diff --git a/src/internal.c b/src/internal.c index 0607b4e6e..b055af250 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1362,6 +1362,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, } #endif +#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + if (tls && havePSK) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256; + } +#endif + #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM if (tls && havePSK) { suites->suites[idx++] = ECC_BYTE; @@ -4000,6 +4007,16 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; break; + case TLS_ECDHE_PSK_WITH_NULL_SHA256 : + if (requirement == REQUIRES_PSK) + return 1; + break; + + case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : + if (requirement == REQUIRES_PSK) + return 1; + break; + default: WOLFSSL_MSG("Unsupported cipher suite, CipherRequires ECC"); return 0; @@ -9941,6 +9958,10 @@ static const char* const cipher_names[] = #ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 "ECDHE-PSK-NULL-SHA256", #endif + +#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + "ECDHE-PSK-AES128-CBC-SHA256", +#endif }; @@ -10363,6 +10384,10 @@ static int cipher_name_idx[] = #ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_ECDHE_PSK_WITH_NULL_SHA256, #endif + +#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, +#endif }; diff --git a/src/keys.c b/src/keys.c index bbbc766c2..3167ee551 100644 --- a/src/keys.c +++ b/src/keys.c @@ -799,6 +799,24 @@ int SetCipherSpecs(WOLFSSL* ssl) ssl->options.usingPSK_cipher = 1; break; #endif + +#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : + ssl->specs.bulk_cipher_algorithm = wolfssl_aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = ecdhe_psk_kea; + ssl->specs.sig_algo = anonymous_sa_algo; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = AES_128_KEY_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + + ssl->options.usingPSK_cipher = 1; + break; +#endif #endif /* HAVE_ECC */ #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 diff --git a/src/ssl.c b/src/ssl.c index 8be5469b3..c88516c9c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10304,6 +10304,14 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; +#endif + case TLS_ECDHE_ECDSA_WITH_NULL_SHA : + return "TLS_ECDHE_ECDSA_WITH_NULL_SHA"; +#ifndef NO_PSK + case TLS_ECDHE_PSK_WITH_NULL_SHA256 : + return "TLS_ECDHE_PSK_WITH_NULL_SHA256"; + case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 : + return "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"; #endif #endif /* HAVE_ECC */ diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf index 625e11320..9257a5d4a 100644 --- a/tests/test-dtls.conf +++ b/tests/test-dtls.conf @@ -746,6 +746,42 @@ -l ECDH-ECDSA-AES256-SHA384 -A ./certs/server-ecc.pem +# server TLSv1 ECDHE-PSK-AES128-SHA256 +-s +-u +-v 1 +-l ECDHE-PSK-AES128-SHA256 + +# client TLSv1 ECDHE-PSK-AES128-SHA256 +-s +-u +-v 1 +-l ECDHE-PSK-AES128-SHA256 + +# server TLSv1.1 ECDHE-PSK-AES128-SHA256 +-s +-u +-v 2 +-l ECDHE-PSK-AES128-SHA256 + +# client TLSv1.1 ECDHE-PSK-AES128-SHA256 +-s +-u +-v 2 +-l ECDHE-PSK-AES128-SHA256 + +# server TLSv1.2 ECDHE-PSK-AES128-SHA256 +-s +-u +-v 3 +-l ECDHE-PSK-AES128-SHA256 + +# client TLSv1.2 ECDHE-PSK-AES128-SHA256 +-s +-u +-v 3 +-l ECDHE-PSK-AES128-SHA256 + # server TLSv1 ECDHE-PSK-NULL-SHA256 -s -u diff --git a/tests/test-psk-no-id.conf b/tests/test-psk-no-id.conf index 9669dc5bc..0169ce321 100644 --- a/tests/test-psk-no-id.conf +++ b/tests/test-psk-no-id.conf @@ -1,3 +1,69 @@ +# No Hint server TLSv1 ECDHE-PSK-AES128-SHA256 +-s +-I +-v 1 +-l ECDHE-PSK-AES128-SHA256 + +# No Hint client TLSv1 ECDHE-PSK-AES128-SHA256 +-s +-v 1 +-l ECDHE-PSK-AES128-SHA256 + +# No Hint server TLSv1.1 ECDHE-PSK-AES128-SHA256 +-s +-I +-v 2 +-l ECDHE-PSK-AES128-SHA256 + +# No Hint client TLSv1.1 ECDHE-PSK-AES128-SHA256 +-s +-v 2 +-l ECDHE-PSK-AES128-SHA256 + +# No Hint server TLSv1.2 ECDHE-PSK-AES128-SHA256 +-s +-I +-v 3 +-l ECDHE-PSK-AES128-SHA256 + +# No Hint client TLSv1.2 ECDHE-PSK-AES128-SHA256 +-s +-v 3 +-l ECDHE-PSK-AES128-SHA256 + +# No Hint server TLSv1 ECDHE-PSK-NULL-SHA256 +-s +-I +-v 1 +-l ECDHE-PSK-NULL-SHA256 + +# No Hint client TLSv1 ECDHE-PSK-NULL-SHA256 +-s +-v 1 +-l ECDHE-PSK-NULL-SHA256 + +# No Hint server TLSv1.1 ECDHE-PSK-NULL-SHA256 +-s +-I +-v 2 +-l ECDHE-PSK-NULL-SHA256 + +# No Hint client TLSv1.1 ECDHE-PSK-NULL-SHA256 +-s +-v 2 +-l ECDHE-PSK-NULL-SHA256 + +# No Hint server TLSv1.2 ECDHE-PSK-NULL-SHA256 +-s +-I +-v 3 +-l ECDHE-PSK-NULL-SHA256 + +# No Hint client TLSv1.2 ECDHE-PSK-NULL-SHA256 +-s +-v 3 +-l ECDHE-PSK-NULL-SHA256 + # No Hint server TLSv1 PSK-AES128 -s -I diff --git a/tests/test-qsh.conf b/tests/test-qsh.conf index d6fca56af..9ba4f54a9 100644 --- a/tests/test-qsh.conf +++ b/tests/test-qsh.conf @@ -1155,6 +1155,36 @@ -v 3 -l QSH:DHE-RSA-AES256-SHA256 +# server TLSv1 ECDHE-PSK-AES128-SHA256 +-s +-v 1 +-l QSH:ECDHE-PSK-AES128-SHA256 + +# client TLSv1 ECDHE-PSK-AES128-SHA256 +-s +-v 1 +-l QSH:ECDHE-PSK-AES128-SHA256 + +# server TLSv1.1 ECDHE-PSK-AES128-SHA256 +-s +-v 2 +-l QSH:ECDHE-PSK-AES128-SHA256 + +# client TLSv1.1 ECDHE-PSK-AES128-SHA256 +-s +-v 2 +-l QSH:ECDHE-PSK-AES128-SHA256 + +# server TLSv1.2 ECDHE-PSK-AES128-SHA256 +-s +-v 3 +-l QSH:ECDHE-PSK-AES128-SHA256 + +# client TLSv1.2 ECDHE-PSK-AES128-SHA256 +-s +-v 3 +-l QSH:ECDHE-PSK-AES128-SHA256 + # server TLSv1 ECDHE-PSK-NULL-SHA256 -s -v 1 diff --git a/tests/test.conf b/tests/test.conf index 1e8f6db33..ab067b6c3 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -1158,6 +1158,36 @@ -v 3 -l ECDHE-PSK-NULL-SHA256 +# server TLSv1 ECDHE-PSK-AES128-SHA256 +-s +-v 1 +-l ECDHE-PSK-AES128-SHA256 + +# client TLSv1 ECDHE-PSK-AES128-SHA256 +-s +-v 1 +-l ECDHE-PSK-AES128-SHA256 + +# server TLSv1.1 ECDHE-PSK-AES128-SHA256 +-s +-v 2 +-l ECDHE-PSK-AES128-SHA256 + +# client TLSv1.1 ECDHE-PSK-AES128-SHA256 +-s +-v 2 +-l ECDHE-PSK-AES128-SHA256 + +# server TLSv1.2 ECDHE-PSK-AES128-SHA256 +-s +-v 3 +-l ECDHE-PSK-AES128-SHA256 + +# client TLSv1.2 ECDHE-PSK-AES128-SHA256 +-s +-v 3 +-l ECDHE-PSK-AES128-SHA256 + # server TLSv1 PSK-AES128 -s -v 1 diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 4d47de042..3d2d2bdd4 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -528,6 +528,9 @@ typedef byte word24[3]; #define BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256 #endif #endif + #if !defined(NO_PSK) && !defined(NO_SHA256) && !defined(NO_AES) + #define BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + #endif #endif #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) \ && !defined(NO_OLD_POLY1305) @@ -715,6 +718,7 @@ enum { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0x24, TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0x06, TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0x3a, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0x37, /* static ECDH, first byte is 0xC0 (ECC_BYTE) */ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0x0F,