diff --git a/cyassl/internal.h b/cyassl/internal.h index a506d6cf8..aabc62ccb 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -160,8 +160,12 @@ void c32to24(word32 in, word24 out); #endif #endif -#if !defined(NO_TLS) && !defined(NO_PSK) && defined(HAVE_NULL_CIPHER) - #define BUILD_TLS_PSK_WITH_NULL_SHA +#if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) + #define BUILD_TLS_RSA_WITH_NULL_SHA + #define BUILD_TLS_RSA_WITH_NULL_SHA256 + #if !defined(NO_PSK) + #define BUILD_TLS_PSK_WITH_NULL_SHA + #endif #endif #if !defined(NO_HC128) && !defined(NO_TLS) @@ -269,6 +273,7 @@ enum { TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x33, TLS_RSA_WITH_AES_256_CBC_SHA = 0x35, TLS_RSA_WITH_AES_128_CBC_SHA = 0x2F, + TLS_RSA_WITH_NULL_SHA = 0x02, TLS_PSK_WITH_AES_256_CBC_SHA = 0x8d, TLS_PSK_WITH_AES_128_CBC_SHA = 0x8c, TLS_PSK_WITH_NULL_SHA = 0x2c, @@ -312,6 +317,7 @@ enum { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x67, TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x3d, TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x3c, + TLS_RSA_WITH_NULL_SHA256 = 0x3b, /* AES-GCM */ TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x9c, diff --git a/src/internal.c b/src/internal.c index c60e982f6..4c20bf6bf 100644 --- a/src/internal.c +++ b/src/internal.c @@ -828,6 +828,20 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveDH, byte havePSK, } #endif +#ifdef BUILD_TLS_RSA_WITH_NULL_SHA + if (tls && haveRSA) { + suites->suites[idx++] = 0; + suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA; + } +#endif + +#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 + if (tls && haveRSA) { + suites->suites[idx++] = 0; + suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA256; + } +#endif + #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA if (tls && havePSK) { suites->suites[idx++] = 0; @@ -4428,6 +4442,14 @@ const char* const cipher_names[] = "AES256-SHA", #endif +#ifdef BUILD_TLS_RSA_WITH_NULL_SHA + "NULL-SHA", +#endif + +#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 + "NULL-SHA256", +#endif + #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA "DHE-RSA-AES128-SHA", #endif @@ -4632,6 +4654,14 @@ int cipher_name_idx[] = TLS_RSA_WITH_AES_256_CBC_SHA, #endif +#ifdef BUILD_TLS_RSA_WITH_NULL_SHA + TLS_RSA_WITH_NULL_SHA, +#endif + +#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 + TLS_RSA_WITH_NULL_SHA256, +#endif + #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA, #endif @@ -6701,6 +6731,12 @@ int SetCipherList(Suites* s, const char* list) return 1; break; + case TLS_RSA_WITH_NULL_SHA : + case TLS_RSA_WITH_NULL_SHA256 : + if (requirement == REQUIRES_RSA) + return 1; + break; + case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA : if (requirement == REQUIRES_NTRU) return 1; diff --git a/src/keys.c b/src/keys.c index abb55472c..50eb76020 100644 --- a/src/keys.c +++ b/src/keys.c @@ -568,6 +568,38 @@ int SetCipherSpecs(CYASSL* ssl) break; #endif +#ifdef BUILD_TLS_RSA_WITH_NULL_SHA + case TLS_RSA_WITH_NULL_SHA : + ssl->specs.bulk_cipher_algorithm = cipher_null; + ssl->specs.cipher_type = stream; + ssl->specs.mac_algorithm = sha_mac; + ssl->specs.kea = rsa_kea; + ssl->specs.hash_size = SHA_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = 0; + ssl->specs.block_size = 0; + ssl->specs.iv_size = 0; + + break; +#endif + +#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256 + case TLS_RSA_WITH_NULL_SHA256 : + ssl->specs.bulk_cipher_algorithm = cipher_null; + ssl->specs.cipher_type = stream; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = rsa_kea; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = 0; + ssl->specs.block_size = 0; + ssl->specs.iv_size = 0; + + break; +#endif + #ifdef BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA : ssl->specs.bulk_cipher_algorithm = aes; diff --git a/src/ssl.c b/src/ssl.c index 3260d848f..79331926a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5289,6 +5289,10 @@ int CyaSSL_set_compression(CYASSL* ssl) return "TLS_RSA_WITH_AES_128_CBC_SHA256"; case TLS_RSA_WITH_AES_256_CBC_SHA256 : return "TLS_RSA_WITH_AES_256_CBC_SHA256"; + case TLS_RSA_WITH_NULL_SHA : + return "TLS_RSA_WITH_NULL_SHA"; + case TLS_RSA_WITH_NULL_SHA256 : + return "TLS_RSA_WITH_NULL_SHA256"; case TLS_PSK_WITH_AES_128_CBC_SHA : return "TLS_PSK_WITH_AES_128_CBC_SHA"; case TLS_PSK_WITH_AES_256_CBC_SHA : diff --git a/tests/suites.c b/tests/suites.c index d2f4d047b..b7e375e5f 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -250,6 +250,17 @@ int SuiteTest(void) } #endif +#ifdef HAVE_NULL_CIPHER + /* add rsa null cipher suites */ + strcpy(argv0[1], "tests/test-null.conf"); + printf("starting null cipher suite tests\n"); + test_harness(&args); + if (args.return_code != 0) { + printf("error from script %d\n", args.return_code); + exit(EXIT_FAILURE); + } +#endif + #ifdef HAVE_HC128 /* add hc128 extra suites */ strcpy(argv0[1], "tests/test-hc128.conf"); diff --git a/tests/test-null.conf b/tests/test-null.conf new file mode 100644 index 000000000..cd63d4257 --- /dev/null +++ b/tests/test-null.conf @@ -0,0 +1,48 @@ +# server TLSv1.0 RSA-NULL-SHA +-v 1 +-l NULL-SHA + +# client TLSv1.0 RSA-NULL-SHA +-v 1 +-l NULL-SHA + +# server TLSv1.1 RSA-NULL-SHA +-v 2 +-l NULL-SHA + +# client TLSv1.1 RSA-NULL-SHA +-v 2 +-l NULL-SHA + +# server TLSv1.2 RSA-NULL-SHA +-v 3 +-l NULL-SHA + +# client TLSv1.2 RSA-NULL-SHA +-v 3 +-l NULL-SHA + +# server TLSv1.0 RSA-NULL-SHA256 +-v 1 +-l NULL-SHA256 + +# client TLSv1.0 RSA-NULL-SHA256 +-v 1 +-l NULL-SHA256 + +# server TLSv1.1 RSA-NULL-SHA256 +-v 2 +-l NULL-SHA256 + +# client TLSv1.1 RSA-NULL-SHA256 +-v 2 +-l NULL-SHA256 + +# server TLSv1.2 RSA-NULL-SHA256 +-v 3 +-l NULL-SHA256 + +# client TLSv1.2 RSA-NULL-SHA256 +-v 3 +-l NULL-SHA256 +