Merge new security defaults for programs (RC4 disabled, SSL3 disabled)

2015-01-14 16:26:54 +01:00 · 2015-01-14 16:26:54 +01:00 · 5b8f7eaa3e
commit 5b8f7eaa3e
parent 36adc3631c fa06581c73
14 changed files with 149 additions and 23 deletions
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -257,6 +257,9 @@
 #define SSL_CBC_RECORD_SPLITTING_DISABLED   -1
 #define SSL_CBC_RECORD_SPLITTING_ENABLED     0

+#define SSL_ARC4_ENABLED                0
+#define SSL_ARC4_DISABLED               1
+
 /**
 * \name SECTION: Module settings
 *
@ -748,6 +751,7 @@ struct _ssl_context
 #if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET)
    char extended_ms;           /*!< flag for extended master secret  */
 #endif
+    char arc4_disabled;         /*!< flag for disabling RC4           */

    /*
     * Callbacks (RNG, debug, I/O, verification)
@ -1438,8 +1442,10 @@ void ssl_set_max_version( ssl_context *ssl, int major, int minor );
 * \brief          Set the minimum accepted SSL/TLS protocol version
 *                 (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
 *
- *                 Note: Input outside of the SSL_MAX_XXXXX_VERSION and
- *                       SSL_MIN_XXXXX_VERSION range is ignored.
+ * \note           Input outside of the SSL_MAX_XXXXX_VERSION and
+ *                 SSL_MIN_XXXXX_VERSION range is ignored.
+ *
+ * \note           SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
 *
 * \param ssl      SSL context
 * \param major    Major version number (only SSL_MAJOR_VERSION_3 supported)
@ -1502,6 +1508,21 @@ void ssl_set_encrypt_then_mac( ssl_context *ssl, char etm );
 void ssl_set_extended_master_secret( ssl_context *ssl, char ems );
 #endif /* POLARSSL_SSL_EXTENDED_MASTER_SECRET */

+/**
+ * \brief          Disable or enable support for RC4
+ *                 (Default: SSL_ARC4_ENABLED)
+ *
+ * \note           Though the default is RC4 for compatibility reasons in the
+ *                 1.3 branch, the recommended value is SSL_ARC4_DISABLED.
+ *
+ * \note           This function will likely be removed in future versions as
+ *                 RC4 will then be disabled by default at compile time.
+ *
+ * \param ssl      SSL context
+ * \param arc4     SSL_ARC4_ENABLED or SSL_ARC4_DISABLED
+ */
+void ssl_set_arc4_support( ssl_context *ssl, char arc4 );
+
 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
 /**
 * \brief          Set the maximum fragment length to emit and/or negotiate