Add support for integrity-only cipher suites for TLS v1.3

CHANGES.md

@@ -96,6 +96,11 @@ OpenSSL 3.3
 
    *Richard Levitte*
 
+ * Added to TLS v1.3 support for integrity-only cipher suites
+   TLS_SHA256_SHA256 and TLS_SHA384_SHA384, as defined in RFC 9150.
+
+   *Rajeev Ranjan, Siemens AG*
+
  * The BLAKE2s hash algorithm matches BLAKE2b's support
    for configurable output length.
 

Configure

@@ -522,6 +522,7 @@ my @disablables = (
     "thread-pool",
     "threads",
     "tls",
+    "tls1_3-integrity-only_ciphers",
     "trace",
     "ts",
     "ubsan",

crypto/evp/evp_lib.c

@@ -330,6 +330,11 @@ int EVP_CIPHER_get_type(const EVP_CIPHER *cipher)
 
         return NID_des_cfb64;
 
+    case NID_null_hmac_sha256:
+        return NID_null_hmac_sha256;
+    case NID_null_hmac_sha384:
+        return NID_null_hmac_sha384;
+
     default:
 #ifdef FIPS_MODULE
         return NID_undef;

crypto/objects/obj_dat.h

@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/objects/obj_dat.pl
  *
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
@@ -1184,7 +1184,7 @@ static const unsigned char so[8476] = {
     0x55,0x1D,0x4B,                                /* [ 8472] OBJ_associated_information */
 };
 
-#define NUM_NID 1320
+#define NUM_NID 1322
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2506,9 +2506,11 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"altSignatureAlgorithm", "X509v3 Alternative Signature Algorithm", NID_alt_signature_algorithm, 3, &so[8466]},
     {"altSignatureValue", "X509v3 Alternative Signature Value", NID_alt_signature_value, 3, &so[8469]},
     {"associatedInformation", "X509v3 Associated Information", NID_associated_information, 3, &so[8472]},
+    {"NULL-HMAC-SHA256", "null-hmac-sha256", NID_null_hmac_sha256},
+    {"NULL-HMAC-SHA384", "null-hmac-sha384", NID_null_hmac_sha384},
 };
 
-#define NUM_SN 1311
+#define NUM_SN 1313
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -2703,6 +2705,8 @@ static const unsigned int sn_objs[NUM_SN] = {
      388,    /* "Mail" */
      393,    /* "NULL" */
      404,    /* "NULL" */
+    1320,    /* "NULL-HMAC-SHA256" */
+    1321,    /* "NULL-HMAC-SHA384" */
       57,    /* "Netscape" */
      366,    /* "Nonce" */
       17,    /* "O" */
@@ -3823,7 +3827,7 @@ static const unsigned int sn_objs[NUM_SN] = {
     1289,    /* "zstd" */
 };
 
-#define NUM_LN 1311
+#define NUM_LN 1313
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -4776,6 +4780,8 @@ static const unsigned int ln_objs[NUM_LN] = {
     1217,    /* "modp_8192" */
      481,    /* "nSRecord" */
      173,    /* "name" */
+    1320,    /* "null-hmac-sha256" */
+    1321,    /* "null-hmac-sha384" */
      681,    /* "onBasis" */
      379,    /* "org" */
     1089,    /* "organizationIdentifier" */

crypto/objects/obj_mac.num

@@ -1317,3 +1317,5 @@ subject_alt_public_key_info		1316
 alt_signature_algorithm		1317
 alt_signature_value		1318
 associated_information		1319
+null_hmac_sha256		1320
+null_hmac_sha384		1321

crypto/objects/obj_xref.h

@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by objxref.pl
  *
- * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

crypto/objects/objects.txt

@@ -1685,6 +1685,8 @@ sm-scheme 104 10        : SM4-XTS             : sm4-xts
 			: AES-256-CBC-HMAC-SHA256	: aes-256-cbc-hmac-sha256
 			: ChaCha20-Poly1305		: chacha20-poly1305
 			: ChaCha20			: chacha20
+			: NULL-HMAC-SHA256		: null-hmac-sha256
+			: NULL-HMAC-SHA384		: null-hmac-sha384
 
 ISO-US 10046 2 1	: dhpublicnumber		: X9.42 DH
 

doc/man1/openssl-ciphers.pod.in

@@ -738,6 +738,11 @@ Note: the CBC modes mentioned in this RFC are not supported.
  TLS_AES_128_CCM_SHA256                     TLS_AES_128_CCM_SHA256
  TLS_AES_128_CCM_8_SHA256                   TLS_AES_128_CCM_8_SHA256
 
+=head2 TLS v1.3 integrity-only cipher suites according to RFC 9150
+
+ TLS_SHA256_SHA256          TLS_SHA256_SHA256
+ TLS_SHA384_SHA384          TLS_SHA384_SHA384
+
 =head2 Older names used by OpenSSL
 
 The following names are accepted by older releases:

fuzz/oids.txt

@@ -1,7 +1,7 @@
 # WARNING: do not edit!
 # Generated by fuzz/mkfuzzoids.pl
 #
-# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy

include/openssl/evp.h

@@ -33,9 +33,9 @@
 
 # define EVP_MAX_MD_SIZE                 64/* longest known is SHA512 */
 # define EVP_MAX_KEY_LENGTH              64
-# define EVP_MAX_IV_LENGTH               16
+# define EVP_MAX_IV_LENGTH               48 /* longest known for TLS_SHA384_SHA384 */
 # define EVP_MAX_BLOCK_LENGTH            32
-# define EVP_MAX_AEAD_TAG_LENGTH         16
+# define EVP_MAX_AEAD_TAG_LENGTH         48 /* longest known for TLS_SHA384_SHA384 */
 
 # define PKCS5_SALT_LEN                  8
 /* Default PKCS#5 iteration count */
@@ -479,6 +479,11 @@ typedef struct {
 
 /* Length of tag for TLS */
 # define EVP_CHACHAPOLY_TLS_TAG_LEN                      16
+/* Length of HMAC_SHA256 for TLS v1.3 integrity-only */
+# define EVP_HMACSHA256_TLS_TAG_LEN                      32
+/* Length of HMAC_SHA384 for TLS v1.3 integrity-only */
+# define EVP_HMACSHA384_TLS_TAG_LEN                      48
+
 
 typedef struct evp_cipher_info_st {
     const EVP_CIPHER *cipher;

include/openssl/obj_mac.h

@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/objects/objects.pl
  *
- * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at
@@ -5290,6 +5290,14 @@
 #define LN_chacha20             "chacha20"
 #define NID_chacha20            1019
 
+#define SN_null_hmac_sha256             "NULL-HMAC-SHA256"
+#define LN_null_hmac_sha256             "null-hmac-sha256"
+#define NID_null_hmac_sha256            1320
+
+#define SN_null_hmac_sha384             "NULL-HMAC-SHA384"
+#define LN_null_hmac_sha384             "null-hmac-sha384"
+#define NID_null_hmac_sha384            1321
+
 #define SN_dhpublicnumber               "dhpublicnumber"
 #define LN_dhpublicnumber               "X9.42 DH"
 #define NID_dhpublicnumber              920

include/openssl/tls1.h

@@ -622,6 +622,10 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb
 # define TLS1_3_CK_AES_128_CCM_SHA256                     0x03001304
 # define TLS1_3_CK_AES_128_CCM_8_SHA256                   0x03001305
 
+/* Integrity-only ciphersuites from RFC 9150 */
+# define TLS1_3_CK_SHA256_SHA256                          0x0300C0B4
+# define TLS1_3_CK_SHA384_SHA384                          0x0300C0B5
+
 /* Aria ciphersuites from RFC6209 */
 # define TLS1_CK_RSA_WITH_ARIA_128_GCM_SHA256             0x0300C050
 # define TLS1_CK_RSA_WITH_ARIA_256_GCM_SHA384             0x0300C051
@@ -699,6 +703,8 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb
 # define TLS1_3_RFC_AES_128_GCM_SHA256                   "TLS_AES_128_GCM_SHA256"
 # define TLS1_3_RFC_AES_256_GCM_SHA384                   "TLS_AES_256_GCM_SHA384"
 # define TLS1_3_RFC_CHACHA20_POLY1305_SHA256             "TLS_CHACHA20_POLY1305_SHA256"
+# define TLS1_3_RFC_SHA256_SHA256                        "TLS_SHA256_SHA256"
+# define TLS1_3_RFC_SHA384_SHA384                        "TLS_SHA384_SHA384"
 # define TLS1_3_RFC_AES_128_CCM_SHA256                   "TLS_AES_128_CCM_SHA256"
 # define TLS1_3_RFC_AES_128_CCM_8_SHA256                 "TLS_AES_128_CCM_8_SHA256"
 # define TLS1_RFC_ECDHE_ECDSA_WITH_NULL_SHA              "TLS_ECDHE_ECDSA_WITH_NULL_SHA"

providers/defltprov.c

@@ -313,6 +313,10 @@ static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = {
     ALG(PROV_NAMES_ChaCha20_Poly1305, ossl_chacha20_ossl_poly1305_functions),
 # endif /* OPENSSL_NO_POLY1305 */
 #endif /* OPENSSL_NO_CHACHA */
+#ifndef OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS
+    ALG(PROV_NAMES_NULL_HMAC_SHA256, ossl_null_hmac_sha256_functions),
+    ALG(PROV_NAMES_NULL_HMAC_SHA384, ossl_null_hmac_sha384_functions),
+#endif
     { { NULL, NULL, NULL }, NULL }
 };
 static OSSL_ALGORITHM exported_ciphers[OSSL_NELEM(deflt_ciphers)];

providers/implementations/ciphers/build.info

@@ -26,6 +26,7 @@ $CHACHA_GOAL=../../libdefault.a
 $CHACHAPOLY_GOAL=../../libdefault.a
 $SIV_GOAL=../../libdefault.a
 $SIV_GCM_GOAL=../../libdefault.a
+$NULL_HMAC_GOAL=../../libdefault.a
 
 IF[{- !$disabled{asm} -}]
   $GHASHDEF_x86=GHASH_ASM
@@ -192,3 +193,8 @@ IF[{- !$disabled{chacha} -}]
       cipher_chacha20_poly1305.c cipher_chacha20_poly1305_hw.c
  ENDIF
 ENDIF
+
+IF[{- !$disabled{tls1_3-integrity-only_ciphers} -}]
+  SOURCE[$NULL_HMAC_GOAL]=\
+      cipher_null_hmac.c cipher_null_hmac_hw.c
+ENDIF