diff --git a/cyassl/internal.h b/cyassl/internal.h index 60ba02e8f..e26146509 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -174,8 +174,8 @@ void c32to24(word32 in, word24 out); #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 #endif #if defined (HAVE_AESCCM) - #define BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256 - #define BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384 + #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 + #define BUILD_TLS_RSA_WITH_AES_256_CCM_8 #endif #endif @@ -209,6 +209,10 @@ void c32to24(word32 in, word24 out); #endif #ifndef NO_SHA256 #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 + #ifdef HAVE_AESCCM + #define BUILD_TLS_PSK_WITH_AES_128_CCM_8 + #define BUILD_TLS_PSK_WITH_AES_256_CCM_8 + #endif #endif #endif @@ -309,8 +313,8 @@ void c32to24(word32 in, word24 out); #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 #endif #if defined (HAVE_AESCCM) - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 #endif #endif #if !defined(NO_RC4) @@ -475,10 +479,14 @@ enum { * also, in some of the other AES-CCM suites * there will be second byte number conflicts * with non-ECC AES-GCM */ - TLS_RSA_WITH_AES_128_CCM_8_SHA256 = 0xa0, - TLS_RSA_WITH_AES_256_CCM_8_SHA384 = 0xa1, - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 = 0xac, /* Still TBD, made up */ - TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 = 0xad, /* Still TBD, made up */ + TLS_RSA_WITH_AES_128_CCM_8 = 0xa0, + TLS_RSA_WITH_AES_256_CCM_8 = 0xa1, + TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xc6, /* Still TBD, made up */ + TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xc7, /* Still TBD, made up */ + TLS_PSK_WITH_AES_128_CCM = 0xa4, + TLS_PSK_WITH_AES_256_CCM = 0xa5, + TLS_PSK_WITH_AES_128_CCM_8 = 0xa8, + TLS_PSK_WITH_AES_256_CCM_8 = 0xa9, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x41, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x84, 
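Review bot: TLS_PSK_WITH_AES_128_CCM (0xa4) and TLS_PSK_WITH_AES_256_CCM (0xa5) are added to the suite enum but nothing else in this commit references them — no BUILD_ macro, no InitSuites entry, no SetCipherSpecs case, no cipher name — so they are either dead constants or codepoints that a peer could name in a ClientHello without any spec behind them; if the full-tag PSK suites are meant to come later, say so with `/* full-tag PSK CCM codepoints reserved, not implemented yet */` next to them. The TLS_RSA_* and TLS_PSK_* second bytes match the IANA registrations for the 0xC0 range, while the two ECDHE_ECDSA values (0xc6/0xc7) remain marked as made up and will collide with whatever is later assigned there, so they should stay visibly non-interoperable until the real assignment is adopted. The enum continues outside the hunk.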
@@ -592,7 +600,7 @@ enum Misc { MASTER_LABEL_SZ = 13, /* TLS master secret label sz */ KEY_LABEL_SZ = 13, /* TLS key block expansion sz */ MAX_PRF_HALF = 128, /* Maximum half secret len */ - MAX_PRF_LABSEED = 80, /* Maximum label + seed len */ + MAX_PRF_LABSEED = 128, /* Maximum label + seed len */ MAX_PRF_DIG = 224, /* Maximum digest len */ MAX_REQUEST_SZ = 256, /* Maximum cert req len (no auth yet */ SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ @@ -611,12 +619,15 @@ enum Misc { AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */ AEAD_VMIN_OFFSET = 10, /* Auth Data: Minor Version */ AEAD_LEN_OFFSET = 11, /* Auth Data: Length */ - AEAD_AUTH_TAG_SZ = 16, /* Size of the authentication tag */ AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */ AEAD_IMP_IV_SZ = 4, /* Size of the implicit IV */ AEAD_EXP_IV_SZ = 8, /* Size of the explicit IV */ AEAD_NONCE_SZ = AEAD_EXP_IV_SZ + AEAD_IMP_IV_SZ, + AES_GCM_AUTH_SZ = 16, /* AES-GCM Auth Tag length */ + AES_CCM_16_AUTH_SZ = 16, /* AES-CCM-16 Auth Tag length */ + AES_CCM_8_AUTH_SZ = 8, /* AES-CCM-8 Auth Tag Length */ + CAMELLIA_128_KEY_SIZE = 16, /* for 128 bit */ CAMELLIA_192_KEY_SIZE = 24, /* for 192 bit */ CAMELLIA_256_KEY_SIZE = 32, /* for 256 bit */ @@ -1149,6 +1160,7 @@ typedef struct CipherSpecs { word16 key_size; word16 iv_size; word16 block_size; + word16 aead_mac_size; } CipherSpecs; diff --git a/cyassl/openssl/evp.h b/cyassl/openssl/evp.h index b934e6112..eef1a8cf1 100644 --- a/cyassl/openssl/evp.h +++ b/cyassl/openssl/evp.h @@ -95,8 +95,10 @@ typedef struct CYASSL_EVP_MD_CTX { typedef union { Aes aes; +#ifndef NO_DES3 Des des; Des3 des3; +#endif Arc4 arc4; } CYASSL_Cipher; diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 8f0eafc85..79b280bad 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h 
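Review bot: `word16 aead_mac_size;` is added to CipherSpecs with no comment on who must populate it, yet Encrypt, Decrypt, DoApplicationData, DoAlert and BuildMessage in src/internal.c now trust it for the tag length; any `cipher_type = aead` case in SetCipherSpecs (src/keys.c) that omits the assignment leaves the field at whatever the struct was initialised to — presumably 0 — and a zero-length tag handed to the AEAD decrypt routine either fails every record or, depending on how the tag compare is implemented, authenticates nothing. Suggest `word16 aead_mac_size; /* AEAD auth tag length; every aead case in SetCipherSpecs must set it, 0 for non-AEAD */` and a guard that rejects an aead suite whose aead_mac_size is 0 before the first record is processed. The CipherSpecs struct begins outside the hunk.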
@@ -758,6 +758,11 @@ CYASSL_API int CyaSSL_get_keys(CYASSL*,unsigned char** ms, unsigned int* msLen, unsigned char** sr, unsigned int* srLen, unsigned char** cr, unsigned int* crLen); +/* Computes EAP-TLS and EAP-TTLS keying material from the master_secret. */ +CYASSL_API int CyaSSL_make_eap_keys(CYASSL*, void* key, unsigned int len, + const char* label); + + #ifndef _WIN32 #ifndef NO_WRITEV #ifdef __PPU diff --git a/src/internal.c b/src/internal.c index a7467d732..acc2dafd2 100644 --- a/src/internal.c +++ b/src/internal.c @@ -695,14 +695,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - if (tls1_2 && haveStaticECC) { + if (tls1_2 && haveECDSAsig) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - if (tls && haveStaticECC) { + if (tls && haveECDSAsig) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; } @@ -723,14 +723,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - if (tls1_2 && haveStaticECC) { + if (tls1_2 && haveECDSAsig) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; } #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - if (tls && haveStaticECC) { + if (tls && haveECDSAsig) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; } @@ -751,7 +751,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - if (tls && haveStaticECC) { + if (tls && haveECDSAsig) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; } 
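Review bot: The prototype for CyaSSL_make_eap_keys says what it computes but not its contract, which a public header should carry: `label` must be NUL-terminated (src/tls.c calls strlen on it), `key` receives exactly `len` bytes of PRF output, the call is only meaningful once the handshake has completed and the master secret and randoms exist, and the return is 0 on success and -1 when TLS support is compiled out — a convention that differs from the SSL_SUCCESS style used by the other calls in this header, so confirm which one is intended before the API ships. A short block comment above the prototype stating those points would spare callers a trip into tls.c.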
@@ -765,7 +765,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, #endif #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - if (tls && haveStaticECC) { + if (tls && haveECDSAsig) { suites->suites[idx++] = ECC_BYTE; suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; } @@ -869,31 +869,31 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, } #endif -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 - if (tls1_2 && haveECDSAsig && haveDH) { +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + if (tls1_2 && haveECDSAsig) { suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256; + suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; } #endif -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 - if (tls1_2 && haveECDSAsig && haveDH) { +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 + if (tls1_2 && haveECDSAsig) { suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384; + suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8; } #endif -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256 +#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 if (tls1_2 && haveRSA) { suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8_SHA256; + suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8; } #endif -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384 +#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 if (tls1_2 && haveRSA) { suites->suites[idx++] = ECC_BYTE; - suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8_SHA384; + suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8; } #endif 
@@ -1009,6 +1009,20 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, } #endif +#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 + if (tls && havePSK) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM_8; + } +#endif + +#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 + if (tls && havePSK) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM_8; + } +#endif + #ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 if (tls && havePSK) { suites->suites[idx++] = 0; @@ -3098,7 +3112,7 @@ int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, int sniff) } } else { - idx += (finishedSz + AEAD_AUTH_TAG_SZ); + idx += (finishedSz + ssl->specs.aead_mac_size); } if (ssl->options.side == CLIENT_END) { @@ -3449,7 +3463,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) /* Store the length of the plain text minus the explicit * IV length minus the authentication tag size. */ - c16toa(sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, + c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, additional + AEAD_LEN_OFFSET); XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ); @@ -3457,10 +3471,11 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ); AesGcmEncrypt(ssl->encrypt.aes, out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ, - sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, + sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, nonce, AEAD_NONCE_SZ, - out + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ, - additional, AEAD_AUTH_DATA_SZ); + out + sz - ssl->specs.aead_mac_size, + ssl->specs.aead_mac_size, additional, + AEAD_AUTH_DATA_SZ); AeadIncrementExpIV(ssl); XMEMSET(nonce, 0, AEAD_NONCE_SZ); } 
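Review bot: The two new PSK CCM-8 entries are gated on `tls && havePSK`, whereas every other CCM and GCM suite in InitSuites (the hunks at @@ -869 on the previous line) uses `tls1_2`; AES-CCM is an AEAD suite that RFC 6655 restricts to TLS 1.2, and offering it below that means the SHA-256 PRF the suite mandates is never selected, which is both a spec violation and an interoperability failure against peers that enforce it. Change both conditions to `if (tls1_2 && havePSK) {`. The second PSK hunk on this line has the same issue; InitSuites itself starts and ends outside the hunk.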
@@ -3490,7 +3505,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) /* Store the length of the plain text minus the explicit * IV length minus the authentication tag size. */ - c16toa(sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, + c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, additional + AEAD_LEN_OFFSET); XMEMCPY(nonce, ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ); @@ -3498,9 +3513,10 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ); AesCcmEncrypt(ssl->encrypt.aes, out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ, - sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, + sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, nonce, AEAD_NONCE_SZ, - out + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ, + out + sz - ssl->specs.aead_mac_size, + ssl->specs.aead_mac_size, additional, AEAD_AUTH_DATA_SZ); AeadIncrementExpIV(ssl); XMEMSET(nonce, 0, AEAD_NONCE_SZ); @@ -3613,16 +3629,17 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input, additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; - c16toa(sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, + c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, additional + AEAD_LEN_OFFSET); XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ); XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ); if (AesGcmDecrypt(ssl->decrypt.aes, plain + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ, - sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, + sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, nonce, AEAD_NONCE_SZ, - input + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ, + input + sz - ssl->specs.aead_mac_size, + ssl->specs.aead_mac_size, additional, AEAD_AUTH_DATA_SZ) < 0) { SendAlert(ssl, alert_fatal, bad_record_mac); XMEMSET(nonce, 0, AEAD_NONCE_SZ); 
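Review bot: In the AesGcmDecrypt hunk, `sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size` is unsigned arithmetic on a length taken from the peer's record, and the only bound visible on this page is SanityCheckCipherText (hunk @@ -3723 on the next line), which for aead still requires only `encryptSz >= ssl->specs.block_size`; for AES-GCM the explicit IV plus tag is 24 bytes, so a 16–23 byte record would wrap the plaintext length to a huge value before the decrypt routine reads it, unless a check outside this diff already guarantees `sz >= AEAD_EXP_IV_SZ + aead_mac_size`. Now that the tag size is per-suite, the sanity check can be exact: `minLength = AEAD_EXP_IV_SZ + ssl->specs.aead_mac_size; /* explicit IV + auth tag */`. The AesCcmDecrypt hunk on the next line has the same subtraction; the Encrypt hunks use a locally produced sz and are less of a concern. Decrypt starts and ends outside the hunk.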
@@ -3648,16 +3665,17 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input, additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; - c16toa(sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, + c16toa(sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, additional + AEAD_LEN_OFFSET); XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ); XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ); if (AesCcmDecrypt(ssl->decrypt.aes, plain + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ, - sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, + sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size, nonce, AEAD_NONCE_SZ, - input + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ, + input + sz - ssl->specs.aead_mac_size, + ssl->specs.aead_mac_size, additional, AEAD_AUTH_DATA_SZ) < 0) { SendAlert(ssl, alert_fatal, bad_record_mac); XMEMSET(nonce, 0, AEAD_NONCE_SZ); @@ -3723,7 +3741,7 @@ static int SanityCheckCipherText(CYASSL* ssl, word32 encryptSz) minLength = ssl->specs.hash_size; } else if (ssl->specs.cipher_type == aead) { - minLength = ssl->specs.block_size; /* explicit IV + implicit IV + CTR*/ + minLength = ssl->specs.block_size; /* explicit IV + implicit IV + CTR */ } if (encryptSz < minLength) { @@ -4072,7 +4090,7 @@ int DoApplicationData(CYASSL* ssl, byte* input, word32* inOutIdx) } else if (ssl->specs.cipher_type == aead) { ivExtra = AEAD_EXP_IV_SZ; - digestSz = AEAD_AUTH_TAG_SZ; + digestSz = ssl->specs.aead_mac_size; } dataSz = msgSz - ivExtra - digestSz - pad - padByte; @@ -4160,7 +4178,7 @@ static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type) } } else { - *inOutIdx += AEAD_AUTH_TAG_SZ; + *inOutIdx += ssl->specs.aead_mac_size; } } 
@@ -4762,7 +4780,7 @@ static int BuildMessage(CYASSL* ssl, byte* output, const byte* input, int inSz, #ifdef HAVE_AEAD if (ssl->specs.cipher_type == aead) { ivSz = AEAD_EXP_IV_SZ; - sz += (ivSz + 16 - digestSz); + sz += (ivSz + ssl->specs.aead_mac_size - digestSz); XMEMCPY(iv, ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ); } #endif @@ -5663,6 +5681,14 @@ const char* const cipher_names[] = "PSK-AES256-CBC-SHA", #endif +#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 + "PSK-AES128-CCM-8", +#endif + +#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 + "PSK-AES256-CCM-8", +#endif + #ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 "PSK-NULL-SHA256", #endif @@ -5699,20 +5725,20 @@ const char* const cipher_names[] = "NTRU-AES256-SHA", #endif -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256 - "AES128-CCM-8-SHA256", +#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 + "AES128-CCM-8", #endif -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384 - "AES256-CCM-8-SHA384", +#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 + "AES256-CCM-8", #endif -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 - "ECDHE-ECDSA-AES128-CCM-8-SHA256", +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + "ECDHE-ECDSA-AES128-CCM-8", #endif -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 - "ECDHE-ECDSA-AES256-CCM-8-SHA384", +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 + "ECDHE-ECDSA-AES256-CCM-8", #endif #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA @@ -5963,6 +5989,14 @@ int cipher_name_idx[] = TLS_PSK_WITH_AES_256_CBC_SHA, #endif +#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 + TLS_PSK_WITH_AES_128_CCM_8, +#endif + +#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 + TLS_PSK_WITH_AES_256_CCM_8, +#endif + #ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 TLS_PSK_WITH_NULL_SHA256, #endif 
@@ -5999,20 +6033,20 @@ int cipher_name_idx[] = TLS_NTRU_RSA_WITH_AES_256_CBC_SHA, #endif -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256 - TLS_RSA_WITH_AES_128_CCM_8_SHA256, +#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 + TLS_RSA_WITH_AES_128_CCM_8, #endif -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384 - TLS_RSA_WITH_AES_256_CCM_8_SHA384, +#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 + TLS_RSA_WITH_AES_256_CCM_8, #endif -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256, +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, #endif -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384, +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 + TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, #endif #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA @@ -8413,16 +8447,16 @@ int SetCipherList(Suites* s, const char* list) return 1; break; - case TLS_RSA_WITH_AES_128_CCM_8_SHA256 : - case TLS_RSA_WITH_AES_256_CCM_8_SHA384 : + case TLS_RSA_WITH_AES_128_CCM_8 : + case TLS_RSA_WITH_AES_256_CCM_8 : if (requirement == REQUIRES_RSA) return 1; if (requirement == REQUIRES_RSA_SIG) return 1; break; - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 : - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 : + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : + case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : if (requirement == REQUIRES_ECC_DSA) return 1; break; diff --git a/src/keys.c b/src/keys.c index 97f2f5b2e..14ebb0d93 100644 --- a/src/keys.c +++ b/src/keys.c @@ -457,6 +457,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif 
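Review bot: The requirement switch gets updated cases for the renamed RSA and ECDHE-ECDSA CCM-8 suites, but no case for the new TLS_PSK_WITH_AES_128_CCM_8 and TLS_PSK_WITH_AES_256_CCM_8 suites is visible anywhere in this diff; if the function has a REQUIRES_PSK arm for the other PSK suites (outside this hunk), the new ones belong in it, e.g. `case TLS_PSK_WITH_AES_128_CCM_8 :` / `case TLS_PSK_WITH_AES_256_CCM_8 :` returning 1 for REQUIRES_PSK, otherwise any suite-selection path that relies on the requirement check treats them as having no PSK requirement at all. The enclosing function starts and ends outside the hunk.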
@@ -474,6 +475,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif @@ -491,6 +493,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif @@ -508,6 +511,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif @@ -525,6 +529,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif @@ -542,6 +547,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif @@ -559,6 +565,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif @@ -576,12 +583,13 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 : +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : ssl->specs.bulk_cipher_algorithm = aes_ccm; ssl->specs.cipher_type = aead; ssl->specs.mac_algorithm = sha256_mac; 
@@ -589,32 +597,36 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.sig_algo = ecc_dsa_sa_algo; ssl->specs.hash_size = SHA256_DIGEST_SIZE; ssl->specs.pad_size = PAD_SHA; - ssl->specs.static_ecdh = 1; + ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; + break; #endif -#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 : +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 + case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : ssl->specs.bulk_cipher_algorithm = aes_ccm; ssl->specs.cipher_type = aead; - ssl->specs.mac_algorithm = sha384_mac; + ssl->specs.mac_algorithm = sha256_mac; ssl->specs.kea = ecc_diffie_hellman_kea; ssl->specs.sig_algo = ecc_dsa_sa_algo; - ssl->specs.hash_size = SHA384_DIGEST_SIZE; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; ssl->specs.pad_size = PAD_SHA; - ssl->specs.static_ecdh = 1; + ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; + break; #endif #endif /* HAVE_ECC */ -#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256 - case TLS_RSA_WITH_AES_128_CCM_8_SHA256 : +#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 + case TLS_RSA_WITH_AES_128_CCM_8 : ssl->specs.bulk_cipher_algorithm = aes_ccm; ssl->specs.cipher_type = aead; ssl->specs.mac_algorithm = sha256_mac; 
@@ -626,22 +638,64 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; + break; #endif -#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384 - case TLS_RSA_WITH_AES_256_CCM_8_SHA384 : +#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8 + case TLS_RSA_WITH_AES_256_CCM_8 : ssl->specs.bulk_cipher_algorithm = aes_ccm; ssl->specs.cipher_type = aead; - ssl->specs.mac_algorithm = sha384_mac; + ssl->specs.mac_algorithm = sha256_mac; ssl->specs.kea = rsa_kea; ssl->specs.sig_algo = rsa_sa_algo; - ssl->specs.hash_size = SHA384_DIGEST_SIZE; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; ssl->specs.pad_size = PAD_SHA; ssl->specs.static_ecdh = 0; ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; + + break; +#endif + +#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8 + case TLS_PSK_WITH_AES_128_CCM_8 : + ssl->specs.bulk_cipher_algorithm = aes_ccm; + ssl->specs.cipher_type = aead; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = psk_kea; + ssl->specs.sig_algo = anonymous_sa_algo; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = AES_128_KEY_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; + + ssl->options.usingPSK_cipher = 1; + break; +#endif + +#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8 + case TLS_PSK_WITH_AES_256_CCM_8 : + ssl->specs.bulk_cipher_algorithm = aes_ccm; + ssl->specs.cipher_type = aead; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = psk_kea; + ssl->specs.sig_algo = anonymous_sa_algo; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = AES_256_KEY_SIZE; + 
ssl->specs.block_size = AES_BLOCK_SIZE; + ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_CCM_8_AUTH_SZ; + + ssl->options.usingPSK_cipher = 1; break; #endif @@ -1096,6 +1150,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif @@ -1113,6 +1168,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif @@ -1130,6 +1186,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif @@ -1147,6 +1204,7 @@ int SetCipherSpecs(CYASSL* ssl) ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.iv_size = AEAD_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_GCM_AUTH_SZ; break; #endif diff --git a/src/ssl.c b/src/ssl.c index 90e73ff47..ade477e90 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -5686,15 +5686,15 @@ int CyaSSL_set_compression(CYASSL* ssl) #ifdef HAVE_AESCCM #ifndef NO_RSA - case TLS_RSA_WITH_AES_128_CCM_8_SHA256 : - return "TLS_RSA_WITH_AES_128_CCM_8_SHA256"; - case TLS_RSA_WITH_AES_256_CCM_8_SHA384 : - return "TLS_RSA_WITH_AES_256_CCM_8_SHA384"; + case TLS_RSA_WITH_AES_128_CCM_8 : + return "TLS_RSA_WITH_AES_128_CCM_8"; + case TLS_RSA_WITH_AES_256_CCM_8 : + return "TLS_RSA_WITH_AES_256_CCM_8"; #endif - case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 : - return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256"; - case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384 : - return "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA384"; + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: + return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"; + case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : + return "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"; #endif default: @@ -5746,8 +5746,16 @@ int CyaSSL_set_compression(CYASSL* ssl) case TLS_PSK_WITH_AES_256_CBC_SHA : return "TLS_PSK_WITH_AES_256_CBC_SHA"; #endif + #ifndef NO_SHA256 + #ifdef HAVE_AESCCM + case TLS_PSK_WITH_AES_128_CCM_8 : + return "TLS_PSK_WITH_AES_128_CCM_8"; + case TLS_PSK_WITH_AES_256_CCM_8 : + return "TLS_PSK_WITH_AES_256_CCM_8"; + #endif case TLS_PSK_WITH_NULL_SHA256 : return "TLS_PSK_WITH_NULL_SHA256"; + #endif #ifndef NO_SHA case TLS_PSK_WITH_NULL_SHA : return "TLS_PSK_WITH_NULL_SHA"; diff --git a/src/tls.c b/src/tls.c index 4a89be320..4160a1b23 100644 --- a/src/tls.c +++ b/src/tls.c 
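Review bot: `case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:` drops the space before the colon that every neighbouring case in this switch keeps (`case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 :`); change it to `case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 :` for consistency. The enclosing function starts and ends outside the hunk.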
@@ -333,6 +333,29 @@ int MakeTlsMasterSecret(CYASSL* ssl) } +/* Used by EAP-TLS and EAP-TTLS to derive keying material from + * the master_secret. */ +int CyaSSL_make_eap_keys(CYASSL* ssl, void* msk, unsigned int len, + const char* label) +{ + byte seed[SEED_LEN]; + + /* + * As per RFC-5281, the order of the client and server randoms is reversed + * from that used by the TLS protocol to derive keys. + */ + XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN); + XMEMCPY(&seed[RAN_LEN], ssl->arrays->serverRandom, RAN_LEN); + + PRF(msk, len, + ssl->arrays->masterSecret, SECRET_LEN, + (const byte *)label, (word32)strlen(label), + seed, SEED_LEN, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm); + + return 0; +} + + /*** next for static INLINE s copied from cyassl_int.c ***/ /* convert 16 bit integer to opaque */ @@ -613,5 +636,13 @@ int MakeTlsMasterSecret(CYASSL* ssl) return NOT_COMPILED_IN; } + +int CyaSSL_make_eap_keys(CYASSL* ssl, void* msk, unsigned int len, + const char* label) +{ + return -1; +} + + #endif /* NO_TLS */ diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf index 95739f0ed..59891690d 100644 --- a/tests/test-dtls.conf +++ b/tests/test-dtls.conf 
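Review bot: CyaSSL_make_eap_keys dereferences `ssl->arrays` and calls `strlen(label)` without checking that `ssl`, `ssl->arrays`, `msk` or `label` are non-NULL; this is a new public entry point, and if the handshake arrays are released once the handshake completes (as this code base appears to do elsewhere — confirm), a caller invoking it afterwards hits a NULL `arrays` pointer. Add `if (ssl == NULL || ssl->arrays == NULL || msk == NULL || label == NULL) return -1;` ahead of the XMEMCPY calls. The function uses the XMEMCPY wrapper but bare `strlen`; if the project's string-length wrapper (XSTRLEN) is available in this file it should be used so the no-libc builds the X* macros exist for still compile. The unconditional `return 0;` also discards whatever status PRF reports, if any — worth a one-line comment either way.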
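Review bot: The NO_TLS stub of CyaSSL_make_eap_keys leaves all four parameters unused, which trips -Wunused-parameter builds; reference them as the code base does elsewhere, `(void)ssl; (void)msk; (void)len; (void)label;`, before the return. Its bare `-1` also tells the caller nothing about why; `return NOT_COMPILED_IN;`, as the MakeTlsMasterSecret stub three lines above does, names the reason. The stub is complete within the hunk.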
@@ -754,29 +754,29 @@ -v 3 -l ECDH-RSA-AES256-GCM-SHA384 -# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 +# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -u -v 3 --l ECDHE-ECDSA-AES128-CCM-8-SHA256 +-l ECDHE-ECDSA-AES128-CCM-8 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem -# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 +# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -u -v 3 --l ECDHE-ECDSA-AES128-CCM-8-SHA256 +-l ECDHE-ECDSA-AES128-CCM-8 -A ./certs/server-ecc.pem -# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 +# server DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -u -v 3 --l ECDHE-ECDSA-AES256-CCM-8-SHA384 +-l ECDHE-ECDSA-AES256-CCM-8 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem -# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 +# client DTLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -u -v 3 --l ECDHE-ECDSA-AES256-CCM-8-SHA384 +-l ECDHE-ECDSA-AES256-CCM-8 -A ./certs/server-ecc.pem diff --git a/tests/test.conf b/tests/test.conf index c95f0a959..987786308 100644 --- a/tests/test.conf +++ b/tests/test.conf 
@@ -1532,41 +1532,61 @@ -v 3 -l DHE-RSA-AES256-GCM-SHA384 -# server TLSv1.2 AES128-CCM-8-SHA256 +# server TLSv1.2 AES128-CCM-8 -v 3 --l AES128-CCM-8-SHA256 +-l AES128-CCM-8 -# client TLSv1.2 AES128-CCM-8-SHA256 +# client TLSv1.2 AES128-CCM-8 -v 3 --l AES128-CCM-8-SHA256 +-l AES128-CCM-8 -# server TLSv1.2 AES256-CCM-8-SHA384 +# server TLSv1.2 AES256-CCM-8 -v 3 --l AES256-CCM-8-SHA384 +-l AES256-CCM-8 -# client TLSv1.2 AES256-CCM-8-SHA384 +# client TLSv1.2 AES256-CCM-8 -v 3 --l AES256-CCM-8-SHA384 +-l AES256-CCM-8 -# server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 +# server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -v 3 --l ECDHE-ECDSA-AES128-CCM-8-SHA256 +-l ECDHE-ECDSA-AES128-CCM-8 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem -# client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8-SHA256 +# client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -v 3 --l ECDHE-ECDSA-AES128-CCM-8-SHA256 +-l ECDHE-ECDSA-AES128-CCM-8 -A ./certs/server-ecc.pem -# server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 +# server TLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -v 3 --l ECDHE-ECDSA-AES256-CCM-8-SHA384 +-l ECDHE-ECDSA-AES256-CCM-8 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem -# client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8-SHA384 +# client TLSv1.2 ECDHE-ECDSA-AES256-CCM-8 -v 3 --l ECDHE-ECDSA-AES256-CCM-8-SHA384 +-l ECDHE-ECDSA-AES256-CCM-8 -A ./certs/server-ecc.pem +# server TLSv1.2 PSK-AES128-CCM-8 +-s +-v 3 +-l PSK-AES128-CCM-8 + +# client TLSv1.2 AES128-CCM-8 +-s +-v 3 +-l PSK-AES128-CCM-8 + +# server TLSv1.2 PSK-AES256-CCM-8 +-s +-v 3 +-l PSK-AES256-CCM-8 + +# client TLSv1.2 AES256-CCM-8 +-s +-v 3 +-l PSK-AES256-CCM-8 +
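Review bot: The comment lines for the two new client entries read `# client TLSv1.2 AES128-CCM-8` and `# client TLSv1.2 AES256-CCM-8` while the suite they select is `PSK-AES128-CCM-8` / `PSK-AES256-CCM-8`, so a failing case would be reported under the wrong name; change them to `# client TLSv1.2 PSK-AES128-CCM-8` and `# client TLSv1.2 PSK-AES256-CCM-8`. The matching server entries already use the PSK names.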