Merge branch 'truncated-hmac' into development

include/polarssl/ssl.h

@@ -148,6 +148,10 @@
 #define SSL_LEGACY_ALLOW_RENEGOTIATION  1
 #define SSL_LEGACY_BREAK_HANDSHAKE      2
 
+#define SSL_TRUNC_HMAC_DISABLED         0
+#define SSL_TRUNC_HMAC_ENABLED          1
+#define SSL_TRUNCATED_HMAC_LEN          10  /* 80 bits, rfc 6066 section 7 */
+
 /*
  * Size of the input / output buffer.
  * Note: the RFC defines the default size of SSL / TLS messages. If you
@@ -251,6 +255,8 @@
 
 #define TLS_EXT_MAX_FRAGMENT_LENGTH          1
 
+#define TLS_EXT_TRUNCATED_HMAC               4
+
 #define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES   10
 #define TLS_EXT_SUPPORTED_POINT_FORMATS     11
 
@@ -333,6 +339,7 @@ struct _ssl_session
 #endif /* POLARSSL_X509_PARSE_C */
 
     unsigned char mfl_code;     /*!< MaxFragmentLength negotiated by peer */
+    int trunc_hmac;             /*!< flag for truncated hmac activation   */
 };
 
 /*
@@ -540,6 +547,7 @@ struct _ssl_context
     int disable_renegotiation;          /*!<  enable/disable renegotiation   */
     int allow_legacy_renegotiation;     /*!<  allow legacy renegotiation     */
     const int *ciphersuite_list[4];     /*!<  allowed ciphersuites / version */
+    int trunc_hmac;                     /*!<  negotiate truncated hmac?      */
 
 #if defined(POLARSSL_DHM_C)
     mpi dhm_P;                          /*!<  prime modulus for DHM   */
@@ -976,6 +984,19 @@ void ssl_set_min_version( ssl_context *ssl, int major, int minor );
  */
 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
 
+/**
+ * \brief          Activate negotiation of truncated HMAC (Client only)
+ *                 (Default: SSL_TRUNC_HMAC_ENABLED)
+ *
+ * \param ssl      SSL context
+ * \param truncate Enable or disable (SSL_TRUNC_HMAC_ENABLED or
+ *                                    SSL_TRUNC_HMAC_DISABLED)
+ *
+ * \return         O if successful,
+ *                 POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side
+ */
+int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
+
 /**
  * \brief          Enable / Disable renegotiation support for connection when
  *                 initiated by peer

library/ssl_cli.c

@@ -293,6 +293,28 @@ static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
     *olen = 5;
 }
 
+static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
+                                          unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
+    {
+        *olen = 0;
+        return;
+    }
+
+    SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
+
+    *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+
 static int ssl_write_client_hello( ssl_context *ssl )
 {
     int ret;
@@ -463,6 +485,9 @@ static int ssl_write_client_hello( ssl_context *ssl )
     ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
 
+    ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+
     SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
                    ext_len ) );
 
@@ -526,6 +551,7 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
 
     return( 0 );
 }
+
 static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
                                               const unsigned char *buf,
                                               size_t len )
@@ -544,6 +570,23 @@ static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
     return( 0 );
 }
 
+static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
+        len != 0 )
+    {
+        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
+
+    return( 0 );
+}
+
 static int ssl_parse_server_hello( ssl_context *ssl )
 {
     uint32_t t;
@@ -771,6 +814,17 @@ static int ssl_parse_server_hello( ssl_context *ssl )
 
             break;
 
+        case TLS_EXT_TRUNCATED_HMAC:
+            SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
+
+            if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+
         default:
             SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
                            ext_id ) );

library/ssl_srv.c

@@ -306,6 +306,23 @@ static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
     return( 0 );
 }
 
+static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( len != 0 )
+    {
+        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
+
+    return( 0 );
+}
+
 #if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
 static int ssl_parse_client_hello_v2( ssl_context *ssl )
 {
@@ -848,6 +865,14 @@ static int ssl_parse_client_hello( ssl_context *ssl )
                 return( ret );
             break;
 
+        case TLS_EXT_TRUNCATED_HMAC:
+            SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
+
+            ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
+            if( ret != 0 )
+                return( ret );
+            break;
+
         default:
             SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
                            ext_id ) );
@@ -957,6 +982,29 @@ have_ciphersuite:
     return( 0 );
 }
 
+static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
+                                          unsigned char *buf,
+                                          size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
+    {
+        *olen = 0;
+        return;
+    }
+
+    SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
+
+    *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+
 static void ssl_write_renegotiation_ext( ssl_context *ssl,
                                          unsigned char *buf,
                                          size_t *olen )
@@ -1128,6 +1176,9 @@ static int ssl_write_server_hello( ssl_context *ssl )
     ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
     ext_len += olen;
 
+    ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+
     SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
 
     *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );

library/ssl_tls.c

@@ -475,6 +475,14 @@ int ssl_derive_keys( ssl_context *ssl )
             }
 
             transform->maclen = md_get_size( md_info );
+
+            /*
+             * If HMAC is to be truncated, we shall keep the leftmost bytes,
+             * (rfc 6066 page 13 or rfc 2104 section 4),
+             * so we only need to adjust the length here.
+             */
+            if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
+                transform->maclen = SSL_TRUNCATED_HMAC_LEN;
         }
 
         transform->keylen = cipher_info->key_length;
@@ -3141,6 +3149,16 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
     return( 0 );
 }
 
+int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
+{
+    if( ssl->endpoint != SSL_IS_CLIENT )
+        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+    ssl->trunc_hmac = truncate;
+
+    return( 0 );
+}
+
 void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
 {
     ssl->disable_renegotiation = renegotiation;

programs/ssl/ssl_client2.c

@@ -58,6 +58,7 @@
 #define DFL_MAX_VERSION         -1
 #define DFL_AUTH_MODE           SSL_VERIFY_OPTIONAL
 #define DFL_MFL_CODE            SSL_MAX_FRAG_LEN_NONE
+#define DFL_TRUNC_HMAC          0
 
 #define LONG_HEADER "User-agent: blah-blah-blah-blah-blah-blah-blah-blah-"   \
     "-01--blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-" \
@@ -94,6 +95,7 @@ struct options
     int max_version;            /* maximum protocol version accepted        */
     int auth_mode;              /* verify mode for connection               */
     unsigned char mfl_code;     /* code for maximum fragment length         */
+    int trunc_hmac;             /* negotiate truncated hmac or not          */
 } opt;
 
 static void my_debug( void *ctx, int level, const char *str )
@@ -191,6 +193,7 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags )
     "                        options: none, optional, required\n" \
     "    max_frag_len=%%d     default: 16384 (tls default)" \
     "                        options: 512, 1024, 2048, 4096" \
+    "    trunc_hmac=%%d       default: 0 (disabled)\n"      \
     USAGE_PSK                                               \
     "\n"                                                    \
     "    force_ciphersuite=<name>    default: all enabled\n"\
@@ -281,6 +284,7 @@ int main( int argc, char *argv[] )
     opt.max_version         = DFL_MAX_VERSION;
     opt.auth_mode           = DFL_AUTH_MODE;
     opt.mfl_code            = DFL_MFL_CODE;
+    opt.trunc_hmac          = DFL_TRUNC_HMAC;
 
     for( i = 1; i < argc; i++ )
     {
@@ -416,6 +420,12 @@ int main( int argc, char *argv[] )
             else
                 goto usage;
         }
+        else if( strcmp( p, "trunc_hmac" ) == 0 )
+        {
+            opt.trunc_hmac = atoi( q );
+            if( opt.trunc_hmac < 0 || opt.trunc_hmac > 1 )
+                goto usage;
+        }
         else
             goto usage;
     }
@@ -623,6 +633,9 @@ int main( int argc, char *argv[] )
 
     ssl_set_max_frag_len( &ssl, opt.mfl_code );
 
+    if( opt.trunc_hmac != 0 )
+        ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED );
+
     ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
     ssl_set_dbg( &ssl, my_debug, stdout );
     ssl_set_bio( &ssl, net_recv, &server_fd,