more cleanup, add RC4 filtering.

wolfSSL · Nov 26, 2024 · 9535b80 · 9535b80
1 parent ebf449e
commit 9535b80
Show file tree

Hide file tree

Showing 9 changed files with 47 additions and 39 deletions.
diff --git a/examples/crypto_policies/default/wolfssl.txt b/examples/crypto_policies/default/wolfssl.txt
@@ -1 +1 @@
-@SECLEVEL=2:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!3DES:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!MD5:!CAMELLIA:!ARIA:!AESCCM8
+@SECLEVEL=2:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!3DES:!DES:!RC4:!SEED:!eNULL:!aNULL:!MD5:!ARIA:!AESCCM8
diff --git a/examples/crypto_policies/future/wolfssl.txt b/examples/crypto_policies/future/wolfssl.txt
@@ -1 +1 @@
-@SECLEVEL=3:EECDH:EDH:PSK:DHEPSK:ECDHEPSK:!RSAPSK:!kRSA:!AES128:!SHA256:!3DES:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!SHA1:!MD5:!CAMELLIA:!ARIA:!AESCCM8
+@SECLEVEL=3:EECDH:EDH:PSK:DHEPSK:ECDHEPSK:!RSAPSK:!kRSA:!AES128:!SHA256:!3DES:!DES:!RC4:!SEED:!eNULL:!aNULL:!SHA1:!MD5:!ARIA:!AESCCM8
diff --git a/examples/crypto_policies/legacy/wolfssl.txt b/examples/crypto_policies/legacy/wolfssl.txt
@@ -1 +1 @@
-@SECLEVEL=1:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!MD5:!CAMELLIA:!ARIA:!AESCCM8
+@SECLEVEL=1:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!DES:!SEED:!eNULL:!aNULL:!MD5:!ARIA:!AESCCM8
diff --git a/src/internal.c b/src/internal.c
@@ -3452,8 +3452,8 @@ int AllocateSuites(WOLFSSL* ssl)
 void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
                 word16 havePSK, word16 haveDH, word16 haveECDSAsig,
                 word16 haveECC, word16 haveStaticRSA, word16 haveStaticECC,
-                word16 haveAnon,
-                word16 haveNull, word16 haveAES128, word16 haveSHA1, int side)
+                word16 haveAnon, word16 haveNull, word16 haveAES128,
+                word16 haveSHA1, word16 haveRC4, int side)
 {
     word16 idx = 0;
     int    tls    = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
@@ -3491,6 +3491,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
     (void)haveNull;
     (void)haveAES128;
     (void)haveSHA1;
+    (void)haveRC4;
 
     if (suites == NULL) {
         WOLFSSL_MSG("InitSuites pointer error");
@@ -3868,14 +3869,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
-    if (!dtls && tls && haveECC && haveSHA1) {
+    if (!dtls && tls && haveECC && haveSHA1 && haveRC4) {
         suites->suites[idx++] = ECC_BYTE;
         suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA;
     }
 #endif
 
 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
-    if (!dtls && tls && haveECC && haveStaticECC && haveSHA1) {
+    if (!dtls && tls && haveECC && haveStaticECC && haveSHA1 && haveRC4) {
         suites->suites[idx++] = ECC_BYTE;
         suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA;
     }
@@ -3933,14 +3934,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 
 #ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
-    if (!dtls && tls && haveRSA && haveSHA1) {
+    if (!dtls && tls && haveRSA && haveSHA1 && haveRC4) {
         suites->suites[idx++] = ECC_BYTE;
         suites->suites[idx++] = TLS_ECDHE_RSA_WITH_RC4_128_SHA;
     }
 #endif
 
 #ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
-    if (!dtls && tls && haveRSAsig && haveStaticECC && haveSHA1) {
+    if (!dtls && tls && haveRSAsig && haveStaticECC && haveSHA1 && haveRC4) {
         suites->suites[idx++] = ECC_BYTE;
         suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA;
     }
@@ -4380,14 +4381,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 
 #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
-    if (!dtls && haveRSA && haveStaticRSA && haveSHA1) {
+    if (!dtls && haveRSA && haveStaticRSA && haveSHA1 && haveRC4) {
         suites->suites[idx++] = CIPHER_BYTE;
         suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA;
     }
 #endif
 
 #ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
-    if (!dtls && haveRSA && haveStaticRSA) {
+    if (!dtls && haveRSA && haveStaticRSA && haveRC4) {
         suites->suites[idx++] = CIPHER_BYTE;
         suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5;
     }
@@ -6633,12 +6634,12 @@ static void InitSuites_EitherSide(Suites* suites, ProtocolVersion pv, int keySz,
     if (side == WOLFSSL_SERVER_END) {
         InitSuites(suites, pv, keySz, haveRSA, havePSK, haveDH, haveECDSAsig,
                    haveECC, TRUE, haveStaticECC,
-                   haveAnon, TRUE, TRUE, TRUE, side);
+                   haveAnon, TRUE, TRUE, TRUE, TRUE, side);
     }
     else {
         InitSuites(suites, pv, keySz, haveRSA, havePSK, TRUE, haveECDSAsig,
                    haveECC, TRUE, haveStaticECC,
-                   haveAnon, TRUE, TRUE, TRUE, side);
+                   haveAnon, TRUE, TRUE, TRUE, TRUE, side);
     }
 }
 
@@ -27532,6 +27533,7 @@ static int ParseCipherList(Suites* suites,
     word16    havePSK          = 0;
     word16    haveAES128       = 1; /* allowed by default if compiled in */
     word16    haveSHA1         = 1; /* allowed by default if compiled in */
+    word16    haveRC4          = 1; /* allowed by default if compiled in */
 #endif
     const int suiteSz       = GetCipherNamesSize();
     const char* next        = list;
@@ -27557,7 +27559,7 @@ static int ParseCipherList(Suites* suites,
                 0,
 #endif
                 haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 0, 0, 1,
-                1, side
+                1, 1, side
         );
         return 1; /* wolfSSL default */
     }
@@ -27772,6 +27774,13 @@ static int ParseCipherList(Suites* suites,
             ret = 1;
             continue;
         }
+
+        if (XSTRCMP(name, "RC4") == 0) {
+            haveRC4 = allowing;
+            callInitSuites = 1;
+            ret = 1;
+            continue;
+        }
         #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 
         if (XSTRCMP(name, "LOW") == 0 || XSTRCMP(name, "MEDIUM") == 0) {
@@ -27944,7 +27953,7 @@ static int ParseCipherList(Suites* suites,
                        (word16)haveStaticECC,
                        (word16)((haveSig & SIG_ANON) != 0),
                        (word16)haveNull, (word16)haveAES128,
-                       (word16)haveSHA1, side);
+                       (word16)haveSHA1, (word16)haveRC4, side);
             /* Restore user ciphers ahead of defaults */
             XMEMMOVE(suites->suites + idx, suites->suites,
                     min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
@@ -37105,7 +37114,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                        ssl->options.haveDH, ssl->options.haveECDSAsig,
                        ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
                        ssl->options.useAnon,
-                       TRUE, TRUE, TRUE, ssl->options.side);
+                       TRUE, TRUE, TRUE, TRUE, ssl->options.side);
         }
 
         /* suite size */
@@ -37536,7 +37545,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                        ssl->options.haveDH, ssl->options.haveECDSAsig,
                        ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
                        ssl->options.useAnon,
-                       TRUE, TRUE, TRUE, ssl->options.side);
+                       TRUE, TRUE, TRUE, TRUE, ssl->options.side);
         }
 
         /* check if option is set to not allow the current version
@@ -37613,7 +37622,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                            ssl->options.haveDH, ssl->options.haveECDSAsig,
                            ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
                            ssl->options.useAnon,
-                           TRUE, TRUE, TRUE, ssl->options.side);
+                           TRUE, TRUE, TRUE, TRUE, ssl->options.side);
             }
         }
 

diff --git a/src/ssl.c b/src/ssl.c
@@ -5087,7 +5087,7 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
     InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
                ssl->options.haveDH, ssl->options.haveECDSAsig,
                ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-               ssl->options.useAnon, TRUE, TRUE, TRUE, ssl->options.side);
+               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
     return WOLFSSL_SUCCESS;
 }
 #endif /* !leanpsk */
@@ -11351,7 +11351,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
         InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
                    ssl->options.haveDH, ssl->options.haveECDSAsig,
                    ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-                   ssl->options.useAnon, TRUE, TRUE, TRUE, ssl->options.side);
+                   ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
     }
     #ifdef OPENSSL_EXTRA
     /**
@@ -11407,7 +11407,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
         InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
                    ssl->options.haveDH, ssl->options.haveECDSAsig,
                    ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-                   ssl->options.useAnon, TRUE, TRUE, TRUE, ssl->options.side);
+                   ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
     }
 
     const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl)
@@ -16806,7 +16806,7 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
                        havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
                        ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
                        ssl->options.useAnon,
-                       TRUE, TRUE, TRUE, ssl->options.side);
+                       TRUE, TRUE, TRUE, TRUE, ssl->options.side);
         }
         else {
             /* Only preserve overlapping suites */
@@ -16827,7 +16827,7 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
              * - haveStaticECC turns off haveRSA
              * - haveECDSAsig turns off haveRSAsig */
             InitSuites(&tmpSuites, ssl->version, 0, 1, 1, 1, haveECDSAsig, 1, 1,
-                    haveStaticECC, 1, 1, 1, 1, ssl->options.side);
+                    haveStaticECC, 1, 1, 1, 1, 1, ssl->options.side);
             for (in = 0, out = 0; in < ssl->suites->suiteSz; in += SUITE_LEN) {
                 if (FindSuite(&tmpSuites, ssl->suites->suites[in],
                         ssl->suites->suites[in+1]) >= 0) {

diff --git a/src/ssl_load.c b/src/ssl_load.c
@@ -2203,7 +2203,7 @@ static int ProcessBufferResetSuites(WOLFSSL_CTX* ctx, WOLFSSL* ssl, int type)
                     ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE,
                     ssl->options.haveStaticECC,
                     ssl->options.useAnon, TRUE,
-                    TRUE, TRUE, ssl->options.side);
+                    TRUE, TRUE, TRUE, ssl->options.side);
             }
         }
     }
@@ -2219,7 +2219,7 @@ static int ProcessBufferResetSuites(WOLFSSL_CTX* ctx, WOLFSSL* ssl, int type)
                 WOLFSSL_HAVE_RSA, CTX_HAVE_PSK(ctx), ctx->haveDH,
                 ctx->haveECDSAsig, ctx->haveECC, TRUE, ctx->haveStaticECC,
                 CTX_USE_ANON(ctx),
-                TRUE, TRUE, TRUE, ctx->method->side);
+                TRUE, TRUE, TRUE, TRUE, ctx->method->side);
         }
     }
 
@@ -5240,7 +5240,7 @@ static int wolfssl_set_tmp_dh(WOLFSSL* ssl, unsigned char* p, int pSz,
             ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE,
             ssl->options.haveStaticECC,
             ssl->options.useAnon, TRUE,
-            TRUE, TRUE, ssl->options.side);
+            TRUE, TRUE, TRUE, ssl->options.side);
     }
 
     return ret;

diff --git a/src/tls13.c b/src/tls13.c
@@ -13955,7 +13955,7 @@ void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl,
     InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
                ssl->options.haveDH, ssl->options.haveECDSAsig,
                ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-               ssl->options.useAnon, TRUE, TRUE, TRUE, ssl->options.side);
+               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
 }
 
 /* Set the PSK callback that returns the cipher suite for a client to use
@@ -14007,7 +14007,7 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
     InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
                ssl->options.haveDH, ssl->options.haveECDSAsig,
                ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-               ssl->options.useAnon, TRUE, TRUE, TRUE, ssl->options.side);
+               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
 }
 
 /* Set the PSK callback that returns the cipher suite for a server to use
@@ -14056,7 +14056,7 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
     InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
                ssl->options.haveDH, ssl->options.haveECDSAsig,
                ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-               ssl->options.useAnon, TRUE, TRUE, TRUE, ssl->options.side);
+               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
 }
 
 /* Get name of first supported cipher suite that uses the hash indicated.

diff --git a/tests/api.c b/tests/api.c
@@ -91929,14 +91929,12 @@ static int test_wolfSSL_crypto_policy(void)
     };
     const char * ciphers_list[] = {
         "@SECLEVEL=1:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!DES:"
-        "!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!MD5:!CAMELLIA:!ARIA:"
-        "!AESCCM8",
+        "!SEED:!eNULL:!aNULL:!MD5:!ARIA:!AESCCM8",
         "@SECLEVEL=2:EECDH:RSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:"
-        "!3DES:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!MD5:"
-        "!CAMELLIA:!ARIA:!AESCCM8",
+        "!3DES:!DES:!RC4:!SEED:!eNULL:!aNULL:!MD5:!ARIA:!AESCCM8",
         "@SECLEVEL=3:EECDH:EDH:PSK:DHEPSK:ECDHEPSK:!RSAPSK:!kRSA:"
-        "!AES128:!SHA256:!3DES:!DES:!RC4:!RC2:!IDEA:!SEED:!eNULL:!aNULL:!SHA1:"
-        "!MD5:!CAMELLIA:!ARIA:!AESCCM8",
+        "!AES128:!SHA256:!3DES:!DES:!RC4:!SEED:!eNULL:!aNULL:!SHA1:"
+        "!MD5:!ARIA:!AESCCM8",
 
     };
     int          seclevel_list[] = { 1, 2, 3 };
@@ -92559,6 +92557,9 @@ static int test_wolfSSL_crypto_policy_ciphers(void)
         rc = wolfSSL_get_security_level(ssl);
         ExpectIntEQ(rc, seclevel_list[i]);
 
+        found = crypto_policy_cipher_found(ssl, "RC4", 0);
+        ExpectIntEQ(found, is_legacy);
+
         found = crypto_policy_cipher_found(ssl, "AES128", 0);
         ExpectIntEQ(found, !is_future);
 
@@ -92568,9 +92569,6 @@ static int test_wolfSSL_crypto_policy_ciphers(void)
         found = crypto_policy_cipher_found(ssl, "ECDHE-ECDSA-AES256-SHA", 2);
         ExpectIntEQ(found, !is_future);
 
-        found = crypto_policy_cipher_found(ssl, "ECDHE-ECDSA-RC4-SHA", 2);
-        ExpectIntEQ(found, !is_future);
-
         found = crypto_policy_cipher_found(ssl, "ECDHE-RSA-AES256-SHA", 2);
         ExpectIntEQ(found, !is_future);
 

diff --git a/wolfssl/internal.h b/wolfssl/internal.h
@@ -2422,7 +2422,8 @@ WOLFSSL_LOCAL void InitSuites(Suites* suites, ProtocolVersion pv, int keySz,
                               word16 haveECDSAsig, word16 haveECC,
                               word16 haveStaticRSA, word16 haveStaticECC,
                               word16 haveAnon, word16 haveNull,
-                              word16 haveAES128, word16 haveSHA1, int side);
+                              word16 haveAES128, word16 haveSHA1,
+                              word16 haveRC4, int side);
 
 typedef struct TLSX TLSX;
 WOLFSSL_LOCAL int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites,