From 0f650789dec31853e720369a6d5d4727af55f37e Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Fri, 16 May 2025 11:41:52 -0500
Subject: [PATCH] Soft Disable AES-CBC

1. By default, soft disable AES-CBC. It isn't offered as a default encrypt algorithm, but may be set at runtime.
2. Add guard where AES-CBC can be added back as a default.
3. Add option to example client to run it with a custom encrypt algorithm list.
4. In the client, add macro to add items to the arg lists while checking the number of items in the list.
---
 examples/client/client.c | 15 +++++++-
 src/internal.c           |  7 +++-
 tests/kex.c              | 83 ++++++++++++++++++++++++++++++++--------
 3 files changed, 85 insertions(+), 20 deletions(-)

diff --git a/examples/client/client.c b/examples/client/client.c
index 1329de39..e27305f7 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -126,7 +126,8 @@ static void ShowUsage(void)
     printf(" -X Ignore IP checks on peer vs peer certificate\n");
 #endif
     printf(" -E List all possible algos\n");
-    printf(" -k set the list of key algos to use\n");
+    printf(" -k set the list of key algos\n");
+    printf(" -C set the list of encrypt algos\n");
     printf(" -q turn off debugging output\n");
 }
 
@@ -651,6 +652,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
     const char* cmd = NULL;
     const char* privKeyName = NULL;
     const char* keyList = NULL;
+    const char* cipherList = NULL;
     byte imExit = 0;
     byte listAlgos = 0;
     byte nonBlock = 0;
@@ -669,7 +671,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
 
     (void)keepOpen;
 
-    while ((ch = mygetopt(argc, argv, "?ac:h:i:j:p:tu:xzNP:RJ:A:XeEk:qK:")) != -1) {
+    while ((ch = mygetopt(argc, argv, "?ac:C:h:i:j:p:tu:xzNP:RJ:A:XeEk:qK:")) != -1) {
         switch (ch) {
             case 'h':
                 host = myoptarg;
@@ -750,6 +752,10 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
                 keyList = myoptarg;
                 break;
 
+            case 'C':
+                cipherList = myoptarg;
+                break;
+
 #if !defined(SINGLE_THREADED) && !defined(WOLFSSL_NUCLEUS)
             case 'c':
                 cmd = myoptarg;
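Review bot: The new `-C` usage line in ShowUsage does not say that the list presumably replaces the built-in default or where the accepted names come from, so a reader of the help text cannot tell that `-C` is now the only way to get a soft-disabled cipher such as aes256-cbc advertised by this client. Suggest `printf(" -C set the list of encrypt algos (replaces the default; -E lists names)\n");`. The list is handed unchanged to wolfSSH_CTX_SetAlgoListCipher in the later hunk at line 847, which is the right place for the validation, so the usage text only needs to point the user at the explicit opt-in. ShowUsage begins outside this hunk.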
@@ -841,6 +847,11 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
             err_sys("Error setting key list.\n");
         }
     }
+    if (cipherList) {
+        if (wolfSSH_CTX_SetAlgoListCipher(ctx, cipherList) != WS_SUCCESS) {
+            err_sys("Error setting cipher list.\n");
+        }
+    }
 
     if (((func_args*)args)->user_auth == NULL)
         wolfSSH_SetUserAuth(ctx, ClientUserAuth);
diff --git a/src/internal.c b/src/internal.c
index e1a042e4..c75a8452 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -147,6 +147,11 @@ Flags:
     WOLFSSH_NO_NISTP256_MLKEM768_SHA256
         Set when ML-KEM is disabled in wolfssl. Set to disable use of ECDHE
         with prime NISTP256 hybridized with post-quantum ML-KEM 768.
+    WOLFSSH_NO_AES_CBC_SOFT_DISABLE
+        AES-CBC is normally soft-disabled. The default configuration will not
+        advertise the availability of AES-CBC algorithms during KEX. AES-CBC
+        algorithms still work. Setting this flag will advertise AES-CBC
+        algorithms during KEX by default.
     WOLFSSH_NO_AES_CBC
         Set when AES or AES-CBC are disabled. Set to disable use of AES-CBC
         encryption.
@@ -803,7 +808,7 @@ static const char cannedEncAlgoNames[] =
     "aes192-ctr,"
     "aes128-ctr,"
 #endif
-#if !defined(WOLFSSH_NO_AES_CBC)
+#if !defined(WOLFSSH_NO_AES_CBC) && defined(WOLFSSH_NO_AES_CBC_SOFT_DISABLE)
     "aes256-cbc,"
     "aes192-cbc,"
     "aes128-cbc,"
diff --git a/tests/kex.c b/tests/kex.c
index d511db48..02f9837f 100644
--- a/tests/kex.c
+++ b/tests/kex.c
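Review bot: The new WOLFSSH_NO_AES_CBC_SOFT_DISABLE entry in the Flags: comment says what the flag does but not why AES-CBC is soft-disabled, so nothing in the text discourages a future build from simply defining it. Suggest adding a sentence such as `CBC-mode ciphers are left out of the default offer because of the published plaintext-recovery attacks on SSH's CBC packet format; CTR and GCM modes are preferred.` and noting that the runtime route to use them is wolfSSH_CTX_SetAlgoListCipher (wired to the client's new -C option in this patch). The name is also a double negative, since defining NO_..._SOFT_DISABLE enables the advertisement, which the guard in the hunk at line 808 (`#if !defined(WOLFSSH_NO_AES_CBC) && defined(WOLFSSH_NO_AES_CBC_SOFT_DISABLE)`) makes visible; if the name is kept for consistency with the other WOLFSSH_NO_* flags, the comment should state explicitly that defining it restores the pre-patch default list. The Flags: comment block continues outside this hunk.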
@@ -163,6 +163,52 @@ static int tsClientUserAuth(byte authType, WS_UserAuthData* authData, void* ctx)
 #define NUMARGS 12
 #define ARGLEN 32
 
+/*
+ * Macro: ADD_ARG
+ * Purpose: Adds a string argument to the argument list.
+ * Parameters:
+ *   - argList: The array of argument strings.
+ *   - argListCount: The current count of arguments in the list (modified
+ *     by the macro).
+ *   - arg: The string argument to add.
+ * Behavior:
+ *   - Copies the string `arg` into the next available slot in `argList`.
+ *   - Increments `argListCount` if the operation is successful.
+ * Constraints:
+ *   - The total number of arguments must not exceed `NUMARGS`.
+ *   - Each argument string must not exceed `ARGLEN` characters.
+ * Side effects:
+ *   - Modifies `argList` and increments `argListCount`.
+ */
+#define ADD_ARG(argList,argListCount,arg) do { \
+    if ((argListCount) < NUMARGS) \
+        WSTRNCPY((argList)[(argListCount)++], (arg), ARGLEN); \
+} while (0)
+
+/*
+ * Macro: ADD_ARG_INT
+ * Purpose: Adds an integer argument to the argument list as a string.
+ * Parameters:
+ *   - argList: The array of argument strings.
+ *   - argListCount: The current count of arguments in the list (modified
+ *     by the macro).
+ *   - arg: The integer argument to add.
+ * Behavior:
+ *   - Converts the integer `arg` to a string and stores it in the next
+ *     available slot in `argList`.
+ *   - Increments `argListCount` if the operation is successful.
+ * Constraints:
+ *   - The total number of arguments must not exceed `NUMARGS`.
+ *   - Each argument string must not exceed `ARGLEN` characters.
+ * Side effects:
+ *   - Modifies `argList` and increments `argListCount`.
+ */
+#define ADD_ARG_INT(argList,argListCount,arg) do { \
+    if ((argListCount) < NUMARGS) \
+        WSNPRINTF((argList)[(argListCount)++], ARGLEN, "%d", (arg)); \
+} while (0)
+
+
 static int wolfSSH_wolfSSH_Group16_512(void)
 {
     tcp_ready ready;
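Review bot: ADD_ARG silently drops an argument once argListCount reaches NUMARGS, so a test that overflows the list runs the client or echoserver with a truncated command line instead of failing, and the comment's `Increments argListCount if the operation is successful` overstates what is checked, since only the count bound is tested, never the copy. If WSTRNCPY maps to strncpy as its name suggests, an argument of ARGLEN or more characters is also stored without a terminator, so the constraint `Each argument string must not exceed ARGLEN characters` should read `Each argument string must be shorter than ARGLEN characters (room for the terminator)`. Suggest terminating the slot explicitly and reporting a dropped argument with whatever output routine this file already uses; ADD_ARG_INT has the same silent-drop path, though WSNPRINTF already terminates.
```c
#define ADD_ARG(argList,argListCount,arg) do { \
    if ((argListCount) < NUMARGS) { \
        WSTRNCPY((argList)[(argListCount)], (arg), ARGLEN); \
        (argList)[(argListCount)][ARGLEN - 1] = '\0'; /* strncpy may not terminate */ \
        (argListCount)++; \
    } \
    else { \
        /* list full: make it visible rather than run with a truncated argv */ \
        printf("ADD_ARG: dropped \"%s\" (NUMARGS exceeded)\n", (arg)); \
    } \
} while (0)
/* … unchanged: ADD_ARG_INT (apply the same full-list report) … */
```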
@@ -175,7 +221,8 @@ static int wolfSSH_wolfSSH_Group16_512(void)
           sA[10], sA[11] };
     char cA[NUMARGS][ARGLEN];
     char *clientArgv[NUMARGS] =
-        { cA[0], cA[1], cA[2], cA[3], cA[4] };
+        { cA[0], cA[1], cA[2], cA[3], cA[4], cA[5], cA[6], cA[7], cA[8], cA[9],
+          cA[10], cA[11] };
     int serverArgc = 0;
     int clientArgc = 0;
 
@@ -202,19 +249,19 @@ static int wolfSSH_wolfSSH_Group16_512(void)
 
     InitTcpReady(&ready);
 
-    WSTRNCPY(serverArgv[serverArgc++], "echoserver", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-1", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-f", ARGLEN);
+    ADD_ARG(serverArgv, serverArgc, "echoserver");
+    ADD_ARG(serverArgv, serverArgc, "-1");
+    ADD_ARG(serverArgv, serverArgc, "-f");
 #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
-    WSTRNCPY(serverArgv[serverArgc++], "-p", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-0", ARGLEN);
+    ADD_ARG(serverArgv, serverArgc, "-p");
+    ADD_ARG(serverArgv, serverArgc, "-0");
 #endif
-    WSTRNCPY(serverArgv[serverArgc++], "-x", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "diffie-hellman-group16-sha512", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-m", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "hmac-sha2-512", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-c", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "aes256-cbc", ARGLEN);
+    ADD_ARG(serverArgv, serverArgc, "-x");
+    ADD_ARG(serverArgv, serverArgc, "diffie-hellman-group16-sha512");
+    ADD_ARG(serverArgv, serverArgc, "-m");
+    ADD_ARG(serverArgv, serverArgc, "hmac-sha2-512");
+    ADD_ARG(serverArgv, serverArgc, "-c");
+    ADD_ARG(serverArgv, serverArgc, "aes256-cbc");
 
     serverArgs.argc = serverArgc;
     serverArgs.argv = serverArgv;
@@ -224,12 +271,14 @@ static int wolfSSH_wolfSSH_Group16_512(void)
     ThreadStart(echoserver_test, &serverArgs, &serverThread);
     WaitTcpReady(&ready);
 
-    WSTRNCPY(cA[clientArgc++], "client", ARGLEN);
-    WSTRNCPY(cA[clientArgc++], "-u", ARGLEN);
-    WSTRNCPY(cA[clientArgc++], "jill", ARGLEN);
+    ADD_ARG(clientArgv, clientArgc, "client");
+    ADD_ARG(clientArgv, clientArgc, "-u");
+    ADD_ARG(clientArgv, clientArgc, "jill");
+    ADD_ARG(clientArgv, clientArgc, "-C");
+    ADD_ARG(clientArgv, clientArgc, "aes256-cbc");
 #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
-    WSTRNCPY(cA[clientArgc++], "-p", ARGLEN);
-    WSNPRINTF(cA[clientArgc++], ARGLEN, "%d", ready.port);
+    ADD_ARG(clientArgv, clientArgc, "-p");
+    ADD_ARG_INT(clientArgv, clientArgc, ready.port);
 #endif
 
     clientArgs.argc = clientArgc;