authorlloyd <[email protected]>2014-12-31 14:30:32 +0000
committerlloyd <[email protected]>2014-12-31 14:30:32 +0000
commitde3fb4a8aa5957a37bae11d3662638f79551f826 (patch)
tree1a82d6b50bb7dd01a2d5e0bba772a980b0ba345f
parent205bbde9dc315562f11c16e15c1787d84f0d0185 (diff)
Add ChaCha20Poly1305 TLS ciphersuites compatible with Google's implementation
-rw-r--r--doc/manual/tls.rst19
-rw-r--r--doc/relnotes/1_11_12.rst3
-rw-r--r--src/lib/tls/tls_ciphersuite.cpp41
-rw-r--r--src/lib/tls/tls_ciphersuite.h11
-rw-r--r--src/lib/tls/tls_policy.cpp1
-rw-r--r--src/lib/tls/tls_record.cpp142
-rw-r--r--src/lib/tls/tls_record.h9
-rw-r--r--src/lib/tls/tls_session_key.cpp2
-rw-r--r--src/lib/tls/tls_suite_info.cpp11
-rwxr-xr-xsrc/scripts/tls_suite_info.py35
10 files changed, 149 insertions, 125 deletions
diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst
index c1d03c452..ac0f14fe2 100644
--- a/doc/manual/tls.rst
+++ b/doc/manual/tls.rst
@@ -512,9 +512,9 @@ be negotiated during a handshake.
authentication, sending data in cleartext) are also not supported
by the implementation and cannot be negotiated.
- Default value: "AES-256/GCM", "AES-128/GCM", "AES-256/CCM",
- "AES-128/CCM", "AES-256/CCM-8", "AES-128/CCM-8", "AES-256",
- "AES-128"
+ Default value: "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM",
+ "AES-256/CCM", "AES-128/CCM", "AES-256/CCM-8", "AES-128/CCM-8",
+ "AES-256", "AES-128"
Also allowed: "Camellia-256/GCM", "Camellia-128/GCM",
"Camellia-256", "Camellia-128"
@@ -569,7 +569,7 @@ be negotiated during a handshake.
Return a list of ECC curves we are willing to use, in order of preference.
Default: "brainpool512r1", "brainpool384r1", "brainpool256r1",
- "secp521r1", "secp384r1", "secp256r1", "secp256k1"
+ "secp521r1", "secp384r1", "secp256r1", "secp256k1"
Also allowed (disabled by default): "secp224r1", "secp224k1",
"secp192r1", "secp192k1", "secp160r2", "secp160r1", "secp160k1"
@@ -588,12 +588,13 @@ be negotiated during a handshake.
Return true if this version of the protocol is one that we are
willing to negotiate.
- Default: Accepts TLS v1.0 or higher, or DTLS v1.2. Note that
- SSLv3 is rejected by default; it has serious security
- flaws which cannot be fixed without protocol changes.
+ Default: Accepts TLS v1.0 or higher, or DTLS v1.2.
- .. note:: SSLv3 support is deprecated and will be removed in a
- future release.
+ .. note::
+
+ SSLv3 is rejected by default; it has serious security flaws
+ which cannot be fixed without protocol changes. SSLv3 support
+ is deprecated and will be removed in a future release.
.. cpp:function:: bool server_uses_own_ciphersuite_preferences() const
diff --git a/doc/relnotes/1_11_12.rst b/doc/relnotes/1_11_12.rst
index 288c30a5c..294561a4e 100644
--- a/doc/relnotes/1_11_12.rst
+++ b/doc/relnotes/1_11_12.rst
@@ -10,6 +10,9 @@ Version 1.11.12, Not Yet Released
* Add the ChaCha20Poly1305 AEAD defined in draft-irtf-cfrg-chacha20-poly1305-03
+* Add ChaCha20Poly1305 ciphersuites for TLS compatible with Google's servers
+ following draft-agl-tls-chacha20poly1305-04
+
* When encrypted as PKCS #8 structures, Curve25519 and McEliece
private keys default to using AES-256/GCM instead of AES-256/CBC
diff --git a/src/lib/tls/tls_ciphersuite.cpp b/src/lib/tls/tls_ciphersuite.cpp
index e6a69126c..2ed5d24e6 100644
--- a/src/lib/tls/tls_ciphersuite.cpp
+++ b/src/lib/tls/tls_ciphersuite.cpp
@@ -66,8 +66,8 @@ Ciphersuite::Ciphersuite(u16bit ciphersuite_code,
const char* kex_algo,
const char* cipher_algo,
size_t cipher_keylen,
- size_t exp_nonce_bytes,
- size_t imp_nonce_bytes,
+ size_t nonce_bytes_from_handshake,
+ size_t nonce_bytes_from_record,
const char* mac_algo,
size_t mac_keylen,
const char* prf_algo) :
@@ -77,8 +77,8 @@ Ciphersuite::Ciphersuite(u16bit ciphersuite_code,
m_prf_algo(prf_algo),
m_cipher_algo(cipher_algo),
m_cipher_keylen(cipher_keylen),
- m_explicit_nonce_bytes(exp_nonce_bytes),
- m_implicit_nonce_bytes(imp_nonce_bytes),
+ m_nonce_bytes_from_handshake(nonce_bytes_from_handshake),
+ m_nonce_bytes_from_record(nonce_bytes_from_record),
m_mac_algo(mac_algo),
m_mac_keylen(mac_keylen)
{
@@ -108,27 +108,36 @@ bool Ciphersuite::valid() const
if(mac_algo() == "AEAD")
{
- auto cipher_and_mode = split_on(cipher_algo(), '/');
- BOTAN_ASSERT(cipher_and_mode.size() == 2, "Expected format for AEAD algo");
- if(!af.prototype_block_cipher(cipher_and_mode[0]))
+ if(cipher_algo() == "ChaCha20Poly1305")
+ {
+#if !defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305)
return false;
+#endif
+ }
+ else
+ {
+ auto cipher_and_mode = split_on(cipher_algo(), '/');
+ BOTAN_ASSERT(cipher_and_mode.size() == 2, "Expected format for AEAD algo");
+ if(!af.prototype_block_cipher(cipher_and_mode[0]))
+ return false;
- const auto mode = cipher_and_mode[1];
+ const auto mode = cipher_and_mode[1];
#if !defined(BOTAN_HAS_AEAD_CCM)
- if(mode == "CCM" || mode == "CCM-8")
- return false;
+ if(mode == "CCM" || mode == "CCM-8")
+ return false;
#endif
#if !defined(BOTAN_HAS_AEAD_GCM)
- if(mode == "GCM")
- return false;
+ if(mode == "GCM")
+ return false;
#endif
#if !defined(BOTAN_HAS_AEAD_OCB)
- if(mode == "OCB")
- return false;
+ if(mode == "OCB")
+ return false;
#endif
+ }
}
else
{
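Review bot: The ChaCha20Poly1305 branch at the top of the AEAD case accepts the suite on the compile-time macro alone, whereas the block-cipher branch below also asks the algorithm factory (`af.prototype_block_cipher`) whether the primitive is actually available at runtime. If the factory can be queried for the AEAD, doing so here would keep the two branches consistent; if it cannot, a comment should say that the macro is the only guard, e.g. `// Compile-time check only: no runtime factory lookup is done for this AEAD`. The `else` branch opened at the end of the hunk continues outside it.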
@@ -213,6 +222,10 @@ std::string Ciphersuite::to_string() const
{
out << "RC4_128_";
}
+ else if(cipher_algo() == "ChaCha20Poly1305")
+ {
+ out << "CHACHA20_POLY1305_";
+ }
else
{
if(cipher_algo() == "3DES")
diff --git a/src/lib/tls/tls_ciphersuite.h b/src/lib/tls/tls_ciphersuite.h
index e92eafd5f..bff5b0d9d 100644
--- a/src/lib/tls/tls_ciphersuite.h
+++ b/src/lib/tls/tls_ciphersuite.h
@@ -99,9 +99,9 @@ class BOTAN_DLL Ciphersuite
*/
size_t cipher_keylen() const { return m_cipher_keylen; }
- size_t explicit_nonce_bytes() const { return m_explicit_nonce_bytes; }
+ size_t nonce_bytes_from_record() const { return m_nonce_bytes_from_record; }
- size_t implicit_nonce_bytes() const { return m_implicit_nonce_bytes; }
+ size_t nonce_bytes_from_handshake() const { return m_nonce_bytes_from_handshake; }
size_t mac_keylen() const { return m_mac_keylen; }
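Review bot: The two renamed accessors are public API and the distinction they draw is exactly the one callers get wrong, so each deserves a one-line comment. From the rest of this commit, `nonce_bytes_from_handshake()` is the IV length generated in the key block (tls_session_key.cpp feeds it into `prf_gen`) and `nonce_bytes_from_record()` is the number of nonce bytes written to and read from each record (tls_record.cpp copies exactly that many). Suggested: `/// Nonce bytes derived from the key block (the fixed part of the AEAD nonce)` and `/// Nonce bytes carried explicitly in each record (0 when the record sequence number is the whole nonce)`. The class is cut at both ends of the hunk.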
@@ -119,8 +119,8 @@ class BOTAN_DLL Ciphersuite
const char* kex_algo,
const char* cipher_algo,
size_t cipher_keylen,
- size_t explicit_nonce_bytes,
- size_t implicit_nonce_bytes,
+ size_t nonce_bytes_from_handshake,
+ size_t nonce_bytes_from_record,
const char* mac_algo,
size_t mac_keylen,
const char* prf_algo = "");
@@ -133,7 +133,8 @@ class BOTAN_DLL Ciphersuite
std::string m_cipher_algo;
size_t m_cipher_keylen = 0;
- size_t m_explicit_nonce_bytes = 0, m_implicit_nonce_bytes = 0;
+ size_t m_nonce_bytes_from_handshake = 0;
+ size_t m_nonce_bytes_from_record = 0;
std::string m_mac_algo;
size_t m_mac_keylen = 0;
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 0f2190562..d0e227d2e 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -18,6 +18,7 @@ namespace TLS {
std::vector<std::string> Policy::allowed_ciphers() const
{
return std::vector<std::string>({
+ "ChaCha20Poly1305",
"AES-256/GCM",
"AES-128/GCM",
"AES-256/CCM",
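Review bot: Placing `"ChaCha20Poly1305"` first in `allowed_ciphers()` makes a suite defined by an Internet-Draft (draft-agl-tls-chacha20poly1305-04, per the release notes in this commit) the top default preference ahead of AES-GCM, with nothing in the policy saying so. A short comment lets integrators make that choice consciously: `// Draft (not yet standardised) suite, preferred over AES-GCM by default; skipped when the AEAD is not compiled in`. The skip appears to come from `Ciphersuite::valid()` in tls_ciphersuite.cpp; confirm the policy path actually filters on it. The initializer list continues beyond the hunk.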
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index 0b356fad3..5f3801024 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -25,8 +25,8 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
const Ciphersuite& suite,
const Session_Keys& keys) :
m_start_time(std::chrono::system_clock::now()),
- m_implicit_nonce_size(suite.implicit_nonce_bytes()),
- m_explicit_nonce_size(suite.explicit_nonce_bytes()),
+ m_nonce_bytes_from_handshake(suite.nonce_bytes_from_handshake()),
+ m_nonce_bytes_from_record(suite.nonce_bytes_from_record()),
m_is_ssl3(version == Protocol_Version::SSL_V3)
{
SymmetricKey mac_key, cipher_key;
@@ -53,9 +53,13 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
m_aead.reset(aead);
m_aead->set_key(cipher_key + mac_key);
- BOTAN_ASSERT(iv.length() == explicit_nonce_bytes(), "Matching nonce sizes");
+ BOTAN_ASSERT_EQUAL(iv.length(), nonce_bytes_from_handshake(), "Matching nonce sizes");
m_nonce = iv.bits_of();
- m_nonce.resize(implicit_nonce_bytes() + explicit_nonce_bytes());
+
+ BOTAN_ASSERT(nonce_bytes_from_record() == 0 || nonce_bytes_from_record() == 8,
+ "Ciphersuite uses implemented IV length");
+
+ m_nonce.resize(m_nonce.size() + 8);
return;
}
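Review bot: `m_nonce.resize(m_nonce.size() + 8)` on the last line of the AEAD branch always appends 8 bytes, even when `nonce_bytes_from_record()` is 0, and the reason is only visible in `aead_nonce()` further down, which `store_be`s a u64bit sequence number into that slot. The preceding assertion admitting only 0 or 8 belongs with it. Suggested comment above the resize: `// Reserve 8 bytes after the handshake-derived IV for the 64-bit record sequence number: the explicit nonce for GCM/CCM, the whole nonce for ChaCha20Poly1305.` The constructor body continues past the hunk.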
@@ -89,15 +93,27 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
const secure_vector<byte>& Connection_Cipher_State::aead_nonce(u64bit seq)
{
- store_be(seq, &m_nonce[explicit_nonce_bytes()]);
+ store_be(seq, &m_nonce[nonce_bytes_from_handshake()]);
return m_nonce;
}
const secure_vector<byte>&
-Connection_Cipher_State::aead_nonce(const byte record[], size_t record_len)
+Connection_Cipher_State::aead_nonce(const byte record[], size_t record_len, u64bit seq)
{
- BOTAN_ASSERT(record_len >= implicit_nonce_bytes(), "Record includes nonce");
- copy_mem(&m_nonce[explicit_nonce_bytes()], record, implicit_nonce_bytes());
+ if(nonce_bytes_from_record())
+ {
+ if(record_len < nonce_bytes_from_record())
+ throw Decoding_Error("Invalid AEAD packet too short to be valid");
+ copy_mem(&m_nonce[nonce_bytes_from_handshake()], record, nonce_bytes_from_record());
+ }
+ else
+ {
+ /*
+ nonce_len == 0 is assumed to mean no nonce in the message but
+ instead the AEAD uses the seq number in network order.
+ */
+ store_be(seq, &m_nonce[nonce_bytes_from_handshake()]);
+ }
return m_nonce;
}
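Review bot: The comment in the `else` branch says what the zero-length case does but not what it relies on: with no per-record nonce bytes, nonce uniqueness rests entirely on the 64-bit record sequence number never repeating under one key, so the sequence handling elsewhere in the record layer (not in this diff) must never let it wrap or reset without a key change. Worth stating next to the `store_be`: `// Nonce uniqueness then depends solely on the record sequence number, which must not repeat for the lifetime of this key.` In the `if` branch the nonce bytes are copied straight from the wire, so a tampered explicit nonce is only caught by the AEAD tag verification later; a one-line note to that effect stops a reader from looking for a separate check here. Replacing the `BOTAN_ASSERT` with a thrown `Decoding_Error` for short records is the right direction, since record_len is attacker-controlled.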
@@ -127,8 +143,8 @@ Connection_Cipher_State::format_ad(u64bit msg_sequence,
void write_record(secure_vector<byte>& output,
byte msg_type, const byte msg[], size_t msg_length,
Protocol_Version version,
- u64bit msg_sequence,
- Connection_Cipher_State* cipherstate,
+ u64bit seq,
+ Connection_Cipher_State* cs,
RandomNumberGenerator& rng)
{
output.clear();
@@ -140,10 +156,10 @@ void write_record(secure_vector<byte>& output,
if(version.is_datagram_protocol())
{
for(size_t i = 0; i != 8; ++i)
- output.push_back(get_byte(i, msg_sequence));
+ output.push_back(get_byte(i, seq));
}
- if(!cipherstate) // initial unencrypted handshake records
+ if(!cs) // initial unencrypted handshake records
{
output.push_back(get_byte<u16bit>(0, msg_length));
output.push_back(get_byte<u16bit>(1, msg_length));
@@ -153,30 +169,22 @@ void write_record(secure_vector<byte>& output,
return;
}
- if(AEAD_Mode* aead = cipherstate->aead())
+ if(AEAD_Mode* aead = cs->aead())
{
const size_t ctext_size = aead->output_length(msg_length);
- auto nonce = cipherstate->aead_nonce(msg_sequence);
- const size_t implicit_nonce_bytes = cipherstate->implicit_nonce_bytes();
- const size_t explicit_nonce_bytes = cipherstate->explicit_nonce_bytes();
-
- BOTAN_ASSERT(nonce.size() == implicit_nonce_bytes + explicit_nonce_bytes,
- "Expected nonce size");
+ const secure_vector<byte>& nonce = cs->aead_nonce(seq);
// wrong if start returns something
- const size_t rec_size = ctext_size + implicit_nonce_bytes;
+ const size_t rec_size = ctext_size + cs->nonce_bytes_from_record();
BOTAN_ASSERT(rec_size <= 0xFFFF, "Ciphertext length fits in field");
-
output.push_back(get_byte<u16bit>(0, rec_size));
output.push_back(get_byte<u16bit>(1, rec_size));
- aead->set_associated_data_vec(
- cipherstate->format_ad(msg_sequence, msg_type, version, msg_length)
- );
+ aead->set_ad(cs->format_ad(seq, msg_type, version, msg_length));
- output += std::make_pair(&nonce[explicit_nonce_bytes], implicit_nonce_bytes);
+ output += std::make_pair(&nonce[cs->nonce_bytes_from_handshake()], cs->nonce_bytes_from_record());
BOTAN_ASSERT(aead->start(nonce).empty(), "AEAD doesn't return anything from start");
const size_t offset = output.size();
@@ -190,15 +198,13 @@ void write_record(secure_vector<byte>& output,
return;
}
- cipherstate->mac()->update(
- cipherstate->format_ad(msg_sequence, msg_type, version, msg_length)
- );
+ cs->mac()->update(cs->format_ad(seq, msg_type, version, msg_length));
- cipherstate->mac()->update(msg, msg_length);
+ cs->mac()->update(msg, msg_length);
- const size_t block_size = cipherstate->block_size();
- const size_t iv_size = cipherstate->iv_size();
- const size_t mac_size = cipherstate->mac_size();
+ const size_t block_size = cs->block_size();
+ const size_t iv_size = cs->iv_size();
+ const size_t mac_size = cs->mac_size();
const size_t buf_size = round_up(
iv_size + msg_length + mac_size + (block_size ? 1 : 0),
@@ -221,7 +227,7 @@ void write_record(secure_vector<byte>& output,
output.insert(output.end(), &msg[0], &msg[msg_length]);
output.resize(output.size() + mac_size);
- cipherstate->mac()->final(&output[output.size() - mac_size]);
+ cs->mac()->final(&output[output.size() - mac_size]);
if(block_size)
{
@@ -235,16 +241,16 @@ void write_record(secure_vector<byte>& output,
if(buf_size > MAX_CIPHERTEXT_SIZE)
throw Internal_Error("Produced ciphertext larger than protocol allows");
- BOTAN_ASSERT(buf_size + header_size == output.size(),
- "Output buffer is sized properly");
+ BOTAN_ASSERT_EQUAL(buf_size + header_size, output.size(),
+ "Output buffer is sized properly");
- if(StreamCipher* sc = cipherstate->stream_cipher())
+ if(StreamCipher* sc = cs->stream_cipher())
{
sc->cipher1(&output[header_size], buf_size);
}
- else if(BlockCipher* bc = cipherstate->block_cipher())
+ else if(BlockCipher* bc = cs->block_cipher())
{
- secure_vector<byte>& cbc_state = cipherstate->cbc_state();
+ secure_vector<byte>& cbc_state = cs->cbc_state();
BOTAN_ASSERT(buf_size % block_size == 0,
"Buffer is an even multiple of block size");
@@ -343,10 +349,10 @@ size_t tls_padding_check(bool sslv3_padding,
}
void cbc_decrypt_record(byte record_contents[], size_t record_len,
- Connection_Cipher_State& cipherstate,
+ Connection_Cipher_State& cs,
const BlockCipher& bc)
{
- const size_t block_size = cipherstate.block_size();
+ const size_t block_size = cs.block_size();
BOTAN_ASSERT(record_len % block_size == 0,
"Buffer is an even multiple of block size");
@@ -361,7 +367,7 @@ void cbc_decrypt_record(byte record_contents[], size_t record_len,
copy_mem(&last_ciphertext[0], &buf[0], block_size);
bc.decrypt(&buf[0]);
- xor_buf(&buf[0], &cipherstate.cbc_state()[0], block_size);
+ xor_buf(&buf[0], &cs.cbc_state()[0], block_size);
secure_vector<byte> last_ciphertext2;
@@ -373,7 +379,7 @@ void cbc_decrypt_record(byte record_contents[], size_t record_len,
std::swap(last_ciphertext, last_ciphertext2);
}
- cipherstate.cbc_state() = last_ciphertext;
+ cs.cbc_state() = last_ciphertext;
}
void decrypt_record(secure_vector<byte>& output,
@@ -381,21 +387,18 @@ void decrypt_record(secure_vector<byte>& output,
u64bit record_sequence,
Protocol_Version record_version,
Record_Type record_type,
- Connection_Cipher_State& cipherstate)
+ Connection_Cipher_State& cs)
{
- if(AEAD_Mode* aead = cipherstate.aead())
+ if(AEAD_Mode* aead = cs.aead())
{
- auto nonce = cipherstate.aead_nonce(record_contents, record_len);
- const size_t nonce_length = cipherstate.implicit_nonce_bytes();
-
- BOTAN_ASSERT(record_len > nonce_length, "Have data past the nonce");
- const byte* msg = &record_contents[nonce_length];
- const size_t msg_length = record_len - nonce_length;
+ const secure_vector<byte>& nonce = cs.aead_nonce(record_contents, record_len, record_sequence);
+ const byte* msg = &record_contents[cs.nonce_bytes_from_record()];
+ const size_t msg_length = record_len - cs.nonce_bytes_from_record();
const size_t ptext_size = aead->output_length(msg_length);
aead->set_associated_data_vec(
- cipherstate.format_ad(record_sequence, record_type, record_version, ptext_size)
+ cs.format_ad(record_sequence, record_type, record_version, ptext_size)
);
output += aead->start(nonce);
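Review bot: The removed `BOTAN_ASSERT(record_len > nonce_length, ...)` is only partially replaced by the `record_len < nonce_bytes_from_record()` check inside `aead_nonce()`, so a record that is exactly the explicit-nonce length, or shorter than nonce plus tag, now reaches `aead->output_length(msg_length)` with too few bytes. Whether that yields a clean `Decoding_Error` or an internal assertion/underflow depends on the mode's `output_length`, which is outside this diff; either way the length is attacker-controlled and should be rejected in the record layer. Add, before `msg_length` is computed, a check that `record_len` is at least the explicit nonce length plus the AEAD tag length (via whatever tag-size accessor `AEAD_Mode` exposes) and throw `Decoding_Error` otherwise. `decrypt_record` continues past the hunk.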
@@ -413,17 +416,17 @@ void decrypt_record(secure_vector<byte>& output,
volatile bool padding_bad = false;
size_t pad_size = 0;
- if(StreamCipher* sc = cipherstate.stream_cipher())
+ if(StreamCipher* sc = cs.stream_cipher())
{
sc->cipher1(record_contents, record_len);
// no padding to check or remove
}
- else if(BlockCipher* bc = cipherstate.block_cipher())
+ else if(BlockCipher* bc = cs.block_cipher())
{
- cbc_decrypt_record(record_contents, record_len, cipherstate, *bc);
+ cbc_decrypt_record(record_contents, record_len, cs, *bc);
- pad_size = tls_padding_check(cipherstate.cipher_padding_single_byte(),
- cipherstate.block_size(),
+ pad_size = tls_padding_check(cs.cipher_padding_single_byte(),
+ cs.block_size(),
record_contents, record_len);
padding_bad = (pad_size == 0);
@@ -433,8 +436,8 @@ void decrypt_record(secure_vector<byte>& output,
throw Internal_Error("No cipher state set but needed to decrypt");
}
- const size_t mac_size = cipherstate.mac_size();
- const size_t iv_size = cipherstate.iv_size();
+ const size_t mac_size = cs.mac_size();
+ const size_t iv_size = cs.iv_size();
const size_t mac_pad_iv_size = mac_size + pad_size + iv_size;
@@ -444,14 +447,14 @@ void decrypt_record(secure_vector<byte>& output,
const byte* plaintext_block = &record_contents[iv_size];
const u16bit plaintext_length = record_len - mac_pad_iv_size;
- cipherstate.mac()->update(
- cipherstate.format_ad(record_sequence, record_type, record_version, plaintext_length)
+ cs.mac()->update(
+ cs.format_ad(record_sequence, record_type, record_version, plaintext_length)
);
- cipherstate.mac()->update(plaintext_block, plaintext_length);
+ cs.mac()->update(plaintext_block, plaintext_length);
std::vector<byte> mac_buf(mac_size);
- cipherstate.mac()->final(&mac_buf[0]);
+ cs.mac()->final(&mac_buf[0]);
const size_t mac_offset = record_len - (mac_size + pad_size);
@@ -484,8 +487,7 @@ size_t read_tls_record(secure_vector<byte>& readbuf,
TLS_HEADER_SIZE))
return needed;
- BOTAN_ASSERT_EQUAL(readbuf.size(), TLS_HEADER_SIZE,
- "Have an entire header");
+ BOTAN_ASSERT_EQUAL(readbuf.size(), TLS_HEADER_SIZE, "Have an entire header");
}
// Possible SSLv2 format client hello
@@ -571,9 +573,9 @@ size_t read_tls_record(secure_vector<byte>& readbuf,
}
// Otherwise, decrypt, check MAC, return plaintext
- auto cipherstate = get_cipherstate(epoch);
+ auto cs = get_cipherstate(epoch);
- BOTAN_ASSERT(cipherstate, "Have cipherstate for this epoch");
+ BOTAN_ASSERT(cs, "Have cipherstate for this epoch");
decrypt_record(record,
record_contents,
@@ -581,7 +583,7 @@ size_t read_tls_record(secure_vector<byte>& readbuf,
*record_sequence,
*record_version,
*record_type,
- *cipherstate);
+ *cs);
if(sequence_numbers)
sequence_numbers->read_accept(*record_sequence);
@@ -660,9 +662,9 @@ size_t read_dtls_record(secure_vector<byte>& readbuf,
try
{
// Otherwise, decrypt, check MAC, return plaintext
- auto cipherstate = get_cipherstate(epoch);
+ auto cs = get_cipherstate(epoch);
- BOTAN_ASSERT(cipherstate, "Have cipherstate for this epoch");
+ BOTAN_ASSERT(cs, "Have cipherstate for this epoch");
decrypt_record(record,
record_contents,
@@ -670,7 +672,7 @@ size_t read_dtls_record(secure_vector<byte>& readbuf,
*record_sequence,
*record_version,
*record_type,
- *cipherstate);
+ *cs);
}
catch(std::exception)
{
diff --git a/src/lib/tls/tls_record.h b/src/lib/tls/tls_record.h
index 2dae96164..d7e85dcab 100644
--- a/src/lib/tls/tls_record.h
+++ b/src/lib/tls/tls_record.h
@@ -45,7 +45,7 @@ class Connection_Cipher_State
const secure_vector<byte>& aead_nonce(u64bit seq);
- const secure_vector<byte>& aead_nonce(const byte record[], size_t record_len);
+ const secure_vector<byte>& aead_nonce(const byte record[], size_t record_len, u64bit seq);
const secure_vector<byte>& format_ad(u64bit seq, byte type,
Protocol_Version version,
@@ -65,9 +65,9 @@ class Connection_Cipher_State
size_t iv_size() const { return m_iv_size; }
- size_t implicit_nonce_bytes() const { return m_implicit_nonce_size; }
+ size_t nonce_bytes_from_record() const { return m_nonce_bytes_from_record; }
- size_t explicit_nonce_bytes() const { return m_explicit_nonce_size; }
+ size_t nonce_bytes_from_handshake() const { return m_nonce_bytes_from_handshake; }
bool cipher_padding_single_byte() const { return m_is_ssl3; }
@@ -91,7 +91,8 @@ class Connection_Cipher_State
secure_vector<byte> m_nonce, m_ad;
size_t m_block_size = 0;
- size_t m_implicit_nonce_size = 0, m_explicit_nonce_size = 0;
+ size_t m_nonce_bytes_from_handshake;
+ size_t m_nonce_bytes_from_record;
size_t m_iv_size = 0;
bool m_is_ssl3 = false;
};
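Review bot: `m_nonce_bytes_from_handshake` and `m_nonce_bytes_from_record` drop the in-class `= 0` initializer that the replaced line had, while the neighbouring `m_block_size = 0` and `m_iv_size = 0` keep theirs. The constructor in tls_record.cpp sets both in its initializer list, so this is not a bug today, but any future constructor that forgets them would read indeterminate nonce lengths. Restore the defaults: `size_t m_nonce_bytes_from_handshake = 0;` and `size_t m_nonce_bytes_from_record = 0;`.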
diff --git a/src/lib/tls/tls_session_key.cpp b/src/lib/tls/tls_session_key.cpp
index 4c09b29fd..3ea80ecb0 100644
--- a/src/lib/tls/tls_session_key.cpp
+++ b/src/lib/tls/tls_session_key.cpp
@@ -22,7 +22,7 @@ Session_Keys::Session_Keys(const Handshake_State* state,
{
const size_t cipher_keylen = state->ciphersuite().cipher_keylen();
const size_t mac_keylen = state->ciphersuite().mac_keylen();
- const size_t cipher_nonce_bytes = state->ciphersuite().explicit_nonce_bytes();
+ const size_t cipher_nonce_bytes = state->ciphersuite().nonce_bytes_from_handshake();
const size_t prf_gen = 2 * (mac_keylen + cipher_keylen + cipher_nonce_bytes);
diff --git a/src/lib/tls/tls_suite_info.cpp b/src/lib/tls/tls_suite_info.cpp
index b19986dff..90ff2ae61 100644
--- a/src/lib/tls/tls_suite_info.cpp
+++ b/src/lib/tls/tls_suite_info.cpp
@@ -3,7 +3,7 @@
*
* This file was automatically generated from the IANA assignments
* (tls-parameters.txt hash 4bc98b6f75ad5b63952b5f457fa7adbfef60f095)
-* by ./src/scripts/tls_suite_info.py on 2014-11-03
+* by ./src/scripts/tls_suite_info.py on 2014-12-31
*
* Released under the terms of the Botan license
*/
@@ -156,6 +156,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
case 0xC07D: // DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
return Ciphersuite(0xC07D, "RSA", "DH", "Camellia-256/GCM", 32, 4, 8, "AEAD", 0, "SHA-384");
+ case 0xCC15: // DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ return Ciphersuite(0xCC15, "RSA", "DH", "ChaCha20Poly1305", 32, 0, 0, "AEAD", 0, "SHA-256");
+
case 0x009A: // DHE_RSA_WITH_SEED_CBC_SHA
return Ciphersuite(0x009A, "RSA", "DH", "SEED", 16, 16, 0, "SHA-1", 20);
@@ -249,6 +252,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
case 0xC087: // ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
return Ciphersuite(0xC087, "ECDSA", "ECDH", "Camellia-256/GCM", 32, 4, 8, "AEAD", 0, "SHA-384");
+ case 0xCC14: // ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ return Ciphersuite(0xCC14, "ECDSA", "ECDH", "ChaCha20Poly1305", 32, 0, 0, "AEAD", 0, "SHA-256");
+
case 0xC007: // ECDHE_ECDSA_WITH_RC4_128_SHA
return Ciphersuite(0xC007, "ECDSA", "ECDH", "RC4", 16, 0, 0, "SHA-1", 20);
@@ -309,6 +315,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
case 0xC08B: // ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
return Ciphersuite(0xC08B, "RSA", "ECDH", "Camellia-256/GCM", 32, 4, 8, "AEAD", 0, "SHA-384");
+ case 0xCC13: // ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ return Ciphersuite(0xCC13, "RSA", "ECDH", "ChaCha20Poly1305", 32, 0, 0, "AEAD", 0, "SHA-256");
+
case 0xC011: // ECDHE_RSA_WITH_RC4_128_SHA
return Ciphersuite(0xC011, "RSA", "ECDH", "RC4", 16, 0, 0, "SHA-1", 20);
diff --git a/src/scripts/tls_suite_info.py b/src/scripts/tls_suite_info.py
index 31bc70a4f..89e1dae5b 100755
--- a/src/scripts/tls_suite_info.py
+++ b/src/scripts/tls_suite_info.py
@@ -54,14 +54,14 @@ def to_ciphersuite_info(code, name):
cipher_info = {
'RC4': ('RC4',None),
- 'CHACHA': ('ChaCha',32),
+ 'CHACHA20': ('ChaCha',32),
'IDEA': ('IDEA',16),
'DES': ('DES',8),
'3DES': ('3DES',24),
'CAMELLIA': ('Camellia',None),
'AES': ('AES',None),
'SEED': ('SEED',16),
- 'ARIA': ('ARIA',16)
+ 'ARIA': ('ARIA',16),
}
tls_to_botan_names = {
@@ -115,7 +115,11 @@ def to_ciphersuite_info(code, name):
mode = ''
ivlen = 0
- stream_ciphers = ['RC4', 'ChaCha']
+ if cipher[0] == 'CHACHA20' and cipher[1] == 'POLY1305':
+ return 'Ciphersuite(0x%s, "%s", "%s", "%s", %d, %d, %d, "AEAD", %d, "%s")' % (
+ code, sig_algo, kex_algo, "ChaCha20Poly1305", cipher_keylen, 0, 0, 0, mac_algo)
+
+ stream_ciphers = ['RC4']
if cipher_algo not in stream_ciphers:
mode = cipher[-1]
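Review bot: The early return for CHACHA20/POLY1305 emits the nonce lengths and mac keylen as bare `0, 0` and `0` literals, and it is the only place the generated table's `32, 0, 0, "AEAD", 0` line comes from. A comment keeps the numbers from reading as placeholders: `# nonce: 0 bytes from the handshake, 0 from the record (the 64-bit seq number is the nonce); AEAD, so mac keylen 0`. `cipher_keylen`, `sig_algo`, `kex_algo` and `mac_algo` are computed earlier in `to_ciphersuite_info`, outside the hunk.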
@@ -164,13 +168,12 @@ def process_command_line(args):
help='add experimental OCB AEAD suites')
parser.add_option('--with-eax', action='store_true', default=False,
help='add experimental EAX AEAD suites')
- parser.add_option('--with-chacha', action='store_true', default=False,
- help='add experimental ChaCha suites')
parser.add_option('--save-download', action='store_true', default=True,
help='save downloaded tls-parameters.txt')
- parser.add_option('--output', help='save output to named file instead of stdout')
+ parser.add_option('--output', '-o',
+ help='save output to named file instead of stdout')
return parser.parse_args(args)
@@ -223,6 +226,11 @@ def main(args = None):
# From http://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01
define_custom_ciphersuite('DHE_DSS_WITH_RC4_128_SHA', '0066')
+ # Google servers - draft-agl-tls-chacha20poly1305-04
+ define_custom_ciphersuite('ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'CC13')
+ define_custom_ciphersuite('ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'CC14')
+ define_custom_ciphersuite('DHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'CC15')
+
# Expermental things
if options.with_ocb:
define_custom_ciphersuite('ECDHE_ECDSA_WITH_AES_128_OCB_SHA256', 'FF80')
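Review bot: The codepoints CC13–CC15 are registered through `define_custom_ciphersuite`, i.e. they are not in the IANA registry this script downloads, and the comment only says `Google servers`. Someone regenerating the table later needs to know these are draft values, so say so: `# Pre-standard codepoints from draft-agl-tls-chacha20poly1305-04 (Google's deployment); not IANA-assigned, may change when the draft is finalised`. Whether the final codepoints or record format will differ cannot be told from this page.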
@@ -239,21 +247,6 @@ def main(args = None):
define_custom_ciphersuite('ECDHE_RSA_WITH_AES_128_EAX_SHA256', 'FF92')
define_custom_ciphersuite('ECDHE_RSA_WITH_AES_256_EAX_SHA384', 'FF93')
- if options.with_chacha:
- define_custom_ciphersuite('RSA_WITH_CHACHA_SHA', 'CC20')
- define_custom_ciphersuite('ECDHE_RSA_WITH_CHACHA_SHA', 'CC21')
- define_custom_ciphersuite('ECDHE_ECDSA_WITH_CHACHA_SHA', 'CC22')
- define_custom_ciphersuite('DHE_RSA_WITH_CHACHA_SHA', 'CC23')
-
- define_custom_ciphersuite('DHE_PSK_WITH_CHACHA_SHA', 'CC24')
- define_custom_ciphersuite('PSK_WITH_CHACHA_SHA', 'CC25')
- define_custom_ciphersuite('ECDHE_PSK_WITH_CHACHA_SHA', 'CC26')
- #define_custom_ciphersuite('RSA_PSK_WITH_CHACHA_SHA', 'CC26')
-
- define_custom_ciphersuite('SRP_SHA_WITH_CHACHA_SHA', 'CC27')
- define_custom_ciphersuite('SRP_SHA_RSA_WITH_CHACHA_SHA', 'CC28')
- define_custom_ciphersuite('SRP_SHA_ECDSA_WITH_CHACHA_SHA', 'CC29')
-
if options.with_srp_aead:
define_custom_ciphersuite('SRP_SHA_WITH_AES_256_GCM_SHA384', 'FFA0')
define_custom_ciphersuite('SRP_SHA_RSA_WITH_AES_256_GCM_SHA384', 'FFA1')