Remove 3DES ciphersuites
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
This commit is contained in:
TRodziewicz
parent
f1eb425782
commit
3670e387dc
6 changed files with 23 additions and 196 deletions
12
ChangeLog.d/issue4367.txt
Normal file
12
ChangeLog.d/issue4367.txt
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
Removals
|
||||
* Remove the MBEDTLS_REMOVE_3DES_CIPHERSUITES config.h option and makke as if
|
||||
it was disabled. Remove all the 3DES ciphersuites:
|
||||
MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA . Fixes #4367.
|
||||
10
docs/3.0-migration-guide.d/Remove_3DES_ciphersuites.md
Normal file
10
docs/3.0-migration-guide.d/Remove_3DES_ciphersuites.md
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
Remove 3DES ciphersuites
|
||||
--
|
||||
|
||||
This change does not affect users using default settings for 3DES in `config.h`
|
||||
because the 3DES ciphersuites were disabled by that.
|
||||
|
||||
3DES has weaknesses/limitations and there are better alternatives, and more and
|
||||
more standard bodies are recommending against its use in TLS.
|
||||
|
||||
The migration path here is to chose from the recomended in literature alternatives.
|
||||
|
|
@ -682,26 +682,6 @@
|
|||
*/
|
||||
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
|
||||
*
|
||||
* Remove 3DES ciphersuites by default in SSL / TLS.
|
||||
* This flag removes the ciphersuites based on 3DES from the default list as
|
||||
* returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
|
||||
* to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
|
||||
* them explicitly.
|
||||
*
|
||||
* A man-in-the-browser attacker can recover authentication tokens sent through
|
||||
* a TLS connection using a 3DES based cipher suite (see "On the Practical
|
||||
* (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
|
||||
* Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
|
||||
* in your threat model or you are unsure, then you should keep this option
|
||||
* enabled to remove 3DES based cipher suites.
|
||||
*
|
||||
* Comment this macro to keep 3DES in the default ciphersuite list.
|
||||
*/
|
||||
#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
*
|
||||
|
|
@ -843,7 +823,6 @@
|
|||
* MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
|
||||
|
|
@ -866,7 +845,6 @@
|
|||
* MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* \warning Using DHE constitutes a security risk as it
|
||||
* is not possible to validate custom DH parameters.
|
||||
|
|
@ -892,7 +870,6 @@
|
|||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
||||
|
||||
|
|
@ -916,7 +893,6 @@
|
|||
* MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
|
||||
|
|
@ -942,7 +918,6 @@
|
|||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
|
||||
|
|
@ -968,7 +943,6 @@
|
|||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* \warning Using DHE constitutes a security risk as it
|
||||
* is not possible to validate custom DH parameters.
|
||||
|
|
@ -999,7 +973,6 @@
|
|||
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
|
||||
|
|
@ -1022,7 +995,6 @@
|
|||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
|
||||
|
|
@ -1035,7 +1007,6 @@
|
|||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
|
|
@ -1058,7 +1029,6 @@
|
|||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
|
||||
|
|
@ -2370,7 +2340,7 @@
|
|||
* \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying
|
||||
* implementation of the CMAC algorithm is provided by an alternate
|
||||
* implementation, that alternate implementation may opt to not support
|
||||
* AES-192 or 3DES as underlying block ciphers for the CMAC operation.
|
||||
* AES-192 as underlying block ciphers for the CMAC operation.
|
||||
*
|
||||
* Module: library/cmac.c
|
||||
*
|
||||
|
|
@ -2422,19 +2392,6 @@
|
|||
* Caller: library/pem.c
|
||||
* library/cipher.c
|
||||
*
|
||||
* This module enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* PEM_PARSE uses DES/3DES for decrypting encrypted keys.
|
||||
*
|
||||
* \warning DES is considered a weak cipher and its use constitutes a
|
||||
|
|
|
|||
|
|
@ -42,10 +42,6 @@ extern "C" {
|
|||
#define MBEDTLS_TLS_RSA_WITH_NULL_MD5 0x01 /**< Weak! */
|
||||
#define MBEDTLS_TLS_RSA_WITH_NULL_SHA 0x02 /**< Weak! */
|
||||
|
||||
#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x0A
|
||||
|
||||
#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16
|
||||
|
||||
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA 0x2C /**< Weak! */
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA 0x2D /**< Weak! */
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA 0x2E /**< Weak! */
|
||||
|
|
@ -68,15 +64,12 @@ extern "C" {
|
|||
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x84
|
||||
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x88
|
||||
|
||||
#define MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 0x8B
|
||||
#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 0x8C
|
||||
#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 0x8D
|
||||
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 0x8F
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x90
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x91
|
||||
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 0x93
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 0x94
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 0x95
|
||||
|
||||
|
|
@ -114,22 +107,18 @@ extern "C" {
|
|||
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 /**< TLS 1.2 */
|
||||
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
|
||||
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
|
||||
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A
|
||||
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F
|
||||
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 /**< Weak! */
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014
|
||||
|
||||
|
|
@ -151,7 +140,6 @@ extern "C" {
|
|||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 /**< TLS 1.2 */
|
||||
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 /**< TLS 1.2 */
|
||||
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 0xC034
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037
|
||||
|
|
|
|||
|
|
@ -254,18 +254,6 @@ static const int ciphersuite_preference[] =
|
|||
MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
|
||||
MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
|
||||
|
||||
/* 3DES suites */
|
||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
|
||||
/* NULL suites */
|
||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
|
||||
MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA,
|
||||
|
|
@ -471,18 +459,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_GCM_C */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, "TLS-ECDHE-ECDSA-WITH-NULL-SHA",
|
||||
|
|
@ -580,18 +556,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_GCM_C */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA",
|
||||
|
|
@ -726,17 +690,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_GCM_C */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
|
|
@ -863,18 +816,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_GCM_C */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
|
||||
|
|
@ -963,18 +904,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_GCM_C */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, "TLS-ECDH-RSA-WITH-NULL-SHA",
|
||||
|
|
@ -1072,18 +1001,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_GCM_C */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS-ECDH-ECDSA-WITH-NULL-SHA",
|
||||
|
|
@ -1208,18 +1125,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_GCM_C */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-PSK-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
|
|
@ -1335,18 +1240,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_GCM_C */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
|
|
@ -1405,18 +1298,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
|
|
@ -1510,18 +1391,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
|||
#endif /* MBEDTLS_GCM_C */
|
||||
#endif /* MBEDTLS_CAMELLIA_C */
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA",
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
#endif /* MBEDTLS_DES_C */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
|
|
@ -2047,14 +1916,6 @@ static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
|
|||
{
|
||||
(void)cs_info;
|
||||
|
||||
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
|
||||
if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
|
||||
cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -189,7 +189,6 @@ EXCLUDE_FROM_FULL = frozenset([
|
|||
'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # incompatible with USE_PSA_CRYPTO
|
||||
'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM)
|
||||
'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions)
|
||||
'MBEDTLS_REMOVE_3DES_CIPHERSUITES', # removes a feature
|
||||
'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS
|
||||
'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan)
|
||||
'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
|
||||
|
|
|
|||
Loading…
Reference in a new issue