From 40afb4ba13be5cc8a2970bf421a5c6352bf75ca6 Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Fri, 19 Apr 2013 22:03:30 +0200 Subject: [PATCH] Added PSK GCM, SHA256 and SHA384 ciphers from RFC5487 --- include/polarssl/ssl_ciphersuites.h | 22 +++++ library/ssl_ciphersuites.c | 120 ++++++++++++++++++++++++++++ tests/compat.sh | 12 +++ 3 files changed, 154 insertions(+) diff --git a/include/polarssl/ssl_ciphersuites.h b/include/polarssl/ssl_ciphersuites.h index 18729cb23..88fc8705e 100644 --- a/include/polarssl/ssl_ciphersuites.h +++ b/include/polarssl/ssl_ciphersuites.h @@ -91,6 +91,28 @@ extern "C" { #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x9E #define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x9F +#define TLS_PSK_WITH_AES_128_GCM_SHA256 0xA8 /**< TLS 1.2 */ +#define TLS_PSK_WITH_AES_256_GCM_SHA384 0xA9 /**< TLS 1.2 */ +#define TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 0xAA /**< TLS 1.2 */ +#define TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 0xAB /**< TLS 1.2 */ +#define TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 0xAC /**< TLS 1.2 */ +#define TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 0xAD /**< TLS 1.2 */ + +#define TLS_PSK_WITH_AES_128_CBC_SHA256 0xAE /**< TLS 1.2 */ +#define TLS_PSK_WITH_AES_256_CBC_SHA384 0xAF /**< TLS 1.2 */ +#define TLS_PSK_WITH_NULL_SHA256 0xB0 /**< TLS 1.2 */ +#define TLS_PSK_WITH_NULL_SHA384 0xB1 /**< TLS 1.2 */ + +#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 0xB2 /**< TLS 1.2 */ +#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 0xB3 /**< TLS 1.2 */ +#define TLS_DHE_PSK_WITH_NULL_SHA256 0xB4 /**< TLS 1.2 */ +#define TLS_DHE_PSK_WITH_NULL_SHA384 0xB5 /**< TLS 1.2 */ + +#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 0xB6 /**< TLS 1.2 */ +#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 0xB7 /**< TLS 1.2 */ +#define TLS_RSA_PSK_WITH_NULL_SHA256 0xB8 /**< TLS 1.2 */ +#define TLS_RSA_PSK_WITH_NULL_SHA384 0xB9 /**< TLS 1.2 */ + #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBA /**< TLS 1.2 */ #define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE /**< TLS 1.2 */ diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 6f5bfff0b..347fe8085 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -71,8 +71,12 @@ static const int ciphersuite_preference[] = TLS_ECDHE_RSA_WITH_RC4_128_SHA, /* The PSK ephemeral suites */ + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, TLS_DHE_PSK_WITH_AES_256_CBC_SHA, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, TLS_DHE_PSK_WITH_AES_128_CBC_SHA, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, TLS_DHE_PSK_WITH_RC4_128_SHA, @@ -100,14 +104,22 @@ static const int ciphersuite_preference[] = TLS_RSA_WITH_RC4_128_MD5, /* The RSA PSK suites */ + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, TLS_RSA_PSK_WITH_AES_256_CBC_SHA, + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, TLS_RSA_PSK_WITH_AES_128_CBC_SHA, + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, TLS_RSA_PSK_WITH_RC4_128_SHA, /* The PSK suites */ + TLS_PSK_WITH_AES_256_CBC_SHA384, TLS_PSK_WITH_AES_256_CBC_SHA, + TLS_PSK_WITH_AES_256_GCM_SHA384, + TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_PSK_WITH_AES_128_CBC_SHA, + TLS_PSK_WITH_AES_128_GCM_SHA256, TLS_PSK_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_RC4_128_SHA, @@ -118,8 +130,14 @@ static const int ciphersuite_preference[] = TLS_RSA_WITH_NULL_SHA256, TLS_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_MD5, + TLS_PSK_WITH_NULL_SHA384, + TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA, + TLS_DHE_PSK_WITH_NULL_SHA384, + TLS_DHE_PSK_WITH_NULL_SHA256, TLS_DHE_PSK_WITH_NULL_SHA, + TLS_RSA_PSK_WITH_NULL_SHA384, + TLS_RSA_PSK_WITH_NULL_SHA256, TLS_RSA_PSK_WITH_NULL_SHA, 0 @@ -395,6 +413,40 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) #if defined(POLARSSL_AES_C) +#if defined(POLARSSL_GCM_C) +#if defined(POLARSSL_SHA2_C) + { TLS_PSK_WITH_AES_128_GCM_SHA256, "TLS-PSK-WITH-AES-128-GCM-SHA256", + POLARSSL_CIPHER_AES_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA2_C */ + +#if defined(POLARSSL_SHA4_C) + { TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384", + POLARSSL_CIPHER_AES_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA4_C */ +#endif /* POLARSSL_GCM_C */ + +#if defined(POLARSSL_SHA2_C) + { TLS_PSK_WITH_AES_128_CBC_SHA256, "TLS-PSK-WITH-AES-128-CBC-SHA256", + POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA2_C */ + +#if defined(POLARSSL_SHA4_C) + { TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384", + POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA4_C */ + { TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA", POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0, @@ -427,6 +479,40 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED) #if defined(POLARSSL_AES_C) +#if defined(POLARSSL_GCM_C) +#if defined(POLARSSL_SHA2_C) + { TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256", + POLARSSL_CIPHER_AES_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA2_C */ + +#if defined(POLARSSL_SHA4_C) + { TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384", + POLARSSL_CIPHER_AES_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_DHE_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA4_C */ +#endif /* POLARSSL_GCM_C */ + +#if defined(POLARSSL_SHA2_C) + { TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256", + POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_DHE_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA2_C */ + +#if defined(POLARSSL_SHA4_C) + { TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384", + POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_DHE_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA4_C */ + { TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA", POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_DHE_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0, @@ -459,6 +545,40 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) #if defined(POLARSSL_AES_C) +#if defined(POLARSSL_GCM_C) +#if defined(POLARSSL_SHA2_C) + { TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256", + POLARSSL_CIPHER_AES_128_GCM, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA2_C */ + +#if defined(POLARSSL_SHA4_C) + { TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384", + POLARSSL_CIPHER_AES_256_GCM, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_RSA_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA4_C */ +#endif /* POLARSSL_GCM_C */ + +#if defined(POLARSSL_SHA2_C) + { TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256", + POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA256, POLARSSL_KEY_EXCHANGE_RSA_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA2_C */ + +#if defined(POLARSSL_SHA4_C) + { TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384", + POLARSSL_CIPHER_AES_256_CBC, POLARSSL_MD_SHA384, POLARSSL_KEY_EXCHANGE_RSA_PSK, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3, + 0 }, +#endif /* POLARSSL_SHA4_C */ + { TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA", POLARSSL_CIPHER_AES_128_CBC, POLARSSL_MD_SHA1, POLARSSL_KEY_EXCHANGE_RSA_PSK, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0, diff --git a/tests/compat.sh b/tests/compat.sh index f805b9fcc..a17a34cfe 100644 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -194,6 +194,18 @@ then TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 \ TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \ + TLS-PSK-WITH-AES-128-CBC-SHA256 \ + TLS-PSK-WITH-AES-256-CBC-SHA384 \ + TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \ + TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ + TLS-PSK-WITH-AES-128-GCM-SHA256 \ + TLS-PSK-WITH-AES-256-GCM-SHA384 \ + TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \ + TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \ + TLS-PSK-WITH-NULL-SHA256 \ + TLS-PSK-WITH-NULL-SHA384 \ + TLS-DHE-PSK-WITH-NULL-SHA256 \ + TLS-DHE-PSK-WITH-NULL-SHA384 \ " fi