File: tls_cipher.c

#include "str.h"
#include "log.h"
#include "tls.h"

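/*
 * Cipher suites tlswrapper knows how to enable.
 *
 * Each row pairs the ECDSA and the RSA variant of one key-exchange /
 * bulk-cipher / MAC combination: tls_cipher_add() looks a row up by its
 * short .name and enables both BearSSL suite ids at once, and
 * tls_cipher_str() returns the matching description string for whichever
 * of the two ids was negotiated.
 *
 * The table is terminated by an all-zero sentinel row; every loop over it
 * stops at .name == 0.
 *
 * The description strings are "<auth> + <kex> + <cipher> [+ <mac>] (<min
 * version>)".  (This copy of the file had every '+' character dropped --
 * the same corruption that turned "++i" into "  i" in the functions below
 * -- so the separators are restored here.)
 *
 * NOTE(review): the two *_CBC_SHA rows are the only non-AEAD suites with a
 * SHA-1 HMAC and no "TLS 1.2+" floor.  They are presumably kept for
 * interoperability with old peers; a deployment that does not need them
 * should not enable them.
 */
const tls_cipher tls_ciphers[] = {
    {
        "CHACHA20_POLY1305_SHA256",
        BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
        BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
        "ECDSA + ECDHE + ChaCha20+Poly1305 (TLS 1.2+)",
        "RSA + ECDHE + ChaCha20+Poly1305 (TLS 1.2+)",
    },
    {
        "AES_256_GCM_SHA384",
        BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        "ECDSA + ECDHE + AES256/GCM (TLS 1.2+)",
        "RSA + ECDHE + AES256/GCM (TLS 1.2+)",
    },
    {
        "AES_128_GCM_SHA256",
        BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        "ECDSA + ECDHE + AES128/GCM (TLS 1.2+)",
        "RSA + ECDHE + AES128/GCM (TLS 1.2+)",
    },
    {
        "AES_256_CBC_SHA384",
        BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
        BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
        "ECDSA + ECDHE + AES256/CBC + SHA384 (TLS 1.2+)",
        "RSA + ECDHE + AES256/CBC + SHA384 (TLS 1.2+)",
    },
    {
        "AES_128_CBC_SHA256",
        BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
        BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
        "ECDSA + ECDHE + AES128/CBC + SHA256 (TLS 1.2+)",
        "RSA + ECDHE + AES128/CBC + SHA256 (TLS 1.2+)",
    },
    {
        "AES_256_CBC_SHA",
        BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
        BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
        "ECDSA + ECDHE + AES256/CBC + SHA1",
        "RSA + ECDHE + AES256/CBC + SHA1",
    },
    {
        "AES_128_CBC_SHA",
        BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
        BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        "ECDSA + ECDHE + AES128/CBC + SHA1",
        "RSA + ECDHE + AES128/CBC + SHA1",
    },
    /* sentinel: .name == 0 ends the table */
    {0, 0, 0, 0, 0}};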

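/*
 * Map a BearSSL cipher-suite id to its human-readable description.
 *
 * s: the 16-bit suite id (BR_TLS_* value) as negotiated by BearSSL.
 *
 * Returns the ECDSA or RSA description string of the tls_ciphers[] row
 * that carries s, or the literal "unknown cipher" when s is not in the
 * table.  The result points at static storage and must not be freed.
 *
 * Fix: the loop increment had been lost ("  i" evaluates i and discards
 * it), so the loop never advanced past row 0 -- restored to "++i".
 */
const char *tls_cipher_str(uint16_t s) {

    unsigned long long i;

    /* tls_ciphers[] ends with an all-zero row, so .name == 0 is the end. */
    for (i = 0; tls_ciphers[i].name; ++i) {
        if (tls_ciphers[i].ecsuite == s) return tls_ciphers[i].eccomment;
        if (tls_ciphers[i].rsasuite == s) return tls_ciphers[i].rsacomment;
    }
    return "unknown cipher";
}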

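/*
 * Cleared by the first call to tls_cipher_add(): the first explicitly
 * requested cipher discards whatever default list ctx carried, so that an
 * explicit selection replaces the defaults instead of appending to them.
 *
 * NOTE(review): this flag is process-global, so the reset happens for the
 * first context that reaches this function only.  That is fine for one
 * tls_context per process; confirm if several contexts are ever configured.
 */
static int use_default = 1;

/*
 * Enable the cipher suite named x in ctx.
 *
 * ctx: the TLS context whose cipher_enabled[] / cipher_enabled_len are
 *      updated.
 * x:   a short name from tls_ciphers[].name (e.g. "AES_128_GCM_SHA256").
 *
 * Both the ECDSA and the RSA variant of the suite are appended, so one
 * successful call consumes two slots of ctx->cipher_enabled.
 *
 * Returns 1 on success, and also when the suite is already enabled (a
 * warning is logged and nothing is added).  Returns 0 when x is not a
 * known name, or when cipher_enabled[] has no room for two more ids (an
 * error is logged).
 *
 * Fix: this copy of the file had every '+' dropped -- "++i" in both loops
 * had become a no-op "  i" (the lookup loop never advanced), the capacity
 * check "len + 2" no longer parsed, and "len++" in the two stores had
 * become a plain index, so the second store overwrote the first.  All are
 * restored; the structure is otherwise unchanged apart from replacing the
 * goto with a break and returning on the first duplicate.
 */
int tls_cipher_add(struct tls_context *ctx, const char *x) {

    unsigned long long i;
    uint16_t ecsuite = 0;
    uint16_t rsasuite = 0;
    const unsigned long long capacity =
        sizeof ctx->cipher_enabled / sizeof ctx->cipher_enabled[0];

    /* First explicit cipher replaces the default list instead of extending it. */
    if (use_default == 1) {
        ctx->cipher_enabled_len = 0;
        use_default = 0;
    }

    /* Look the short name up; str_diff() is non-zero when the strings differ. */
    for (i = 0; tls_ciphers[i].name; ++i) {
        if (str_diff(x, tls_ciphers[i].name)) continue;
        ecsuite = tls_ciphers[i].ecsuite;
        rsasuite = tls_ciphers[i].rsasuite;
        break;
    }
    if (!tls_ciphers[i].name) return 0; /* unknown cipher name */

    /*
     * Refuse to add a suite twice.  This is a warning, not an error: the
     * configuration is still usable, so the caller gets success.
     */
    for (i = 0; i < ctx->cipher_enabled_len; ++i) {
        if (ctx->cipher_enabled[i] == ecsuite ||
            ctx->cipher_enabled[i] == rsasuite) {
            log_w3("unable to add cipher '", x,
                   "': cipher is already added");
            return 1;
        }
    }

    /* Need room for both the ECDSA and the RSA id. */
    if (capacity < ctx->cipher_enabled_len + 2) {
        log_e3("unable to add cipher '", x, "': too many enabled ciphers");
        return 0;
    }
    ctx->cipher_enabled[ctx->cipher_enabled_len++] = ecsuite;
    ctx->cipher_enabled[ctx->cipher_enabled_len++] = rsasuite;

    return 1;
}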