From df221159209a0f379d8bd041022866589aefe111 Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Mon, 7 Oct 2019 08:28:00 -0700 Subject: [PATCH 1/5] Return error with AES-GCM and negotiated versions < TLSv1.2 --- src/internal.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/internal.c b/src/internal.c index a9c109dde..a52365011 100644 --- a/src/internal.c +++ b/src/internal.c @@ -24466,6 +24466,26 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } } + if (first == CIPHER_BYTE && ssl->version.major == SSLv3_MAJOR && + ssl->version.minor < TLSv1_2_MINOR) { + switch(second) { + case TLS_RSA_WITH_AES_128_GCM_SHA256: + case TLS_RSA_WITH_AES_256_GCM_SHA384: + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: + case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: + case TLS_DH_anon_WITH_AES_256_GCM_SHA384: + case TLS_PSK_WITH_AES_128_GCM_SHA256: + case TLS_PSK_WITH_AES_256_GCM_SHA384: + case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: + case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: + WOLFSSL_MSG("Version of SSL does not support AES-GCM"); + return WOLFSSL_FAILURE; + default: + break; + } + } + + #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && \ defined(HAVE_SUPPORTED_CURVES) if (!TLSX_ValidateSupportedCurves(ssl, first, second)) { From 5adcee9f2c91fdb64d3f1d1b41f1470b9231070e Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Wed, 9 Oct 2019 08:36:47 -0700 Subject: [PATCH 2/5] Update testsuite to expect ADH-AES256-GCM-SHA384 to fail with TLSv1.0 and TLSv1.1 --- tests/test.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/test.conf b/tests/test.conf index 7e3abdd5e..c21929124 100644 --- a/tests/test.conf +++ b/tests/test.conf 
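Review bot: The version test `ssl->version.major == SSLv3_MAJOR && ssl->version.minor < TLSv1_2_MINOR` only ever matches a TLS session, so a DTLS 1.0 peer (major DTLS_MAJOR, inverted minor numbering) offering the same GCM suites is not rejected, although DTLS 1.0 has no AEAD support either; the same gap persists in the rewritten check at the `@@ -24466,25 +24521,15` hunk later in this series. wolfSSL's `IsAtLeastTLSv1_2(ssl)` macro covers both transports, so `if (!IsAtLeastTLSv1_2(ssl)) {` would replace the two-line version test. The switch is further limited to `first == CIPHER_BYTE` AES-GCM suites, so ECC_BYTE GCM/CCM suites and CHACHA_BYTE suites remain negotiable on TLS 1.0/1.1 after this patch (the later move to `CipherRequires()` widens it). `return WOLFSSL_FAILURE` mixes the WOLFSSL_SUCCESS/FAILURE convention with what the follow-up patch treats as a 1/0 result; the enclosing function starts and ends outside the hunk, so its convention is not visible here.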
@@ -1782,21 +1782,25 @@ -a -v 2 -l ADH-AES256-GCM-SHA384 +-H exitWithRet # client TLSv1.1 ADH-AES256-GCM-SHA384 -a -v 2 -l ADH-AES256-GCM-SHA384 +-H exitWithRet # server TLSv1.0 ADH-AES256-GCM-SHA384 -a -v 1 -l ADH-AES256-GCM-SHA384 +-H exitWithRet # client TLSv1.0 ADH-AES256-GCM-SHA384 -a -v 1 -l ADH-AES256-GCM-SHA384 +-H exitWithRet # server TLSv1 NTRU_RC4 -v 1 From af8968ee5e995bae79f0513e39fbb07161e50d7e Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Wed, 9 Oct 2019 14:37:39 -0700 Subject: [PATCH 3/5] Add REQUIRES_AEAD and move functionallity for checking AEAD ciphers to CipherRequires() --- src/internal.c | 79 +++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 62 insertions(+), 17 deletions(-) diff --git a/src/internal.c b/src/internal.c index a52365011..4bcacdf6d 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8061,7 +8061,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) REQUIRES_ECC_STATIC, REQUIRES_PSK, REQUIRES_NTRU, - REQUIRES_RSA_SIG + REQUIRES_RSA_SIG, + REQUIRES_AEAD }; @@ -8132,6 +8133,10 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; break; } + + if (requirement == REQUIRES_AEAD) + return 1; + } #endif /* HAVE_CHACHA */ @@ -8241,21 +8246,29 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 : if (requirement == REQUIRES_ECC) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 : if (requirement == REQUIRES_ECC) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : if (requirement == REQUIRES_ECC_STATIC) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; #endif /* HAVE_ECC */ 
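Review bot: The new enumerator REQUIRES_AEAD is added without a comment, and unlike its neighbours its name describes the bulk cipher rather than a key-exchange prerequisite, so a maintainer adding a suite gets no cue that it must be returned for every GCM/CCM/ChaCha20-Poly1305 suite. Suggest `REQUIRES_AEAD   /* bulk cipher is AEAD (GCM/CCM/ChaCha20-Poly1305); only valid with (D)TLS 1.2+ */`. The enum's opening line is outside the hunk.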
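Review bot: CipherRequires() reports REQUIRES_AEAD by hand-listing suites one case at a time, and its fall-through result is 0, so any AEAD suite omitted from the list is silently still negotiable on TLS 1.0/1.1 by the version check added at `@@ -24466,25 +24521,15` — the check fails open rather than closed. The same mechanical addition repeats in the hunks at `@@ -8264`, `-8276`, `-8283`, `-8292`, `-8318`, `-8342`, `-8350`, `-8583`, `-8591` and `-8632`, and the GCM/CCM cases that are not visible in these hunks (for instance the 128-bit CCM siblings of the suites shown) need confirming. Only the CHACHA_BYTE block gets a blanket `if (requirement == REQUIRES_AEAD) return 1;` after its switch; for the enumerated bytes a unit test that walks the suite table and asserts `CipherRequires(first, second, REQUIRES_AEAD)` for every suite whose name contains GCM, CCM or CHACHA would catch omissions. CipherRequires() starts and ends outside these hunks.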
@@ -8264,11 +8277,15 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : if (requirement == REQUIRES_RSA) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 : if (requirement == REQUIRES_RSA) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 : @@ -8276,6 +8293,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; if (requirement == REQUIRES_RSA_SIG) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 : @@ -8283,6 +8302,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; if (requirement == REQUIRES_RSA_SIG) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; #endif /* HAVE_ECC */ #ifdef HAVE_AESCCM @@ -8292,6 +8313,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; if (requirement == REQUIRES_RSA_SIG) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; #endif /* HAVE_AESCCM */ #ifdef HAVE_ECC @@ -8318,6 +8341,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : if (requirement == REQUIRES_ECC) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : @@ -8342,6 +8367,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) case TLS_PSK_WITH_AES_256_CCM_8: if (requirement == REQUIRES_PSK) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; case TLS_DHE_PSK_WITH_AES_128_CCM: @@ -8350,6 +8377,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; if (requirement == REQUIRES_DHE) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; #endif /* !NO_PSK */ #ifdef HAVE_ECC 
@@ -8493,7 +8522,19 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #ifndef NO_PSK case TLS_PSK_WITH_AES_128_GCM_SHA256 : + if (requirement == REQUIRES_PSK) + return 1; + if (requirement == REQUIRES_AEAD) + return 1; + break; + case TLS_PSK_WITH_AES_256_GCM_SHA384 : + if (requirement == REQUIRES_PSK) + return 1; + if (requirement == REQUIRES_AEAD) + return 1; + break; + case TLS_PSK_WITH_AES_128_CBC_SHA256 : case TLS_PSK_WITH_AES_256_CBC_SHA384 : case TLS_PSK_WITH_AES_128_CBC_SHA : @@ -8507,6 +8548,14 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : + if (requirement == REQUIRES_DHE) + return 1; + if (requirement == REQUIRES_PSK) + return 1; + if (requirement == REQUIRES_AEAD) + return 1; + break; + case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : case TLS_DHE_PSK_WITH_NULL_SHA384 : @@ -8583,6 +8632,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) case TLS_RSA_WITH_AES_256_GCM_SHA384 : if (requirement == REQUIRES_RSA) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : @@ -8591,6 +8642,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; if (requirement == REQUIRES_DHE) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; #ifdef HAVE_CAMELLIA @@ -8632,6 +8685,8 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) case TLS_DH_anon_WITH_AES_256_GCM_SHA384: if (requirement == REQUIRES_DHE) return 1; + if (requirement == REQUIRES_AEAD) + return 1; break; #endif #ifdef WOLFSSL_MULTICAST 
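Review bot: TLS_PSK_WITH_AES_128_GCM_SHA256 and TLS_PSK_WITH_AES_256_GCM_SHA384 previously fell through into the CBC case group that follows and now get a body of their own, but that group's body is outside the hunk, so it cannot be confirmed here that the new block returns every requirement the old target did (REQUIRES_PSK) plus REQUIRES_AEAD and nothing less; the same applies to the DHE-PSK GCM pair in the `@@ -8507` hunk. A short comment on the new cases would make the intent reviewable, e.g. `/* split from the CBC group below: same PSK requirement, plus AEAD */`. The enclosing switch starts and ends outside the hunk.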
@@ -24466,25 +24521,15 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } } - if (first == CIPHER_BYTE && ssl->version.major == SSLv3_MAJOR && + if (CipherRequires(first, second, REQUIRES_AEAD)) { + WOLFSSL_MSG("Requires AEAD"); + if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor < TLSv1_2_MINOR) { - switch(second) { - case TLS_RSA_WITH_AES_128_GCM_SHA256: - case TLS_RSA_WITH_AES_256_GCM_SHA384: - case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - case TLS_DH_anon_WITH_AES_256_GCM_SHA384: - case TLS_PSK_WITH_AES_128_GCM_SHA256: - case TLS_PSK_WITH_AES_256_GCM_SHA384: - case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: - case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: - WOLFSSL_MSG("Version of SSL does not support AES-GCM"); - return WOLFSSL_FAILURE; - default: - break; + WOLFSSL_MSG("Version of SSL does not support AEAD ciphers"); + return 0; } - } + } #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && \ defined(HAVE_SUPPORTED_CURVES) From ad9522c76532da621f524c33bbbb0296072df336 Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Fri, 25 Oct 2019 09:51:11 -0700 Subject: [PATCH 4/5] Add WOLFSSL_OLDTLS_AEAD_CIPHERSUITES to allow AEAD cipher suites in TLSv1.0 and TLSv1.1 --- src/internal.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/internal.c b/src/internal.c index 4bcacdf6d..0e714d802 100644 --- a/src/internal.c +++ b/src/internal.c @@ -24521,6 +24521,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } } +#if !defined(WOLFSSL_OLDTLS_AEAD_CIPHERSUITES) if (CipherRequires(first, second, REQUIRES_AEAD)) { WOLFSSL_MSG("Requires AEAD"); if (ssl->version.major == SSLv3_MAJOR && @@ -24530,6 +24531,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } } +#endif #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && \ defined(HAVE_SUPPORTED_CURVES) From 39eaaddeaeb1a5ae10985efb1634687ba82afcbe Mon Sep 17 00:00:00 2001 
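Review bot: `WOLFSSL_MSG("Requires AEAD")` is logged for every AEAD suite the peer offers, including the ones accepted on TLS 1.2 and later, so the debug log reads as if something was rejected each time; either move it inside the version branch or reword it, e.g. `WOLFSSL_MSG("AEAD suite offered; checking protocol version");`. The result changes from WOLFSSL_FAILURE to a bare `return 0`, which is consistent only if the function uses a 1/0 convention; the function starts and ends outside the hunk, so that is not visible here. If the enclosing function's existing failure paths use a named value, the new branch should use the same one.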
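Review bot: WOLFSSL_OLDTLS_AEAD_CIPHERSUITES silently restores negotiation of AEAD suites under TLS 1.0/1.1, which RFC 5246 and RFC 5288 forbid, yet nothing at the `#if` says what the define trades away; a reader grepping for it finds only the guard. Suggest `/* WOLFSSL_OLDTLS_AEAD_CIPHERSUITES: allow AEAD suites with TLS 1.0/1.1 for interop with non-conforming peers only; not RFC 5246/5288 compliant */` above the `#if`, and the matching `#endif` in the `@@ -24530` hunk should carry `#endif /* !WOLFSSL_OLDTLS_AEAD_CIPHERSUITES */` as the file's other conditionals do (e.g. `#endif /* HAVE_CHACHA */`). The define is also named but not explained in the commit message; it deserves an entry wherever the build options are documented.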
From: Carie Pointer Date: Fri, 8 Nov 2019 10:04:58 -0800 Subject: [PATCH 5/5] Add tests for AEAD cipher suites with TLSv1.1 and TLSv1.0 --- tests/test.conf | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/tests/test.conf b/tests/test.conf index c21929124..5b7a3ebc1 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -1802,6 +1802,39 @@ -l ADH-AES256-GCM-SHA384 -H exitWithRet +# server TLSv1.1 DHE-RSA-AES256-GCM-SHA384 +-a +-v 2 +-l DHE-RSA-AES256-GCM-SHA384 +-H exitWithRet + +# client TLSv1.1 DHE-RSA-AES256-GCM-SHA384 +-a +-v 2 +-l DHE-RSA-AES256-GCM-SHA384 +-H exitWithRet + +# server TLSv1.0 DHE-RSA-AES256-GCM-SHA384 +-a +-v 1 +-l DHE-RSA-AES256-GCM-SHA384 +-H exitWithRet + +# client TLSv1.0 DHE-RSA-AES256-GCM-SHA384 +-a +-v 1 +-l DHE-RSA-AES256-GCM-SHA384 +-H exitWithRet + +# server TLSv1.1 +-a +-v 2 + +# client TLSv1.1 DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA +-a +-v 2 +-l DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA + # server TLSv1 NTRU_RC4 -v 1 -l NTRU-RC4-SHA
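Review bot: The new cases exercise TLS over TCP only; none is run with the DTLS option (`-u`), so the behaviour of the same suites on DTLS 1.0 goes untested, and no case covers a build with WOLFSSL_OLDTLS_AEAD_CIPHERSUITES to check the opt-out path. The final server/client pair expects success with `DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA` on TLSv1.1, which as far as test.conf can express only proves the handshake completes; nothing visible asserts that the CBC suite rather than the GCM one was selected.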