diff options
author | lloyd <[email protected]> | 2012-01-25 01:30:42 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-01-25 01:30:42 +0000 |
commit | 2e228d51c23ff2633d520fe6b6c05a2b093bccee (patch) | |
tree | 5727eefdc267ad94d22e28d3604e849c71faf14a /src/tls/tls_policy.cpp | |
parent | f4874a59ade430938992b00ad5f8939f38003d93 (diff) |
Go back to choosing the ciphersuite based on the server's preferences.
The client can constrain their offering if they want to.
Add identifiers for PSK suites (not implemented)
Rename hide_unknown_srp_users to hide_unknown_users as it can be used
for PSK as well.
Diffstat (limited to 'src/tls/tls_policy.cpp')
-rw-r--r-- | src/tls/tls_policy.cpp | 22 |
1 files changed, 9 insertions, 13 deletions
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp index 38dd21a55..ea3e4f144 100644 --- a/src/tls/tls_policy.cpp +++ b/src/tls/tls_policy.cpp @@ -47,6 +47,8 @@ std::vector<std::string> Policy::allowed_key_exchange_methods() const std::vector<std::string> allowed; //allowed.push_back("SRP"); + //allowed.push_back("DH_PSK"); + //allowed.push_back("PSK"); allowed.push_back("ECDH"); allowed.push_back("DH"); allowed.push_back(""); // means RSA via server cert @@ -223,29 +225,23 @@ u16bit Policy::choose_suite(const std::vector<u16bit>& client_suites, bool have_shared_ecc_curve, bool have_srp) const { - for(size_t i = 0; i != client_suites.size(); ++i) + std::vector<u16bit> ciphersuites = ciphersuite_list(have_srp); + + for(size_t i = 0; i != ciphersuites.size(); ++i) { - const u16bit suite_id = client_suites[i]; + const u16bit suite_id = ciphersuites[i]; Ciphersuite suite = Ciphersuite::lookup_ciphersuite(suite_id); - if(suite.cipher_keylen() == 0) - continue; // not a ciphersuite we know - if(!have_shared_ecc_curve) { if(suite.kex_algo() == "ECDH" || suite.sig_algo() == "ECDSA") continue; } - if(suite.kex_algo() == "SRP") - { - if(have_srp) - return suite_id; - else - continue; - } + if(!value_exists(available_cert_types, suite.sig_algo())) + continue; - if(value_exists(available_cert_types, suite.sig_algo())) + if(value_exists(client_suites, suite_id)) return suite_id; } |