From fb35dc61db3d91fb9704542b71bb3119925d7edf Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 13 Aug 2015 11:05:07 -0700 Subject: [PATCH] disable static rsa cipher suites in non max strength build by default --- wolfssl/internal.h | 80 +++++++++++++++++++++--------------- wolfssl/wolfcrypt/settings.h | 11 +++++ 2 files changed, 58 insertions(+), 33 deletions(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 898356645..87162e935 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -211,11 +211,13 @@ typedef byte word24[3]; #ifndef WOLFSSL_MAX_STRENGTH #if !defined(NO_RSA) && !defined(NO_RC4) - #if !defined(NO_SHA) - #define BUILD_SSL_RSA_WITH_RC4_128_SHA - #endif - #if !defined(NO_MD5) - #define BUILD_SSL_RSA_WITH_RC4_128_MD5 + #if defined(WOLFSSL_STATIC_RSA) + #if !defined(NO_SHA) + #define BUILD_SSL_RSA_WITH_RC4_128_SHA + #endif + #if !defined(NO_MD5) + #define BUILD_SSL_RSA_WITH_RC4_128_MD5 + #endif #endif #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA @@ -224,7 +226,9 @@ typedef byte word24[3]; #if !defined(NO_RSA) && !defined(NO_DES3) #if !defined(NO_SHA) - #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA + #if defined(WOLFSSL_STATIC_RSA) + #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA + #endif #if !defined(NO_TLS) && defined(HAVE_NTRU) #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA #endif @@ -233,43 +237,49 @@ typedef byte word24[3]; #if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS) #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA + #if defined(WOLFSSL_STATIC_RSA) + #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA + #endif #if defined(HAVE_NTRU) #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA #endif #endif - #if !defined (NO_SHA256) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - #endif - #if defined (HAVE_AESGCM) - #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - #if defined (WOLFSSL_SHA384) - #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 + #if defined(WOLFSSL_STATIC_RSA) + #if !defined (NO_SHA256) + #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 + #endif + #if defined (HAVE_AESGCM) + #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 + #if defined (WOLFSSL_SHA384) + #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 + #endif + #endif + #if defined (HAVE_AESCCM) + #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 + #define BUILD_TLS_RSA_WITH_AES_256_CCM_8 + #endif + #if defined(HAVE_BLAKE2) + #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 + #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 #endif - #endif - #if defined (HAVE_AESCCM) - #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 - #define BUILD_TLS_RSA_WITH_AES_256_CCM_8 - #endif - #if defined(HAVE_BLAKE2) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 #endif #endif #if defined(HAVE_CAMELLIA) && !defined(NO_TLS) #ifndef NO_RSA - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - #endif + #if defined(WOLFSSL_STATIC_RSA) + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + #endif #ifndef NO_SHA256 #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 #endif + #endif #if !defined(NO_DH) #if !defined(NO_SHA) #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA @@ -310,11 +320,13 @@ typedef byte word24[3]; #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) #if !defined(NO_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_NULL_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_RSA_WITH_NULL_SHA256 + #if defined(WOLFSSL_STATIC_RSA) + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_NULL_SHA + #endif + #ifndef NO_SHA256 + #define BUILD_TLS_RSA_WITH_NULL_SHA256 + #endif #endif #endif #if !defined(NO_PSK) @@ -330,6 +342,7 @@ typedef byte word24[3]; #endif #endif +#if defined(WOLFSSL_STATIC_RSA) #if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS) #ifndef NO_MD5 #define BUILD_TLS_RSA_WITH_HC_128_MD5 @@ -347,6 +360,7 @@ typedef byte word24[3]; #define BUILD_TLS_RSA_WITH_RABBIT_SHA #endif #endif +#endif #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ !defined(NO_RSA) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index fb6f9543a..8cdd73898 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -114,6 +114,9 @@ /* Uncomment next line to enable deprecated less secure static DH suites */ /* #define WOLFSSL_STATIC_DH */ +/* Uncomment next line to enable deprecated less secure static RSA suites */ +/* #define WOLFSSL_STATIC_RSA */ + #include #ifdef WOLFSSL_USER_SETTINGS @@ -813,6 +816,14 @@ #define HAVE_HASHDRBG #endif + +/* sniffer requires static RSA cipher suites */ +#ifdef WOLFSSL_SNIFFER + #ifndef WOLFSSL_STATIC_RSA + #define WOLFSSL_STATIC_RSA + #endif +#endif + /* Place any other flags or defines here */