diff options
-rw-r--r-- | src/tls/c_hello.cpp | 4 | ||||
-rw-r--r-- | src/tls/tls_policy.cpp | 74 | ||||
-rw-r--r-- | src/tls/tls_policy.h | 22 | ||||
-rw-r--r-- | src/tls/tls_server.cpp | 21 |
4 files changed, 59 insertions, 62 deletions
diff --git a/src/tls/c_hello.cpp b/src/tls/c_hello.cpp index d51bbac63..d3fff8b00 100644 --- a/src/tls/c_hello.cpp +++ b/src/tls/c_hello.cpp @@ -68,7 +68,7 @@ Client_Hello::Client_Hello(Record_Writer& writer, const std::string& srp_identifier) : m_version(policy.pref_version()), m_random(make_hello_random(rng)), - m_suites(policy.ciphersuite_list((srp_identifier != ""))), + m_suites(ciphersuite_list(policy, (srp_identifier != ""))), m_comp_methods(policy.compression()), m_hostname(hostname), m_srp_identifier(srp_identifier), @@ -101,7 +101,7 @@ Client_Hello::Client_Hello(Record_Writer& writer, m_version(session.version()), m_session_id(session.session_id()), m_random(make_hello_random(rng)), - m_suites(policy.ciphersuite_list(session.srp_identifier() != "")), + m_suites(ciphersuite_list(policy, (session.srp_identifier() != ""))), m_comp_methods(policy.compression()), m_hostname(session.sni_hostname()), m_srp_identifier(session.srp_identifier()), diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp index 3db517e56..de3c6f674 100644 --- a/src/tls/tls_policy.cpp +++ b/src/tls/tls_policy.cpp @@ -88,6 +88,30 @@ std::vector<std::string> Policy::allowed_ecc_curves() const return curves; } +/* +* Choose an ECC curve to use +*/ +std::string Policy::choose_curve(const std::vector<std::string>& curve_names) const + { + const std::vector<std::string> our_curves = allowed_ecc_curves(); + + for(size_t i = 0; i != our_curves.size(); ++i) + if(value_exists(curve_names, our_curves[i])) + return our_curves[i]; + + return ""; // no shared curve + } + +/* +* Return allowed compression algorithms +*/ +std::vector<byte> Policy::compression() const + { + std::vector<byte> algs; + algs.push_back(NO_COMPRESSION); + return algs; + } + u32bit Policy::session_ticket_lifetime() const { return 86400; // 1 day @@ -177,12 +201,13 @@ class Ciphersuite_Preference_Ordering } -std::vector<u16bit> Policy::ciphersuite_list(bool have_srp) const +std::vector<u16bit> ciphersuite_list(const Policy& policy, + bool have_srp) { - std::vector<std::string> ciphers = allowed_ciphers(); - std::vector<std::string> hashes = allowed_hashes(); - std::vector<std::string> kex = allowed_key_exchange_methods(); - std::vector<std::string> sigs = allowed_signature_methods(); + std::vector<std::string> ciphers = policy.allowed_ciphers(); + std::vector<std::string> hashes = policy.allowed_hashes(); + std::vector<std::string> kex = policy.allowed_key_exchange_methods(); + std::vector<std::string> sigs = policy.allowed_signature_methods(); if(!have_srp) { @@ -236,45 +261,6 @@ std::vector<u16bit> Policy::ciphersuite_list(bool have_srp) const return ciphersuite_codes; } -/* -* Return allowed compression algorithms -*/ -std::vector<byte> Policy::compression() const - { - std::vector<byte> algs; - algs.push_back(NO_COMPRESSION); - return algs; - } - -/* -* Choose an ECC curve to use -*/ -std::string Policy::choose_curve(const std::vector<std::string>& curve_names) const - { - std::vector<std::string> our_curves = allowed_ecc_curves(); - - for(size_t i = 0; i != our_curves.size(); ++i) - if(value_exists(curve_names, our_curves[i])) - return our_curves[i]; - - return ""; // no shared curve - } - -/* -* Choose which compression algorithm to use -*/ -byte Policy::choose_compression(const std::vector<byte>& c_comp) const - { - std::vector<byte> s_comp = compression(); - - for(size_t i = 0; i != s_comp.size(); ++i) - for(size_t j = 0; j != c_comp.size(); ++j) - if(s_comp[i] == c_comp[j]) - return s_comp[i]; - - return NO_COMPRESSION; - } - } } diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h index b12f07125..288be62bd 100644 --- a/src/tls/tls_policy.h +++ b/src/tls/tls_policy.h @@ -89,7 +89,7 @@ class BOTAN_DLL Policy * will be rejected with an unknown_psk_identifier alert as soon * as the non-existence is identified. Otherwise, a false * identifier value will be used and the protocol allowed to - * proceed, causing the login to eventually fail without + * proceed, causing the handshake to eventually fail without * revealing that the username does not exist on this system. */ virtual bool hide_unknown_users() const { return false; } @@ -97,7 +97,7 @@ class BOTAN_DLL Policy /** * Return the allowed lifetime of a session ticket. If 0, session * tickets do not expire until the session ticket key rolls over. - * Old session tickets cannot be used to resume as session. + * Expired session tickets cannot be used to resume a session. */ virtual u32bit session_ticket_lifetime() const; @@ -111,21 +111,15 @@ class BOTAN_DLL Policy */ virtual Protocol_Version pref_version() const; - /** - * Return allowed ciphersuites, in order of preference - */ - std::vector<u16bit> ciphersuite_list(bool have_srp) const; - - u16bit choose_suite(const std::vector<u16bit>& client_suites, - const std::vector<std::string>& available_cert_types, - bool have_shared_ecc_curve, - bool have_srp) const; - - byte choose_compression(const std::vector<byte>& client_algos) const; - virtual ~Policy() {} }; +/** +* Return allowed ciphersuites, in order of preference +*/ +std::vector<u16bit> ciphersuite_list(const Policy& policy, + bool have_srp); + } } diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index 43556e1bc..f5b4efc30 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -95,7 +95,7 @@ u16bit choose_ciphersuite( const Client_Hello* client_hello) { const std::vector<u16bit> client_suites = client_hello->ciphersuites(); - const std::vector<u16bit> server_suites = policy.ciphersuite_list(false); + const std::vector<u16bit> server_suites = ciphersuite_list(policy, false); const bool have_shared_ecc_curve = (policy.choose_curve(client_hello->supported_ecc_curves()) != ""); @@ -123,6 +123,23 @@ u16bit choose_ciphersuite( "Can't agree on a ciphersuite with client"); } + +/* +* Choose which compression algorithm to use +*/ +byte choose_compression(const Policy& policy, + const std::vector<byte>& c_comp) + { + std::vector<byte> s_comp = policy.compression(); + + for(size_t i = 0; i != s_comp.size(); ++i) + for(size_t j = 0; j != c_comp.size(); ++j) + if(s_comp[i] == c_comp[j]) + return s_comp[i]; + + return NO_COMPRESSION; + } + std::map<std::string, std::vector<X509_Certificate> > get_server_certs(const std::string& hostname, Credentials_Manager& creds) @@ -352,7 +369,7 @@ void Server::process_handshake_msg(Handshake_Type type, rng.random_vec(32), // new session ID state->version(), choose_ciphersuite(policy, cert_chains, state->client_hello), - policy.choose_compression(state->client_hello->compression_methods()), + choose_compression(policy, state->client_hello->compression_methods()), state->client_hello->fragment_size(), secure_renegotiation.supported(), secure_renegotiation.for_server_hello(), |