diff options
| author | lloyd <[email protected]> | 2011-12-31 03:26:57 +0000 |
|---|---|---|
| committer | lloyd <[email protected]> | 2011-12-31 03:26:57 +0000 |
| commit | 52b9356cec6c5ad9a5d00a8ecbbad10a672787e8 (patch) | |
| tree | db360c3b39e550e24ad143c09ca087484d5cfd8d /src/tls | |
| parent | 074ea8fdee34a668c57b19b474468a7e4d581567 (diff) | |
Some basic infrastructure pieces for SRP (policy, etc)
Diffstat (limited to 'src/tls')
| -rw-r--r-- | src/tls/hello.cpp | 4 | ||||
| -rw-r--r-- | src/tls/tls_client.cpp | 9 | ||||
| -rw-r--r-- | src/tls/tls_client.h | 6 | ||||
| -rw-r--r-- | src/tls/tls_magic.h | 3 | ||||
| -rw-r--r-- | src/tls/tls_policy.cpp | 37 | ||||
| -rw-r--r-- | src/tls/tls_policy.h | 10 |
6 files changed, 46 insertions, 23 deletions
diff --git a/src/tls/hello.cpp b/src/tls/hello.cpp index 08d8eee8e..49115fd62 100644 --- a/src/tls/hello.cpp +++ b/src/tls/hello.cpp @@ -74,7 +74,7 @@ Client_Hello::Client_Hello(Record_Writer& writer, const std::string& srp_identifier) : c_version(policy.pref_version()), c_random(rng.random_vec(32)), - suites(policy.ciphersuites()), + suites(policy.ciphersuites(srp_identifier != "")), comp_methods(policy.compression()), requested_hostname(hostname), requested_srp_id(srp_identifier), @@ -303,7 +303,7 @@ Server_Hello::Server_Hello(Record_Writer& writer, have_dsa = true; } - suite = policy.choose_suite(c_hello.ciphersuites(), have_rsa, have_dsa); + suite = policy.choose_suite(c_hello.ciphersuites(), have_rsa, have_dsa, false); if(suite == 0) throw TLS_Exception(HANDSHAKE_FAILURE, diff --git a/src/tls/tls_client.cpp b/src/tls/tls_client.cpp index 9942c2d44..1d9554ee8 100644 --- a/src/tls/tls_client.cpp +++ b/src/tls/tls_client.cpp @@ -13,8 +13,6 @@ #include <botan/dsa.h> #include <botan/dh.h> -#include <stdio.h> - namespace Botan { /* @@ -27,7 +25,8 @@ TLS_Client::TLS_Client(std::tr1::function<void (const byte[], size_t)> output_fn const TLS_Policy& policy, RandomNumberGenerator& rng, const std::string& hostname, - const std::string& srp_identifier) : + const std::string& srp_identifier, + const std::string& srp_password) : TLS_Channel(output_fn, proc_fn, handshake_fn), policy(policy), rng(rng), @@ -176,8 +175,8 @@ void TLS_Client::process_handshake_msg(Handshake_Type type, // successful resumption /* - In this case, we offered the original session and the server - must resume with it + * In this case, we offered the original session and the server + * must resume with it */ if(state->server_hello->version() != state->client_hello->version()) throw TLS_Exception(HANDSHAKE_FAILURE, diff --git a/src/tls/tls_client.h b/src/tls/tls_client.h index 0f654a40f..eccddef6f 100644 --- a/src/tls/tls_client.h +++ b/src/tls/tls_client.h @@ -29,7 +29,8 @@ class BOTAN_DLL TLS_Client : public TLS_Channel * @param policy specifies other connection policy information * @param rng a random number generator * @param servername the server's DNS name, if known - * @param srp_username an identifier to use for SRP key exchange + * @param srp_username a SRP identifier to use for SRP key exchange + * @param srp_password a SRP password to use for SRP key exchange */ TLS_Client(std::tr1::function<void (const byte[], size_t)> socket_output_fn, std::tr1::function<void (const byte[], size_t, u16bit)> proc_fn, @@ -38,7 +39,8 @@ class BOTAN_DLL TLS_Client : public TLS_Channel const TLS_Policy& policy, RandomNumberGenerator& rng, const std::string& servername = "", - const std::string& srp_username = ""); + const std::string& srp_username = "", + const std::string& srp_password = ""); void add_client_cert(const X509_Certificate& cert, Private_Key* cert_key); diff --git a/src/tls/tls_magic.h b/src/tls/tls_magic.h index e20788ea3..a87739b5a 100644 --- a/src/tls/tls_magic.h +++ b/src/tls/tls_magic.h @@ -126,13 +126,10 @@ enum Ciphersuite_Code { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B, TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A, - TLS_SRP_SHA_WITH_3DES_EDE_SHA = 0xC01A, TLS_SRP_SHA_RSA_WITH_3DES_EDE_SHA = 0xC01B, TLS_SRP_SHA_DSS_WITH_3DES_EDE_SHA = 0xC01C, - TLS_SRP_SHA_WITH_AES_128_SHA = 0xC01D, TLS_SRP_SHA_RSA_WITH_AES_128_SHA = 0xC01E, TLS_SRP_SHA_DSS_WITH_AES_128_SHA = 0xC01F, - TLS_SRP_SHA_WITH_AES_256_SHA = 0xC020, TLS_SRP_SHA_RSA_WITH_AES_256_SHA = 0xC021, TLS_SRP_SHA_DSS_WITH_AES_256_SHA = 0xC022, diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp index b73ff7850..596f5e53e 100644 --- a/src/tls/tls_policy.cpp +++ b/src/tls/tls_policy.cpp @@ -13,9 +13,10 @@ namespace Botan { /* * Return allowed ciphersuites */ -std::vector<u16bit> TLS_Policy::ciphersuites() const +std::vector<u16bit> TLS_Policy::ciphersuites(bool have_srp) const { - return suite_list(allow_static_rsa(), allow_edh_rsa(), allow_edh_dsa()); + return suite_list(allow_static_rsa(), allow_edh_rsa(), allow_edh_dsa(), + allow_srp() && have_srp); } /* @@ -23,10 +24,28 @@ std::vector<u16bit> TLS_Policy::ciphersuites() const */ std::vector<u16bit> TLS_Policy::suite_list(bool use_rsa, bool use_edh_rsa, - bool use_edh_dsa) const + bool use_edh_dsa, + bool use_srp) const { std::vector<u16bit> suites; + if(use_srp) + { + if(use_edh_rsa) + { + suites.push_back(TLS_SRP_SHA_DSS_WITH_AES_256_SHA); + suites.push_back(TLS_SRP_SHA_DSS_WITH_AES_128_SHA); + suites.push_back(TLS_SRP_SHA_DSS_WITH_3DES_EDE_SHA); + } + + if(use_edh_dsa) + { + suites.push_back(TLS_SRP_SHA_RSA_WITH_AES_256_SHA); + suites.push_back(TLS_SRP_SHA_RSA_WITH_AES_128_SHA); + suites.push_back(TLS_SRP_SHA_RSA_WITH_3DES_EDE_SHA); + } + } + if(use_edh_dsa) { suites.push_back(TLS_DHE_DSS_WITH_AES_256_CBC_SHA); @@ -75,14 +94,16 @@ std::vector<byte> TLS_Policy::compression() const */ u16bit TLS_Policy::choose_suite(const std::vector<u16bit>& c_suites, bool have_rsa, - bool have_dsa) const + bool have_dsa, + bool have_srp) const { - bool use_static_rsa = allow_static_rsa() && have_rsa; - bool use_edh_rsa = allow_edh_rsa() && have_rsa; - bool use_edh_dsa = allow_edh_dsa() && have_dsa; + const bool use_static_rsa = allow_static_rsa() && have_rsa; + const bool use_edh_rsa = allow_edh_rsa() && have_rsa; + const bool use_edh_dsa = allow_edh_dsa() && have_dsa; + const bool use_srp = allow_srp() && have_srp; std::vector<u16bit> s_suites = suite_list(use_static_rsa, use_edh_rsa, - use_edh_dsa); + use_edh_dsa, use_srp); for(size_t i = 0; i != s_suites.size(); ++i) for(size_t j = 0; j != c_suites.size(); ++j) diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h index dd38f3574..48ff9185e 100644 --- a/src/tls/tls_policy.h +++ b/src/tls/tls_policy.h @@ -22,18 +22,21 @@ namespace Botan { class BOTAN_DLL TLS_Policy { public: - std::vector<u16bit> ciphersuites() const; + std::vector<u16bit> ciphersuites(bool have_srp) const; virtual std::vector<byte> compression() const; virtual u16bit choose_suite(const std::vector<u16bit>& client_suites, bool rsa_ok, - bool dsa_ok) const; + bool dsa_ok, + bool srp_ok) const; virtual byte choose_compression(const std::vector<byte>& client) const; virtual bool allow_static_rsa() const { return true; } virtual bool allow_edh_rsa() const { return true; } virtual bool allow_edh_dsa() const { return true; } + virtual bool allow_srp() const { return true; } + virtual bool require_client_auth() const { return false; } virtual bool require_secure_renegotiation() const { return true; } @@ -57,7 +60,8 @@ class BOTAN_DLL TLS_Policy private: virtual std::vector<u16bit> suite_list(bool use_rsa, bool use_edh_rsa, - bool use_edh_dsa) const; + bool use_edh_dsa, + bool use_srp) const; }; } |