Soft Disable AES-CBC

1. By default, soft disable AES-CBC. It isn't offered as a default
   encrypt algorithm, but may be set at runtime.
2. Add guard where AES-CBC can be added back as a default.
3. Add option to example client to run it with a custom encrypt
   algorithm list.
4. In the client, add macro to add items to the arg lists while checking
   the number of items in the list.

Author: ejohnstown

examples/client/client.c

@@ -126,7 +126,8 @@ static void ShowUsage(void)
     printf(" -X            Ignore IP checks on peer vs peer certificate\n");
 #endif
     printf(" -E            List all possible algos\n");
-    printf(" -k            set the list of key algos to use\n");
+    printf(" -k            set the list of key algos\n");
+    printf(" -C            set the list of encrypt algos");
     printf(" -q            turn off debugging output\n");
 }
 
@@ -651,6 +652,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
     const char* cmd      = NULL;
     const char* privKeyName = NULL;
     const char* keyList = NULL;
+    const char* cipherList = NULL;
     byte imExit = 0;
     byte listAlgos = 0;
     byte nonBlock = 0;
@@ -669,7 +671,7 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
 
     (void)keepOpen;
 
-    while ((ch = mygetopt(argc, argv, "?ac:h:i:j:p:tu:xzNP:RJ:A:XeEk:qK:")) != -1) {
+    while ((ch = mygetopt(argc, argv, "?ac:C:h:i:j:p:tu:xzNP:RJ:A:XeEk:qK:")) != -1) {
         switch (ch) {
             case 'h':
                 host = myoptarg;
@@ -750,6 +752,10 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
                 keyList = myoptarg;
                 break;
 
+            case 'C':
+                cipherList = myoptarg;
+                break;
+
         #if !defined(SINGLE_THREADED) && !defined(WOLFSSL_NUCLEUS)
             case 'c':
                 cmd = myoptarg;
@@ -841,6 +847,11 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
             err_sys("Error setting key list.\n");
         }
     }
+    if (cipherList) {
+        if (wolfSSH_CTX_SetAlgoListCipher(ctx, cipherList) != WS_SUCCESS) {
+            err_sys("Error setting cipher list.\n");
+        }
+    }
 
     if (((func_args*)args)->user_auth == NULL)
         wolfSSH_SetUserAuth(ctx, ClientUserAuth);

src/internal.c

@@ -147,6 +147,11 @@
   WOLFSSH_NO_NISTP256_MLKEM768_SHA256
     Set when ML-KEM is disabled in wolfssl. Set to disable use of ECDHE with
     prime NISTP256 hybridized with post-quantum ML-KEM 768.
+  WOLFSSH_NO_AES_CBC_SOFT_DISABLE
+    AES-CBC is normally soft-disabled. The default configuration will not
+    advertise the availability of AES-CBC algorithms during KEX. AES-CBC
+    algorithms still work. Setting this flag will advertise AES-CBC
+    algorithms during KEX by default.
   WOLFSSH_NO_AES_CBC
     Set when AES or AES-CBC are disabled. Set to disable use of AES-CBC
     encryption.
@@ -804,10 +809,12 @@ static const char cannedEncAlgoNames[] =
     "aes128-ctr,"
 #endif
 #if !defined(WOLFSSH_NO_AES_CBC)
-    "aes256-cbc,"
-    "aes192-cbc,"
-    "aes128-cbc,"
-#endif
+    #if defined(WOLFSSH_NO_AES_CBC_SOFT_DISABLE)
+        "aes256-cbc,"
+        "aes192-cbc,"
+        "aes128-cbc,"
+    #endif
+#endif /* WOLFSSH_NO_AES_CBC */
     "";
 
 static const char cannedMacAlgoNames[] =

tests/kex.c

@@ -163,6 +163,16 @@ static int tsClientUserAuth(byte authType, WS_UserAuthData* authData, void* ctx)
 #define NUMARGS 12
 #define ARGLEN 32
 
+#define ADD_ARG(argList,argListCount,arg) do { \
+    if ((argListCount) < NUMARGS) \
+        WSTRNCPY((argList)[(argListCount)++], (arg), ARGLEN); \
+} while (0)
+#define ADD_ARG_INT(argList,argListCount,arg) do { \
+    if ((argListCount) < NUMARGS) \
+        WSNPRINTF((argList)[(argListCount)++], ARGLEN, "%d", (arg)); \
+} while (0)
+
+
 static int wolfSSH_wolfSSH_Group16_512(void)
 {
     tcp_ready ready;
@@ -175,7 +185,8 @@ static int wolfSSH_wolfSSH_Group16_512(void)
           sA[10], sA[11] };
     char cA[NUMARGS][ARGLEN];
     char *clientArgv[NUMARGS] =
-        { cA[0], cA[1], cA[2], cA[3], cA[4] };
+        { cA[0], cA[1], cA[2], cA[3], cA[4], cA[5], cA[6], cA[7], cA[8], cA[9],
+          cA[10], cA[11] };
     int serverArgc = 0;
     int clientArgc = 0;
 
@@ -202,19 +213,19 @@ static int wolfSSH_wolfSSH_Group16_512(void)
 
     InitTcpReady(&ready);
 
-    WSTRNCPY(serverArgv[serverArgc++], "echoserver", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-1", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-f", ARGLEN);
+    ADD_ARG(serverArgv, serverArgc, "echoserver");
+    ADD_ARG(serverArgv, serverArgc, "-1");
+    ADD_ARG(serverArgv, serverArgc, "-f");
     #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
-        WSTRNCPY(serverArgv[serverArgc++], "-p", ARGLEN);
-        WSTRNCPY(serverArgv[serverArgc++], "-0", ARGLEN);
+        ADD_ARG(serverArgv, serverArgc, "-p");
+        ADD_ARG(serverArgv, serverArgc, "-0");
     #endif
-    WSTRNCPY(serverArgv[serverArgc++], "-x", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "diffie-hellman-group16-sha512", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-m", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "hmac-sha2-512", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "-c", ARGLEN);
-    WSTRNCPY(serverArgv[serverArgc++], "aes256-cbc", ARGLEN);
+    ADD_ARG(serverArgv, serverArgc, "-x");
+    ADD_ARG(serverArgv, serverArgc, "diffie-hellman-group16-sha512");
+    ADD_ARG(serverArgv, serverArgc, "-m");
+    ADD_ARG(serverArgv, serverArgc, "hmac-sha2-512");
+    ADD_ARG(serverArgv, serverArgc, "-c");
+    ADD_ARG(serverArgv, serverArgc, "aes256-cbc");
 
     serverArgs.argc = serverArgc;
     serverArgs.argv = serverArgv;
@@ -224,12 +235,14 @@ static int wolfSSH_wolfSSH_Group16_512(void)
     ThreadStart(echoserver_test, &serverArgs, &serverThread);
     WaitTcpReady(&ready);
 
-    WSTRNCPY(cA[clientArgc++], "client", ARGLEN);
-    WSTRNCPY(cA[clientArgc++], "-u", ARGLEN);
-    WSTRNCPY(cA[clientArgc++], "jill", ARGLEN);
+    ADD_ARG(clientArgv, clientArgc, "client");
+    ADD_ARG(clientArgv, clientArgc, "-u");
+    ADD_ARG(clientArgv, clientArgc, "jill");
+    ADD_ARG(clientArgv, clientArgc, "-C");
+    ADD_ARG(clientArgv, clientArgc, "aes256-cbc");
     #if !defined(USE_WINDOWS_API) && !defined(WOLFSSH_ZEPHYR)
-        WSTRNCPY(cA[clientArgc++], "-p", ARGLEN);
-        WSNPRINTF(cA[clientArgc++], ARGLEN, "%d", ready.port);
+        ADD_ARG(clientArgv, clientArgc, "-p");
+        ADD_ARG_INT(clientArgv, clientArgc, ready.port);
     #endif
 
     clientArgs.argc = clientArgc;