|
|
|
@ -364,24 +364,34 @@ TLSConfiguration_create()
|
|
|
|
|
if (self->ciphersuites)
|
|
|
|
|
{
|
|
|
|
|
self->maxCiphersuites = 20;
|
|
|
|
|
int cipherIndex = 0;
|
|
|
|
|
|
|
|
|
|
/* TLS 1.2 cipher suites */
|
|
|
|
|
|
|
|
|
|
/* mandatory cipher suites by IEC 62351-4:2018 */
|
|
|
|
|
self->ciphersuites[0] = MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256;
|
|
|
|
|
/* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_GCM_SHA256; */ /* weak - not supported? */
|
|
|
|
|
self->ciphersuites[1] = MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
|
|
|
|
|
self->ciphersuites[2] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256;
|
|
|
|
|
/* self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_GCM_SHA256; */ /* weak - not supported? */
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
|
|
|
|
|
|
|
|
|
|
/* recommended cipher suites by IEC 62351-4:2018 */
|
|
|
|
|
|
|
|
|
|
/* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_CBC_SHA256; */ /* weak - not supported?*/
|
|
|
|
|
/* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_256_GCM_SHA384; */ /* not supported?*/
|
|
|
|
|
self->ciphersuites[3] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
|
|
|
|
|
self->ciphersuites[4] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
|
|
|
|
|
self->ciphersuites[5] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
|
|
|
|
|
/* self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_CBC_SHA256; */ /* weak - not supported?*/
|
|
|
|
|
/* self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_DH_RSA_WITH_AES_256_GCM_SHA384; */ /* not supported?*/
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
|
|
|
|
|
|
|
|
|
|
/* additional ciphersuites */
|
|
|
|
|
self->ciphersuites[6] = MBEDTLS_TLS_RSA_WITH_NULL_SHA256;
|
|
|
|
|
self->ciphersuites[7] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_RSA_WITH_NULL_SHA256;
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
|
|
|
|
|
|
|
|
|
|
/* TLS 1.3 cipher suites */
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_AES_128_GCM_SHA256; /* mandatory according IEC 62351-3:2023 */
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_AES_256_GCM_SHA384; /* mandatory according IEC 62351-3:2023 */
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256; /* optional according IEC 62351-3:2023 */
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_AES_128_CCM_SHA256; /* mandatory according IEC 62351-3:2023 */
|
|
|
|
|
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256 ; /* optional according IEC 62351-3:2023 */
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
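Review bot: The rewritten default list still appends `MBEDTLS_TLS_RSA_WITH_NULL_SHA256` under "additional ciphersuites", so a configuration that never sets its own suites can end up with a session that is authenticated but not encrypted. I would take it out of the defaults and make it opt-in, with a comment such as `/* integrity only, no confidentiality - enable explicitly */`. The list also opens with `MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256`, so if list order is the preference order, a static-RSA CBC suite without forward secrecy outranks the ECDHE/GCM and TLS 1.3 entries; the +/- markers are lost on this page, so I am reading the `cipherIndex++` lines as the new side. Now that the index is computed, the block should finish with `self->ciphersuites[cipherIndex] = 0;` and a check that `cipherIndex < self->maxCiphersuites`, unless the allocation earlier in TLSConfiguration_create (which starts above this hunk) already guarantees a zero terminator and enough room. `MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` and `MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` are each stored twice, which is harmless but spends two of the 20 slots.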
@ -609,6 +619,8 @@ TLSConfiguration_setRenegotiationTime(TLSConfiguration self, int timeInMs)
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
TLSConfiguration_destroy(TLSConfiguration self)
|
|
|
|
|
{
|
|
|
|
|
if (self)
|
|
|
|
|
{
|
|
|
|
|
if (self->useSessionResumption)
|
|
|
|
|
{
|
|
|
|
@ -647,6 +659,8 @@ TLSConfiguration_destroy(TLSConfiguration self)
|
|
|
|
|
|
|
|
|
|
LinkedList_destroy(self->allowedCertificates);
|
|
|
|
|
|
|
|
|
|
GLOBAL_FREEMEM(self->ciphersuites);
|
|
|
|
|
|
|
|
|
|
psaInitCounter--;
|
|
|
|
|
|
|
|
|
|
if (psaInitCounter < 1)
|
|
|
|
@ -654,6 +668,7 @@ TLSConfiguration_destroy(TLSConfiguration self)
|
|
|
|
|
|
|
|
|
|
GLOBAL_FREEMEM(self);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
createSecurityEvents(TLSConfiguration config, int ret, uint32_t flags, TLSSocket socket)
|
|
|
|
|