sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity

tls-crypto: Check if TLS versions and cipher suites match

Browse Source 
Only suggest TLS versions of supported cipher suites.  For instance, do not
suggest TLS 1.3 if none of its cipher suites (requiring GCM/CCM or
ChaPoly) are available.
This commit is contained in:
Pascal Knecht 2020-09-04 18:29:43 +02:00 committed by Tobias Brunner
parent f920125304
commit 8a6edc08a4
2 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/libtls/tls_crypto.c
View File

@ -1140,7 +1140,7 @@ static void filter_unsupported_suites(suite_algs_t suites[], int *count)
static void build_cipher_suite_list(private_tls_crypto_t *this)
{
suite_algs_t suites[countof(suite_algs)];
tls_version_t min_version, max_version;
tls_version_t min_version, max_version, new_min_version, new_max_version;
bool require_encryption;
int count = 0, i;
@ -1198,10 +1198,26 @@ static void build_cipher_suite_list(private_tls_crypto_t *this)
this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
new_min_version = max_version;
new_max_version = min_version;
for (i = 0; i < count; i++)
{
DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite);
this->suites[i] = suites[i].suite;
/* set TLS min/max versions appropriate to the final cipher suites */
new_max_version = max(new_max_version, suites[i].max_version);
new_min_version = min(new_min_version, suites[i].min_version);
}
new_max_version = min(new_max_version, max_version);
new_min_version = max(new_min_version, min_version);
if (min_version != new_min_version || max_version != new_max_version)
{
this->tls->set_version(this->tls, new_min_version, new_max_version);
DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites",
tls_version_names, new_min_version,
tls_version_names, new_max_version);
}
}

4
src/libtls/tls_peer.c
View File

@ -1217,6 +1217,9 @@ static status_t send_client_hello(private_tls_peer_t *this,
}
rng->destroy(rng);
/* determine supported suites before the versions as they might change */
count = this->crypto->get_cipher_suites(this->crypto, &suites);
/* TLS version_max in handshake protocol */
version_max = this->tls->get_version_max(this->tls);
version_min = this->tls->get_version_min(this->tls);
@ -1236,7 +1239,6 @@ static status_t send_client_hello(private_tls_peer_t *this,
writer->write_data8(writer, this->session);
/* add TLS cipher suites */
count = this->crypto->get_cipher_suites(this->crypto, &suites);
if (count <= 0)
{
DBG1(DBG_TLS, "no supported TLS cipher suite available");