From a89398fdbc29ae453e7ac2f8143248fe7094ba53 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 20 Nov 2012 14:52:17 -0800 Subject: [PATCH] added the cipher suites PSK-NULL-SHA256 and PSK-AES128-CBC-SHA256 --- cyassl/internal.h | 8 ++++++++ src/internal.c | 40 ++++++++++++++++++++++++++++++++++++++++ src/keys.c | 34 ++++++++++++++++++++++++++++++++++ src/ssl.c | 10 ++++++++-- tests/test-psk-null.conf | 10 ++++++++++ tests/test-psk.conf | 10 ++++++++++ 6 files changed, 110 insertions(+), 2 deletions(-) diff --git a/cyassl/internal.h b/cyassl/internal.h index 6cb8a9163..dfe4c7804 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -161,6 +161,9 @@ void c32to24(word32 in, word24 out); #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA + #ifndef NO_SHA256 + #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 + #endif #endif #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) @@ -170,6 +173,9 @@ void c32to24(word32 in, word24 out); #endif #if !defined(NO_PSK) #define BUILD_TLS_PSK_WITH_NULL_SHA + #ifndef NO_SHA256 + #define BUILD_TLS_PSK_WITH_NULL_SHA256 + #endif #endif #endif @@ -281,7 +287,9 @@ enum { TLS_RSA_WITH_AES_128_CBC_SHA = 0x2F, TLS_RSA_WITH_NULL_SHA = 0x02, TLS_PSK_WITH_AES_256_CBC_SHA = 0x8d, + TLS_PSK_WITH_AES_128_CBC_SHA256 = 0xae, TLS_PSK_WITH_AES_128_CBC_SHA = 0x8c, + TLS_PSK_WITH_NULL_SHA256 = 0xb0, TLS_PSK_WITH_NULL_SHA = 0x2c, SSL_RSA_WITH_RC4_128_SHA = 0x05, SSL_RSA_WITH_RC4_128_MD5 = 0x04, diff --git a/src/internal.c b/src/internal.c index 8d80b7f17..c0e843f92 100644 --- a/src/internal.c +++ b/src/internal.c 
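Review bot: `BUILD_TLS_PSK_WITH_NULL_SHA256`, added inside the `HAVE_NULL_CIPHER` block of cyassl/internal.h, has no comment saying that the suite carries no encryption. The matching case in src/keys.c sets `bulk_cipher_algorithm = cipher_null` with `key_size = 0`, so records are protected by HMAC-SHA256 only and application data is readable on the wire. The InitSuites hunk in src/internal.c also appends the suite to the list it builds whenever this macro is defined and `havePSK` is set. I would add above the define `/* integrity only: NULL bulk cipher, application data is sent unencrypted */` and repeat it at the keys.c case.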
@@ -870,6 +870,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, } #endif +#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 + if (tls && havePSK) { + suites->suites[idx++] = 0; + suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA256; + } +#endif + #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA if (tls && havePSK) { suites->suites[idx++] = 0; @@ -877,6 +884,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, } #endif +#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 + if (tls & havePSK) { + suites->suites[idx++] = 0; + suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA256; + } +#endif + #ifdef BUILD_TLS_PSK_WITH_NULL_SHA if (tls & havePSK) { suites->suites[idx++] = 0; @@ -4544,6 +4558,10 @@ const char* const cipher_names[] = "DHE-RSA-AES256-SHA", #endif +#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 + "PSK-AES128-CBC-SHA256", +#endif + #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA "PSK-AES128-CBC-SHA", #endif @@ -4552,6 +4570,10 @@ const char* const cipher_names[] = "PSK-AES256-CBC-SHA", #endif +#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 + "PSK-NULL-SHA256", +#endif + #ifdef BUILD_TLS_PSK_WITH_NULL_SHA "PSK-NULL-SHA", #endif @@ -4756,6 +4778,10 @@ int cipher_name_idx[] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA, #endif +#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 + TLS_PSK_WITH_AES_128_CBC_SHA256, +#endif + #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA TLS_PSK_WITH_AES_128_CBC_SHA, #endif @@ -4764,6 +4790,10 @@ int cipher_name_idx[] = TLS_PSK_WITH_AES_256_CBC_SHA, #endif +#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 + TLS_PSK_WITH_NULL_SHA256, +#endif + #ifdef BUILD_TLS_PSK_WITH_NULL_SHA TLS_PSK_WITH_NULL_SHA, #endif @@ -6850,6 +6880,11 @@ int SetCipherList(Suites* s, const char* list) return 1; break; + case TLS_PSK_WITH_AES_128_CBC_SHA256 : + if (requirement == REQUIRES_PSK) + return 1; + break; + case TLS_PSK_WITH_AES_128_CBC_SHA : if (requirement == REQUIRES_PSK) return 1; 
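Review bot: The added `TLS_PSK_WITH_NULL_SHA256` block in InitSuites tests `if (tls & havePSK)` with a bitwise AND, while the `TLS_PSK_WITH_AES_128_CBC_SHA256` block added just above it uses `tls && havePSK`. `havePSK` is a `byte` parameter, and if either operand ever holds a nonzero value other than 1 the bitwise form can evaluate to 0 and silently drop the suite; I would write `if (tls && havePSK) {`. The unchanged `BUILD_TLS_PSK_WITH_NULL_SHA` block below has the same `&` and could be fixed in the same pass. InitSuites starts and ends outside this hunk, so how `tls` is computed is not visible here.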
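Review bot: `cipher_names[]` and `cipher_name_idx[]` are parallel tables that stay aligned only because each new entry is inserted at the same position under the same `#ifdef` in both (this hunk and the ones at -4552, -4756 and -4764). The four insertions here do line up, but nothing checks it. Assuming name lookup uses the index of the matched string, which is not shown, a future mismatch would make a configured cipher name select a different suite, possibly a NULL one. A length check next to the tables would catch the most common slip: `typedef char cipher_tables_same_len[(sizeof(cipher_names)/sizeof(cipher_names[0]) == sizeof(cipher_name_idx)/sizeof(cipher_name_idx[0])) ? 1 : -1];`. It does not verify order, so a comment stating the pairing rule is still worth adding above both tables.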
@@ -6860,6 +6895,11 @@ int SetCipherList(Suites* s, const char* list) return 1; break; + case TLS_PSK_WITH_NULL_SHA256 : + if (requirement == REQUIRES_PSK) + return 1; + break; + case TLS_PSK_WITH_NULL_SHA : if (requirement == REQUIRES_PSK) return 1; diff --git a/src/keys.c b/src/keys.c index ece9c9fa3..3d264dda9 100644 --- a/src/keys.c +++ b/src/keys.c @@ -668,6 +668,23 @@ int SetCipherSpecs(CYASSL* ssl) break; #endif +#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 + case TLS_PSK_WITH_AES_128_CBC_SHA256 : + ssl->specs.bulk_cipher_algorithm = aes; + ssl->specs.cipher_type = block; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = psk_kea; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = AES_128_KEY_SIZE; + ssl->specs.block_size = AES_BLOCK_SIZE; + ssl->specs.iv_size = AES_IV_SIZE; + + ssl->options.usingPSK_cipher = 1; + break; +#endif + #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA case TLS_PSK_WITH_AES_128_CBC_SHA : ssl->specs.bulk_cipher_algorithm = aes; @@ -702,6 +719,23 @@ int SetCipherSpecs(CYASSL* ssl) break; #endif +#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256 + case TLS_PSK_WITH_NULL_SHA256 : + ssl->specs.bulk_cipher_algorithm = cipher_null; + ssl->specs.cipher_type = stream; + ssl->specs.mac_algorithm = sha256_mac; + ssl->specs.kea = psk_kea; + ssl->specs.hash_size = SHA256_DIGEST_SIZE; + ssl->specs.pad_size = PAD_SHA; + ssl->specs.static_ecdh = 0; + ssl->specs.key_size = 0; + ssl->specs.block_size = 0; + ssl->specs.iv_size = 0; + + ssl->options.usingPSK_cipher = 1; + break; +#endif + #ifdef BUILD_TLS_PSK_WITH_NULL_SHA case TLS_PSK_WITH_NULL_SHA : ssl->specs.bulk_cipher_algorithm = cipher_null; diff --git a/src/ssl.c b/src/ssl.c index 1a52e42ad..7d45c228f 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -2696,7 +2696,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) return SSL_FATAL_ERROR; } - #ifndef NO_CERTS + #ifndef NO_CERTS /* in case used set_accept_state after init */ if (!havePSK && (ssl->buffers.certificate.buffer == NULL || ssl->buffers.key.buffer == NULL)) { @@ -2705,7 +2705,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) CYASSL_ERROR(ssl->error); return SSL_FATAL_ERROR; } - #endif + #endif #ifdef HAVE_ECC /* in case used set_accept_state after init */ @@ -5411,10 +5411,16 @@ int CyaSSL_set_compression(CYASSL* ssl) return "TLS_RSA_WITH_NULL_SHA"; case TLS_RSA_WITH_NULL_SHA256 : return "TLS_RSA_WITH_NULL_SHA256"; + case TLS_PSK_WITH_AES_128_CBC_SHA256 : + return "TLS_PSK_WITH_AES_128_CBC_SHA256"; case TLS_PSK_WITH_AES_128_CBC_SHA : return "TLS_PSK_WITH_AES_128_CBC_SHA"; case TLS_PSK_WITH_AES_256_CBC_SHA : return "TLS_PSK_WITH_AES_256_CBC_SHA"; + case TLS_PSK_WITH_NULL_SHA256 : + return "TLS_PSK_WITH_NULL_SHA256"; + case TLS_PSK_WITH_NULL_SHA : + return "TLS_PSK_WITH_NULL_SHA"; case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : diff --git a/tests/test-psk-null.conf b/tests/test-psk-null.conf index 7cb288ead..c29d77476 100644 --- a/tests/test-psk-null.conf +++ b/tests/test-psk-null.conf @@ -28,3 +28,13 @@ -v 3 -l PSK-NULL-SHA +# server TLSv1.2 PSK-NULL-SHA256 +-s +-v 3 +-l PSK-NULL-SHA256 + +# client TLSv1.2 PSK-NULL-SHA256 +-s +-v 3 +-l PSK-NULL-SHA256 + diff --git a/tests/test-psk.conf b/tests/test-psk.conf index ca4b918fd..48fc77029 100644 --- a/tests/test-psk.conf +++ b/tests/test-psk.conf @@ -58,3 +58,13 @@ -v 3 -l PSK-AES256-CBC-SHA +# server TLSv1.2 PSK-AES128-SHA256 +-s +-v 3 +-l PSK-AES128-CBC-SHA256 + +# client TLSv1.2 PSK-AES128-SHA256 +-s +-v 3 +-l PSK-AES128-CBC-SHA256 +
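Review bot: The new entries in tests/test-psk-null.conf run only with `-v 3`, while the InitSuites hunks in src/internal.c offer both new suites under `tls && havePSK` / `tls & havePSK` with no TLS 1.2 condition. If the suites are meant to negotiate on earlier TLS versions, add entries for those versions too; if they are meant to be TLS 1.2 only, the InitSuites condition should say so. The same applies to the tests/test-psk.conf hunk, where the comments also read `PSK-AES128-SHA256` although the suite passed to `-l` is `PSK-AES128-CBC-SHA256`.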