diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
index cc5428cd919cf..f4d9e6b895b11 100644
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -743,7 +743,7 @@ Note: the CBC modes mentioned in this RFC are not supported.
 TLS_SHA256_SHA256 TLS_SHA256_SHA256
 TLS_SHA384_SHA384 TLS_SHA384_SHA384
-Note: these ciphers are HMAC based and do not provide any confidentiality
+Note: these ciphers are purely HMAC based and do not provide any confidentiality
 and thus are disabled by default. These ciphers are available at security level 0.
diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod
index de0d639b67b48..98f5362044148 100644
--- a/doc/man3/SSL_CTX_set_cipher_list.pod
+++ b/doc/man3/SSL_CTX_set_cipher_list.pod
@@ -50,9 +50,9 @@ ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are:
 =item TLS_AES_128_CCM_8_SHA256
-=item TLS_SHA384_SHA384
+=item TLS_SHA384_SHA384 - integrity-only!
-=item TLS_SHA256_SHA256
+=item TLS_SHA256_SHA256 - integrity-only!
 =back
diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h
index 727b567f359ba..5a3d010503a86 100644
--- a/ssl/record/methods/recmethod_local.h
+++ b/ssl/record/methods/recmethod_local.h
@@ -295,7 +295,7 @@ struct ossl_record_layer_st
 /* cryptographic state */
 EVP_CIPHER_CTX *enc_ctx;
- /* TLSv1.3 MAC ctx, only used with Integrity-Only cipher*/
+ /* TLSv1.3 MAC ctx, only used with integrity-only cipher */
 EVP_MAC_CTX *mac_ctx;
 /* Explicit IV length */
@@ -336,9 +336,8 @@ struct ossl_record_layer_st
 int tlstree;
 /* TLSv1.3 fields */
- /* static IV */
- unsigned char *iv;
- unsigned char *nonce;
+ unsigned char *iv; /* static IV */
+ unsigned char *nonce; /* part of static IV followed by sequence number */
 int allow_plain_alerts;
 /* TLS "any" fields */
diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c
index 97c7e74bbc190..0485552ec5d79 100644
--- a/ssl/record/methods/tls13_meth.c
+++ b/ssl/record/methods/tls13_meth.c
@@ -36,7 +36,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
 return OSSL_RECORD_RETURN_FATAL;
 }
- rl->nonce = OPENSSL_zalloc(ivlen);
+ rl->nonce = OPENSSL_malloc(ivlen);
 if (rl->nonce == NULL) {
 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
 return OSSL_RECORD_RETURN_FATAL;
@@ -89,10 +89,10 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
 size_t n_recs, int sending, SSL_MAC_BUF *mac, size_t macsize)
 {
- EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER_CTX *enc_ctx;
 unsigned char recheader[SSL3_RT_HEADER_LENGTH];
 unsigned char tag[EVP_MAX_MD_SIZE];
- size_t ivlen, offset, loop, hdrlen, taglen;
+ size_t nonce_len, offset, loop, hdrlen, taglen;
 unsigned char *staticiv;
 unsigned char *nonce;
 unsigned char *seq = rl->sequence;
@@ -109,11 +109,11 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
 return 0;
 }
- ctx = rl->enc_ctx;
+ enc_ctx = rl->enc_ctx; /* enc_ctx is ignored when rl->mac_ctx != NULL */
 staticiv = rl->iv;
 nonce = rl->nonce;
- if (ctx == NULL && rl->mac_ctx == NULL) {
+ if (enc_ctx == NULL && rl->mac_ctx == NULL) {
 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 return 0;
 }
@@ -130,11 +130,11 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
 return 1;
 }
- /* For Integrity Only, ivlen is same as MAC size */
+ /* For integrity-only ciphers, nonce_len is same as MAC size */
 if (rl->mac_ctx != NULL)
- ivlen = EVP_MAC_CTX_get_mac_size(rl->mac_ctx);
+ nonce_len = EVP_MAC_CTX_get_mac_size(rl->mac_ctx);
 else
- ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
+ nonce_len = EVP_CIPHER_CTX_get_iv_length(enc_ctx);
 if (!sending) {
 /*
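Review bot: The `rl->nonce` buffer is now uninitialized until tls13_cipher() fills it, so the OPENSSL_zalloc → OPENSSL_malloc change is only safe if every one of the `ivlen` bytes allocated here is written before the nonce reaches EVP_MAC_update() or EVP_CipherInit_ex(). The later hunks write `offset + SEQ_NUM_SIZE == nonce_len` bytes, where nonce_len is recomputed from the MAC size or the cipher's IV length rather than taken from the `ivlen` used at this allocation; if the two ever disagree, the old zero-fill produced deterministic bytes while the new code feeds uninitialized memory into the record MAC or AEAD nonce. I would record that invariant at the allocation, e.g. `/* Not zeroed: tls13_cipher() overwrites all ivlen bytes before use; nonce_len there must equal ivlen */`, so a later change to either side is checked against it. tls13_set_crypto_state continues outside the hunk.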
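Review bot: The renamed assignment `nonce_len = EVP_CIPHER_CTX_get_iv_length(enc_ctx);` still stores an `int` return into a `size_t` without a sign check; as far as I know EVP_CIPHER_CTX_get_iv_length() can return a negative value on error, which would become a very large nonce_len that passes the `nonce_len < SEQ_NUM_SIZE` guard in the next hunk and then sizes `memcpy(nonce, staticiv, offset)` well beyond the allocated nonce. The `EVP_MAC_CTX_get_mac_size()` branch has the same shape but its error return is 0, which that guard does catch. I would read into a local `int` first and treat anything below SEQ_NUM_SIZE as the internal error: `int ivl = EVP_CIPHER_CTX_get_iv_length(enc_ctx);` / `if (ivl < (int)SEQ_NUM_SIZE) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; }` / `nonce_len = (size_t)ivl;`. tls13_cipher's body continues outside the hunk.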
@@ -146,13 +146,13 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
 rec->length -= rl->taglen;
 }
- /* Set up IV */
- if (ivlen < SEQ_NUM_SIZE) {
+ /* Set up nonce: part of static IV followed by sequence number */
+ if (nonce_len < SEQ_NUM_SIZE) {
 /* Should not happen */
 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 return 0;
 }
- offset = ivlen - SEQ_NUM_SIZE;
+ offset = nonce_len - SEQ_NUM_SIZE;
 memcpy(nonce, staticiv, offset);
 for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
 nonce[offset + loop] = staticiv[offset + loop] ^ seq[loop];
@@ -179,7 +179,7 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
 int ret = 0;
 if ((mac_ctx = EVP_MAC_CTX_dup(rl->mac_ctx)) == NULL
- || !EVP_MAC_update(mac_ctx, nonce, ivlen)
+ || !EVP_MAC_update(mac_ctx, nonce, nonce_len)
 || !EVP_MAC_update(mac_ctx, recheader, sizeof(recheader))
 || !EVP_MAC_update(mac_ctx, rec->input, rec->length)
 || !EVP_MAC_final(mac_ctx, tag, &taglen, rl->taglen)) {
@@ -200,15 +200,15 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
 return ret;
 }
- cipher = EVP_CIPHER_CTX_get0_cipher(ctx);
+ cipher = EVP_CIPHER_CTX_get0_cipher(enc_ctx);
 if (cipher == NULL) {
 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 return 0;
 }
 mode = EVP_CIPHER_get_mode(cipher);
- if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, nonce, sending) <= 0
- || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+ if (EVP_CipherInit_ex(enc_ctx, NULL, NULL, NULL, nonce, sending) <= 0
+ || (!sending && EVP_CIPHER_CTX_ctrl(enc_ctx, EVP_CTRL_AEAD_SET_TAG,
 rl->taglen, rec->data + rec->length) <= 0)) {
 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@@ -220,19 +220,19 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
 * any AAD.
 */
 if ((mode == EVP_CIPH_CCM_MODE
- && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
+ && EVP_CipherUpdate(enc_ctx, NULL, &lenu, NULL,
 (unsigned int)rec->length) <= 0)
- || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
+ || EVP_CipherUpdate(enc_ctx, NULL, &lenu, recheader,
 sizeof(recheader)) <= 0
- || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
+ || EVP_CipherUpdate(enc_ctx, rec->data, &lenu, rec->input,
 (unsigned int)rec->length) <= 0
- || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
+ || EVP_CipherFinal_ex(enc_ctx, rec->data + lenu, &lenf) <= 0
 || (size_t)(lenu + lenf) != rec->length) {
 return 0;
 }
 if (sending) {
 /* Add the tag */
- if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
+ if (EVP_CIPHER_CTX_ctrl(enc_ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
 rec->data + rec->length) <= 0) {
 RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 return 0;
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index f97b6578b2498..f6b4b9f4c21af 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -487,7 +487,7 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
 if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE))
 || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {
- if (which & SSL3_CC_EARLY) {
+ if ((which & SSL3_CC_EARLY) != 0) {
 EVP_MD_CTX *mdctx = NULL;
 long handlen;
 void *hdata;
@@ -635,7 +635,7 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
 }
 }
- if (!(which & SSL3_CC_EARLY)) {
+ if ((which & SSL3_CC_EARLY) == 0) {
 md = ssl_handshake_md(s);
 cipher = s->s3.tmp.new_sym_enc;
 mac_md = s->s3.tmp.new_hash;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 3b7db33c5486c..9ed799cf6b46b 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -3942,7 +3942,7 @@ static int early_data_skip_helper(int testtype, int cipher, int idx)
 unsigned char buf[20];
 size_t readbytes, written;
- if (is_fips && cipher >= 4 )
+ if (is_fips && cipher >= 4)
 return 1;
 if (ciphersuites[cipher] == NULL)
@@ -4483,8 +4483,8 @@ static int test_early_data_psk_with_all_ciphers(int idx)
 if (cipher_str[idx] == NULL)
 return 1;
 /*
- * Skip ChaCha20Poly1305 & TLS_SHA{256,384}_SHA{256,384} cipher as
- * currently FIPS module does not support it.
+ * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
+ * as currently FIPS module does not support them.
 */
 if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
 return 1;