lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merged support for Camellia-GCM + ciphersuite and fixes to cipher layer

Browse Source
This commit is contained in:
Paul Bakker
2013-10-28 14:37:09 +01:00
parent 3f917e230d a8a25ae1b9
commit 1642122f8b
32 changed files with 5615 additions and 3443 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
library/cipher.c
View File

@ -185,11 +185,21 @@ int cipher_set_iv( cipher_context_t *ctx,
if( NULL == ctx || NULL == ctx->cipher_info || NULL == iv )
return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
/* avoid buffer overflow in ctx->iv */
if( iv_len > POLARSSL_MAX_IV_LENGTH )
return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
if( ctx->cipher_info->accepts_variable_iv_size )
actual_iv_size = iv_len;
else
{
actual_iv_size = ctx->cipher_info->iv_size;
/* avoid reading past the end of input buffer */
if( actual_iv_size > iv_len )
return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
}
memcpy( ctx->iv, iv, actual_iv_size );
ctx->iv_size = actual_iv_size;

87
library/cipher_wrap.c
View File

@ -66,6 +66,20 @@
#include <stdlib.h>
#if defined(POLARSSL_GCM_C)
/* shared by all GCM ciphers */
static void *gcm_ctx_alloc( void )
{
return polarssl_malloc( sizeof( gcm_context ) );
}
static void gcm_ctx_free( void *ctx )
{
gcm_free( ctx );
polarssl_free( ctx );
}
#endif
#if defined(POLARSSL_AES_C)
static int aes_crypt_ecb_wrap( void *ctx, operation_t operation,
@ -301,17 +315,6 @@ const cipher_info_t aes_256_ctr_info = {
#endif /* POLARSSL_CIPHER_MODE_CTR */
#if defined(POLARSSL_GCM_C)
static void *gcm_ctx_alloc( void )
{
return polarssl_malloc( sizeof( gcm_context ) );
}
static void gcm_ctx_free( void *ctx )
{
gcm_free( ctx );
polarssl_free( ctx );
}
static int gcm_aes_setkey_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
{
return gcm_init( (gcm_context *) ctx, POLARSSL_CIPHER_ID_AES,
@ -601,7 +604,61 @@ const cipher_info_t camellia_256_ctr_info = {
};
#endif /* POLARSSL_CIPHER_MODE_CTR */
#endif
#if defined(POLARSSL_GCM_C)
static int gcm_camellia_setkey_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
{
return gcm_init( (gcm_context *) ctx, POLARSSL_CIPHER_ID_CAMELLIA,
key, key_length );
}
const cipher_base_t gcm_camellia_info = {
POLARSSL_CIPHER_ID_CAMELLIA,
NULL,
NULL,
NULL,
NULL,
NULL,
gcm_camellia_setkey_wrap,
gcm_camellia_setkey_wrap,
gcm_ctx_alloc,
gcm_ctx_free,
};
const cipher_info_t camellia_128_gcm_info = {
POLARSSL_CIPHER_CAMELLIA_128_GCM,
POLARSSL_MODE_GCM,
128,
"CAMELLIA-128-GCM",
12,
1,
16,
&gcm_camellia_info
};
const cipher_info_t camellia_192_gcm_info = {
POLARSSL_CIPHER_CAMELLIA_192_GCM,
POLARSSL_MODE_GCM,
192,
"CAMELLIA-192-GCM",
12,
1,
16,
&gcm_camellia_info
};
const cipher_info_t camellia_256_gcm_info = {
POLARSSL_CIPHER_CAMELLIA_256_GCM,
POLARSSL_MODE_GCM,
256,
"CAMELLIA-256-GCM",
12,
1,
16,
&gcm_camellia_info
};
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)
@ -1149,6 +1206,7 @@ const cipher_definition_t cipher_definitions[] =
#if defined(POLARSSL_CAMELLIA_C)
{ POLARSSL_CIPHER_CAMELLIA_128_ECB, &camellia_128_ecb_info },
{ POLARSSL_CIPHER_CAMELLIA_192_ECB, &camellia_192_ecb_info },
{ POLARSSL_CIPHER_CAMELLIA_256_ECB, &camellia_256_ecb_info },
#if defined(POLARSSL_CIPHER_MODE_CBC)
{ POLARSSL_CIPHER_CAMELLIA_128_CBC, &camellia_128_cbc_info },
{ POLARSSL_CIPHER_CAMELLIA_192_CBC, &camellia_192_cbc_info },
@ -1164,6 +1222,11 @@ const cipher_definition_t cipher_definitions[] =
{ POLARSSL_CIPHER_CAMELLIA_192_CTR, &camellia_192_ctr_info },
{ POLARSSL_CIPHER_CAMELLIA_256_CTR, &camellia_256_ctr_info },
#endif
#if defined(POLARSSL_GCM_C)
{ POLARSSL_CIPHER_CAMELLIA_128_GCM, &camellia_128_gcm_info },
{ POLARSSL_CIPHER_CAMELLIA_192_GCM, &camellia_192_gcm_info },
{ POLARSSL_CIPHER_CAMELLIA_256_GCM, &camellia_256_gcm_info },
#endif
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)

2
library/error.c
View File

@ -422,6 +422,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
if( use_ret == -(POLARSSL_ERR_SSL_UNKNOWN_IDENTITY) )
snprintf( buf, buflen, "SSL - Unkown identity received (eg, PSK identity)" );
if( use_ret == -(POLARSSL_ERR_SSL_INTERNAL_ERROR) )
snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
#endif /* POLARSSL_SSL_TLS_C */
#if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C)

6
library/gcm.c
View File

@ -412,12 +412,12 @@ void gcm_free( gcm_context *ctx )
memset( ctx, 0, sizeof( gcm_context ) );
}
#if defined(POLARSSL_SELF_TEST)
#if defined(POLARSSL_SELF_TEST) && defined(POLARSSL_AES_C)
#include <stdio.h>
/*
* GCM test vectors from:
* AES-GCM test vectors from:
*
* http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
*/
@ -850,6 +850,6 @@ int gcm_self_test( int verbose )
#endif
#endif /* POLARSSL_SELF_TEST && POLARSSL_AES_C */
#endif

241
library/ssl_ciphersuites.c
View File

@ -40,38 +40,53 @@
/*
* Ordered from most preferred to least preferred in terms of security.
*
* Current rule (except weak and null which come last):
* 1. By key exchange:
* Forward-secure non-PSK > forward-secure PSK > other non-PSK > other PSK
* 2. By key length and cipher:
* AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES > RC4
* 3. By cipher mode when relevant GCM > CBC
* 4. By hash function used
* 5. By key exchange/auth again: EC > non-EC
*/
static const int ciphersuite_preference[] =
{
/* All AES-256 ephemeral suites */
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
/* All CAMELLIA-256 ephemeral suites */
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
/* All AES-128 ephemeral suites */
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
/* All CAMELLIA-128 ephemeral suites */
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
@ -85,40 +100,46 @@ static const int ciphersuite_preference[] =
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
/* The PSK ephemeral suites */
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_PSK_WITH_RC4_128_SHA,
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_PSK_WITH_RC4_128_SHA,
TLS_DHE_PSK_WITH_RC4_128_SHA,
/* All AES-256 suites */
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
/* All CAMELLIA-256 suites */
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
/* All AES-128 suites */
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
/* All CAMELLIA-128 suites */
TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
@ -128,26 +149,34 @@ static const int ciphersuite_preference[] =
TLS_RSA_WITH_RC4_128_MD5,
/* The RSA PSK suites */
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_PSK_WITH_RC4_128_SHA,
/* The PSK suites */
TLS_PSK_WITH_AES_256_GCM_SHA384,
TLS_PSK_WITH_AES_256_CBC_SHA384,
TLS_PSK_WITH_AES_256_CBC_SHA,
TLS_PSK_WITH_AES_256_GCM_SHA384,
TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS_PSK_WITH_AES_128_GCM_SHA256,
TLS_PSK_WITH_AES_128_CBC_SHA256,
TLS_PSK_WITH_AES_128_CBC_SHA,
TLS_PSK_WITH_AES_128_GCM_SHA256,
TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS_PSK_WITH_3DES_EDE_CBC_SHA,
TLS_PSK_WITH_RC4_128_SHA,
@ -164,6 +193,7 @@ static const int ciphersuite_preference[] =
TLS_DHE_PSK_WITH_NULL_SHA384,
TLS_DHE_PSK_WITH_NULL_SHA256,
TLS_DHE_PSK_WITH_NULL_SHA,
TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_NULL_SHA,
TLS_RSA_WITH_NULL_MD5,
@ -250,6 +280,23 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_GCM_C)
#if defined(POLARSSL_SHA256_C)
{ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
POLARSSL_CIPHER_CAMELLIA_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA256_C */
#if defined(POLARSSL_SHA512_C)
{ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
POLARSSL_CIPHER_CAMELLIA_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)
@ -352,6 +399,23 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_GCM_C)
#if defined(POLARSSL_SHA256_C)
{ TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
POLARSSL_CIPHER_CAMELLIA_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA256_C */
#if defined(POLARSSL_SHA512_C)
{ TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
POLARSSL_CIPHER_CAMELLIA_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)
@ -468,6 +532,23 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA1_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_GCM_C)
#if defined(POLARSSL_SHA256_C)
{ TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
POLARSSL_CIPHER_CAMELLIA_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA256_C */
#if defined(POLARSSL_SHA512_C)
{ TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
POLARSSL_CIPHER_CAMELLIA_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_DHE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)
@ -564,6 +645,24 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA1_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_GCM_C)
#if defined(POLARSSL_SHA256_C)
{ TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
POLARSSL_CIPHER_CAMELLIA_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA256_C */
#if defined(POLARSSL_SHA1_C)
{ TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
POLARSSL_CIPHER_CAMELLIA_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA1_C */
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)
@ -668,6 +767,24 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_GCM_C)
#if defined(POLARSSL_SHA256_C)
{ TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256",
POLARSSL_CIPHER_CAMELLIA_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA256_C */
#if defined(POLARSSL_SHA512_C)
{ TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384",
POLARSSL_CIPHER_CAMELLIA_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)
@ -764,6 +881,24 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_GCM_C)
#if defined(POLARSSL_SHA256_C)
{ TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256",
POLARSSL_CIPHER_CAMELLIA_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA256_C */
#if defined(POLARSSL_SHA512_C)
{ TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
POLARSSL_CIPHER_CAMELLIA_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)
@ -939,6 +1074,24 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_GCM_C)
#if defined(POLARSSL_SHA256_C)
{ TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256",
POLARSSL_CIPHER_CAMELLIA_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA256_C */
#if defined(POLARSSL_SHA512_C)
{ TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
POLARSSL_CIPHER_CAMELLIA_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_RSA_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
#endif /* POLARSSL_SHA512_C */
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)
@ -1000,6 +1153,22 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_WEAK },
#endif /* POLARSSL_SHA1_C */
#if defined(POLARSSL_SHA256_C)
{ TLS_PSK_WITH_NULL_SHA256, "TLS-PSK-WITH-NULL-SHA256",
POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_WEAK },
#endif
#if defined(POLARSSL_SHA512_C)
{ TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384",
POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_WEAK },
#endif
#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
@ -1010,6 +1179,22 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_WEAK },
#endif /* POLARSSL_SHA1_C */
#if defined(POLARSSL_SHA256_C)
{ TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256",
POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_WEAK },
#endif
#if defined(POLARSSL_SHA512_C)
{ TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_WEAK },
#endif
#endif /* POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
@ -1048,20 +1233,20 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* POLARSSL_SHA1_C */
#if defined(POLARSSL_SHA256_C)
{ TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
{ TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-NULL-SHA256",
POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_WEAK },
#endif /* POLARSSL_SHA256_C */
#endif
#if defined(POLARSSL_SHA512_C)
{ TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
{ TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
POLARSSL_CIPHER_NULL, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_RSA_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_WEAK },
#endif /* POLARSSL_SHA512_C */
#endif
#endif /* POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED */
#endif /* POLARSSL_CIPHER_NULL_CIPHER */

365
library/ssl_tls.c
View File

@ -633,73 +633,54 @@ int ssl_derive_keys( ssl_context *ssl )
}
#endif
switch( cipher_info->type )
if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
cipher_info ) ) != 0 )
{
case POLARSSL_CIPHER_ARC4_128:
case POLARSSL_CIPHER_DES_EDE3_CBC:
case POLARSSL_CIPHER_CAMELLIA_128_CBC:
case POLARSSL_CIPHER_CAMELLIA_256_CBC:
case POLARSSL_CIPHER_AES_128_CBC:
case POLARSSL_CIPHER_AES_256_CBC:
case POLARSSL_CIPHER_DES_CBC:
case POLARSSL_CIPHER_AES_128_GCM:
case POLARSSL_CIPHER_AES_256_GCM:
if( ( ret = cipher_init_ctx( &transform->cipher_ctx_enc,
cipher_info ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
return( ret );
}
SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
return( ret );
}
if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
cipher_info ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
return( ret );
}
if( ( ret = cipher_init_ctx( &transform->cipher_ctx_dec,
cipher_info ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_init_ctx", ret );
return( ret );
}
if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
cipher_info->key_length,
POLARSSL_ENCRYPT ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_setkey", ret );
return( ret );
}
if( ( ret = cipher_setkey( &transform->cipher_ctx_enc, key1,
cipher_info->key_length,
POLARSSL_ENCRYPT ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_setkey", ret );
return( ret );
}
if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
cipher_info->key_length,
POLARSSL_DECRYPT ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_setkey", ret );
return( ret );
}
if( ( ret = cipher_setkey( &transform->cipher_ctx_dec, key2,
cipher_info->key_length,
POLARSSL_DECRYPT ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_setkey", ret );
return( ret );
}
#if defined(POLARSSL_CIPHER_MODE_CBC)
if( cipher_info->mode == POLARSSL_MODE_CBC )
{
if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
POLARSSL_PADDING_NONE ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
return( ret );
}
if( cipher_info->mode == POLARSSL_MODE_CBC )
{
if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_enc,
POLARSSL_PADDING_NONE ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
return( ret );
}
if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
POLARSSL_PADDING_NONE ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
return( ret );
}
}
#endif /* POLARSSL_CIPHER_MODE_CBC */
break;
case POLARSSL_CIPHER_NULL:
break;
default:
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
if( ( ret = cipher_set_padding_mode( &transform->cipher_ctx_dec,
POLARSSL_PADDING_NONE ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_set_padding_mode", ret );
return( ret );
}
}
#endif /* POLARSSL_CIPHER_MODE_CBC */
memset( keyblk, 0, sizeof( keyblk ) );
@ -992,50 +973,56 @@ static int ssl_encrypt_buf( ssl_context *ssl )
SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
/*
* Add MAC then encrypt
* Add MAC before encrypt, except for GCM
*/
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
( defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
if( ssl->transform_out->cipher_ctx_enc.cipher_info->mode !=
POLARSSL_MODE_GCM )
{
ssl_mac( &ssl->transform_out->md_ctx_enc,
ssl->transform_out->mac_enc,
ssl->out_msg, ssl->out_msglen,
ssl->out_ctr, ssl->out_msgtype );
}
else
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
{
ssl_mac( &ssl->transform_out->md_ctx_enc,
ssl->transform_out->mac_enc,
ssl->out_msg, ssl->out_msglen,
ssl->out_ctr, ssl->out_msgtype );
}
else
#endif
#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
{
md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
md_hmac_update( &ssl->transform_out->md_ctx_enc,
ssl->out_msg, ssl->out_msglen );
md_hmac_finish( &ssl->transform_out->md_ctx_enc,
ssl->out_msg + ssl->out_msglen );
md_hmac_reset( &ssl->transform_out->md_ctx_enc );
}
else
defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= SSL_MINOR_VERSION_1 )
{
md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 13 );
md_hmac_update( &ssl->transform_out->md_ctx_enc,
ssl->out_msg, ssl->out_msglen );
md_hmac_finish( &ssl->transform_out->md_ctx_enc,
ssl->out_msg + ssl->out_msglen );
md_hmac_reset( &ssl->transform_out->md_ctx_enc );
}
else
#endif
{
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
{
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
}
SSL_DEBUG_BUF( 4, "computed mac",
ssl->out_msg + ssl->out_msglen,
ssl->transform_out->maclen );
ssl->out_msglen += ssl->transform_out->maclen;
}
#endif /* GCM not the only option */
SSL_DEBUG_BUF( 4, "computed mac",
ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
ssl->out_msglen += ssl->transform_out->maclen;
#if defined(POLARSSL_CIPHER_NULL_CIPHER)
if( ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_NULL )
{
; /* Nothing to do */
}
else
#endif /* POLARSSL_CIPHER_NULL_CIPHER */
#if defined(POLARSSL_ARC4_C)
if( ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
/*
* Encrypt
*/
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
if( ssl->transform_out->cipher_ctx_enc.cipher_info->mode ==
POLARSSL_MODE_STREAM )
{
int ret;
size_t olen = 0;
@ -1073,8 +1060,7 @@ static int ssl_encrypt_buf( ssl_context *ssl )
{
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
ssl->out_msglen, olen ) );
// TODO Real error number
return( -1 );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
@ -1088,15 +1074,14 @@ static int ssl_encrypt_buf( ssl_context *ssl )
{
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
0, olen ) );
// TODO Real error number
return( -1 );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
}
else
#endif /* POLARSSL_ARC4_C */
#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
#if defined(POLARSSL_GCM_C)
if( ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_128_GCM ||
ssl->transform_out->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_256_GCM )
if( ssl->transform_out->cipher_ctx_enc.cipher_info->mode ==
POLARSSL_MODE_GCM )
{
size_t enc_msglen, olen, totlen;
unsigned char *enc_msg;
@ -1199,7 +1184,8 @@ static int ssl_encrypt_buf( ssl_context *ssl )
}
else
#endif /* POLARSSL_GCM_C */
#if defined(POLARSSL_CIPHER_MODE_CBC)
#if defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
if( ssl->transform_out->cipher_ctx_enc.cipher_info->mode ==
POLARSSL_MODE_CBC )
{
@ -1289,8 +1275,7 @@ static int ssl_encrypt_buf( ssl_context *ssl )
{
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
enc_msglen, olen ) );
// TODO Real error number
return( -1 );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
@ -1306,7 +1291,8 @@ static int ssl_encrypt_buf( ssl_context *ssl )
#endif
}
else
#endif /* POLARSSL_CIPHER_MODE_CBC */
#endif /* POLARSSL_CIPHER_MODE_CBC &&
( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
{
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
@ -1337,15 +1323,9 @@ static int ssl_decrypt_buf( ssl_context *ssl )
return( POLARSSL_ERR_SSL_INVALID_MAC );
}
#if defined(POLARSSL_CIPHER_NULL_CIPHER)
if( ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_NULL )
{
padlen = 0;
}
else
#endif /* POLARSSL_CIPHER_NULL_CIPHER */
#if defined(POLARSSL_ARC4_C)
if( ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
if( ssl->transform_in->cipher_ctx_dec.cipher_info->mode ==
POLARSSL_MODE_STREAM )
{
int ret;
size_t olen = 0;
@ -1377,8 +1357,7 @@ static int ssl_decrypt_buf( ssl_context *ssl )
if( ssl->in_msglen != olen )
{
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
// TODO Real error number
return( -1 );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
@ -1391,15 +1370,14 @@ static int ssl_decrypt_buf( ssl_context *ssl )
if( 0 != olen )
{
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
// TODO Real error number
return( -1 );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
}
else
#endif /* POLARSSL_ARC4_C */
#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
#if defined(POLARSSL_GCM_C)
if( ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_128_GCM ||
ssl->transform_in->ciphersuite_info->cipher == POLARSSL_CIPHER_AES_256_GCM )
if( ssl->transform_in->cipher_ctx_dec.cipher_info->mode ==
POLARSSL_MODE_GCM )
{
unsigned char *dec_msg;
unsigned char *dec_msg_result;
@ -1485,7 +1463,8 @@ static int ssl_decrypt_buf( ssl_context *ssl )
}
else
#endif /* POLARSSL_GCM_C */
#if defined(POLARSSL_CIPHER_MODE_CBC)
#if defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
if( ssl->transform_in->cipher_ctx_dec.cipher_info->mode ==
POLARSSL_MODE_CBC )
{
@ -1573,8 +1552,7 @@ static int ssl_decrypt_buf( ssl_context *ssl )
if( dec_msglen != olen )
{
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
// TODO Real error number
return( -1 );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1)
@ -1651,7 +1629,8 @@ static int ssl_decrypt_buf( ssl_context *ssl )
}
}
else
#endif /* POLARSSL_CIPHER_MODE_CBC */
#endif /* POLARSSL_CIPHER_MODE_CBC &&
( POLARSSL_AES_C || POLARSSL_CAMELLIA_C ) */
{
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
@ -1661,84 +1640,92 @@ static int ssl_decrypt_buf( ssl_context *ssl )
ssl->in_msg, ssl->in_msglen );
/*
* Always compute the MAC (RFC4346, CBCTIME).
* Always compute the MAC (RFC4346, CBCTIME), except for GCM of course
*/
ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
( defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
if( ssl->transform_in->cipher_ctx_dec.cipher_info->mode !=
POLARSSL_MODE_GCM )
{
ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen );
memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
{
ssl_mac( &ssl->transform_in->md_ctx_dec,
ssl->transform_in->mac_dec,
ssl->in_msg, ssl->in_msglen,
ssl->in_ctr, ssl->in_msgtype );
}
else
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
{
ssl_mac( &ssl->transform_in->md_ctx_dec,
ssl->transform_in->mac_dec,
ssl->in_msg, ssl->in_msglen,
ssl->in_ctr, ssl->in_msgtype );
}
else
#endif /* POLARSSL_SSL_PROTO_SSL3 */
#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
{
/*
* Process MAC and always update for padlen afterwards to make
* total time independent of padlen
*
* extra_run compensates MAC check for padlen
*
* Known timing attacks:
* - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
*
* We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
* correctly. (We round down instead of up, so -56 is the correct
* value for our calculations instead of -55)
*/
size_t j, extra_run = 0;
extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
( 13 + ssl->in_msglen + 8 ) / 64;
defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver > SSL_MINOR_VERSION_0 )
{
/*
* Process MAC and always update for padlen afterwards to make
* total time independent of padlen
*
* extra_run compensates MAC check for padlen
*
* Known timing attacks:
* - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
*
* We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
* correctly. (We round down instead of up, so -56 is the correct
* value for our calculations instead of -55)
*/
size_t j, extra_run = 0;
extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
( 13 + ssl->in_msglen + 8 ) / 64;
extra_run &= correct * 0xFF;
extra_run &= correct * 0xFF;
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
ssl->in_msglen );
md_hmac_finish( &ssl->transform_in->md_ctx_dec,
ssl->in_msg + ssl->in_msglen );
for( j = 0; j < extra_run; j++ )
md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 13 );
md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
ssl->in_msglen );
md_hmac_finish( &ssl->transform_in->md_ctx_dec,
ssl->in_msg + ssl->in_msglen );
for( j = 0; j < extra_run; j++ )
md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
md_hmac_reset( &ssl->transform_in->md_ctx_dec );
}
else
md_hmac_reset( &ssl->transform_in->md_ctx_dec );
}
else
#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
POLARSSL_SSL_PROTO_TLS1_2 */
{
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
}
POLARSSL_SSL_PROTO_TLS1_2 */
{
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
}
SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
ssl->transform_in->maclen );
SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen );
SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
ssl->transform_in->maclen );
if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
ssl->transform_in->maclen ) != 0 )
{
if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
ssl->transform_in->maclen ) != 0 )
{
#if defined(POLARSSL_SSL_DEBUG_ALL)
SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
#endif
correct = 0;
}
correct = 0;
}
/*
* Finally check the correct flag
*/
if( correct == 0 )
return( POLARSSL_ERR_SSL_INVALID_MAC );
/*
* Finally check the correct flag
*/
if( correct == 0 )
return( POLARSSL_ERR_SSL_INVALID_MAC );
}
#endif /* GCM not the only option */
if( ssl->in_msglen == 0 )
{