From 66dc5555f0fba15fb3fa262ebb742279d2eeaa77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 14 May 2015 12:28:21 +0200 Subject: [PATCH] mbedtls_ssl_conf_arc4_support() depends on ARC4_C --- include/mbedtls/ssl.h | 6 +++++- library/ssl_cli.c | 12 ++++++++---- library/ssl_srv.c | 2 ++ library/ssl_tls.c | 4 ++++ programs/ssl/ssl_client2.c | 2 ++ programs/ssl/ssl_server2.c | 2 ++ 6 files changed, 23 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index cdcda30a1..f0b7b5404 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -911,10 +911,12 @@ typedef struct unsigned int endpoint : 1; /*!< 0: client, 1: server */ unsigned int transport : 1; /*!< stream (TLS) or datagram (DTLS) */ - unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites? */ unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */ /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */ unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX */ +#if defined(MBEDTLS_ARC4_C) + unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites? */ +#endif #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) unsigned int mfl_code : 3; /*!< desired fragment length */ #endif @@ -1928,6 +1930,7 @@ void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ); void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ); #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ +#if defined(MBEDTLS_ARC4_C) /** * \brief Disable or enable support for RC4 * (Default: MBEDTLS_SSL_ARC4_DISABLED) @@ -1942,6 +1945,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems * \param arc4 MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED */ void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ); +#endif /* MBEDTLS_ARC4_C */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /** diff --git a/library/ssl_cli.c b/library/ssl_cli.c index c16b6e786..f344907a5 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -711,9 +711,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) continue; #endif +#if defined(MBEDTLS_ARC4_C) if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) continue; +#endif MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", ciphersuites[i] ) ); @@ -1405,15 +1407,17 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); - if( suite_info == NULL || - ( ssl->conf->arc4_disabled && - suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) ) + if( suite_info == NULL +#if defined(MBEDTLS_ARC4_C) + || ( ssl->conf->arc4_disabled && + suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) +#endif + ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - i = 0; while( 1 ) { diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 5d04497da..62c520d3f 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -969,12 +969,14 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, return( 0 ); #endif +#if defined(MBEDTLS_ARC4_C) if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); return( 0 ); } +#endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bd010a441..39796f8f0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5627,10 +5627,12 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems } #endif +#if defined(MBEDTLS_ARC4_C) void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ) { conf->arc4_disabled = arc4; } +#endif #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) @@ -6679,7 +6681,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = mbedtls_ssl_list_ciphersuites(); +#if defined(MBEDTLS_ARC4_C) conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; +#endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 89ef2c272..1b4d654df 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1116,8 +1116,10 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); +#if defined(MBEDTLS_ARC4_C) if( opt.arc4 != DFL_ARC4 ) mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 ); +#endif if( opt.allow_legacy != DFL_ALLOW_LEGACY ) mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index bef88cd38..d0260ecce 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1637,8 +1637,10 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); +#if defined(MBEDTLS_ARC4_C) if( opt.arc4 != DFL_ARC4 ) mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 ); +#endif if( opt.version_suites != NULL ) {