authorlloyd <[email protected]>2012-01-20 16:04:08 +0000
committerlloyd <[email protected]>2012-01-20 16:04:08 +0000
commitb9980348ccd1687f44f53532f81c605aa4a1d752 (patch)
treeb4dc2953441827e1d670a886a9d6d6f5c30bf127 /src/tls/tls_suites.cpp
parent27e2ba976a410d117b651541a42572d5743d41a0 (diff)
TLS_Ciphersuite_Algos was just a strange level of indirection between
the ciphersuite code and a set of strings specifying the underlying suite algorithms. Remove it entirely. Some things are likely broken. One I know about is that we always send the hash/signature type indicator but should only do so for TLS >= 1.2
Diffstat (limited to 'src/tls/tls_suites.cpp')
-rw-r--r--src/tls/tls_suites.cpp280
1 files changed, 54 insertions, 226 deletions
diff --git a/src/tls/tls_suites.cpp b/src/tls/tls_suites.cpp
index f3a967b3e..46bc4d501 100644
--- a/src/tls/tls_suites.cpp
+++ b/src/tls/tls_suites.cpp
@@ -13,316 +13,144 @@ namespace Botan {
/**
* Convert an SSL/TLS ciphersuite to algorithm fields
*/
-TLS_Ciphersuite_Algos TLS_Cipher_Suite::lookup_ciphersuite(u16bit suite)
+TLS_Ciphersuite TLS_Ciphersuite::lookup_ciphersuite(u16bit suite)
{
+ // RSA ciphersuites
if(suite == TLS_RSA_WITH_RC4_128_MD5)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_NOKEX |
- TLS_ALGO_HASH_MD5 |
- TLS_ALGO_CIPHER_RC4_128);
+ return TLS_Ciphersuite("RSA", "", "MD5", "ARC4", 16);
if(suite == TLS_RSA_WITH_RC4_128_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_NOKEX |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_RC4_128);
+ return TLS_Ciphersuite("RSA", "", "SHA1", "ARC4", 16);
if(suite == TLS_RSA_WITH_3DES_EDE_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_NOKEX |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_3DES_CBC);
+ return TLS_Ciphersuite("RSA", "", "SHA1", "TripleDES", 24);
if(suite == TLS_RSA_WITH_AES_128_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_NOKEX |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("RSA", "", "SHA1", "AES-128", 16);
if(suite == TLS_RSA_WITH_AES_256_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_NOKEX |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("RSA", "", "SHA1", "AES-256", 32);
if(suite == TLS_RSA_WITH_SEED_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_NOKEX |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_SEED_CBC);
+ return TLS_Ciphersuite("RSA", "", "SHA1", "SEED", 16);
if(suite == TLS_RSA_WITH_AES_128_CBC_SHA256)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_NOKEX |
- TLS_ALGO_HASH_SHA256 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("RSA", "", "SHA-256", "AES-128", 16);
if(suite == TLS_RSA_WITH_AES_256_CBC_SHA256)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_NOKEX |
- TLS_ALGO_HASH_SHA256 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("RSA", "", "SHA-256", "AES-256", 32);
+ // DHE/DSS ciphersuites
if(suite == TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_3DES_CBC);
+ return TLS_Ciphersuite("DSA", "DH", "SHA1", "TripleDES", 24);
if(suite == TLS_DHE_DSS_WITH_AES_128_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("DSA", "DH", "SHA1", "AES-128", 16);
if(suite == TLS_DHE_DSS_WITH_SEED_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_SEED_CBC);
+ return TLS_Ciphersuite("DSA", "DH", "SHA1", "SEED", 16);
if(suite == TLS_DHE_DSS_WITH_RC4_128_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_RC4_128);
+ return TLS_Ciphersuite("DSA", "DH", "SHA1", "ARC4", 16);
if(suite == TLS_DHE_DSS_WITH_AES_256_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("DSA", "DH", "SHA1", "AES-256", 32);
if(suite == TLS_DHE_DSS_WITH_AES_128_CBC_SHA256)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA256 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("DSA", "DH", "SHA-256", "AES-128", 16);
if(suite == TLS_DHE_DSS_WITH_AES_256_CBC_SHA256)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA256 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("DSA", "DH", "SHA-256", "AES-256", 32);
+ // DHE/RSA ciphersuites
if(suite == TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_3DES_CBC);
+ return TLS_Ciphersuite("RSA", "DH", "SHA1", "TripleDES", 24);
if(suite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("RSA", "DH", "SHA1", "AES-128", 16);
if(suite == TLS_DHE_DSS_WITH_SEED_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_SEED_CBC);
+ return TLS_Ciphersuite("RSA", "DH", "SHA1", "SEED", 16);
if(suite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("RSA", "DH", "SHA1", "AES-256", 32);
if(suite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA256 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("RSA", "DH", "SHA-256", "AES-128", 16);
if(suite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_DH |
- TLS_ALGO_HASH_SHA256 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("RSA", "DH", "SHA-256", "AES-256", 32);
// SRP ciphersuites
if(suite == TLS_SRP_SHA_RSA_WITH_3DES_EDE_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_SRP |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_3DES_CBC);
+ return TLS_Ciphersuite("RSA", "SRP", "SHA1", "TripleDES", 24);
if(suite == TLS_SRP_SHA_DSS_WITH_3DES_EDE_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_SRP |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_3DES_CBC);
+ return TLS_Ciphersuite("DSA", "SRP", "SHA1", "TripleDES", 24);
if(suite == TLS_SRP_SHA_RSA_WITH_AES_128_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_SRP |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("RSA", "SRP", "SHA1", "AES-128", 16);
if(suite == TLS_SRP_SHA_DSS_WITH_AES_128_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_SRP |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("DSA", "SRP", "SHA1", "AES-128", 16);
if(suite == TLS_SRP_SHA_RSA_WITH_AES_256_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_SRP |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("RSA", "SRP", "SHA1", "AES-256", 32);
if(suite == TLS_SRP_SHA_DSS_WITH_AES_256_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA |
- TLS_ALGO_KEYEXCH_SRP |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("DSA", "SRP", "SHA1", "AES-256", 32);
// ECC ciphersuites
if(suite == TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_RC4_128);
+ return TLS_Ciphersuite("ECDSA", "ECDH", "SHA1", "ARC4", 16);
if(suite == TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_3DES_CBC);
+ return TLS_Ciphersuite("ECDSA", "ECDH", "SHA1", "TripleDES", 24);
if(suite == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("ECDSA", "ECDH", "SHA1", "AES-128", 16);
if(suite == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("ECDSA", "ECDH", "SHA1", "AES-256", 32);
if(suite == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA256 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("ECDSA", "ECDH", "SHA-256", "AES-128", 16);
if(suite == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA384 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("ECDSA", "ECDH", "SHA384", "AES-256", 32);
if(suite == TLS_ECDHE_RSA_WITH_RC4_128_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_RC4_128);
+ return TLS_Ciphersuite("RSA", "ECDH", "SHA1", "ARC4", 16);
if(suite == TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_3DES_CBC);
+ return TLS_Ciphersuite("RSA", "ECDH", "SHA1", "TripleDES", 24);
if(suite == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("RSA", "ECDH", "SHA1", "AES-128", 16);
if(suite == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA1 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("RSA", "ECDH", "SHA1", "AES-256", 32);
if(suite == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA256 |
- TLS_ALGO_CIPHER_AES128_CBC);
+ return TLS_Ciphersuite("ECDSA", "ECDH", "SHA-256", "AES-128", 16);
if(suite == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
- return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA |
- TLS_ALGO_KEYEXCH_ECDH |
- TLS_ALGO_HASH_SHA384 |
- TLS_ALGO_CIPHER_AES256_CBC);
+ return TLS_Ciphersuite("ECDSA", "ECDH", "SHA384", "AES-256", 32);
- return TLS_Ciphersuite_Algos(0);
+ return TLS_Ciphersuite(); // some unknown ciphersuite
}
-std::pair<std::string, size_t>
-TLS_Cipher_Suite::cipher_code_to_name(TLS_Ciphersuite_Algos algo)
+TLS_Ciphersuite::TLS_Ciphersuite(const std::string& sig_algo,
+ const std::string& kex_algo,
+ const std::string& mac_algo,
+ const std::string& cipher_algo,
+ size_t cipher_algo_keylen) :
+ m_sig_algo(sig_algo),
+ m_kex_algo(kex_algo),
+ m_mac_algo(mac_algo),
+ m_cipher_algo(cipher_algo),
+ m_cipher_keylen(cipher_algo_keylen)
{
- if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_RC4_128)
- return std::make_pair("ARC4", 16);
-
- if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_3DES_CBC)
- return std::make_pair("3DES", 24);
-
- if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_AES128_CBC)
- return std::make_pair("AES-128", 16);
-
- if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_AES256_CBC)
- return std::make_pair("AES-256", 32);
-
- if((algo & TLS_ALGO_CIPHER_MASK) == TLS_ALGO_CIPHER_SEED_CBC)
- return std::make_pair("SEED", 16);
-
- throw TLS_Exception(INTERNAL_ERROR,
- "TLS_Cipher_Suite: Unknown cipher type " + to_string(algo));
- }
-
-std::string TLS_Cipher_Suite::hash_code_to_name(TLS_Ciphersuite_Algos algo)
- {
- if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_MD5)
- return "MD5";
-
- if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA1)
- return "SHA-1";
-
- if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA224)
- return "SHA-224";
-
- if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA256)
- return "SHA-256";
-
- if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA384)
- return "SHA-384";
-
- if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA512)
- return "SHA-512";
-
- throw TLS_Exception(INTERNAL_ERROR,
- "TLS_Cipher_Suite: Unknown MAC type " + to_string(algo));
- }
-
-/**
-* TLS_Cipher_Suite Constructor
-*/
-TLS_Cipher_Suite::TLS_Cipher_Suite(u16bit suite_code)
- {
- if(suite_code == 0)
- return;
-
- TLS_Ciphersuite_Algos algos = lookup_ciphersuite(suite_code);
-
- if(algos == 0)
- throw Invalid_Argument("Unknown ciphersuite: " + to_string(suite_code));
-
- sig_algo = TLS_Ciphersuite_Algos(algos & TLS_ALGO_SIGNER_MASK);
-
- kex_algo = TLS_Ciphersuite_Algos(algos & TLS_ALGO_KEYEXCH_MASK);
-
- std::pair<std::string, size_t> cipher_info = cipher_code_to_name(algos);
-
- cipher = cipher_info.first;
- cipher_key_length = cipher_info.second;
-
- mac = hash_code_to_name(algos);
}
}
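Review bot: The last two entries of lookup_ciphersuite, for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, still name the signer as ECDSA, carried over from the old TLS_ALGO_SIGNER_ECDSA flag; both should pass `"RSA"` as the first argument, e.g. `return TLS_Ciphersuite("RSA", "ECDH", "SHA-256", "AES-128", 16);`, so the suite is tied to the right certificate key type. In the DHE/RSA group the SEED branch tests `TLS_DHE_DSS_WITH_SEED_CBC_SHA` a second time, so it is unreachable and the RSA SEED suite falls through to the unknown-suite return; the condition presumably should name the DHE_RSA constant. The hash names are inconsistent: the removed hash_code_to_name returned `"SHA-1"` and `"SHA-384"`, while the new calls pass `"SHA1"` and `"SHA384"` next to `"SHA-256"`, and whether the algorithm lookup accepts the unhyphenated forms is not visible in this hunk. An unknown code now yields a default-constructed `TLS_Ciphersuite()` instead of the `Invalid_Argument` the removed constructor threw, so callers need an explicit check for the empty result before using its algorithm names; a short comment on the final return saying how callers detect it would help.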