Suyu/mbedtls
1
0
Fork 0
mirror of https://git.suyu.dev/suyu/mbedtls.git synced 2025-12-21 21:36:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge new security defaults for programs (RC4 disabled, SSL3 disabled)

Browse source
This commit is contained in:
Paul Bakker 2015-01-14 16:26:54 +01:00
commit 5b8f7eaa3e
14 changed files with 149 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

5
programs/ssl/ssl_client1.c
View file

@ -168,6 +168,11 @@ int main( int argc, char *argv[] )
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,

18
programs/ssl/ssl_client2.c
View file

@ -86,8 +86,9 @@ int main( int argc, char *argv[] )
#define DFL_ALLOW_LEGACY -2
#define DFL_RENEGOTIATE 0
#define DFL_EXCHANGES 1
#define DFL_MIN_VERSION -1
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1
#define DFL_ARC4 SSL_ARC4_DISABLED
#define DFL_AUTH_MODE SSL_VERIFY_REQUIRED
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
@ -129,6 +130,7 @@ struct options
int exchanges; /* number of data exchanges */
int min_version; /* minimum protocol version accepted */
int max_version; /* maximum protocol version accepted */
int arc4; /* flag for arc4 suites support */
int auth_mode; /* verify mode for connection */
unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* negotiate truncated hmac or not */
@ -363,6 +365,7 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
"\n" \
" min_version=%%s default: \"\" (ssl3)\n" \
" max_version=%%s default: \"\" (tls1_2)\n" \
" arc4=%%d default: 0 (disabled)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2\n" \
" auth_mode=%%s default: \"required\"\n" \
@ -453,6 +456,7 @@ int main( int argc, char *argv[] )
opt.exchanges = DFL_EXCHANGES;
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
opt.arc4 = DFL_ARC4;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
@ -627,6 +631,15 @@ int main( int argc, char *argv[] )
else
goto usage;
}
else if( strcmp( p, "arc4" ) == 0 )
{
switch( atoi( q ) )
{
case 0: opt.arc4 = SSL_ARC4_DISABLED; break;
case 1: opt.arc4 = SSL_ARC4_ENABLED; break;
default: goto usage;
}
}
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@ -1011,8 +1024,11 @@ int main( int argc, char *argv[] )
}
#endif
/* RC4 setting is redundant if we use only one ciphersuite */
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
else
ssl_set_arc4_support( &ssl, opt.arc4 );
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );

6
programs/ssl/ssl_fork_server.c
View file

@ -264,6 +264,12 @@ int main( int argc, char *argv[] )
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &client_fd,

5
programs/ssl/ssl_mail_client.c
View file

@ -601,6 +601,11 @@ int main( int argc, char *argv[] )
* but makes interop easier in this simplified example */
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,

5
programs/ssl/ssl_pthread_server.c
View file

@ -165,6 +165,11 @@ static void *handle_ssl_connection( void *data )
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_mutexed_debug, stdout );

5
programs/ssl/ssl_server.c
View file

@ -198,6 +198,11 @@ int main( int argc, char *argv[] )
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
/* RC4 is deprecated, disable it */
ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );

17
programs/ssl/ssl_server2.c
View file

@ -106,8 +106,9 @@ int main( int argc, char *argv[] )
#define DFL_RENEGO_DELAY -2
#define DFL_RENEGO_PERIOD -1
#define DFL_EXCHANGES 1
#define DFL_MIN_VERSION -1
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1
#define DFL_ARC4 SSL_ARC4_DISABLED
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
@ -172,6 +173,7 @@ struct options
int exchanges; /* number of data exchanges */
int min_version; /* minimum protocol version accepted */
int max_version; /* maximum protocol version accepted */
int arc4; /* flag for arc4 suites support */
int auth_mode; /* verify mode for connection */
unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* accept truncated hmac? */
@ -367,6 +369,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
"\n" \
" min_version=%%s default: \"ssl3\"\n" \
" max_version=%%s default: \"tls1_2\"\n" \
" arc4=%%d default: 0 (disabled)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2\n" \
"\n" \
@ -749,6 +752,7 @@ int main( int argc, char *argv[] )
opt.exchanges = DFL_EXCHANGES;
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
opt.arc4 = DFL_ARC4;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
@ -885,6 +889,15 @@ int main( int argc, char *argv[] )
else
goto usage;
}
else if( strcmp( p, "arc4" ) == 0 )
{
switch( atoi( q ) )
{
case 0: opt.arc4 = SSL_ARC4_DISABLED; break;
case 1: opt.arc4 = SSL_ARC4_ENABLED; break;
default: goto usage;
}
}
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@ -1393,6 +1406,8 @@ int main( int argc, char *argv[] )
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
else
ssl_set_arc4_support( &ssl, opt.arc4 );
if( opt.version_suites != NULL )
{