Removed support for some elliptical curves and removed support for SHA384 ciphers to save space

Noah Laptop 2019-07-30 15:33:10 -07:00
parent 97aee26a1f
commit 2e2c247a0f


@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org> * Copyright (c) 2019 OSU OPEnS Lab
* *
* Permission is hereby granted, free of charge, to any person obtaining * Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the * a copy of this software and associated documentation files (the
@ -79,21 +79,13 @@ br_client_init_TLS12_only(br_ssl_client_context *cc,
BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
}; };
/* /*
@ -125,7 +117,7 @@ br_client_init_TLS12_only(br_ssl_client_context *cc,
*/ */
// br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf); // br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);
br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf); br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);
br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf); // br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
/* /*
* Set hash functions for the engine. Required hash functions * Set hash functions for the engine. Required hash functions
@ -158,7 +150,7 @@ br_client_init_TLS12_only(br_ssl_client_context *cc,
br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable); br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable);
br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable); br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable);
br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable); br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable);
// br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable); br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable);
/* /*
* Set the cipher suites. All specified cipher suite MUST be * Set the cipher suites. All specified cipher suite MUST be
@ -237,7 +229,7 @@ br_client_init_TLS12_only(br_ssl_client_context *cc,
//* Alternate: set implementations explicitly. //* Alternate: set implementations explicitly.
// br_ssl_client_set_rsapub(cc, &br_rsa_i31_public); // br_ssl_client_set_rsapub(cc, &br_rsa_i31_public);
br_ssl_engine_set_rsavrfy(&cc->eng, &br_rsa_i15_pkcs1_vrfy); br_ssl_engine_set_rsavrfy(&cc->eng, &br_rsa_i15_pkcs1_vrfy);
br_ssl_engine_set_ec(&cc->eng, &br_ec_all_m15); br_ssl_engine_set_ec(&cc->eng, &br_ec_prime_i15);
br_ssl_engine_set_ecdsa(&cc->eng, &br_ecdsa_i15_vrfy_asn1); br_ssl_engine_set_ecdsa(&cc->eng, &br_ecdsa_i15_vrfy_asn1);
//*/ //*/
@ -323,11 +315,12 @@ br_client_init_TLS12_only(br_ssl_client_context *cc,
* implementations only if duly measured performance issues make * implementations only if duly measured performance issues make
* it mandatory. * it mandatory.
*/ */
/*
br_ssl_engine_set_aes_cbc(&cc->eng, br_ssl_engine_set_aes_cbc(&cc->eng,
&br_aes_ct_cbcenc_vtable, &br_aes_ct_cbcenc_vtable,
&br_aes_ct_cbcdec_vtable); &br_aes_ct_cbcdec_vtable);
br_ssl_engine_set_aes_ctr(&cc->eng, br_ssl_engine_set_aes_ctr(&cc->eng,
&br_aes_ct_ctr_vtable); &br_aes_ct_ctr_vtable); */
/* Alternate: aes_ct64 /* Alternate: aes_ct64
br_ssl_engine_set_aes_cbc(&cc->eng, br_ssl_engine_set_aes_cbc(&cc->eng,
&br_aes_ct64_cbcenc_vtable, &br_aes_ct64_cbcenc_vtable,
@ -335,13 +328,12 @@ br_client_init_TLS12_only(br_ssl_client_context *cc,
br_ssl_engine_set_aes_ctr(&cc->eng, br_ssl_engine_set_aes_ctr(&cc->eng,
&br_aes_ct64_ctr_vtable); &br_aes_ct64_ctr_vtable);
*/ */
/* Alternate: aes_small // Alternate: aes_small
br_ssl_engine_set_aes_cbc(&cc->eng, br_ssl_engine_set_aes_cbc(&cc->eng,
&br_aes_small_cbcenc_vtable, &br_aes_small_cbcenc_vtable,
&br_aes_small_cbcdec_vtable); &br_aes_small_cbcdec_vtable);
br_ssl_engine_set_aes_ctr(&cc->eng, br_ssl_engine_set_aes_ctr(&cc->eng,
&br_aes_small_ctr_vtable); &br_aes_small_ctr_vtable);
*/
/* Alternate: aes_big /* Alternate: aes_big
br_ssl_engine_set_aes_cbc(&cc->eng, br_ssl_engine_set_aes_cbc(&cc->eng,
&br_aes_big_cbcenc_vtable, &br_aes_big_cbcenc_vtable,
@ -472,7 +464,7 @@ br_client_init_TLS12_only(br_ssl_client_context *cc,
br_x509_minimal_set_hash(xc, br_sha224_ID, &br_sha224_vtable); br_x509_minimal_set_hash(xc, br_sha224_ID, &br_sha224_vtable);
br_x509_minimal_set_hash(xc, br_sha256_ID, &br_sha256_vtable); br_x509_minimal_set_hash(xc, br_sha256_ID, &br_sha256_vtable);
br_x509_minimal_set_hash(xc, br_sha384_ID, &br_sha384_vtable); br_x509_minimal_set_hash(xc, br_sha384_ID, &br_sha384_vtable);
// br_x509_minimal_set_hash(xc, br_sha512_ID, &br_sha512_vtable); br_x509_minimal_set_hash(xc, br_sha512_ID, &br_sha512_vtable);
/* /*
* Link the X.509 engine in the SSL engine. * Link the X.509 engine in the SSL engine.
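Review bot: The two AES hunks (starting at old lines 323 and 335) comment out the constant-time `br_aes_ct_*` CBC/CTR vtables and enable `br_aes_small_*` in their place; BearSSL documents aes_small as table-based and not constant-time, so key-dependent memory access timing becomes a concern on any target with a data cache. If the flash saving is required, record the trade-off at the call site, e.g. `/* aes_small: not constant-time; chosen for code size, acceptable only on cache-less MCUs */`, otherwise keep `br_aes_ct_cbcenc_vtable`, `br_aes_ct_cbcdec_vtable` and `br_aes_ct_ctr_vtable`. Separately, the first hunk replaces the original author's copyright line instead of adding a second one, while the permission notice after it still requires the copyright notice to be retained, so the original line probably needs to stay alongside the new one. `br_client_init_TLS12_only` starts and ends outside the visible hunks, so the target platform cannot be confirmed from here.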