diff options
| author | Felix Fietkau <nbd@openwrt.org> | 2016-01-19 23:33:01 +0100 |
|---|---|---|
| committer | Felix Fietkau <nbd@openwrt.org> | 2016-01-19 23:33:01 +0100 |
| commit | 334dce08589197d6571d4afa1aabc69891647daf (patch) | |
| tree | f5300301a7a7b2ecd138f686e787fb3ec0be10ce | |
| parent | 6d8d23739b9015782e6caf3093059639f3beb341 (diff) | |
| download | ustream-ssl-334dce08589197d6571d4afa1aabc69891647daf.tar.gz | |
mbedtls: sync with polarssl ciphersuite changes
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
| -rw-r--r-- | ustream-mbedtls.c | 69 |
1 files changed, 33 insertions, 36 deletions
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c index eeabe42..7fbfba5 100644 --- a/ustream-mbedtls.c +++ b/ustream-mbedtls.c @@ -86,44 +86,39 @@ static int _urandom(void *ctx, unsigned char *out, size_t len) return 0; } +#define TLS_DEFAULT_CIPHERS \ + TLS_CIPHER(AES_256_CBC_SHA256) \ + TLS_CIPHER(AES_256_GCM_SHA384) \ + TLS_CIPHER(AES_256_CBC_SHA) \ + TLS_CIPHER(CAMELLIA_256_CBC_SHA256) \ + TLS_CIPHER(CAMELLIA_256_CBC_SHA) \ + TLS_CIPHER(AES_128_CBC_SHA256) \ + TLS_CIPHER(AES_128_GCM_SHA256) \ + TLS_CIPHER(AES_128_CBC_SHA) \ + TLS_CIPHER(CAMELLIA_128_CBC_SHA256) \ + TLS_CIPHER(CAMELLIA_128_CBC_SHA) \ + TLS_CIPHER(3DES_EDE_CBC_SHA) + +static const int default_ciphersuites_nodhe[] = +{ +#define TLS_CIPHER(v) \ + MBEDTLS_TLS_RSA_WITH_##v, + TLS_DEFAULT_CIPHERS +#undef TLS_CIPHER + 0 +}; + static const int default_ciphersuites[] = { -#if defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_SHA2_C) - MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, -#endif /* MBEDTLS_SHA2_C */ -#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA4_C) - MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, -#endif /* MBEDTLS_SHA2_C */ - MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, -#endif -#if defined(MBEDTLS_CAMELLIA_C) -#if defined(MBEDTLS_SHA2_C) - MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, -#endif /* MBEDTLS_SHA2_C */ - MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, -#endif -#if defined(MBEDTLS_AES_C) -#if defined(MBEDTLS_SHA2_C) - MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, -#endif /* MBEDTLS_SHA2_C */ -#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA2_C) - MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, -#endif /* MBEDTLS_SHA2_C */ - MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, -#endif -#if defined(MBEDTLS_CAMELLIA_C) -#if defined(MBEDTLS_SHA2_C) - MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, -#endif /* MBEDTLS_SHA2_C */ - MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, -#endif -#if defined(MBEDTLS_DES_C) - MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, -#endif +#define TLS_CIPHER(v) \ + MBEDTLS_TLS_DHE_RSA_WITH_##v, \ + MBEDTLS_TLS_RSA_WITH_##v, + TLS_DEFAULT_CIPHERS +#undef TLS_CIPHER 0 }; + __hidden struct ustream_ssl_ctx * __ustream_ssl_context_new(bool server) { @@ -145,12 +140,14 @@ __ustream_ssl_context_new(bool server) conf = &ctx->conf; mbedtls_ssl_config_init(conf); - mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites); - if (server) + if (server) { + mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe); ep = MBEDTLS_SSL_IS_SERVER; - else + } else { + mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites); ep = MBEDTLS_SSL_IS_CLIENT; + } mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); |