[git commit] tls: add a comment on expanding list of supported ciphers

Denys Vlasenko vda.linux at googlemail.com
Sun Nov 25 16:27:48 UTC 2018 

commit: https://git.busybox.net/busybox/commit/?id=330d7f53f7890c0fbafa5b4769ce4ef23e734659
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 networking/tls.c | 37 ++++++++++++++++++++++++++++++-------
 1 file changed, 30 insertions(+), 7 deletions(-)

diff --git a/networking/tls.c b/networking/tls.c
index 9833a0adb..e64e84fcd 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -50,17 +50,39 @@
 //  ok:   openssl s_client -connect cdn.kernel.org:443 -debug -tls1_2 -no_tls1 -no_tls1_1 -cipher AES128-GCM-SHA256
 //  ok:   openssl s_client -connect cdn.kernel.org:443 -debug -tls1_2 -no_tls1 -no_tls1_1 -cipher AES128-SHA
 //        (TLS_RSA_WITH_AES_128_CBC_SHA - in TLS 1.2 it's mandated to be always supported)
-#define CIPHER_ID1  TLS_RSA_WITH_AES_256_CBC_SHA256 // no SERVER_KEY_EXCHANGE from peer
+#define CIPHER_ID1  TLS_RSA_WITH_AES_256_CBC_SHA256 //0x003D
 // Works with "wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.9.5.tar.xz"
-#define CIPHER_ID2  TLS_RSA_WITH_AES_128_CBC_SHA
+#define CIPHER_ID2  TLS_RSA_WITH_AES_128_CBC_SHA    //0x003C
 
 // bug #11456:
 // ftp.openbsd.org only supports ECDHE-RSA-AESnnn-GCM-SHAnnn or ECDHE-RSA-CHACHA20-POLY1305
-#define CIPHER_ID3  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+#define CIPHER_ID3  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 //0xC02F
 // host is.gd accepts only ECDHE-ECDSA-foo (the simplest which works: ECDHE-ECDSA-AES128-SHA 0xC009)
-#define CIPHER_ID4  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+#define CIPHER_ID4  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  //0xC009
 
 #define NUM_CIPHERS 4
+//TODO: we can support all these:
+//  TLS_RSA_WITH_AES_128_CBC_SHA256         0x003C
+//  TLS_RSA_WITH_AES_256_CBC_SHA256         0x003D
+//  TLS_RSA_WITH_AES_128_GCM_SHA256         0x009C
+//  TLS_RSA_WITH_AES_256_GCM_SHA384         0x009D
+//  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    0xC009
+//  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    0xC00A
+//  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      0xC013
+//  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      0xC014
+//  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
+////TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 - can't do SHA384 yet
+//  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   0xC027
+////TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   0xC028 - can't do SHA384 yet
+//  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
+//  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
+//  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xC02F
+//  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   0xC030
+//possibly these too:
+//  TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA      0xC035
+//  TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA      0xC036
+//  TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256   0xC037
+////TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384   0xC038 - can't do SHA384 yet
 
 
 #define TLS_DEBUG      0
@@ -142,6 +164,10 @@
 #define TLS_DHE_PSK_WITH_AES_128_CBC_SHA        0x0090  /* 144 */
 #define TLS_DHE_PSK_WITH_AES_256_CBC_SHA        0x0091  /* 145 */
 #define TLS_RSA_WITH_SEED_CBC_SHA               0x0096  /* 150 */
+#define TLS_RSA_WITH_AES_128_GCM_SHA256         0x009C  /*TLSv1.2 Kx=RSA   Au=RSA   Enc=AESGCM(128) Mac=AEAD */
+#define TLS_RSA_WITH_AES_256_GCM_SHA384         0x009D  /*TLSv1.2 Kx=RSA   Au=RSA   Enc=AESGCM(256) Mac=AEAD */
+#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     0x009E  /*TLSv1.2 Kx=DH    Au=RSA   Enc=AESGCM(128) Mac=AEAD */
+#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     0x009F  /*TLSv1.2 Kx=DH    Au=RSA   Enc=AESGCM(256) Mac=AEAD */
 #define TLS_PSK_WITH_AES_128_CBC_SHA256         0x00AE  /* 174 */
 #define TLS_PSK_WITH_AES_256_CBC_SHA384         0x00AF  /* 175 */
 #define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA     0xC004  /* 49156 */
@@ -161,10 +187,7 @@
 #define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   0xC028  /*TLSv1.2 Kx=ECDH  Au=RSA   Enc=AES(256) Mac=SHA384 */
 #define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256    0xC029  /* 49193 */
 #define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384    0xC02A  /* 49194 */
-
 /* RFC 5288 "AES Galois Counter Mode (GCM) Cipher Suites for TLS" */
-#define TLS_RSA_WITH_AES_128_GCM_SHA256         0x009C  /*TLSv1.2 Kx=RSA   Au=RSA   Enc=AESGCM(128) Mac=AEAD */
-#define TLS_RSA_WITH_AES_256_GCM_SHA384         0x009D  /*TLSv1.2 Kx=RSA   Au=RSA   Enc=AESGCM(256) Mac=AEAD */
 #define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B  /*TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AESGCM(128) Mac=AEAD */
 #define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C  /*TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AESGCM(256) Mac=AEAD */
 #define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256  0xC02D  /* 49197 */

More information about the busybox-cvs mailing list