From: Eneas U de Queiroz <cote2004-github@yahoo.com>
To: openwrt-devel@lists.openwrt.org
Cc: Eneas U de Queiroz <cote2004-github@yahoo.com>
Subject: [PATCH v3 3/3] ustream-ssl: Revised security on mbedtls
Date: Sat, 16 Jun 2018 01:03:43 -0300
Message-Id: <20180616040343.24722-4-cote2004-github@yahoo.com>
X-Mailer: git-send-email 2.16.4
In-Reply-To: <20180616040343.24722-1-cote2004-github@yahoo.com>
References: <20180616040343.24722-1-cote2004-github@yahoo.com>
In-Reply-To: <20180531124520.31010-1-cote2004-github@yahoo.com>
References: <20180531124520.31010-1-cote2004-github@yahoo.com>

I've revised the security options and made them more uniform across the
SSL libraries.

- use only TLS 1.2 in server mode
- changed the ciphersuite ordering

Signed-off-by: Eneas U de Queiroz &lt;cote2004-github@yahoo.com&gt;
---
 ustream-mbedtls.c | 49 +++++++++++++++++++++++--------------------------
 1 file changed, 23 insertions(+), 26 deletions(-)

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 9b22ad2..347c600 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,33 +86,28 @@ static int _urandom(void *ctx, unsigned char *out, size_t len)
 	return 0;
 }
 
-#define TLS_DEFAULT_CIPHERS			\
-    TLS_CIPHER(AES_128_GCM_SHA256)		\
-    TLS_CIPHER(AES_256_GCM_SHA384)		\
-    TLS_CIPHER(AES_128_CBC_SHA)			\
-    TLS_CIPHER(AES_256_CBC_SHA)			\
-    TLS_CIPHER(3DES_EDE_CBC_SHA)
-
-static const int default_ciphersuites_nodhe[] =
+#define AES_CIPHERS(v)					\
+	MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256,	\
+	MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384,	\
+	MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA,		\
+	MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
+
+static const int default_ciphersuites_server[] =
 {
-#define TLS_CIPHER(v)				\
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v,	\
-	MBEDTLS_TLS_ECDHE_RSA_WITH_##v,		\
-	MBEDTLS_TLS_RSA_WITH_##v,
-	TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+	AES_CIPHERS(ECDHE_ECDSA),
+	AES_CIPHERS(ECDHE_RSA),
+	AES_CIPHERS(RSA),
 	0
 };
 
-static const int default_ciphersuites[] =
+static const int default_ciphersuites_client[] =
 {
-#define TLS_CIPHER(v)				\
-	MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v,	\
-	MBEDTLS_TLS_ECDHE_RSA_WITH_##v,		\
-	MBEDTLS_TLS_DHE_RSA_WITH_##v,		\
-	MBEDTLS_TLS_RSA_WITH_##v,
-	TLS_DEFAULT_CIPHERS
-#undef TLS_CIPHER
+	AES_CIPHERS(ECDHE_ECDSA),
+	AES_CIPHERS(ECDHE_RSA),
+	AES_CIPHERS(DHE_RSA),
+	MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	AES_CIPHERS(RSA),
+	MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
 	0
 };
 
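Review bot: the server list drops 3DES entirely while the client list keeps it (MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA now appear only in default_ciphersuites_client), but the commit message only speaks of reordering; please state in the message that 3DES is removed on the server side and why it is still offered to clients. The new AES_CIPHERS(v) macro is also written without a trailing comma so that each use site supplies its own; a one-line comment above it would stop a later reader from "fixing" it and producing a stray comma before the terminating 0.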
@@ -152,10 +147,12 @@ __ustream_ssl_context_new(bool server)
 	mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
 	mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
-	if (server)
-		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
-	else
-		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
+	if (server) {
+		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
+		mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+					     MBEDTLS_SSL_MINOR_VERSION_3);
+	} else
+		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
 
 #if defined(MBEDTLS_SSL_CACHE_C)
 	mbedtls_ssl_conf_session_cache(conf, &amp;ctx-&gt;cache,
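Review bot: the `if (server) {` branch is braced while the single-statement `} else` branch is not; brace both for consistency. MBEDTLS_SSL_MAJOR_VERSION_3 with MBEDTLS_SSL_MINOR_VERSION_3 is how mbedtls spells TLS 1.2, which the commit message says but the code does not; a short comment beside the mbedtls_ssl_conf_min_version() call would make the intent obvious. Note also that no minimum version is set on the client path, so the DHE and 3DES suites retained in default_ciphersuites_client stay negotiable under older protocol versions; if that is intentional, say so in the commit message.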
-- 
2.16.4