disable static dh cipher suites in non max strength build by default

2025-07-31 19:24:42 +02:00 · 2015-08-11 12:25:40 -07:00
parent 4cf78a2dab
commit ffa75d40e0
2 changed files with 47 additions and 16 deletions
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -391,46 +391,66 @@ typedef byte word24[3];
                #if !defined(NO_RSA)
                    #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
                    #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-                    #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
-                    #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+                    #if defined(WOLFSSL_STATIC_DH)
+                        #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+                        #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+                    #endif
                #endif

                #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
                #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

-                #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
-                #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+                #if defined(WOLFSSL_STATIC_DH)
+                    #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+                    #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+                #endif
            #endif /* NO_SHA */
            #ifndef NO_SHA256
                #if !defined(NO_RSA)
                    #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-                    #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+                    #if defined(WOLFSSL_STATIC_DH)
+                        #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+                    #endif
                #endif
                #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-                #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+                #if defined(WOLFSSL_STATIC_DH)
+                    #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+                #endif
            #endif

            #ifdef WOLFSSL_SHA384
                #if !defined(NO_RSA)
                    #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-                    #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+                    #if defined(WOLFSSL_STATIC_DH)
+                        #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+                    #endif
                #endif
                #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-                #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+                #if defined(WOLFSSL_STATIC_DH)
+                    #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+                #endif
            #endif

            #if defined (HAVE_AESGCM)
                #if !defined(NO_RSA)
-                    #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+                    #if defined(WOLFSSL_STATIC_DH)
+                        #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+                    #endif
                    #if defined(WOLFSSL_SHA384)
-                        #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+                        #if defined(WOLFSSL_STATIC_DH)
+                            #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+                        #endif
                    #endif
                #endif

-                #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+                #if defined(WOLFSSL_STATIC_DH)
+                    #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+                #endif

                #if defined(WOLFSSL_SHA384)
-                    #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+                    #if defined(WOLFSSL_STATIC_DH)
+                        #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+                    #endif
                #endif
            #endif
        #endif /* NO_AES */
@@ -438,22 +458,30 @@ typedef byte word24[3];
            #if !defined(NO_SHA)
                #if !defined(NO_RSA)
                    #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
-                    #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
+                    #if defined(WOLFSSL_STATIC_DH)
+                        #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
+                    #endif
                #endif

                #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
-                #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+                #if defined(WOLFSSL_STATIC_DH)
+                    #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+                #endif
            #endif
        #endif
        #if !defined(NO_DES3)
            #ifndef NO_SHA
                #if !defined(NO_RSA)
                    #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-                    #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+                    #if defined(WOLFSSL_STATIC_DH)
+                        #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+                    #endif
                #endif

                #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
-                #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+                #if defined(WOLFSSL_STATIC_DH)
+                    #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+                #endif
            #endif /* NO_SHA */
        #endif
    #endif
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -111,6 +111,9 @@
 /* Uncomment next line if building for VxWorks */
 /* #define WOLFSSL_VXWORKS */

+/* Uncomment next line to enable deprecated less secure static DH suites */
+/* #define WOLFSSL_STATIC_DH */
+
 #include <wolfssl/wolfcrypt/visibility.h>

 #ifdef WOLFSSL_USER_SETTINGS