integrity_algorithm_t mac;
encryption_algorithm_t encr;
size_t encr_size;
- tls_version_t tls_version;
+ tls_version_t min_version;
+ tls_version_t max_version;
} suite_algs_t;
/**
KEY_ANY, MODP_NONE,
HASH_SHA256, PRF_UNDEFINED,
AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
- TLS_1_3,
+ TLS_1_3, TLS_1_3,
},
{ TLS_AES_256_GCM_SHA384,
KEY_ANY, MODP_NONE,
HASH_SHA384, PRF_UNDEFINED,
AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
- TLS_1_3,
+ TLS_1_3, TLS_1_3,
},
{ TLS_CHACHA20_POLY1305_SHA256,
KEY_ANY, MODP_NONE,
HASH_SHA256, PRF_UNDEFINED,
AUTH_HMAC_SHA2_256_256, ENCR_CHACHA20_POLY1305, 32,
- TLS_1_3,
+ TLS_1_3, TLS_1_3,
},
{ TLS_AES_128_CCM_SHA256,
- KEY_ANY, MODP_NONE,
- HASH_SHA256, PRF_UNDEFINED,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
- TLS_1_3,
+ KEY_ANY, MODP_NONE,
+ HASH_SHA256, PRF_UNDEFINED,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV16, 16,
+ TLS_1_3, TLS_1_3,
},
{ TLS_AES_128_CCM_8_SHA256,
- KEY_ANY, MODP_NONE,
- HASH_SHA256, PRF_UNDEFINED,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
- TLS_1_3,
+ KEY_ANY, MODP_NONE,
+ HASH_SHA256, PRF_UNDEFINED,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CCM_ICV8, 16,
+ TLS_1_3, TLS_1_3,
},
/* Legacy TLS cipher suites */
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
KEY_ECDSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- TLS_1_2,
+ TLS_1_0, TLS_1_2,
},
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
KEY_ECDSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
KEY_ECDSA, ECP_384_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
- TLS_1_2,
+ TLS_1_0, TLS_1_2,
},
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
KEY_ECDSA, ECP_384_BIT,
HASH_SHA384, PRF_HMAC_SHA2_384,
AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
KEY_ECDSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
KEY_ECDSA, ECP_384_BIT,
HASH_SHA384, PRF_HMAC_SHA2_384,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
KEY_RSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- TLS_1_2,
+ TLS_1_0, TLS_1_2,
},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
KEY_RSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
KEY_RSA, ECP_384_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
- TLS_1_2,
+ TLS_1_0, TLS_1_2,
},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
KEY_RSA, ECP_384_BIT,
HASH_SHA384, PRF_HMAC_SHA2_384,
AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
KEY_RSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
KEY_RSA, ECP_384_BIT,
HASH_SHA384, PRF_HMAC_SHA2_384,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
KEY_RSA, MODP_2048_BIT,
HASH_SHA256,PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
KEY_RSA, MODP_3072_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
KEY_RSA, MODP_3072_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
KEY_RSA, MODP_4096_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
KEY_RSA, MODP_3072_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
KEY_RSA, MODP_4096_BIT,
HASH_SHA384, PRF_HMAC_SHA2_384,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
KEY_RSA, MODP_2048_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
KEY_RSA, MODP_3072_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
KEY_RSA, MODP_3072_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
KEY_RSA, MODP_4096_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
KEY_RSA, MODP_2048_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_RSA_WITH_AES_128_CBC_SHA,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_RSA_WITH_AES_128_CBC_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_RSA_WITH_AES_256_CBC_SHA,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_RSA_WITH_AES_256_CBC_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_RSA_WITH_AES_128_GCM_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_RSA_WITH_AES_256_GCM_SHA384,
KEY_RSA, MODP_NONE,
HASH_SHA384, PRF_HMAC_SHA2_384,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
KEY_ECDSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
- TLS_1_2,
+ TLS_1_0, TLS_1_2,
},
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
KEY_RSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
- TLS_1_2,
+ TLS_1_0, TLS_1_2,
},
{ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
KEY_ECDSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
- TLS_1_2,
+ TLS_1_0, TLS_1_2,
},
{ TLS_ECDHE_RSA_WITH_NULL_SHA,
KEY_ECDSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
- TLS_1_2,
+ TLS_1_0, TLS_1_2,
},
{ TLS_RSA_WITH_NULL_SHA,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
- TLS_1_2,
+ SSL_3_0, TLS_1_2,
},
{ TLS_RSA_WITH_NULL_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
- TLS_1_2,
+ TLS_1_2, TLS_1_2,
},
{ TLS_RSA_WITH_NULL_MD5,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_MD5_128, ENCR_NULL, 0,
- TLS_1_2,
+ SSL_2_0, TLS_1_2,
},
};
bool require_encryption)
{
suite_algs_t suites[countof(suite_algs)];
- int count = countof(suite_algs), i;
+ tls_version_t min_version, max_version;
+ int count = 0, i;
- /* copy all suites */
- for (i = 0; i < count; i++)
+ min_version = this->tls->get_version_min(this->tls);
+ max_version = this->tls->get_version_max(this->tls);
+
+ /* copy all suites appropriate for the current min/max versions */
+ for (i = 0; i < countof(suite_algs); i++)
{
- suites[i] = suite_algs[i];
+ if (suite_algs[i].min_version <= max_version &&
+ suite_algs[i].max_version >= min_version)
+ {
+ suites[count++] = suite_algs[i];
+ }
}
if (require_encryption)
/**
* See header.
*/
-int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **out)
+int tls_crypto_get_supported_suites(bool null, tls_version_t version,
+ tls_cipher_suite_t **out)
{
suite_algs_t suites[countof(suite_algs)];
- int count = countof(suite_algs), i;
+ int count = 0, i;
/* initialize copy of suite list */
- for (i = 0; i < count; i++)
+ for (i = 0; i < countof(suite_algs); i++)
{
- suites[i] = suite_algs[i];
+ if (suite_algs[i].min_version <= version &&
+ suite_algs[i].max_version >= version)
+ {
+ suites[count++] = suite_algs[i];
+ }
}
filter_unsupported_suites(suites, &count);
projects / thirdparty / strongswan.git / commitdiff
