From e9bc868dbb3c88942f72b16017b5acf0bd72eb81 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 1 Apr 2013 14:25:20 -0700 Subject: [PATCH] AES-GCM does not require SHA-384, but will use it if enabled in build; reorder some of the requirement checks to regroup some NO_RSA suite checks --- configure.ac | 14 ++----------- cyassl/internal.h | 53 +++++++++++++++++++++++++++-------------------- src/internal.c | 26 +++++++++++------------ 3 files changed, 45 insertions(+), 48 deletions(-) diff --git a/configure.ac b/configure.ac index 8b0600148..0aa30db37 100644 --- a/configure.ac +++ b/configure.ac @@ -288,7 +288,7 @@ fi if test "$ENABLED_AESGCM" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM -DCYASSL_SHA384 -DCYASSL_SHA512" + AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM" fi AM_CONDITIONAL([BUILD_AESGCM], [test "x$ENABLED_AESGCM" = "xyes"]) @@ -303,7 +303,7 @@ AC_ARG_ENABLE([aesccm], if test "$ENABLED_AESCCM" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM -DCYASSL_SHA384 -DCYASSL_SHA512" + AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM" fi AM_CONDITIONAL([BUILD_AESCCM], [test "x$ENABLED_AESCCM" = "xyes"]) @@ -423,16 +423,6 @@ then ENABLED_SHA512="yes" fi -if test "$ENABLED_AESGCM" = "yes" -then - ENABLED_SHA512="yes" -fi - -if test "$ENABLED_AESCCM" = "yes" -then - ENABLED_SHA512="yes" -fi - AM_CONDITIONAL([BUILD_SHA512], [test "x$ENABLED_SHA512" = "xyes"]) diff --git a/cyassl/internal.h b/cyassl/internal.h index 00cafab24..80bf98913 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -171,7 +171,9 @@ void c32to24(word32 in, word24 out); #endif #if defined (HAVE_AESGCM) #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 + #if defined (CYASSL_SHA384) + #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 + #endif #endif #if defined (HAVE_AESCCM) #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 
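Review bot: With `-DCYASSL_SHA384 -DCYASSL_SHA512` dropped from the `ENABLED_AESGCM` block in the @@ -288 hunk, a build configured with AES-GCM alone no longer gets any `*_AES_256_GCM_SHA384` suite, and nothing at configure time says so. The suites are compiled out by the new `CYASSL_SHA384` guards in cyassl/internal.h, so the result is a quietly shorter suite list rather than a build error, and a peer that offers only the 256-bit GCM suites would fail to negotiate. A comment above the block would record the dependency, for example `# AES-256-GCM suites need SHA-384 and are built only when CYASSL_SHA384 is also defined`. The @@ -303 hunk makes the same removal for AES-CCM; the CCM_8 suites visible in this patch carry no SHA-384 guard, so that change looks neutral for suite selection.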
@@ -259,27 +261,29 @@ void c32to24(word32 in, word24 out); #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 #if defined (HAVE_AESGCM) #define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + #if defined (CYASSL_SHA384) + #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + #endif #endif #endif #endif #if defined(HAVE_ECC) && !defined(NO_TLS) #if !defined(NO_AES) - #if !defined(NO_SHA) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - + #if !defined(NO_SHA) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + #endif + + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + #endif /* NO_SHA */ #ifndef NO_SHA256 #if !defined(NO_RSA) #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
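Review bot: The `#endif /* NO_SHA */` added after the re-indented CBC_SHA block changes preprocessor scope, and that is easy to miss among the whitespace-only lines around it. Together with the `#endif` removed in the @@ -337 hunk, it appears that the ECC SHA-256, GCM and CCM suites are no longer gated on `!defined(NO_SHA)`, and that the RC4 and 3DES ECC suites are no longer nested under `!defined(NO_AES)`. The commit message mentions neither effect. It would help to state this in the description and to confirm that a `NO_SHA` build still compiles and negotiates correctly with those suites enabled. The enclosing `HAVE_ECC` block starts and ends outside this hunk.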
@@ -302,21 +306,25 @@ void c32to24(word32 in, word24 out); #if !defined(NO_RSA) #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + #if defined(CYASSL_SHA384) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + #endif #endif #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + + #if defined(CYASS_SHA384) + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + #endif #endif #if defined (HAVE_AESCCM) #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 #endif - #endif + #endif /* NO_AES */ #if !defined(NO_RC4) #if !defined(NO_SHA) #if !defined(NO_RSA) @@ -337,7 +345,6 @@ void c32to24(word32 in, word24 out); #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA #endif - #endif #endif diff --git a/src/internal.c b/src/internal.c index df729a5fb..1e61e3a54 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8464,12 +8464,6 @@ int SetCipherList(Suites* s, const char* list) return 1; break; - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : - if (requirement == REQUIRES_ECC_DSA) - return 1; - break; - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : if (requirement == REQUIRES_RSA) 
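Review bot: The new guard around the ECDSA 256-bit GCM suites is misspelled: `#if defined(CYASS_SHA384)` tests a macro that nothing in this patch defines, so `BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` and `BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384` are never defined even when SHA-384 is enabled. The RSA pair a few lines above uses the intended name, so the two halves of the hunk now behave differently. The preprocessor gives no diagnostic for an unknown name inside `defined()`, which leaves ECDSA builds quietly limited to the AES-128-GCM suites. The line should read `#if defined(CYASSL_SHA384)`.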
@@ -8478,12 +8472,6 @@ int SetCipherList(Suites* s, const char* list) return 1; break; - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : - if (requirement == REQUIRES_ECC_DSA) - return 1; - break; - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : if (requirement == REQUIRES_RSA_SIG) @@ -8491,6 +8479,19 @@ int SetCipherList(Suites* s, const char* list) if (requirement == REQUIRES_ECC_STATIC) return 1; break; +#endif + + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : + case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : + if (requirement == REQUIRES_ECC_DSA) + return 1; + break; + + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : + if (requirement == REQUIRES_ECC_DSA) + return 1; + break; case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : @@ -8499,7 +8500,6 @@ int SetCipherList(Suites* s, const char* list) if (requirement == REQUIRES_ECC_STATIC) return 1; break; -#endif default: CYASSL_MSG("Unsupported cipher suite, CipherRequires ECC");
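Review bot: The `#endif` added after the `TLS_ECDH_RSA_*` cases in the @@ -8491 hunk carries no comment naming the guard it closes, and the matching `#if` lies outside the hunk. The commit message suggests it is the `NO_RSA` guard; if so, `#endif /* NO_RSA */` would explain why the ECDSA-only cases now sit below it, and would match the commented `#endif`s this commit adds in cyassl/internal.h. The two relocated ECDHE_ECDSA groups (`*_CCM_8` and `*_CBC_SHA256`/`*_CBC_SHA384`) have identical bodies, so their four case labels could share a single `if (requirement == REQUIRES_ECC_DSA) return 1; break;`. The switch belongs to a function whose start and end are outside these hunks.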