1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00

Merge CCM cipher mode and ciphersuites

Conflicts:
	library/ssl_tls.c
This commit is contained in:
Paul Bakker
2014-05-22 15:30:31 +02:00
27 changed files with 3533 additions and 246 deletions

View File

@ -11,6 +11,7 @@ set(src
bignum.c
blowfish.c
camellia.c
ccm.c
certs.c
cipher.c
cipher_wrap.c

View File

@ -37,7 +37,7 @@ endif
OBJS= aes.o aesni.o arc4.o \
asn1parse.o \
asn1write.o base64.o bignum.o \
blowfish.o camellia.o \
blowfish.o camellia.o ccm.o \
certs.o cipher.o cipher_wrap.o \
ctr_drbg.o debug.o des.o \
dhm.o ecdh.o ecdsa.o \

448
library/ccm.c Normal file
View File

@ -0,0 +1,448 @@
/*
* NIST SP800-38C compliant CCM implementation
*
* Copyright (C) 2014, Brainspark B.V.
*
* This file is part of PolarSSL (http://www.polarssl.org)
* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
*
* All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
* Definition of CCM:
* http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
* RFC 3610 "Counter with CBC-MAC (CCM)"
*
* Related:
* RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
*/
#if !defined(POLARSSL_CONFIG_FILE)
#include "polarssl/config.h"
#else
#include POLARSSL_CONFIG_FILE
#endif
#if defined(POLARSSL_CCM_C)
#include "polarssl/ccm.h"
#define CCM_ENCRYPT 0
#define CCM_DECRYPT 1
/*
* Initialize context
*/
int ccm_init( ccm_context *ctx, cipher_id_t cipher,
const unsigned char *key, unsigned int keysize )
{
int ret;
const cipher_info_t *cipher_info;
memset( ctx, 0, sizeof( ccm_context ) );
cipher_info = cipher_info_from_values( cipher, keysize, POLARSSL_MODE_ECB );
if( cipher_info == NULL )
return( POLARSSL_ERR_CCM_BAD_INPUT );
if( cipher_info->block_size != 16 )
return( POLARSSL_ERR_CCM_BAD_INPUT );
if( ( ret = cipher_init_ctx( &ctx->cipher_ctx, cipher_info ) ) != 0 )
return( ret );
if( ( ret = cipher_setkey( &ctx->cipher_ctx, key, keysize,
POLARSSL_ENCRYPT ) ) != 0 )
{
return( ret );
}
return( 0 );
}
/*
* Free context
*/
void ccm_free( ccm_context *ctx )
{
(void) cipher_free_ctx( &ctx->cipher_ctx );
memset( ctx, 0, sizeof( ccm_context ) );
}
/*
* Macros for common operations.
* Results in smaller compiled code than static inline functions.
*/
/*
* Update the CBC-MAC state in y using a block in b
* (Always using b as the source helps the compiler optimise a bit better.)
*/
#define UPDATE_CBC_MAC \
for( i = 0; i < 16; i++ ) \
y[i] ^= b[i]; \
\
if( ( ret = cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \
return( ret );
/*
* Encrypt or decrypt a partial block with CTR
* Warning: using b for temporary storage! src and dst must not be b!
* This avoids allocating one more 16 bytes buffer while allowing src == dst.
*/
#define CTR_CRYPT( dst, src, len ) \
if( ( ret = cipher_update( &ctx->cipher_ctx, ctr, 16, b, &olen ) ) != 0 ) \
return( ret ); \
\
for( i = 0; i < len; i++ ) \
dst[i] = src[i] ^ b[i];
/*
* Authenticated encryption or decryption
*/
static int ccm_auth_crypt( ccm_context *ctx, int mode, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
unsigned char *tag, size_t tag_len )
{
int ret;
unsigned char i;
unsigned char q = 16 - 1 - iv_len;
size_t len_left, olen;
unsigned char b[16];
unsigned char y[16];
unsigned char ctr[16];
const unsigned char *src;
unsigned char *dst;
/*
* Check length requirements: SP800-38C A.1
* Additional requirement: a < 2^16 - 2^8 to simplify the code.
* 'length' checked later (when writing it to the first block)
*/
if( tag_len < 4 || tag_len > 16 || tag_len % 2 != 0 )
return( POLARSSL_ERR_CCM_BAD_INPUT );
/* Also implies q is within bounds */
if( iv_len < 7 || iv_len > 13 )
return( POLARSSL_ERR_CCM_BAD_INPUT );
if( add_len > 0xFF00 )
return( POLARSSL_ERR_CCM_BAD_INPUT );
/*
* First block B_0:
* 0 .. 0 flags
* 1 .. iv_len nonce (aka iv)
* iv_len+1 .. 15 length
*
* With flags as (bits):
* 7 0
* 6 add present?
* 5 .. 3 (t - 2) / 2
* 2 .. 0 q - 1
*/
b[0] = 0;
b[0] |= ( add_len > 0 ) << 6;
b[0] |= ( ( tag_len - 2 ) / 2 ) << 3;
b[0] |= q - 1;
memcpy( b + 1, iv, iv_len );
for( i = 0, len_left = length; i < q; i++, len_left >>= 8 )
b[15-i] = (unsigned char)( len_left & 0xFF );
if( len_left > 0 )
return( POLARSSL_ERR_CCM_BAD_INPUT );
/* Start CBC-MAC with first block */
memset( y, 0, 16 );
UPDATE_CBC_MAC;
/*
* If there is additional data, update CBC-MAC with
* add_len, add, 0 (padding to a block boundary)
*/
if( add_len > 0 )
{
size_t use_len;
len_left = add_len;
src = add;
memset( b, 0, 16 );
b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF );
b[1] = (unsigned char)( ( add_len ) & 0xFF );
use_len = len_left < 16 - 2 ? len_left : 16 - 2;
memcpy( b + 2, src, use_len );
len_left -= use_len;
src += use_len;
UPDATE_CBC_MAC;
while( len_left > 0 )
{
use_len = len_left > 16 ? 16 : len_left;
memset( b, 0, 16 );
memcpy( b, src, use_len );
UPDATE_CBC_MAC;
len_left -= use_len;
src += use_len;
}
}
/*
* Prepare counter block for encryption:
* 0 .. 0 flags
* 1 .. iv_len nonce (aka iv)
* iv_len+1 .. 15 counter (initially 1)
*
* With flags as (bits):
* 7 .. 3 0
* 2 .. 0 q - 1
*/
ctr[0] = q - 1;
memcpy( ctr + 1, iv, iv_len );
memset( ctr + 1 + iv_len, 0, q );
ctr[15] = 1;
/*
* Authenticate and {en,de}crypt the message.
*
* The only difference between encryption and decryption is
* the respective order of authentication and {en,de}cryption.
*/
len_left = length;
src = input;
dst = output;
while( len_left > 0 )
{
unsigned char use_len = len_left > 16 ? 16 : len_left;
if( mode == CCM_ENCRYPT )
{
memset( b, 0, 16 );
memcpy( b, src, use_len );
UPDATE_CBC_MAC;
}
CTR_CRYPT( dst, src, use_len );
if( mode == CCM_DECRYPT )
{
memset( b, 0, 16 );
memcpy( b, dst, use_len );
UPDATE_CBC_MAC;
}
dst += use_len;
src += use_len;
len_left -= use_len;
/*
* Increment counter.
* No need to check for overflow thanks to the length check above.
*/
for( i = 0; i < q; i++ )
if( ++ctr[15-i] != 0 )
break;
}
/*
* Authentication: reset counter and crypt/mask internal tag
*/
for( i = 0; i < q; i++ )
ctr[15-i] = 0;
CTR_CRYPT( y, y, 16 );
memcpy( tag, y, tag_len );
return( 0 );
}
/*
* Authenticated encryption
*/
int ccm_encrypt_and_tag( ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
unsigned char *tag, size_t tag_len )
{
return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len,
add, add_len, input, output, tag, tag_len ) );
}
/*
* Authenticated decryption
*/
int ccm_auth_decrypt( ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
const unsigned char *tag, size_t tag_len )
{
int ret;
unsigned char check_tag[16];
unsigned char i;
int diff;
if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length,
iv, iv_len, add, add_len,
input, output, check_tag, tag_len ) ) != 0 )
{
return( ret );
}
/* Check tag in "constant-time" */
for( diff = 0, i = 0; i < tag_len; i++ )
diff |= tag[i] ^ check_tag[i];
if( diff != 0 )
{
memset( output, 0, length );
return( POLARSSL_ERR_CCM_AUTH_FAILED );
}
return( 0 );
}
#if defined(POLARSSL_SELF_TEST) && defined(POLARSSL_AES_C)
#if defined(POLARSSL_PLATFORM_C)
#include "polarssl/platform.h"
#else
#define polarssl_printf printf
#endif
/*
* Examples 1 to 3 from SP800-38C Appendix C
*/
#define NB_TESTS 3
/*
* The data is the same for all tests, only the used length changes
*/
static const unsigned char key[] = {
0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
};
static const unsigned char iv[] = {
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b
};
static const unsigned char ad[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13
};
static const unsigned char msg[] = {
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
};
static const size_t iv_len [NB_TESTS] = { 7, 8, 12 };
static const size_t add_len[NB_TESTS] = { 8, 16, 20 };
static const size_t msg_len[NB_TESTS] = { 4, 16, 24 };
static const size_t tag_len[NB_TESTS] = { 4, 6, 8 };
static const unsigned char res[NB_TESTS][32] = {
{ 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
{ 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
{ 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
};
int ccm_self_test( int verbose )
{
ccm_context ctx;
unsigned char out[32];
size_t i;
int ret;
if( ccm_init( &ctx, POLARSSL_CIPHER_ID_AES, key, 8 * sizeof key ) != 0 )
{
if( verbose != 0 )
polarssl_printf( " CCM: setup failed" );
return( 1 );
}
for( i = 0; i < NB_TESTS; i++ )
{
if( verbose != 0 )
polarssl_printf( " CCM-AES #%u: ", (unsigned int) i + 1 );
ret = ccm_encrypt_and_tag( &ctx, msg_len[i],
iv, iv_len[i], ad, add_len[i],
msg, out,
out + msg_len[i], tag_len[i] );
if( ret != 0 ||
memcmp( out, res[i], msg_len[i] + tag_len[i] ) != 0 )
{
if( verbose != 0 )
polarssl_printf( "failed\n" );
return( 1 );
}
ret = ccm_auth_decrypt( &ctx, msg_len[i],
iv, iv_len[i], ad, add_len[i],
res[i], out,
res[i] + msg_len[i], tag_len[i] );
if( ret != 0 ||
memcmp( out, msg, msg_len[i] ) != 0 )
{
if( verbose != 0 )
polarssl_printf( "failed\n" );
return( 1 );
}
if( verbose != 0 )
polarssl_printf( "passed\n" );
}
ccm_free( &ctx );
if( verbose != 0 )
polarssl_printf( "\n" );
return( 0 );
}
#endif /* POLARSSL_SELF_TEST && POLARSSL_AES_C */
#endif /* POLARSSL_CCM_C */

View File

@ -42,6 +42,10 @@
#include "polarssl/gcm.h"
#endif
#if defined(POLARSSL_CCM_C)
#include "polarssl/ccm.h"
#endif
#include <stdlib.h>
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
@ -771,6 +775,115 @@ int cipher_check_tag( cipher_context_t *ctx,
}
#endif /* POLARSSL_CIPHER_MODE_AEAD */
/*
* Packet-oriented wrapper for non-AEAD modes
*/
int cipher_crypt( cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen )
{
int ret;
size_t finish_olen;
if( ( ret = cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
return( ret );
if( ( ret = cipher_reset( ctx ) ) != 0 )
return( ret );
if( ( ret = cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
return( ret );
if( ( ret = cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
return( ret );
*olen += finish_olen;
return( 0 );
}
#if defined(POLARSSL_CIPHER_MODE_AEAD)
/*
* Packet-oriented encryption for AEAD modes
*/
int cipher_auth_encrypt( cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
unsigned char *tag, size_t tag_len )
{
#if defined(POLARSSL_GCM_C)
if( POLARSSL_MODE_GCM == ctx->cipher_info->mode )
{
*olen = ilen;
return( gcm_crypt_and_tag( ctx->cipher_ctx, GCM_ENCRYPT, ilen,
iv, iv_len, ad, ad_len, input, output,
tag_len, tag ) );
}
#endif /* POLARSSL_GCM_C */
#if defined(POLARSSL_CCM_C)
if( POLARSSL_MODE_CCM == ctx->cipher_info->mode )
{
*olen = ilen;
return( ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
iv, iv_len, ad, ad_len, input, output,
tag, tag_len ) );
}
#endif /* POLARSSL_CCM_C */
return( POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
/*
* Packet-oriented decryption for AEAD modes
*/
int cipher_auth_decrypt( cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
const unsigned char *tag, size_t tag_len )
{
#if defined(POLARSSL_GCM_C)
if( POLARSSL_MODE_GCM == ctx->cipher_info->mode )
{
int ret;
*olen = ilen;
ret = gcm_auth_decrypt( ctx->cipher_ctx, ilen,
iv, iv_len, ad, ad_len,
tag, tag_len, input, output );
if( ret == POLARSSL_ERR_GCM_AUTH_FAILED )
ret = POLARSSL_ERR_CIPHER_AUTH_FAILED;
return( ret );
}
#endif /* POLARSSL_GCM_C */
#if defined(POLARSSL_CCM_C)
if( POLARSSL_MODE_CCM == ctx->cipher_info->mode )
{
int ret;
*olen = ilen;
ret = ccm_auth_decrypt( ctx->cipher_ctx, ilen,
iv, iv_len, ad, ad_len,
input, output, tag, tag_len );
if( ret == POLARSSL_ERR_CCM_AUTH_FAILED )
ret = POLARSSL_ERR_CIPHER_AUTH_FAILED;
return( ret );
}
#endif /* POLARSSL_CCM_C */
return( POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
#endif /* POLARSSL_CIPHER_MODE_AEAD */
#if defined(POLARSSL_SELF_TEST)
/*

View File

@ -61,6 +61,10 @@
#include "polarssl/gcm.h"
#endif
#if defined(POLARSSL_CCM_C)
#include "polarssl/ccm.h"
#endif
#if defined(POLARSSL_PLATFORM_C)
#include "polarssl/platform.h"
#else
@ -84,6 +88,20 @@ static void gcm_ctx_free( void *ctx )
}
#endif /* POLARSSL_GCM_C */
#if defined(POLARSSL_CCM_C)
/* shared by all CCM ciphers */
static void *ccm_ctx_alloc( void )
{
return polarssl_malloc( sizeof( ccm_context ) );
}
static void ccm_ctx_free( void *ctx )
{
ccm_free( ctx );
polarssl_free( ctx );
}
#endif /* POLARSSL_CCM_C */
#if defined(POLARSSL_AES_C)
static int aes_crypt_ecb_wrap( void *ctx, operation_t operation,
@ -378,6 +396,61 @@ const cipher_info_t aes_256_gcm_info = {
};
#endif /* POLARSSL_GCM_C */
#if defined(POLARSSL_CCM_C)
static int ccm_aes_setkey_wrap( void *ctx, const unsigned char *key,
unsigned int key_length )
{
return ccm_init( (ccm_context *) ctx, POLARSSL_CIPHER_ID_AES,
key, key_length );
}
const cipher_base_t ccm_aes_info = {
POLARSSL_CIPHER_ID_AES,
NULL,
NULL,
NULL,
NULL,
NULL,
ccm_aes_setkey_wrap,
ccm_aes_setkey_wrap,
ccm_ctx_alloc,
ccm_ctx_free,
};
const cipher_info_t aes_128_ccm_info = {
POLARSSL_CIPHER_AES_128_CCM,
POLARSSL_MODE_CCM,
128,
"AES-128-CCM",
12,
1,
16,
&ccm_aes_info
};
const cipher_info_t aes_192_ccm_info = {
POLARSSL_CIPHER_AES_192_CCM,
POLARSSL_MODE_CCM,
192,
"AES-192-CCM",
12,
1,
16,
&ccm_aes_info
};
const cipher_info_t aes_256_ccm_info = {
POLARSSL_CIPHER_AES_256_CCM,
POLARSSL_MODE_CCM,
256,
"AES-256-CCM",
12,
1,
16,
&ccm_aes_info
};
#endif /* POLARSSL_CCM_C */
#endif /* POLARSSL_AES_C */
#if defined(POLARSSL_CAMELLIA_C)
@ -676,6 +749,61 @@ const cipher_info_t camellia_256_gcm_info = {
};
#endif /* POLARSSL_GCM_C */
#if defined(POLARSSL_CCM_C)
static int ccm_camellia_setkey_wrap( void *ctx, const unsigned char *key,
unsigned int key_length )
{
return ccm_init( (ccm_context *) ctx, POLARSSL_CIPHER_ID_CAMELLIA,
key, key_length );
}
const cipher_base_t ccm_camellia_info = {
POLARSSL_CIPHER_ID_CAMELLIA,
NULL,
NULL,
NULL,
NULL,
NULL,
ccm_camellia_setkey_wrap,
ccm_camellia_setkey_wrap,
ccm_ctx_alloc,
ccm_ctx_free,
};
const cipher_info_t camellia_128_ccm_info = {
POLARSSL_CIPHER_CAMELLIA_128_CCM,
POLARSSL_MODE_CCM,
128,
"CAMELLIA-128-CCM",
12,
1,
16,
&ccm_camellia_info
};
const cipher_info_t camellia_192_ccm_info = {
POLARSSL_CIPHER_CAMELLIA_192_CCM,
POLARSSL_MODE_CCM,
192,
"CAMELLIA-192-CCM",
12,
1,
16,
&ccm_camellia_info
};
const cipher_info_t camellia_256_ccm_info = {
POLARSSL_CIPHER_CAMELLIA_256_CCM,
POLARSSL_MODE_CCM,
256,
"CAMELLIA-256-CCM",
12,
1,
16,
&ccm_camellia_info
};
#endif /* POLARSSL_CCM_C */
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)
@ -1217,6 +1345,11 @@ const cipher_definition_t cipher_definitions[] =
{ POLARSSL_CIPHER_AES_192_GCM, &aes_192_gcm_info },
{ POLARSSL_CIPHER_AES_256_GCM, &aes_256_gcm_info },
#endif
#if defined(POLARSSL_CCM_C)
{ POLARSSL_CIPHER_AES_128_CCM, &aes_128_ccm_info },
{ POLARSSL_CIPHER_AES_192_CCM, &aes_192_ccm_info },
{ POLARSSL_CIPHER_AES_256_CCM, &aes_256_ccm_info },
#endif
#endif /* POLARSSL_AES_C */
#if defined(POLARSSL_ARC4_C)
@ -1260,6 +1393,11 @@ const cipher_definition_t cipher_definitions[] =
{ POLARSSL_CIPHER_CAMELLIA_192_GCM, &camellia_192_gcm_info },
{ POLARSSL_CIPHER_CAMELLIA_256_GCM, &camellia_256_gcm_info },
#endif
#if defined(POLARSSL_CCM_C)
{ POLARSSL_CIPHER_CAMELLIA_128_CCM, &camellia_128_ccm_info },
{ POLARSSL_CIPHER_CAMELLIA_192_CCM, &camellia_192_ccm_info },
{ POLARSSL_CIPHER_CAMELLIA_256_CCM, &camellia_256_ccm_info },
#endif
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_DES_C)

View File

@ -53,6 +53,10 @@
#include "polarssl/camellia.h"
#endif
#if defined(POLARSSL_CCM_C)
#include "polarssl/ccm.h"
#endif
#if defined(POLARSSL_CIPHER_C)
#include "polarssl/cipher.h"
#endif
@ -578,6 +582,13 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
snprintf( buf, buflen, "CAMELLIA - Invalid data input length" );
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_CCM_C)
if( use_ret == -(POLARSSL_ERR_CCM_BAD_INPUT) )
snprintf( buf, buflen, "CCM - Bad input parameters to function" );
if( use_ret == -(POLARSSL_ERR_CCM_AUTH_FAILED) )
snprintf( buf, buflen, "CCM - Authenticated decryption failed" );
#endif /* POLARSSL_CCM_C */
#if defined(POLARSSL_CTR_DRBG_C)
if( use_ret == -(POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) )
snprintf( buf, buflen, "CTR_DRBG - The entropy source failed" );

View File

@ -51,13 +51,15 @@
* Forward-secure non-PSK > forward-secure PSK > other non-PSK > other PSK
* 2. By key length and cipher:
* AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES
* 3. By cipher mode when relevant GCM > CBC
* 4. By hash function used
* 3. By cipher mode when relevant CCM > GCM > CBC > CCM_8
* 4. By hash function used when relevant
* 5. By key exchange/auth again: EC > non-EC
*/
static const int ciphersuite_preference[] =
{
/* All AES-256 ephemeral suites */
TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_DHE_RSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
@ -67,6 +69,8 @@ static const int ciphersuite_preference[] =
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_DHE_RSA_WITH_AES_256_CCM_8,
/* All CAMELLIA-256 ephemeral suites */
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
@ -78,6 +82,8 @@ static const int ciphersuite_preference[] =
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
/* All AES-128 ephemeral suites */
TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_DHE_RSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
@ -87,6 +93,8 @@ static const int ciphersuite_preference[] =
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_DHE_RSA_WITH_AES_128_CCM_8,
/* All CAMELLIA-128 ephemeral suites */
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
@ -103,6 +111,7 @@ static const int ciphersuite_preference[] =
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
/* The PSK ephemeral suites */
TLS_DHE_PSK_WITH_AES_256_CCM,
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
@ -111,7 +120,9 @@ static const int ciphersuite_preference[] =
TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS_DHE_PSK_WITH_AES_256_CCM_8,
TLS_DHE_PSK_WITH_AES_128_CCM,
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
@ -120,11 +131,13 @@ static const int ciphersuite_preference[] =
TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DHE_PSK_WITH_AES_128_CCM_8,
TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
/* All AES-256 suites */
TLS_RSA_WITH_AES_256_CCM,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
@ -134,6 +147,7 @@ static const int ciphersuite_preference[] =
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CCM_8,
/* All CAMELLIA-256 suites */
TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
@ -145,6 +159,7 @@ static const int ciphersuite_preference[] =
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
/* All AES-128 suites */
TLS_RSA_WITH_AES_128_CCM,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
@ -154,6 +169,7 @@ static const int ciphersuite_preference[] =
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CCM_8,
/* All CAMELLIA-128 suites */
TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
@ -185,17 +201,21 @@ static const int ciphersuite_preference[] =
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
/* The PSK suites */
TLS_PSK_WITH_AES_256_CCM,
TLS_PSK_WITH_AES_256_GCM_SHA384,
TLS_PSK_WITH_AES_256_CBC_SHA384,
TLS_PSK_WITH_AES_256_CBC_SHA,
TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS_PSK_WITH_AES_256_CCM_8,
TLS_PSK_WITH_AES_128_CCM,
TLS_PSK_WITH_AES_128_GCM_SHA256,
TLS_PSK_WITH_AES_128_CBC_SHA256,
TLS_PSK_WITH_AES_128_CBC_SHA,
TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS_PSK_WITH_AES_128_CCM_8,
TLS_PSK_WITH_3DES_EDE_CBC_SHA,
@ -240,7 +260,7 @@ static const int ciphersuite_preference[] =
0
};
#define MAX_CIPHERSUITES 160
#define MAX_CIPHERSUITES 176
static int supported_ciphersuites[MAX_CIPHERSUITES];
static int supported_init = 0;
@ -294,6 +314,28 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_SHA512_C */
#if defined(POLARSSL_CCM_C)
{ TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
{ TLS_ECDHE_ECDSA_WITH_AES_128_CCM, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
#endif /* POLARSSL_CCM_C */
#endif /* POLARSSL_AES_C */
#if defined(POLARSSL_CAMELLIA_C)
@ -533,6 +575,28 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA1_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_CCM_C)
{ TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_DHE_RSA_WITH_AES_256_CCM_8, "TLS-DHE-RSA-WITH-AES-256-CCM-8",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
{ TLS_DHE_RSA_WITH_AES_128_CCM, "TLS-DHE-RSA-WITH-AES-128-CCM",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_DHE_RSA_WITH_AES_128_CCM_8, "TLS-DHE-RSA-WITH-AES-128-CCM-8",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
#endif /* POLARSSL_CCM_C */
#endif /* POLARSSL_AES_C */
#if defined(POLARSSL_CAMELLIA_C)
@ -646,6 +710,28 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_CIPHER_MODE_CBC */
#endif /* POLARSSL_SHA1_C */
#if defined(POLARSSL_CCM_C)
{ TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
{ TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
#endif /* POLARSSL_CCM_C */
#endif /* POLARSSL_AES_C */
#if defined(POLARSSL_CAMELLIA_C)
@ -1018,6 +1104,28 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA1_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_CCM_C)
{ TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
{ TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
#endif /* POLARSSL_CCM_C */
#endif /* POLARSSL_AES_C */
#if defined(POLARSSL_CAMELLIA_C)
@ -1132,6 +1240,28 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
0 },
#endif /* POLARSSL_SHA1_C */
#endif /* POLARSSL_CIPHER_MODE_CBC */
#if defined(POLARSSL_CCM_C)
{ TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8",
POLARSSL_CIPHER_AES_256_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
{ TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
0 },
{ TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8",
POLARSSL_CIPHER_AES_128_CCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3,
POLARSSL_CIPHERSUITE_SHORT_TAG },
#endif /* POLARSSL_CCM_C */
#endif /* POLARSSL_AES_C */
#if defined(POLARSSL_CAMELLIA_C)

View File

@ -506,7 +506,8 @@ int ssl_derive_keys( ssl_context *ssl )
* Determine the appropriate key, IV and MAC length.
*/
if( cipher_info->mode == POLARSSL_MODE_GCM )
if( cipher_info->mode == POLARSSL_MODE_GCM ||
cipher_info->mode == POLARSSL_MODE_CCM )
{
transform->keylen = cipher_info->key_length;
transform->keylen /= 8;
@ -991,17 +992,19 @@ static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
static int ssl_encrypt_buf( ssl_context *ssl )
{
size_t i;
const cipher_mode_t mode = cipher_get_cipher_mode(
&ssl->transform_out->cipher_ctx_enc );
SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
/*
* Add MAC before encrypt, except for GCM
* Add MAC before encrypt, except for AEAD modes
*/
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
( defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
if( ssl->transform_out->cipher_ctx_enc.cipher_info->mode !=
POLARSSL_MODE_GCM )
if( mode != POLARSSL_MODE_GCM &&
mode != POLARSSL_MODE_CCM )
{
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
@ -1037,14 +1040,13 @@ static int ssl_encrypt_buf( ssl_context *ssl )
ssl->out_msglen += ssl->transform_out->maclen;
}
#endif /* GCM not the only option */
#endif /* AEAD not the only option */
/*
* Encrypt
*/
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
if( ssl->transform_out->cipher_ctx_enc.cipher_info->mode ==
POLARSSL_MODE_STREAM )
if( mode == POLARSSL_MODE_STREAM )
{
int ret;
size_t olen = 0;
@ -1056,25 +1058,13 @@ static int ssl_encrypt_buf( ssl_context *ssl )
SSL_DEBUG_BUF( 4, "before encrypt: output payload",
ssl->out_msg, ssl->out_msglen );
if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_reset", ret );
return( ret );
}
if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
ssl->transform_out->iv_enc,
ssl->transform_out->ivlen ) ) != 0 )
ssl->transform_out->ivlen,
ssl->out_msg, ssl->out_msglen,
ssl->out_msg, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
return( ret );
}
if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
ssl->out_msg, ssl->out_msglen, ssl->out_msg,
&olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_update", ret );
SSL_DEBUG_RET( 1, "cipher_crypt", ret );
return( ret );
}
@ -1084,31 +1074,19 @@ static int ssl_encrypt_buf( ssl_context *ssl )
ssl->out_msglen, olen ) );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
ssl->out_msg + olen, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_finish", ret );
return( ret );
}
if( 0 != olen )
{
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
0, olen ) );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
}
else
#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
#if defined(POLARSSL_GCM_C)
if( ssl->transform_out->cipher_ctx_enc.cipher_info->mode ==
POLARSSL_MODE_GCM )
#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
if( mode == POLARSSL_MODE_GCM ||
mode == POLARSSL_MODE_CCM )
{
size_t enc_msglen, olen, totlen;
int ret;
size_t enc_msglen, olen;
unsigned char *enc_msg;
unsigned char add_data[13];
int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16;
memcpy( add_data, ssl->out_ctr, 8 );
add_data[8] = ssl->out_msgtype;
@ -1152,67 +1130,36 @@ static int ssl_encrypt_buf( ssl_context *ssl )
ssl->out_msg, ssl->out_msglen );
/*
* Encrypt
* Encrypt and authenticate
*/
if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
ssl->transform_out->iv_enc,
ssl->transform_out->ivlen ) ) != 0 ||
( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
if( ( ret = cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
ssl->transform_out->iv_enc,
ssl->transform_out->ivlen,
add_data, 13,
enc_msg, enc_msglen,
enc_msg, &olen,
enc_msg + enc_msglen, taglen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_reset", ret );
SSL_DEBUG_RET( 1, "cipher_auth_encrypt", ret );
return( ret );
}
if( ( ret = cipher_update_ad( &ssl->transform_out->cipher_ctx_enc,
add_data, 13 ) ) != 0 )
if( olen != enc_msglen )
{
SSL_DEBUG_RET( 1, "cipher_update_ad", ret );
return( ret );
}
if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
enc_msg, enc_msglen,
enc_msg, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_update", ret );
return( ret );
}
totlen = olen;
if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
enc_msg + olen, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_finish", ret );
return( ret );
}
totlen += olen;
if( totlen != enc_msglen )
{
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect %d %d",
enc_msglen, olen ) );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
/*
* Authenticate
*/
ssl->out_msglen += 16;
ssl->out_msglen += taglen;
if( ( ret = cipher_write_tag( &ssl->transform_out->cipher_ctx_enc,
enc_msg + enc_msglen, 16 ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_write_tag", ret );
return( ret );
}
SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, 16 );
SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
}
else
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
#if defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
if( ssl->transform_out->cipher_ctx_enc.cipher_info->mode ==
POLARSSL_MODE_CBC )
if( mode == POLARSSL_MODE_CBC )
{
int ret;
unsigned char *enc_msg;
@ -1266,34 +1213,13 @@ static int ssl_encrypt_buf( ssl_context *ssl )
SSL_DEBUG_BUF( 4, "before encrypt: output payload",
ssl->out_iv, ssl->out_msglen );
if( ( ret = cipher_reset( &ssl->transform_out->cipher_ctx_enc ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_reset", ret );
return( ret );
}
if( ( ret = cipher_set_iv( &ssl->transform_out->cipher_ctx_enc,
if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
ssl->transform_out->iv_enc,
ssl->transform_out->ivlen ) ) != 0 )
ssl->transform_out->ivlen,
enc_msg, enc_msglen,
enc_msg, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
return( ret );
}
if( ( ret = cipher_update( &ssl->transform_out->cipher_ctx_enc,
enc_msg, enc_msglen, enc_msg,
&olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_update", ret );
return( ret );
}
enc_msglen -= olen;
if( ( ret = cipher_finish( &ssl->transform_out->cipher_ctx_enc,
enc_msg + olen, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_finish", ret );
SSL_DEBUG_RET( 1, "cipher_crypt", ret );
return( ret );
}
@ -1345,6 +1271,8 @@ static int ssl_encrypt_buf( ssl_context *ssl )
static int ssl_decrypt_buf( ssl_context *ssl )
{
size_t i;
const cipher_mode_t mode = cipher_get_cipher_mode(
&ssl->transform_in->cipher_ctx_dec );
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
( defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
@ -1361,33 +1289,20 @@ static int ssl_decrypt_buf( ssl_context *ssl )
}
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER)
if( ssl->transform_in->cipher_ctx_dec.cipher_info->mode ==
POLARSSL_MODE_STREAM )
if( mode == POLARSSL_MODE_STREAM )
{
int ret;
size_t olen = 0;
padlen = 0;
if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_reset", ret );
return( ret );
}
if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
ssl->transform_in->iv_dec,
ssl->transform_in->ivlen ) ) != 0 )
ssl->transform_in->ivlen,
ssl->in_msg, ssl->in_msglen,
ssl->in_msg, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
return( ret );
}
if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
ssl->in_msg, ssl->in_msglen, ssl->in_msg,
&olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_update", ret );
SSL_DEBUG_RET( 1, "cipher_crypt", ret );
return( ret );
}
@ -1396,35 +1311,24 @@ static int ssl_decrypt_buf( ssl_context *ssl )
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
ssl->in_msg + olen, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_finish", ret );
return( ret );
}
if( 0 != olen )
{
SSL_DEBUG_MSG( 1, ( "total encrypted length incorrect" ) );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
}
else
#endif /* POLARSSL_ARC4_C || POLARSSL_CIPHER_NULL_CIPHER */
#if defined(POLARSSL_GCM_C)
if( ssl->transform_in->cipher_ctx_dec.cipher_info->mode ==
POLARSSL_MODE_GCM )
#if defined(POLARSSL_GCM_C) || defined(POLARSSL_CCM_C)
if( mode == POLARSSL_MODE_GCM ||
mode == POLARSSL_MODE_CCM )
{
int ret;
size_t dec_msglen, olen;
unsigned char *dec_msg;
unsigned char *dec_msg_result;
size_t dec_msglen, olen, totlen;
unsigned char add_data[13];
int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16;
dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
ssl->transform_in->fixed_ivlen );
dec_msglen -= 16;
dec_msglen -= taglen;
dec_msg = ssl->in_msg;
dec_msg_result = ssl->in_msg;
ssl->in_msglen = dec_msglen;
@ -1445,67 +1349,39 @@ static int ssl_decrypt_buf( ssl_context *ssl )
SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
ssl->transform_in->ivlen );
SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
/*
* Decrypt
* Decrypt and authenticate
*/
if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
ssl->transform_in->iv_dec,
ssl->transform_in->ivlen ) ) != 0 ||
( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
if( ( ret = cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
ssl->transform_in->iv_dec,
ssl->transform_in->ivlen,
add_data, 13,
dec_msg, dec_msglen,
dec_msg_result, &olen,
dec_msg + dec_msglen, taglen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_reset", ret );
SSL_DEBUG_RET( 1, "cipher_auth_decrypt", ret );
if( ret == POLARSSL_ERR_CIPHER_AUTH_FAILED )
return( POLARSSL_ERR_SSL_INVALID_MAC );
return( ret );
}
if( ( ret = cipher_update_ad( &ssl->transform_in->cipher_ctx_dec,
add_data, 13 ) ) != 0 )
if( olen != dec_msglen )
{
SSL_DEBUG_RET( 1, "cipher_update_ad", ret );
return( ret );
}
if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
dec_msg, dec_msglen,
dec_msg_result, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_update", ret );
return( ret );
}
totlen = olen;
if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
dec_msg_result + olen, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_finish", ret );
return( ret );
}
totlen += olen;
if( totlen != dec_msglen )
{
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
SSL_DEBUG_MSG( 1, ( "total decrypted length incorrect %d %d",
dec_msglen, olen ) );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
/*
* Authenticate
*/
if( ( ret = cipher_check_tag( &ssl->transform_in->cipher_ctx_dec,
dec_msg + dec_msglen, 16 ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_check_tag", ret );
return( POLARSSL_ERR_SSL_INVALID_MAC );
}
}
else
#endif /* POLARSSL_GCM_C */
#endif /* POLARSSL_GCM_C || POLARSSL_CCM_C */
#if defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) )
if( ssl->transform_in->cipher_ctx_dec.cipher_info->mode ==
POLARSSL_MODE_CBC )
if( mode == POLARSSL_MODE_CBC )
{
/*
* Decrypt and check the padding
@ -1560,33 +1436,13 @@ static int ssl_decrypt_buf( ssl_context *ssl )
}
#endif /* POLARSSL_SSL_PROTO_TLS1_1 || POLARSSL_SSL_PROTO_TLS1_2 */
if( ( ret = cipher_reset( &ssl->transform_in->cipher_ctx_dec ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_reset", ret );
return( ret );
}
if( ( ret = cipher_set_iv( &ssl->transform_in->cipher_ctx_dec,
if( ( ret = cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
ssl->transform_in->iv_dec,
ssl->transform_in->ivlen ) ) != 0 )
ssl->transform_in->ivlen,
dec_msg, dec_msglen,
dec_msg_result, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_set_iv", ret );
return( ret );
}
if( ( ret = cipher_update( &ssl->transform_in->cipher_ctx_dec,
dec_msg, dec_msglen, dec_msg_result,
&olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_update", ret );
return( ret );
}
dec_msglen -= olen;
if( ( ret = cipher_finish( &ssl->transform_in->cipher_ctx_dec,
dec_msg_result + olen, &olen ) ) != 0 )
{
SSL_DEBUG_RET( 1, "cipher_finish", ret );
SSL_DEBUG_RET( 1, "cipher_crypt", ret );
return( ret );
}
@ -1697,13 +1553,13 @@ static int ssl_decrypt_buf( ssl_context *ssl )
ssl->in_msg, ssl->in_msglen );
/*
* Always compute the MAC (RFC4346, CBCTIME), except for GCM of course
* Always compute the MAC (RFC4346, CBCTIME), except for AEAD of course
*/
#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \
( defined(POLARSSL_CIPHER_MODE_CBC) && \
( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) )
if( ssl->transform_in->cipher_ctx_dec.cipher_info->mode !=
POLARSSL_MODE_GCM )
if( mode != POLARSSL_MODE_GCM &&
mode != POLARSSL_MODE_CCM )
{
unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
@ -1784,7 +1640,7 @@ static int ssl_decrypt_buf( ssl_context *ssl )
if( correct == 0 )
return( POLARSSL_ERR_SSL_INVALID_MAC );
}
#endif /* GCM not the only option */
#endif /* AEAD not the only option */
if( ssl->in_msglen == 0 )
{

View File

@ -366,6 +366,9 @@ const char *features[] = {
#if defined(POLARSSL_CAMELLIA_C)
"POLARSSL_CAMELLIA_C",
#endif /* POLARSSL_CAMELLIA_C */
#if defined(POLARSSL_CCM_C)
"POLARSSL_CCM_C",
#endif /* POLARSSL_CCM_C */
#if defined(POLARSSL_CERTS_C)
"POLARSSL_CERTS_C",
#endif /* POLARSSL_CERTS_C */