Added --enable-maxstrength configure build to only

allow TLSv1.2, PFS, and AEAD ciphers.
2015-04-01 11:55:49 -07:00
parent 34700642fa
commit 5ecbe14d2c
2 changed files with 300 additions and 234 deletions
--- a/configure.ac
+++ b/configure.ac
@ -165,6 +165,13 @@ then
 fi


+# High Strength Build
+AC_ARG_ENABLE([maxstrength],
+    [AS_HELP_STRING([--enable-maxstrength],[Enable Max Strengh build, allows TLSv1.2-AEAD-PFS ciphers only (default: disabled)])],
+    [ENABLED_MAXSTRENGTH=$enableval],
+    [ENABLED_MAXSTRENGTH=no])
+
+
 # IPv6 Test Apps
 AC_ARG_ENABLE([ipv6],
    [  --enable-ipv6           Enable testing of IPV6 (default: disabled)],
@ -1849,6 +1856,32 @@ fi
 AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"])


+# Check for build-type conflicts
+AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
+       test "x$ENABLED_LEANPSK" = "xyes"],
+      [AC_MSG_ERROR([Cannot use Max Strength and Lean PSK at the same time.])])
+
+
+# Update CFLAGS based on options
+AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes"],
+      [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAX_STRENGTH"])
+
+AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" || \
+       test "x$ENABLED_AESGCM" = "xyes" || \
+       test "x$ENABLED_AESCCM" = "xyes" || \
+       test "x$ENABLED_CHACHA" = "xyes" || \
+       test "x$ENABLED_POLY1305" = "xyes"],
+      [AM_CFLAGS="$AM_CFLAGS -DHAVE_AEAD"])
+
+AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" || \
+       test "x$ENABLED_DH" = "xyes"],
+      [AM_CFLAGS="$AM_CFLAGS -DHAVE_PFS"])
+
+AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
+       test "x$ENABLED_OLD_TLS" = "xyes"],
+      [AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
+       ENABLED_OLD_TLS=no])
+

 # OPTIMIZE FLAGS
 if test "$GCC" = "yes"
@ -2004,6 +2037,7 @@ echo "   Features "
 echo "   * Single threaded:           $ENABLED_SINGLETHREADED"
 echo "   * Filesystem:                $ENABLED_FILESYSTEM"
 echo "   * OpenSSL Extra API:         $ENABLED_OPENSSLEXTRA"
+echo "   * Max Strength Build:        $ENABLED_MAXSTRENGTH"
 echo "   * fastmath:                  $ENABLED_FASTMATH"
 echo "   * sniffer:                   $ENABLED_SNIFFER"
 echo "   * snifftest:                 $ENABLED_SNIFFTEST"
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -181,7 +181,15 @@ typedef byte word24[3];
   make sure to use at least one BUILD_SSL_xxx or BUILD_TLS_xxx is defined

   When adding cipher suites, add name to cipher_names, idx to cipher_name_idx
+
+   Now that there is a maximum strength crypto build, the following BUILD_XXX
+   flags need to be divided into two groups selected by WOLFSSL_MAX_STRENGTH.
+   Those that do not use Perfect Forward Security and do not use AEAD ciphers
+   need to be switched off. Allowed suites use (EC)DHE, AES-GCM|CCM, or
+   CHACHA-POLY.
 */
+#ifndef WOLFSSL_MAX_STRENGTH
+
    #if !defined(NO_RSA) && !defined(NO_RC4)
        #if !defined(NO_SHA)
            #define BUILD_SSL_RSA_WITH_RC4_128_SHA
@ -320,6 +328,7 @@ typedef byte word24[3];

    #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
        !defined(NO_RSA)
+
        #if !defined(NO_SHA)
            #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
            #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
@ -327,12 +336,6 @@ typedef byte word24[3];
        #if !defined(NO_SHA256)
            #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
            #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
-        #if defined (HAVE_AESGCM)
-            #define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
-            #if defined (WOLFSSL_SHA384)
-                #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-            #endif
-        #endif
        #endif
    #endif

@ -347,22 +350,12 @@ typedef byte word24[3];
            #ifdef HAVE_NULL_CIPHER
                #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
            #endif
-        #ifdef HAVE_AESGCM
-            #define BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
-        #endif
-        #ifdef HAVE_AESCCM
-            #define BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
-            #define BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
-        #endif
        #endif
        #ifdef WOLFSSL_SHA384
            #define BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
            #ifdef HAVE_NULL_CIPHER
                #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
            #endif
-        #ifdef HAVE_AESGCM
-            #define BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
-        #endif
        #endif
    #endif

@ -402,26 +395,18 @@ typedef byte word24[3];

            #if defined (HAVE_AESGCM)
                #if !defined(NO_RSA)
-                #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                    #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
                    #if defined(WOLFSSL_SHA384)
-                    #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                        #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
                    #endif
                #endif

-            #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

                #if defined(WOLFSSL_SHA384)
-                #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                    #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
                #endif
            #endif
-        #if defined (HAVE_AESCCM)
-            #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
-            #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
-        #endif
        #endif /* NO_AES */
        #if !defined(NO_RC4)
            #if !defined(NO_SHA)
@ -445,6 +430,70 @@ typedef byte word24[3];
        #endif
    #endif

+#endif /* !WOLFSSL_MAX_STRENGTH */
+
+#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
+    !defined(NO_RSA) && defined(HAVE_AESGCM)
+
+    #ifndef NO_SHA256
+        #define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+    #endif
+
+    #ifdef WOLFSSL_SHA384
+        #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+    #endif
+#endif
+
+#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS)
+    #ifndef NO_SHA256
+        #ifdef HAVE_AESGCM
+            #define BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+        #endif
+        #ifdef HAVE_AESCCM
+            #define BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
+            #define BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
+        #endif
+    #endif
+    #if defined(WOLFSSL_SHA384) && defined(HAVE_AESGCM)
+        #define BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+    #endif
+#endif
+
+#if defined(HAVE_ECC) && !defined(NO_DH) && !defined(NO_TLS) && !defined(NO_AES)
+    #ifdef HAVE_AESGCM
+        #ifndef NO_SHA256
+            #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+            #ifndef NO_RSA
+                #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+            #endif
+        #endif
+        #ifdef WOLFSSL_SHA384
+            #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+            #ifndef NO_RSA
+                #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+            #endif
+        #endif
+    #endif
+    #if defined(HAVE_AESCCM) && !defined(NO_SHA256)
+        #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+        #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
+    #endif
+#endif
+
+#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) && \
+    !defined(NO_DH)
+
+    #ifdef HAVE_ECC
+        #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+        #ifndef NO_RSA
+            #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+        #endif
+    #endif
+    #ifndef NO_RSA
+        #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    #endif
+#endif
+

 #if defined(BUILD_SSL_RSA_WITH_RC4_128_SHA) || \
    defined(BUILD_SSL_RSA_WITH_RC4_128_MD5)
@ -499,23 +548,6 @@ typedef byte word24[3];

 #ifdef HAVE_CHACHA
    #define CHACHA20_BLOCK_SIZE 16
-    /* ChaCha - Poly AEAD suites */
-    #if defined(HAVE_POLY1305) && !defined(NO_SHA256)
-        #if defined(HAVE_ECC)
-            #if !defined(NO_RSA)
-                #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-            #endif
-            #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-        #endif
-        #if !defined(NO_DH) && !defined(NO_RSA)
-            #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-        #endif
-    #endif /* end of ChaCha - Poly AEAD suites */
-#endif
-
-#if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) || \
-                             (defined(HAVE_CHACHA) && defined(HAVE_POLY1305))
-    #define HAVE_AEAD
 #endif