Merge new security defaults for programs (RC4 disabled, SSL3 disabled)

2025-08-08 17:42:09 +03:00 · 2015-01-14 16:26:54 +01:00
parent 36adc3631c fa06581c73
commit 5b8f7eaa3e
14 changed files with 149 additions and 23 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -656,6 +656,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
            ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
            continue;

+        if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
+            ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
+            continue;
+
        SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
                       ciphersuites[i] ) );

@@ -1018,6 +1022,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
    int renegotiation_info_seen = 0;
 #endif
    int handshake_failure = 0;
+    const ssl_ciphersuite_t *suite_info;
 #if defined(POLARSSL_DEBUG_C)
    uint32_t t;
 #endif
@@ -1202,6 +1207,16 @@ static int ssl_parse_server_hello( ssl_context *ssl )
    SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
    SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );

+    suite_info = ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
+    if( suite_info == NULL ||
+        ( ssl->arc4_disabled &&
+          suite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) )
+    {
+        SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+
    i = 0;
    while( 1 )
    {
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -920,6 +920,10 @@ static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
        suite_info->max_minor_ver < ssl->minor_ver )
        return( 0 );

+    if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
+            suite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
+        return( 0 );
+
 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    if( ssl_ciphersuite_uses_ec( suite_info ) &&
        ( ssl->handshake->curves == NULL ||
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4245,6 +4245,11 @@ void ssl_set_extended_master_secret( ssl_context *ssl, char ems )
 }
 #endif

+void ssl_set_arc4_support( ssl_context *ssl, char arc4 )
+{
+    ssl->arc4_disabled = arc4;
+}
+
 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
 {