From 6d8d23739b9015782e6caf3093059639f3beb341 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 19 Jan 2016 23:30:38 +0100 Subject: [PATCH] polarssl: enable DHE in default client ciphersuite Signed-off-by: Felix Fietkau --- ustream-polarssl.c | 65 +++++++++++++++++++++------------------------- 1 file changed, 30 insertions(+), 35 deletions(-) diff --git a/ustream-polarssl.c b/ustream-polarssl.c index 7135d3c..57b3714 100644 --- a/ustream-polarssl.c +++ b/ustream-polarssl.c @@ -249,42 +249,36 @@ __hidden int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len) return ret; } +#define TLS_DEFAULT_CIPHERS \ + TLS_CIPHER(AES_256_CBC_SHA256) \ + TLS_CIPHER(AES_256_GCM_SHA384) \ + TLS_CIPHER(AES_256_CBC_SHA) \ + TLS_CIPHER(CAMELLIA_256_CBC_SHA256) \ + TLS_CIPHER(CAMELLIA_256_CBC_SHA) \ + TLS_CIPHER(AES_128_CBC_SHA256) \ + TLS_CIPHER(AES_128_GCM_SHA256) \ + TLS_CIPHER(AES_128_CBC_SHA) \ + TLS_CIPHER(CAMELLIA_128_CBC_SHA256) \ + TLS_CIPHER(CAMELLIA_128_CBC_SHA) \ + TLS_CIPHER(3DES_EDE_CBC_SHA) + +static const int default_ciphersuites_nodhe[] = +{ +#define TLS_CIPHER(v) \ + TLS_RSA_WITH_##v, + TLS_DEFAULT_CIPHERS +#undef TLS_CIPHER + 0 +}; + static const int default_ciphersuites[] = { -#if defined(POLARSSL_AES_C) -#if defined(POLARSSL_SHA2_C) - TLS_RSA_WITH_AES_256_CBC_SHA256, -#endif /* POLARSSL_SHA2_C */ -#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C) - TLS_RSA_WITH_AES_256_GCM_SHA384, -#endif /* POLARSSL_SHA2_C */ - TLS_RSA_WITH_AES_256_CBC_SHA, -#endif -#if defined(POLARSSL_CAMELLIA_C) -#if defined(POLARSSL_SHA2_C) - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, -#endif /* POLARSSL_SHA2_C */ - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, -#endif -#if defined(POLARSSL_AES_C) -#if defined(POLARSSL_SHA2_C) - TLS_RSA_WITH_AES_128_CBC_SHA256, -#endif /* POLARSSL_SHA2_C */ -#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C) - TLS_RSA_WITH_AES_128_GCM_SHA256, -#endif /* POLARSSL_SHA2_C */ - TLS_RSA_WITH_AES_128_CBC_SHA, -#endif -#if defined(POLARSSL_CAMELLIA_C) -#if defined(POLARSSL_SHA2_C) - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, -#endif /* POLARSSL_SHA2_C */ - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, -#endif -#if defined(POLARSSL_DES_C) - TLS_RSA_WITH_3DES_EDE_CBC_SHA, -#endif - 0 +#define TLS_CIPHER(v) \ + TLS_DHE_RSA_WITH_##v, \ + TLS_RSA_WITH_##v, + TLS_DEFAULT_CIPHERS +#undef TLS_CIPHER + 0 }; __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx) @@ -310,16 +304,17 @@ __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx) auth = SSL_VERIFY_OPTIONAL; } - ssl_set_ciphersuites(ssl, default_ciphersuites); ssl_set_endpoint(ssl, ep); ssl_set_authmode(ssl, auth); ssl_set_rng(ssl, _urandom, NULL); if (ctx->server) { + ssl_set_ciphersuites(ssl, default_ciphersuites_nodhe); if (ctx->cert.next) ssl_set_ca_chain(ssl, ctx->cert.next, NULL, NULL); ssl_set_own_cert(ssl, &ctx->cert, &ctx->key); } else { + ssl_set_ciphersuites(ssl, default_ciphersuites); ssl_set_ca_chain(ssl, &ctx->ca_cert, NULL, NULL); } -- 2.30.2