Cipher List Configuration #661
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1. Restore SHA-1 as enabled by default. 2. Introduce a "soft disable" for SHA-1 algorithms. SHA-1 is allowed to be used, but the default configuration will not advertise it as available in the KEX.
1. Add APIs for setting the algorithm lists used in the KEX initization messages. 2. Add API to check if a specified algorithm name is available. 3. Add APIs to list available algorithms. 4. Add algorithm lists to the WOLFSSH_CTX and WOLFSSH structures. 5. Added a local function to fetch algorithm strings based on their type and an index. 6. Added starter tests for the algorithm functions. 7. Move the canned algorithm list strings before CtxInit() so they may be used for default lists in the WOLFSSH_CTX. 8. Carry over the algorithm name lists from WOLFSSH_CTX to WOLFSSH. 9. Remove dead code. 10. Add parameter names to a few function prototypes.
1. Using the configurable list from the WOLFSSH for setting the cipher list and the MAC list. 2. Removed the ID lists for the cipher list and MAC list used in DoKextInit(). 3. Changing DoKexInit() to use the configurable cipher and MAC lists.
1. Using the configurable list from the WOLFSSH for setting the KEX algorithm list. 2. Removed the ID lists for the KEX algorithm list used in DoKexInit(). 3. Changing DoKexInit() to use the configurable KEX list.
1. Fix using the MAC algorithm list from the WOLFSSH object when matching the peer's algorithm. 2. Fix polarity checking WOLFSSH_NO_SHA1_SOFT_DISABLE. 3. Remove some redundant size constants. Use strlen(). 4. Rearrange the canned key algorithm names, add the missing items, and add guards. 5. Whitespace.
1. Change SendKexInit() to send the configured Key algorithm list or the default list if a client or server with a list set. If the server doesn't have a list set, use the list from adding the keys. 2. Add the soft disable macro around setting ssh-rsa to the list of public key types in the server. 3. Change DoKexInit() to use the appropriate key algorithm list for decoding and matching the peer's list. 4. Whitespace. 5. Rearrange the new functions and prototypes in a different order.
1. Add new list for the public key algorithms the server can verify from the client for user authentication. 2. Add accessors for the key allowed list.
1. Add API test.
1. The wrapper for the pragma PRAGMA_GCC_DIAG_PUSH and its friends are not set up to be used like a function. Remove the semicolons after their usage. (Clang doesn't care, but MSVC does.)
JacobBarthelmeh
requested changes
Mar 4, 2024
Merged
JacobBarthelmeh
approved these changes
Mar 4, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
(ZD 17568, Issue Runtime configurability of key signature algorithms for KEX #659)