diff options
| author | Jack Lloyd <[email protected]> | 2016-03-17 15:32:08 -0400 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2016-03-17 15:32:08 -0400 |
| commit | f70a9de37d22282d8cca465632efd0044ab9008c (patch) | |
| tree | e5fa59c1d4d7d235a2e1be357ef2da53545c3c99 /src | |
| parent | cf5c88d07b44ad7c6b8702e7afb387fd8c13c3d3 (diff) | |
Remove support for TLS v1.2 MD5 and SHA-224 signatures.
Remove support for weak ECC curves (anything under P-256) from TLS.
This includes secp256k1 since we don't take advantage of the special
form for any performance advantage; might as well use P-256.
The manual still mentioned that it was possible to use MD5 in
Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/tls/tls_extensions.cpp | 45 | ||||
| -rw-r--r-- | src/lib/tls/tls_policy.cpp | 11 |
2 files changed, 3 insertions, 53 deletions
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp index 4acf9a6fe..8befb2fbc 100644 --- a/src/lib/tls/tls_extensions.cpp +++ b/src/lib/tls/tls_extensions.cpp @@ -274,22 +274,6 @@ std::string Supported_Elliptic_Curves::curve_id_to_name(u16bit id) { switch(id) { - case 15: - return "secp160k1"; - case 16: - return "secp160r1"; - case 17: - return "secp160r2"; - case 18: - return "secp192k1"; - case 19: - return "secp192r1"; - case 20: - return "secp224k1"; - case 21: - return "secp224r1"; - case 22: - return "secp256k1"; case 23: return "secp256r1"; case 24: @@ -309,22 +293,6 @@ std::string Supported_Elliptic_Curves::curve_id_to_name(u16bit id) u16bit Supported_Elliptic_Curves::name_to_curve_id(const std::string& name) { - if(name == "secp160k1") - return 15; - if(name == "secp160r1") - return 16; - if(name == "secp160r2") - return 17; - if(name == "secp192k1") - return 18; - if(name == "secp192r1") - return 19; - if(name == "secp224k1") - return 20; - if(name == "secp224r1") - return 21; - if(name == "secp256k1") - return 22; if(name == "secp256r1") return 23; if(name == "secp384r1") @@ -385,14 +353,13 @@ std::string Signature_Algorithms::hash_algo_name(byte code) { switch(code) { - case 1: - return "MD5"; // code 1 is MD5 - ignore it case 2: return "SHA-1"; - case 3: - return "SHA-224"; + + // code 3 is SHA-224 + case 4: return "SHA-256"; case 5: @@ -406,15 +373,9 @@ std::string Signature_Algorithms::hash_algo_name(byte code) byte Signature_Algorithms::hash_algo_code(const std::string& name) { - if(name == "MD5") - return 1; - if(name == "SHA-1") return 2; - if(name == "SHA-224") - return 3; - if(name == "SHA-256") return 4; diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index f88860a71..10b193215 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -44,9 +44,7 @@ std::vector<std::string> Policy::allowed_signature_hashes() const "SHA-512", "SHA-384", "SHA-256", - //"SHA-224", //"SHA-1", - //"MD5", }; } @@ -57,7 +55,6 @@ std::vector<std::string> Policy::allowed_macs() const "SHA-384", "SHA-256", "SHA-1", - //"MD5", }; } @@ -98,14 +95,6 @@ std::vector<std::string> Policy::allowed_ecc_curves() const "secp384r1", "brainpool256r1", "secp256r1", - //"secp256k1", - //"secp224r1", - //"secp224k1", - //"secp192r1", - //"secp192k1", - //"secp160r2", - //"secp160r1", - //"secp160k1", }; } |