX |
+ TLS_ALGO_MAC_SHA256 |
+ TLS_ALGO_CIPHER_AES128_CBC);
+
+ if(suite == TLS_RSA_WITH_AES_256_CBC_SHA256)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_NOKEX |
+ TLS_ALGO_MAC_SHA256 |
+ TLS_ALGO_CIPHER_AES256_CBC);
+
+ if(suite == TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_3DES_CBC);
+
+ if(suite == TLS_DHE_DSS_WITH_AES_128_CBC_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_AES128_CBC);
+
+ if(suite == TLS_DHE_DSS_WITH_AES_256_CBC_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_AES256_CBC);
+
+ if(suite == TLS_DHE_DSS_WITH_AES_128_CBC_SHA256)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA256 |
+ TLS_ALGO_CIPHER_AES128_CBC);
+
+ if(suite == TLS_DHE_DSS_WITH_AES_256_CBC_SHA256)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA256 |
+ TLS_ALGO_CIPHER_AES256_CBC);
+
+ if(suite == TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_3DES_CBC);
+
+ if(suite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_AES128_CBC);
+
+ if(suite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA1 |
+ TLS_ALGO_CIPHER_AES256_CBC);
+
+ if(suite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA256 |
+ TLS_ALGO_CIPHER_AES128_CBC);
+
+ if(suite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
+ TLS_ALGO_KEYEXCH_DH |
+ TLS_ALGO_MAC_SHA256 |
+ TLS_ALGO_CIPHER_AES256_CBC);
+
+ if(suite == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
+ TLS_ALGO_KEYEXCH_ECDH |
+ TLS_ALGO_MAC_SHA256 |
+ TLS_ALGO_CIPHER_AES128_CBC);
+
+ if(suite == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
+ TLS_ALGO_KEYEXCH_ECDH |
+ TLS_ALGO_MAC_SHA384 |
+ TLS_ALGO_CIPHER_AES256_CBC);
+
+ if(suite == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
+ TLS_ALGO_KEYEXCH_ECDH |
+ TLS_ALGO_MAC_SHA256 |
+ TLS_ALGO_CIPHER_AES128_CBC);
+
+ if(suite == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
+ return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
+ TLS_ALGO_KEYEXCH_ECDH |
+ TLS_ALGO_MAC_SHA384 |
+ TLS_ALGO_CIPHER_AES256_CBC);
+
+ return TLS_Ciphersuite_Algos(0);
+ }
+
+std::pair<std::string, u32bit> cipher_code_to_name(TLS_Ciphersuite_Algos algo)
+ {
+ if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_RC4_128)
+ return std::make_pair("RC4", 128);
+
+ if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_3DES_CBC)
+ return std::make_pair("3DES", 24);
- if(suite == DHE_RSA_3DES_SHA) return "RSA/DH/3DES/24/SHA1";
- if(suite == DHE_RSA_AES128_SHA) return "RSA/DH/AES/16/SHA1";
- if(suite == DHE_RSA_AES256_SHA) return "RSA/DH/AES/32/SHA1";
+ if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_AES128_CBC)
+ return std::make_pair("AES-128", 16);
- if(suite == DHE_DSS_3DES_SHA) return "DSA/DH/3DES/24/SHA1";
- if(suite == DHE_DSS_AES128_SHA) return "DSA/DH/AES/16/SHA1";
- if(suite == DHE_DSS_AES256_SHA) return "DSA/DH/AES/32/SHA1";
+ if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_AES256_CBC)
+ return std::make_pair("AES-256", 32);
- return "";
+ if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_SEED_CBC)
+ return std::make_pair("SEED", 16);
+
+ throw TLS_Exception(INTERNAL_ERROR,
+ "CipherSuite: Unknown cipher type " + to_string(algo));
+ }
+
+std::string mac_code_to_name(TLS_Ciphersuite_Algos algo)
+ {
+ if((algo & TLS_ALGO_MAC_MASK) == TLS_ALGO_MAC_MD5)
+ return "MD5";
+
+ if((algo & TLS_ALGO_MAC_MASK) == TLS_ALGO_MAC_SHA1)
+ return "SHA-1";
+
+ if((algo & TLS_ALGO_MAC_MASK) == TLS_ALGO_MAC_SHA256)
+ return "SHA-256";
+
+ if((algo & TLS_ALGO_MAC_MASK) == TLS_ALGO_MAC_SHA384)
+ return "SHA-384";
+
+ throw TLS_Exception(INTERNAL_ERROR,
+ "CipherSuite: Unknown MAC type " + to_string(algo));
}
}
@@ -47,31 +195,21 @@ CipherSuite::CipherSuite(u16bit suite_code)
if(suite_code == 0)
return;
- std::string suite_string = lookup_ciphersuite(suite_code);
+ TLS_Ciphersuite_Algos algos = lookup_ciphersuite(suite_code);
+
+ if(algos == 0)
+ throw Invalid_Argument("Unknown ciphersuite: " + to_string(suite_code));
- if(suite_string == "")
- throw Invalid_Argument("Unknown ciphersuite: " +
- to_string(suite_code));
+ sig_algo = TLS_Ciphersuite_Algos(algos & TLS_ALGO_SIGNER_MASK);
- std::vector<std::string> suite_info = split_on(suite_string, '/');
+ kex_algo = TLS_Ciphersuite_Algos(algos & TLS_ALGO_KEYEXCH_MASK);
- if(suite_info[0] == "RSA") sig_algo = RSA_SIG;
- else if(suite_info[0] == "DSA") sig_algo = DSA_SIG;
- else if(suite_info[0] == "NONE") sig_algo = NO_SIG;
- else
- throw TLS_Exception(INTERNAL_ERROR,
- "CipherSuite: Unknown sig type " + suite_info[0]);
+ std::pair<std::string, u32bit> cipher_info = cipher_code_to_name(algos);
- if(suite_info[1] == "DH") kex_algo = DH_KEX;
- else if(suite_info[1] == "RSA") kex_algo = RSA_KEX;
- else if(suite_info[1] == "NONE") kex_algo = NO_KEX;
- else
- throw TLS_Exception(INTERNAL_ERROR,
- "CipherSuite: Unknown kex type " + suite_info[1]);
+ cipher = cipher_info.first;
+ cipher_key_length = cipher_info.second;
- cipher = suite_info[2];
- cipher_key_length = to_u32bit(suite_info[3]);
- mac = suite_info[4];
+ mac = mac_code_to_name(algos);
}
}
diff --git a/src/ssl/tls_suites.h b/src/ssl/tls_suites.h
index b7008e8db..837d76422 100644
--- a/src/ssl/tls_suites.h
+++ b/src/ssl/tls_suites.h
@@ -1,6 +1,6 @@
/**
-* Cipher Suites
-* (C) 2004-2006 Jack Lloyd
+* Cipher Suites
+* (C) 2004-2010 Jack Lloyd
*
* Released under the terms of the Botan license
*/
@@ -9,6 +9,7 @@
#define BOTAN_TLS_CIPHERSUITES_H__
#include <botan/types.h>
+#include <botan/tls_magic.h>
#include <string>
namespace Botan {
@@ -19,20 +20,17 @@ namespace Botan {
class BOTAN_DLL CipherSuite
{
public:
- enum Kex_Type { NO_KEX, RSA_KEX, DH_KEX };
- enum Sig_Type { NO_SIG, RSA_SIG, DSA_SIG };
-
std::string cipher_algo() const { return cipher; }
std::string mac_algo() const { return mac; }
u32bit cipher_keylen() const { return cipher_key_length; }
- Kex_Type kex_type() const { return kex_algo; }
- Sig_Type sig_type() const { return sig_algo; }
+
+ TLS_Ciphersuite_Algos kex_type() const { return kex_algo; }
+ TLS_Ciphersuite_Algos sig_type() const { return sig_algo; }
CipherSuite(u16bit = 0);
private:
- Kex_Type kex_algo;
- Sig_Type sig_algo;
+ TLS_Ciphersuite_Algos kex_algo, sig_algo;
std::string cipher, mac;
u32bit cipher_key_length;
};