MbedTLS: Initial attempt to port release/3.5 commit 89d4c468 to this branch

librb/src/mbedtls_embedded_data.h

@@ -25,11 +25,90 @@
 #ifndef RB_MBEDTLS_EMBEDDED_DATA_H
 #define RB_MBEDTLS_EMBEDDED_DATA_H
 
+#include "mbedtls/ssl_ciphersuites.h"
+
 /*
  * Personalization string for CTR-DRBG initialization
  */
 static const char rb_mbedtls_personal_str[] = "charybdis/librb personalization string";
 
+/*
+ * Default list of supported ciphersuites
+ * User can override with ssl_cipher_list option in ircd.conf
+ *
+ * Charybdis cannot have more than one certificate configured, which means that with
+ * the MbedTLS backend, it will ALWAYS be serving EITHER an RSA OR ECDSA certificate.
+ *
+ * This means we can order ciphersuites to place all ECDSA ones ahead of RSA ones,
+ * without weird interactions of cipher order, such as inadvertantly preferring an
+ * ECDSA ciphersuite with AES128-CBC-SHA over an RSA ciphersuite with
+ * AES256-GCM-SHA384.
+ *
+ * We also prefer all AEAD ciphersuites first, even if it results in using a 128-bit
+ * AEAD ciphersuite instead of a 256-bit CBC ciphersuite. This is due to the fact that
+ * ONLY the AEAD ciphersuites in TLS are cryptographically secure in practice; the ETM
+ * extension for CBC ciphersuites has not seen wide adoption. This choice can be
+ * revisited in future; please consult me first.  -- amdj
+ */
+static const int rb_mbedtls_ciphersuites[] = {
+
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+	MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
+	MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
+	MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+	MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+	MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+	MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+	0	// End of list
+};
+
 /*
  * YES, this is a hardcoded CA certificate.
  *