From d42b7c82ef9b82a73c9133976aea91c37f513fdc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 20 Mar 2015 19:44:04 +0000 Subject: [PATCH] Adapt programs to new RC4 default --- programs/ssl/ssl_client1.c | 2 -- programs/ssl/ssl_client2.c | 21 +++++++++++++++++---- programs/ssl/ssl_fork_server.c | 2 -- programs/ssl/ssl_mail_client.c | 2 -- programs/ssl/ssl_pthread_server.c | 2 -- programs/ssl/ssl_server.c | 2 -- programs/ssl/ssl_server2.c | 20 +++++++++++++++++--- 7 files changed, 34 insertions(+), 17 deletions(-) diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 838321ad3..4cd2cc4f8 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -173,8 +173,6 @@ int main( void ) /* SSLv3 is deprecated, set minimum to TLS 1.0 */ ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 ); - /* RC4 is deprecated, disable it */ - ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 46389ae40..f0e6781d4 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -85,7 +85,7 @@ #define DFL_EXCHANGES 1 #define DFL_MIN_VERSION SSL_MINOR_VERSION_1 #define DFL_MAX_VERSION -1 -#define DFL_ARC4 SSL_ARC4_DISABLED +#define DFL_ARC4 -1 #define DFL_AUTH_MODE SSL_VERIFY_REQUIRED #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_TRUNC_HMAC -1 @@ -249,9 +249,9 @@ USAGE_ETM \ USAGE_RECSPLIT \ "\n" \ + " arc4=%%d default: (library default)\n" \ " min_version=%%s default: \"\" (ssl3)\n" \ " max_version=%%s default: \"\" (tls1_2)\n" \ - " arc4=%%d default: 0 (disabled)\n" \ " force_version=%%s default: \"\" (none)\n" \ " options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \ "\n" \ @@ -823,6 +823,19 @@ int main( int argc, char *argv[] ) opt.min_version < SSL_MINOR_VERSION_2 ) opt.min_version = SSL_MINOR_VERSION_2; } + + /* Enable RC4 if needed and not explicitly disabled */ + if( ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) + { + if( opt.arc4 == SSL_ARC4_DISABLED ) + { + polarssl_printf("forced RC4 ciphersuite with RC4 disabled\n"); + ret = 2; + goto usage; + } + + opt.arc4 = SSL_ARC4_ENABLED; + } } #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) @@ -1130,10 +1143,10 @@ int main( int argc, char *argv[] ) } #endif - /* RC4 setting is redundant if we use only one ciphersuite */ if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); - else + + if( opt.arc4 != DFL_ARC4 ) ssl_set_arc4_support( &ssl, opt.arc4 ); if( opt.allow_legacy != DFL_ALLOW_LEGACY ) diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index b58d8d2dd..7813d41e3 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -273,8 +273,6 @@ int main( void ) /* SSLv3 is deprecated, set minimum to TLS 1.0 */ ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 ); - /* RC4 is deprecated, disable it */ - ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 41e0777c6..2e354a790 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -610,8 +610,6 @@ int main( int argc, char *argv[] ) /* SSLv3 is deprecated, set minimum to TLS 1.0 */ ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 ); - /* RC4 is deprecated, disable it */ - ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 52224356b..c4a93c391 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -176,8 +176,6 @@ static void *handle_ssl_connection( void *data ) /* SSLv3 is deprecated, set minimum to TLS 1.0 */ ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 ); - /* RC4 is deprecated, disable it */ - ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_mutexed_debug, stdout ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 9c45e1476..e38d3e229 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -204,8 +204,6 @@ int main( void ) /* SSLv3 is deprecated, set minimum to TLS 1.0 */ ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 ); - /* RC4 is deprecated, disable it */ - ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index c935165d9..d513ca73c 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -101,7 +101,7 @@ #define DFL_EXCHANGES 1 #define DFL_MIN_VERSION SSL_MINOR_VERSION_1 #define DFL_MAX_VERSION -1 -#define DFL_ARC4 SSL_ARC4_DISABLED +#define DFL_ARC4 -1 #define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_TRUNC_HMAC -1 @@ -315,9 +315,9 @@ USAGE_EMS \ USAGE_ETM \ "\n" \ + " arc4=%%d default: (library default)\n" \ " min_version=%%s default: \"ssl3\"\n" \ " max_version=%%s default: \"tls1_2\"\n" \ - " arc4=%%d default: 0 (disabled)\n" \ " force_version=%%s default: \"\" (none)\n" \ " options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \ "\n" \ @@ -1193,6 +1193,19 @@ int main( int argc, char *argv[] ) opt.min_version < SSL_MINOR_VERSION_2 ) opt.min_version = SSL_MINOR_VERSION_2; } + + /* Enable RC4 if needed and not explicitly disabled */ + if( ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) + { + if( opt.arc4 == SSL_ARC4_DISABLED ) + { + polarssl_printf("forced RC4 ciphersuite with RC4 disabled\n"); + ret = 2; + goto usage; + } + + opt.arc4 = SSL_ARC4_ENABLED; + } } if( opt.version_suites != NULL ) @@ -1618,7 +1631,8 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); - else + + if( opt.arc4 != DFL_ARC4 ) ssl_set_arc4_support( &ssl, opt.arc4 ); if( opt.version_suites != NULL )