diff options
author | lloyd <[email protected]> | 2012-01-18 17:51:57 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-01-18 17:51:57 +0000 |
commit | 8d1787751a15605dfd2729a9ddf67ce826d739f4 (patch) | |
tree | f183ae5af46deda0b8e27b29a707b69ebe28908f /src | |
parent | 3e2efbde4ef272336c85c5ed880ecf31442d6db8 (diff) |
Read only support for signature_algorithms extension used in TLS 1.2
Diffstat (limited to 'src')
-rw-r--r-- | src/tls/info.txt | 2 | ||||
-rw-r--r-- | src/tls/tls_extensions.cpp | 139 | ||||
-rw-r--r-- | src/tls/tls_extensions.h | 33 | ||||
-rw-r--r-- | src/tls/tls_magic.h | 27 | ||||
-rw-r--r-- | src/tls/tls_suites.cpp | 92 |
5 files changed, 239 insertions, 54 deletions
diff --git a/src/tls/info.txt b/src/tls/info.txt index dae015be3..16d112df2 100644 --- a/src/tls/info.txt +++ b/src/tls/info.txt @@ -70,7 +70,9 @@ prf_ssl3 prf_tls rng rsa +seed sha1 +sha2_32 ssl3mac x509cert </requires> diff --git a/src/tls/tls_extensions.cpp b/src/tls/tls_extensions.cpp index c57f7cc81..d414a979d 100644 --- a/src/tls/tls_extensions.cpp +++ b/src/tls/tls_extensions.cpp @@ -25,6 +25,8 @@ TLS_Extension* make_extension(TLS_Data_Reader& reader, return new SRP_Identifier(reader, size); else if(code == TLSEXT_SAFE_RENEGOTIATION) return new Renegotation_Extension(reader, size); + else if(code == TLSEXT_SIGNATURE_ALGORITHMS) + return new Signature_Algorithms(reader, size); else if(code == TLSEXT_NEXT_PROTOCOL) return new Next_Protocol_Notification(reader, size); else @@ -269,4 +271,141 @@ MemoryVector<byte> Next_Protocol_Notification::serialize() const return buf; } +TLS_Ciphersuite_Algos Signature_Algorithms::hash_algo_code(byte code) + { + switch(code) + { + case 1: + return TLS_ALGO_HASH_MD5; + case 2: + return TLS_ALGO_HASH_SHA1; + case 3: + return TLS_ALGO_HASH_SHA224; + case 4: + return TLS_ALGO_HASH_SHA256; + case 5: + return TLS_ALGO_HASH_SHA384; + case 6: + return TLS_ALGO_HASH_SHA512; + default: + return TLS_ALGO_UNKNOWN; + } + } + +byte Signature_Algorithms::hash_algo_code(TLS_Ciphersuite_Algos code) + { + switch(code) + { + case TLS_ALGO_HASH_MD5: + return 1; + case TLS_ALGO_HASH_SHA1: + return 2; + case TLS_ALGO_HASH_SHA224: + return 3; + case TLS_ALGO_HASH_SHA256: + return 4; + case TLS_ALGO_HASH_SHA384: + return 5; + case TLS_ALGO_HASH_SHA512: + return 6; + default: + throw Algorithm_Not_Found("Unknown hash ID for signature_algorithms"); + } + } + +TLS_Ciphersuite_Algos Signature_Algorithms::sig_algo_code(byte code) + { + switch(code) + { + case 1: + return TLS_ALGO_SIGNER_RSA; + case 2: + return TLS_ALGO_SIGNER_DSA; + case 3: + return TLS_ALGO_SIGNER_ECDSA; + default: + return TLS_ALGO_UNKNOWN; + } + } + +byte Signature_Algorithms::sig_algo_code(TLS_Ciphersuite_Algos code) + { + switch(code) + { + case TLS_ALGO_SIGNER_RSA: + return 1; + case TLS_ALGO_SIGNER_DSA: + return 2; + case TLS_ALGO_SIGNER_ECDSA: + return 3; + default: + throw Algorithm_Not_Found("Unknown sig ID for signature_algorithms"); + } + } + +MemoryVector<byte> Signature_Algorithms::serialize() const + { + MemoryVector<byte> buf(2); + + for(size_t i = 0; i != m_supported_algos.size(); ++i) + { + buf.push_back(hash_algo_code(m_supported_algos[i].first)); + buf.push_back(sig_algo_code(m_supported_algos[i].second)); + } + + buf[0] = get_byte<u16bit>(0, buf.size()-2); + buf[1] = get_byte<u16bit>(1, buf.size()-2); + + return buf; + } + +Signature_Algorithms::Signature_Algorithms() + { + /* + Declare we support everything except MD5 for RSA, and SHA-1 with DSA. + We prefer hashes strongest (SHA-512) to weakest (SHA-1). + */ + + m_supported_algos.push_back(std::make_pair(TLS_ALGO_HASH_SHA512, + TLS_ALGO_SIGNER_RSA)); + + m_supported_algos.push_back(std::make_pair(TLS_ALGO_HASH_SHA384, + TLS_ALGO_SIGNER_RSA)); + + m_supported_algos.push_back(std::make_pair(TLS_ALGO_HASH_SHA256, + TLS_ALGO_SIGNER_RSA)); + + m_supported_algos.push_back(std::make_pair(TLS_ALGO_HASH_SHA224, + TLS_ALGO_SIGNER_RSA)); + + m_supported_algos.push_back(std::make_pair(TLS_ALGO_HASH_SHA1, + TLS_ALGO_SIGNER_RSA)); + + m_supported_algos.push_back(std::make_pair(TLS_ALGO_HASH_SHA1, + TLS_ALGO_SIGNER_DSA)); + } + +Signature_Algorithms::Signature_Algorithms(TLS_Data_Reader& reader, + u16bit extension_size) + { + u16bit len = reader.get_u16bit(); + + if(len + 2 != extension_size) + throw Decoding_Error("Bad encoding on signature algorithms extension"); + + while(len) + { + TLS_Ciphersuite_Algos hash_code = hash_algo_code(reader.get_byte()); + TLS_Ciphersuite_Algos sig_code = sig_algo_code(reader.get_byte()); + + // If not something we know, ignore completely + if(hash_code == TLS_ALGO_UNKNOWN || sig_code == TLS_ALGO_UNKNOWN) + continue; + + m_supported_algos.push_back(std::make_pair(hash_code, sig_code)); + + len -= 2; + } + } + } diff --git a/src/tls/tls_extensions.h b/src/tls/tls_extensions.h index 62f179998..94be97d7f 100644 --- a/src/tls/tls_extensions.h +++ b/src/tls/tls_extensions.h @@ -177,6 +177,39 @@ class Next_Protocol_Notification : public TLS_Extension }; /** +* Signature Algorithms Extension for TLS 1.2 (RFC 5246) +*/ +class Signature_Algorithms : public TLS_Extension + { + public: + TLS_Handshake_Extension_Type type() const + { return TLSEXT_NEXT_PROTOCOL; } + + std::vector<std::pair<TLS_Ciphersuite_Algos, TLS_Ciphersuite_Algos> > + supported_signature_algorthms() const + { + return m_supported_algos; + } + + MemoryVector<byte> serialize() const; + + bool empty() const { return false; } + + Signature_Algorithms(); + + Signature_Algorithms(TLS_Data_Reader& reader, + u16bit extension_size); + private: + static TLS_Ciphersuite_Algos hash_algo_code(byte code); + static byte hash_algo_code(TLS_Ciphersuite_Algos code); + + static TLS_Ciphersuite_Algos sig_algo_code(byte code); + static byte sig_algo_code(TLS_Ciphersuite_Algos code); + + std::vector<std::pair<TLS_Ciphersuite_Algos, TLS_Ciphersuite_Algos> > m_supported_algos; + }; + +/** * Represents a block of extensions in a hello message */ class TLS_Extensions diff --git a/src/tls/tls_magic.h b/src/tls/tls_magic.h index 5a35d4c46..51fe91e8b 100644 --- a/src/tls/tls_magic.h +++ b/src/tls/tls_magic.h @@ -26,7 +26,8 @@ enum Version_Code { NO_VERSION_SET = 0x0000, SSL_V3 = 0x0300, TLS_V10 = 0x0301, - TLS_V11 = 0x0302 + TLS_V11 = 0x0302, + TLS_V12 = 0x0303 }; enum Connection_Side { CLIENT = 1, SERVER = 2 }; @@ -162,6 +163,8 @@ enum Ciphersuite_Code { * being randomly assigned codepoints. */ enum TLS_Ciphersuite_Algos { + TLS_ALGO_UNKNOWN = 0x00000000, + TLS_ALGO_SIGNER_MASK = 0xFF000000, TLS_ALGO_SIGNER_ANON = 0x01000000, TLS_ALGO_SIGNER_RSA = 0x02000000, @@ -169,16 +172,18 @@ enum TLS_Ciphersuite_Algos { TLS_ALGO_SIGNER_ECDSA = 0x04000000, TLS_ALGO_KEYEXCH_MASK = 0x00FF0000, - TLS_ALGO_KEYEXCH_NOKEX = 0x00010000, // exchange via key in server cert - TLS_ALGO_KEYEXCH_DH = 0x00020000, - TLS_ALGO_KEYEXCH_ECDH = 0x00030000, + TLS_ALGO_KEYEXCH_NOKEX = 0x00010000, // RSA using server cert key + TLS_ALGO_KEYEXCH_DH = 0x00020000, // Ephemeral DH + TLS_ALGO_KEYEXCH_ECDH = 0x00030000, // Ephemeral ECDH TLS_ALGO_KEYEXCH_SRP = 0x00040000, - TLS_ALGO_MAC_MASK = 0x0000FF00, - TLS_ALGO_MAC_MD5 = 0x00000100, - TLS_ALGO_MAC_SHA1 = 0x00000200, - TLS_ALGO_MAC_SHA256 = 0x00000300, - TLS_ALGO_MAC_SHA384 = 0x00000400, + TLS_ALGO_HASH_MASK = 0x0000FF00, + TLS_ALGO_HASH_MD5 = 0x00000100, + TLS_ALGO_HASH_SHA1 = 0x00000200, + TLS_ALGO_HASH_SHA224 = 0x00000300, + TLS_ALGO_HASH_SHA256 = 0x00000400, + TLS_ALGO_HASH_SHA384 = 0x00000500, + TLS_ALGO_HASH_SHA512 = 0x00000600, TLS_ALGO_CIPHER_MASK = 0x000000FF, TLS_ALGO_CIPHER_RC4_128 = 0x00000001, @@ -200,12 +205,12 @@ enum TLS_Handshake_Extension_Type { TLSEXT_TRUSTED_CA_KEYS = 3, TLSEXT_TRUNCATED_HMAC = 4, + TLSEXT_CERTIFICATE_TYPES = 9, TLSEXT_USABLE_ELLIPTIC_CURVES = 10, TLSEXT_EC_POINT_FORMATS = 11, - TLSEXT_SRP_IDENTIFIER = 12, + TLSEXT_SIGNATURE_ALGORITHMS = 13, - TLSEXT_CERTIFICATE_TYPES = 9, TLSEXT_SESSION_TICKET = 35, TLSEXT_NEXT_PROTOCOL = 13172, diff --git a/src/tls/tls_suites.cpp b/src/tls/tls_suites.cpp index aff15d68f..3b715b04c 100644 --- a/src/tls/tls_suites.cpp +++ b/src/tls/tls_suites.cpp @@ -18,237 +18,237 @@ TLS_Ciphersuite_Algos TLS_Cipher_Suite::lookup_ciphersuite(u16bit suite) if(suite == TLS_RSA_WITH_RC4_128_MD5) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_NOKEX | - TLS_ALGO_MAC_MD5 | + TLS_ALGO_HASH_MD5 | TLS_ALGO_CIPHER_RC4_128); if(suite == TLS_RSA_WITH_RC4_128_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_NOKEX | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_RC4_128); if(suite == TLS_RSA_WITH_3DES_EDE_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_NOKEX | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_3DES_CBC); if(suite == TLS_RSA_WITH_AES_128_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_NOKEX | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_RSA_WITH_AES_256_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_NOKEX | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES256_CBC); if(suite == TLS_RSA_WITH_SEED_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_NOKEX | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_SEED_CBC); if(suite == TLS_RSA_WITH_AES_128_CBC_SHA256) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_NOKEX | - TLS_ALGO_MAC_SHA256 | + TLS_ALGO_HASH_SHA256 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_RSA_WITH_AES_256_CBC_SHA256) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_NOKEX | - TLS_ALGO_MAC_SHA256 | + TLS_ALGO_HASH_SHA256 | TLS_ALGO_CIPHER_AES256_CBC); if(suite == TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_3DES_CBC); if(suite == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_DHE_DSS_WITH_SEED_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_SEED_CBC); if(suite == TLS_DHE_DSS_WITH_RC4_128_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_RC4_128); if(suite == TLS_DHE_DSS_WITH_AES_256_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES256_CBC); if(suite == TLS_DHE_DSS_WITH_AES_128_CBC_SHA256) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA256 | + TLS_ALGO_HASH_SHA256 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_DHE_DSS_WITH_AES_256_CBC_SHA256) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA256 | + TLS_ALGO_HASH_SHA256 | TLS_ALGO_CIPHER_AES256_CBC); if(suite == TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_3DES_CBC); if(suite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_DHE_DSS_WITH_SEED_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_SEED_CBC); if(suite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES256_CBC); if(suite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA256 | + TLS_ALGO_HASH_SHA256 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_DH | - TLS_ALGO_MAC_SHA256 | + TLS_ALGO_HASH_SHA256 | TLS_ALGO_CIPHER_AES256_CBC); // SRP ciphersuites if(suite == TLS_SRP_SHA_RSA_WITH_3DES_EDE_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_SRP | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_3DES_CBC); if(suite == TLS_SRP_SHA_DSS_WITH_3DES_EDE_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_SRP | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_3DES_CBC); if(suite == TLS_SRP_SHA_RSA_WITH_AES_128_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_SRP | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_SRP_SHA_DSS_WITH_AES_128_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_SRP | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_SRP_SHA_RSA_WITH_AES_256_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_SRP | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES256_CBC); if(suite == TLS_SRP_SHA_DSS_WITH_AES_256_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_DSA | TLS_ALGO_KEYEXCH_SRP | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES256_CBC); // ECC ciphersuites if(suite == TLS_ECDHE_ECDSA_WITH_RC4_128_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_RC4_128); if(suite == TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_3DES_CBC); if(suite == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES256_CBC); if(suite == TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA256 | + TLS_ALGO_HASH_SHA256 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA384 | + TLS_ALGO_HASH_SHA384 | TLS_ALGO_CIPHER_AES256_CBC); if(suite == TLS_ECDHE_RSA_WITH_RC4_128_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_RC4_128); if(suite == TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_3DES_CBC); if(suite == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_RSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA1 | + TLS_ALGO_HASH_SHA1 | TLS_ALGO_CIPHER_AES256_CBC); if(suite == TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA256 | + TLS_ALGO_HASH_SHA256 | TLS_ALGO_CIPHER_AES128_CBC); if(suite == TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) return TLS_Ciphersuite_Algos(TLS_ALGO_SIGNER_ECDSA | TLS_ALGO_KEYEXCH_ECDH | - TLS_ALGO_MAC_SHA384 | + TLS_ALGO_HASH_SHA384 | TLS_ALGO_CIPHER_AES256_CBC); return TLS_Ciphersuite_Algos(0); @@ -279,18 +279,24 @@ std::pair<std::string, size_t> cipher_code_to_name(TLS_Ciphersuite_Algos algo) std::string mac_code_to_name(TLS_Ciphersuite_Algos algo) { - if((algo & TLS_ALGO_MAC_MASK) == TLS_ALGO_MAC_MD5) + if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_MD5) return "MD5"; - if((algo & TLS_ALGO_MAC_MASK) == TLS_ALGO_MAC_SHA1) + if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA1) return "SHA-1"; - if((algo & TLS_ALGO_MAC_MASK) == TLS_ALGO_MAC_SHA256) + if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA224) + return "SHA-224"; + + if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA256) return "SHA-256"; - if((algo & TLS_ALGO_MAC_MASK) == TLS_ALGO_MAC_SHA384) + if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA384) return "SHA-384"; + if((algo & TLS_ALGO_HASH_MASK) == TLS_ALGO_HASH_SHA512) + return "SHA-512"; + throw TLS_Exception(INTERNAL_ERROR, "TLS_Cipher_Suite: Unknown MAC type " + to_string(algo)); } |