aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-08-21 15:43:34 -0400
committerJack Lloyd <[email protected]>2018-08-22 15:13:14 -0400
commite05a7337add6c5f61d5abc05bb69c8d0698aa3ef (patch)
tree8bb911536d39c43385a59d1bc9a09b2b14bd7075 /src
parent2fc2598ebab23aa63f7be30c8a2eff6afb262fb3 (diff)
Default disable support for TLS v1.0/v1.1 and all CBC and CCM suites
Diffstat (limited to 'src')
-rw-r--r--src/cli/tls_utils.cpp6
-rw-r--r--src/lib/tls/tls_policy.cpp12
-rwxr-xr-xsrc/scripts/test_cli.py18
-rw-r--r--src/tests/data/tls-policy/datagram.txt2
-rw-r--r--src/tests/data/tls-policy/default.txt6
5 files changed, 30 insertions, 14 deletions
diff --git a/src/cli/tls_utils.cpp b/src/cli/tls_utils.cpp
index de5c93fe6..2429b5de6 100644
--- a/src/cli/tls_utils.cpp
+++ b/src/cli/tls_utils.cpp
@@ -34,6 +34,8 @@ class TLS_All_Policy final : public Botan::TLS::Policy
"AES-128/CCM(8)",
"Camellia-256/GCM",
"Camellia-128/GCM",
+ "ARIA-256/GCM",
+ "ARIA-128/GCM",
"AES-256",
"AES-128",
"Camellia-256",
@@ -52,6 +54,10 @@ class TLS_All_Policy final : public Botan::TLS::Policy
{
return { "ECDSA", "RSA", "DSA" };
}
+
+ bool allow_tls10() const override { return false; }
+ bool allow_tls11() const override { return false; }
+ bool allow_tls12() const override { return true; }
};
class TLS_Ciphersuites final : public Command
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 5e8150e4f..c2d3ccf26 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -45,16 +45,16 @@ std::vector<std::string> Policy::allowed_ciphers() const
"ChaCha20Poly1305",
"AES-256/GCM",
"AES-128/GCM",
- "AES-256/CCM",
- "AES-128/CCM",
+ //"AES-256/CCM",
+ //"AES-128/CCM",
//"AES-256/CCM(8)",
//"AES-128/CCM(8)",
//"Camellia-256/GCM",
//"Camellia-128/GCM",
//"ARIA-256/GCM",
//"ARIA-128/GCM",
- "AES-256",
- "AES-128",
+ //"AES-256",
+ //"AES-128",
//"Camellia-256",
//"Camellia-128",
//"SEED"
@@ -319,8 +319,8 @@ bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const
bool Policy::allow_client_initiated_renegotiation() const { return false; }
bool Policy::allow_server_initiated_renegotiation() const { return false; }
bool Policy::allow_insecure_renegotiation() const { return false; }
-bool Policy::allow_tls10() const { return true; }
-bool Policy::allow_tls11() const { return true; }
+bool Policy::allow_tls10() const { return false; }
+bool Policy::allow_tls11() const { return false; }
bool Policy::allow_tls12() const { return true; }
bool Policy::allow_dtls10() const { return false; }
bool Policy::allow_dtls12() const { return true; }
diff --git a/src/scripts/test_cli.py b/src/scripts/test_cli.py
index 0a76d7465..2f5e5bba4 100755
--- a/src/scripts/test_cli.py
+++ b/src/scripts/test_cli.py
@@ -425,7 +425,7 @@ def cli_tls_ciphersuite_tests():
for policy in policies:
for version in versions:
- if policy in ['suiteb_128', 'suiteb_192', 'strict'] and version != 'tls1.2':
+ if version != 'tls1.2' and policy != 'all':
continue
output = test_cli("tls_ciphers", ["--version=" + version, "--policy=" + policy], None).split('\n')
@@ -648,8 +648,8 @@ def main(args=None):
setup_logging(options)
- if len(args) != 2:
- logging.error("Usage: ./cli_tests.py path_to_botan_cli")
+ if len(args) < 2:
+ logging.error("Usage: ./cli_tests.py path_to_botan_cli [test_regex]")
return 1
if not os.access(args[1], os.X_OK):
@@ -659,6 +659,10 @@ def main(args=None):
global CLI_PATH
CLI_PATH = args[1]
+ test_regex = None
+ if len(args) == 3:
+ test_regex = re.compile(args[2])
+
start_time = time.time()
test_fns = [
@@ -694,10 +698,16 @@ def main(args=None):
]
for fn in test_fns:
+ fn_name = fn.__name__
+
+ if test_regex is not None:
+ if test_regex.match(fn_name) is None:
+ continue
+
start = time.time()
fn()
end = time.time()
- logging.debug("Ran %s in %.02f", fn.__name__, end-start)
+ logging.debug("Ran %s in %.02f", fn_name, end-start)
end_time = time.time()
diff --git a/src/tests/data/tls-policy/datagram.txt b/src/tests/data/tls-policy/datagram.txt
index 9006c6e87..8c787490d 100644
--- a/src/tests/data/tls-policy/datagram.txt
+++ b/src/tests/data/tls-policy/datagram.txt
@@ -3,7 +3,7 @@ allow_tls11 = false
allow_tls12 = false
allow_dtls10 = false
allow_dtls12 = true
-ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128
+ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM
macs = AEAD
signature_hashes = SHA-512 SHA-384 SHA-256
signature_methods = ECDSA RSA
diff --git a/src/tests/data/tls-policy/default.txt b/src/tests/data/tls-policy/default.txt
index 5ed7890c6..4ff6c293d 100644
--- a/src/tests/data/tls-policy/default.txt
+++ b/src/tests/data/tls-policy/default.txt
@@ -1,9 +1,9 @@
-allow_tls10 = true
-allow_tls11 = true
+allow_tls10 = false
+allow_tls11 = false
allow_tls12 = true
allow_dtls10 = false
allow_dtls12 = true
-ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128
+ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM
macs = AEAD SHA-256 SHA-384 SHA-1
signature_hashes = SHA-512 SHA-384 SHA-256
signature_methods = ECDSA RSA