feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #7315 from fabiankeil/disable-3des-ciphers

Browse Source 
Allow to enable DES3 support without the DES3 ciphers
This commit is contained in:
JacobBarthelmeh
2024-04-02 17:48:01 -06:00
committed by GitHub
parent 75da69911c 790129ee71
commit c768f76d5a
3 changed files with 28 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
CMakeLists.txt
View File

@ -1216,6 +1216,14 @@ if(WOLFSSL_OPENSSH OR
override_cache(WOLFSSL_DES3 "yes") override_cache(WOLFSSL_DES3 "yes")
endif() endif()
# DES3 TLS Suites
set(WOLFSSL_DES3_TLS_SUITES_STRING "Enable DES3 TLS cipher suites (default: disabled)")
add_option("WOLFSSL_DES3_TLS_SUITES" ${WOLFSSL_DES3_TLS_SUITES_STRING} "no" "yes;no")
if(NOT WOLFSSL_DES3_TLS_SUITES)
list(APPEND WOLFSSL_DEFINITIONS "-DNO_DES3_TLS_SUITES")
endif()
# ARC4 # ARC4
set(WOLFSSL_ARC4_HELP_STRING "Enable ARC4 (default: disabled)") set(WOLFSSL_ARC4_HELP_STRING "Enable ARC4 (default: disabled)")
add_option("WOLFSSL_ARC4" ${WOLFSSL_ARC4_HELP_STRING} "no" "yes;no") add_option("WOLFSSL_ARC4" ${WOLFSSL_ARC4_HELP_STRING} "no" "yes;no")

16
configure.ac
View File

@ -4805,6 +4805,13 @@ then
ENABLED_DES3="yes" ENABLED_DES3="yes"
fi fi
# DES3 TLS suites
AC_ARG_ENABLE([des3-tls-suites],
[AS_HELP_STRING([--enable-des3-tls-suites],[Enable DES3 TLS cipher suites (default: disabled)])],
[ ENABLED_DES3_TLS_SUITES=$enableval ],
[ ENABLED_DES3_TLS_SUITES=no ]
)
# ARC4 # ARC4
if (test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno") || \ if (test "$ENABLED_OPENSSH" = "yes" && test "x$ENABLED_FIPS" = "xno") || \
test "$ENABLED_WPAS" = "yes" || test "$ENABLED_KRB" = "yes" test "$ENABLED_WPAS" = "yes" || test "$ENABLED_KRB" = "yes"
@ -8718,6 +8725,14 @@ else
fi fi
fi fi
if test "x$ENABLED_DES3_TLS_SUITES" = "xno"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DES3_TLS_SUITES"
else
AS_IF([test "x$ENABLED_DES3" = "xno"],
[AC_MSG_ERROR([DES3 TLS suites require DES3])])
fi
if test "$ENABLED_AESGCM" != "no" if test "$ENABLED_AESGCM" != "no"
then then
if test "$ENABLED_AESGCM" = "word" if test "$ENABLED_AESGCM" = "word"
@ -9521,6 +9536,7 @@ echo " * AES-EAX: $ENABLED_AESEAX"
echo " * AES Bitspliced: $ENABLED_AESBS" echo " * AES Bitspliced: $ENABLED_AESBS"
echo " * ARIA: $ENABLED_ARIA" echo " * ARIA: $ENABLED_ARIA"
echo " * DES3: $ENABLED_DES3" echo " * DES3: $ENABLED_DES3"
echo " * DES3 TLS Suites: $ENABLED_DES3_TLS_SUITES"
echo " * Camellia: $ENABLED_CAMELLIA" echo " * Camellia: $ENABLED_CAMELLIA"
echo " * SM4-ECB: $ENABLED_SM4_ECB" echo " * SM4-ECB: $ENABLED_SM4_ECB"
echo " * SM4-CBC: $ENABLED_SM4_CBC" echo " * SM4-CBC: $ENABLED_SM4_CBC"

7
wolfssl/internal.h
View File

@ -343,7 +343,7 @@
#endif #endif
#endif #endif
#if !defined(NO_RSA) && !defined(NO_DES3) #if !defined(NO_RSA) && !defined(NO_DES3) && !defined(NO_DES3_TLS_SUITES)
#if !defined(NO_SHA) #if !defined(NO_SHA)
#if defined(WOLFSSL_STATIC_RSA) #if defined(WOLFSSL_STATIC_RSA)
#define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
@ -500,7 +500,7 @@
#if defined(WOLFSSL_AES_256) && defined(HAVE_AES_CBC) #if defined(WOLFSSL_AES_256) && defined(HAVE_AES_CBC)
#define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
#endif #endif
#if !defined(NO_DES3) #if !defined(NO_DES3) && !defined(NO_DES3_TLS_SUITES)
#define BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA #define BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
#endif #endif
#endif #endif
@ -686,7 +686,8 @@
#endif #endif
#endif #endif
#if !defined(NO_DES3) && !(defined(WSSL_HARDEN_TLS) && \ #if !defined(NO_DES3) && !(defined(WSSL_HARDEN_TLS) && \
WSSL_HARDEN_TLS > 112) WSSL_HARDEN_TLS > 112) && \
!defined(NO_DES3_TLS_SUITES)
/* 3DES offers only 112 bits of security. /* 3DES offers only 112 bits of security.
* Using guidance from section 5.6.1 * Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */