From 530f8e24b03bcaffd25766f3008c805a7f07ab6e Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Mon, 11 Nov 2024 13:47:26 +0000 Subject: [PATCH] Restore a few DHE_RSA ciphers --- tls/Network/TLS/Extra/Cipher.hs | 52 +++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/tls/Network/TLS/Extra/Cipher.hs b/tls/Network/TLS/Extra/Cipher.hs index 33ba10011..13d3f729b 100644 --- a/tls/Network/TLS/Extra/Cipher.hs +++ b/tls/Network/TLS/Extra/Cipher.hs @@ -6,8 +6,12 @@ module Network.TLS.Extra.Cipher ( ciphersuite_all_det, ciphersuite_strong, ciphersuite_strong_det, + ciphersuite_dhe_rsa, -- * individual ciphers + cipher_DHE_RSA_AES128GCM_SHA256, + cipher_DHE_RSA_AES256GCM_SHA384, + cipher_DHE_RSA_CHACHA20POLY1305_SHA256, cipher_ECDHE_RSA_AES128GCM_SHA256, cipher_ECDHE_RSA_AES256GCM_SHA384, cipher_ECDHE_RSA_CHACHA20POLY1305_SHA256, @@ -270,6 +274,15 @@ sets_strong = [cipher_TLS13_AES128CCM_SHA256] ] +-- | DHE-RSA cipher suite. This only includes ciphers bound specifically to +-- DHE-RSA so TLS 1.3 ciphers must be added separately. +ciphersuite_dhe_rsa :: [Cipher] +ciphersuite_dhe_rsa = + [ cipher_DHE_RSA_AES256GCM_SHA384 + , cipher_DHE_RSA_CHACHA20POLY1305_SHA256 + , cipher_DHE_RSA_AES128GCM_SHA256 + ] + ---------------------------------------------------------------- bulk_aes128ccm :: Bulk @@ -374,6 +387,33 @@ bulk_aes128ccm8_13 = bulk_aes128ccm8{bulkIVSize = 12, bulkExplicitIV = 0} -- A list of cipher suite is found from: -- https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 +---------------------------------------------------------------- +-- RFC 5288 + +cipher_DHE_RSA_AES128GCM_SHA256 :: Cipher +cipher_DHE_RSA_AES128GCM_SHA256 = + Cipher + { cipherID = 0x009E + , cipherName = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" + , cipherBulk = bulk_aes128gcm + , cipherHash = SHA256 + , cipherPRFHash = Just SHA256 + , cipherKeyExchange = CipherKeyExchange_DHE_RSA + , cipherMinVer = Just TLS12 -- RFC 5288 Sec 4 + } + +cipher_DHE_RSA_AES256GCM_SHA384 :: Cipher +cipher_DHE_RSA_AES256GCM_SHA384 = + Cipher + { cipherID = 0x009F + , cipherName = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" + , cipherBulk = bulk_aes256gcm + , cipherHash = SHA384 + , cipherPRFHash = Just SHA384 + , cipherKeyExchange = CipherKeyExchange_DHE_RSA + , cipherMinVer = Just TLS12 + } + ---------------------------------------------------------------- -- RFC 8446 @@ -565,3 +605,15 @@ cipher_ECDHE_ECDSA_CHACHA20POLY1305_SHA256 = , cipherKeyExchange = CipherKeyExchange_ECDHE_ECDSA , cipherMinVer = Just TLS12 } + +cipher_DHE_RSA_CHACHA20POLY1305_SHA256 :: Cipher +cipher_DHE_RSA_CHACHA20POLY1305_SHA256 = + Cipher + { cipherID = 0xCCAA + , cipherName = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + , cipherBulk = bulk_chacha20poly1305 + , cipherHash = SHA256 + , cipherPRFHash = Just SHA256 + , cipherKeyExchange = CipherKeyExchange_DHE_RSA + , cipherMinVer = Just TLS12 + }