From bbee0d4eee0335ed129c37063ea47e14be076e57 Mon Sep 17 00:00:00 2001
From: Dan Fandrich
Date: Fri, 6 Jan 2017 23:00:45 +0100
Subject: wolfssl: support setting cipher list
---
 docs/CIPHERS.md | 113 ++++++++++++++++++++++++++++
 docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3 | 3 +
 lib/vtls/cyassl.c | 10 +++
 3 files changed, 126 insertions(+)
diff --git a/docs/CIPHERS.md b/docs/CIPHERS.md
index 9e8482098..99d261bdd 100644
--- a/docs/CIPHERS.md
+++ b/docs/CIPHERS.md
@@ -311,3 +311,116 @@ but libcurl maps them to the following case-insensitive names.
 `aes256-sha256`
 `aes128-gcm-sha256`
 `aes256-gcm-sha384`
+
+## WolfSSL
+
+`RC4-SHA`,
+`RC4-MD5`,
+`DES-CBC3-SHA`,
+`AES128-SHA`,
+`AES256-SHA`,
+`NULL-SHA`,
+`NULL-SHA256`,
+`DHE-RSA-AES128-SHA`,
+`DHE-RSA-AES256-SHA`,
+`DHE-PSK-AES256-GCM-SHA384`,
+`DHE-PSK-AES128-GCM-SHA256`,
+`PSK-AES256-GCM-SHA384`,
+`PSK-AES128-GCM-SHA256`,
+`DHE-PSK-AES256-CBC-SHA384`,
+`DHE-PSK-AES128-CBC-SHA256`,
+`PSK-AES256-CBC-SHA384`,
+`PSK-AES128-CBC-SHA256`,
+`PSK-AES128-CBC-SHA`,
+`PSK-AES256-CBC-SHA`,
+`DHE-PSK-AES128-CCM`,
+`DHE-PSK-AES256-CCM`,
+`PSK-AES128-CCM`,
+`PSK-AES256-CCM`,
+`PSK-AES128-CCM-8`,
+`PSK-AES256-CCM-8`,
+`DHE-PSK-NULL-SHA384`,
+`DHE-PSK-NULL-SHA256`,
+`PSK-NULL-SHA384`,
+`PSK-NULL-SHA256`,
+`PSK-NULL-SHA`,
+`HC128-MD5`,
+`HC128-SHA`,
+`HC128-B2B256`,
+`AES128-B2B256`,
+`AES256-B2B256`,
+`RABBIT-SHA`,
+`NTRU-RC4-SHA`,
+`NTRU-DES-CBC3-SHA`,
+`NTRU-AES128-SHA`,
+`NTRU-AES256-SHA`,
+`AES128-CCM-8`,
+`AES256-CCM-8`,
+`ECDHE-ECDSA-AES128-CCM`,
+`ECDHE-ECDSA-AES128-CCM-8`,
+`ECDHE-ECDSA-AES256-CCM-8`,
+`ECDHE-RSA-AES128-SHA`,
+`ECDHE-RSA-AES256-SHA`,
+`ECDHE-ECDSA-AES128-SHA`,
+`ECDHE-ECDSA-AES256-SHA`,
+`ECDHE-RSA-RC4-SHA`,
+`ECDHE-RSA-DES-CBC3-SHA`,
+`ECDHE-ECDSA-RC4-SHA`,
+`ECDHE-ECDSA-DES-CBC3-SHA`,
+`AES128-SHA256`,
+`AES256-SHA256`,
+`DHE-RSA-AES128-SHA256`,
+`DHE-RSA-AES256-SHA256`,
+`ECDH-RSA-AES128-SHA`,
+`ECDH-RSA-AES256-SHA`,
+`ECDH-ECDSA-AES128-SHA`,
+`ECDH-ECDSA-AES256-SHA`,
+`ECDH-RSA-RC4-SHA`,
+`ECDH-RSA-DES-CBC3-SHA`,
+`ECDH-ECDSA-RC4-SHA`,
+`ECDH-ECDSA-DES-CBC3-SHA`,
+`AES128-GCM-SHA256`,
+`AES256-GCM-SHA384`,
+`DHE-RSA-AES128-GCM-SHA256`,
+`DHE-RSA-AES256-GCM-SHA384`,
+`ECDHE-RSA-AES128-GCM-SHA256`,
+`ECDHE-RSA-AES256-GCM-SHA384`,
+`ECDHE-ECDSA-AES128-GCM-SHA256`,
+`ECDHE-ECDSA-AES256-GCM-SHA384`,
+`ECDH-RSA-AES128-GCM-SHA256`,
+`ECDH-RSA-AES256-GCM-SHA384`,
+`ECDH-ECDSA-AES128-GCM-SHA256`,
+`ECDH-ECDSA-AES256-GCM-SHA384`,
+`CAMELLIA128-SHA`,
+`DHE-RSA-CAMELLIA128-SHA`, +`CAMELLIA256-SHA`, +`DHE-RSA-CAMELLIA256-SHA`, +`CAMELLIA128-SHA256`, +`DHE-RSA-CAMELLIA128-SHA256`, +`CAMELLIA256-SHA256`, +`DHE-RSA-CAMELLIA256-SHA256`, +`ECDHE-RSA-AES128-SHA256`, +`ECDHE-ECDSA-AES128-SHA256`, +`ECDH-RSA-AES128-SHA256`, +`ECDH-ECDSA-AES128-SHA256`, +`ECDHE-RSA-AES256-SHA384`, +`ECDHE-ECDSA-AES256-SHA384`, +`ECDH-RSA-AES256-SHA384`, +`ECDH-ECDSA-AES256-SHA384`, +`ECDHE-RSA-CHACHA20-POLY1305`, +`ECDHE-ECDSA-CHACHA20-POLY1305`, +`DHE-RSA-CHACHA20-POLY1305`, +`ECDHE-RSA-CHACHA20-POLY1305-OLD`, +`ECDHE-ECDSA-CHACHA20-POLY1305-OLD`, +`DHE-RSA-CHACHA20-POLY1305-OLD`, +`ADH-AES128-SHA`, +`QSH`, +`RENEGOTIATION-INFO`, +`IDEA-CBC-SHA`, +`ECDHE-ECDSA-NULL-SHA`, +`ECDHE-PSK-NULL-SHA256`, +`ECDHE-PSK-AES128-CBC-SHA256`, +`PSK-CHACHA20-POLY1305`, +`ECDHE-PSK-CHACHA20-POLY1305`, +`DHE-PSK-CHACHA20-POLY1305`, +`EDH-RSA-DES-CBC3-SHA`, diff --git a/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3 b/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3 index f6b945994..5f3668a72 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3 +++ b/docs/libcurl/opts/CURLOPT_SSL_CIPHER_LIST.3 @@ -46,6 +46,9 @@ For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5', \'rsa_aes_128_sha\', etc. With NSS you don't add/remove ciphers. If one uses this option then all known ciphers are disabled and only those passed in are enabled. + +For WolfSSL, valid examples of cipher lists include +\'ECDHE-RSA-RC4-SHA\', 'AES256-SHA:AES256-SHA256', etc. .SH DEFAULT NULL, use internal default .SH PROTOCOLS diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c index 3346daa05..f494a011d 100644 --- a/lib/vtls/cyassl.c +++ b/lib/vtls/cyassl.c @@ -134,6 +134,7 @@ cyassl_connect_step1(struct connectdata *conn, int sockindex) { char error_buffer[CYASSL_MAX_ERROR_SZ]; + char *ciphers; struct Curl_easy *data = conn->data; struct ssl_connect_data* conssl = &conn->ssl[sockindex]; SSL_METHOD* req_method = NULL; 
@@ -229,6 +230,15 @@ cyassl_connect_step1(struct connectdata *conn,
       break;
   }
 
+  ciphers = SSL_CONN_CONFIG(cipher_list);
+  if(ciphers) {
+    if(!SSL_CTX_set_cipher_list(conssl->ctx, ciphers)) {
+      failf(data, "failed setting cipher list: %s", ciphers);
+      return CURLE_SSL_CIPHER;
+    }
+    infof(data, "Cipher selection: %s\n", ciphers);
+  }
+
 #ifndef NO_FILESYSTEM
   /* load trusted cacert */
   if(SSL_CONN_CONFIG(CAfile)) {
-- 
cgit v1.2.3
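Review bot: `ciphers` is only ever read in the new block — it is passed to SSL_CTX_set_cipher_list, failf and infof — so it should be declared `const char *ciphers;` in the -134 hunk and assigned from `SSL_CONN_CONFIG(cipher_list)` unchanged; the qualifier records that the backend never modifies the option string and matches the `const char *` the wolfSSL setter takes. The block also needs a short comment, e.g. `/* apply the caller's cipher list; wolfSSL takes a colon-separated list of suite names, see docs/CIPHERS.md */`. The failure path returns CURLE_SSL_CIPHER without releasing conssl->ctx, which appears consistent with the other early returns in cyassl_connect_step1 (presumably the close path frees it), but that is inferred — the function begins and ends outside this hunk.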