xfnw/plan9fox
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

libsec: add TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suits

Browse source
This commit is contained in:
cinap_lenrek 2015-09-14 09:27:06 +02:00
parent be3ba38c45
commit 9733434e6e
1 changed files with 41 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

80
sys/src/libsec/port/tlshand.c
View file

@ -253,8 +253,7 @@ enum {
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019, TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A, TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B, TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
TLS_RSA_WITH_AES_128_CBC_SHA = 0X002F, // aes, aka rijndael with 128 bit blocks
TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks
TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030, TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031, TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032, TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
@ -266,15 +265,14 @@ enum {
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038, TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039, TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A, TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
TLS_RSA_WITH_AES_128_CBC_SHA256 = 0X003C, TLS_RSA_WITH_AES_128_CBC_SHA256 = 0X003C,
TLS_RSA_WITH_AES_256_CBC_SHA256 = 0X003D, TLS_RSA_WITH_AES_256_CBC_SHA256 = 0X003D,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0XC009,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0XC00A,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0XC013,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0XC014,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0XC023,
CipherMax TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
}; };
// compression methods // compression methods
@ -284,8 +282,10 @@ enum {
}; };
static Algs cipherAlgs[] = { static Algs cipherAlgs[] = {
{"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}, {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA}, {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
{"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA}, {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
@ -802,8 +802,10 @@ static int
isECDHE(int tlsid) isECDHE(int tlsid)
{ {
switch(tlsid){ switch(tlsid){
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
return 1; return 1;
@ -2026,36 +2028,36 @@ tlsConnectionFree(TlsConnection *c)
//================= cipher choices ======================== //================= cipher choices ========================
static int weakCipher[CipherMax] = static int weakCipher[] =
{ {
1, /* TLS_NULL_WITH_NULL_NULL */ [TLS_NULL_WITH_NULL_NULL] 1,
1, /* TLS_RSA_WITH_NULL_MD5 */ [TLS_RSA_WITH_NULL_MD5] 1,
1, /* TLS_RSA_WITH_NULL_SHA */ [TLS_RSA_WITH_NULL_SHA] 1,
1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */ [TLS_RSA_EXPORT_WITH_RC4_40_MD5] 1,
0, /* TLS_RSA_WITH_RC4_128_MD5 */ [TLS_RSA_WITH_RC4_128_MD5] 0,
0, /* TLS_RSA_WITH_RC4_128_SHA */ [TLS_RSA_WITH_RC4_128_SHA] 0,
1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */ [TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5] 1,
0, /* TLS_RSA_WITH_IDEA_CBC_SHA */ [TLS_RSA_WITH_IDEA_CBC_SHA] 0,
1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */ [TLS_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
0, /* TLS_RSA_WITH_DES_CBC_SHA */ [TLS_RSA_WITH_DES_CBC_SHA] 0,
0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */ [TLS_RSA_WITH_3DES_EDE_CBC_SHA] 0,
1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */ [TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] 1,
0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */ [TLS_DH_DSS_WITH_DES_CBC_SHA] 0,
0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */ [TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA] 0,
1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */ [TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */ [TLS_DH_RSA_WITH_DES_CBC_SHA] 0,
0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */ [TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA] 0,
1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */ [TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] 1,
0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */ [TLS_DHE_DSS_WITH_DES_CBC_SHA] 0,
0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */ [TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA] 0,
1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */ [TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */ [TLS_DHE_RSA_WITH_DES_CBC_SHA] 0,
0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ [TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA] 0,
1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */ [TLS_DH_anon_EXPORT_WITH_RC4_40_MD5] 1,
1, /* TLS_DH_anon_WITH_RC4_128_MD5 */ [TLS_DH_anon_WITH_RC4_128_MD5] 1,
1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */ [TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA] 1,
1, /* TLS_DH_anon_WITH_DES_CBC_SHA */ [TLS_DH_anon_WITH_DES_CBC_SHA] 1,
1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */ [TLS_DH_anon_WITH_3DES_EDE_CBC_SHA] 1,
}; };
static int static int
@ -2085,7 +2087,7 @@ okCipher(Ints *cv)
weak = 1; weak = 1;
for(i = 0; i < cv->len; i++) { for(i = 0; i < cv->len; i++) {
c = cv->data[i]; c = cv->data[i];
if(c >= CipherMax) if(c >= nelem(weakCipher))
weak = 0; weak = 0;
else else
weak &= weakCipher[c]; weak &= weakCipher[c];