From e980a994f0369ef2a8da123ae76688529cc65662 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 19 Jul 2013 11:08:52 +0200 Subject: [PATCH 1/4] Add interface for truncated hmac --- include/polarssl/ssl.h | 14 ++++++++++++++ library/ssl_tls.c | 10 ++++++++++ programs/ssl/ssl_client2.c | 13 +++++++++++++ 3 files changed, 37 insertions(+) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 4e1d25a83..1403ab331 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -148,6 +148,9 @@ #define SSL_LEGACY_ALLOW_RENEGOTIATION 1 #define SSL_LEGACY_BREAK_HANDSHAKE 2 +#define SSL_TRUNC_HMAC_DISABLED 0 +#define SSL_TRUNC_HMAC_ENABLED 1 + /* * Size of the input / output buffer. * Note: the RFC defines the default size of SSL / TLS messages. If you @@ -540,6 +543,7 @@ struct _ssl_context int disable_renegotiation; /*!< enable/disable renegotiation */ int allow_legacy_renegotiation; /*!< allow legacy renegotiation */ const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */ + int trunc_hmac; /*!< negotiate truncated hmac? */ #if defined(POLARSSL_DHM_C) mpi dhm_P; /*!< prime modulus for DHM */ @@ -976,6 +980,16 @@ void ssl_set_min_version( ssl_context *ssl, int major, int minor ); */ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code ); +/** + * \brief Activate negotiation of truncated HMAC (Client only) + * + * \param ssl SSL context + * + * \return O if successful, + * POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side + */ +int ssl_set_truncated_hmac( ssl_context *ssl ); + /** * \brief Enable / Disable renegotiation support for connection when * initiated by peer diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f701a8a1f..4e7cac79b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3141,6 +3141,16 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code ) return( 0 ); } +int ssl_set_truncated_hmac( ssl_context *ssl ) +{ + if( ssl->endpoint != SSL_IS_CLIENT ) + return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); + + ssl->trunc_hmac = SSL_TRUNC_HMAC_ENABLED; + + return( 0 ); +} + void ssl_set_renegotiation( ssl_context *ssl, int renegotiation ) { ssl->disable_renegotiation = renegotiation; diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 56d0e9112..60e6f7e97 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -58,6 +58,7 @@ #define DFL_MAX_VERSION -1 #define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE +#define DFL_TRUNC_HMAC 0 #define LONG_HEADER "User-agent: blah-blah-blah-blah-blah-blah-blah-blah-" \ "-01--blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-" \ @@ -94,6 +95,7 @@ struct options int max_version; /* maximum protocol version accepted */ int auth_mode; /* verify mode for connection */ unsigned char mfl_code; /* code for maximum fragment length */ + int trunc_hmac; /* negotiate truncated hmac or not */ } opt; static void my_debug( void *ctx, int level, const char *str ) @@ -191,6 +193,7 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags ) " options: none, optional, required\n" \ " max_frag_len=%%d default: 16384 (tls default)" \ " options: 512, 1024, 2048, 4096" \ + " trunc_hmac=%%d default: 0 (disabled)\n" \ USAGE_PSK \ "\n" \ " force_ciphersuite= default: all enabled\n"\ @@ -281,6 +284,7 @@ int main( int argc, char *argv[] ) opt.max_version = DFL_MAX_VERSION; opt.auth_mode = DFL_AUTH_MODE; opt.mfl_code = DFL_MFL_CODE; + opt.trunc_hmac = DFL_TRUNC_HMAC; for( i = 1; i < argc; i++ ) { @@ -416,6 +420,12 @@ int main( int argc, char *argv[] ) else goto usage; } + else if( strcmp( p, "trunc_hmac" ) == 0 ) + { + opt.trunc_hmac = atoi( q ); + if( opt.trunc_hmac < 0 || opt.trunc_hmac > 1 ) + goto usage; + } else goto usage; } @@ -623,6 +633,9 @@ int main( int argc, char *argv[] ) ssl_set_max_frag_len( &ssl, opt.mfl_code ); + if( opt.trunc_hmac != 0 ) + ssl_set_truncated_hmac( &ssl ); + ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio( &ssl, net_recv, &server_fd, From 57c285280710f81b8530608dd5877e8dcfa3ac36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 19 Jul 2013 11:41:43 +0200 Subject: [PATCH 2/4] Added truncated hmac negociation (without effect) --- include/polarssl/ssl.h | 3 +++ library/ssl_cli.c | 54 ++++++++++++++++++++++++++++++++++++++++++ library/ssl_srv.c | 51 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 1403ab331..c7d7b12e3 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -254,6 +254,8 @@ #define TLS_EXT_MAX_FRAGMENT_LENGTH 1 +#define TLS_EXT_TRUNCATED_HMAC 4 + #define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10 #define TLS_EXT_SUPPORTED_POINT_FORMATS 11 @@ -336,6 +338,7 @@ struct _ssl_session #endif /* POLARSSL_X509_PARSE_C */ unsigned char mfl_code; /*!< MaxFragmentLength negotiated by peer */ + int trunc_hmac; /*!< flag for truncated hmac activation */ }; /* diff --git a/library/ssl_cli.c b/library/ssl_cli.c index c89bf0cb0..877d6cddd 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -293,6 +293,28 @@ static void ssl_write_max_fragment_length_ext( ssl_context *ssl, *olen = 5; } +static void ssl_write_truncated_hmac_ext( ssl_context *ssl, + unsigned char *buf, size_t *olen ) +{ + unsigned char *p = buf; + + if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ) + { + *olen = 0; + return; + } + + SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); + + *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); + + *p++ = 0x00; + *p++ = 0x00; + + *olen = 4; +} + static int ssl_write_client_hello( ssl_context *ssl ) { int ret; @@ -463,6 +485,9 @@ static int ssl_write_client_hello( ssl_context *ssl ) ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; + ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); + ext_len += olen; + SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", ext_len ) ); @@ -526,6 +551,7 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl, return( 0 ); } + static int ssl_parse_max_fragment_length_ext( ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -544,6 +570,23 @@ static int ssl_parse_max_fragment_length_ext( ssl_context *ssl, return( 0 ); } +static int ssl_parse_truncated_hmac_ext( ssl_context *ssl, + const unsigned char *buf, + size_t len ) +{ + if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED || + len != 0 ) + { + return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); + } + + ((void) buf); + + ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED; + + return( 0 ); +} + static int ssl_parse_server_hello( ssl_context *ssl ) { uint32_t t; @@ -771,6 +814,17 @@ static int ssl_parse_server_hello( ssl_context *ssl ) break; + case TLS_EXT_TRUNCATED_HMAC: + SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); + + if( ( ret = ssl_parse_truncated_hmac_ext( ssl, + ext + 4, ext_size ) ) != 0 ) + { + return( ret ); + } + + break; + default: SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", ext_id ) ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 3e1838667..6cbc5f406 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -306,6 +306,23 @@ static int ssl_parse_max_fragment_length_ext( ssl_context *ssl, return( 0 ); } +static int ssl_parse_truncated_hmac_ext( ssl_context *ssl, + const unsigned char *buf, + size_t len ) +{ + if( len != 0 ) + { + SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + ((void) buf); + + ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED; + + return( 0 ); +} + #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) static int ssl_parse_client_hello_v2( ssl_context *ssl ) { @@ -848,6 +865,14 @@ static int ssl_parse_client_hello( ssl_context *ssl ) return( ret ); break; + case TLS_EXT_TRUNCATED_HMAC: + SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); + + ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; + default: SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", ext_id ) ); @@ -957,6 +982,29 @@ have_ciphersuite: return( 0 ); } +static void ssl_write_truncated_hmac_ext( ssl_context *ssl, + unsigned char *buf, + size_t *olen ) +{ + unsigned char *p = buf; + + if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ) + { + *olen = 0; + return; + } + + SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); + + *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); + + *p++ = 0x00; + *p++ = 0x00; + + *olen = 4; +} + static void ssl_write_renegotiation_ext( ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -1128,6 +1176,9 @@ static int ssl_write_server_hello( ssl_context *ssl ) ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; + ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); + ext_len += olen; + SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); From 277f7f23e270a66ca6058d7538977e3ce9ed0bb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 19 Jul 2013 12:19:21 +0200 Subject: [PATCH 3/4] Implement hmac truncation --- include/polarssl/ssl.h | 1 + library/ssl_tls.c | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index c7d7b12e3..184e2e178 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -150,6 +150,7 @@ #define SSL_TRUNC_HMAC_DISABLED 0 #define SSL_TRUNC_HMAC_ENABLED 1 +#define SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */ /* * Size of the input / output buffer. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4e7cac79b..3da7c0b09 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -475,6 +475,14 @@ int ssl_derive_keys( ssl_context *ssl ) } transform->maclen = md_get_size( md_info ); + + /* + * If HMAC is to be truncated, we shall keep the leftmost bytes, + * (rfc 6066 page 13 or rfc 2104 section 4), + * so we only need to adjust the length here. + */ + if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED ) + transform->maclen = SSL_TRUNCATED_HMAC_LEN; } transform->keylen = cipher_info->key_length; From 8c1ede655f14c544c35dd4e5c840efa5001754db Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Fri, 19 Jul 2013 14:14:37 +0200 Subject: [PATCH 4/4] Changed prototype for ssl_set_truncated_hmac() to allow disabling --- include/polarssl/ssl.h | 5 ++++- library/ssl_tls.c | 4 ++-- programs/ssl/ssl_client2.c | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 184e2e178..1557d3931 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -986,13 +986,16 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code ); /** * \brief Activate negotiation of truncated HMAC (Client only) + * (Default: SSL_TRUNC_HMAC_ENABLED) * * \param ssl SSL context + * \param truncate Enable or disable (SSL_TRUNC_HMAC_ENABLED or + * SSL_TRUNC_HMAC_DISABLED) * * \return O if successful, * POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side */ -int ssl_set_truncated_hmac( ssl_context *ssl ); +int ssl_set_truncated_hmac( ssl_context *ssl, int truncate ); /** * \brief Enable / Disable renegotiation support for connection when diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3da7c0b09..b9fca4440 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3149,12 +3149,12 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code ) return( 0 ); } -int ssl_set_truncated_hmac( ssl_context *ssl ) +int ssl_set_truncated_hmac( ssl_context *ssl, int truncate ) { if( ssl->endpoint != SSL_IS_CLIENT ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); - ssl->trunc_hmac = SSL_TRUNC_HMAC_ENABLED; + ssl->trunc_hmac = truncate; return( 0 ); } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 60e6f7e97..ca4d7c74e 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -634,7 +634,7 @@ int main( int argc, char *argv[] ) ssl_set_max_frag_len( &ssl, opt.mfl_code ); if( opt.trunc_hmac != 0 ) - ssl_set_truncated_hmac( &ssl ); + ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout );