Build TLS cipher suite list in a generic fashion
This commit is contained in:
parent
2e64455ee1
commit
a2bfc45bfd
|
@ -400,95 +400,72 @@ static suite_algs_t *find_suite(tls_cipher_suite_t suite)
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filter a suite list using a transform enumerator
|
||||||
|
*/
|
||||||
|
static void filter_suite(private_tls_crypto_t *this,
|
||||||
|
suite_algs_t suites[], int *count, int offset,
|
||||||
|
enumerator_t*(*create_enumerator)(crypto_factory_t*))
|
||||||
|
{
|
||||||
|
suite_algs_t current;
|
||||||
|
int i, remaining = 0;
|
||||||
|
enumerator_t *enumerator;
|
||||||
|
|
||||||
|
memset(¤t, 0, sizeof(current));
|
||||||
|
for (i = 0; i < *count; i++)
|
||||||
|
{
|
||||||
|
enumerator = create_enumerator(lib->crypto);
|
||||||
|
while (enumerator->enumerate(enumerator, ((char*)¤t) + offset))
|
||||||
|
{
|
||||||
|
if ((suites[i].encr == ENCR_NULL ||
|
||||||
|
!current.encr || current.encr == suites[i].encr) &&
|
||||||
|
(!current.mac || current.mac == suites[i].mac) &&
|
||||||
|
(!current.prf || current.prf == suites[i].prf) &&
|
||||||
|
(!current.hash || current.hash == suites[i].hash))
|
||||||
|
{
|
||||||
|
suites[remaining] = suites[i];
|
||||||
|
remaining++;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
enumerator->destroy(enumerator);
|
||||||
|
}
|
||||||
|
*count = remaining;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Initialize the cipher suite list
|
* Initialize the cipher suite list
|
||||||
*/
|
*/
|
||||||
static void build_cipher_suite_list(private_tls_crypto_t *this)
|
static void build_cipher_suite_list(private_tls_crypto_t *this)
|
||||||
{
|
{
|
||||||
encryption_algorithm_t encr;
|
suite_algs_t suites[countof(suite_algs)];
|
||||||
integrity_algorithm_t mac;
|
int count = countof(suite_algs), i;
|
||||||
enumerator_t *encrs, *macs;
|
|
||||||
tls_cipher_suite_t supported[64], unique[64];
|
|
||||||
int count = 0, i, j;
|
|
||||||
|
|
||||||
/* we assume that we support RSA, but no DHE yet */
|
/* copy all suites */
|
||||||
macs = lib->crypto->create_signer_enumerator(lib->crypto);
|
|
||||||
while (macs->enumerate(macs, &mac))
|
|
||||||
{
|
|
||||||
switch (mac)
|
|
||||||
{
|
|
||||||
case AUTH_HMAC_SHA1_160:
|
|
||||||
supported[count++] = TLS_RSA_WITH_NULL_SHA;
|
|
||||||
break;
|
|
||||||
case AUTH_HMAC_SHA2_256_256:
|
|
||||||
supported[count++] = TLS_RSA_WITH_NULL_SHA256;
|
|
||||||
break;
|
|
||||||
case AUTH_HMAC_MD5_128:
|
|
||||||
supported[count++] = TLS_RSA_WITH_NULL_MD5;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
encrs = lib->crypto->create_crypter_enumerator(lib->crypto);
|
|
||||||
while (encrs->enumerate(encrs, &encr))
|
|
||||||
{
|
|
||||||
switch (encr)
|
|
||||||
{
|
|
||||||
case ENCR_AES_CBC:
|
|
||||||
switch (mac)
|
|
||||||
{
|
|
||||||
case AUTH_HMAC_SHA1_160:
|
|
||||||
supported[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
|
|
||||||
supported[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
|
|
||||||
break;
|
|
||||||
case AUTH_HMAC_SHA2_256_256:
|
|
||||||
supported[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
|
|
||||||
supported[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case ENCR_3DES:
|
|
||||||
switch (mac)
|
|
||||||
{
|
|
||||||
case AUTH_HMAC_SHA1_160:
|
|
||||||
supported[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
encrs->destroy(encrs);
|
|
||||||
}
|
|
||||||
macs->destroy(macs);
|
|
||||||
|
|
||||||
/* remove duplicates */
|
|
||||||
this->suite_count = 0;
|
|
||||||
for (i = 0; i < count; i++)
|
for (i = 0; i < count; i++)
|
||||||
{
|
{
|
||||||
bool match = FALSE;
|
suites[i] = suite_algs[i];
|
||||||
|
}
|
||||||
|
/* filter suite list by each algorithm */
|
||||||
|
filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
|
||||||
|
lib->crypto->create_crypter_enumerator);
|
||||||
|
filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
|
||||||
|
lib->crypto->create_signer_enumerator);
|
||||||
|
filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
|
||||||
|
lib->crypto->create_prf_enumerator);
|
||||||
|
filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
|
||||||
|
lib->crypto->create_hasher_enumerator);
|
||||||
|
|
||||||
for (j = 0; j < this->suite_count; j++)
|
DBG2(DBG_CFG, "%d supported TLS cipher suites:", count);
|
||||||
|
for (i = 0; i < count; i++)
|
||||||
{
|
{
|
||||||
if (supported[i] == unique[j])
|
DBG2(DBG_CFG, " %N", tls_cipher_suite_names, suites[i]);
|
||||||
{
|
|
||||||
match = TRUE;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (!match)
|
|
||||||
{
|
|
||||||
unique[this->suite_count++] = supported[i];
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
free(this->suites);
|
free(this->suites);
|
||||||
this->suites = malloc(sizeof(tls_cipher_suite_t) * this->suite_count);
|
this->suite_count = count;
|
||||||
memcpy(this->suites, unique, sizeof(tls_cipher_suite_t) * this->suite_count);
|
this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
|
||||||
|
memcpy(this->suites, suites, sizeof(tls_cipher_suite_t) * this->suite_count);
|
||||||
}
|
}
|
||||||
|
|
||||||
METHOD(tls_crypto_t, get_cipher_suites, int,
|
METHOD(tls_crypto_t, get_cipher_suites, int,
|
||||||
|
|
Loading…
Reference in New Issue