Revert "config: Remove explicit ciphersuite lists" This reverts commit 7242ea688a9c7b1702dd41a026e921a696a5e0e2.

commit: db7d5f024d63fd0df8a5772e9eab947e21ce79c0 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Wed Feb 26 18:25:11 2020 +0100
committer: Gilles Peskine <Gilles.Peskine@arm.com> Wed Mar 04 15:39:14 2020 +0100
tree: 5699a98b38238a595c9cbb525af41a87a5cd1ed6
parent: 40f17dc8039efde68561dca1f4ba1906b1bf1cb7 [diff] [blame]
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 585d087..a728a31 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h

@@ -648,8 +648,26 @@
  * Warning: Only do so when you know what you are doing. This allows for
  * encryption or channels without any security!
  *
- * This module is required to support the TLS ciphersuites that use the NULL
- * cipher.
+ * This module is required to support the following ciphersuites in TLS:
+ *      TLS_ECDH_ECDSA_WITH_NULL_SHA
+ *      TLS_ECDH_RSA_WITH_NULL_SHA
+ *      TLS_ECDHE_ECDSA_WITH_NULL_SHA
+ *      TLS_ECDHE_RSA_WITH_NULL_SHA
+ *      TLS_ECDHE_PSK_WITH_NULL_SHA384
+ *      TLS_ECDHE_PSK_WITH_NULL_SHA256
+ *      TLS_ECDHE_PSK_WITH_NULL_SHA
+ *      TLS_DHE_PSK_WITH_NULL_SHA384
+ *      TLS_DHE_PSK_WITH_NULL_SHA256
+ *      TLS_DHE_PSK_WITH_NULL_SHA
+ *      TLS_RSA_WITH_NULL_SHA256
+ *      TLS_RSA_WITH_NULL_SHA
+ *      TLS_RSA_WITH_NULL_MD5
+ *      TLS_RSA_PSK_WITH_NULL_SHA384
+ *      TLS_RSA_PSK_WITH_NULL_SHA256
+ *      TLS_RSA_PSK_WITH_NULL_SHA
+ *      TLS_PSK_WITH_NULL_SHA384
+ *      TLS_PSK_WITH_NULL_SHA256
+ *      TLS_PSK_WITH_NULL_SHA
  *
  * Uncomment this macro to enable the NULL cipher
  */
@@ -1140,8 +1158,65 @@
  *          library/pem.c
  *          library/ctr_drbg.c
  *
- * This module is required to support the TLS ciphersuites that use the AES
- * cipher.
+ * This module is required to support the following ciphersuites in TLS:
+ *      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ *      TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ *      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ *      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ *      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+ *      TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+ *      TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+ *      TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+ *      TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+ *      TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ *      TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+ *      TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ *      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ *      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ *      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ *      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ *      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ *      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ *      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ *      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ *      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ *      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ *      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ *      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ *      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ *      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ *      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ *      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ *      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ *      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ *      TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+ *      TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ *      TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+ *      TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ *      TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+ *      TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+ *      TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ *      TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+ *      TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ *      TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+ *      TLS_RSA_WITH_AES_256_GCM_SHA384
+ *      TLS_RSA_WITH_AES_256_CBC_SHA256
+ *      TLS_RSA_WITH_AES_256_CBC_SHA
+ *      TLS_RSA_WITH_AES_128_GCM_SHA256
+ *      TLS_RSA_WITH_AES_128_CBC_SHA256
+ *      TLS_RSA_WITH_AES_128_CBC_SHA
+ *      TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+ *      TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+ *      TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+ *      TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+ *      TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+ *      TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+ *      TLS_PSK_WITH_AES_256_GCM_SHA384
+ *      TLS_PSK_WITH_AES_256_CBC_SHA384
+ *      TLS_PSK_WITH_AES_256_CBC_SHA
+ *      TLS_PSK_WITH_AES_128_GCM_SHA256
+ *      TLS_PSK_WITH_AES_128_CBC_SHA256
+ *      TLS_PSK_WITH_AES_128_CBC_SHA
  *
  * PEM_PARSE uses AES for decrypting encrypted keys.
  */
@@ -1155,8 +1230,17 @@
  * Module:  library/arc4.c
  * Caller:  library/cipher.c
  *
- * This module is required to support the TLS ciphersuites that use the ARC4
- * cipher.
+ * This module is required to support the following ciphersuites in TLS:
+ *      TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ *      TLS_ECDH_RSA_WITH_RC4_128_SHA
+ *      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ *      TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ *      TLS_ECDHE_PSK_WITH_RC4_128_SHA
+ *      TLS_DHE_PSK_WITH_RC4_128_SHA
+ *      TLS_RSA_WITH_RC4_128_SHA
+ *      TLS_RSA_WITH_RC4_128_MD5
+ *      TLS_RSA_PSK_WITH_RC4_128_SHA
+ *      TLS_PSK_WITH_RC4_128_SHA
  *
  * \warning   ARC4 is considered a weak cipher and its use constitutes a
  *            security risk. If possible, we recommend avoidng dependencies on
@@ -1234,8 +1318,49 @@
  * Module:  library/camellia.c
  * Caller:  library/cipher.c
  *
- * This module is required to support the TLS ciphersuites that use the
- * Camellia cipher.
+ * This module is required to support the following ciphersuites in TLS:
+ *      TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  */
 #define MBEDTLS_CAMELLIA_C
 
@@ -1247,8 +1372,45 @@
  * Module:  library/aria.c
  * Caller:  library/cipher.c
  *
- * This module is required to support the TLS ciphersuites that use the
- * ARIA cipher.
+ * This module is required to support the following ciphersuites in TLS:
+ *      TLS_RSA_WITH_ARIA_128_CBC_SHA256
+ *      TLS_RSA_WITH_ARIA_256_CBC_SHA384
+ *      TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
+ *      TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
+ *      TLS_RSA_WITH_ARIA_128_GCM_SHA256
+ *      TLS_RSA_WITH_ARIA_256_GCM_SHA384
+ *      TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
+ *      TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
+ *      TLS_PSK_WITH_ARIA_128_CBC_SHA256
+ *      TLS_PSK_WITH_ARIA_256_CBC_SHA384
+ *      TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
+ *      TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
+ *      TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
+ *      TLS_PSK_WITH_ARIA_128_GCM_SHA256
+ *      TLS_PSK_WITH_ARIA_256_GCM_SHA384
+ *      TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
+ *      TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
+ *      TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
+ *      TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
+ *      TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
  */
 //#define MBEDTLS_ARIA_C
 
@@ -1338,8 +1500,17 @@
  * Caller:  library/pem.c
  *          library/cipher.c
  *
- * This module is required to support the TLS ciphersuites that use the DES
- * cipher.
+ * This module is required to support the following ciphersuites in TLS:
+ *      TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ *      TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ *      TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+ *      TLS_PSK_WITH_3DES_EDE_CBC_SHA
  *
  * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
  *
@@ -1464,7 +1635,8 @@
  *
  * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C
  *
- * This module is required to support the TLS ciphersuites that use GCM.
+ * This module is required to support AES-GCM and CAMELLIA-GCM ciphersuites in
+ * TLS.
  */
 #define MBEDTLS_GCM_C
commit	db7d5f024d63fd0df8a5772e9eab947e21ce79c0	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Wed Feb 26 18:25:11 2020 +0100
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Wed Mar 04 15:39:14 2020 +0100
tree	5699a98b38238a595c9cbb525af41a87a5cd1ed6
parent	40f17dc8039efde68561dca1f4ba1906b1bf1cb7 [diff] [blame]