Merge branch 'truncated-hmac' into development
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 4e1d25a..1557d39 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -148,6 +148,10 @@
#define SSL_LEGACY_ALLOW_RENEGOTIATION 1
#define SSL_LEGACY_BREAK_HANDSHAKE 2
+#define SSL_TRUNC_HMAC_DISABLED 0
+#define SSL_TRUNC_HMAC_ENABLED 1
+#define SSL_TRUNCATED_HMAC_LEN 10 /* 80 bits, rfc 6066 section 7 */
+
/*
* Size of the input / output buffer.
* Note: the RFC defines the default size of SSL / TLS messages. If you
@@ -251,6 +255,8 @@
#define TLS_EXT_MAX_FRAGMENT_LENGTH 1
+#define TLS_EXT_TRUNCATED_HMAC 4
+
#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10
#define TLS_EXT_SUPPORTED_POINT_FORMATS 11
@@ -333,6 +339,7 @@
#endif /* POLARSSL_X509_PARSE_C */
unsigned char mfl_code; /*!< MaxFragmentLength negotiated by peer */
+ int trunc_hmac; /*!< flag for truncated hmac activation */
};
/*
@@ -540,6 +547,7 @@
int disable_renegotiation; /*!< enable/disable renegotiation */
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
+ int trunc_hmac; /*!< negotiate truncated hmac? */
#if defined(POLARSSL_DHM_C)
mpi dhm_P; /*!< prime modulus for DHM */
@@ -977,6 +985,19 @@
int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
/**
+ * \brief Activate negotiation of truncated HMAC (Client only)
+ * (Default: SSL_TRUNC_HMAC_ENABLED)
+ *
+ * \param ssl SSL context
+ * \param truncate Enable or disable (SSL_TRUNC_HMAC_ENABLED or
+ * SSL_TRUNC_HMAC_DISABLED)
+ *
+ * \return O if successful,
+ * POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side
+ */
+int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
+
+/**
* \brief Enable / Disable renegotiation support for connection when
* initiated by peer
* (Default: SSL_RENEGOTIATION_DISABLED)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index c89bf0c..877d6cd 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -293,6 +293,28 @@
*olen = 5;
}
+static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
+ unsigned char *buf, size_t *olen )
+{
+ unsigned char *p = buf;
+
+ if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
+ {
+ *olen = 0;
+ return;
+ }
+
+ SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
+
+ *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
+
+ *p++ = 0x00;
+ *p++ = 0x00;
+
+ *olen = 4;
+}
+
static int ssl_write_client_hello( ssl_context *ssl )
{
int ret;
@@ -463,6 +485,9 @@
ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
+ ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+ ext_len += olen;
+
SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
ext_len ) );
@@ -526,6 +551,7 @@
return( 0 );
}
+
static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -544,6 +570,23 @@
return( 0 );
}
+static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len )
+{
+ if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED ||
+ len != 0 )
+ {
+ return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+ }
+
+ ((void) buf);
+
+ ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
+
+ return( 0 );
+}
+
static int ssl_parse_server_hello( ssl_context *ssl )
{
uint32_t t;
@@ -771,6 +814,17 @@
break;
+ case TLS_EXT_TRUNCATED_HMAC:
+ SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
+
+ if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
+ ext + 4, ext_size ) ) != 0 )
+ {
+ return( ret );
+ }
+
+ break;
+
default:
SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
ext_id ) );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 3e18386..6cbc5f4 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -306,6 +306,23 @@
return( 0 );
}
+static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len )
+{
+ if( len != 0 )
+ {
+ SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+ return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
+
+ ((void) buf);
+
+ ssl->session_negotiate->trunc_hmac = SSL_TRUNC_HMAC_ENABLED;
+
+ return( 0 );
+}
+
#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
static int ssl_parse_client_hello_v2( ssl_context *ssl )
{
@@ -848,6 +865,14 @@
return( ret );
break;
+ case TLS_EXT_TRUNCATED_HMAC:
+ SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
+
+ ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
+
default:
SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
ext_id ) );
@@ -957,6 +982,29 @@
return( 0 );
}
+static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen )
+{
+ unsigned char *p = buf;
+
+ if( ssl->session_negotiate->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
+ {
+ *olen = 0;
+ return;
+ }
+
+ SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
+
+ *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
+
+ *p++ = 0x00;
+ *p++ = 0x00;
+
+ *olen = 4;
+}
+
static void ssl_write_renegotiation_ext( ssl_context *ssl,
unsigned char *buf,
size_t *olen )
@@ -1128,6 +1176,9 @@
ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
+ ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+ ext_len += olen;
+
SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f701a8a..b9fca44 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -475,6 +475,14 @@
}
transform->maclen = md_get_size( md_info );
+
+ /*
+ * If HMAC is to be truncated, we shall keep the leftmost bytes,
+ * (rfc 6066 page 13 or rfc 2104 section 4),
+ * so we only need to adjust the length here.
+ */
+ if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
+ transform->maclen = SSL_TRUNCATED_HMAC_LEN;
}
transform->keylen = cipher_info->key_length;
@@ -3141,6 +3149,16 @@
return( 0 );
}
+int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
+{
+ if( ssl->endpoint != SSL_IS_CLIENT )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+ ssl->trunc_hmac = truncate;
+
+ return( 0 );
+}
+
void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
{
ssl->disable_renegotiation = renegotiation;
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 56d0e91..ca4d7c7 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -58,6 +58,7 @@
#define DFL_MAX_VERSION -1
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
+#define DFL_TRUNC_HMAC 0
#define LONG_HEADER "User-agent: blah-blah-blah-blah-blah-blah-blah-blah-" \
"-01--blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-" \
@@ -94,6 +95,7 @@
int max_version; /* maximum protocol version accepted */
int auth_mode; /* verify mode for connection */
unsigned char mfl_code; /* code for maximum fragment length */
+ int trunc_hmac; /* negotiate truncated hmac or not */
} opt;
static void my_debug( void *ctx, int level, const char *str )
@@ -191,6 +193,7 @@
" options: none, optional, required\n" \
" max_frag_len=%%d default: 16384 (tls default)" \
" options: 512, 1024, 2048, 4096" \
+ " trunc_hmac=%%d default: 0 (disabled)\n" \
USAGE_PSK \
"\n" \
" force_ciphersuite=<name> default: all enabled\n"\
@@ -281,6 +284,7 @@
opt.max_version = DFL_MAX_VERSION;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
+ opt.trunc_hmac = DFL_TRUNC_HMAC;
for( i = 1; i < argc; i++ )
{
@@ -416,6 +420,12 @@
else
goto usage;
}
+ else if( strcmp( p, "trunc_hmac" ) == 0 )
+ {
+ opt.trunc_hmac = atoi( q );
+ if( opt.trunc_hmac < 0 || opt.trunc_hmac > 1 )
+ goto usage;
+ }
else
goto usage;
}
@@ -623,6 +633,9 @@
ssl_set_max_frag_len( &ssl, opt.mfl_code );
+ if( opt.trunc_hmac != 0 )
+ ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED );
+
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,