mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 02:05:39 +01:00
Merge remote-tracking branch 'public/pr/1752' into development
This commit is contained in:
commit
922bd1efb2
@ -4,8 +4,9 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
Features
|
||||
* Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
|
||||
authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed by
|
||||
Daniel King (#485).
|
||||
authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
|
||||
by Daniel King (#485).
|
||||
* Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
|
||||
* Add platform support for the Haiku OS. (https://www.haiku-os.org).
|
||||
Contributed by Augustin Cavalier.
|
||||
* Make the receive and transmit buffers independent sizes, for situations
|
||||
|
@ -81,7 +81,7 @@
|
||||
* both ends of the connection! (See comments in "mbedtls/ssl.h".)
|
||||
* The optimal size here depends on the typical size of records.
|
||||
*/
|
||||
#define MBEDTLS_SSL_MAX_CONTENT_LEN 512
|
||||
#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
|
||||
|
||||
#include "mbedtls/check_config.h"
|
||||
|
||||
|
@ -271,6 +271,15 @@ extern "C" {
|
||||
|
||||
#define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 0xC0FF /**< experimental */
|
||||
|
||||
/* RFC 7905 */
|
||||
#define MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 /**< TLS 1.2 */
|
||||
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 /**< TLS 1.2 */
|
||||
#define MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA /**< TLS 1.2 */
|
||||
#define MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB /**< TLS 1.2 */
|
||||
#define MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC /**< TLS 1.2 */
|
||||
#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD /**< TLS 1.2 */
|
||||
#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE /**< TLS 1.2 */
|
||||
|
||||
/* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
|
||||
* Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
|
||||
*/
|
||||
|
@ -47,7 +47,7 @@
|
||||
* 1. By key exchange:
|
||||
* Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
|
||||
* 2. By key length and cipher:
|
||||
* AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128 > 3DES
|
||||
* ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128 > 3DES
|
||||
* 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
|
||||
* 4. By hash function used when relevant
|
||||
* 5. By key exchange/auth again: EC > non-EC
|
||||
@ -57,6 +57,11 @@ static const int ciphersuite_preference[] =
|
||||
#if defined(MBEDTLS_SSL_CIPHERSUITES)
|
||||
MBEDTLS_SSL_CIPHERSUITES,
|
||||
#else
|
||||
/* Chacha-Poly ephemeral suites */
|
||||
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
|
||||
/* All AES-256 ephemeral suites */
|
||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
@ -127,6 +132,8 @@ static const int ciphersuite_preference[] =
|
||||
MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||
|
||||
/* The PSK ephemeral suites */
|
||||
MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
|
||||
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
|
||||
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
|
||||
@ -227,6 +234,7 @@ static const int ciphersuite_preference[] =
|
||||
MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
||||
|
||||
/* The RSA PSK suites */
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
|
||||
@ -246,6 +254,7 @@ static const int ciphersuite_preference[] =
|
||||
MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
|
||||
|
||||
/* The PSK suites */
|
||||
MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
|
||||
MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
|
||||
MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384,
|
||||
@ -312,6 +321,75 @@ static const int ciphersuite_preference[] =
|
||||
|
||||
static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
{
|
||||
#if defined(MBEDTLS_CHACHAPOLY_C) && \
|
||||
defined(MBEDTLS_SHA256_C) && \
|
||||
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
|
||||
{ MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
"TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
|
||||
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
"TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
|
||||
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
|
||||
{ MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||
"TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
|
||||
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_KEY_EXCHANGE_DHE_RSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||
{ MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
"TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
|
||||
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_KEY_EXCHANGE_PSK,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
{ MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
"TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
|
||||
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
{ MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
"TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
|
||||
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_KEY_EXCHANGE_DHE_PSK,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
"TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256",
|
||||
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
#endif
|
||||
#endif /* MBEDTLS_CHACHAPOLY_C &&
|
||||
MBEDTLS_SHA256_C &&
|
||||
MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
|
@ -698,18 +698,32 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||
transform->keylen = cipher_info->key_bitlen / 8;
|
||||
|
||||
if( cipher_info->mode == MBEDTLS_MODE_GCM ||
|
||||
cipher_info->mode == MBEDTLS_MODE_CCM )
|
||||
cipher_info->mode == MBEDTLS_MODE_CCM ||
|
||||
cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
|
||||
{
|
||||
size_t taglen, explicit_ivlen;
|
||||
|
||||
transform->maclen = 0;
|
||||
mac_key_len = 0;
|
||||
|
||||
/* All modes haves 96-bit IVs;
|
||||
* GCM and CCM has 4 implicit and 8 explicit bytes
|
||||
* ChachaPoly has all 12 bytes implicit
|
||||
*/
|
||||
transform->ivlen = 12;
|
||||
if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
|
||||
transform->fixed_ivlen = 12;
|
||||
else
|
||||
transform->fixed_ivlen = 4;
|
||||
|
||||
/* Minimum length is expicit IV + tag */
|
||||
transform->minlen = transform->ivlen - transform->fixed_ivlen
|
||||
+ ( transform->ciphersuite_info->flags &
|
||||
MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
|
||||
/* All modes have 128-bit tags, except CCM_8 (ciphersuite flag) */
|
||||
taglen = transform->ciphersuite_info->flags &
|
||||
MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
|
||||
|
||||
|
||||
/* Minimum length of encrypted record */
|
||||
explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
|
||||
transform->minlen = explicit_ivlen + taglen;
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -1407,17 +1421,26 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
else
|
||||
#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
|
||||
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
|
||||
#if defined(MBEDTLS_GCM_C) || \
|
||||
defined(MBEDTLS_CCM_C) || \
|
||||
defined(MBEDTLS_CHACHAPOLY_C)
|
||||
if( mode == MBEDTLS_MODE_GCM ||
|
||||
mode == MBEDTLS_MODE_CCM )
|
||||
mode == MBEDTLS_MODE_CCM ||
|
||||
mode == MBEDTLS_MODE_CHACHAPOLY )
|
||||
{
|
||||
int ret;
|
||||
size_t enc_msglen, olen;
|
||||
unsigned char *enc_msg;
|
||||
unsigned char add_data[13];
|
||||
unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
|
||||
unsigned char iv[12];
|
||||
mbedtls_ssl_transform *transform = ssl->transform_out;
|
||||
unsigned char taglen = transform->ciphersuite_info->flags &
|
||||
MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
|
||||
size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
|
||||
|
||||
/*
|
||||
* Prepare additional authenticated data
|
||||
*/
|
||||
memcpy( add_data, ssl->out_ctr, 8 );
|
||||
add_data[8] = ssl->out_msgtype;
|
||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
||||
@ -1425,44 +1448,57 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
|
||||
add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
|
||||
add_data[12] = ssl->out_msglen & 0xFF;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
|
||||
add_data, 13 );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
|
||||
|
||||
/*
|
||||
* Generate IV
|
||||
*/
|
||||
if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
|
||||
if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
|
||||
{
|
||||
/* GCM and CCM: fixed || explicit (=seqnum) */
|
||||
memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
|
||||
memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 );
|
||||
memcpy( ssl->out_iv, ssl->out_ctr, 8 );
|
||||
|
||||
}
|
||||
else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
|
||||
{
|
||||
/* ChachaPoly: fixed XOR sequence number */
|
||||
unsigned char i;
|
||||
|
||||
memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
|
||||
|
||||
for( i = 0; i < 8; i++ )
|
||||
iv[i+4] ^= ssl->out_ctr[i];
|
||||
}
|
||||
else
|
||||
{
|
||||
/* Reminder if we ever add an AEAD mode with a different size */
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||
}
|
||||
|
||||
memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
|
||||
ssl->out_ctr, 8 );
|
||||
memcpy( ssl->out_iv, ssl->out_ctr, 8 );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
|
||||
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
|
||||
iv, transform->ivlen );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
|
||||
ssl->out_iv, explicit_ivlen );
|
||||
|
||||
/*
|
||||
* Fix pointer positions and message length with added IV
|
||||
* Fix message length with added IV
|
||||
*/
|
||||
enc_msg = ssl->out_msg;
|
||||
enc_msglen = ssl->out_msglen;
|
||||
ssl->out_msglen += ssl->transform_out->ivlen -
|
||||
ssl->transform_out->fixed_ivlen;
|
||||
ssl->out_msglen += explicit_ivlen;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
|
||||
"including %d bytes of padding",
|
||||
ssl->out_msglen, 0 ) );
|
||||
"including 0 bytes of padding",
|
||||
ssl->out_msglen ) );
|
||||
|
||||
/*
|
||||
* Encrypt and authenticate
|
||||
*/
|
||||
if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
|
||||
ssl->transform_out->iv_enc,
|
||||
ssl->transform_out->ivlen,
|
||||
if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
|
||||
iv, transform->ivlen,
|
||||
add_data, 13,
|
||||
enc_msg, enc_msglen,
|
||||
enc_msg, &olen,
|
||||
@ -1622,7 +1658,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
|
||||
|
||||
static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
size_t i;
|
||||
mbedtls_cipher_mode_t mode;
|
||||
int auth_done = 0;
|
||||
#if defined(SSL_SOME_MODES_USE_MAC)
|
||||
@ -1672,20 +1707,27 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
else
|
||||
#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
|
||||
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
|
||||
#if defined(MBEDTLS_GCM_C) || \
|
||||
defined(MBEDTLS_CCM_C) || \
|
||||
defined(MBEDTLS_CHACHAPOLY_C)
|
||||
if( mode == MBEDTLS_MODE_GCM ||
|
||||
mode == MBEDTLS_MODE_CCM )
|
||||
mode == MBEDTLS_MODE_CCM ||
|
||||
mode == MBEDTLS_MODE_CHACHAPOLY )
|
||||
{
|
||||
int ret;
|
||||
size_t dec_msglen, olen;
|
||||
unsigned char *dec_msg;
|
||||
unsigned char *dec_msg_result;
|
||||
unsigned char add_data[13];
|
||||
unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
|
||||
unsigned char iv[12];
|
||||
mbedtls_ssl_transform *transform = ssl->transform_in;
|
||||
unsigned char taglen = transform->ciphersuite_info->flags &
|
||||
MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
|
||||
size_t explicit_iv_len = ssl->transform_in->ivlen -
|
||||
ssl->transform_in->fixed_ivlen;
|
||||
size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
|
||||
|
||||
/*
|
||||
* Compute and update sizes
|
||||
*/
|
||||
if( ssl->in_msglen < explicit_iv_len + taglen )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
|
||||
@ -1699,6 +1741,9 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
||||
dec_msg_result = ssl->in_msg;
|
||||
ssl->in_msglen = dec_msglen;
|
||||
|
||||
/*
|
||||
* Prepare additional authenticated data
|
||||
*/
|
||||
memcpy( add_data, ssl->in_ctr, 8 );
|
||||
add_data[8] = ssl->in_msgtype;
|
||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
||||
@ -1706,23 +1751,43 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
||||
add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
|
||||
add_data[12] = ssl->in_msglen & 0xFF;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
|
||||
add_data, 13 );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
|
||||
|
||||
memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
|
||||
ssl->in_iv,
|
||||
ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
|
||||
/*
|
||||
* Prepare IV
|
||||
*/
|
||||
if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
|
||||
{
|
||||
/* GCM and CCM: fixed || explicit (transmitted) */
|
||||
memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
|
||||
memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
|
||||
ssl->transform_in->ivlen );
|
||||
}
|
||||
else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
|
||||
{
|
||||
/* ChachaPoly: fixed XOR sequence number */
|
||||
unsigned char i;
|
||||
|
||||
memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
|
||||
|
||||
for( i = 0; i < 8; i++ )
|
||||
iv[i+4] ^= ssl->in_ctr[i];
|
||||
}
|
||||
else
|
||||
{
|
||||
/* Reminder if we ever add an AEAD mode with a different size */
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
|
||||
|
||||
/*
|
||||
* Decrypt and authenticate
|
||||
*/
|
||||
if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
|
||||
ssl->transform_in->iv_dec,
|
||||
ssl->transform_in->ivlen,
|
||||
iv, transform->ivlen,
|
||||
add_data, 13,
|
||||
dec_msg, dec_msglen,
|
||||
dec_msg_result, &olen,
|
||||
@ -1840,6 +1905,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
||||
*/
|
||||
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||
{
|
||||
unsigned char i;
|
||||
dec_msglen -= ssl->transform_in->ivlen;
|
||||
ssl->in_msglen -= ssl->transform_in->ivlen;
|
||||
|
||||
@ -1914,6 +1980,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
||||
*/
|
||||
size_t pad_count = 0, real_count = 1;
|
||||
size_t padding_idx = ssl->in_msglen - padlen - 1;
|
||||
size_t i;
|
||||
|
||||
/*
|
||||
* Padding is guaranteed to be incorrect if:
|
||||
@ -2090,6 +2157,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
||||
else
|
||||
#endif
|
||||
{
|
||||
unsigned char i;
|
||||
for( i = 8; i > ssl_ep_len( ssl ); i-- )
|
||||
if( ++ssl->in_ctr[i - 1] != 0 )
|
||||
break;
|
||||
|
@ -42,6 +42,9 @@ if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then
|
||||
PEER_GNUTLS=""
|
||||
else
|
||||
PEER_GNUTLS=" GnuTLS"
|
||||
if [ $MINOR -lt 4 ]; then
|
||||
GNUTLS_MINOR_LT_FOUR='x'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
else
|
||||
@ -58,7 +61,8 @@ FILTER=""
|
||||
# - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions
|
||||
# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
|
||||
# - ARIA: not in default config.h + requires OpenSSL >= 1.1.1
|
||||
EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA'
|
||||
# - ChachaPoly: requires OpenSSL >= 1.1.0
|
||||
EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
|
||||
VERBOSE=""
|
||||
MEMCHECK=0
|
||||
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
|
||||
@ -437,6 +441,9 @@ add_common_ciphersuites()
|
||||
# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
|
||||
# so RSA-PSK ciphersuites need to go in other sections, see
|
||||
# https://github.com/ARMmbed/mbedtls/issues/1419
|
||||
#
|
||||
# ChachaPoly suites are here rather than in "common", as they were added in
|
||||
# GnuTLS in 3.5.0 and the CI only has 3.4.x so far.
|
||||
add_openssl_ciphersuites()
|
||||
{
|
||||
case $TYPE in
|
||||
@ -468,6 +475,7 @@ add_openssl_ciphersuites()
|
||||
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
|
||||
"
|
||||
O_CIPHERS="$O_CIPHERS \
|
||||
ECDH-ECDSA-AES128-SHA256 \
|
||||
@ -476,6 +484,7 @@ add_openssl_ciphersuites()
|
||||
ECDH-ECDSA-AES256-GCM-SHA384 \
|
||||
ECDHE-ECDSA-ARIA256-GCM-SHA384 \
|
||||
ECDHE-ECDSA-ARIA128-GCM-SHA256 \
|
||||
ECDHE-ECDSA-CHACHA20-POLY1305 \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
@ -498,6 +507,8 @@ add_openssl_ciphersuites()
|
||||
TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-RSA-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
|
||||
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
|
||||
"
|
||||
O_CIPHERS="$O_CIPHERS \
|
||||
ECDHE-ARIA256-GCM-SHA384 \
|
||||
@ -506,6 +517,8 @@ add_openssl_ciphersuites()
|
||||
ECDHE-ARIA128-GCM-SHA256 \
|
||||
DHE-RSA-ARIA128-GCM-SHA256 \
|
||||
ARIA128-GCM-SHA256 \
|
||||
DHE-RSA-CHACHA20-POLY1305 \
|
||||
ECDHE-RSA-CHACHA20-POLY1305 \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
@ -518,12 +531,18 @@ add_openssl_ciphersuites()
|
||||
TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-PSK-WITH-ARIA-256-GCM-SHA384 \
|
||||
TLS-PSK-WITH-ARIA-128-GCM-SHA256 \
|
||||
TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \
|
||||
TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
|
||||
TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
|
||||
"
|
||||
O_CIPHERS="$O_CIPHERS \
|
||||
DHE-PSK-ARIA256-GCM-SHA384 \
|
||||
DHE-PSK-ARIA128-GCM-SHA256 \
|
||||
PSK-ARIA256-GCM-SHA384 \
|
||||
PSK-ARIA128-GCM-SHA256 \
|
||||
DHE-PSK-CHACHA20-POLY1305 \
|
||||
ECDHE-PSK-CHACHA20-POLY1305 \
|
||||
PSK-CHACHA20-POLY1305 \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
@ -545,12 +564,20 @@ add_gnutls_ciphersuites()
|
||||
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
|
||||
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
|
||||
"
|
||||
G_CIPHERS="$G_CIPHERS \
|
||||
+ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256 \
|
||||
+ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384 \
|
||||
+ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD \
|
||||
+ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD \
|
||||
+ECDHE-ECDSA:+AES-128-CCM:+AEAD \
|
||||
+ECDHE-ECDSA:+AES-256-CCM:+AEAD \
|
||||
+ECDHE-ECDSA:+AES-128-CCM-8:+AEAD \
|
||||
+ECDHE-ECDSA:+AES-256-CCM-8:+AEAD \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
@ -580,6 +607,14 @@ add_gnutls_ciphersuites()
|
||||
TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
|
||||
TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
|
||||
TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
|
||||
TLS-RSA-WITH-AES-128-CCM \
|
||||
TLS-RSA-WITH-AES-256-CCM \
|
||||
TLS-DHE-RSA-WITH-AES-128-CCM \
|
||||
TLS-DHE-RSA-WITH-AES-256-CCM \
|
||||
TLS-RSA-WITH-AES-128-CCM-8 \
|
||||
TLS-RSA-WITH-AES-256-CCM-8 \
|
||||
TLS-DHE-RSA-WITH-AES-128-CCM-8 \
|
||||
TLS-DHE-RSA-WITH-AES-256-CCM-8 \
|
||||
"
|
||||
G_CIPHERS="$G_CIPHERS \
|
||||
+ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256 \
|
||||
@ -594,6 +629,14 @@ add_gnutls_ciphersuites()
|
||||
+DHE-RSA:+CAMELLIA-256-GCM:+AEAD \
|
||||
+RSA:+CAMELLIA-128-GCM:+AEAD \
|
||||
+RSA:+CAMELLIA-256-GCM:+AEAD \
|
||||
+RSA:+AES-128-CCM:+AEAD \
|
||||
+RSA:+AES-256-CCM:+AEAD \
|
||||
+RSA:+AES-128-CCM-8:+AEAD \
|
||||
+RSA:+AES-256-CCM-8:+AEAD \
|
||||
+DHE-RSA:+AES-128-CCM:+AEAD \
|
||||
+DHE-RSA:+AES-256-CCM:+AEAD \
|
||||
+DHE-RSA:+AES-128-CCM-8:+AEAD \
|
||||
+DHE-RSA:+AES-256-CCM-8:+AEAD \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
@ -665,6 +708,14 @@ add_gnutls_ciphersuites()
|
||||
TLS-PSK-WITH-AES-256-GCM-SHA384 \
|
||||
TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \
|
||||
TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \
|
||||
TLS-PSK-WITH-AES-128-CCM \
|
||||
TLS-PSK-WITH-AES-256-CCM \
|
||||
TLS-DHE-PSK-WITH-AES-128-CCM \
|
||||
TLS-DHE-PSK-WITH-AES-256-CCM \
|
||||
TLS-PSK-WITH-AES-128-CCM-8 \
|
||||
TLS-PSK-WITH-AES-256-CCM-8 \
|
||||
TLS-DHE-PSK-WITH-AES-128-CCM-8 \
|
||||
TLS-DHE-PSK-WITH-AES-256-CCM-8 \
|
||||
TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
|
||||
TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
|
||||
TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
|
||||
@ -695,6 +746,14 @@ add_gnutls_ciphersuites()
|
||||
+PSK:+AES-256-GCM:+AEAD \
|
||||
+DHE-PSK:+AES-128-GCM:+AEAD \
|
||||
+DHE-PSK:+AES-256-GCM:+AEAD \
|
||||
+PSK:+AES-128-CCM:+AEAD \
|
||||
+PSK:+AES-256-CCM:+AEAD \
|
||||
+DHE-PSK:+AES-128-CCM:+AEAD \
|
||||
+DHE-PSK:+AES-256-CCM:+AEAD \
|
||||
+PSK:+AES-128-CCM-8:+AEAD \
|
||||
+PSK:+AES-256-CCM-8:+AEAD \
|
||||
+DHE-PSK:+AES-128-CCM-8:+AEAD \
|
||||
+DHE-PSK:+AES-256-CCM-8:+AEAD \
|
||||
+RSA-PSK:+CAMELLIA-128-GCM:+AEAD \
|
||||
+RSA-PSK:+CAMELLIA-256-GCM:+AEAD \
|
||||
+PSK:+CAMELLIA-128-GCM:+AEAD \
|
||||
@ -737,10 +796,6 @@ add_mbedtls_ciphersuites()
|
||||
M_CIPHERS="$M_CIPHERS \
|
||||
TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
|
||||
TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
|
||||
TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \
|
||||
TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \
|
||||
@ -755,14 +810,6 @@ add_mbedtls_ciphersuites()
|
||||
if [ `minor_ver "$MODE"` -ge 3 ]
|
||||
then
|
||||
M_CIPHERS="$M_CIPHERS \
|
||||
TLS-RSA-WITH-AES-128-CCM \
|
||||
TLS-RSA-WITH-AES-256-CCM \
|
||||
TLS-DHE-RSA-WITH-AES-128-CCM \
|
||||
TLS-DHE-RSA-WITH-AES-256-CCM \
|
||||
TLS-RSA-WITH-AES-128-CCM-8 \
|
||||
TLS-RSA-WITH-AES-256-CCM-8 \
|
||||
TLS-DHE-RSA-WITH-AES-128-CCM-8 \
|
||||
TLS-DHE-RSA-WITH-AES-256-CCM-8 \
|
||||
TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \
|
||||
@ -789,14 +836,6 @@ add_mbedtls_ciphersuites()
|
||||
if [ `minor_ver "$MODE"` -ge 3 ]
|
||||
then
|
||||
M_CIPHERS="$M_CIPHERS \
|
||||
TLS-PSK-WITH-AES-128-CCM \
|
||||
TLS-PSK-WITH-AES-256-CCM \
|
||||
TLS-DHE-PSK-WITH-AES-128-CCM \
|
||||
TLS-DHE-PSK-WITH-AES-256-CCM \
|
||||
TLS-PSK-WITH-AES-128-CCM-8 \
|
||||
TLS-PSK-WITH-AES-256-CCM-8 \
|
||||
TLS-DHE-PSK-WITH-AES-128-CCM-8 \
|
||||
TLS-DHE-PSK-WITH-AES-256-CCM-8 \
|
||||
TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \
|
||||
TLS-PSK-WITH-ARIA-256-CBC-SHA384 \
|
||||
@ -807,6 +846,7 @@ add_mbedtls_ciphersuites()
|
||||
TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \
|
||||
TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \
|
||||
TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \
|
||||
TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \
|
||||
"
|
||||
fi
|
||||
;;
|
||||
@ -842,10 +882,17 @@ setup_arguments()
|
||||
exit 1;
|
||||
esac
|
||||
|
||||
# GnuTLS < 3.4 will choke if we try to allow CCM-8
|
||||
if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then
|
||||
G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:"
|
||||
else
|
||||
G_PRIO_CCM=""
|
||||
fi
|
||||
|
||||
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
|
||||
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem"
|
||||
G_SERVER_ARGS="-p $PORT --http $G_MODE"
|
||||
G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
|
||||
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
|
||||
|
||||
# with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
|
||||
if is_dtls "$MODE"; then
|
||||
|
@ -565,8 +565,8 @@ if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
|
||||
msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min
|
||||
if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
|
||||
|
||||
msg "test: compat.sh ARIA"
|
||||
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA'
|
||||
msg "test: compat.sh ARIA + ChachaPoly"
|
||||
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
|
||||
|
||||
msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
|
||||
cleanup
|
||||
|
@ -742,7 +742,7 @@ run_test "Default" \
|
||||
"$P_CLI" \
|
||||
0 \
|
||||
-s "Protocol is TLSv1.2" \
|
||||
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
|
||||
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
|
||||
-s "client hello v3, signature_algorithm ext: 6" \
|
||||
-s "ECDHE curve: secp521r1" \
|
||||
-S "error" \
|
||||
@ -753,20 +753,14 @@ run_test "Default, DTLS" \
|
||||
"$P_CLI dtls=1" \
|
||||
0 \
|
||||
-s "Protocol is DTLSv1.2" \
|
||||
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
|
||||
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
|
||||
|
||||
# Test current time in ServerHello
|
||||
requires_config_enabled MBEDTLS_HAVE_TIME
|
||||
run_test "Default, ServerHello contains gmt_unix_time" \
|
||||
run_test "ServerHello contains gmt_unix_time" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI debug_level=3" \
|
||||
0 \
|
||||
-s "Protocol is TLSv1.2" \
|
||||
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
|
||||
-s "client hello v3, signature_algorithm ext: 6" \
|
||||
-s "ECDHE curve: secp521r1" \
|
||||
-S "error" \
|
||||
-C "error" \
|
||||
-f "check_server_hello_time" \
|
||||
-F "check_server_hello_time"
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user