Commit ca4ab491 authored by Paul Bakker's avatar Paul Bakker

- Added GCM ciphersuites to TLS implementation

parent 0b22e3e9
......@@ -14,6 +14,7 @@ Features
* Added cert_req example application
* Added base Galois Counter Mode (GCM) for AES
* Added TLS 1.2 support
* Added GCM suites to TLS 1.2 (RFC 5288)
Changes
* Removed redundant POLARSSL_DEBUG_MSG define
......
......@@ -35,6 +35,7 @@
#define GCM_DECRYPT 0
#define POLARSSL_ERR_GCM_AUTH_FAILED -0x0012 /**< Authenticated decryption failed. */
#define POLARSSL_ERR_GCM_BAD_INPUT -0x0014 /**< Bad input parameters to function. */
/**
* \brief GCM context structure
......@@ -64,6 +65,11 @@ int gcm_init( gcm_context *ctx, const unsigned char *key, unsigned int keysize )
/**
* \brief GCM buffer encryption/decryption using AES
*
* \note On encryption, the output buffer can be the same as the input buffer.
* On decryption, the output buffer cannot be the same as input buffer.
* If buffers overlap, the output buffer must trail at least 8 bytes
* behind the input buffer.
*
* \param ctx GCM context
* \param mode GCM_ENCRYPT or GCM_DECRYPT
* \param length length of the input data
......@@ -93,6 +99,10 @@ int gcm_crypt_and_tag( gcm_context *ctx,
/**
* \brief GCM buffer authenticated decryption using AES
*
* \note On decryption, the output buffer cannot be the same as input buffer.
* If buffers overlap, the output buffer must trail at least 8 bytes
* behind the input buffer.
*
* \param ctx GCM context
* \param length length of the input data
* \param iv initialization vector
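Review bot: `POLARSSL_ERR_GCM_BAD_INPUT` is introduced but neither hunk shown documents which function returns it or for which inputs; the \return blocks of gcm_crypt_and_tag and the authenticated-decryption function lie outside these hunks, so it may already be covered there. The new \note also states an overlap rule — on decryption the output must trail the input by at least 8 bytes — that a caller who gets it wrong cannot detect at runtime, so the \return text should say whether the function checks for overlap or whether violating the rule is unchecked, e.g. `\return 0 if successful, or POLARSSL_ERR_GCM_BAD_INPUT if the parameters are invalid; overlapping buffers are not detected`, adjusted to the actual behaviour, which I cannot see here.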
......
......@@ -35,6 +35,7 @@
#include "md5.h"
#include "sha1.h"
#include "sha2.h"
#include "sha4.h"
#include "x509.h"
#include "config.h"
......@@ -142,6 +143,11 @@
#define SSL_RSA_CAMELLIA_256_SHA256 0xC0 /**< TLS 1.2 */
#define SSL_EDH_RSA_CAMELLIA_256_SHA256 0xC4 /**< TLS 1.2 */
#define SSL_RSA_AES_128_GCM_SHA256 0x9C
#define SSL_RSA_AES_256_GCM_SHA384 0x9D
#define SSL_EDH_RSA_AES_128_GCM_SHA256 0x9E
#define SSL_EDH_RSA_AES_256_GCM_SHA384 0x9F
/*
* Supported Signature and Hash algorithms (For TLS 1.2)
*/
......@@ -172,7 +178,7 @@
#define SSL_ALERT_MSG_DECRYPTION_FAILED 21 /* 0x15 */
#define SSL_ALERT_MSG_RECORD_OVERFLOW 22 /* 0x16 */
#define SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30 /* 0x1E */
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE 41 /* 0x29 */
#define SSL_ALERT_MSG_HANDSHAKE_FAILURE 40 /* 0x28 */
#define SSL_ALERT_MSG_NO_CERT 41 /* 0x29 */
#define SSL_ALERT_MSG_BAD_CERT 42 /* 0x2A */
#define SSL_ALERT_MSG_UNSUPPORTED_CERT 43 /* 0x2B */
......@@ -339,6 +345,7 @@ struct _ssl_context
md5_context fin_md5; /*!< Finished MD5 checksum */
sha1_context fin_sha1; /*!< Finished SHA-1 checksum */
sha2_context fin_sha2; /*!< Finished SHA-256 checksum */
sha4_context fin_sha4; /*!< Finished SHA-384 checksum */
void (*calc_finished)(ssl_context *, unsigned char *, int);
int (*tls_prf)(unsigned char *, size_t, char *,
......@@ -351,6 +358,7 @@ struct _ssl_context
unsigned int keylen; /*!< symmetric key length */
size_t minlen; /*!< min. ciphertext length */
size_t ivlen; /*!< IV length */
size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
size_t maclen; /*!< MAC length */
unsigned char randbytes[64]; /*!< random bytes */
......@@ -362,8 +370,8 @@ struct _ssl_context
unsigned char mac_enc[32]; /*!< MAC (encryption) */
unsigned char mac_dec[32]; /*!< MAC (decryption) */
unsigned long ctx_enc[128]; /*!< encryption context */
unsigned long ctx_dec[128]; /*!< decryption context */
unsigned long ctx_enc[134]; /*!< encryption context */
unsigned long ctx_dec[134]; /*!< decryption context */
/*
* TLS extensions
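Review bot: `ctx_enc`/`ctx_dec` are widened from 128 to 134 words by hand, with nothing tying 134 to the size of the largest cipher context stored there (presumably the new gcm_context), so a later growth of that struct would make the cast-through writes overrun ssl_context silently; note also that the byte size depends on `sizeof(unsigned long)`, which differs between 32- and 64-bit targets. A compile-time check in the translation unit that performs the cast would catch this, e.g. a C89-compatible negative-array-size assertion `typedef char ssl_ctx_size_check[ sizeof(gcm_context) <= 134 * sizeof(unsigned long) ? 1 : -1 ];`, and the fields deserve a comment such as `/*!< must hold the largest cipher context, incl. gcm_context */`. Which context types are actually stored in these arrays is not visible from this hunk, so the exact operand of the check should be confirmed. The ssl_context struct begins and ends outside these hunks.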
......
......@@ -453,7 +453,9 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA &&
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA256 &&
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA256 )
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA256 &&
ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_GCM_SHA256 &&
ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_GCM_SHA384 )
{
SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
ssl->state++;
......@@ -786,7 +788,9 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
{
#if !defined(POLARSSL_DHM_C)
SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
......@@ -888,7 +892,7 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
{
int ret = 0;
size_t n = 0, offset = 0;
unsigned char hash[36];
unsigned char hash[48];
int hash_id = SIG_RSA_RAW;
unsigned int hashlen = 36;
......@@ -903,8 +907,21 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
hash_id = SIG_RSA_SHA256;
hashlen = 32;
// TODO TLS1.2 Should be based on allowed signature algorithm received in
// Certificate Request according to RFC 5246. But OpenSSL only allows
// SHA256 and SHA384. Find out why OpenSSL does this.
//
if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
{
hash_id = SIG_RSA_SHA384;
hashlen = 48;
}
else
{
hash_id = SIG_RSA_SHA256;
hashlen = 32;
}
}
if( ssl->rsa_key == NULL )
......@@ -934,9 +951,21 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
// TODO TLS1.2 Base on signature algorithm received in Certificate Request
ssl->out_msg[4] = SSL_HASH_SHA256;
ssl->out_msg[5] = SSL_SIG_RSA;
// TODO TLS1.2 Should be based on allowed signature algorithm received in
// Certificate Request according to RFC 5246. But OpenSSL only allows
// SHA256 and SHA384. Find out why OpenSSL does this.
//
if( ssl->session->ciphersuite == SSL_RSA_AES_256_GCM_SHA384 ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
{
ssl->out_msg[4] = SSL_HASH_SHA384;
ssl->out_msg[5] = SSL_SIG_RSA;
}
else
{
ssl->out_msg[4] = SSL_HASH_SHA256;
ssl->out_msg[5] = SSL_SIG_RSA;
}
offset = 2;
}
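Review bot: The ciphersuite test that selects SHA-384 versus SHA-256 is written twice in ssl_write_certificate_verify — once to set `hash_id`/`hashlen` and again to set `out_msg[4]` — so the two copies can drift apart, in which case the hash that is signed no longer matches the algorithm byte sent on the wire. The second copy could instead be derived from the first, `ssl->out_msg[4] = ( hash_id == SIG_RSA_SHA384 ) ? SSL_HASH_SHA384 : SSL_HASH_SHA256;`, provided hash_id is not reassigned between the two blocks (that stretch lies outside the hunks). The TODO in both copies is right that RFC 5246 requires the hash to come from the CertificateRequest's supported_signature_algorithms; keying it off the GCM ciphersuite is a heuristic a server's certificate request may not accept, and that limitation is worth stating in the function's header comment rather than only inline. The enclosing function begins and ends outside these hunks.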
......
......@@ -109,6 +109,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
md5_update( &ssl->fin_md5 , buf + 2, n );
sha1_update( &ssl->fin_sha1, buf + 2, n );
sha2_update( &ssl->fin_sha2, buf + 2, n );
sha4_update( &ssl->fin_sha4, buf + 2, n );
buf = ssl->in_msg;
n = ssl->in_left - 5;
......@@ -230,6 +231,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
md5_update( &ssl->fin_md5 , buf, n );
sha1_update( &ssl->fin_sha1, buf, n );
sha2_update( &ssl->fin_sha2, buf, n );
sha4_update( &ssl->fin_sha4, buf, n );
/*
* SSL layer:
......@@ -539,7 +541,7 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
#if defined(POLARSSL_DHM_C)
int ret;
size_t n, rsa_key_len = 0;
unsigned char hash[36];
unsigned char hash[48];
md5_context md5;
sha1_context sha1;
int hash_id;
......@@ -557,7 +559,9 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA &&
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA &&
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_128_SHA256 &&
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA256 )
ssl->session->ciphersuite != SSL_EDH_RSA_CAMELLIA_256_SHA256 &&
ssl->session->ciphersuite != SSL_EDH_RSA_AES_128_GCM_SHA256 &&
ssl->session->ciphersuite != SSL_EDH_RSA_AES_256_GCM_SHA384 )
{
SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
ssl->state++;
......@@ -770,7 +774,9 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_128_SHA256 ||
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 )
ssl->session->ciphersuite == SSL_EDH_RSA_CAMELLIA_256_SHA256 ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_128_GCM_SHA256 ||
ssl->session->ciphersuite == SSL_EDH_RSA_AES_256_GCM_SHA384 )
{
#if !defined(POLARSSL_DHM_C)
SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
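Review bot: The set of ciphersuites that use DHM is now spelled out in four hand-maintained chains — the `!=` chain in ssl_write_server_key_exchange above, the `==` chain in ssl_parse_client_key_exchange here, and the matching pair in ssl_cli.c's ssl_parse_server_key_exchange and ssl_write_client_key_exchange — and this commit had to edit all four to add the two EDH GCM suites. A copy missed in a future addition would make one side skip or expect a ServerKeyExchange/ClientKeyExchange message, so a single predicate such as `static int ssl_ciphersuite_uses_dhm( int ciphersuite )` holding the `==` chain once, called from all four sites, would keep them aligned. Each enclosing function starts and ends outside its hunk.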
......
......@@ -80,6 +80,12 @@ int my_ciphersuites[] =
#endif /* POLARSSL_SHA2_C */
SSL_EDH_RSA_AES_256_SHA,
SSL_EDH_RSA_AES_128_SHA,
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
SSL_EDH_RSA_AES_256_GCM_SHA384,
#endif
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
SSL_EDH_RSA_AES_128_GCM_SHA256,
#endif
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
......@@ -111,6 +117,12 @@ int my_ciphersuites[] =
SSL_RSA_AES_128_SHA256,
#endif /* POLARSSL_SHA2_C */
SSL_RSA_AES_128_SHA,
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
SSL_RSA_AES_256_GCM_SHA384,
#endif
#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
SSL_RSA_AES_128_GCM_SHA256,
#endif
#endif
#if defined(POLARSSL_CAMELLIA_C)
#if defined(POLARSSL_SHA2_C)
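Review bot: The GCM suites are appended after the CBC-SHA suites in both blocks of `my_ciphersuites[]`, so if this array is consulted in order of preference the AEAD suites will only be chosen when no CBC suite is mutually supported. Whether that ranking is intended should be decided explicitly, and either moving them up or a comment such as `/* AEAD suites listed after CBC on purpose: preference order */` would record the decision. I cannot see from the hunk how this array is consumed, so this is a point on ordering rather than a defect; the array begins and ends outside the hunks.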
......
......@@ -7,7 +7,7 @@ VERIFY=""
if [ "X$VERIFY" = "XYES" ];
then
P_CLIENT_ARGS="crt_file=data_files/server2.crt key_file=data_files/server2.key"
O_SERVER_ARGS="-verify 10"
O_SERVER_ARGS="-verify 10 -CAfile data_files/test-ca.crt"
fi
for MODE in $MODES;
......@@ -61,6 +61,10 @@ then
SSL-EDH-RSA-AES-128-SHA256 \
SSL-RSA-AES-256-SHA256 \
SSL-EDH-RSA-AES-256-SHA256 \
SSL-RSA-AES-128-GCM-SHA256 \
SSL-EDH-RSA-AES-128-GCM-SHA256 \
SSL-RSA-AES-256-GCM-SHA384 \
SSL-EDH-RSA-AES-256-GCM-SHA384 \
"
O_CIPHERS="$O_CIPHERS \
......@@ -69,6 +73,10 @@ then
DHE-RSA-AES128-SHA256 \
AES256-SHA256 \
DHE-RSA-AES256-SHA256 \
AES128-GCM-SHA256 \
DHE-RSA-AES128-GCM-SHA256 \
AES256-GCM-SHA384 \
DHE-RSA-AES256-GCM-SHA384 \
"
fi
......