aboutsummaryrefslogtreecommitdiffstats
path: root/src/tls/tls_policy.cpp
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-01-25 01:30:42 +0000
committerlloyd <[email protected]>2012-01-25 01:30:42 +0000
commit2e228d51c23ff2633d520fe6b6c05a2b093bccee (patch)
tree5727eefdc267ad94d22e28d3604e849c71faf14a /src/tls/tls_policy.cpp
parentf4874a59ade430938992b00ad5f8939f38003d93 (diff)
Go back to choosing the ciphersuite based on the server's preferences.
The client can constrain their offering if they want to. Add identifiers for PSK suites (not implemented) Rename hide_unknown_srp_users to hide_unknown_users as it can be used for PSK as well.
Diffstat (limited to 'src/tls/tls_policy.cpp')
-rw-r--r--src/tls/tls_policy.cpp22
1 files changed, 9 insertions, 13 deletions
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp
index 38dd21a55..ea3e4f144 100644
--- a/src/tls/tls_policy.cpp
+++ b/src/tls/tls_policy.cpp
@@ -47,6 +47,8 @@ std::vector<std::string> Policy::allowed_key_exchange_methods() const
std::vector<std::string> allowed;
//allowed.push_back("SRP");
+ //allowed.push_back("DH_PSK");
+ //allowed.push_back("PSK");
allowed.push_back("ECDH");
allowed.push_back("DH");
allowed.push_back(""); // means RSA via server cert
@@ -223,29 +225,23 @@ u16bit Policy::choose_suite(const std::vector<u16bit>& client_suites,
bool have_shared_ecc_curve,
bool have_srp) const
{
- for(size_t i = 0; i != client_suites.size(); ++i)
+ std::vector<u16bit> ciphersuites = ciphersuite_list(have_srp);
+
+ for(size_t i = 0; i != ciphersuites.size(); ++i)
{
- const u16bit suite_id = client_suites[i];
+ const u16bit suite_id = ciphersuites[i];
Ciphersuite suite = Ciphersuite::lookup_ciphersuite(suite_id);
- if(suite.cipher_keylen() == 0)
- continue; // not a ciphersuite we know
-
if(!have_shared_ecc_curve)
{
if(suite.kex_algo() == "ECDH" || suite.sig_algo() == "ECDSA")
continue;
}
- if(suite.kex_algo() == "SRP")
- {
- if(have_srp)
- return suite_id;
- else
- continue;
- }
+ if(!value_exists(available_cert_types, suite.sig_algo()))
+ continue;
- if(value_exists(available_cert_types, suite.sig_algo()))
+ if(value_exists(client_suites, suite_id))
return suite_id;
}