From 2f9c9b9a2203f1e6f645db8f9f291d8e770fcc0b Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Mon, 13 Jun 2016 14:39:41 -0700
Subject: [PATCH] Add cipher suite ECDHE-ECDSA-AES128-CCM
1. Added the usual cipher suite changes for the new suite.
2. Added a build option, WOLFSSL_ALT_TEST_STRINGS, for testing against GnuTLS. It wants to receive strings with newlines.
3. Updated the test configs for the new suite.
Tested against GnuTLS's client and server using the options:
$ gnutls-cli --priority "NONE:+VERS-TLS-ALL:+AEAD:+ECDHE-ECDSA:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509" --x509cafile=./certs/server-ecc.pem --no-ca-verification -p 11111 localhost
$ gnutls-serv --echo --x509keyfile=./certs/ecc-key.pem --x509certfile=./certs/server-ecc.pem --port=11111 -a --priority "NONE:+VERS-TLS-ALL:+AEAD:+ECDHE-ECDSA:+AES-128-CCM:+SIGN-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509"
To talk to GnuTLS, wolfSSL also needed the supported curves option enabled.
---
examples/client/client.c | 10 ++++++++--
examples/server/server.c | 4 ++++
src/internal.c | 16 ++++++++++++++++
src/keys.c | 18 ++++++++++++++++++
src/ssl.c | 2 ++
tests/test-dtls.conf | 13 +++++++++++++
tests/test-qsh.conf | 11 +++++++++++
tests/test-sig.conf | 11 +++++++++++
tests/test.conf | 11 +++++++++++
wolfssl/internal.h | 2 ++
10 files changed, 96 insertions(+), 2 deletions(-)
diff --git a/examples/client/client.c b/examples/client/client.c
index 3e79a732a..8c609d427 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -517,13 +517,19 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) WOLFSSL* sslResume = 0; WOLFSSL_SESSION* session = 0; - char resumeMsg[32] = "resuming wolfssl!"; - int resumeSz = (int)strlen(resumeMsg); +#ifndef WOLFSSL_ALT_TEST_STRINGS char msg[32] = "hello wolfssl!"; /* GET may make bigger */ + char resumeMsg[32] = "resuming wolfssl!"; +#else + char msg[32] = "hello wolfssl!\n"; + char resumeMsg[32] = "resuming wolfssl!\n"; +#endif + char reply[80]; int input; int msgSz = (int)strlen(msg); + int resumeSz = (int)strlen(resumeMsg); word16 port = wolfSSLPort; char* host = (char*)wolfSSLIP; diff --git a/examples/server/server.c b/examples/server/server.c index df3110a39..0fdbdd2e6 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -256,7 +256,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) SSL_CTX* ctx = 0; SSL* ssl = 0; +#ifndef WOLFSSL_ALT_TEST_STRINGS const char msg[] = "I hear you fa shizzle!"; +#else + const char msg[] = "I hear you fa shizzle!\n"; +#endif char input[80]; int ch; int version = SERVER_DEFAULT_VERSION; diff --git a/src/internal.c b/src/internal.c index 746182a6e..fd1f9b63b 100755 --- a/src/internal.c +++ b/src/internal.c @@ -2123,6 +2123,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, } #endif +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM + if (tls1_2 && haveECC) { + suites->suites[idx++] = ECC_BYTE; + suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM; + } +#endif + #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 if (tls1_2 && haveECC) { suites->suites[idx++] = ECC_BYTE; @@ -5540,6 +5547,7 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) break; #endif + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM : case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : if (requirement == REQUIRES_ECC) 
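Review bot: `WOLFSSL_ALT_TEST_STRINGS` appears in the declarations of `client_test` with no comment saying what it is for, and the `#else` branch drops the `/* GET may make bigger */` remark that explains why `msg` is sized at 32 bytes. A short comment above the `#ifndef`, for example `/* WOLFSSL_ALT_TEST_STRINGS: newline-terminated test strings for peers that expect line-oriented input (e.g. the GnuTLS tools) */`, would keep the reason in the code instead of only in the commit message. The same comment is missing on the `msg[]` declaration in the `server_test` hunk of examples/server/server.c. Both functions continue outside their hunks.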
@@ -11500,6 +11508,10 @@ static const char* const cipher_names[] = "AES256-CCM-8", #endif +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM + "ECDHE-ECDSA-AES128-CCM", +#endif + #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 "ECDHE-ECDSA-AES128-CCM-8", #endif @@ -11942,6 +11954,10 @@ static int cipher_name_idx[] = TLS_RSA_WITH_AES_256_CCM_8, #endif +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM + TLS_ECDHE_ECDSA_WITH_AES_128_CCM, +#endif + #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, #endif diff --git a/src/keys.c b/src/keys.c index 849636ee1..dd3207c88 100644 --- a/src/keys.c +++ b/src/keys.c @@ -790,6 +790,24 @@ int SetCipherSpecs(WOLFSSL* ssl) break; #endif +#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM : + ssl->specs.bulk_cipher_algorithm = wolfssl_aes_ccm; + ssl->specs.cipher_type = aead; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = ecc_diffie_hellman_kea; + ssl->specs.sig_algo = ecc_dsa_sa_algo; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = AES_128_KEY_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + ssl->specs.iv_size = AESGCM_IMP_IV_SZ; + ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ; + + break; +#endif + #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 : ssl->specs.bulk_cipher_algorithm = wolfssl_aes_ccm; diff --git a/src/ssl.c b/src/ssl.c index 4a45ba34e..2595f3d35 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -11760,6 +11760,8 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) return "TLS_DHE_PSK_WITH_AES_256_CCM"; #endif #ifdef HAVE_ECC + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM: + return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM"; case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"; case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 : 
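Review bot: `cipher_names[]` and `cipher_name_idx[]` are parallel tables, so the new entry must land at the same position in both, and nothing visible in these two hunks enforces that. The patch does insert both entries directly before the `..._AES_128_CCM_8` entry under the same `BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM` guard, so the tables agree today. If they ever drift, a name in a configured cipher list would presumably resolve to a different suite than the one the operator asked for. Unless a check already exists outside the hunks, consider a compile-time count check next to the tables, e.g. `_Static_assert(sizeof(cipher_names)/sizeof(cipher_names[0]) == sizeof(cipher_name_idx)/sizeof(cipher_name_idx[0]), "cipher tables out of sync");` or the project's own static-assert macro where pre-C11 compilers are supported. That catches a missing entry but not a reordering, so a comment stating the ordering invariant is still worth adding.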
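Review bot: The new `SetCipherSpecs` case sets `ssl->specs.iv_size = AESGCM_IMP_IV_SZ;` for a CCM suite, which reads like a copy-paste slip even though the implicit nonce length is presumably the same for both AEAD modes. A comment such as `/* CCM uses the same implicit IV length as GCM */`, or a CCM-named alias if the headers provide one, would make the intent explicit. `ssl->specs.aead_mac_size = AES_CCM_16_AUTH_SZ;` also deserves a comment such as `/* full 16-byte tag; the _8 suites truncate it */`, because the tag length is the property that separates this suite from the `_CCM_8` case that follows. Only the first line of that `_CCM_8` case is visible and the function continues outside the hunk, so the field-by-field comparison should be confirmed against the full file.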
diff --git a/tests/test-dtls.conf b/tests/test-dtls.conf index 7faa856f2..fb4260e62 100644 --- a/tests/test-dtls.conf +++ b/tests/test-dtls.conf @@ -1046,6 +1046,19 @@ -v 3 -l PSK-AES256-GCM-SHA384 +# server DTLSv1.2 ECDHE-ECDSA-AES128-CCM +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client DTLSv1.2 ECDHE-ECDSA-AES128-CCM +-u +-v 3 +-l ECDHE-ECDSA-AES128-CCM +-A ./certs/server-ecc.pem + # server DTLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -u -v 3 diff --git a/tests/test-qsh.conf b/tests/test-qsh.conf index b12b49cf7..211ecabed 100644 --- a/tests/test-qsh.conf +++ b/tests/test-qsh.conf @@ -1823,6 +1823,17 @@ -v 3 -l QSH:AES256-CCM-8 +# server TLSv1.2 ECDHE-ECDSA-AES128-CCM +-v 3 +-l QSH:ECDHE-ECDSA-AES128-CCM +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128-CCM +-v 3 +-l QSH:ECDHE-ECDSA-AES128-CCM +-A ./certs/server-ecc.pem + # server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -v 3 -l QSH:ECDHE-ECDSA-AES128-CCM-8 diff --git a/tests/test-sig.conf b/tests/test-sig.conf index db643c5c2..4ce46ca83 100644 --- a/tests/test-sig.conf +++ b/tests/test-sig.conf @@ -185,6 +185,17 @@ -l ECDHE-ECDSA-AES256-GCM-SHA384 -A ./certs/ca-cert.pem +# server TLSv1.2 ECDHE-ECDSA-AES128-CCM +-v 3 +-l ECDHE-ECDSA-AES128-CCM +-c ./certs/server-ecc-rsa.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128-CCM +-v 3 +-l ECDHE-ECDSA-AES128-CCM +-A ./certs/ca-cert.pem + # server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -v 3 -l ECDHE-ECDSA-AES128-CCM-8 diff --git a/tests/test.conf b/tests/test.conf index 40beed1cc..37f672ab0 100644 --- a/tests/test.conf +++ b/tests/test.conf @@ -1812,6 +1812,17 @@ -v 3 -l AES256-CCM-8 +# server TLSv1.2 ECDHE-ECDSA-AES128-CCM +-v 3 +-l ECDHE-ECDSA-AES128-CCM +-c ./certs/server-ecc.pem +-k ./certs/ecc-key.pem + +# client TLSv1.2 ECDHE-ECDSA-AES128-CCM +-v 3 +-l ECDHE-ECDSA-AES128-CCM +-A ./certs/server-ecc.pem + # server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8 -v 3 -l ECDHE-ECDSA-AES128-CCM-8 
diff --git a/wolfssl/internal.h b/wolfssl/internal.h index fd53f97de..01301001a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -608,6 +608,7 @@ typedef byte word24[3]; #endif #endif #if defined(HAVE_AESCCM) && !defined(NO_SHA256) + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 #endif @@ -812,6 +813,7 @@ enum { * with non-ECC AES-GCM */ TLS_RSA_WITH_AES_128_CCM_8 = 0xa0, TLS_RSA_WITH_AES_256_CCM_8 = 0xa1, + TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xac, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xae, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xaf, TLS_PSK_WITH_AES_128_CCM = 0xa4,
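Review bot: `BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM` is defined unconditionally inside the `HAVE_AESCCM && !NO_SHA256` block, so as far as the visible condition shows, every build that already compiles the CCM_8 suites will start offering the new suite by default. The `InitSuites` hunk also places it ahead of `..._AES_128_CCM_8` in preference order. Preferring the full-length tag is a sensible default, but it changes the advertised suite list for existing deployments, so it should be noted in a comment above the define and in the release notes. In the enum hunk, `TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xac` matches the second byte assigned by RFC 7251 (0xC0,0xAC); a trailing comment citing the RFC would let the next reader verify it. The 256-bit sibling (0xC0,0xAD) is not added by this patch.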