There are couple of issues in current AES-CBC cipher-suite implementation.
1) Using the wrong data encryption/decryption key.
2) Using the wrong MAC Key for MAC calculation.
The reason for this is that the macros which point to the key location
in the key block were designed for AES-CCM cipher suites.
Change-Id: I410175302a2f23d1fa64f2b15b774c48d4ec19b3
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/3441
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>
--- /dev/null
+SUPPORTED CIPHER-SUITES
+ TLS_PSK_WITH_AES_128_CCM_8(0xC0A8)
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8(0xC0AE)
+ TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256(0xC037)
+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA256(0xC018)
+
+TEST APPLICATIONS
+These applications can be build from Iotivity's root directory using below commands:
+scons extlibs/tinydtls/dtls-client SECURED=1 RELEASE=0
+scons extlibs/tinydtls/dtls-server SECURED=1 RELEASE=0
+
+
+INTER-OPERABILITY TESTING
+tinyDTLS's cipher-suite implementations can be verified for compatibility against other
+SSL libraries.
+Use below commands to perform compatibility testing against mBed SSL library.
+./ssl_server2 debug_level=5 dtls=1 psk=73656372657450534b psk_identity=Client_identity \
+ force_version=dtls1_2 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256
+./dtls-client -v 6 -c 4 localhost 4433
+
+./ssl_client2 debug_level=5 dtls=1 psk=73656372657450534b psk_identity=Client_identity \
+ force_version=dtls1_2 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256
+./dtls-server -v 6 localhost -p 4433
+
+Above commands can also be tested with TLS-PSK-WITH-AES-128-CCM-8 cipher suite.
+
static size_t
dtls_cbc_encrypt(aes128_t *aes_ctx,
- unsigned char *key, size_t keylen,
+ unsigned char *mac_key, size_t mac_keylen,
const unsigned char *iv,
const unsigned char *src, size_t srclen,
unsigned char *buf) {
dtls_hdr = src - DTLS_CBC_IV_LENGTH - sizeof(dtls_record_header_t);
//Calculate MAC : Append the MAC code to end of content
- hmac_ctx = dtls_hmac_new(key, keylen);
+ hmac_ctx = dtls_hmac_new(mac_key, mac_keylen);
dtls_mac(hmac_ctx,
dtls_hdr,
src, srclen,
static size_t
dtls_cbc_decrypt(aes128_t *aes_ctx,
- unsigned char *key, size_t keylen,
+ unsigned char *mac_key, size_t mac_keylen,
const unsigned char *iv,
const unsigned char *src, size_t srclen,
unsigned char *buf) {
depaddinglen = buf[srclen -1];
//Calculate MAC
- hmac_ctx = dtls_hmac_new(key, keylen);
+ hmac_ctx = dtls_hmac_new(mac_key, mac_keylen);
if(!hmac_ctx) {
return -1;
}
dtls_encrypt(const unsigned char *src, size_t length,
unsigned char *buf,
unsigned char *nounce,
- unsigned char *key, size_t keylen,
+ unsigned char *write_key, size_t write_keylen,
+ unsigned char *mac_key, size_t mac_keylen,
const unsigned char *aad, size_t la,
const dtls_cipher_t cipher)
{
if(cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ||
cipher == TLS_PSK_WITH_AES_128_CCM_8) {
- ret = rijndael_set_key_enc_only(&ctx->data.ctx, key, 8 * keylen);
+ ret = rijndael_set_key_enc_only(&ctx->data.ctx, write_key, 8 * write_keylen);
if (ret < 0) {
/* cleanup everything in case the key has the wrong size */
dtls_warn("cannot set rijndael key\n");
}
if(cipher == TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256 ||
cipher == TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256) {
- ret = rijndael_set_key(&ctx->data.ctx, key, 8 * keylen);
+ ret = rijndael_set_key(&ctx->data.ctx, write_key, 8 * write_keylen);
if (ret < 0) {
/* cleanup everything in case the key has the wrong size */
dtls_warn("cannot set rijndael key\n");
if (src != buf)
memmove(buf, src, length);
- ret = dtls_cbc_encrypt(&ctx->data, key, keylen, nounce, src, length, buf);
+ ret = dtls_cbc_encrypt(&ctx->data, mac_key, mac_keylen, nounce, src, length, buf);
}
error:
dtls_decrypt(const unsigned char *src, size_t length,
unsigned char *buf,
unsigned char *nounce,
- unsigned char *key, size_t keylen,
+ unsigned char *read_key, size_t read_keylen,
+ unsigned char *mac_key, size_t mac_keylen,
const unsigned char *aad, size_t la,
const dtls_cipher_t cipher)
{
if(cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ||
cipher == TLS_PSK_WITH_AES_128_CCM_8) {
- ret = rijndael_set_key_enc_only(&ctx->data.ctx, key, 8 * keylen);
+ ret = rijndael_set_key_enc_only(&ctx->data.ctx, read_key, 8 * read_keylen);
if (ret < 0) {
/* cleanup everything in case the key has the wrong size */
dtls_warn("cannot set rijndael key\n");
if(cipher == TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256 ||
cipher == TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256) {
- ret = rijndael_set_key(&ctx->data.ctx, key, 8 * keylen);
+ ret = rijndael_set_key(&ctx->data.ctx, read_key, 8 * read_keylen);
if (ret < 0) {
/* cleanup everything in case the key has the wrong size */
dtls_warn("cannot set rijndael key\n");
if (src != buf)
memmove(buf, src, length);
- ret = dtls_cbc_decrypt(&ctx->data, key, keylen, nounce, src, length, buf);
+ ret = dtls_cbc_decrypt(&ctx->data, mac_key, mac_keylen, nounce, src, length, buf);
}
error:
#include "ecc/ecc.h"
/* TLS_PSK_WITH_AES_128_CCM_8 */
-#define DTLS_MAC_KEY_LENGTH 0
+#define DTLS_CCM_MAC_KEY_LENGTH 0 /* MAC Key length for AES-CCM cipher suites */
+#define DTLS_CBC_MAC_KEY_LENGTH 32 /* MAC Key length for AES-CBC Cipher suites */
#define DTLS_KEY_LENGTH 16 /* AES-128 */
#define DTLS_BLK_LENGTH 16 /* AES-128 */
#define DTLS_MAC_LENGTH DTLS_HMAC_DIGEST_SIZE
-#define DTLS_IV_LENGTH 4 /* length of nonce_explicit */
+#define DTLS_CCM_IV_LENGTH 4 /* length of nonce_explicit */
#define DTLS_CBC_IV_LENGTH 16
/**
* be large enough to hold the pre_master_secret, i.e. twice the length of the
* pre-shared key + 1.
*/
+#define CCM_KB_LENGTH \
+ (2 * DTLS_KEY_LENGTH + 2 * DTLS_CCM_IV_LENGTH)
+
+#define CBC_KB_LENGTH \
+ (2 * DTLS_CBC_MAC_KEY_LENGTH + 2 * DTLS_KEY_LENGTH )
+
#define MAX_KEYBLOCK_LENGTH \
- (2 * DTLS_MAC_KEY_LENGTH + 2 * DTLS_KEY_LENGTH + 2 * DTLS_IV_LENGTH)
+ ((CCM_KB_LENGTH) > (CBC_KB_LENGTH) ? (CCM_KB_LENGTH) : (CBC_KB_LENGTH) )
/** Length of DTLS master_secret */
#define DTLS_MASTER_SECRET_LENGTH 48
/* The following macros provide access to the components of the
* key_block in the security parameters. */
+static inline int dtls_kb_mac_secret_size(dtls_cipher_t cipher)
+{
+ switch(cipher)
+ {
+ case TLS_NULL_WITH_NULL_NULL:
+
+ return 0;
+ break;
+
+ case TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256:
+ case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256:
+
+ return DTLS_CBC_MAC_KEY_LENGTH;
+ break;
+
+ case TLS_PSK_WITH_AES_128_CCM_8:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
+
+ return DTLS_CCM_MAC_KEY_LENGTH;
+ break;
+ }
+
+ return -1;
+}
+
+
+static inline int dtls_kb_iv_size(dtls_cipher_t cipher)
+{
+ switch(cipher)
+ {
+ case TLS_NULL_WITH_NULL_NULL:
+ case TLS_ECDH_anon_WITH_AES_128_CBC_SHA_256:
+ case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA_256:
+
+ return 0;
+ break;
+
+ case TLS_PSK_WITH_AES_128_CCM_8:
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
+
+ return DTLS_CCM_IV_LENGTH;
+ break;
+ }
+
+ return -1;
+}
+
+
+
+
#define dtls_kb_client_mac_secret(Param, Role) ((Param)->key_block)
#define dtls_kb_server_mac_secret(Param, Role) \
- (dtls_kb_client_mac_secret(Param, Role) + DTLS_MAC_KEY_LENGTH)
+ (dtls_kb_client_mac_secret(Param, Role) + dtls_kb_mac_secret_size((Param)->cipher))
#define dtls_kb_remote_mac_secret(Param, Role) \
((Role) == DTLS_SERVER \
? dtls_kb_client_mac_secret(Param, Role) \
((Role) == DTLS_CLIENT \
? dtls_kb_client_mac_secret(Param, Role) \
: dtls_kb_server_mac_secret(Param, Role))
-#define dtls_kb_mac_secret_size(Param, Role) DTLS_MAC_KEY_LENGTH
#define dtls_kb_client_write_key(Param, Role) \
- (dtls_kb_server_mac_secret(Param, Role) + DTLS_MAC_KEY_LENGTH)
+ (dtls_kb_server_mac_secret(Param, Role) + dtls_kb_mac_secret_size((Param)->cipher))
#define dtls_kb_server_write_key(Param, Role) \
(dtls_kb_client_write_key(Param, Role) + DTLS_KEY_LENGTH)
#define dtls_kb_remote_write_key(Param, Role) \
#define dtls_kb_client_iv(Param, Role) \
(dtls_kb_server_write_key(Param, Role) + DTLS_KEY_LENGTH)
#define dtls_kb_server_iv(Param, Role) \
- (dtls_kb_client_iv(Param, Role) + DTLS_IV_LENGTH)
+ (dtls_kb_client_iv(Param, Role) + dtls_kb_iv_size((Param)->cipher))
#define dtls_kb_remote_iv(Param, Role) \
((Role) == DTLS_SERVER \
? dtls_kb_client_iv(Param, Role) \
((Role) == DTLS_CLIENT \
? dtls_kb_client_iv(Param, Role) \
: dtls_kb_server_iv(Param, Role))
-#define dtls_kb_iv_size(Param, Role) DTLS_IV_LENGTH
#define dtls_kb_size(Param, Role) \
- (2 * (dtls_kb_mac_secret_size(Param, Role) + \
- dtls_kb_key_size(Param, Role) + dtls_kb_iv_size(Param, Role)))
+ (2 * (dtls_kb_mac_secret_size((Param)->cipher) + \
+ dtls_kb_key_size(Param, Role) + dtls_kb_iv_size((Param)->cipher)))
/* just for consistency */
#define dtls_kb_digest_size(Param, Role) DTLS_MAC_LENGTH
int dtls_encrypt(const unsigned char *src, size_t length,
unsigned char *buf,
unsigned char *nounce,
- unsigned char *key, size_t keylen,
+ unsigned char *write_key, size_t write_keylen,
+ unsigned char *mac_key, size_t mac_keylen,
const unsigned char *aad, size_t aad_length,
const dtls_cipher_t cipher);
int dtls_decrypt(const unsigned char *src, size_t length,
unsigned char *buf,
unsigned char *nounce,
- unsigned char *key, size_t keylen,
+ unsigned char *read_key, size_t read_keylen,
+ unsigned char *mac_key, size_t mac_keylen,
const unsigned char *a_data, size_t a_data_length,
const dtls_cipher_t cipher);
dtls_debug("key_block (%d bytes):\n", dtls_kb_size(config, peer->role));
dtls_debug_dump(" client_MAC_secret",
dtls_kb_client_mac_secret(config, peer->role),
- dtls_kb_mac_secret_size(config, peer->role));
+ dtls_kb_mac_secret_size(config->cipher));
dtls_debug_dump(" server_MAC_secret",
dtls_kb_server_mac_secret(config, peer->role),
- dtls_kb_mac_secret_size(config, peer->role));
+ dtls_kb_mac_secret_size(config->cipher));
dtls_debug_dump(" client_write_key",
dtls_kb_client_write_key(config, peer->role),
dtls_debug_dump(" client_IV",
dtls_kb_client_iv(config, peer->role),
- dtls_kb_iv_size(config, peer->role));
+ dtls_kb_iv_size(config->cipher));
dtls_debug_dump(" server_IV",
dtls_kb_server_iv(config, peer->role),
- dtls_kb_iv_size(config, peer->role));
+ dtls_kb_iv_size(config->cipher));
}
/** returns the name of the goven handshake type number.
/* create key_block from master_secret
* key_block = PRF(master_secret,
"key expansion" + tmp.random.server + tmp.random.client) */
+ security->cipher = handshake->cipher;
+ security->compression = handshake->compression;
+ security->rseq = 0;
dtls_prf(master_secret,
DTLS_MASTER_SECRET_LENGTH,
memcpy(handshake->tmp.master_secret, master_secret, DTLS_MASTER_SECRET_LENGTH);
dtls_debug_keyblock(security);
- security->cipher = handshake->cipher;
- security->compression = handshake->compression;
- security->rseq = 0;
return 0;
}
start + DTLS_CBC_IV_LENGTH, nonce,
dtls_kb_local_write_key(security, peer->role),
dtls_kb_key_size(security, peer->role),
+ dtls_kb_local_mac_secret(security, peer->role),
+ dtls_kb_mac_secret_size(security->cipher),
NULL, 0,
security->cipher);
if (res < 0)
memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
memcpy(nonce, dtls_kb_local_iv(security, peer->role),
- dtls_kb_iv_size(security, peer->role));
- memcpy(nonce + dtls_kb_iv_size(security, peer->role), start, 8); /* epoch + seq_num */
+ dtls_kb_iv_size(security->cipher));
+ memcpy(nonce + dtls_kb_iv_size(security->cipher), start, 8); /* epoch + seq_num */
dtls_debug_dump("nonce:", nonce, DTLS_CCM_BLOCKSIZE);
dtls_debug_dump("key:", dtls_kb_local_write_key(security, peer->role),
res = dtls_encrypt(start + 8, res - 8, start + 8, nonce,
dtls_kb_local_write_key(security, peer->role),
dtls_kb_key_size(security, peer->role),
+ dtls_kb_local_mac_secret(security, peer->role),
+ dtls_kb_mac_secret_size(security->cipher),
A_DATA, A_DATA_LEN,
security->cipher);
uint8 cookie[], size_t cookie_length) {
uint8 buf[DTLS_CH_LENGTH_MAX];
uint8 *p = buf;
- uint8_t cipher_size;
- uint8_t extension_size;
+ uint8_t cipher_size = 0;
+ uint8_t extension_size = 0;
int psk = 0;
int ecdsa = 0;
int ecdh_anon = 0;
}
cipher_size = 2 + ((ecdsa || x509) ? 2 : 0) + (psk ? 2 : 0) + (ecdh_anon ? 2 : 0) + (ecdhe_psk ? 2 : 0);
- extension_size = (ecdsa || x509) ? (2 + 6 + 6 + 8 + 6) : 0;
+
+ /* Is extension needed? */
+ extension_size = (ecdsa || x509 || ecdhe_psk || ecdh_anon) ? 2 : 0;
+ /* Supported EC and Supported Point Formats */
+ extension_size += (ecdsa || x509 || ecdhe_psk | ecdh_anon) ? ( 8 + 6) : 0;
+ /* Supported Client and Server Cert Types */
+ extension_size += (ecdsa || x509) ? ( 6 + 6) : 0;
if (cipher_size == 0) {
dtls_crit("no cipher callbacks implemented\n");
p += sizeof(uint8);
- /* client certificate type extension */
+ /* server certificate type extension */
dtls_int_to_uint16(p, TLS_EXT_SERVER_CERTIFICATE_TYPE);
p += sizeof(uint16);
dtls_int_to_uint8(p, TLS_CERT_TYPE_RAW_PUBLIC_KEY);
p += sizeof(uint8);
+ }
+ if (ecdsa || x509 || ecdhe_psk || ecdh_anon ) {
/* elliptic_curves */
dtls_int_to_uint16(p, TLS_EXT_ELLIPTIC_CURVES);
p += sizeof(uint16);
clen = dtls_decrypt(*cleartext, clen, *cleartext, nonce,
dtls_kb_remote_write_key(security, peer->role),
dtls_kb_key_size(security, peer->role),
+ dtls_kb_remote_mac_secret(security, peer->role),
+ dtls_kb_mac_secret_size(security->cipher),
NULL, 0,
security->cipher);
memset(nonce, 0, DTLS_CCM_BLOCKSIZE);
memcpy(nonce, dtls_kb_remote_iv(security, peer->role),
- dtls_kb_iv_size(security, peer->role));
+ dtls_kb_iv_size(security->cipher));
/* read epoch and seq_num from message */
- memcpy(nonce + dtls_kb_iv_size(security, peer->role), *cleartext, 8);
+ memcpy(nonce + dtls_kb_iv_size(security->cipher), *cleartext, 8);
*cleartext += 8;
clen -= 8;
clen = dtls_decrypt(*cleartext, clen, *cleartext, nonce,
dtls_kb_remote_write_key(security, peer->role),
dtls_kb_key_size(security, peer->role),
+ dtls_kb_remote_mac_secret(security, peer->role),
+ dtls_kb_mac_secret_size(security->cipher),
A_DATA, A_DATA_LEN,
security->cipher);
}
return psk_client_id_length;
case DTLS_PSK_KEY:
if (id_len != psk_server_id_length || memcmp(psk_server_id, id, id_len) != 0) {
- dtls_warn("PSK for unknown id requested, exiting\n");
- return dtls_alert_fatal_create(DTLS_ALERT_ILLEGAL_PARAMETER);
- } else if (result_length < psk_key_length) {
+ dtls_debug("PSK for unknown id requested\n");
+ }
+ if (result_length < psk_key_length) {
dtls_warn("cannot set psk -- buffer too small\n");
return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
}
projects / platform / upstream / iotivity.git / commitdiff