authorlloyd <[email protected]>2012-04-02 17:03:04 +0000
committerlloyd <[email protected]>2012-04-02 17:03:04 +0000
commit0b7fb2651b187097e9c89e37e2672ff28830371a (patch)
tree72a3866681bd2299d1651a66e05f9ec374cf80d8 /src/tls
parent7f0df78e77eedaf299a8dcbea2d10290b99d3521 (diff)
Add anonymous DH/ECDH ciphersuites to the cipher list. Interop checked
against OpenSSL. One big issue that needs to be resolved is that with these ciphersuites available to be negotiated, we want to make sure they are only used when the application/user expects them to be. The problem is that PSK and SRP are "anonymous" but authenticated via the shared secret. We need to be able to distinguish these on a policy level. Otherwise a MITM could simply offer anon DH, which would be somewhat unfortunate. A client could detect this in the handshake callback, but might not. In the short term, to ensure this doesn't occur, disable both anon DH and PSK/SRP in the default policy.
Diffstat (limited to 'src/tls')
-rw-r--r--src/tls/tls_policy.cpp7
-rw-r--r--src/tls/tls_suite_info.cpp73
2 files changed, 62 insertions, 18 deletions
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp
index 59f3ce50c..a2c0d01f8 100644
--- a/src/tls/tls_policy.cpp
+++ b/src/tls/tls_policy.cpp
@@ -23,7 +23,8 @@ std::vector<std::string> Policy::allowed_ciphers() const
allowed.push_back("AES-128");
allowed.push_back("3DES");
allowed.push_back("ARC4");
- // Note that Camellia and SEED are not included by default
+ //allowed.push_back("Camellia");
+ //allowed.push_back("SEED");
return allowed;
}
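Review bot: The commented-out `//allowed.push_back("Camellia");` and `//allowed.push_back("SEED");` replace a sentence that said these ciphers are deliberately left out by default, so a reader can no longer tell a policy decision from disabled leftovers; the `//allowed.push_back("MD5");` line in the allowed_hashes hunk below has the same problem. Keeping the reason beside the disabled calls would preserve it, e.g. a `// Not enabled by default:` line above them. For MD5 this matters more now that the commit adds DH_anon_WITH_RC4_128_MD5 to the suite table, since that entry presumably stays non-negotiable only while "MD5" (and the empty signature name) are absent from the policy lists. Both function bodies begin outside their hunks.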
@@ -37,7 +38,7 @@ std::vector<std::string> Policy::allowed_hashes() const
allowed.push_back("SHA-256");
allowed.push_back("SHA-224");
allowed.push_back("SHA-1");
- // Note that MD5 is not included by default
+ //allowed.push_back("MD5");
return allowed;
}
@@ -64,7 +65,7 @@ std::vector<std::string> Policy::allowed_signature_methods() const
allowed.push_back("ECDSA");
allowed.push_back("RSA");
allowed.push_back("DSA");
- allowed.push_back("");
+ //allowed.push_back("");
return allowed;
}
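Review bot: The commented-out `//allowed.push_back("");` in allowed_signature_methods has no in-code reason, yet by the look of the suite table it is the only policy value that separates the unauthenticated suites from the authenticated ones. In tls_suite_info.cpp the DH_anon and ECDH_anon entries pass `""` as the first argument (apparently the signature method), the same value the PSK and SRP_SHA entries use, and their key-exchange names `"DH"`/`"ECDH"` are shared with the DHE_RSA/ECDHE_RSA entries. Anyone who restores this line to get PSK therefore also makes anonymous DH/ECDH negotiable. A comment in its place would record that, e.g. `// "" (no signature) is off by default: it matches the anon DH/ECDH suites as well as PSK/SRP`. The function body begins outside the hunk, so how callers filter on this list is inferred rather than visible here.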
diff --git a/src/tls/tls_suite_info.cpp b/src/tls/tls_suite_info.cpp
index 12cf818b2..0b76842af 100644
--- a/src/tls/tls_suite_info.cpp
+++ b/src/tls/tls_suite_info.cpp
@@ -13,13 +13,12 @@ namespace TLS {
Ciphersuite Ciphersuite::by_id(u16bit suite)
{
+ // Automatically generated by a Python script from the IANA values
+
switch(suite)
{
-
- // Automatically generated by a Python script from the IANA values
-
case 0x0013: // DHE_DSS_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("DSA", "DH", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("DSA", "DH", "SHA-1", "3DES", 24);
case 0x0032: // DHE_DSS_WITH_AES_128_CBC_SHA
return Ciphersuite("DSA", "DH", "SHA-1", "AES-128", 16);
@@ -52,7 +51,7 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
return Ciphersuite("DSA", "DH", "SHA-1", "SEED", 16);
case 0x008F: // DHE_PSK_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("", "DHE_PSK", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("", "DHE_PSK", "SHA-1", "3DES", 24);
case 0x0090: // DHE_PSK_WITH_AES_128_CBC_SHA
return Ciphersuite("", "DHE_PSK", "SHA-1", "AES-128", 16);
@@ -76,7 +75,7 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
return Ciphersuite("", "DHE_PSK", "SHA-1", "ARC4", 16);
case 0x0016: // DHE_RSA_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("RSA", "DH", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("RSA", "DH", "SHA-1", "3DES", 24);
case 0x0033: // DHE_RSA_WITH_AES_128_CBC_SHA
return Ciphersuite("RSA", "DH", "SHA-1", "AES-128", 16);
@@ -105,8 +104,41 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
case 0x009A: // DHE_RSA_WITH_SEED_CBC_SHA
return Ciphersuite("RSA", "DH", "SHA-1", "SEED", 16);
+ case 0x001B: // DH_anon_WITH_3DES_EDE_CBC_SHA
+ return Ciphersuite("", "DH", "SHA-1", "3DES", 24);
+
+ case 0x0034: // DH_anon_WITH_AES_128_CBC_SHA
+ return Ciphersuite("", "DH", "SHA-1", "AES-128", 16);
+
+ case 0x006C: // DH_anon_WITH_AES_128_CBC_SHA256
+ return Ciphersuite("", "DH", "SHA-256", "AES-128", 16);
+
+ case 0x003A: // DH_anon_WITH_AES_256_CBC_SHA
+ return Ciphersuite("", "DH", "SHA-1", "AES-256", 32);
+
+ case 0x006D: // DH_anon_WITH_AES_256_CBC_SHA256
+ return Ciphersuite("", "DH", "SHA-256", "AES-256", 32);
+
+ case 0x0046: // DH_anon_WITH_CAMELLIA_128_CBC_SHA
+ return Ciphersuite("", "DH", "SHA-1", "Camellia", 16);
+
+ case 0x00BF: // DH_anon_WITH_CAMELLIA_128_CBC_SHA256
+ return Ciphersuite("", "DH", "SHA-256", "Camellia", 16);
+
+ case 0x0089: // DH_anon_WITH_CAMELLIA_256_CBC_SHA
+ return Ciphersuite("", "DH", "SHA-1", "Camellia", 32);
+
+ case 0x00C5: // DH_anon_WITH_CAMELLIA_256_CBC_SHA256
+ return Ciphersuite("", "DH", "SHA-256", "Camellia", 32);
+
+ case 0x0018: // DH_anon_WITH_RC4_128_MD5
+ return Ciphersuite("", "DH", "MD5", "ARC4", 16);
+
+ case 0x009B: // DH_anon_WITH_SEED_CBC_SHA
+ return Ciphersuite("", "DH", "SHA-1", "SEED", 16);
+
case 0xC008: // ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("ECDSA", "ECDH", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("ECDSA", "ECDH", "SHA-1", "3DES", 24);
case 0xC009: // ECDHE_ECDSA_WITH_AES_128_CBC_SHA
return Ciphersuite("ECDSA", "ECDH", "SHA-1", "AES-128", 16);
@@ -130,7 +162,7 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
return Ciphersuite("ECDSA", "ECDH", "SHA-1", "ARC4", 16);
case 0xC034: // ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("", "ECDHE_PSK", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("", "ECDHE_PSK", "SHA-1", "3DES", 24);
case 0xC035: // ECDHE_PSK_WITH_AES_128_CBC_SHA
return Ciphersuite("", "ECDHE_PSK", "SHA-1", "AES-128", 16);
@@ -154,7 +186,7 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
return Ciphersuite("", "ECDHE_PSK", "SHA-1", "ARC4", 16);
case 0xC012: // ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("RSA", "ECDH", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("RSA", "ECDH", "SHA-1", "3DES", 24);
case 0xC013: // ECDHE_RSA_WITH_AES_128_CBC_SHA
return Ciphersuite("RSA", "ECDH", "SHA-1", "AES-128", 16);
@@ -177,8 +209,20 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
case 0xC011: // ECDHE_RSA_WITH_RC4_128_SHA
return Ciphersuite("RSA", "ECDH", "SHA-1", "ARC4", 16);
+ case 0xC017: // ECDH_anon_WITH_3DES_EDE_CBC_SHA
+ return Ciphersuite("", "ECDH", "SHA-1", "3DES", 24);
+
+ case 0xC018: // ECDH_anon_WITH_AES_128_CBC_SHA
+ return Ciphersuite("", "ECDH", "SHA-1", "AES-128", 16);
+
+ case 0xC019: // ECDH_anon_WITH_AES_256_CBC_SHA
+ return Ciphersuite("", "ECDH", "SHA-1", "AES-256", 32);
+
+ case 0xC016: // ECDH_anon_WITH_RC4_128_SHA
+ return Ciphersuite("", "ECDH", "SHA-1", "ARC4", 16);
+
case 0x008B: // PSK_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("", "PSK", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("", "PSK", "SHA-1", "3DES", 24);
case 0x008C: // PSK_WITH_AES_128_CBC_SHA
return Ciphersuite("", "PSK", "SHA-1", "AES-128", 16);
@@ -202,7 +246,7 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
return Ciphersuite("", "PSK", "SHA-1", "ARC4", 16);
case 0x000A: // RSA_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("RSA", "RSA", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("RSA", "RSA", "SHA-1", "3DES", 24);
case 0x002F: // RSA_WITH_AES_128_CBC_SHA
return Ciphersuite("RSA", "RSA", "SHA-1", "AES-128", 16);
@@ -238,7 +282,7 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
return Ciphersuite("RSA", "RSA", "SHA-1", "SEED", 16);
case 0xC01C: // SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("DSA", "SRP_SHA", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("DSA", "SRP_SHA", "SHA-1", "3DES", 24);
case 0xC01F: // SRP_SHA_DSS_WITH_AES_128_CBC_SHA
return Ciphersuite("DSA", "SRP_SHA", "SHA-1", "AES-128", 16);
@@ -247,7 +291,7 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
return Ciphersuite("DSA", "SRP_SHA", "SHA-1", "AES-256", 32);
case 0xC01B: // SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("RSA", "SRP_SHA", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("RSA", "SRP_SHA", "SHA-1", "3DES", 24);
case 0xC01E: // SRP_SHA_RSA_WITH_AES_128_CBC_SHA
return Ciphersuite("RSA", "SRP_SHA", "SHA-1", "AES-128", 16);
@@ -256,14 +300,13 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
return Ciphersuite("RSA", "SRP_SHA", "SHA-1", "AES-256", 32);
case 0xC01A: // SRP_SHA_WITH_3DES_EDE_CBC_SHA
- return Ciphersuite("", "SRP_SHA", "SHA-1", "TripleDES", 24);
+ return Ciphersuite("", "SRP_SHA", "SHA-1", "3DES", 24);
case 0xC01D: // SRP_SHA_WITH_AES_128_CBC_SHA
return Ciphersuite("", "SRP_SHA", "SHA-1", "AES-128", 16);
case 0xC020: // SRP_SHA_WITH_AES_256_CBC_SHA
return Ciphersuite("", "SRP_SHA", "SHA-1", "AES-256", 32);
-
}
return Ciphersuite(); // some unknown ciphersuite