MbedTLS: Initial attempt to port release/3.5 commit 89d4c468
to this branch
This commit is contained in:
parent
ac88154f94
commit
7272518795
2 changed files with 661 additions and 428 deletions
1002
librb/src/mbedtls.c
1002
librb/src/mbedtls.c
File diff suppressed because it is too large
Load diff
|
@ -25,11 +25,90 @@
|
||||||
#ifndef RB_MBEDTLS_EMBEDDED_DATA_H
|
#ifndef RB_MBEDTLS_EMBEDDED_DATA_H
|
||||||
#define RB_MBEDTLS_EMBEDDED_DATA_H
|
#define RB_MBEDTLS_EMBEDDED_DATA_H
|
||||||
|
|
||||||
|
#include "mbedtls/ssl_ciphersuites.h"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Personalization string for CTR-DRBG initialization
|
* Personalization string for CTR-DRBG initialization
|
||||||
*/
|
*/
|
||||||
static const char rb_mbedtls_personal_str[] = "charybdis/librb personalization string";
|
static const char rb_mbedtls_personal_str[] = "charybdis/librb personalization string";
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Default list of supported ciphersuites
|
||||||
|
* User can override with ssl_cipher_list option in ircd.conf
|
||||||
|
*
|
||||||
|
* Charybdis cannot have more than one certificate configured, which means that with
|
||||||
|
* the MbedTLS backend, it will ALWAYS be serving EITHER an RSA OR ECDSA certificate.
|
||||||
|
*
|
||||||
|
* This means we can order ciphersuites to place all ECDSA ones ahead of RSA ones,
|
||||||
|
* without weird interactions of cipher order, such as inadvertantly preferring an
|
||||||
|
* ECDSA ciphersuite with AES128-CBC-SHA over an RSA ciphersuite with
|
||||||
|
* AES256-GCM-SHA384.
|
||||||
|
*
|
||||||
|
* We also prefer all AEAD ciphersuites first, even if it results in using a 128-bit
|
||||||
|
* AEAD ciphersuite instead of a 256-bit CBC ciphersuite. This is due to the fact that
|
||||||
|
* ONLY the AEAD ciphersuites in TLS are cryptographically secure in practice; the ETM
|
||||||
|
* extension for CBC ciphersuites has not seen wide adoption. This choice can be
|
||||||
|
* revisited in future; please consult me first. -- amdj
|
||||||
|
*/
|
||||||
|
static const int rb_mbedtls_ciphersuites[] = {
|
||||||
|
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||||
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||||
|
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
|
||||||
|
|
||||||
|
MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
|
||||||
|
|
||||||
|
0 // End of list
|
||||||
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* YES, this is a hardcoded CA certificate.
|
* YES, this is a hardcoded CA certificate.
|
||||||
*
|
*
|
||||||
|
|
Loading…
Reference in a new issue