author | lloyd <[email protected]> | 2012-01-25 01:30:42 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-01-25 01:30:42 +0000 |
commit | 2e228d51c23ff2633d520fe6b6c05a2b093bccee (patch) | |
tree | 5727eefdc267ad94d22e28d3604e849c71faf14a /src/tls | |
parent | f4874a59ade430938992b00ad5f8939f38003d93 (diff) |
Go back to choosing the ciphersuite based on the server's preferences.
The client can constrain their offering if they want to.
Add identifiers for PSK suites (not implemented)
Rename hide_unknown_srp_users to hide_unknown_users as it can be used
for PSK as well.
Diffstat (limited to 'src/tls')
-rw-r--r-- | src/tls/tls_ciphersuite.cpp | 20 | ||||
-rw-r--r-- | src/tls/tls_magic.h | 25 | ||||
-rw-r--r-- | src/tls/tls_policy.cpp | 22 | ||||
-rw-r--r-- | src/tls/tls_policy.h | 12 | ||||
-rw-r--r-- | src/tls/tls_server.cpp | 3 |
5 files changed, 57 insertions, 25 deletions
diff --git a/src/tls/tls_ciphersuite.cpp b/src/tls/tls_ciphersuite.cpp
index ffd1c7810..8653b0841 100644
--- a/src/tls/tls_ciphersuite.cpp
+++ b/src/tls/tls_ciphersuite.cpp
@@ -129,6 +129,26 @@ Ciphersuite Ciphersuite::lookup_ciphersuite(u16bit suite)
       case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
          return Ciphersuite("ECDSA", "ECDH", "SHA-1", "3DES", 24);
 
+#if 0
+      case TLS_PSK_WITH_RC4_128_SHA:
+         return Ciphersuite("", "PSK", "SHA-1", "ARC4", 16);
+      case TLS_PSK_WITH_3DES_EDE_CBC_SHA:
+         return Ciphersuite("", "PSK", "SHA-1", "3DES", 24);
+      case TLS_PSK_WITH_AES_128_CBC_SHA:
+         return Ciphersuite("", "PSK", "SHA-1", "AES-128", 16);
+      case TLS_PSK_WITH_AES_256_CBC_SHA:
+         return Ciphersuite("", "PSK", "SHA-1", "AES-256", 32);
+
+      case TLS_DHE_PSK_WITH_RC4_128_SHA:
+         return Ciphersuite("", "DHE_PSK", "SHA-1", "ARC4", 16);
+      case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA:
+         return Ciphersuite("", "DHE_PSK", "SHA-1", "3DES", 24);
+      case TLS_DHE_PSK_WITH_AES_128_CBC_SHA:
+         return Ciphersuite("", "DHE_PSK", "SHA-1", "AES-128", 16);
+      case TLS_DHE_PSK_WITH_AES_256_CBC_SHA:
+         return Ciphersuite("", "DHE_PSK", "SHA-1", "AES-256", 32);
+#endif
+
       // SRP/RSA ciphersuites
       case TLS_SRP_SHA_RSA_WITH_AES_128_SHA:
diff --git a/src/tls/tls_magic.h b/src/tls/tls_magic.h
index c238f1324..e6a055b57 100644
--- a/src/tls/tls_magic.h
+++ b/src/tls/tls_magic.h
@@ -121,13 +121,6 @@ enum Ciphersuite_Code {
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
    TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
 
-   TLS_SRP_SHA_RSA_WITH_3DES_EDE_SHA = 0xC01B,
-   TLS_SRP_SHA_DSS_WITH_3DES_EDE_SHA = 0xC01C,
-   TLS_SRP_SHA_RSA_WITH_AES_128_SHA = 0xC01E,
-   TLS_SRP_SHA_DSS_WITH_AES_128_SHA = 0xC01F,
-   TLS_SRP_SHA_RSA_WITH_AES_256_SHA = 0xC021,
-   TLS_SRP_SHA_DSS_WITH_AES_256_SHA = 0xC022,
-
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
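Review bot: The PSK entries under `#if 0` reuse an empty sig_algo, `Ciphersuite("", "PSK", ...)`, and elsewhere in this same commit "" already means "RSA via server cert" (`allowed.push_back(""); // means RSA via server cert` in tls_policy.cpp, and `if(sig_algo != "")` gating the Certificate message in tls_server.cpp). Once these suites are enabled, choose_suite's `value_exists(available_cert_types, suite.sig_algo())` test would treat a PSK suite as one that needs an RSA certificate rather than no certificate at all, so "" is carrying two meanings. Before the block is switched on, either give the PSK suites a distinct marker or record the overloading next to the constructor calls, e.g. `// sig_algo "" here means "no certificate", not RSA key transport; choose_suite must learn the difference before this is enabled`. The lookup_ciphersuite switch continues outside the hunk.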
@@ -142,6 +135,24 @@ enum Ciphersuite_Code {
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
 
+   TLS_PSK_WITH_RC4_128_SHA = 0x008A,
+   TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
+   TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
+   TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
+
+   TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
+   TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
+   TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
+   TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
+
+   TLS_SRP_SHA_DSS_WITH_3DES_EDE_SHA = 0xC01C,
+   TLS_SRP_SHA_DSS_WITH_AES_128_SHA = 0xC01F,
+   TLS_SRP_SHA_DSS_WITH_AES_256_SHA = 0xC022,
+
+   TLS_SRP_SHA_RSA_WITH_3DES_EDE_SHA = 0xC01B,
+   TLS_SRP_SHA_RSA_WITH_AES_128_SHA = 0xC01E,
+   TLS_SRP_SHA_RSA_WITH_AES_256_SHA = 0xC021,
+
    /* signalling values that cannot be negotiated */
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
 };
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp
index 38dd21a55..ea3e4f144 100644
--- a/src/tls/tls_policy.cpp
+++ b/src/tls/tls_policy.cpp
@@ -47,6 +47,8 @@ std::vector<std::string> Policy::allowed_key_exchange_methods() const
    std::vector<std::string> allowed;
 
    //allowed.push_back("SRP");
+   //allowed.push_back("DH_PSK");
+   //allowed.push_back("PSK");
    allowed.push_back("ECDH");
    allowed.push_back("DH");
    allowed.push_back(""); // means RSA via server cert
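Review bot: The placeholder `//allowed.push_back("DH_PSK");` does not match the kex_algo string the new Ciphersuite entries use, which is `"DHE_PSK"` (tls_ciphersuite.cpp in this same commit). If allowed_key_exchange_methods() is matched by name against Ciphersuite::kex_algo() when the server's ciphersuite list is built — the "ECDH"/"DH"/"" entries suggest so, but that code is outside the hunk — uncommenting this line as written would never enable the DHE-PSK suites. Suggest `//allowed.push_back("DHE_PSK");` now so the placeholder is correct on the day it is turned on. The function body continues outside the hunk.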
@@ -223,29 +225,23 @@ u16bit Policy::choose_suite(const std::vector<u16bit>& client_suites,
                             bool have_shared_ecc_curve,
                             bool have_srp) const
    {
-   for(size_t i = 0; i != client_suites.size(); ++i)
+   std::vector<u16bit> ciphersuites = ciphersuite_list(have_srp);
+
+   for(size_t i = 0; i != ciphersuites.size(); ++i)
       {
-      const u16bit suite_id = client_suites[i];
+      const u16bit suite_id = ciphersuites[i];
       Ciphersuite suite = Ciphersuite::lookup_ciphersuite(suite_id);
 
-      if(suite.cipher_keylen() == 0)
-         continue; // not a ciphersuite we know
-
       if(!have_shared_ecc_curve)
          {
          if(suite.kex_algo() == "ECDH" || suite.sig_algo() == "ECDSA")
             continue;
          }
 
-      if(suite.kex_algo() == "SRP")
-         {
-         if(have_srp)
-            return suite_id;
-         else
-            continue;
-         }
+      if(!value_exists(available_cert_types, suite.sig_algo()))
          continue;
 
-      if(value_exists(available_cert_types, suite.sig_algo()))
+      if(value_exists(client_suites, suite_id))
          return suite_id;
       }
diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h
index 3a926949a..cd00331a5 100644
--- a/src/tls/tls_policy.h
+++ b/src/tls/tls_policy.h
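Review bot: Dropping `if(suite.cipher_keylen() == 0) continue; // not a ciphersuite we know` removes the only check in this loop that the candidate is a suite lookup_ciphersuite actually knows; the loop now trusts ciphersuite_list(have_srp) completely. That matters in this same commit because the PSK codes are now declared in tls_magic.h while their lookup entries sit under `#if 0`, so an unknown code that reaches this loop presumably yields a default Ciphersuite with an empty sig_algo, and "" is an accepted cert type ("means RSA via server cert"), so such a suite could be selected and only fail later in the handshake. Restoring the one-line guard right after the lookup costs nothing and keeps selection fail-closed regardless of what ciphersuite_list returns. Since the server's list order now decides the outcome, a comment above the loop such as `// server preference: ciphersuite_list() must be ordered strongest first` would record the contract the policy now relies on. The function's tail (the no-match case) is outside the hunk.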
@@ -85,12 +85,14 @@ class BOTAN_DLL Policy
       virtual DL_Group dh_group() const { return DL_Group("modp/ietf/1536"); }
 
       /**
-      * If this function returns false, unknown SRP identifiers will be rejected
-      * with an unknown_psk_identifier alert. Otherwise, a false identifier value
-      * will be used, causing the login to fail without revealing that the username
-      * does not exist on this system.
+      * If this function returns false, unknown SRP/PSK identifiers
+      * will be rejected with an unknown_psk_identifier alert as soon
+      * as the non-existence is identified. Otherwise, a false
+      * identifier value will be used and the protocol allowed to
+      * proceed, causing the login to eventually fail without
+      * revealing that the username does not exist on this system.
       */
-      virtual bool hide_unknown_srp_users() const { return false; }
+      virtual bool hide_unknown_users() const { return false; }
 
       /**
       * @return the minimum version that we are willing to negotiate
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index 8aff79793..b4a5ee5bc 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -9,6 +9,7 @@
 #include <botan/internal/tls_handshake_state.h>
 #include <botan/internal/tls_messages.h>
 #include <botan/internal/stl_util.h>
+#include <botan/internal/assert.h>
 #include <botan/dh.h>
 #include <botan/ecdh.h>
 #include <memory>
@@ -262,6 +263,8 @@ void Server::process_handshake_msg(Handshake_Type type,
 
          if(sig_algo != "")
             {
+            BOTAN_ASSERT(!cert_chains[sig_algo].empty(), "Chose the wrong cert type");
+
             state->server_certs = new Certificate(writer,
                                                   state->hash,
                                                   cert_chains[sig_algo]);
|
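Review bot: Renaming the virtual `hide_unknown_srp_users()` to `hide_unknown_users()` means any Policy subclass that overrode the old name to return true keeps compiling but no longer overrides anything, so it silently falls back to the base default of `false` and starts revealing username existence through the unknown_psk_identifier alert — a fail-open change for exactly the deployments that opted into the protection. Consider keeping a deprecated forwarder for one release, `virtual bool hide_unknown_srp_users() const { return false; }` with the new hook defaulting to `virtual bool hide_unknown_users() const { return hide_unknown_srp_users(); }`, or at minimum call the rename out in the release notes. The new comment could also say that the fake-identifier path only hides anything if the server makes the bogus login indistinguishable from a real failed one in both alert type and timing, since that is the property callers are relying on.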
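Review bot: The added `BOTAN_ASSERT(!cert_chains[sig_algo].empty(), "Chose the wrong cert type");` is the only guard between a suite chosen from client-influenced input and sending a Certificate message built from `cert_chains[sig_algo]`; if BOTAN_ASSERT is compiled out in some build configurations (not visible here), an empty chain would go out on the wire instead of aborting. If cert_chains is a std::map, `operator[]` also default-inserts an entry for a missing sig_algo, so the assert fires on a freshly created empty vector rather than detecting the absent key directly. A check that survives every build, e.g. `if(cert_chains[sig_algo].empty()) throw Internal_Error("Chose the wrong cert type");`, would keep the handshake fail-closed. The enclosing process_handshake_msg body starts and ends outside the hunk.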