feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge branch 'ccm'

Browse Source
This commit is contained in:
John Safranek
2013-01-15 16:37:37 -08:00
parent 1139ad76aa c7b5fbe552
commit b327925a1b
13 changed files with 395 additions and 166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
commit-tests.sh
View File

@@ -23,7 +23,7 @@ RESULT=$?
# make sure full config is ok # make sure full config is ok
echo -e "\n\nTesting full config as well...\n\n" echo -e "\n\nTesting full config as well...\n\n"
./configure --enable-opensslExtra --enable-fastmath --enable-dtls --enable-aesgcm --enable-hc128 --enable-sniffer --enable-psk --enable-rabbit; ./configure --enable-opensslExtra --enable-fastmath --enable-dtls --enable-aesgcm --enable-aesccm --enable-hc128 --enable-sniffer --enable-psk --enable-rabbit;
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nFull config ./configure failed" && exit 1 [ $RESULT -ne 0 ] && echo -e "\n\nFull config ./configure failed" && exit 1

9
configure.ac
View File

@@ -339,10 +339,10 @@ AC_ARG_ENABLE([aesccm],
if test "$ENABLED_AESCCM" = "yes" if test "$ENABLED_AESCCM" = "yes"
then then
AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM" AM_CFLAGS="$AM_CFLAGS -DHAVE_AESCCM -DCYASSL_SHA384 -DCYASSL_SHA512"
fi fi
AM_CONDITIONAL([BUILD_AESGCM], [test "x$ENABLED_AESGCM" = "xyes"]) AM_CONDITIONAL([BUILD_AESCCM], [test "x$ENABLED_AESCCM" = "xyes"])
# AES-NI # AES-NI
@@ -422,6 +422,11 @@ then
ENABLED_SHA512="yes" ENABLED_SHA512="yes"
fi fi
if test "$ENABLED_AESCCM" = "yes"
then
ENABLED_SHA512="yes"
fi
AM_CONDITIONAL([BUILD_SHA512], [test "x$ENABLED_SHA512" = "xyes"]) AM_CONDITIONAL([BUILD_SHA512], [test "x$ENABLED_SHA512" = "xyes"])

9
ctaocrypt/benchmark/benchmark.c
View File

@@ -198,12 +198,11 @@ void bench_aesgcm(void)
double start, total, persec; double start, total, persec;
int i; int i;
AesGcmSetKey(&enc, key, 16, iv); AesGcmSetKey(&enc, key, 16);
AesGcmSetExpIV(&enc, iv+4);
start = current_time(); start = current_time();
for(i = 0; i < megs; i++) for(i = 0; i < megs; i++)
AesGcmEncrypt(&enc, cipher, plain, sizeof(plain), AesGcmEncrypt(&enc, cipher, plain, sizeof(plain), iv, 12,
tag, 16, additional, 13); tag, 16, additional, 13);
total = current_time() - start; total = current_time() - start;
@@ -222,11 +221,11 @@ void bench_aesccm(void)
double start, total, persec; double start, total, persec;
int i; int i;
AesCcmSetKey(&enc, key, 16, iv, 12); AesCcmSetKey(&enc, key, 16);
start = current_time(); start = current_time();
for(i = 0; i < megs; i++) for(i = 0; i < megs; i++)
AesCcmEncrypt(&enc, cipher, plain, sizeof(plain), AesCcmEncrypt(&enc, cipher, plain, sizeof(plain), iv, 12,
tag, 16, additional, 13); tag, 16, additional, 13);
total = current_time() - start; total = current_time() - start;

116
ctaocrypt/src/aes.c
View File

@@ -1807,8 +1807,6 @@ void AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
*/ */
enum { enum {
IMPLICIT_IV_SZ = 4,
EXPLICIT_IV_SZ = 8,
CTR_SZ = 4 CTR_SZ = 4
}; };
@@ -1834,36 +1832,6 @@ static INLINE void IncrementGcmCounter(byte* inOutCtr)
} }
/*
* The explicit IV is set by the caller. A common practice is to treat it as
* a sequence number seeded with a random number. The caller manages
* incrementing the explicit IV when appropriate.
*/
void AesGcmSetExpIV(Aes* aes, const byte* iv)
{
XMEMCPY((byte*)aes->reg + IMPLICIT_IV_SZ, iv, EXPLICIT_IV_SZ);
}
void AesGcmGetExpIV(Aes* aes, byte* iv)
{
XMEMCPY(iv, (byte*)aes->reg + IMPLICIT_IV_SZ, EXPLICIT_IV_SZ);
}
void AesGcmIncExpIV(Aes* aes)
{
int i;
byte* iv = (byte*)aes->reg + IMPLICIT_IV_SZ;
for (i = EXPLICIT_IV_SZ - 1; i >= 0; i--) {
if (++iv[i])
return;
}
}
#if defined(GCM_SMALL) || defined(GCM_TABLE) #if defined(GCM_SMALL) || defined(GCM_TABLE)
static INLINE void FlattenSzInBits(byte* buf, word32 sz) static INLINE void FlattenSzInBits(byte* buf, word32 sz)
@@ -1929,20 +1897,17 @@ static void GenerateM0(Aes* aes)
#endif /* GCM_TABLE */ #endif /* GCM_TABLE */
void AesGcmSetKey(Aes* aes, const byte* key, word32 len, void AesGcmSetKey(Aes* aes, const byte* key, word32 len)
const byte* implicitIV)
{ {
byte fullIV[AES_BLOCK_SIZE]; byte iv[AES_BLOCK_SIZE];
if (!((len == 16) || (len == 24) || (len == 32))) if (!((len == 16) || (len == 24) || (len == 32)))
return; return;
XMEMSET(fullIV, 0, AES_BLOCK_SIZE); XMEMSET(iv, 0, AES_BLOCK_SIZE);
XMEMCPY(fullIV, implicitIV, IMPLICIT_IV_SZ); AesSetKeyLocal(aes, key, len, iv, AES_ENCRYPTION);
AesSetKeyLocal(aes, key, len, fullIV, AES_ENCRYPTION);
XMEMSET(fullIV, 0, AES_BLOCK_SIZE); AesEncrypt(aes, iv, aes->H);
AesEncrypt(aes, fullIV, aes->H);
#ifdef GCM_TABLE #ifdef GCM_TABLE
GenerateM0(aes); GenerateM0(aes);
#endif /* GCM_TABLE */ #endif /* GCM_TABLE */
@@ -2449,6 +2414,7 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
void AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, void AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
const byte* iv, word32 ivSz,
byte* authTag, word32 authTagSz, byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz) const byte* authIn, word32 authInSz)
{ {
@@ -2461,9 +2427,8 @@ void AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
CYASSL_ENTER("AesGcmEncrypt"); CYASSL_ENTER("AesGcmEncrypt");
/* Initialize the counter with the MS 96 bits of IV, and the counter XMEMSET(ctr, 0, AES_BLOCK_SIZE);
* portion set to "1". */ XMEMCPY(ctr, iv, ivSz);
XMEMCPY(ctr, aes->reg, AES_BLOCK_SIZE);
InitGcmCounter(ctr); InitGcmCounter(ctr);
while (blocks--) { while (blocks--) {
@@ -2489,6 +2454,7 @@ void AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
int AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, int AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
const byte* iv, word32 ivSz,
const byte* authTag, word32 authTagSz, const byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz) const byte* authIn, word32 authInSz)
{ {
@@ -2501,9 +2467,8 @@ int AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
CYASSL_ENTER("AesGcmDecrypt"); CYASSL_ENTER("AesGcmDecrypt");
/* Initialize the counter with the MS 96 bits of IV, and the counter XMEMSET(ctr, 0, AES_BLOCK_SIZE);
* portion set to "1". */ XMEMCPY(ctr, iv, ivSz);
XMEMCPY(ctr, aes->reg, AES_BLOCK_SIZE);
InitGcmCounter(ctr); InitGcmCounter(ctr);
/* Calculate the authTag again using the received auth data and the /* Calculate the authTag again using the received auth data and the
@@ -2543,26 +2508,15 @@ int AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
#ifdef HAVE_AESCCM #ifdef HAVE_AESCCM
void AesCcmSetKey(Aes* aes, const byte* key, word32 keySz, void AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
const byte* implicitIV, word32 ivSz)
{ {
byte fullIV[AES_BLOCK_SIZE]; byte nonce[AES_BLOCK_SIZE];
if (!((keySz == 16) || (keySz == 24) || (keySz == 32))) if (!((keySz == 16) || (keySz == 24) || (keySz == 32)))
return; return;
if (ivSz > AES_BLOCK_SIZE - 2) { XMEMSET(nonce, 0, sizeof(nonce));
CYASSL_MSG("AES-CCM IV is too long"); AesSetKeyLocal(aes, key, keySz, nonce, AES_ENCRYPTION);
return;
}
XMEMSET(fullIV, 0, sizeof(fullIV));
XMEMCPY(fullIV + 1, implicitIV, ivSz);
AesSetKeyLocal(aes, key, keySz, fullIV, AES_ENCRYPTION);
aes->lenSz = AES_BLOCK_SIZE - 1 - ivSz;
XMEMSET(fullIV, 0, sizeof(fullIV));
} }
@@ -2641,18 +2595,20 @@ static INLINE void AesCcmCtrInc(byte* B, word32 lenSz)
void AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz, void AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
const byte* nonce, word32 nonceSz,
byte* authTag, word32 authTagSz, byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz) const byte* authIn, word32 authInSz)
{ {
byte A[AES_BLOCK_SIZE]; byte A[AES_BLOCK_SIZE];
byte B[AES_BLOCK_SIZE]; byte B[AES_BLOCK_SIZE];
word32 i; word32 i, lenSz;
XMEMCPY(B, aes->reg, AES_BLOCK_SIZE); XMEMCPY(B+1, nonce, nonceSz);
lenSz = AES_BLOCK_SIZE - 1 - nonceSz;
B[0] = (authInSz > 0 ? 64 : 0) B[0] = (authInSz > 0 ? 64 : 0)
+ (8 * ((authTagSz - 2) / 2)) + (8 * ((authTagSz - 2) / 2))
+ (aes->lenSz - 1); + (lenSz - 1);
for (i = 0; i < aes->lenSz; i++) for (i = 0; i < lenSz; i++)
B[AES_BLOCK_SIZE - 1 - i] = (inSz >> (8 * i)) & 0xFF; B[AES_BLOCK_SIZE - 1 - i] = (inSz >> (8 * i)) & 0xFF;
AesEncrypt(aes, B, A); AesEncrypt(aes, B, A);
@@ -2662,8 +2618,8 @@ void AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
roll_x(aes, in, inSz, A); roll_x(aes, in, inSz, A);
XMEMCPY(authTag, A, authTagSz); XMEMCPY(authTag, A, authTagSz);
B[0] = (aes->lenSz - 1); B[0] = (lenSz - 1);
for (i = 0; i < aes->lenSz; i++) for (i = 0; i < lenSz; i++)
B[AES_BLOCK_SIZE - 1 - i] = 0; B[AES_BLOCK_SIZE - 1 - i] = 0;
AesEncrypt(aes, B, A); AesEncrypt(aes, B, A);
xorbuf(authTag, A, authTagSz); xorbuf(authTag, A, authTagSz);
@@ -2674,7 +2630,7 @@ void AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
xorbuf(A, in, AES_BLOCK_SIZE); xorbuf(A, in, AES_BLOCK_SIZE);
XMEMCPY(out, A, AES_BLOCK_SIZE); XMEMCPY(out, A, AES_BLOCK_SIZE);
AesCcmCtrInc(B, aes->lenSz); AesCcmCtrInc(B, lenSz);
inSz -= AES_BLOCK_SIZE; inSz -= AES_BLOCK_SIZE;
in += AES_BLOCK_SIZE; in += AES_BLOCK_SIZE;
out += AES_BLOCK_SIZE; out += AES_BLOCK_SIZE;
@@ -2691,27 +2647,31 @@ void AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
int AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz, int AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
const byte* nonce, word32 nonceSz,
const byte* authTag, word32 authTagSz, const byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz) const byte* authIn, word32 authInSz)
{ {
byte A[AES_BLOCK_SIZE]; byte A[AES_BLOCK_SIZE];
byte B[AES_BLOCK_SIZE]; byte B[AES_BLOCK_SIZE];
byte* o; byte* o;
word32 i, oSz, result = 0; word32 i, lenSz, oSz, result = 0;
o = out; o = out;
oSz = inSz; oSz = inSz;
XMEMCPY(B, aes->reg, AES_BLOCK_SIZE); XMEMCPY(B+1, nonce, nonceSz);
B[0] = (aes->lenSz - 1); lenSz = AES_BLOCK_SIZE - 1 - nonceSz;
for (i = 0; i < aes->lenSz - 1; i++)
B[0] = (lenSz - 1);
for (i = 0; i < lenSz; i++)
B[AES_BLOCK_SIZE - 1 - i] = 0; B[AES_BLOCK_SIZE - 1 - i] = 0;
B[15] = 1; B[15] = 1;
while (oSz >= AES_BLOCK_SIZE) { while (oSz >= AES_BLOCK_SIZE) {
AesEncrypt(aes, B, A); AesEncrypt(aes, B, A);
xorbuf(A, in, AES_BLOCK_SIZE); xorbuf(A, in, AES_BLOCK_SIZE);
XMEMCPY(o, A, AES_BLOCK_SIZE); XMEMCPY(o, A, AES_BLOCK_SIZE);
AesCcmCtrInc(B, aes->lenSz); AesCcmCtrInc(B, lenSz);
oSz -= AES_BLOCK_SIZE; oSz -= AES_BLOCK_SIZE;
in += AES_BLOCK_SIZE; in += AES_BLOCK_SIZE;
o += AES_BLOCK_SIZE; o += AES_BLOCK_SIZE;
@@ -2722,7 +2682,7 @@ int AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
XMEMCPY(o, A, oSz); XMEMCPY(o, A, oSz);
} }
for (i = 0; i < aes->lenSz; i++) for (i = 0; i < lenSz; i++)
B[AES_BLOCK_SIZE - 1 - i] = 0; B[AES_BLOCK_SIZE - 1 - i] = 0;
AesEncrypt(aes, B, A); AesEncrypt(aes, B, A);
@@ -2731,8 +2691,8 @@ int AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
B[0] = (authInSz > 0 ? 64 : 0) B[0] = (authInSz > 0 ? 64 : 0)
+ (8 * ((authTagSz - 2) / 2)) + (8 * ((authTagSz - 2) / 2))
+ (aes->lenSz - 1); + (lenSz - 1);
for (i = 0; i < aes->lenSz; i++) for (i = 0; i < lenSz; i++)
B[AES_BLOCK_SIZE - 1 - i] = (inSz >> (8 * i)) & 0xFF; B[AES_BLOCK_SIZE - 1 - i] = (inSz >> (8 * i)) & 0xFF;
AesEncrypt(aes, B, A); AesEncrypt(aes, B, A);
@@ -2741,8 +2701,8 @@ int AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
if (inSz > 0) if (inSz > 0)
roll_x(aes, o, oSz, A); roll_x(aes, o, oSz, A);
B[0] = (aes->lenSz - 1); B[0] = (lenSz - 1);
for (i = 0; i < aes->lenSz; i++) for (i = 0; i < lenSz; i++)
B[AES_BLOCK_SIZE - 1 - i] = 0; B[AES_BLOCK_SIZE - 1 - i] = 0;
AesEncrypt(aes, B, B); AesEncrypt(aes, B, B);
xorbuf(A, B, authTagSz); xorbuf(A, B, authTagSz);

46
ctaocrypt/test/test.c
View File

@@ -1518,7 +1518,7 @@ int aesgcm_test(void)
const byte iv[] = const byte iv[] =
{ {
0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
0xde, 0xca, 0xf8, 0x88, 0x00, 0x00, 0x00, 0x00 0xde, 0xca, 0xf8, 0x88
}; };
const byte p[] = const byte p[] =
@@ -1558,27 +1558,27 @@ int aesgcm_test(void)
0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b
}; };
byte t2[16]; byte t2[sizeof(t)];
byte p2[60]; byte p2[sizeof(c)];
byte c2[60]; byte c2[sizeof(p)];
int result; int result;
memset(t2, 0, 16); memset(t2, 0, sizeof(t2));
memset(c2, 0, 60); memset(c2, 0, sizeof(c2));
memset(p2, 0, 60); memset(p2, 0, sizeof(p2));
AesGcmSetKey(&enc, k, sizeof(k), iv); AesGcmSetKey(&enc, k, sizeof(k));
AesGcmSetExpIV(&enc, iv + /*AES_GCM_IMP_IV_SZ*/ 4);
/* AES-GCM encrypt and decrypt both use AES encrypt internally */ /* AES-GCM encrypt and decrypt both use AES encrypt internally */
AesGcmEncrypt(&enc, c2, p, sizeof(c2), t2, sizeof(t2), a, sizeof(a)); AesGcmEncrypt(&enc, c2, p, sizeof(c2), iv, sizeof(iv),
t2, sizeof(t2), a, sizeof(a));
if (memcmp(c, c2, sizeof(c2))) if (memcmp(c, c2, sizeof(c2)))
return -68; return -68;
if (memcmp(t, t2, sizeof(t2))) if (memcmp(t, t2, sizeof(t2)))
return -69; return -69;
result = AesGcmDecrypt(&enc, result = AesGcmDecrypt(&enc, p2, c2, sizeof(p2), iv, sizeof(iv),
p2, c2, sizeof(p2), t2, sizeof(t2), a, sizeof(a)); t2, sizeof(t2), a, sizeof(a));
if (result != 0) if (result != 0)
return -70; return -70;
if (memcmp(p, p2, sizeof(p2))) if (memcmp(p, p2, sizeof(p2)))
@@ -1642,21 +1642,35 @@ int aesccm_test(void)
memset(c2, 0, sizeof(c2)); memset(c2, 0, sizeof(c2));
memset(p2, 0, sizeof(p2)); memset(p2, 0, sizeof(p2));
AesCcmSetKey(&enc, k, sizeof(k), iv, sizeof(iv)); AesCcmSetKey(&enc, k, sizeof(k));
/* AES-CCM encrypt and decrypt both use AES encrypt internally */ /* AES-CCM encrypt and decrypt both use AES encrypt internally */
AesCcmEncrypt(&enc, c2, p, sizeof(c2), t2, sizeof(t2), a, sizeof(a)); AesCcmEncrypt(&enc, c2, p, sizeof(c2), iv, sizeof(iv),
t2, sizeof(t2), a, sizeof(a));
if (memcmp(c, c2, sizeof(c2))) if (memcmp(c, c2, sizeof(c2)))
return -107; return -107;
if (memcmp(t, t2, sizeof(t2))) if (memcmp(t, t2, sizeof(t2)))
return -108; return -108;
result = AesCcmDecrypt(&enc, result = AesCcmDecrypt(&enc, p2, c2, sizeof(p2), iv, sizeof(iv),
p2, c2, sizeof(p2), t2, sizeof(t2), a, sizeof(a)); t2, sizeof(t2), a, sizeof(a));
if (result != 0) if (result != 0)
return -109; return -109;
if (memcmp(p, p2, sizeof(p2))) if (memcmp(p, p2, sizeof(p2)))
return -110; return -110;
/* Test the authentication failure */
t2[0]++; /* Corrupt the authentication tag. */
result = AesCcmDecrypt(&enc, p2, c, sizeof(p2), iv, sizeof(iv),
t2, sizeof(t2), a, sizeof(a));
if (result == 0)
return -111;
/* Clear c2 to compare against p2. p2 should be set to zero in case of
* authentication fail. */
memset(c2, 0, sizeof(c2));
if (memcmp(p2, c2, sizeof(p2)))
return -112;
return 0; return 0;
} }
#endif /* HAVE_AESCCM */ #endif /* HAVE_AESCCM */

24
cyassl/ctaocrypt/aes.h
View File

@@ -76,9 +76,6 @@ typedef struct Aes {
ALIGN16 byte M0[256][AES_BLOCK_SIZE]; ALIGN16 byte M0[256][AES_BLOCK_SIZE];
#endif /* GCM_TABLE */ #endif /* GCM_TABLE */
#endif /* HAVE_AESGCM */ #endif /* HAVE_AESGCM */
#ifdef HAVE_AESCCM
word32 lenSz;
#endif
#ifdef CYASSL_AESNI #ifdef CYASSL_AESNI
byte use_aesni; byte use_aesni;
#endif /* CYASSL_AESNI */ #endif /* CYASSL_AESNI */
@@ -96,27 +93,26 @@ CYASSL_API void AesDecryptDirect(Aes* aes, byte* out, const byte* in);
CYASSL_API int AesSetKeyDirect(Aes* aes, const byte* key, word32 len, CYASSL_API int AesSetKeyDirect(Aes* aes, const byte* key, word32 len,
const byte* iv, int dir); const byte* iv, int dir);
#ifdef HAVE_AESGCM #ifdef HAVE_AESGCM
CYASSL_API void AesGcmSetKey(Aes* aes, const byte* key, word32 len, CYASSL_API void AesGcmSetKey(Aes* aes, const byte* key, word32 len);
const byte* implicitIV);
CYASSL_API void AesGcmSetExpIV(Aes* aes, const byte* iv);
CYASSL_API void AesGcmGetExpIV(Aes* aes, byte* iv);
CYASSL_API void AesGcmIncExpIV(Aes* aes);
CYASSL_API void AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, CYASSL_API void AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
const byte* iv, word32 ivSz,
byte* authTag, word32 authTagSz, byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz); const byte* authIn, word32 authInSz);
CYASSL_API int AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, CYASSL_API int AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
const byte* iv, word32 ivSz,
const byte* authTag, word32 authTagSz, const byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz); const byte* authIn, word32 authInSz);
#endif /* HAVE_AESGCM */ #endif /* HAVE_AESGCM */
#ifdef HAVE_AESCCM #ifdef HAVE_AESCCM
CYASSL_API void AesCcmSetKey(Aes* aes, const byte* key, word32 keySz, CYASSL_API void AesCcmSetKey(Aes* aes, const byte* key, word32 keySz);
const byte* implicitIV, word32 ivSz);
CYASSL_API void AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz, CYASSL_API void AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
byte* authTag, word32 authTagSz, const byte* nonce, word32 nonceSz,
const byte* authIn, word32 authInSz); byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz);
CYASSL_API int AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz, CYASSL_API int AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
const byte* authTag, word32 authTagSz, const byte* nonce, word32 nonceSz,
const byte* authIn, word32 authInSz); const byte* authTag, word32 authTagSz,
const byte* authIn, word32 authInSz);
#endif /* HAVE_AESCCM */ #endif /* HAVE_AESCCM */

29
cyassl/internal.h
View File

@@ -162,6 +162,10 @@ void c32to24(word32 in, word24 out);
#define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
#endif #endif
#if defined (HAVE_AESCCM)
#define BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256
#define BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384
#endif
#endif #endif
#if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS)
@@ -284,6 +288,10 @@ void c32to24(word32 in, word24 out);
#define AES_BLOCK_SIZE 16 #define AES_BLOCK_SIZE 16
#endif #endif
#if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
#define HAVE_AEAD
#endif
/* actual cipher values, 2nd byte */ /* actual cipher values, 2nd byte */
enum { enum {
@@ -353,7 +361,14 @@ enum {
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0x2f, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0x2f,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0x30, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0x30,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0x31, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0x31,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0x32 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0x32,
/* AES-CCM, first byte is 0xC0 but isn't ECC,
* also, in some of the other AES-CCM suites
* there will be second byte number conflicts
* with non-ECC AES-GCM */
TLS_RSA_WITH_AES_128_CCM_8_SHA256 = 0xa0,
TLS_RSA_WITH_AES_256_CCM_8_SHA384 = 0xa1
}; };
@@ -459,9 +474,6 @@ enum Misc {
AES_256_KEY_SIZE = 32, /* for 256 bit */ AES_256_KEY_SIZE = 32, /* for 256 bit */
AES_192_KEY_SIZE = 24, /* for 192 bit */ AES_192_KEY_SIZE = 24, /* for 192 bit */
AES_IV_SIZE = 16, /* always block size */ AES_IV_SIZE = 16, /* always block size */
AES_GCM_IMP_IV_SZ = 4, /* Implicit part of IV */
AES_GCM_EXP_IV_SZ = 8, /* Explicit part of IV */
AES_GCM_CTR_IV_SZ = 4, /* Counter part of IV */
AES_128_KEY_SIZE = 16, /* for 128 bit */ AES_128_KEY_SIZE = 16, /* for 128 bit */
AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */ AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */
@@ -471,6 +483,9 @@ enum Misc {
AEAD_LEN_OFFSET = 11, /* Auth Data: Length */ AEAD_LEN_OFFSET = 11, /* Auth Data: Length */
AEAD_AUTH_TAG_SZ = 16, /* Size of the authentication tag */ AEAD_AUTH_TAG_SZ = 16, /* Size of the authentication tag */
AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */ AEAD_AUTH_DATA_SZ = 13, /* Size of the data to authenticate */
AEAD_IMP_IV_SZ = 4, /* Size of the implicit IV */
AEAD_EXP_IV_SZ = 8, /* Size of the explicit IV */
AEAD_NONCE_SZ = AEAD_EXP_IV_SZ + AEAD_IMP_IV_SZ,
HC_128_KEY_SIZE = 16, /* 128 bits */ HC_128_KEY_SIZE = 16, /* 128 bits */
HC_128_IV_SIZE = 16, /* also 128 bits */ HC_128_IV_SIZE = 16, /* also 128 bits */
@@ -965,6 +980,7 @@ enum BulkCipherAlgorithm {
idea, idea,
aes, aes,
aes_gcm, aes_gcm,
aes_ccm,
hc128, /* CyaSSL extensions */ hc128, /* CyaSSL extensions */
rabbit rabbit
}; };
@@ -1046,6 +1062,11 @@ typedef struct Keys {
byte server_write_key[AES_256_KEY_SIZE]; byte server_write_key[AES_256_KEY_SIZE];
byte client_write_IV[AES_IV_SIZE]; /* max sizes */ byte client_write_IV[AES_IV_SIZE]; /* max sizes */
byte server_write_IV[AES_IV_SIZE]; byte server_write_IV[AES_IV_SIZE];
#ifdef HAVE_AEAD
byte aead_exp_IV[AEAD_EXP_IV_SZ];
byte aead_enc_imp_IV[AEAD_IMP_IV_SZ];
byte aead_dec_imp_IV[AEAD_IMP_IV_SZ];
#endif
word32 peer_sequence_number; word32 peer_sequence_number;
word32 sequence_number; word32 sequence_number;

163
src/internal.c
View File

@@ -767,6 +767,20 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK,
} }
#endif #endif
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256
if (tls1_2 && haveRSA) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8_SHA256;
}
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384
if (tls1_2 && haveRSA) {
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8_SHA384;
}
#endif
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
if (tls1_2 && haveDH && haveRSA) { if (tls1_2 && haveDH && haveRSA) {
suites->suites[idx++] = 0; suites->suites[idx++] = 0;
@@ -2930,6 +2944,17 @@ static INLINE word32 GetSEQIncrement(CYASSL* ssl, int verify)
} }
#ifdef HAVE_AEAD
static INLINE void AeadIncrementExpIV(CYASSL* ssl)
{
int i;
for (i = AEAD_EXP_IV_SZ-1; i >= 0; i--) {
if (++ssl->keys.aead_exp_IV[i]) return;
}
}
#endif
static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz) static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
{ {
(void)out; (void)out;
@@ -2976,6 +3001,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
case aes_gcm: case aes_gcm:
{ {
byte additional[AES_BLOCK_SIZE]; byte additional[AES_BLOCK_SIZE];
byte nonce[AEAD_NONCE_SZ];
XMEMSET(additional, 0, AES_BLOCK_SIZE); XMEMSET(additional, 0, AES_BLOCK_SIZE);
@@ -2989,14 +3015,56 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word32 sz)
/* Store the length of the plain text minus the explicit /* Store the length of the plain text minus the explicit
* IV length minus the authentication tag size. */ * IV length minus the authentication tag size. */
c16toa(sz - AES_GCM_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, c16toa(sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ,
additional + AEAD_LEN_OFFSET); additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce,
ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ,
ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
AesGcmEncrypt(ssl->encrypt.aes, AesGcmEncrypt(ssl->encrypt.aes,
out + AES_GCM_EXP_IV_SZ, input + AES_GCM_EXP_IV_SZ, out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ,
sz - AES_GCM_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ,
nonce, AEAD_NONCE_SZ,
out + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ, out + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ,
additional, AEAD_AUTH_DATA_SZ); additional, AEAD_AUTH_DATA_SZ);
AesGcmIncExpIV(ssl->encrypt.aes); AeadIncrementExpIV(ssl);
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
}
break;
#endif
#ifdef HAVE_AESCCM
case aes_ccm:
{
byte additional[AES_BLOCK_SIZE];
byte nonce[AEAD_NONCE_SZ];
XMEMSET(additional, 0, AES_BLOCK_SIZE);
/* sequence number field is 64-bits, we only use 32-bits */
c32toa(GetSEQIncrement(ssl, 0),
additional + AEAD_SEQ_OFFSET);
/* Store the type, version. Unfortunately, they are in
* the input buffer ahead of the plaintext. */
XMEMCPY(additional + AEAD_TYPE_OFFSET, input - 5, 3);
/* Store the length of the plain text minus the explicit
* IV length minus the authentication tag size. */
c16toa(sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ,
additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce,
ssl->keys.aead_enc_imp_IV, AEAD_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ,
ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
AesCcmEncrypt(ssl->encrypt.aes,
out + AEAD_EXP_IV_SZ, input + AEAD_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ,
nonce, AEAD_NONCE_SZ,
out + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ,
additional, AEAD_AUTH_DATA_SZ);
AeadIncrementExpIV(ssl);
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
} }
break; break;
#endif #endif
@@ -3089,8 +3157,8 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input,
case aes_gcm: case aes_gcm:
{ {
byte additional[AES_BLOCK_SIZE]; byte additional[AES_BLOCK_SIZE];
byte nonce[AEAD_NONCE_SZ];
AesGcmSetExpIV(ssl->decrypt.aes, input);
XMEMSET(additional, 0, AES_BLOCK_SIZE); XMEMSET(additional, 0, AES_BLOCK_SIZE);
/* sequence number field is 64-bits, we only use 32-bits */ /* sequence number field is 64-bits, we only use 32-bits */
@@ -3100,17 +3168,58 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input,
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
c16toa(sz - AES_GCM_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, c16toa(sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ,
additional + AEAD_LEN_OFFSET); additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
if (AesGcmDecrypt(ssl->decrypt.aes, if (AesGcmDecrypt(ssl->decrypt.aes,
plain + AES_GCM_EXP_IV_SZ, plain + AEAD_EXP_IV_SZ,
input + AES_GCM_EXP_IV_SZ, input + AEAD_EXP_IV_SZ,
sz - AES_GCM_EXP_IV_SZ - AEAD_AUTH_TAG_SZ, sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ,
nonce, AEAD_NONCE_SZ,
input + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ, input + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ,
additional, AEAD_AUTH_DATA_SZ) < 0) { additional, AEAD_AUTH_DATA_SZ) < 0) {
SendAlert(ssl, alert_fatal, bad_record_mac); SendAlert(ssl, alert_fatal, bad_record_mac);
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
return VERIFY_MAC_ERROR; return VERIFY_MAC_ERROR;
} }
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
break;
}
#endif
#ifdef HAVE_AESCCM
case aes_ccm:
{
byte additional[AES_BLOCK_SIZE];
byte nonce[AEAD_NONCE_SZ];
XMEMSET(additional, 0, AES_BLOCK_SIZE);
/* sequence number field is 64-bits, we only use 32-bits */
c32toa(GetSEQIncrement(ssl, 1), additional + AEAD_SEQ_OFFSET);
additional[AEAD_TYPE_OFFSET] = ssl->curRL.type;
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
c16toa(sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ,
additional + AEAD_LEN_OFFSET);
XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AEAD_IMP_IV_SZ);
XMEMCPY(nonce + AEAD_IMP_IV_SZ, input, AEAD_EXP_IV_SZ);
if (AesCcmDecrypt(ssl->decrypt.aes,
plain + AEAD_EXP_IV_SZ,
input + AEAD_EXP_IV_SZ,
sz - AEAD_EXP_IV_SZ - AEAD_AUTH_TAG_SZ,
nonce, AEAD_NONCE_SZ,
input + sz - AEAD_AUTH_TAG_SZ, AEAD_AUTH_TAG_SZ,
additional, AEAD_AUTH_DATA_SZ) < 0) {
/* XXX HERE!@ */
SendAlert(ssl, alert_fatal, bad_record_mac);
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
return VERIFY_MAC_ERROR;
}
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
break; break;
} }
#endif #endif
@@ -3195,7 +3304,7 @@ static int DecryptMessage(CYASSL* ssl, byte* input, word32 sz, word32* idx)
if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
*idx += ssl->specs.block_size; /* go past TLSv1.1 IV */ *idx += ssl->specs.block_size; /* go past TLSv1.1 IV */
if (ssl->specs.cipher_type == aead) if (ssl->specs.cipher_type == aead)
*idx += AES_GCM_EXP_IV_SZ; *idx += AEAD_EXP_IV_SZ;
} }
return decryptResult; return decryptResult;
@@ -3507,7 +3616,7 @@ int DoApplicationData(CYASSL* ssl, byte* input, word32* inOutIdx)
} }
} }
else if (ssl->specs.cipher_type == aead) { else if (ssl->specs.cipher_type == aead) {
ivExtra = AES_GCM_EXP_IV_SZ; ivExtra = AEAD_EXP_IV_SZ;
digestSz = AEAD_AUTH_TAG_SZ; digestSz = AEAD_AUTH_TAG_SZ;
} }
@@ -4145,11 +4254,11 @@ static int BuildMessage(CYASSL* ssl, byte* output, const byte* input, int inSz,
sz += pad; sz += pad;
} }
#ifdef BUILD_AESGCM #ifdef HAVE_AEAD
if (ssl->specs.cipher_type == aead) { if (ssl->specs.cipher_type == aead) {
ivSz = AES_GCM_EXP_IV_SZ; ivSz = AEAD_EXP_IV_SZ;
sz += (ivSz + 16 - digestSz); sz += (ivSz + 16 - digestSz);
AesGcmGetExpIV(ssl->encrypt.aes, iv); XMEMCPY(iv, ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
} }
#endif #endif
size = (word16)(sz - headerSz); /* include mac and digest */ size = (word16)(sz - headerSz); /* include mac and digest */
@@ -5059,6 +5168,14 @@ const char* const cipher_names[] =
"NTRU-AES256-SHA", "NTRU-AES256-SHA",
#endif #endif
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256
"AES128-CCM-8-SHA256",
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384
"AES256-CCM-8-SHA384",
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
"ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
#endif #endif
@@ -5279,6 +5396,14 @@ int cipher_name_idx[] =
TLS_NTRU_RSA_WITH_AES_256_CBC_SHA, TLS_NTRU_RSA_WITH_AES_256_CBC_SHA,
#endif #endif
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256
TLS_RSA_WITH_AES_128_CCM_8_SHA256,
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384
TLS_RSA_WITH_AES_256_CCM_8_SHA384,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
#endif #endif
@@ -5451,7 +5576,7 @@ int SetCipherList(Suites* s, const char* list)
for (i = 0; i < suiteSz; i++) for (i = 0; i < suiteSz; i++)
if (XSTRNCMP(name, cipher_names[i], sizeof(name)) == 0) { if (XSTRNCMP(name, cipher_names[i], sizeof(name)) == 0) {
if (XSTRSTR(name, "EC")) if (XSTRSTR(name, "EC") || XSTRSTR(name, "CCM"))
s->suites[idx++] = ECC_BYTE; /* ECC suite */ s->suites[idx++] = ECC_BYTE; /* ECC suite */
else else
s->suites[idx++] = 0x00; /* normal */ s->suites[idx++] = 0x00; /* normal */
@@ -7268,6 +7393,14 @@ int SetCipherList(Suites* s, const char* list)
return 1; return 1;
break; break;
case TLS_RSA_WITH_AES_128_CCM_8_SHA256 :
case TLS_RSA_WITH_AES_256_CCM_8_SHA384 :
if (requirement == REQUIRES_RSA)
return 1;
if (requirement == REQUIRES_RSA_SIG)
return 1;
break;
default: default:
CYASSL_MSG("Unsupported cipher suite, CipherRequires ECC"); CYASSL_MSG("Unsupported cipher suite, CipherRequires ECC");
return 0; return 0;

130
src/keys.c
View File

@@ -37,12 +37,13 @@
int SetCipherSpecs(CYASSL* ssl) int SetCipherSpecs(CYASSL* ssl)
{ {
#ifdef HAVE_ECC /* ECC extensions, or AES-CCM */
/* ECC extensions */
if (ssl->options.cipherSuite0 == ECC_BYTE) { if (ssl->options.cipherSuite0 == ECC_BYTE) {
switch (ssl->options.cipherSuite) { switch (ssl->options.cipherSuite) {
#ifdef HAVE_ECC
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA : case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA :
ssl->specs.bulk_cipher_algorithm = aes; ssl->specs.bulk_cipher_algorithm = aes;
@@ -327,7 +328,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -344,7 +345,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -361,7 +362,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -378,7 +379,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -395,7 +396,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 1; ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -412,7 +413,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 1; ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -429,7 +430,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 1; ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -446,17 +447,49 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 1; ssl->specs.static_ecdh = 1;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
#endif /* HAVE_ECC */
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8_SHA256
case TLS_RSA_WITH_AES_128_CCM_8_SHA256 :
ssl->specs.bulk_cipher_algorithm = aes_ccm;
ssl->specs.cipher_type = aead;
ssl->specs.mac_algorithm = sha256_mac;
ssl->specs.kea = rsa_kea;
ssl->specs.sig_algo = rsa_sa_algo;
ssl->specs.hash_size = SHA256_DIGEST_SIZE;
ssl->specs.pad_size = PAD_SHA;
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break;
#endif
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8_SHA384
case TLS_RSA_WITH_AES_256_CCM_8_SHA384 :
ssl->specs.bulk_cipher_algorithm = aes_ccm;
ssl->specs.cipher_type = aead;
ssl->specs.mac_algorithm = sha384_mac;
ssl->specs.kea = rsa_kea;
ssl->specs.sig_algo = rsa_sa_algo;
ssl->specs.hash_size = SHA384_DIGEST_SIZE;
ssl->specs.pad_size = PAD_SHA;
ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break;
#endif
default: default:
CYASSL_MSG("Unsupported cipher suite, SetCipherSpecs ECC"); CYASSL_MSG("Unsupported cipher suite, SetCipherSpecs ECC");
return UNSUPPORTED_SUITE; return UNSUPPORTED_SUITE;
} /* switch */ } /* switch */
} /* if */ } /* if */
#endif /* HAVE_ECC */
if (ssl->options.cipherSuite0 != ECC_BYTE) { /* normal suites */ if (ssl->options.cipherSuite0 != ECC_BYTE) { /* normal suites */
switch (ssl->options.cipherSuite) { switch (ssl->options.cipherSuite) {
@@ -881,7 +914,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -898,7 +931,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -915,7 +948,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_128_KEY_SIZE; ssl->specs.key_size = AES_128_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -932,7 +965,7 @@ int SetCipherSpecs(CYASSL* ssl)
ssl->specs.static_ecdh = 0; ssl->specs.static_ecdh = 0;
ssl->specs.key_size = AES_256_KEY_SIZE; ssl->specs.key_size = AES_256_KEY_SIZE;
ssl->specs.block_size = AES_BLOCK_SIZE; ssl->specs.block_size = AES_BLOCK_SIZE;
ssl->specs.iv_size = AES_GCM_IMP_IV_SZ; ssl->specs.iv_size = AEAD_IMP_IV_SZ;
break; break;
#endif #endif
@@ -1006,7 +1039,7 @@ static int SetPrefix(byte* sha_input, int idx)
static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
byte side, void* heap, RNG* rng) byte side, void* heap)
{ {
#ifdef BUILD_ARC4 #ifdef BUILD_ARC4
word32 sz = specs->key_size; word32 sz = specs->key_size;
@@ -1136,7 +1169,6 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#ifdef BUILD_AESGCM #ifdef BUILD_AESGCM
if (specs->bulk_cipher_algorithm == aes_gcm) { if (specs->bulk_cipher_algorithm == aes_gcm) {
byte iv[AES_GCM_EXP_IV_SZ];
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER); enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (enc->aes == NULL) if (enc->aes == NULL)
return MEMORY_E; return MEMORY_E;
@@ -1144,21 +1176,51 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
if (dec->aes == NULL) if (dec->aes == NULL)
return MEMORY_E; return MEMORY_E;
/* Initialize the AES-GCM explicit IV to a random number. */
RNG_GenerateBlock(rng, iv, sizeof(iv));
AesGcmSetExpIV(enc->aes, iv);
if (side == CLIENT_END) { if (side == CLIENT_END) {
AesGcmSetKey(enc->aes, keys->client_write_key, specs->key_size, AesGcmSetKey(enc->aes, keys->client_write_key, specs->key_size);
keys->client_write_IV); XMEMCPY(keys->aead_enc_imp_IV,
AesGcmSetKey(dec->aes, keys->server_write_key, specs->key_size, keys->client_write_IV, AEAD_IMP_IV_SZ);
keys->server_write_IV); AesGcmSetKey(dec->aes, keys->server_write_key, specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV,
keys->server_write_IV, AEAD_IMP_IV_SZ);
} }
else { else {
AesGcmSetKey(enc->aes, keys->server_write_key, specs->key_size, AesGcmSetKey(enc->aes, keys->server_write_key, specs->key_size);
keys->server_write_IV); XMEMCPY(keys->aead_enc_imp_IV,
AesGcmSetKey(dec->aes, keys->client_write_key, specs->key_size, keys->server_write_IV, AEAD_IMP_IV_SZ);
keys->client_write_IV); AesGcmSetKey(dec->aes, keys->client_write_key, specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV,
keys->client_write_IV, AEAD_IMP_IV_SZ);
}
enc->setup = 1;
dec->setup = 1;
}
#endif
#ifdef HAVE_AESCCM
if (specs->bulk_cipher_algorithm == aes_ccm) {
enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (enc->aes == NULL)
return MEMORY_E;
dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
if (dec->aes == NULL)
return MEMORY_E;
if (side == CLIENT_END) {
AesCcmSetKey(enc->aes, keys->client_write_key, specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV,
keys->client_write_IV, AEAD_IMP_IV_SZ);
AesCcmSetKey(dec->aes, keys->server_write_key, specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV,
keys->server_write_IV, AEAD_IMP_IV_SZ);
}
else {
AesCcmSetKey(enc->aes, keys->server_write_key, specs->key_size);
XMEMCPY(keys->aead_enc_imp_IV,
keys->server_write_IV, AEAD_IMP_IV_SZ);
AesCcmSetKey(dec->aes, keys->client_write_key, specs->key_size);
XMEMCPY(keys->aead_dec_imp_IV,
keys->client_write_IV, AEAD_IMP_IV_SZ);
} }
enc->setup = 1; enc->setup = 1;
dec->setup = 1; dec->setup = 1;
@@ -1175,7 +1237,6 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
keys->sequence_number = 0; keys->sequence_number = 0;
keys->peer_sequence_number = 0; keys->peer_sequence_number = 0;
keys->encryptionOn = 0; keys->encryptionOn = 0;
(void)rng;
(void)side; (void)side;
(void)heap; (void)heap;
(void)enc; (void)enc;
@@ -1209,8 +1270,15 @@ int StoreKeys(CYASSL* ssl, const byte* keyData)
i += sz; i += sz;
XMEMCPY(ssl->keys.server_write_IV, &keyData[i], sz); XMEMCPY(ssl->keys.server_write_IV, &keyData[i], sz);
#ifdef HAVE_AEAD
if (ssl->specs.cipher_type == aead) {
/* Initialize the AES-GCM explicit IV to a random number. */
RNG_GenerateBlock(ssl->rng, ssl->keys.aead_exp_IV, AEAD_EXP_IV_SZ);
}
#endif
return SetKeys(&ssl->encrypt, &ssl->decrypt, &ssl->keys, &ssl->specs, return SetKeys(&ssl->encrypt, &ssl->decrypt, &ssl->keys, &ssl->specs,
ssl->options.side, ssl->heap, ssl->rng); ssl->options.side, ssl->heap);
} }
#ifndef NO_OLD_TLS #ifndef NO_OLD_TLS

5
src/ssl.c
View File

@@ -5430,6 +5430,11 @@ int CyaSSL_set_compression(CYASSL* ssl)
case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 : case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 :
return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
case TLS_RSA_WITH_AES_128_CCM_8_SHA256 :
return "TLS_RSA_WITH_AES_128_CCM_8_SHA256";
case TLS_RSA_WITH_AES_256_CCM_8_SHA384 :
return "TLS_RSA_WITH_AES_256_CCM_8_SHA384";
default: default:
return "NONE"; return "NONE";
} }

1
tests/include.am
View File

@@ -27,6 +27,7 @@ EXTRA_DIST += tests/test.conf \
tests/test-aesgcm.conf \ tests/test-aesgcm.conf \
tests/test-aesgcm-ecc.conf \ tests/test-aesgcm-ecc.conf \
tests/test-aesgcm-openssl.conf \ tests/test-aesgcm-openssl.conf \
tests/test-aesccm.conf \
tests/test-dtls.conf \ tests/test-dtls.conf \
tests/test-rabbit.conf \ tests/test-rabbit.conf \
tests/test-null.conf \ tests/test-null.conf \

11
tests/suites.c
View File

@@ -370,6 +370,17 @@ int SuiteTest(void)
} }
#endif #endif
#if defined(HAVE_AESCCM)
/* add aesccm extra suites */
strcpy(argv0[1], "tests/test-aesccm.conf");
printf("starting aesccm extra cipher suite tests\n");
test_harness(&args);
if (args.return_code != 0) {
printf("error from script %d\n", args.return_code);
exit(EXIT_FAILURE);
}
#endif
#ifdef CYASSL_DTLS #ifdef CYASSL_DTLS
/* add dtls extra suites */ /* add dtls extra suites */
strcpy(argv0[1], "tests/test-dtls.conf"); strcpy(argv0[1], "tests/test-dtls.conf");

16
tests/test-aesccm.conf Normal file
View File

@@ -0,0 +1,16 @@
# server TLSv1.2 AES128-CCM-8-SHA256
-v 3
-l AES128-CCM-8-SHA256
# client TLSv1.2 AES128-CCM-8-SHA256
-v 3
-l AES128-CCM-8-SHA256
# server TLSv1.2 AES256-CCM-8-SHA384
-v 3
-l AES256-CCM-8-SHA384
# client TLSv1.2 AES256-CCM-8-SHA384
-v 3
-l AES256-CCM-8-SHA384