DCMTK
Version 3.6.7
OFFIS DICOM Toolkit
This helper class manages the list of TLS ciphersuites supported by DCMTK, translates DcmTLSSecurityProfile enums into the corresponding sets of ciphersuites, and permits translation between the official TLS ciphersuite names (as used in DCMTK) and the corresponding internal OpenSSL name.
Public Member Functions

DcmTLSCiphersuiteHandler ()
    constructor.
virtual ~DcmTLSCiphersuiteHandler ()
    destructor
OFCondition setTLSProfile (DcmTLSSecurityProfile profile)
    replace the current list of ciphersuites by the list of ciphersuites for the given profile.
DcmTLSSecurityProfile getTLSProfile () const
    return the currently selected TLS profile
void clearTLSProfile ()
    clear the current list of ciphersuites.
OFCondition addCipherSuite (const char *suite)
    adds a ciphersuite to the list of ciphersuites for TLS negotiation.
void getListOfCipherSuitesForOpenSSL (OFString &cslist, OFBool isServer) const
    returns a string in OpenSSL syntax that contains the currently defined list of TLS ciphersuites.
long getTLSOptions () const
    returns the set of flags that need to be activated in OpenSSL depending on the selected TLS profile.
OFBool cipher3DESsupported () const
    checks if the 3DES ciphersuite TLS_RSA_WITH_3DES_EDE_CBC_SHA is supported by the underlying OpenSSL library (which newer versions only do if compiled with "weak ciphers" enabled).
OFBool cipherNULLsupported () const
    checks if the unencrypted ciphersuite TLS_RSA_WITH_NULL_SHA is supported by the underlying OpenSSL library (which newer versions only do if compiled with "weak ciphers" enabled).
OFBool isTLS13Enabled () const
    checks if TLS 1.3 is enabled (permitted) for the currently selected TLS security profile.
void printSupportedCiphersuites (STD_NAMESPACE ostream &os) const
    print a list of supported ciphersuites to the given output stream

Static Public Member Functions

static size_t getNumberOfCipherSuites ()
    returns the number of known ciphersuites.
static size_t lookupCiphersuite (const char *tlsCipherSuiteName)
    looks up the index of the given ciphersuite by name
static size_t lookupCiphersuiteByOpenSSLName (const char *opensslCipherSuiteName)
    looks up the index of the given ciphersuite by OpenSSL name
static const char *getTLSCipherSuiteName (size_t idx)
    returns a ciphersuite name in RFC 2246 (TLS) form
static const char *getOpenSSLCipherSuiteName (size_t idx)
    returns a ciphersuite name in OpenSSL form
static DcmTLSCipherProtocolVersion getCipherSuiteProtocolVersion (size_t idx)
    returns the minimum SSL/TLS version required for the ciphersuite with the given index
static DcmTLSCipherKeyExchange getCipherSuiteKeyExchange (size_t idx)
    returns the key exchange protocol used by the ciphersuite with the given index
static DcmTLSCipherAuthentication getCipherSuiteAuthentication (size_t idx)
    returns the authentication algorithm used by the ciphersuite with the given index
static DcmTLSCipherEncryption getCipherSuiteEncryption (size_t idx)
    returns the encryption algorithm used by the ciphersuite with the given index
static DcmTLSCipherMAC getCipherSuiteMAC (size_t idx)
    returns the message authentication code (MAC) algorithm used by the ciphersuite with the given index
static size_t getCipherSuiteKeySize (size_t idx)
    returns the symmetric key size used by the ciphersuite with the given index
static size_t getCipherSuiteEffectiveKeySize (size_t idx)
    returns the effective symmetric key size (i.e. security level) of the ciphersuite with the given index
static const char *lookupProfileName (DcmTLSSecurityProfile profile)
    look up the name of the given security profile

Static Public Attributes

static const size_t unknownCipherSuiteIndex
    constant returned by findOpenSSLCipherSuiteName() if ciphersuite name is unknown

Private Member Functions

DcmTLSCiphersuiteHandler (const DcmTLSCiphersuiteHandler &)
    private undefined copy constructor
DcmTLSCiphersuiteHandler &operator= (const DcmTLSCiphersuiteHandler &)
    private undefined assignment operator
void determineSupportedCiphers ()
    determine the set of ciphersuites that are supported both by DCMTK and the OpenSSL library we are currently using
OFCondition addRequiredCipherSuite (const char *name)
    add ciphersuite by name, print error if unsupported
void addOptional3DESCipherSuite ()
    add 3DES ciphersuite, print warning if unsupported

Private Attributes

OFVector< size_t > ciphersuiteList
    current list of ciphersuites
DcmTLSSecurityProfile currentProfile
    currently selected DICOM TLS security profile
OFBool tls13_enabled
    indicator whether TLS 1.3 is enabled or disabled for the current profile
OFBool *ciphersuiteSupported
    an array of booleans indicating which ciphersuites known to DCMTK are actually supported by the OpenSSL library we are using.
DcmTLSCiphersuiteHandler::DcmTLSCiphersuiteHandler ()
    constructor.
    The constructor assumes that the OpenSSL library has already been initialized. This should be ensured prior to creating any DcmTLSCiphersuiteHandler instance by calling DcmTLSTransportLayer::initializeOpenSSL(). This only needs to be done once.

OFCondition DcmTLSCiphersuiteHandler::addCipherSuite (const char *suite)
    adds a ciphersuite to the list of ciphersuites for TLS negotiation.
    It is the responsibility of the user to ensure that the added ciphersuite does not break the rules of the selected profile. Use with care!
    Parameters:
        suite: TLS ciphersuite name, in the official TLS name form.

OFCondition DcmTLSCiphersuiteHandler::addRequiredCipherSuite (const char *name) [private]
    add ciphersuite by name, print error if unsupported
    Parameters:
        name: ciphersuite name in RFC 2246 form

OFBool DcmTLSCiphersuiteHandler::cipher3DESsupported () const
    checks if the 3DES ciphersuite TLS_RSA_WITH_3DES_EDE_CBC_SHA is supported by the underlying OpenSSL library (which newer versions only do if compiled with "weak ciphers" enabled).

OFBool DcmTLSCiphersuiteHandler::cipherNULLsupported () const
    checks if the unencrypted ciphersuite TLS_RSA_WITH_NULL_SHA is supported by the underlying OpenSSL library (which newer versions only do if compiled with "weak ciphers" enabled).

void DcmTLSCiphersuiteHandler::clearTLSProfile ()
    clear the current list of ciphersuites.
    Equivalent to calling setTLSProfile(TSP_Profile_None).

static DcmTLSCipherAuthentication DcmTLSCiphersuiteHandler::getCipherSuiteAuthentication (size_t idx) [static]
    returns the authentication algorithm used by the ciphersuite with the given index
    Parameters:
        idx: index, must be < getNumberOfCipherSuites()

static size_t DcmTLSCiphersuiteHandler::getCipherSuiteEffectiveKeySize (size_t idx) [static]
    returns the effective symmetric key size (i.e. security level) of the ciphersuite with the given index. BCP 195 (2015) recommends that no ciphersuites with an effective key size of less than 112 bits should be used anymore with TLS.
    Parameters:
        idx: index, must be < getNumberOfCipherSuites()

static DcmTLSCipherEncryption DcmTLSCiphersuiteHandler::getCipherSuiteEncryption (size_t idx) [static]
    returns the encryption algorithm used by the ciphersuite with the given index
    Parameters:
        idx: index, must be < getNumberOfCipherSuites()

static DcmTLSCipherKeyExchange DcmTLSCiphersuiteHandler::getCipherSuiteKeyExchange (size_t idx) [static]
    returns the key exchange protocol used by the ciphersuite with the given index
    Parameters:
        idx: index, must be < getNumberOfCipherSuites()

static size_t DcmTLSCiphersuiteHandler::getCipherSuiteKeySize (size_t idx) [static]
    returns the symmetric key size used by the ciphersuite with the given index
    Parameters:
        idx: index, must be < getNumberOfCipherSuites()

static DcmTLSCipherMAC DcmTLSCiphersuiteHandler::getCipherSuiteMAC (size_t idx) [static]
    returns the message authentication code (MAC) algorithm used by the ciphersuite with the given index
    Parameters:
        idx: index, must be < getNumberOfCipherSuites()

static DcmTLSCipherProtocolVersion DcmTLSCiphersuiteHandler::getCipherSuiteProtocolVersion (size_t idx) [static]
    returns the minimum SSL/TLS version required for the ciphersuite with the given index
    Parameters:
        idx: index, must be < getNumberOfCipherSuites()

void DcmTLSCiphersuiteHandler::getListOfCipherSuitesForOpenSSL (OFString &cslist, OFBool isServer) const
    returns a string in OpenSSL syntax that contains the currently defined list of TLS ciphersuites.
    Parameters:
        cslist: The list of ciphersuites in OpenSSL syntax is written to this string.
        isServer: true if the list of cipher suites is intended for a TLS server. In this case, the list of ciphersuites will be reordered from strongest to weakest, as recommended by BCP 195.
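The two behaviours documented above, the BCP 195 floor of 112 bits on the effective key size and the strongest-first reordering of a server's cipher list, as an added self-contained model that is not DCMTK's code. The ciphersuite table is constructed for the example (real RFC 2246 and OpenSSL names, sizes as the example assumes them), and the function names lookupSuite, meetsBCP195KeySize and openSSLCipherList are assumed, not members of the class.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

using std::size_t;

// Constructed model of a ciphersuite table in the spirit of this class:
// RFC 2246 name, OpenSSL name, effective symmetric key size in bits.
// This is example data, not DCMTK's own table.
struct Suite { const char *tlsName; const char *opensslName; size_t effectiveBits; };

static const Suite kSuites[] = {
    {"TLS_RSA_WITH_NULL_SHA",                 "NULL-SHA",                      0},
    {"TLS_RSA_WITH_3DES_EDE_CBC_SHA",         "DES-CBC3-SHA",                112},
    {"TLS_RSA_WITH_AES_128_CBC_SHA",          "AES128-SHA",                  128},
    {"TLS_RSA_WITH_AES_256_CBC_SHA",          "AES256-SHA",                  256},
    {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256", 128},
    {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384", 256},
};
static const size_t kNumSuites = sizeof(kSuites) / sizeof(kSuites[0]);
static const size_t kUnknownSuiteIndex = static_cast<size_t>(-1);

// Index lookup by RFC 2246 name (hypothetical counterpart of lookupCiphersuite()).
size_t lookupSuite(const char *tlsName) {
    for (size_t i = 0; i < kNumSuites; ++i)
        if (std::strcmp(kSuites[i].tlsName, tlsName) == 0) return i;
    return kUnknownSuiteIndex;
}

// BCP 195 (2015): suites whose effective key size is below 112 bits are out.
bool meetsBCP195KeySize(size_t idx) {
    return idx < kNumSuites && kSuites[idx].effectiveBits >= 112;
}

// Build the colon-separated OpenSSL cipher string. For a server the list is
// reordered strongest first (stable, by effective key size); a client keeps
// the caller's order. Unknown indices are skipped rather than emitted.
std::string openSSLCipherList(std::vector<size_t> list, bool isServer) {
    if (isServer)
        std::stable_sort(list.begin(), list.end(), [](size_t a, size_t b) {
            return kSuites[a].effectiveBits > kSuites[b].effectiveBits;
        });
    std::string out;
    for (size_t i = 0; i < list.size(); ++i) {
        if (list[i] >= kNumSuites) continue;
        if (!out.empty()) out += ':';
        out += kSuites[list[i]].opensslName;
    }
    return out;
}
```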
static size_t DcmTLSCiphersuiteHandler::getNumberOfCipherSuites () [static]
    returns the number of known ciphersuites.

static const char *DcmTLSCiphersuiteHandler::getOpenSSLCipherSuiteName (size_t idx) [static]
    returns a ciphersuite name in OpenSSL form
    Parameters:
        idx: index, must be < getNumberOfCipherSuites()

static const char *DcmTLSCiphersuiteHandler::getTLSCipherSuiteName (size_t idx) [static]
    returns a ciphersuite name in RFC 2246 (TLS) form
    Parameters:
        idx: index, must be < getNumberOfCipherSuites()

long DcmTLSCiphersuiteHandler::getTLSOptions () const
    returns the set of flags that need to be activated in OpenSSL depending on the selected TLS profile.

DcmTLSSecurityProfile DcmTLSCiphersuiteHandler::getTLSProfile () const [inline]
    return the currently selected TLS profile

OFBool DcmTLSCiphersuiteHandler::isTLS13Enabled () const
    checks if TLS 1.3 is enabled (permitted) for the currently selected TLS security profile.
    Note that this does not imply that the underlying OpenSSL library version actually supports TLS 1.3. That is checked elsewhere.

static size_t DcmTLSCiphersuiteHandler::lookupCiphersuite (const char *tlsCipherSuiteName) [static]
    looks up the index of the given ciphersuite by name
    Parameters:
        tlsCipherSuiteName: ciphersuite name in RFC 2246 form

static size_t DcmTLSCiphersuiteHandler::lookupCiphersuiteByOpenSSLName (const char *opensslCipherSuiteName) [static]
    looks up the index of the given ciphersuite by OpenSSL name
    Parameters:
        opensslCipherSuiteName: ciphersuite name in the form used by OpenSSL

static const char *DcmTLSCiphersuiteHandler::lookupProfileName (DcmTLSSecurityProfile profile) [static]
    look up the name of the given security profile
    Parameters:
        profile: the given security profile

void DcmTLSCiphersuiteHandler::printSupportedCiphersuites (STD_NAMESPACE ostream &os) const
    print a list of supported ciphersuites to the given output stream
    Parameters:
        os: output stream

OFCondition DcmTLSCiphersuiteHandler::setTLSProfile (DcmTLSSecurityProfile profile)
    replace the current list of ciphersuites by the list of ciphersuites for the given profile.
    Parameters:
        profile: TLS Security Profile