authorlloyd <[email protected]>2012-06-29 14:55:56 +0000
committerlloyd <[email protected]>2012-06-29 14:55:56 +0000
commitc0a3a3046dbc39b05056f5539e68060c67a25f17 (patch)
treed3e0c8253125375a32bcd0c0ef0d281a981326cf /src/tls/tls_policy.cpp
parent4b1568e323f95015cb217bf3d1b6a80bf786230e (diff)
Split TLS::Policy::allowed_hashes into allowed_signature_hashes and
allowed_macs. This allows someone to turn on MD5 for message auth, which is a little sketchy but probably OK, without also (likely unintentionally) enabling MD5 for TLS v1.2 signatures, which would be a big problem. Prioritize RC4 over 3DES in default policy. Disable ECC curves smaller than 224 bits by default. More updates to the TLS policy documentation.
Diffstat (limited to 'src/tls/tls_policy.cpp')
-rw-r--r--src/tls/tls_policy.cpp43
1 files changed, 26 insertions, 17 deletions
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp
index 87f8b5a14..c48ed274e 100644
--- a/src/tls/tls_policy.cpp
+++ b/src/tls/tls_policy.cpp
@@ -21,15 +21,15 @@ std::vector<std::string> Policy::allowed_ciphers() const
return std::vector<std::string>({
"AES-256",
"AES-128",
- "3DES",
"ARC4",
+ "3DES",
//"Camellia-256",
//"Camellia-128",
//"SEED"
});
}
-std::vector<std::string> Policy::allowed_hashes() const
+std::vector<std::string> Policy::allowed_signature_hashes() const
{
return std::vector<std::string>({
"SHA-512",
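Review bot: Renaming `allowed_hashes()` to `allowed_signature_hashes()` at the end of this hunk can leave an application policy that overrode the old name silently unused, assuming these Policy accessors are virtual, as the commit message's talk of turning MD5 on suggests. Unless the subclass marks its method `override`, it would still compile but fall back to the default signature-hash and MAC lists, loosening whatever restriction it had. Consider keeping a declaration of the old name that fails the build, or calling the rename out in the release notes. Separately, the new ARC4-before-3DES order in `allowed_ciphers()` carries no rationale; a comment such as `// ARC4 ahead of 3DES: <reason the stream cipher is preferred over the CBC suite>` would let a later reader judge whether it still holds. Both function bodies extend outside the hunk.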
@@ -41,6 +41,16 @@ std::vector<std::string> Policy::allowed_hashes() const
});
}
+std::vector<std::string> Policy::allowed_macs() const
+ {
+ return std::vector<std::string>({
+ "SHA-384",
+ "SHA-256",
+ "SHA-1",
+ //"MD5",
+ });
+ }
+
std::vector<std::string> Policy::allowed_key_exchange_methods() const
{
return std::vector<std::string>({
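Review bot: `allowed_macs()` has no comment saying that the list is in preference order, or why `MD5` appears only as a commented-out entry. The comparator later in this diff walks `m_macs` front to back and the first match wins, so the order is policy rather than decoration. I would add above the return `// Preference order, most preferred first. MD5 is off by default; enabling it here affects record MACs only, not TLS 1.2 signature hashes.` The hunk ends inside `allowed_key_exchange_methods()`, which is unchanged.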
@@ -73,11 +83,11 @@ std::vector<std::string> Policy::allowed_ecc_curves() const
"secp256k1",
"secp224r1",
"secp224k1",
- "secp192r1",
- "secp192k1",
- "secp160r2",
- "secp160r1",
- "secp160k1",
+ //"secp192r1",
+ //"secp192k1",
+ //"secp160r2",
+ //"secp160r1",
+ //"secp160k1",
});
}
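Review bot: The 224-bit floor in `allowed_ecc_curves()` is expressed only by commenting out the five smaller curves, so the rule itself is not stated anywhere in the code. A one-line comment above the disabled entries, `// Curves smaller than 224 bits are disabled by default`, would keep a later edit from re-enabling one without noticing the threshold. Whether a curve chosen by the peer is checked against this list is not visible here and is worth confirming, since the default only helps if it is enforced on receipt as well. The function starts outside the hunk.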
@@ -136,10 +146,10 @@ class Ciphersuite_Preference_Ordering
{
public:
Ciphersuite_Preference_Ordering(const std::vector<std::string>& ciphers,
- const std::vector<std::string>& hashes,
+ const std::vector<std::string>& macs,
const std::vector<std::string>& kex,
const std::vector<std::string>& sigs) :
- m_ciphers(ciphers), m_hashes(hashes), m_kex(kex), m_sigs(sigs) {}
+ m_ciphers(ciphers), m_macs(macs), m_kex(kex), m_sigs(sigs) {}
bool operator()(const Ciphersuite& a, const Ciphersuite& b) const
{
@@ -186,11 +196,11 @@ class Ciphersuite_Preference_Ordering
if(a.mac_algo() != b.mac_algo())
{
- for(size_t i = 0; i != m_hashes.size(); ++i)
+ for(size_t i = 0; i != m_macs.size(); ++i)
{
- if(a.mac_algo() == m_hashes[i])
+ if(a.mac_algo() == m_macs[i])
return true;
- if(b.mac_algo() == m_hashes[i])
+ if(b.mac_algo() == m_macs[i])
return false;
}
}
@@ -198,8 +208,7 @@ class Ciphersuite_Preference_Ordering
return false; // equal (?!?)
}
private:
- std::vector<std::string> m_ciphers, m_hashes, m_kex, m_sigs;
-
+ std::vector<std::string> m_ciphers, m_macs, m_kex, m_sigs;
};
}
@@ -208,11 +217,11 @@ std::vector<u16bit> ciphersuite_list(const Policy& policy,
bool have_srp)
{
const std::vector<std::string> ciphers = policy.allowed_ciphers();
- const std::vector<std::string> hashes = policy.allowed_hashes();
+ const std::vector<std::string> macs = policy.allowed_macs();
const std::vector<std::string> kex = policy.allowed_key_exchange_methods();
const std::vector<std::string> sigs = policy.allowed_signature_methods();
- Ciphersuite_Preference_Ordering order(ciphers, hashes, kex, sigs);
+ Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
std::set<Ciphersuite, Ciphersuite_Preference_Ordering> ciphersuites(order);
@@ -227,7 +236,7 @@ std::vector<u16bit> ciphersuite_list(const Policy& policy,
if(!value_exists(ciphers, suite.cipher_algo()))
continue; // unsupported cipher
- if(!value_exists(hashes, suite.mac_algo()))
+ if(!value_exists(macs, suite.mac_algo()))
continue; // unsupported MAC algo
if(!value_exists(sigs, suite.sig_algo()))