Soft Disable AES-CBC

1. By default, soft disable AES-CBC. It isn't offered as a default
   encrypt algorithm, but may be set at runtime.
2. Add guard where AES-CBC can be added back as a default.
3. Add option to example client to run it with a custom encrypt
   algorithm list.
4. In the client, add macro to add items to the arg lists while checking
   the number of items in the list.
pull/804/head
John Safranek 2025-05-16 11:41:52 -05:00
parent ee9bc3b6fd
commit 0f650789de
3 changed files with 85 additions and 20 deletions


@ -126,7 +126,8 @@ static void ShowUsage(void)
printf(" -X Ignore IP checks on peer vs peer certificate\n"); printf(" -X Ignore IP checks on peer vs peer certificate\n");
#endif #endif
printf(" -E List all possible algos\n"); printf(" -E List all possible algos\n");
printf(" -k set the list of key algos to use\n"); printf(" -k set the list of key algos\n");
printf(" -C set the list of encrypt algos\n");
printf(" -q turn off debugging output\n"); printf(" -q turn off debugging output\n");
} }
@ -651,6 +652,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
const char* cmd = NULL; const char* cmd = NULL;
const char* privKeyName = NULL; const char* privKeyName = NULL;
const char* keyList = NULL; const char* keyList = NULL;
const char* cipherList = NULL;
byte imExit = 0; byte imExit = 0;
byte listAlgos = 0; byte listAlgos = 0;
byte nonBlock = 0; byte nonBlock = 0;
@ -669,7 +671,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
(void)keepOpen; (void)keepOpen;
while ((ch = mygetopt(argc, argv, "?ac:h:i:j:p:tu:xzNP:RJ:A:XeEk:qK:")) != -1) { while ((ch = mygetopt(argc, argv, "?ac:C:h:i:j:p:tu:xzNP:RJ:A:XeEk:qK:")) != -1) {
switch (ch) { switch (ch) {
case 'h': case 'h':
host = myoptarg; host = myoptarg;
@ -750,6 +752,10 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
keyList = myoptarg; keyList = myoptarg;
break; break;
case 'C':
cipherList = myoptarg;
break;
#if !defined(SINGLE_THREADED) && !defined(WOLFSSL_NUCLEUS) #if !defined(SINGLE_THREADED) && !defined(WOLFSSL_NUCLEUS)
case 'c': case 'c':
cmd = myoptarg; cmd = myoptarg;
@ -841,6 +847,11 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
err_sys("Error setting key list.\n"); err_sys("Error setting key list.\n");
} }
} }
if (cipherList) {
if (wolfSSH_CTX_SetAlgoListCipher(ctx, cipherList) != WS_SUCCESS) {
err_sys("Error setting cipher list.\n");
}
}
if (((func_args*)args)->user_auth == NULL) if (((func_args*)args)->user_auth == NULL)
wolfSSH_SetUserAuth(ctx, ClientUserAuth); wolfSSH_SetUserAuth(ctx, ClientUserAuth);
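Review bot: The new `-C` usage line in ShowUsage() does not say that the list replaces the default cipher set, which after this commit appears to be the only way the example client will offer the soft-disabled AES-CBC names. I would spell that out, e.g. `printf(" -C set the list of encrypt algos (overrides defaults, can re-enable AES-CBC)\n");`. Whether `wolfSSH_CTX_SetAlgoListCipher()` validates the names is not visible here; if it only stores the pointer, a misspelled name would surface later as a failed key exchange rather than at the `err_sys("Error setting cipher list.\n")` check, so a short comment on the `if (cipherList)` block saying where validation happens would help. `client_test` starts and ends outside these hunks.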


@ -147,6 +147,11 @@ Flags:
WOLFSSH_NO_NISTP256_MLKEM768_SHA256 WOLFSSH_NO_NISTP256_MLKEM768_SHA256
Set when ML-KEM is disabled in wolfssl. Set to disable use of ECDHE with Set when ML-KEM is disabled in wolfssl. Set to disable use of ECDHE with
prime NISTP256 hybridized with post-quantum ML-KEM 768. prime NISTP256 hybridized with post-quantum ML-KEM 768.
WOLFSSH_NO_AES_CBC_SOFT_DISABLE
AES-CBC is normally soft-disabled. The default configuration will not
advertise the availability of AES-CBC algorithms during KEX. AES-CBC
algorithms still work. Setting this flag will advertise AES-CBC
algorithms during KEX by default.
WOLFSSH_NO_AES_CBC WOLFSSH_NO_AES_CBC
Set when AES or AES-CBC are disabled. Set to disable use of AES-CBC Set when AES or AES-CBC are disabled. Set to disable use of AES-CBC
encryption. encryption.
@ -803,7 +808,7 @@ static const char cannedEncAlgoNames[] =
"aes192-ctr," "aes192-ctr,"
"aes128-ctr," "aes128-ctr,"
#endif #endif
#if !defined(WOLFSSH_NO_AES_CBC) #if !defined(WOLFSSH_NO_AES_CBC) && defined(WOLFSSH_NO_AES_CBC_SOFT_DISABLE)
"aes256-cbc," "aes256-cbc,"
"aes192-cbc," "aes192-cbc,"
"aes128-cbc," "aes128-cbc,"
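Review bot: The `WOLFSSH_NO_AES_CBC_SOFT_DISABLE` comment says "AES-CBC algorithms still work" without stating the condition, and the changed `#if` suggests the names are only left out of the canned default list. I would reword the last two sentences along the lines of `AES-CBC stays compiled in and is offered only when the application sets a cipher list containing it at runtime.` (presumably true for both client and server roles, to be confirmed), and add one line on why CBC is off by default so integrators do not define the flag just to silence an interop failure. The name is a double negative (NO ... DISABLE) sitting next to `WOLFSSH_NO_AES_CBC`, so a sentence contrasting the two flags would reduce the chance of setting the wrong one. The `cannedEncAlgoNames` initializer continues outside the hunk.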


@ -163,6 +163,52 @@ static int tsClientUserAuth(byte authType, WS_UserAuthData* authData, void* ctx)
#define NUMARGS 12 #define NUMARGS 12
#define ARGLEN 32 #define ARGLEN 32
/*
* Macro: ADD_ARG
* Purpose: Adds a string argument to the argument list.
* Parameters:
* - argList: The array of argument strings.
* - argListCount: The current count of arguments in the list (modified
* by the macro).
* - arg: The string argument to add.
* Behavior:
* - Copies the string `arg` into the next available slot in `argList`.
* - Increments `argListCount` if the operation is successful.
* Constraints:
* - The total number of arguments must not exceed `NUMARGS`.
* - Each argument string must not exceed `ARGLEN` characters.
* Side effects:
* - Modifies `argList` and increments `argListCount`.
*/
#define ADD_ARG(argList,argListCount,arg) do { \
if ((argListCount) < NUMARGS) \
WSTRNCPY((argList)[(argListCount)++], (arg), ARGLEN); \
} while (0)
/*
* Macro: ADD_ARG_INT
* Purpose: Adds an integer argument to the argument list as a string.
* Parameters:
* - argList: The array of argument strings.
* - argListCount: The current count of arguments in the list (modified
* by the macro).
* - arg: The integer argument to add.
* Behavior:
* - Converts the integer `arg` to a string and stores it in the next
* available slot in `argList`.
* - Increments `argListCount` if the operation is successful.
* Constraints:
* - The total number of arguments must not exceed `NUMARGS`.
* - Each argument string must not exceed `ARGLEN` characters.
* Side effects:
* - Modifies `argList` and increments `argListCount`.
*/
#define ADD_ARG_INT(argList,argListCount,arg) do { \
if ((argListCount) < NUMARGS) \
WSNPRINTF((argList)[(argListCount)++], ARGLEN, "%d", (arg)); \
} while (0)
static int wolfSSH_wolfSSH_Group16_512(void) static int wolfSSH_wolfSSH_Group16_512(void)
{ {
tcp_ready ready; tcp_ready ready;
@ -175,7 +221,8 @@ static int wolfSSH_wolfSSH_Group16_512(void)
sA[10], sA[11] }; sA[10], sA[11] };
char cA[NUMARGS][ARGLEN]; char cA[NUMARGS][ARGLEN];
char *clientArgv[NUMARGS] = char *clientArgv[NUMARGS] =
{ cA[0], cA[1], cA[2], cA[3], cA[4] }; { cA[0], cA[1], cA[2], cA[3], cA[4], cA[5], cA[6], cA[7], cA[8], cA[9],
cA[10], cA[11] };
int serverArgc = 0; int serverArgc = 0;
int clientArgc = 0; int clientArgc = 0;
@ -202,19 +249,19 @@ static int wolfSSH_wolfSSH_Group16_512(void)
InitTcpReady(&ready); InitTcpReady(&ready);
WSTRNCPY(serverArgv[serverArgc++], "echoserver", ARGLEN); ADD_ARG(serverArgv, serverArgc, "echoserver");
WSTRNCPY(serverArgv[serverArgc++], "-1", ARGLEN); ADD_ARG(serverArgv, serverArgc, "-1");
WSTRNCPY(serverArgv[serverArgc++], "-f", ARGLEN); ADD_ARG(serverArgv, serverArgc, "-f");
#if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR) #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
WSTRNCPY(serverArgv[serverArgc++], "-p", ARGLEN); ADD_ARG(serverArgv, serverArgc, "-p");
WSTRNCPY(serverArgv[serverArgc++], "-0", ARGLEN); ADD_ARG(serverArgv, serverArgc, "-0");
#endif #endif
WSTRNCPY(serverArgv[serverArgc++], "-x", ARGLEN); ADD_ARG(serverArgv, serverArgc, "-x");
WSTRNCPY(serverArgv[serverArgc++], "diffie-hellman-group16-sha512", ARGLEN); ADD_ARG(serverArgv, serverArgc, "diffie-hellman-group16-sha512");
WSTRNCPY(serverArgv[serverArgc++], "-m", ARGLEN); ADD_ARG(serverArgv, serverArgc, "-m");
WSTRNCPY(serverArgv[serverArgc++], "hmac-sha2-512", ARGLEN); ADD_ARG(serverArgv, serverArgc, "hmac-sha2-512");
WSTRNCPY(serverArgv[serverArgc++], "-c", ARGLEN); ADD_ARG(serverArgv, serverArgc, "-c");
WSTRNCPY(serverArgv[serverArgc++], "aes256-cbc", ARGLEN); ADD_ARG(serverArgv, serverArgc, "aes256-cbc");
serverArgs.argc = serverArgc; serverArgs.argc = serverArgc;
serverArgs.argv = serverArgv; serverArgs.argv = serverArgv;
@ -224,12 +271,14 @@ static int wolfSSH_wolfSSH_Group16_512(void)
ThreadStart(echoserver_test, &serverArgs, &serverThread); ThreadStart(echoserver_test, &serverArgs, &serverThread);
WaitTcpReady(&ready); WaitTcpReady(&ready);
WSTRNCPY(cA[clientArgc++], "client", ARGLEN); ADD_ARG(clientArgv, clientArgc, "client");
WSTRNCPY(cA[clientArgc++], "-u", ARGLEN); ADD_ARG(clientArgv, clientArgc, "-u");
WSTRNCPY(cA[clientArgc++], "jill", ARGLEN); ADD_ARG(clientArgv, clientArgc, "jill");
ADD_ARG(clientArgv, clientArgc, "-C");
ADD_ARG(clientArgv, clientArgc, "aes256-cbc");
#if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR) #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
WSTRNCPY(cA[clientArgc++], "-p", ARGLEN); ADD_ARG(clientArgv, clientArgc, "-p");
WSNPRINTF(cA[clientArgc++], ARGLEN, "%d", ready.port); ADD_ARG_INT(clientArgv, clientArgc, ready.port);
#endif #endif
clientArgs.argc = clientArgc; clientArgs.argc = clientArgc;
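Review bot: `ADD_ARG` copies with `WSTRNCPY(..., ARGLEN)`, which (assuming it maps to strncpy) leaves the slot without a terminating NUL when `arg` is ARGLEN characters or longer, and the macro comment states the length limit without enforcing it. Using the same call as `ADD_ARG_INT` closes that gap: `WSNPRINTF((argList)[(argListCount)++], ARGLEN, "%s", (arg));`. Both macros also drop the argument silently once `NUMARGS` is reached, so a test could run with a shorter argv than intended (for example without the `-C aes256-cbc` pair) and pass or fail for the wrong reason; an `else` branch that fails the test would make that visible. The unbraced `if` inside the `do { } while (0)` is worth bracing as well. `wolfSSH_wolfSSH_Group16_512` continues outside the last hunk.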