diff --git a/src/internal.c b/src/internal.c index 515a145e0..17e7c0882 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1285,6 +1285,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, } #endif +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA + if (tls && haveECDSAsig) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA; + } +#endif + #ifdef BUILD_TLS_RSA_WITH_NULL_SHA if (tls && haveRSA) { suites->suites[idx++] = 0; @@ -3981,6 +3988,11 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) return 1; break; + case TLS_ECDHE_ECDSA_WITH_NULL_SHA : + if (requirement == REQUIRES_ECC_DSA) + return 1; + break; + default: WOLFSSL_MSG("Unsupported cipher suite, CipherRequires ECC"); return 0; @@ -9913,6 +9925,10 @@ static const char* const cipher_names[] = #ifdef BUILD_SSL_RSA_WITH_IDEA_CBC_SHA "IDEA-CBC-SHA", #endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA + "ECDHE-ECDSA-NULL-SHA", +#endif }; @@ -10327,6 +10343,10 @@ static int cipher_name_idx[] = #ifdef BUILD_SSL_RSA_WITH_IDEA_CBC_SHA SSL_RSA_WITH_IDEA_CBC_SHA, #endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA + TLS_ECDHE_ECDSA_WITH_NULL_SHA, +#endif }; diff --git a/src/keys.c b/src/keys.c index 27d7ac598..7dcf824be 100644 --- a/src/keys.c +++ b/src/keys.c @@ -58,7 +58,7 @@ int SetCipherSpecs(WOLFSSL* ssl) /* Chacha extensions, 0xcc */ if (ssl->options.cipherSuite0 == CHACHA_BYTE) { - + switch (ssl->options.cipherSuite) { #ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256: @@ -180,7 +180,7 @@ int SetCipherSpecs(WOLFSSL* ssl) /* ECC extensions, or AES-CCM */ if (ssl->options.cipherSuite0 == ECC_BYTE) { - + switch (ssl->options.cipherSuite) { #ifdef HAVE_ECC @@ -764,6 +764,23 @@ int SetCipherSpecs(WOLFSSL* ssl) break; #endif + +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA + case TLS_ECDHE_ECDSA_WITH_NULL_SHA : + ssl->specs.bulk_cipher_algorithm = wolfssl_cipher_null; + ssl->specs.cipher_type = stream; + ssl->specs.mac_algorithm = sha_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = ecc_dsa_sa_algo; + ssl->specs.hash_size = SHA_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = 0; + ssl->specs.block_size = 0; + ssl->specs.iv_size = 0; + + break; +#endif #endif /* HAVE_ECC */ #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8 diff --git a/tests/test.conf b/tests/test.conf index a7d2f5169..7cee48a1f 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -399,6 +399,39 @@ -v 3 -l ECDHE-RSA-AES256-SHA +# server TLSv1 ECDHE-ECDSA-NULL-SHA +-v 1 +-l ECDHE-ECDSA-NULL-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDHE-ECDSA-NULL-SHA +-v 1 +-l ECDHE-ECDSA-NULL-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.1 ECDHE-ECDSA-NULL-SHA +-v 2 +-l ECDHE-ECDSA-NULL-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1 ECDHE-ECDSA-NULL-SHA +-v 2 +-l ECDHE-ECDSA-NULL-SHA +-A ./certs/server-ecc.pem + +# server TLSv1.2 ECDHE-ECDSA-NULL-SHA +-v 3 +-l ECDHE-ECDSA-NULL-SHA +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-NULL-SHA +-v 3 +-l ECDHE-ECDSA-NULL-SHA +-A ./certs/server-ecc.pem + # server TLSv1 ECDHE-ECDSA-RC4 -v 1 -l ECDHE-ECDSA-RC4-SHA diff --git a/wolfssl/internal.h b/wolfssl/internal.h index b8527997d..0acb6e4de 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -520,6 +520,9 @@ typedef byte word24[3]; #endif #endif /* NO_SHA */ #endif + #if defined(HAVE_NULL_CIPHER) && !defined(NO_SHA) + #define BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA + #endif #endif #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) \ && !defined(NO_OLD_POLY1305) @@ -705,6 +708,7 @@ enum { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0x23, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0x28, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0x24, + TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0x06, /* static ECDH, first byte is 0xC0 (ECC_BYTE) */ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0x0F,