diff --git a/ChangeLog b/ChangeLog index 1b02751d3..a7e6288ee 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,8 +4,9 @@ mbed TLS ChangeLog (Sorted per branch, date) Features * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time - authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed by - Daniel King (#485). + authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed + by Daniel King (#485). + * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905. * Add platform support for the Haiku OS. (https://www.haiku-os.org). Contributed by Augustin Cavalier. * Make the receive and transmit buffers independent sizes, for situations diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index a783e6b73..c9b58dd53 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -81,7 +81,7 @@ * both ends of the connection! (See comments in "mbedtls/ssl.h".) * The optimal size here depends on the typical size of records. */ -#define MBEDTLS_SSL_MAX_CONTENT_LEN 512 +#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024 #include "mbedtls/check_config.h" diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 7d5eba091..cda8b4835 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -271,6 +271,15 @@ extern "C" { #define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 0xC0FF /**< experimental */ +/* RFC 7905 */ +#define MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA /**< TLS 1.2 */ +#define MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB /**< TLS 1.2 */ +#define MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC /**< TLS 1.2 */ +#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD /**< TLS 1.2 */ +#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE /**< TLS 1.2 */ + /* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange. * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below */ diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 2e9a0fd79..59cdc7a80 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -47,7 +47,7 @@ * 1. By key exchange: * Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK * 2. By key length and cipher: - * AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128 > 3DES + * ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128 > 3DES * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8 * 4. By hash function used when relevant * 5. By key exchange/auth again: EC > non-EC @@ -57,6 +57,11 @@ static const int ciphersuite_preference[] = #if defined(MBEDTLS_SSL_CIPHERSUITES) MBEDTLS_SSL_CIPHERSUITES, #else + /* Chacha-Poly ephemeral suites */ + MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + /* All AES-256 ephemeral suites */ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, @@ -127,6 +132,8 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* The PSK ephemeral suites */ + MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, + MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, @@ -227,6 +234,7 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, /* The RSA PSK suites */ + MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, @@ -246,6 +254,7 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, /* The PSK suites */ + MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_PSK_WITH_AES_256_CCM, MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, @@ -312,6 +321,75 @@ static const int ciphersuite_preference[] = static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = { +#if defined(MBEDTLS_CHACHAPOLY_C) && \ + defined(MBEDTLS_SHA256_C) && \ + defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) + { MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256", + MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) + { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256", + MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) + { MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256", + MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_DHE_RSA, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) + { MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256, + "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256", + MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) + { MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, + "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256", + MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) + { MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256, + "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256", + MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_DHE_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) + { MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256, + "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256", + MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256, + MBEDTLS_KEY_EXCHANGE_RSA_PSK, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, + 0 }, +#endif +#endif /* MBEDTLS_CHACHAPOLY_C && + MBEDTLS_SHA256_C && + MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) #if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_SHA1_C) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 12a20180d..1c35f0dec 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -698,18 +698,32 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) transform->keylen = cipher_info->key_bitlen / 8; if( cipher_info->mode == MBEDTLS_MODE_GCM || - cipher_info->mode == MBEDTLS_MODE_CCM ) + cipher_info->mode == MBEDTLS_MODE_CCM || + cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY ) { + size_t taglen, explicit_ivlen; + transform->maclen = 0; mac_key_len = 0; + /* All modes haves 96-bit IVs; + * GCM and CCM has 4 implicit and 8 explicit bytes + * ChachaPoly has all 12 bytes implicit + */ transform->ivlen = 12; - transform->fixed_ivlen = 4; + if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY ) + transform->fixed_ivlen = 12; + else + transform->fixed_ivlen = 4; - /* Minimum length is expicit IV + tag */ - transform->minlen = transform->ivlen - transform->fixed_ivlen - + ( transform->ciphersuite_info->flags & - MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 ); + /* All modes have 128-bit tags, except CCM_8 (ciphersuite flag) */ + taglen = transform->ciphersuite_info->flags & + MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; + + + /* Minimum length of encrypted record */ + explicit_ivlen = transform->ivlen - transform->fixed_ivlen; + transform->minlen = explicit_ivlen + taglen; } else { @@ -1407,17 +1421,26 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ -#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) +#if defined(MBEDTLS_GCM_C) || \ + defined(MBEDTLS_CCM_C) || \ + defined(MBEDTLS_CHACHAPOLY_C) if( mode == MBEDTLS_MODE_GCM || - mode == MBEDTLS_MODE_CCM ) + mode == MBEDTLS_MODE_CCM || + mode == MBEDTLS_MODE_CHACHAPOLY ) { int ret; size_t enc_msglen, olen; unsigned char *enc_msg; unsigned char add_data[13]; - unsigned char taglen = ssl->transform_out->ciphersuite_info->flags & + unsigned char iv[12]; + mbedtls_ssl_transform *transform = ssl->transform_out; + unsigned char taglen = transform->ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; + size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen; + /* + * Prepare additional authenticated data + */ memcpy( add_data, ssl->out_ctr, 8 ); add_data[8] = ssl->out_msgtype; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, @@ -1425,44 +1448,57 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF; add_data[12] = ssl->out_msglen & 0xFF; - MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", - add_data, 13 ); + MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 ); /* * Generate IV */ - if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 ) + if( transform->ivlen == 12 && transform->fixed_ivlen == 4 ) + { + /* GCM and CCM: fixed || explicit (=seqnum) */ + memcpy( iv, transform->iv_enc, transform->fixed_ivlen ); + memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 ); + memcpy( ssl->out_iv, ssl->out_ctr, 8 ); + + } + else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 ) + { + /* ChachaPoly: fixed XOR sequence number */ + unsigned char i; + + memcpy( iv, transform->iv_enc, transform->fixed_ivlen ); + + for( i = 0; i < 8; i++ ) + iv[i+4] ^= ssl->out_ctr[i]; + } + else { /* Reminder if we ever add an AEAD mode with a different size */ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, - ssl->out_ctr, 8 ); - memcpy( ssl->out_iv, ssl->out_ctr, 8 ); - - MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv, - ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)", + iv, transform->ivlen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)", + ssl->out_iv, explicit_ivlen ); /* - * Fix pointer positions and message length with added IV + * Fix message length with added IV */ enc_msg = ssl->out_msg; enc_msglen = ssl->out_msglen; - ssl->out_msglen += ssl->transform_out->ivlen - - ssl->transform_out->fixed_ivlen; + ssl->out_msglen += explicit_ivlen; MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " - "including %d bytes of padding", - ssl->out_msglen, 0 ) ); + "including 0 bytes of padding", + ssl->out_msglen ) ); /* * Encrypt and authenticate */ - if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc, - ssl->transform_out->iv_enc, - ssl->transform_out->ivlen, + if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc, + iv, transform->ivlen, add_data, 13, enc_msg, enc_msglen, enc_msg, &olen, @@ -1622,7 +1658,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) { - size_t i; mbedtls_cipher_mode_t mode; int auth_done = 0; #if defined(SSL_SOME_MODES_USE_MAC) @@ -1672,20 +1707,27 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ -#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) +#if defined(MBEDTLS_GCM_C) || \ + defined(MBEDTLS_CCM_C) || \ + defined(MBEDTLS_CHACHAPOLY_C) if( mode == MBEDTLS_MODE_GCM || - mode == MBEDTLS_MODE_CCM ) + mode == MBEDTLS_MODE_CCM || + mode == MBEDTLS_MODE_CHACHAPOLY ) { int ret; size_t dec_msglen, olen; unsigned char *dec_msg; unsigned char *dec_msg_result; unsigned char add_data[13]; - unsigned char taglen = ssl->transform_in->ciphersuite_info->flags & + unsigned char iv[12]; + mbedtls_ssl_transform *transform = ssl->transform_in; + unsigned char taglen = transform->ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; - size_t explicit_iv_len = ssl->transform_in->ivlen - - ssl->transform_in->fixed_ivlen; + size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen; + /* + * Compute and update sizes + */ if( ssl->in_msglen < explicit_iv_len + taglen ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) " @@ -1699,6 +1741,9 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) dec_msg_result = ssl->in_msg; ssl->in_msglen = dec_msglen; + /* + * Prepare additional authenticated data + */ memcpy( add_data, ssl->in_ctr, 8 ); add_data[8] = ssl->in_msgtype; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, @@ -1706,23 +1751,43 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF; add_data[12] = ssl->in_msglen & 0xFF; - MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", - add_data, 13 ); + MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 ); - memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen, - ssl->in_iv, - ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen ); + /* + * Prepare IV + */ + if( transform->ivlen == 12 && transform->fixed_ivlen == 4 ) + { + /* GCM and CCM: fixed || explicit (transmitted) */ + memcpy( iv, transform->iv_dec, transform->fixed_ivlen ); + memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 ); - MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec, - ssl->transform_in->ivlen ); + } + else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 ) + { + /* ChachaPoly: fixed XOR sequence number */ + unsigned char i; + + memcpy( iv, transform->iv_dec, transform->fixed_ivlen ); + + for( i = 0; i < 8; i++ ) + iv[i+4] ^= ssl->in_ctr[i]; + } + else + { + /* Reminder if we ever add an AEAD mode with a different size */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen ); MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen ); /* * Decrypt and authenticate */ if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec, - ssl->transform_in->iv_dec, - ssl->transform_in->ivlen, + iv, transform->ivlen, add_data, 13, dec_msg, dec_msglen, dec_msg_result, &olen, @@ -1840,6 +1905,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) */ if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) { + unsigned char i; dec_msglen -= ssl->transform_in->ivlen; ssl->in_msglen -= ssl->transform_in->ivlen; @@ -1914,6 +1980,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) */ size_t pad_count = 0, real_count = 1; size_t padding_idx = ssl->in_msglen - padlen - 1; + size_t i; /* * Padding is guaranteed to be incorrect if: @@ -2090,6 +2157,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) else #endif { + unsigned char i; for( i = 8; i > ssl_ep_len( ssl ); i-- ) if( ++ssl->in_ctr[i - 1] != 0 ) break; diff --git a/tests/compat.sh b/tests/compat.sh index d383cb478..bf65e5e61 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -42,6 +42,9 @@ if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then PEER_GNUTLS="" else PEER_GNUTLS=" GnuTLS" + if [ $MINOR -lt 4 ]; then + GNUTLS_MINOR_LT_FOUR='x' + fi fi fi else @@ -58,7 +61,8 @@ FILTER="" # - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL) # - ARIA: not in default config.h + requires OpenSSL >= 1.1.1 -EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA' +# - ChachaPoly: requires OpenSSL >= 1.1.0 +EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305' VERBOSE="" MEMCHECK=0 PEERS="OpenSSL$PEER_GNUTLS mbedTLS" @@ -437,6 +441,9 @@ add_common_ciphersuites() # NOTE: for some reason RSA-PSK doesn't work with OpenSSL, # so RSA-PSK ciphersuites need to go in other sections, see # https://github.com/ARMmbed/mbedtls/issues/1419 +# +# ChachaPoly suites are here rather than in "common", as they were added in +# GnuTLS in 3.5.0 and the CI only has 3.4.x so far. add_openssl_ciphersuites() { case $TYPE in @@ -468,6 +475,7 @@ add_openssl_ciphersuites() TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \ TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \ TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \ " O_CIPHERS="$O_CIPHERS \ ECDH-ECDSA-AES128-SHA256 \ @@ -476,6 +484,7 @@ add_openssl_ciphersuites() ECDH-ECDSA-AES256-GCM-SHA384 \ ECDHE-ECDSA-ARIA256-GCM-SHA384 \ ECDHE-ECDSA-ARIA128-GCM-SHA256 \ + ECDHE-ECDSA-CHACHA20-POLY1305 \ " fi ;; @@ -498,6 +507,8 @@ add_openssl_ciphersuites() TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \ TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \ TLS-RSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ + TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ " O_CIPHERS="$O_CIPHERS \ ECDHE-ARIA256-GCM-SHA384 \ @@ -506,6 +517,8 @@ add_openssl_ciphersuites() ECDHE-ARIA128-GCM-SHA256 \ DHE-RSA-ARIA128-GCM-SHA256 \ ARIA128-GCM-SHA256 \ + DHE-RSA-CHACHA20-POLY1305 \ + ECDHE-RSA-CHACHA20-POLY1305 \ " fi ;; @@ -518,12 +531,18 @@ add_openssl_ciphersuites() TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \ TLS-PSK-WITH-ARIA-256-GCM-SHA384 \ TLS-PSK-WITH-ARIA-128-GCM-SHA256 \ + TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \ + TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ + TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ " O_CIPHERS="$O_CIPHERS \ DHE-PSK-ARIA256-GCM-SHA384 \ DHE-PSK-ARIA128-GCM-SHA256 \ PSK-ARIA256-GCM-SHA384 \ PSK-ARIA128-GCM-SHA256 \ + DHE-PSK-CHACHA20-POLY1305 \ + ECDHE-PSK-CHACHA20-POLY1305 \ + PSK-CHACHA20-POLY1305 \ " fi ;; @@ -545,12 +564,20 @@ add_gnutls_ciphersuites() TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \ TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \ TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \ + TLS-ECDHE-ECDSA-WITH-AES-128-CCM \ + TLS-ECDHE-ECDSA-WITH-AES-256-CCM \ + TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ + TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \ " G_CIPHERS="$G_CIPHERS \ +ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256 \ +ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384 \ +ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD \ +ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD \ + +ECDHE-ECDSA:+AES-128-CCM:+AEAD \ + +ECDHE-ECDSA:+AES-256-CCM:+AEAD \ + +ECDHE-ECDSA:+AES-128-CCM-8:+AEAD \ + +ECDHE-ECDSA:+AES-256-CCM-8:+AEAD \ " fi ;; @@ -580,6 +607,14 @@ add_gnutls_ciphersuites() TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ + TLS-RSA-WITH-AES-128-CCM \ + TLS-RSA-WITH-AES-256-CCM \ + TLS-DHE-RSA-WITH-AES-128-CCM \ + TLS-DHE-RSA-WITH-AES-256-CCM \ + TLS-RSA-WITH-AES-128-CCM-8 \ + TLS-RSA-WITH-AES-256-CCM-8 \ + TLS-DHE-RSA-WITH-AES-128-CCM-8 \ + TLS-DHE-RSA-WITH-AES-256-CCM-8 \ " G_CIPHERS="$G_CIPHERS \ +ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256 \ @@ -594,6 +629,14 @@ add_gnutls_ciphersuites() +DHE-RSA:+CAMELLIA-256-GCM:+AEAD \ +RSA:+CAMELLIA-128-GCM:+AEAD \ +RSA:+CAMELLIA-256-GCM:+AEAD \ + +RSA:+AES-128-CCM:+AEAD \ + +RSA:+AES-256-CCM:+AEAD \ + +RSA:+AES-128-CCM-8:+AEAD \ + +RSA:+AES-256-CCM-8:+AEAD \ + +DHE-RSA:+AES-128-CCM:+AEAD \ + +DHE-RSA:+AES-256-CCM:+AEAD \ + +DHE-RSA:+AES-128-CCM-8:+AEAD \ + +DHE-RSA:+AES-256-CCM-8:+AEAD \ " fi ;; @@ -665,6 +708,14 @@ add_gnutls_ciphersuites() TLS-PSK-WITH-AES-256-GCM-SHA384 \ TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \ TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \ + TLS-PSK-WITH-AES-128-CCM \ + TLS-PSK-WITH-AES-256-CCM \ + TLS-DHE-PSK-WITH-AES-128-CCM \ + TLS-DHE-PSK-WITH-AES-256-CCM \ + TLS-PSK-WITH-AES-128-CCM-8 \ + TLS-PSK-WITH-AES-256-CCM-8 \ + TLS-DHE-PSK-WITH-AES-128-CCM-8 \ + TLS-DHE-PSK-WITH-AES-256-CCM-8 \ TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ @@ -695,6 +746,14 @@ add_gnutls_ciphersuites() +PSK:+AES-256-GCM:+AEAD \ +DHE-PSK:+AES-128-GCM:+AEAD \ +DHE-PSK:+AES-256-GCM:+AEAD \ + +PSK:+AES-128-CCM:+AEAD \ + +PSK:+AES-256-CCM:+AEAD \ + +DHE-PSK:+AES-128-CCM:+AEAD \ + +DHE-PSK:+AES-256-CCM:+AEAD \ + +PSK:+AES-128-CCM-8:+AEAD \ + +PSK:+AES-256-CCM-8:+AEAD \ + +DHE-PSK:+AES-128-CCM-8:+AEAD \ + +DHE-PSK:+AES-256-CCM-8:+AEAD \ +RSA-PSK:+CAMELLIA-128-GCM:+AEAD \ +RSA-PSK:+CAMELLIA-256-GCM:+AEAD \ +PSK:+CAMELLIA-128-GCM:+AEAD \ @@ -737,10 +796,6 @@ add_mbedtls_ciphersuites() M_CIPHERS="$M_CIPHERS \ TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \ TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-ECDHE-ECDSA-WITH-AES-128-CCM \ - TLS-ECDHE-ECDSA-WITH-AES-256-CCM \ - TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ - TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \ TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \ TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \ TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \ @@ -755,14 +810,6 @@ add_mbedtls_ciphersuites() if [ `minor_ver "$MODE"` -ge 3 ] then M_CIPHERS="$M_CIPHERS \ - TLS-RSA-WITH-AES-128-CCM \ - TLS-RSA-WITH-AES-256-CCM \ - TLS-DHE-RSA-WITH-AES-128-CCM \ - TLS-DHE-RSA-WITH-AES-256-CCM \ - TLS-RSA-WITH-AES-128-CCM-8 \ - TLS-RSA-WITH-AES-256-CCM-8 \ - TLS-DHE-RSA-WITH-AES-128-CCM-8 \ - TLS-DHE-RSA-WITH-AES-256-CCM-8 \ TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \ TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \ TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \ @@ -789,14 +836,6 @@ add_mbedtls_ciphersuites() if [ `minor_ver "$MODE"` -ge 3 ] then M_CIPHERS="$M_CIPHERS \ - TLS-PSK-WITH-AES-128-CCM \ - TLS-PSK-WITH-AES-256-CCM \ - TLS-DHE-PSK-WITH-AES-128-CCM \ - TLS-DHE-PSK-WITH-AES-256-CCM \ - TLS-PSK-WITH-AES-128-CCM-8 \ - TLS-PSK-WITH-AES-256-CCM-8 \ - TLS-DHE-PSK-WITH-AES-128-CCM-8 \ - TLS-DHE-PSK-WITH-AES-256-CCM-8 \ TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \ TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \ TLS-PSK-WITH-ARIA-256-CBC-SHA384 \ @@ -807,6 +846,7 @@ add_mbedtls_ciphersuites() TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \ TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \ TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \ + TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \ " fi ;; @@ -842,10 +882,17 @@ setup_arguments() exit 1; esac + # GnuTLS < 3.4 will choke if we try to allow CCM-8 + if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then + G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:" + else + G_PRIO_CCM="" + fi + M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1" O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem" G_SERVER_ARGS="-p $PORT --http $G_MODE" - G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" + G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes if is_dtls "$MODE"; then diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1e1cf3597..82a8bddc6 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -565,8 +565,8 @@ if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' -msg "test: compat.sh ARIA" -if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA' +msg "test: compat.sh ARIA + ChachaPoly" +if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s cleanup diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9fc91c722..0f6153565 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -742,7 +742,7 @@ run_test "Default" \ "$P_CLI" \ 0 \ -s "Protocol is TLSv1.2" \ - -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ + -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \ -s "client hello v3, signature_algorithm ext: 6" \ -s "ECDHE curve: secp521r1" \ -S "error" \ @@ -753,20 +753,14 @@ run_test "Default, DTLS" \ "$P_CLI dtls=1" \ 0 \ -s "Protocol is DTLSv1.2" \ - -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" + -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" # Test current time in ServerHello requires_config_enabled MBEDTLS_HAVE_TIME -run_test "Default, ServerHello contains gmt_unix_time" \ +run_test "ServerHello contains gmt_unix_time" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ - -s "Protocol is TLSv1.2" \ - -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ - -s "client hello v3, signature_algorithm ext: 6" \ - -s "ECDHE curve: secp521r1" \ - -S "error" \ - -C "error" \ -f "check_server_hello_time" \ -F "check_server_hello_time"