disable static rsa cipher suites in non max strength build by default

wolfssl/internal.h

@@ -211,11 +211,13 @@ typedef byte word24[3];
 #ifndef WOLFSSL_MAX_STRENGTH
 
     #if !defined(NO_RSA) && !defined(NO_RC4)
-        #if !defined(NO_SHA)
+        #if defined(WOLFSSL_STATIC_RSA)
-            #define BUILD_SSL_RSA_WITH_RC4_128_SHA
+            #if !defined(NO_SHA)
-        #endif
+                #define BUILD_SSL_RSA_WITH_RC4_128_SHA
-        #if !defined(NO_MD5)
+            #endif
-            #define BUILD_SSL_RSA_WITH_RC4_128_MD5
+            #if !defined(NO_MD5)
+                #define BUILD_SSL_RSA_WITH_RC4_128_MD5
+            #endif
         #endif
         #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA)
             #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
@@ -224,7 +226,9 @@ typedef byte word24[3];
 
     #if !defined(NO_RSA) && !defined(NO_DES3)
         #if !defined(NO_SHA)
-            #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
+            #if defined(WOLFSSL_STATIC_RSA)
+                #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
+            #endif
             #if !defined(NO_TLS) && defined(HAVE_NTRU)
                     #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
             #endif
@@ -233,43 +237,49 @@ typedef byte word24[3];
 
     #if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS)
         #if !defined(NO_SHA)
-            #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
+            #if defined(WOLFSSL_STATIC_RSA)
-            #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
+                #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
+                #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
+            #endif
             #if defined(HAVE_NTRU)
                     #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
                     #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
             #endif
         #endif
-        #if !defined (NO_SHA256)
+        #if defined(WOLFSSL_STATIC_RSA)
-            #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
+            #if !defined (NO_SHA256)
-            #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
+                #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
-        #endif
+                #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
-        #if defined (HAVE_AESGCM)
+            #endif
-            #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
+            #if defined (HAVE_AESGCM)
-            #if defined (WOLFSSL_SHA384)
+                #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
-                #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
+                #if defined (WOLFSSL_SHA384)
+                    #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
+                #endif
+            #endif
+            #if defined (HAVE_AESCCM)
+                #define BUILD_TLS_RSA_WITH_AES_128_CCM_8
+                #define BUILD_TLS_RSA_WITH_AES_256_CCM_8
+            #endif
+            #if defined(HAVE_BLAKE2)
+                #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
+                #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
             #endif
-        #endif
-        #if defined (HAVE_AESCCM)
-            #define BUILD_TLS_RSA_WITH_AES_128_CCM_8
-            #define BUILD_TLS_RSA_WITH_AES_256_CCM_8
-        #endif
-        #if defined(HAVE_BLAKE2)
-            #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256
-            #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256
         #endif
     #endif
 
     #if defined(HAVE_CAMELLIA) && !defined(NO_TLS)
         #ifndef NO_RSA
-          #if !defined(NO_SHA)
+          #if defined(WOLFSSL_STATIC_RSA)
-            #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+            #if !defined(NO_SHA)
-            #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+                #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
-          #endif
+                #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+            #endif
             #ifndef NO_SHA256
                 #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
                 #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
             #endif
+          #endif
             #if !defined(NO_DH)
               #if !defined(NO_SHA)
                 #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
@@ -310,11 +320,13 @@ typedef byte word24[3];
 
     #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER)
         #if !defined(NO_RSA)
-            #if !defined(NO_SHA)
+            #if defined(WOLFSSL_STATIC_RSA)
-                #define BUILD_TLS_RSA_WITH_NULL_SHA
+                #if !defined(NO_SHA)
-            #endif
+                    #define BUILD_TLS_RSA_WITH_NULL_SHA
-            #ifndef NO_SHA256
+                #endif
-                #define BUILD_TLS_RSA_WITH_NULL_SHA256
+                #ifndef NO_SHA256
+                    #define BUILD_TLS_RSA_WITH_NULL_SHA256
+                #endif
             #endif
         #endif
         #if !defined(NO_PSK)
@@ -330,6 +342,7 @@ typedef byte word24[3];
         #endif
     #endif
 
+#if defined(WOLFSSL_STATIC_RSA)
     #if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS)
         #ifndef NO_MD5
             #define BUILD_TLS_RSA_WITH_HC_128_MD5
@@ -347,6 +360,7 @@ typedef byte word24[3];
             #define BUILD_TLS_RSA_WITH_RABBIT_SHA
         #endif
     #endif
+#endif
 
     #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
         !defined(NO_RSA)

wolfssl/wolfcrypt/settings.h

@@ -114,6 +114,9 @@
 /* Uncomment next line to enable deprecated less secure static DH suites */
 /* #define WOLFSSL_STATIC_DH */
 
+/* Uncomment next line to enable deprecated less secure static RSA suites */
+/* #define WOLFSSL_STATIC_RSA */
+
 #include <wolfssl/wolfcrypt/visibility.h>
 
 #ifdef WOLFSSL_USER_SETTINGS
@@ -813,6 +816,14 @@
     #define HAVE_HASHDRBG
 #endif
 
+
+/* sniffer requires static RSA cipher suites */
+#ifdef WOLFSSL_SNIFFER
+    #ifndef WOLFSSL_STATIC_RSA
+        #define WOLFSSL_STATIC_RSA
+    #endif
+#endif
+
 /* Place any other flags or defines here */