diff options
author | Jack Lloyd <[email protected]> | 2018-08-21 15:43:34 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-08-22 15:13:14 -0400 |
commit | e05a7337add6c5f61d5abc05bb69c8d0698aa3ef (patch) | |
tree | 8bb911536d39c43385a59d1bc9a09b2b14bd7075 /src | |
parent | 2fc2598ebab23aa63f7be30c8a2eff6afb262fb3 (diff) |
Default disable support for TLS v1.0/v1.1 and all CBC and CCM suites
Diffstat (limited to 'src')
-rw-r--r-- | src/cli/tls_utils.cpp | 6 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 12 | ||||
-rwxr-xr-x | src/scripts/test_cli.py | 18 | ||||
-rw-r--r-- | src/tests/data/tls-policy/datagram.txt | 2 | ||||
-rw-r--r-- | src/tests/data/tls-policy/default.txt | 6 |
5 files changed, 30 insertions, 14 deletions
diff --git a/src/cli/tls_utils.cpp b/src/cli/tls_utils.cpp index de5c93fe6..2429b5de6 100644 --- a/src/cli/tls_utils.cpp +++ b/src/cli/tls_utils.cpp @@ -34,6 +34,8 @@ class TLS_All_Policy final : public Botan::TLS::Policy "AES-128/CCM(8)", "Camellia-256/GCM", "Camellia-128/GCM", + "ARIA-256/GCM", + "ARIA-128/GCM", "AES-256", "AES-128", "Camellia-256", @@ -52,6 +54,10 @@ class TLS_All_Policy final : public Botan::TLS::Policy { return { "ECDSA", "RSA", "DSA" }; } + + bool allow_tls10() const override { return false; } + bool allow_tls11() const override { return false; } + bool allow_tls12() const override { return true; } }; class TLS_Ciphersuites final : public Command diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 5e8150e4f..c2d3ccf26 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -45,16 +45,16 @@ std::vector<std::string> Policy::allowed_ciphers() const "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM", - "AES-256/CCM", - "AES-128/CCM", + //"AES-256/CCM", + //"AES-128/CCM", //"AES-256/CCM(8)", //"AES-128/CCM(8)", //"Camellia-256/GCM", //"Camellia-128/GCM", //"ARIA-256/GCM", //"ARIA-128/GCM", - "AES-256", - "AES-128", + //"AES-256", + //"AES-128", //"Camellia-256", //"Camellia-128", //"SEED" @@ -319,8 +319,8 @@ bool Policy::acceptable_ciphersuite(const Ciphersuite& ciphersuite) const bool Policy::allow_client_initiated_renegotiation() const { return false; } bool Policy::allow_server_initiated_renegotiation() const { return false; } bool Policy::allow_insecure_renegotiation() const { return false; } -bool Policy::allow_tls10() const { return true; } -bool Policy::allow_tls11() const { return true; } +bool Policy::allow_tls10() const { return false; } +bool Policy::allow_tls11() const { return false; } bool Policy::allow_tls12() const { return true; } bool Policy::allow_dtls10() const { return false; } bool Policy::allow_dtls12() const { return true; } diff --git a/src/scripts/test_cli.py b/src/scripts/test_cli.py index 0a76d7465..2f5e5bba4 100755 --- a/src/scripts/test_cli.py +++ b/src/scripts/test_cli.py @@ -425,7 +425,7 @@ def cli_tls_ciphersuite_tests(): for policy in policies: for version in versions: - if policy in ['suiteb_128', 'suiteb_192', 'strict'] and version != 'tls1.2': + if version != 'tls1.2' and policy != 'all': continue output = test_cli("tls_ciphers", ["--version=" + version, "--policy=" + policy], None).split('\n') @@ -648,8 +648,8 @@ def main(args=None): setup_logging(options) - if len(args) != 2: - logging.error("Usage: ./cli_tests.py path_to_botan_cli") + if len(args) < 2: + logging.error("Usage: ./cli_tests.py path_to_botan_cli [test_regex]") return 1 if not os.access(args[1], os.X_OK): @@ -659,6 +659,10 @@ def main(args=None): global CLI_PATH CLI_PATH = args[1] + test_regex = None + if len(args) == 3: + test_regex = re.compile(args[2]) + start_time = time.time() test_fns = [ @@ -694,10 +698,16 @@ def main(args=None): ] for fn in test_fns: + fn_name = fn.__name__ + + if test_regex is not None: + if test_regex.match(fn_name) is None: + continue + start = time.time() fn() end = time.time() - logging.debug("Ran %s in %.02f", fn.__name__, end-start) + logging.debug("Ran %s in %.02f", fn_name, end-start) end_time = time.time() diff --git a/src/tests/data/tls-policy/datagram.txt b/src/tests/data/tls-policy/datagram.txt index 9006c6e87..8c787490d 100644 --- a/src/tests/data/tls-policy/datagram.txt +++ b/src/tests/data/tls-policy/datagram.txt @@ -3,7 +3,7 @@ allow_tls11 = false allow_tls12 = false allow_dtls10 = false allow_dtls12 = true -ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128 +ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM macs = AEAD signature_hashes = SHA-512 SHA-384 SHA-256 signature_methods = ECDSA RSA diff --git a/src/tests/data/tls-policy/default.txt b/src/tests/data/tls-policy/default.txt index 5ed7890c6..4ff6c293d 100644 --- a/src/tests/data/tls-policy/default.txt +++ b/src/tests/data/tls-policy/default.txt @@ -1,9 +1,9 @@ -allow_tls10 = true -allow_tls11 = true +allow_tls10 = false +allow_tls11 = false allow_tls12 = true allow_dtls10 = false allow_dtls12 = true -ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128 +ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM macs = AEAD SHA-256 SHA-384 SHA-1 signature_hashes = SHA-512 SHA-384 SHA-256 signature_methods = ECDSA RSA |