ref: 9733434e6eecca748a15a46e8a52635c5183a8dc
parent: be3ba38c452084cf6644d4ae6fb35ccf6abbb1cb
author: cinap_lenrek <[email protected]>
date: Mon Sep 14 05:27:06 EDT 2015
libsec: add TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suits
--- a/sys/src/libsec/port/tlshand.c
+++ b/sys/src/libsec/port/tlshand.c
@@ -253,8 +253,7 @@
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
-
- TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks
+ TLS_RSA_WITH_AES_128_CBC_SHA = 0X002F, // aes, aka rijndael with 128 bit blocks
TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
@@ -266,15 +265,14 @@
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
-
TLS_RSA_WITH_AES_128_CBC_SHA256 = 0X003C,
TLS_RSA_WITH_AES_256_CBC_SHA256 = 0X003D,
-
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
- CipherMax
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0XC009,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0XC00A,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0XC013,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0XC014,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0XC023,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
};
// compression methods
@@ -284,8 +282,10 @@
};
static Algs cipherAlgs[] = {
+ {"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
+ {"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
{"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
{"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
@@ -802,8 +802,10 @@
isECDHE(int tlsid)
{
switch(tlsid){
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
return 1;
@@ -2026,36 +2028,36 @@
//================= cipher choices ========================
-static int weakCipher[CipherMax] =
+static int weakCipher[] =
{
- 1, /* TLS_NULL_WITH_NULL_NULL */
- 1, /* TLS_RSA_WITH_NULL_MD5 */
- 1, /* TLS_RSA_WITH_NULL_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
- 0, /* TLS_RSA_WITH_RC4_128_MD5 */
- 0, /* TLS_RSA_WITH_RC4_128_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
- 0, /* TLS_RSA_WITH_IDEA_CBC_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
- 0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
- 0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
- 1, /* TLS_DH_anon_WITH_RC4_128_MD5 */
- 1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
- 1, /* TLS_DH_anon_WITH_DES_CBC_SHA */
- 1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
+[TLS_NULL_WITH_NULL_NULL] 1,
+[TLS_RSA_WITH_NULL_MD5] 1,
+[TLS_RSA_WITH_NULL_SHA] 1,
+[TLS_RSA_EXPORT_WITH_RC4_40_MD5] 1,
+[TLS_RSA_WITH_RC4_128_MD5] 0,
+[TLS_RSA_WITH_RC4_128_SHA] 0,
+[TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5] 1,
+[TLS_RSA_WITH_IDEA_CBC_SHA] 0,
+[TLS_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_RSA_WITH_DES_CBC_SHA] 0,
+[TLS_RSA_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DH_DSS_WITH_DES_CBC_SHA] 0,
+[TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DH_RSA_WITH_DES_CBC_SHA] 0,
+[TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DHE_DSS_WITH_DES_CBC_SHA] 0,
+[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DHE_RSA_WITH_DES_CBC_SHA] 0,
+[TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DH_anon_EXPORT_WITH_RC4_40_MD5] 1,
+[TLS_DH_anon_WITH_RC4_128_MD5] 1,
+[TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DH_anon_WITH_DES_CBC_SHA] 1,
+[TLS_DH_anon_WITH_3DES_EDE_CBC_SHA] 1,
};
static int
@@ -2085,7 +2087,7 @@
weak = 1;
for(i = 0; i < cv->len; i++) {
c = cv->data[i];
- if(c >= CipherMax)
+ if(c >= nelem(weakCipher))
weak = 0;
else
weak &= weakCipher[c];