aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/tls/c_hello.cpp4
-rw-r--r--src/tls/tls_policy.cpp74
-rw-r--r--src/tls/tls_policy.h22
-rw-r--r--src/tls/tls_server.cpp21
4 files changed, 59 insertions, 62 deletions
diff --git a/src/tls/c_hello.cpp b/src/tls/c_hello.cpp
index d51bbac63..d3fff8b00 100644
--- a/src/tls/c_hello.cpp
+++ b/src/tls/c_hello.cpp
@@ -68,7 +68,7 @@ Client_Hello::Client_Hello(Record_Writer& writer,
const std::string& srp_identifier) :
m_version(policy.pref_version()),
m_random(make_hello_random(rng)),
- m_suites(policy.ciphersuite_list((srp_identifier != ""))),
+ m_suites(ciphersuite_list(policy, (srp_identifier != ""))),
m_comp_methods(policy.compression()),
m_hostname(hostname),
m_srp_identifier(srp_identifier),
@@ -101,7 +101,7 @@ Client_Hello::Client_Hello(Record_Writer& writer,
m_version(session.version()),
m_session_id(session.session_id()),
m_random(make_hello_random(rng)),
- m_suites(policy.ciphersuite_list(session.srp_identifier() != "")),
+ m_suites(ciphersuite_list(policy, (session.srp_identifier() != ""))),
m_comp_methods(policy.compression()),
m_hostname(session.sni_hostname()),
m_srp_identifier(session.srp_identifier()),
diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp
index 3db517e56..de3c6f674 100644
--- a/src/tls/tls_policy.cpp
+++ b/src/tls/tls_policy.cpp
@@ -88,6 +88,30 @@ std::vector<std::string> Policy::allowed_ecc_curves() const
return curves;
}
+/*
+* Choose an ECC curve to use
+*/
+std::string Policy::choose_curve(const std::vector<std::string>& curve_names) const
+ {
+ const std::vector<std::string> our_curves = allowed_ecc_curves();
+
+ for(size_t i = 0; i != our_curves.size(); ++i)
+ if(value_exists(curve_names, our_curves[i]))
+ return our_curves[i];
+
+ return ""; // no shared curve
+ }
+
+/*
+* Return allowed compression algorithms
+*/
+std::vector<byte> Policy::compression() const
+ {
+ std::vector<byte> algs;
+ algs.push_back(NO_COMPRESSION);
+ return algs;
+ }
+
u32bit Policy::session_ticket_lifetime() const
{
return 86400; // 1 day
@@ -177,12 +201,13 @@ class Ciphersuite_Preference_Ordering
}
-std::vector<u16bit> Policy::ciphersuite_list(bool have_srp) const
+std::vector<u16bit> ciphersuite_list(const Policy& policy,
+ bool have_srp)
{
- std::vector<std::string> ciphers = allowed_ciphers();
- std::vector<std::string> hashes = allowed_hashes();
- std::vector<std::string> kex = allowed_key_exchange_methods();
- std::vector<std::string> sigs = allowed_signature_methods();
+ std::vector<std::string> ciphers = policy.allowed_ciphers();
+ std::vector<std::string> hashes = policy.allowed_hashes();
+ std::vector<std::string> kex = policy.allowed_key_exchange_methods();
+ std::vector<std::string> sigs = policy.allowed_signature_methods();
if(!have_srp)
{
@@ -236,45 +261,6 @@ std::vector<u16bit> Policy::ciphersuite_list(bool have_srp) const
return ciphersuite_codes;
}
-/*
-* Return allowed compression algorithms
-*/
-std::vector<byte> Policy::compression() const
- {
- std::vector<byte> algs;
- algs.push_back(NO_COMPRESSION);
- return algs;
- }
-
-/*
-* Choose an ECC curve to use
-*/
-std::string Policy::choose_curve(const std::vector<std::string>& curve_names) const
- {
- std::vector<std::string> our_curves = allowed_ecc_curves();
-
- for(size_t i = 0; i != our_curves.size(); ++i)
- if(value_exists(curve_names, our_curves[i]))
- return our_curves[i];
-
- return ""; // no shared curve
- }
-
-/*
-* Choose which compression algorithm to use
-*/
-byte Policy::choose_compression(const std::vector<byte>& c_comp) const
- {
- std::vector<byte> s_comp = compression();
-
- for(size_t i = 0; i != s_comp.size(); ++i)
- for(size_t j = 0; j != c_comp.size(); ++j)
- if(s_comp[i] == c_comp[j])
- return s_comp[i];
-
- return NO_COMPRESSION;
- }
-
}
}
diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h
index b12f07125..288be62bd 100644
--- a/src/tls/tls_policy.h
+++ b/src/tls/tls_policy.h
@@ -89,7 +89,7 @@ class BOTAN_DLL Policy
* will be rejected with an unknown_psk_identifier alert as soon
* as the non-existence is identified. Otherwise, a false
* identifier value will be used and the protocol allowed to
- * proceed, causing the login to eventually fail without
+ * proceed, causing the handshake to eventually fail without
* revealing that the username does not exist on this system.
*/
virtual bool hide_unknown_users() const { return false; }
@@ -97,7 +97,7 @@ class BOTAN_DLL Policy
/**
* Return the allowed lifetime of a session ticket. If 0, session
* tickets do not expire until the session ticket key rolls over.
- * Old session tickets cannot be used to resume as session.
+ * Expired session tickets cannot be used to resume a session.
*/
virtual u32bit session_ticket_lifetime() const;
@@ -111,21 +111,15 @@ class BOTAN_DLL Policy
*/
virtual Protocol_Version pref_version() const;
- /**
- * Return allowed ciphersuites, in order of preference
- */
- std::vector<u16bit> ciphersuite_list(bool have_srp) const;
-
- u16bit choose_suite(const std::vector<u16bit>& client_suites,
- const std::vector<std::string>& available_cert_types,
- bool have_shared_ecc_curve,
- bool have_srp) const;
-
- byte choose_compression(const std::vector<byte>& client_algos) const;
-
virtual ~Policy() {}
};
+/**
+* Return allowed ciphersuites, in order of preference
+*/
+std::vector<u16bit> ciphersuite_list(const Policy& policy,
+ bool have_srp);
+
}
}
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index 43556e1bc..f5b4efc30 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -95,7 +95,7 @@ u16bit choose_ciphersuite(
const Client_Hello* client_hello)
{
const std::vector<u16bit> client_suites = client_hello->ciphersuites();
- const std::vector<u16bit> server_suites = policy.ciphersuite_list(false);
+ const std::vector<u16bit> server_suites = ciphersuite_list(policy, false);
const bool have_shared_ecc_curve =
(policy.choose_curve(client_hello->supported_ecc_curves()) != "");
@@ -123,6 +123,23 @@ u16bit choose_ciphersuite(
"Can't agree on a ciphersuite with client");
}
+
+/*
+* Choose which compression algorithm to use
+*/
+byte choose_compression(const Policy& policy,
+ const std::vector<byte>& c_comp)
+ {
+ std::vector<byte> s_comp = policy.compression();
+
+ for(size_t i = 0; i != s_comp.size(); ++i)
+ for(size_t j = 0; j != c_comp.size(); ++j)
+ if(s_comp[i] == c_comp[j])
+ return s_comp[i];
+
+ return NO_COMPRESSION;
+ }
+
std::map<std::string, std::vector<X509_Certificate> >
get_server_certs(const std::string& hostname,
Credentials_Manager& creds)
@@ -352,7 +369,7 @@ void Server::process_handshake_msg(Handshake_Type type,
rng.random_vec(32), // new session ID
state->version(),
choose_ciphersuite(policy, cert_chains, state->client_hello),
- policy.choose_compression(state->client_hello->compression_methods()),
+ choose_compression(policy, state->client_hello->compression_methods()),
state->client_hello->fragment_size(),
secure_renegotiation.supported(),
secure_renegotiation.for_server_hello(),