Merge pull request #214 from aaronmdjones/release/3.5

Fix up the MbedTLS backend
William Pitcock 2016-09-03 10:34:43 -07:00 committed by GitHub
commit 89d4c468b6
3 changed files with 576 additions and 341 deletions


@ -18,7 +18,7 @@ used with an IRCv3-capable services implementation such as [Atheme][atheme] or [
* OpenSSL 1.0.0 or newer (--enable-openssl) * OpenSSL 1.0.0 or newer (--enable-openssl)
* LibreSSL (--enable-openssl) * LibreSSL (--enable-openssl)
* mbedTLS (--enable-mbedtls) * MbedTLS (--enable-mbedtls)
* GnuTLS (--enable-gnutls) * GnuTLS (--enable-gnutls)
* For certificate-based oper CHALLENGE, OpenSSL 1.0.0 or newer. * For certificate-based oper CHALLENGE, OpenSSL 1.0.0 or newer.



@ -25,11 +25,90 @@
#ifndef RB_MBEDTLS_EMBEDDED_DATA_H #ifndef RB_MBEDTLS_EMBEDDED_DATA_H
#define RB_MBEDTLS_EMBEDDED_DATA_H #define RB_MBEDTLS_EMBEDDED_DATA_H
#include "mbedtls/ssl_ciphersuites.h"
/* /*
* Personalization string for CTR-DRBG initialization * Personalization string for CTR-DRBG initialization
*/ */
static const char rb_mbedtls_personal_str[] = "charybdis/librb personalization string"; static const char rb_mbedtls_personal_str[] = "charybdis/librb personalization string";
/*
* Default list of supported ciphersuites
* User can override with ssl_cipher_list option in ircd.conf
*
* Charybdis cannot have more than one certificate configured, which means that with
* the MbedTLS backend, it will ALWAYS be serving EITHER an RSA OR ECDSA certificate.
*
* This means we can order ciphersuites to place all ECDSA ones ahead of RSA ones,
* without weird interactions of cipher order, such as inadvertantly preferring an
* ECDSA ciphersuite with AES128-CBC-SHA over an RSA ciphersuite with
* AES256-GCM-SHA384.
*
* We also prefer all AEAD ciphersuites first, even if it results in using a 128-bit
* AEAD ciphersuite instead of a 256-bit CBC ciphersuite. This is due to the fact that
* ONLY the AEAD ciphersuites in TLS are cryptographically secure in practice; the ETM
* extension for CBC ciphersuites has not seen wide adoption. This choice can be
* revisited in future; please consult me first. -- amdj
*/
static const int rb_mbedtls_ciphersuites[] = {
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
0 // End of list
};
/* /*
* YES, this is a hardcoded CA certificate. * YES, this is a hardcoded CA certificate.
* *