diff options
| author | lloyd <[email protected]> | 2013-03-27 16:57:59 +0000 |
|---|---|---|
| committer | lloyd <[email protected]> | 2013-03-27 16:57:59 +0000 |
| commit | 4d69a574d050e010fdc1792ea0c8020bc1a5f55c (patch) | |
| tree | e356db2f929f59c00fc7739641eb30d7de262fda /src/tls | |
| parent | 3bf1f1321c3c78c499d7e44c9fb2ca97b927f5a1 (diff) | |
| parent | 11c7544fe0576571f01973c8861a068895aa8c87 (diff) | |
propagate from branch 'net.randombit.botan' (head b7ac11f48ca4fe8e5aafa01979c5bf087b156d77)
to branch 'net.randombit.botan.aead-modes' (head 061b249cd586d4ff849aaa48c3ec8cf7587acc56)
Diffstat (limited to 'src/tls')
| -rw-r--r-- | src/tls/tls_policy.cpp | 8 | ||||
| -rw-r--r-- | src/tls/tls_policy.h | 7 | ||||
| -rw-r--r-- | src/tls/tls_server.cpp | 15 | ||||
| -rw-r--r-- | src/tls/tls_version.h | 8 |
4 files changed, 33 insertions, 5 deletions
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp index 98e3c6bca..1048e0a62 100644 --- a/src/tls/tls_policy.cpp +++ b/src/tls/tls_policy.cpp @@ -131,6 +131,14 @@ u32bit Policy::session_ticket_lifetime() const bool Policy::acceptable_protocol_version(Protocol_Version version) const { return version.known_version(); // accept any version we know about + + // maybe someday... + //return version >= Protocol_Version::TLS_V11; + } + +bool Policy::server_uses_own_ciphersuite_preferences() const + { + return true; } namespace { diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h index 125faa665..7176f7fd5 100644 --- a/src/tls/tls_policy.h +++ b/src/tls/tls_policy.h @@ -126,6 +126,13 @@ class BOTAN_DLL Policy */ virtual bool acceptable_protocol_version(Protocol_Version version) const; + /** + * @return true if servers should choose the ciphersuite matching + * their highest preference, rather than the clients. + * Has no effect on client side. + */ + virtual bool server_uses_own_ciphersuite_preferences() const; + virtual ~Policy() {} }; diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index 2c393b32d..d8e827b39 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -112,6 +112,8 @@ u16bit choose_ciphersuite( const std::map<std::string, std::vector<X509_Certificate> >& cert_chains, const Client_Hello* client_hello) { + const bool our_choice = policy.server_uses_own_ciphersuite_preferences(); + const bool have_srp = creds.attempt_srp("tls-server", client_hello->sni_hostname()); @@ -128,12 +130,15 @@ u16bit choose_ciphersuite( const bool have_shared_ecc_curve = (policy.choose_curve(client_hello->supported_ecc_curves()) != ""); - // Ordering by our preferences rather than by clients - for(size_t i = 0; i != server_suites.size(); ++i) - { - const u16bit suite_id = server_suites[i]; + std::vector<u16bit> pref_list = server_suites; + std::vector<u16bit> other_list = client_suites; - if(!value_exists(client_suites, suite_id)) + if(!our_choice) + std::swap(pref_list, other_list); + + for(auto suite_id : pref_list) + { + if(!value_exists(other_list, suite_id)) continue; Ciphersuite suite = Ciphersuite::by_id(suite_id); diff --git a/src/tls/tls_version.h b/src/tls/tls_version.h index 39712db27..2fb5365dc 100644 --- a/src/tls/tls_version.h +++ b/src/tls/tls_version.h @@ -129,6 +129,14 @@ class BOTAN_DLL Protocol_Version */ bool operator>(const Protocol_Version& other) const; + /** + * @return if this version is later than or equal to other + */ + bool operator>=(const Protocol_Version& other) const + { + return (*this == other || *this > other); + } + private: u16bit m_version; }; |