Merge GH #2195 Update BSI policy

randombit · Nov 15, 2019 · 09706a7 · 09706a7
2 parents 6c56fff + 4fca820
commit 09706a7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 9 deletions.
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
@@ -420,12 +420,12 @@ class BOTAN_PUBLIC_API(2,0) BSI_TR_02102_2 : public Policy
    public:
       std::vector<std::string> allowed_ciphers() const override
          {
-         return std::vector<std::string>({"AES-256/GCM", "AES-128/GCM", "AES-256", "AES-128" });
+         return std::vector<std::string>({"AES-256/GCM", "AES-128/GCM", "AES-256/CCM", "AES-128/CCM", "AES-256", "AES-128"});
          }
 
       std::vector<std::string> allowed_signature_hashes() const override
          {
-         return std::vector<std::string>({"SHA-384", "SHA-256"});
+         return std::vector<std::string>({"SHA-512", "SHA-384", "SHA-256"});
          }
 
       std::vector<std::string> allowed_macs() const override
@@ -435,7 +435,7 @@ class BOTAN_PUBLIC_API(2,0) BSI_TR_02102_2 : public Policy
 
       std::vector<std::string> allowed_key_exchange_methods() const override
          {
-         return std::vector<std::string>({"ECDH", "DH", "PSK", "ECDHE_PSK", "DHE_PSK"});
+         return std::vector<std::string>({"ECDH", "DH", "ECDHE_PSK", "DHE_PSK"});
          }
 
       std::vector<std::string> allowed_signature_methods() const override
@@ -451,8 +451,6 @@ class BOTAN_PUBLIC_API(2,0) BSI_TR_02102_2 : public Policy
             Group_Params::BRAINPOOL256R1,
             Group_Params::SECP384R1,
             Group_Params::SECP256R1,
-            Group_Params::FFDHE_8192,
-            Group_Params::FFDHE_6144,
             Group_Params::FFDHE_4096,
             Group_Params::FFDHE_3072,
             Group_Params::FFDHE_2048

diff --git a/src/tests/data/tls-policy/bsi.txt b/src/tests/data/tls-policy/bsi.txt
@@ -4,12 +4,12 @@ allow_tls12 = true
 allow_dtls10 = false
 allow_dtls12 = false
 
-ciphers = AES-256/GCM AES-128/GCM AES-256 AES-128
-signature_hashes = SHA-384 SHA-256
+ciphers = AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128
+signature_hashes = SHA-512 SHA-384 SHA-256
 macs = AEAD SHA-384 SHA-256
-key_exchange_methods = ECDH DH PSK ECDHE_PSK DHE_PSK
+key_exchange_methods = ECDH DH ECDHE_PSK DHE_PSK
 signature_methods = ECDSA RSA DSA
-key_exchange_groups = brainpool512r1 brainpool384r1 brainpool256r1 secp384r1 secp256r1 ffdhe/ietf/8192 ffdhe/ietf/6144 ffdhe/ietf/4096 ffdhe/ietf/3072 ffdhe/ietf/2048
+key_exchange_groups = brainpool512r1 brainpool384r1 brainpool256r1 secp384r1 secp256r1 ffdhe/ietf/4096 ffdhe/ietf/3072 ffdhe/ietf/2048
 minimum_dh_group_size = 2000
 minimum_dsa_group_size = 2000
 minimum_ecdh_group_size = 250