From 8a664104ab7d712783223fa4a2abb9ac675243be Mon Sep 17 00:00:00 2001 From: lloyd Date: Thu, 21 Mar 2013 13:59:24 +0000 Subject: Add TLS::Policy::server_uses_own_ciphersuite_preferences() Previously the server always took its most-preferred cipher out of the client's list, but this policy allows telling a server to follow the client's preferences insetad. --- src/tls/tls_policy.cpp | 8 ++++++++ src/tls/tls_policy.h | 7 +++++++ src/tls/tls_server.cpp | 15 ++++++++++----- src/tls/tls_version.h | 8 ++++++++ 4 files changed, 33 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/tls/tls_policy.cpp b/src/tls/tls_policy.cpp index 98e3c6bca..1048e0a62 100644 --- a/src/tls/tls_policy.cpp +++ b/src/tls/tls_policy.cpp @@ -131,6 +131,14 @@ u32bit Policy::session_ticket_lifetime() const bool Policy::acceptable_protocol_version(Protocol_Version version) const { return version.known_version(); // accept any version we know about + + // maybe someday... + //return version >= Protocol_Version::TLS_V11; + } + +bool Policy::server_uses_own_ciphersuite_preferences() const + { + return true; } namespace { diff --git a/src/tls/tls_policy.h b/src/tls/tls_policy.h index 125faa665..7176f7fd5 100644 --- a/src/tls/tls_policy.h +++ b/src/tls/tls_policy.h @@ -126,6 +126,13 @@ class BOTAN_DLL Policy */ virtual bool acceptable_protocol_version(Protocol_Version version) const; + /** + * @return true if servers should choose the ciphersuite matching + * their highest preference, rather than the clients. + * Has no effect on client side. + */ + virtual bool server_uses_own_ciphersuite_preferences() const; + virtual ~Policy() {} }; diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp index 2c393b32d..d8e827b39 100644 --- a/src/tls/tls_server.cpp +++ b/src/tls/tls_server.cpp @@ -112,6 +112,8 @@ u16bit choose_ciphersuite( const std::map >& cert_chains, const Client_Hello* client_hello) { + const bool our_choice = policy.server_uses_own_ciphersuite_preferences(); + const bool have_srp = creds.attempt_srp("tls-server", client_hello->sni_hostname()); @@ -128,12 +130,15 @@ u16bit choose_ciphersuite( const bool have_shared_ecc_curve = (policy.choose_curve(client_hello->supported_ecc_curves()) != ""); - // Ordering by our preferences rather than by clients - for(size_t i = 0; i != server_suites.size(); ++i) - { - const u16bit suite_id = server_suites[i]; + std::vector pref_list = server_suites; + std::vector other_list = client_suites; - if(!value_exists(client_suites, suite_id)) + if(!our_choice) + std::swap(pref_list, other_list); + + for(auto suite_id : pref_list) + { + if(!value_exists(other_list, suite_id)) continue; Ciphersuite suite = Ciphersuite::by_id(suite_id); diff --git a/src/tls/tls_version.h b/src/tls/tls_version.h index 39712db27..2fb5365dc 100644 --- a/src/tls/tls_version.h +++ b/src/tls/tls_version.h @@ -129,6 +129,14 @@ class BOTAN_DLL Protocol_Version */ bool operator>(const Protocol_Version& other) const; + /** + * @return if this version is later than or equal to other + */ + bool operator>=(const Protocol_Version& other) const + { + return (*this == other || *this > other); + } + private: u16bit m_version; }; -- cgit v1.2.3 From d1d27bda2173c78b9ddf573f83b1115d52af5530 Mon Sep 17 00:00:00 2001 From: lloyd Date: Thu, 21 Mar 2013 15:16:34 +0000 Subject: Fix error if we asked for nonexistent branch or version --- src/build-data/scripts/dist.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/build-data/scripts/dist.py b/src/build-data/scripts/dist.py index 8d707ff3e..e0b890c83 100755 --- a/src/build-data/scripts/dist.py +++ b/src/build-data/scripts/dist.py @@ -231,7 +231,7 @@ def main(args = None): rev_id = run_monotone(options.mtn_db, ['automate', 'select', selector(args)]) if rev_id == '': - logging.error('No revision for %s found' % (version)) + logging.error('No revision matching %s found' % (selector(args))) return 2 logging.info('Found revision id %s' % (rev_id)) -- cgit v1.2.3 From 500488feb9664100be812ea6b042d900cbd1aabc Mon Sep 17 00:00:00 2001 From: lloyd Date: Thu, 21 Mar 2013 15:30:44 +0000 Subject: Alias mips64el to mips64, from Brad Smith --- src/build-data/arch/mips64.txt | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src') diff --git a/src/build-data/arch/mips64.txt b/src/build-data/arch/mips64.txt index a2fd5849b..d6f481346 100644 --- a/src/build-data/arch/mips64.txt +++ b/src/build-data/arch/mips64.txt @@ -1,3 +1,7 @@ + +mips64el + + r4000 r4100 -- cgit v1.2.3 From 11c7544fe0576571f01973c8861a068895aa8c87 Mon Sep 17 00:00:00 2001 From: lloyd Date: Sat, 23 Mar 2013 00:28:58 +0000 Subject: Avoid warning --- src/engine/aes_isa_eng/aes_isa_engine.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/engine/aes_isa_eng/aes_isa_engine.cpp b/src/engine/aes_isa_eng/aes_isa_engine.cpp index e56f6e9ca..956a1ce38 100644 --- a/src/engine/aes_isa_eng/aes_isa_engine.cpp +++ b/src/engine/aes_isa_eng/aes_isa_engine.cpp @@ -30,7 +30,7 @@ AES_ISA_Engine::find_block_cipher(const SCAN_Name& request, } #endif - return 0; + return nullptr; } } -- cgit v1.2.3