From: Jan Venekamp <1422460+jan2000@users.noreply.github.com> Date: Wed, 24 Apr 2024 15:37:14 +0000 (+0200) Subject: bearssl: use common code for cipher suite lookup X-Git-Tag: curl-8_8_0~131 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e4b7abfd3bef38130598b7f62289881f448a13c;p=thirdparty%2Fcurl.git bearssl: use common code for cipher suite lookup Take advantage of the Curl_cipher_suite_walk_str() and Curl_cipher_suite_get_str() functions introduced in commit fba9afeb. This also fixes CURLOPT_SSL_CIPHER_LIST not working at all for bearssl due to commit ff74cef5. Closes #13464 --- diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c index b3918b73fb..a595f54a9c 100644 --- a/lib/vtls/bearssl.c +++ b/lib/vtls/bearssl.c @@ -28,6 +28,7 @@ #include #include "bearssl.h" +#include "cipher_suite.h" #include "urldata.h" #include "sendf.h" #include "inet_pton.h" @@ -37,7 +38,6 @@ #include "select.h" #include "multiif.h" #include "curl_printf.h" -#include "strcase.h" /* The last #include files should be: */ #include "curl_memory.h" @@ -360,219 +360,121 @@ static const br_x509_class x509_vtable = { x509_get_pkey }; -struct st_cipher { - const char *name; /* Cipher suite IANA name. It starts with "TLS_" prefix */ - const char *alias_name; /* Alias name is the same as OpenSSL cipher name */ - uint16_t num; /* BearSSL cipher suite */ -}; - -/* Macro to initialize st_cipher data structure */ -#define CIPHER_DEF(num, alias) { #num, alias, BR_##num } - -static const struct st_cipher ciphertable[] = { +static const uint16_t ciphertable[] = { /* RFC 2246 TLS 1.0 */ - CIPHER_DEF(TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* 0x000A */ - "DES-CBC3-SHA"), + BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* 0x000A */ /* RFC 3268 TLS 1.0 AES */ - CIPHER_DEF(TLS_RSA_WITH_AES_128_CBC_SHA, /* 0x002F */ - "AES128-SHA"), - CIPHER_DEF(TLS_RSA_WITH_AES_256_CBC_SHA, /* 0x0035 */ - "AES256-SHA"), + BR_TLS_RSA_WITH_AES_128_CBC_SHA, /* 0x002F */ + BR_TLS_RSA_WITH_AES_256_CBC_SHA, /* 0x0035 */ /* RFC 5246 TLS 1.2 */ - CIPHER_DEF(TLS_RSA_WITH_AES_128_CBC_SHA256, /* 0x003C */ - "AES128-SHA256"), - CIPHER_DEF(TLS_RSA_WITH_AES_256_CBC_SHA256, /* 0x003D */ - "AES256-SHA256"), + BR_TLS_RSA_WITH_AES_128_CBC_SHA256, /* 0x003C */ + BR_TLS_RSA_WITH_AES_256_CBC_SHA256, /* 0x003D */ /* RFC 5288 TLS 1.2 AES GCM */ - CIPHER_DEF(TLS_RSA_WITH_AES_128_GCM_SHA256, /* 0x009C */ - "AES128-GCM-SHA256"), - CIPHER_DEF(TLS_RSA_WITH_AES_256_GCM_SHA384, /* 0x009D */ - "AES256-GCM-SHA384"), + BR_TLS_RSA_WITH_AES_128_GCM_SHA256, /* 0x009C */ + BR_TLS_RSA_WITH_AES_256_GCM_SHA384, /* 0x009D */ /* RFC 4492 TLS 1.0 ECC */ - CIPHER_DEF(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC003 */ - "ECDH-ECDSA-DES-CBC3-SHA"), - CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC004 */ - "ECDH-ECDSA-AES128-SHA"), - CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC005 */ - "ECDH-ECDSA-AES256-SHA"), - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC008 */ - "ECDHE-ECDSA-DES-CBC3-SHA"), - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC009 */ - "ECDHE-ECDSA-AES128-SHA"), - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC00A */ - "ECDHE-ECDSA-AES256-SHA"), - CIPHER_DEF(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC00D */ - "ECDH-RSA-DES-CBC3-SHA"), - CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, /* 0xC00E */ - "ECDH-RSA-AES128-SHA"), - CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, /* 0xC00F */ - "ECDH-RSA-AES256-SHA"), - CIPHER_DEF(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC012 */ - "ECDHE-RSA-DES-CBC3-SHA"), - CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, /* 0xC013 */ - "ECDHE-RSA-AES128-SHA"), - CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, /* 0xC014 */ - "ECDHE-RSA-AES256-SHA"), + BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC003 */ + BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC004 */ + BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC005 */ + BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC008 */ + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC009 */ + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC00A */ + BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC00D */ + BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, /* 0xC00E */ + BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, /* 0xC00F */ + BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC012 */ + BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, /* 0xC013 */ + BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, /* 0xC014 */ /* RFC 5289 TLS 1.2 ECC HMAC SHA256/384 */ - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC023 */ - "ECDHE-ECDSA-AES128-SHA256"), - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC024 */ - "ECDHE-ECDSA-AES256-SHA384"), - CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC025 */ - "ECDH-ECDSA-AES128-SHA256"), - CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC026 */ - "ECDH-ECDSA-AES256-SHA384"), - CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, /* 0xC027 */ - "ECDHE-RSA-AES128-SHA256"), - CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, /* 0xC028 */ - "ECDHE-RSA-AES256-SHA384"), - CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, /* 0xC029 */ - "ECDH-RSA-AES128-SHA256"), - CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, /* 0xC02A */ - "ECDH-RSA-AES256-SHA384"), + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC023 */ + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC024 */ + BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC025 */ + BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC026 */ + BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, /* 0xC027 */ + BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, /* 0xC028 */ + BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, /* 0xC029 */ + BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, /* 0xC02A */ /* RFC 5289 TLS 1.2 GCM */ - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02B */ - "ECDHE-ECDSA-AES128-GCM-SHA256"), - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02C */ - "ECDHE-ECDSA-AES256-GCM-SHA384"), - CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02D */ - "ECDH-ECDSA-AES128-GCM-SHA256"), - CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02E */ - "ECDH-ECDSA-AES256-GCM-SHA384"), - CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, /* 0xC02F */ - "ECDHE-RSA-AES128-GCM-SHA256"), - CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, /* 0xC030 */ - "ECDHE-RSA-AES256-GCM-SHA384"), - CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, /* 0xC031 */ - "ECDH-RSA-AES128-GCM-SHA256"), - CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, /* 0xC032 */ - "ECDH-RSA-AES256-GCM-SHA384"), -#ifdef BR_TLS_RSA_WITH_AES_128_CCM + BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02B */ + BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02C */ + BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02D */ + BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02E */ + BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, /* 0xC02F */ + BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, /* 0xC030 */ + BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, /* 0xC031 */ + BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, /* 0xC032 */ +#ifdef BR_TLS_RSA_WITH_AES_128_CCM /* RFC 6655 TLS 1.2 CCM Supported since BearSSL 0.6 */ - CIPHER_DEF(TLS_RSA_WITH_AES_128_CCM, /* 0xC09C */ - "AES128-CCM"), - CIPHER_DEF(TLS_RSA_WITH_AES_256_CCM, /* 0xC09D */ - "AES256-CCM"), - CIPHER_DEF(TLS_RSA_WITH_AES_128_CCM_8, /* 0xC0A0 */ - "AES128-CCM8"), - CIPHER_DEF(TLS_RSA_WITH_AES_256_CCM_8, /* 0xC0A1 */ - "AES256-CCM8"), + BR_TLS_RSA_WITH_AES_128_CCM, /* 0xC09C */ + BR_TLS_RSA_WITH_AES_256_CCM, /* 0xC09D */ + BR_TLS_RSA_WITH_AES_128_CCM_8, /* 0xC0A0 */ + BR_TLS_RSA_WITH_AES_256_CCM_8, /* 0xC0A1 */ /* RFC 7251 TLS 1.2 ECC CCM Supported since BearSSL 0.6 */ - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CCM, /* 0xC0AC */ - "ECDHE-ECDSA-AES128-CCM"), - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CCM, /* 0xC0AD */ - "ECDHE-ECDSA-AES256-CCM"), - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, /* 0xC0AE */ - "ECDHE-ECDSA-AES128-CCM8"), - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, /* 0xC0AF */ - "ECDHE-ECDSA-AES256-CCM8"), + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, /* 0xC0AC */ + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, /* 0xC0AD */ + BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, /* 0xC0AE */ + BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, /* 0xC0AF */ #endif /* RFC 7905 TLS 1.2 ChaCha20-Poly1305 Supported since BearSSL 0.2 */ - CIPHER_DEF(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA8 */ - "ECDHE-RSA-CHACHA20-POLY1305"), - CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA9 */ - "ECDHE-ECDSA-CHACHA20-POLY1305"), + BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA8 */ + BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA9 */ }; #define NUM_OF_CIPHERS (sizeof(ciphertable) / sizeof(ciphertable[0])) -#define CIPHER_NAME_BUF_LEN 64 - -static bool bearssl_is_separator(char c) -{ - /* Return whether character is a cipher list separator. */ - switch(c) { - case ' ': - case '\t': - case ':': - case ',': - case ';': - return true; - } - return false; -} static CURLcode bearssl_set_selected_ciphers(struct Curl_easy *data, br_ssl_engine_context *ssl_eng, const char *ciphers) { - uint16_t selected_ciphers[NUM_OF_CIPHERS]; - size_t selected_count = 0; - const char *cipher_start = ciphers; - const char *cipher_end; - size_t i, j; - - if(!cipher_start) - return CURLE_SSL_CIPHER; - - while(true) { - const char *cipher; - size_t clen; - - /* Extract the next cipher name from the ciphers string */ - while(bearssl_is_separator(*cipher_start)) - ++cipher_start; - if(!*cipher_start) - break; - cipher_end = cipher_start; - while(*cipher_end && !bearssl_is_separator(*cipher_end)) - ++cipher_end; - - clen = cipher_end - cipher_start; - cipher = cipher_start; - - cipher_start = cipher_end; - - /* Lookup the cipher name in the table of available ciphers. If the cipher - name starts with "TLS_" we do the lookup by IANA name. Otherwise, we try - to match cipher name by an (OpenSSL) alias. */ - if(strncasecompare(cipher, "TLS_", 4)) { - for(i = 0; i < NUM_OF_CIPHERS && - (strlen(ciphertable[i].name) == clen) && - !strncasecompare(cipher, ciphertable[i].name, clen); ++i); - } - else { - for(i = 0; i < NUM_OF_CIPHERS && - (strlen(ciphertable[i].alias_name) == clen) && - !strncasecompare(cipher, ciphertable[i].alias_name, clen); ++i); + uint16_t selected[NUM_OF_CIPHERS]; + size_t count = 0, i; + const char *ptr, *end; + + for(ptr = ciphers; ptr[0] != '\0' && count < NUM_OF_CIPHERS; ptr = end) { + uint16_t id = Curl_cipher_suite_walk_str(&ptr, &end); + + /* Check if cipher is supported */ + if(id) { + for(i = 0; i < NUM_OF_CIPHERS && ciphertable[i] != id; i++); + if(i == NUM_OF_CIPHERS) + id = 0; } - if(i == NUM_OF_CIPHERS) { - infof(data, "BearSSL: unknown cipher in list: %.*s", - (int)clen, cipher); + if(!id) { + if(ptr[0] != '\0') + infof(data, "BearSSL: unknown cipher in list: \"%.*s\"", + (int) (end - ptr), ptr); continue; } /* No duplicates allowed */ - for(j = 0; j < selected_count && - selected_ciphers[j] != ciphertable[i].num; j++); - if(j < selected_count) { - infof(data, "BearSSL: duplicate cipher in list: %.*s", - (int)clen, cipher); + for(i = 0; i < count && selected[i] != id; i++); + if(i < count) { + infof(data, "BearSSL: duplicate cipher in list: \"%.*s\"", + (int) (end - ptr), ptr); continue; } - DEBUGASSERT(selected_count < NUM_OF_CIPHERS); - selected_ciphers[selected_count] = ciphertable[i].num; - ++selected_count; + selected[count++] = id; } - if(selected_count == 0) { + if(count == 0) { failf(data, "BearSSL: no supported cipher in list"); return CURLE_SSL_CIPHER; } - br_ssl_engine_set_suites(ssl_eng, selected_ciphers, selected_count); + br_ssl_engine_set_suites(ssl_eng, selected, count); return CURLE_OK; } @@ -846,6 +748,9 @@ static CURLcode bearssl_connect_step2(struct Curl_cfilter *cf, struct ssl_connect_data *connssl = cf->ctx; struct bearssl_ssl_backend_data *backend = (struct bearssl_ssl_backend_data *)connssl->backend; + br_ssl_session_parameters session; + char cipher_str[64]; + char ver_str[16]; CURLcode ret; DEBUGASSERT(backend); @@ -856,6 +761,7 @@ static CURLcode bearssl_connect_step2(struct Curl_cfilter *cf, return CURLE_OK; if(ret == CURLE_OK) { unsigned int tver; + if(br_ssl_engine_current_state(&backend->ctx.eng) == BR_SSL_CLOSED) { failf(data, "SSL: connection closed during handshake"); return CURLE_SSL_CONNECT_ERROR; @@ -863,12 +769,19 @@ static CURLcode bearssl_connect_step2(struct Curl_cfilter *cf, connssl->connecting_state = ssl_connect_3; /* Informational message */ tver = br_ssl_engine_get_version(&backend->ctx.eng); - if(tver == 0x0303) - infof(data, "SSL connection using TLSv1.2"); - else if(tver == 0x0304) - infof(data, "SSL connection using TLSv1.3"); - else - infof(data, "SSL connection using TLS 0x%x", tver); + if(tver == BR_TLS12) + strcpy(ver_str, "TLSv1.2"); + else if(tver == BR_TLS11) + strcpy(ver_str, "TLSv1.1"); + else if(tver == BR_TLS10) + strcpy(ver_str, "TLSv1.0"); + else { + msnprintf(ver_str, sizeof(ver_str), "TLS 0x%04x", tver); + } + br_ssl_engine_get_session_parameters(&backend->ctx.eng, &session); + Curl_cipher_suite_get_str(session.cipher_suite, cipher_str, + sizeof(cipher_str), true); + infof(data, "BearSSL: %s connection using %s", ver_str, cipher_str); } return ret; } diff --git a/lib/vtls/cipher_suite.c b/lib/vtls/cipher_suite.c index d01f9d90eb..a78838d195 100644 --- a/lib/vtls/cipher_suite.c +++ b/lib/vtls/cipher_suite.c @@ -23,7 +23,7 @@ ***************************************************************************/ #include "curl_setup.h" -#if defined(USE_MBEDTLS) +#if defined(USE_MBEDTLS) || defined(USE_BEARSSL) #include "cipher_suite.h" #include "curl_printf.h" #include "strcase.h" @@ -81,12 +81,14 @@ static const char *cs_txt = "SHA" "\0" "SHA256" "\0" "SHA384" "\0" +#if defined(USE_MBEDTLS) "ARIA" "\0" "ARIA128" "\0" "ARIA256" "\0" "CAMELLIA" "\0" "CAMELLIA128" "\0" "CAMELLIA256" "\0" +#endif ; /* Indexes of above cs_txt */ enum { @@ -120,12 +122,14 @@ enum { CS_TXT_IDX_SHA, CS_TXT_IDX_SHA256, CS_TXT_IDX_SHA384, +#if defined(USE_MBEDTLS) CS_TXT_IDX_ARIA, CS_TXT_IDX_ARIA128, CS_TXT_IDX_ARIA256, CS_TXT_IDX_CAMELLIA, CS_TXT_IDX_CAMELLIA128, CS_TXT_IDX_CAMELLIA256, +#endif CS_TXT_LEN, }; @@ -220,7 +224,7 @@ static const struct cs_entry cs_list [] = { CS_ENTRY(0xCCA8, ECDHE,RSA,CHACHA20,POLY1305,,,,), CS_ENTRY(0xCCA9, TLS,ECDHE,ECDSA,WITH,CHACHA20,POLY1305,SHA256,), CS_ENTRY(0xCCA9, ECDHE,ECDSA,CHACHA20,POLY1305,,,,), - +#if defined(USE_MBEDTLS) CS_ENTRY(0x0001, TLS,RSA,WITH,NULL,MD5,,,), CS_ENTRY(0x0001, NULL,MD5,,,,,,), CS_ENTRY(0x0002, TLS,RSA,WITH,NULL,SHA,,,), @@ -312,7 +316,19 @@ static const struct cs_entry cs_list [] = { CS_ENTRY(0xC036, ECDHE,PSK,AES256,CBC,SHA,,,), CS_ENTRY(0xCCAB, TLS,PSK,WITH,CHACHA20,POLY1305,SHA256,,), CS_ENTRY(0xCCAB, PSK,CHACHA20,POLY1305,,,,,), - +#endif +#if defined(USE_BEARSSL) + CS_ENTRY(0x000A, TLS,RSA,WITH,3DES,EDE,CBC,SHA,), + CS_ENTRY(0x000A, DES,CBC3,SHA,,,,,), + CS_ENTRY(0xC003, TLS,ECDH,ECDSA,WITH,3DES,EDE,CBC,SHA), + CS_ENTRY(0xC003, ECDH,ECDSA,DES,CBC3,SHA,,,), + CS_ENTRY(0xC008, TLS,ECDHE,ECDSA,WITH,3DES,EDE,CBC,SHA), + CS_ENTRY(0xC008, ECDHE,ECDSA,DES,CBC3,SHA,,,), + CS_ENTRY(0xC00D, TLS,ECDH,RSA,WITH,3DES,EDE,CBC,SHA), + CS_ENTRY(0xC00D, ECDH,RSA,DES,CBC3,SHA,,,), + CS_ENTRY(0xC012, TLS,ECDHE,RSA,WITH,3DES,EDE,CBC,SHA), + CS_ENTRY(0xC012, ECDHE,RSA,DES,CBC3,SHA,,,), +#endif CS_ENTRY(0xC09C, TLS,RSA,WITH,AES,128,CCM,,), CS_ENTRY(0xC09C, AES128,CCM,,,,,,), CS_ENTRY(0xC09D, TLS,RSA,WITH,AES,256,CCM,,), @@ -329,7 +345,7 @@ static const struct cs_entry cs_list [] = { CS_ENTRY(0xC0AE, ECDHE,ECDSA,AES128,CCM8,,,,), CS_ENTRY(0xC0AF, TLS,ECDHE,ECDSA,WITH,AES,256,CCM,8), CS_ENTRY(0xC0AF, ECDHE,ECDSA,AES256,CCM8,,,,), - +#if defined(USE_MBEDTLS) /* entries marked ns are "non-standard", they are not in openssl */ CS_ENTRY(0x0041, TLS,RSA,WITH,CAMELLIA,128,CBC,SHA,), CS_ENTRY(0x0041, CAMELLIA128,SHA,,,,,,), @@ -533,6 +549,7 @@ static const struct cs_entry cs_list [] = { CS_ENTRY(0xCCAD, DHE,PSK,CHACHA20,POLY1305,,,,), CS_ENTRY(0xCCAE, TLS,RSA,PSK,WITH,CHACHA20,POLY1305,SHA256,), CS_ENTRY(0xCCAE, RSA,PSK,CHACHA20,POLY1305,,,,), +#endif }; #define CS_LIST_LEN (sizeof(cs_list) / sizeof(cs_list[0])) @@ -696,4 +713,4 @@ int Curl_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size, return r; } -#endif /* defined(USE_MBEDTLS) */ +#endif /* defined(USE_MBEDTLS) || defined(USE_BEARSSL) */ diff --git a/lib/vtls/cipher_suite.h b/lib/vtls/cipher_suite.h index 87fa259cd6..c1399794fe 100644 --- a/lib/vtls/cipher_suite.h +++ b/lib/vtls/cipher_suite.h @@ -26,7 +26,7 @@ #include "curl_setup.h" -#if defined(USE_MBEDTLS) +#if defined(USE_MBEDTLS) || defined(USE_BEARSSL) #include /* Lookup IANA id for cipher suite string, returns 0 if not recognized */ @@ -42,5 +42,5 @@ uint16_t Curl_cipher_suite_walk_str(const char **str, const char **end); int Curl_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size, bool prefer_rfc); -#endif /* defined(USE_MBEDTLS) */ +#endif /* defined(USE_MBEDTLS) || defined(USE_BEARSSL) */ #endif /* HEADER_CURL_CIPHER_SUITE_H */ diff --git a/tests/unit/unit3205.c b/tests/unit/unit3205.c index c88e829648..19c82ef34a 100644 --- a/tests/unit/unit3205.c +++ b/tests/unit/unit3205.c @@ -34,7 +34,7 @@ static void unit_stop(void) { } -#if defined(USE_MBEDTLS) +#if defined(USE_MBEDTLS) || defined(USE_BEARSSL) struct test_cs_entry { uint16_t id; @@ -106,7 +106,7 @@ static const struct test_cs_entry test_cs_list[] = { "ECDHE-RSA-CHACHA20-POLY1305" }, { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305" }, - +#if defined(USE_MBEDTLS) { 0x0001, "TLS_RSA_WITH_NULL_MD5", "NULL-MD5" }, { 0x0002, "TLS_RSA_WITH_NULL_SHA", @@ -203,7 +203,19 @@ static const struct test_cs_entry test_cs_list[] = { "ECDHE-PSK-AES256-CBC-SHA" }, { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", "PSK-CHACHA20-POLY1305" }, - +#endif +#if defined(USE_BEARSSL) + { 0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "DES-CBC3-SHA" }, + { 0xC003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", + "ECDH-ECDSA-DES-CBC3-SHA" }, + { 0xC008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + "ECDHE-ECDSA-DES-CBC3-SHA" }, + { 0xC00D, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", + "ECDH-RSA-DES-CBC3-SHA" }, + { 0xC012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + "ECDHE-RSA-DES-CBC3-SHA" }, +#endif { 0xC09C, "TLS_RSA_WITH_AES_128_CCM", "AES128-CCM" }, { 0xC09D, "TLS_RSA_WITH_AES_256_CCM", @@ -220,7 +232,7 @@ static const struct test_cs_entry test_cs_list[] = { "ECDHE-ECDSA-AES128-CCM8" }, { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", "ECDHE-ECDSA-AES256-CCM8" }, - +#if defined(USE_MBEDTLS) /* entries marked ns are non-"standard", they are not in openssl */ { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", "CAMELLIA128-SHA" }, @@ -424,6 +436,7 @@ static const struct test_cs_entry test_cs_list[] = { "DHE-PSK-CHACHA20-POLY1305" }, { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", "RSA-PSK-CHACHA20-POLY1305" }, +#endif }; #define TEST_CS_LIST_LEN (sizeof(test_cs_list) / sizeof(test_cs_list[0])) @@ -448,18 +461,30 @@ struct test_str_entry { const char *str; }; static const struct test_str_entry test_str_list[] = { +#if defined(USE_MBEDTLS) { 0x1301, "TLS_AES_128_GCM_SHA256"}, { 0x1302, "TLS_AES_256_GCM_SHA384"}, { 0x1303, "TLS_CHACHA20_POLY1305_SHA256"}, +#else + { 0x0000, "TLS_AES_128_GCM_SHA256"}, + { 0x0000, "TLS_AES_256_GCM_SHA384"}, + { 0x0000, "TLS_CHACHA20_POLY1305_SHA256"}, +#endif { 0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"}, { 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256"}, { 0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"}, { 0xC030, "ECDHE-RSA-AES256-GCM-SHA384"}, { 0xCCA9, "ECDHE-ECDSA-CHACHA20-POLY1305"}, { 0xCCA8, "ECDHE-RSA-CHACHA20-POLY1305"}, +#if defined(USE_MBEDTLS) { 0x009E, "DHE-RSA-AES128-GCM-SHA256"}, { 0x009F, "DHE-RSA-AES256-GCM-SHA384"}, { 0xCCAA, "DHE-RSA-CHACHA20-POLY1305"}, +#else + { 0x0000, "DHE-RSA-AES128-GCM-SHA256"}, + { 0x0000, "DHE-RSA-AES256-GCM-SHA384"}, + { 0x0000, "DHE-RSA-CHACHA20-POLY1305"}, +#endif { 0xC023, "ECDHE-ECDSA-AES128-SHA256" }, { 0xC027, "ECDHE-RSA-AES128-SHA256" }, { 0xC009, "ECDHE-ECDSA-AES128-SHA" }, @@ -468,15 +493,24 @@ static const struct test_str_entry test_str_list[] = { { 0xC028, "ECDHE-RSA-AES256-SHA384" }, { 0xC00A, "ECDHE-ECDSA-AES256-SHA" }, { 0xC014, "ECDHE-RSA-AES256-SHA" }, +#if defined(USE_MBEDTLS) { 0x0067, "DHE-RSA-AES128-SHA256" }, { 0x006B, "DHE-RSA-AES256-SHA256" }, +#else + { 0x0000, "DHE-RSA-AES128-SHA256" }, + { 0x0000, "DHE-RSA-AES256-SHA256" }, +#endif { 0x009C, "AES128-GCM-SHA256" }, { 0x009D, "AES256-GCM-SHA384" }, { 0x003C, "AES128-SHA256" }, { 0x003D, "AES256-SHA256" }, { 0x002F, "AES128-SHA" }, { 0x0035, "AES256-SHA" }, +#if defined(USE_BEARSSL) + { 0x000A, "DES-CBC3-SHA" }, +#else { 0x0000, "DES-CBC3-SHA" }, +#endif { 0x0000, "GIBBERISH" }, { 0x0000, "" }, }; @@ -573,9 +607,9 @@ UNITTEST_START } UNITTEST_STOP -#else /* defined(USE_MBEDTLS) */ +#else /* defined(USE_MBEDTLS) || defined(USE_BEARSSL) */ UNITTEST_START UNITTEST_STOP -#endif /* defined(USE_MBEDTLS) */ +#endif /* defined(USE_MBEDTLS) || defined(USE_BEARSSL) */