From ffa75d40e02bd1079439722c18bd1031aca70632 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 11 Aug 2015 12:25:40 -0700 Subject: [PATCH] disable static dh cipher suites in non max strength build by default --- wolfssl/internal.h | 60 ++++++++++++++++++++++++++---------- wolfssl/wolfcrypt/settings.h | 3 ++ 2 files changed, 47 insertions(+), 16 deletions(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 7950cf056..898356645 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -391,46 +391,66 @@ typedef byte word24[3]; #if !defined(NO_RSA) #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + #endif #endif #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + #endif #endif /* NO_SHA */ #ifndef NO_SHA256 #if !defined(NO_RSA) #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + #endif #endif #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + #endif #endif #ifdef WOLFSSL_SHA384 #if !defined(NO_RSA) #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + #endif #endif #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + #endif #endif #if defined (HAVE_AESGCM) #if !defined(NO_RSA) - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + #endif #if defined(WOLFSSL_SHA384) - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + #endif #endif #endif - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + #endif #if defined(WOLFSSL_SHA384) - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + #endif #endif #endif #endif /* NO_AES */ @@ -438,22 +458,30 @@ typedef byte word24[3]; #if !defined(NO_SHA) #if !defined(NO_RSA) #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA + #endif #endif #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA + #endif #endif #endif #if !defined(NO_DES3) #ifndef NO_SHA #if !defined(NO_RSA) #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + #endif #endif #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + #if defined(WOLFSSL_STATIC_DH) + #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + #endif #endif /* NO_SHA */ #endif #endif diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 6c10ddf2a..fb6f9543a 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -111,6 +111,9 @@ /* Uncomment next line if building for VxWorks */ /* #define WOLFSSL_VXWORKS */ +/* Uncomment next line to enable deprecated less secure static DH suites */ +/* #define WOLFSSL_STATIC_DH */ + #include #ifdef WOLFSSL_USER_SETTINGS