tls-crypto: Simplify and extend cipher config filter
authorTobias Brunner <tobias@strongswan.org>
Thu, 11 Feb 2021 17:10:56 +0000 (18:10 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
This way we can automatically filter for newer algorithms (e.g.
chacha20poly1305).

src/libtls/tls_crypto.c

index ed1eea3..cf5e5b5 100644 (file)
@@ -966,50 +966,12 @@ static void filter_cipher_config_suites(private_tls_crypto_t *this,
                        enumerator = enumerator_create_token(config, ",", " ");
                        while (enumerator->enumerate(enumerator, &token))
                        {
-                               if (strcaseeq(token, "aes128") &&
-                                       suites[i].encr == ENCR_AES_CBC &&
-                                       suites[i].encr_size == 16)
-                               {
-                                       suites[remaining++] = suites[i];
-                                       break;
-                               }
-                               if (strcaseeq(token, "aes256") &&
-                                       suites[i].encr == ENCR_AES_CBC &&
-                                       suites[i].encr_size == 32)
-                               {
-                                       suites[remaining++] = suites[i];
-                                       break;
-                               }
-                               if (strcaseeq(token, "aes128gcm") &&
-                                       suites[i].encr == ENCR_AES_GCM_ICV16 &&
-                                       suites[i].encr_size == 16)
-                               {
-                                       suites[remaining++] = suites[i];
-                                       break;
-                               }
-                               if (strcaseeq(token, "aes256gcm") &&
-                                       suites[i].encr == ENCR_AES_GCM_ICV16 &&
-                                       suites[i].encr_size == 32)
-                               {
-                                       suites[remaining++] = suites[i];
-                                       break;
-                               }
-                               if (strcaseeq(token, "camellia128") &&
-                                       suites[i].encr == ENCR_CAMELLIA_CBC &&
-                                       suites[i].encr_size == 16)
-                               {
-                                       suites[remaining++] = suites[i];
-                                       break;
-                               }
-                               if (strcaseeq(token, "camellia256") &&
-                                       suites[i].encr == ENCR_CAMELLIA_CBC &&
-                                       suites[i].encr_size == 32)
-                               {
-                                       suites[remaining++] = suites[i];
-                                       break;
-                               }
-                               if (strcaseeq(token, "null") &&
-                                       suites[i].encr == ENCR_NULL)
+                               const proposal_token_t *tok;
+
+                               tok = lib->proposal->get_token(lib->proposal, token);
+                               if (tok != NULL && tok->type == ENCRYPTION_ALGORITHM &&
+                                       suites[i].encr == tok->algorithm &&
+                                       (!tok->keysize || suites[i].encr_size == tok->keysize / 8))
                                {
                                        suites[remaining++] = suites[i];
                                        break;
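Review bot: In the added condition, a token that `get_token()` does not recognise, or that resolves to something other than an `ENCRYPTION_ALGORITHM`, is skipped without any diagnostic, so a misspelled entry in the cipher config simply stops matching and the suites the operator meant to keep are filtered out with nothing in the log to explain it. As far as the visible lines show this fails closed (a suite is kept only on a match), but unknown tokens should be reported once, before the per-suite loop rather than inside it, because the lookup here repeats for every suite; that loop and the rest of filter_cipher_config_suites lie outside the hunk. The `!tok->keysize` branch also deserves a comment such as `/* keysize 0: keyword carries no key length, match on the algorithm alone */`, since it is what lets `null` and the chacha20poly1305 keyword named in the commit message match. It presumably also makes any other size-less keyword a wildcard over key sizes, which is a wider match than the removed per-size checks allowed.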