All of lore.kernel.org
 help / color / mirror / Atom feed
From: Denis Kenzior <denkenz@gmail.com>
To: ell@lists.01.org
Subject: Re: [PATCH 8/9] tls: Allow user to set custom list of cipher suites
Date: Fri, 14 Dec 2018 10:33:27 -0600	[thread overview]
Message-ID: <d5908538-31fc-d089-d343-c7812a54442b@gmail.com> (raw)
In-Reply-To: <20181213195746.32144-8-andrew.zaborowski@intel.com>

[-- Attachment #1: Type: text/plain, Size: 2764 bytes --]

Hi Andrew,

On 12/13/2018 01:57 PM, Andrew Zaborowski wrote:
> TLS "security profiles" define which minimum cipher suites and other
> parameter values are allowed in a specific usage scenario for TLS, for
> example WPA3 in theory requires a specific security profile for its
> TLS-based EAP method.  This will also allow the unit tests to test
> individual cipher suites.

Do we want to expose this fine level of granularity in a public API 
though?  It would seem at least at WPA2 vs WPA3 level that a single 
SuiteB selector is all that is needed?

Unless you have a usecase in mind where one would really want to twiddle 
the preference order?

> ---
>   ell/ell.sym       |   1 +
>   ell/tls-private.h |   2 +
>   ell/tls.c         | 101 ++++++++++++++++++++++++++++++++++++++++++----
>   ell/tls.h         |   3 ++
>   4 files changed, 99 insertions(+), 8 deletions(-)
> 

<snip>

<snip>

> @@ -2790,6 +2836,45 @@ LIB_EXPORT void l_tls_set_version_range(struct l_tls *tls,
>   		max_version : TLS_MAX_VERSION;
>   }
>   
> +LIB_EXPORT void l_tls_set_cipher_suites(struct l_tls *tls,
> +					const char **suite_list)

void?  Don't we want to fail if nothing valid was passed?

And wouldn't / shouldn't l_tls_start() also fail in this case?

> +{
> +	unsigned int i, len;
> +	struct tls_cipher_suite **suite;
> +
> +	l_free(tls->cipher_suite_pref_list);
> +
> +	if (suite_list)
> +		len = l_strv_length((char **) suite_list);

I hate C and its char ** / const char ** thing.  Oh well :)

> +	else
> +		len = L_ARRAY_SIZE(tls_cipher_suite_pref);

You take note of len here, but then...

> +
> +	tls->cipher_suite_pref_list = l_new(struct tls_cipher_suite *, len + 1);
> +
> +	if (!suite_list) {
> +		/* Use our default cipher suite preference list */
> +		for (i = 0; i < L_ARRAY_SIZE(tls_cipher_suite_pref); i++)

use array_size here again.  Maybe a nitpick, but using len would be 
shorter anyway.

Another question is whether storing a bool default_cipher_pref : 1 
instead of doing all this magic dancing would be easier.

> +			tls->cipher_suite_pref_list[i] =
> +				&tls_cipher_suite_pref[i];
> +
> +		return;
> +	}
> +
> +	suite = tls->cipher_suite_pref_list;
> +
> +	for (; *suite_list; suite_list++) {
> +		for (i = 0; i < L_ARRAY_SIZE(tls_cipher_suite_pref); i++)
> +			if (!strcmp(tls_cipher_suite_pref[i].name, *suite_list))
> +				break;
> +
> +		if (i < L_ARRAY_SIZE(tls_cipher_suite_pref))
> +			*suite++ = &tls_cipher_suite_pref[i];
> +		else
> +			TLS_DEBUG("Cipher suite %s is not supported",
> +					*suite_list);
> +	}
> +}
> +
>   LIB_EXPORT const char *l_tls_alert_to_str(enum l_tls_alert_desc desc)
>   {
>   	switch (desc) {

Regards,
-Denis

  reply	other threads:[~2018-12-14 16:33 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-13 19:57 [PATCH 1/9] tls: Don't send Client Hello in l_tls_new Andrew Zaborowski
2018-12-13 19:57 ` [PATCH 2/9] unit: Call l_tls_start in tls tests Andrew Zaborowski
2018-12-13 19:57 ` [PATCH 3/9] tls: Add TLS version number printf macros Andrew Zaborowski
2018-12-14 15:53   ` Denis Kenzior
2018-12-14 18:48     ` Andrew Zaborowski
2018-12-13 19:57 ` [PATCH 4/9] tls: Implement l_tls_set_version_range Andrew Zaborowski
2018-12-14 15:55   ` Denis Kenzior
2018-12-13 19:57 ` [PATCH 5/9] unit: Test TLS 1.0, 1.1 and 1.2 Andrew Zaborowski
2018-12-13 19:57 ` [PATCH 6/9] unit: Move tls_cert_load_file to relevant unit tests Andrew Zaborowski
2018-12-14 16:01   ` Denis Kenzior
2018-12-13 19:57 ` [PATCH 7/9] tls, pem: Drop tls_cert_load_file, l_pem_load_certificate Andrew Zaborowski
2018-12-13 19:57 ` [PATCH 8/9] tls: Allow user to set custom list of cipher suites Andrew Zaborowski
2018-12-14 16:33   ` Denis Kenzior [this message]
2018-12-14 19:12     ` Andrew Zaborowski
2018-12-14 19:28       ` Denis Kenzior
2018-12-14 19:49         ` Andrew Zaborowski
2018-12-14 19:57           ` Denis Kenzior
2018-12-13 19:57 ` [PATCH 9/9] unit: Test many TLS cipher suite and version combinations Andrew Zaborowski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d5908538-31fc-d089-d343-c7812a54442b@gmail.com \
    --to=denkenz@gmail.com \
    --cc=ell@lists.01.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.