Soft Disable AES-CBC

1. By default, soft disable AES-CBC. It isn't offered as a default
   encrypt algorithm, but may be set at runtime.
2. Add guard where AES-CBC can be added back as a default.
3. Add option to example client to run it with a custom encrypt
   algorithm list.
4. In the client, add macro to add items to the arg lists while checking
   the number of items in the list.

examples/client/client.c

@@ -126,7 +126,8 @@ static void ShowUsage(void)
     printf(" -X            Ignore IP checks on peer vs peer certificate\n");
 #endif
     printf(" -E            List all possible algos\n");
-    printf(" -k            set the list of key algos to use\n");
+    printf(" -k            set the list of key algos\n");
+    printf(" -C            set the list of encrypt algos\n");
     printf(" -q            turn off debugging output\n");
 }
 
@@ -651,6 +652,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
     const char* cmd      = NULL;
     const char* privKeyName = NULL;
     const char* keyList = NULL;
+    const char* cipherList = NULL;
     byte imExit = 0;
     byte listAlgos = 0;
     byte nonBlock = 0;
@@ -669,7 +671,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
 
     (void)keepOpen;
 
-    while ((ch = mygetopt(argc, argv, "?ac:h:i:j:p:tu:xzNP:RJ:A:XeEk:qK:")) != -1) {
+    while ((ch = mygetopt(argc, argv, "?ac:C:h:i:j:p:tu:xzNP:RJ:A:XeEk:qK:")) != -1) {
         switch (ch) {
             case 'h':
                 host = myoptarg;
@@ -750,6 +752,10 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
                 keyList = myoptarg;
                 break;
 
+            case 'C':
+                cipherList = myoptarg;
+                break;
+
         #if !defined(SINGLE_THREADED) && !defined(WOLFSSL_NUCLEUS)
             case 'c':
                 cmd = myoptarg;
@@ -841,6 +847,11 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
             err_sys("Error setting key list.\n");
         }
     }
+    if (cipherList) {
+        if (wolfSSH_CTX_SetAlgoListCipher(ctx, cipherList) != WS_SUCCESS) {
+            err_sys("Error setting cipher list.\n");
+        }
+    }
 
     if (((func_args*)args)->user_auth == NULL)
         wolfSSH_SetUserAuth(ctx, ClientUserAuth);

src/internal.c

@@ -147,6 +147,11 @@ Flags:
   WOLFSSH_NO_NISTP256_MLKEM768_SHA256
     Set when ML-KEM is disabled in wolfssl. Set to disable use of ECDHE with
     prime NISTP256 hybridized with post-quantum ML-KEM 768.
+  WOLFSSH_NO_AES_CBC_SOFT_DISABLE
+    AES-CBC is normally soft-disabled. The default configuration will not
+    advertise the availability of AES-CBC algorithms during KEX. AES-CBC
+    algorithms still work. Setting this flag will advertise AES-CBC
+    algorithms during KEX by default.
   WOLFSSH_NO_AES_CBC
     Set when AES or AES-CBC are disabled. Set to disable use of AES-CBC
     encryption.
@@ -803,7 +808,7 @@ static const char cannedEncAlgoNames[] =
     "aes192-ctr,"
     "aes128-ctr,"
 #endif
-#if !defined(WOLFSSH_NO_AES_CBC)
+#if !defined(WOLFSSH_NO_AES_CBC) && defined(WOLFSSH_NO_AES_CBC_SOFT_DISABLE)
     "aes256-cbc,"
     "aes192-cbc,"
     "aes128-cbc,"

tests/kex.c

@@ -163,6 +163,52 @@ static int tsClientUserAuth(byte authType, WS_UserAuthData* authData, void* ctx)
 #define NUMARGS 12
 #define ARGLEN 32
 
+/* 
+ * Macro: ADD_ARG
+ * Purpose: Adds a string argument to the argument list.
+ * Parameters:
+ *   - argList: The array of argument strings.
+ *   - argListCount: The current count of arguments in the list (modified
+ *     by the macro).
+ *   - arg: The string argument to add.
+ * Behavior:
+ *   - Copies the string `arg` into the next available slot in `argList`.
+ *   - Increments `argListCount` if the operation is successful.
+ * Constraints:
+ *   - The total number of arguments must not exceed `NUMARGS`.
+ *   - Each argument string must not exceed `ARGLEN` characters.
+ * Side effects:
+ *   - Modifies `argList` and increments `argListCount`.
+ */
+#define ADD_ARG(argList,argListCount,arg) do { \
+    if ((argListCount) < NUMARGS) \
+        WSTRNCPY((argList)[(argListCount)++], (arg), ARGLEN); \
+} while (0)
+
+/* 
+ * Macro: ADD_ARG_INT
+ * Purpose: Adds an integer argument to the argument list as a string.
+ * Parameters:
+ *   - argList: The array of argument strings.
+ *   - argListCount: The current count of arguments in the list (modified
+ *     by the macro).
+ *   - arg: The integer argument to add.
+ * Behavior:
+ *   - Converts the integer `arg` to a string and stores it in the next
+ *     available slot in `argList`.
+ *   - Increments `argListCount` if the operation is successful.
+ * Constraints:
+ *   - The total number of arguments must not exceed `NUMARGS`.
+ *   - Each argument string must not exceed `ARGLEN` characters.
+ * Side effects:
+ *   - Modifies `argList` and increments `argListCount`.
+ */
+#define ADD_ARG_INT(argList,argListCount,arg) do { \
+    if ((argListCount) < NUMARGS) \
+        WSNPRINTF((argList)[(argListCount)++], ARGLEN, "%d", (arg)); \
+} while (0)
+
+
 static int wolfSSH_wolfSSH_Group16_512(void)
 {
     tcp_ready ready;
@@ -175,7 +221,8 @@ static int wolfSSH_wolfSSH_Group16_512(void)
           sA[10], sA[11] };
     char cA[NUMARGS][ARGLEN];
     char *clientArgv[NUMARGS] =
-        { cA[0], cA[1], cA[2], cA[3], cA[4] };
+        { cA[0], cA[1], cA[2], cA[3], cA[4], cA[5], cA[6], cA[7], cA[8], cA[9],
+          cA[10], cA[11] };
     int serverArgc = 0;
     int clientArgc = 0;
 
@@ -202,19 +249,19 @@ static int wolfSSH_wolfSSH_Group16_512(void)
 
     InitTcpReady(&ready);
 
-    WSTRNCPY(serverArgv[serverArgc++], "echoserver", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-1", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-f", ARGLEN);
+    ADD_ARG(serverArgv, serverArgc, "echoserver");
+    ADD_ARG(serverArgv, serverArgc, "-1");
+    ADD_ARG(serverArgv, serverArgc, "-f");
     #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
-        WSTRNCPY(serverArgv[serverArgc++], "-p", ARGLEN);
-        WSTRNCPY(serverArgv[serverArgc++], "-0", ARGLEN);
+        ADD_ARG(serverArgv, serverArgc, "-p");
+        ADD_ARG(serverArgv, serverArgc, "-0");
     #endif
-    WSTRNCPY(serverArgv[serverArgc++], "-x", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "diffie-hellman-group16-sha512", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-m", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "hmac-sha2-512", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-c", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "aes256-cbc", ARGLEN);
+    ADD_ARG(serverArgv, serverArgc, "-x");
+    ADD_ARG(serverArgv, serverArgc, "diffie-hellman-group16-sha512");
+    ADD_ARG(serverArgv, serverArgc, "-m");
+    ADD_ARG(serverArgv, serverArgc, "hmac-sha2-512");
+    ADD_ARG(serverArgv, serverArgc, "-c");
+    ADD_ARG(serverArgv, serverArgc, "aes256-cbc");
 
     serverArgs.argc = serverArgc;
     serverArgs.argv = serverArgv;
@@ -224,12 +271,14 @@ static int wolfSSH_wolfSSH_Group16_512(void)
     ThreadStart(echoserver_test, &serverArgs, &serverThread);
     WaitTcpReady(&ready);
 
-    WSTRNCPY(cA[clientArgc++], "client", ARGLEN);
-    WSTRNCPY(cA[clientArgc++], "-u", ARGLEN);
-    WSTRNCPY(cA[clientArgc++], "jill", ARGLEN);
+    ADD_ARG(clientArgv, clientArgc, "client");
+    ADD_ARG(clientArgv, clientArgc, "-u");
+    ADD_ARG(clientArgv, clientArgc, "jill");
+    ADD_ARG(clientArgv, clientArgc, "-C");
+    ADD_ARG(clientArgv, clientArgc, "aes256-cbc");
     #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
-        WSTRNCPY(cA[clientArgc++], "-p", ARGLEN);
-        WSNPRINTF(cA[clientArgc++], ARGLEN, "%d", ready.port);
+        ADD_ARG(clientArgv, clientArgc, "-p");
+        ADD_ARG_INT(clientArgv, clientArgc, ready.port);
     #endif
 
     clientArgs.argc = clientArgc;