fixup! Add support for integrity-only cipher suites for TLS v1.3

siemens · May 12, 2024 · a5241b0 · a5241b0
1 parent 5189582
commit a5241b0
Show file tree

Hide file tree

Showing 9 changed files with 41 additions and 20 deletions.
diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml
@@ -33,6 +33,7 @@ jobs:
           no-srp,
           no-srtp,
           no-ts,
+          no-integrity-only-ciphers,
           enable-weak-ssl-ciphers,
           enable-zlib,
         ]

diff --git a/CHANGES.md b/CHANGES.md
@@ -47,8 +47,8 @@ OpenSSL 3.4
 
    *Tim Perry*
 
- * Added to TLS v1.3 support for integrity-only cipher suites
-   TLS_SHA256_SHA256 and TLS_SHA384_SHA384, as defined in RFC 9150.
+ * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
+   TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150.
 
    This work was sponsored by Siemens AG.
 

diff --git a/Configure b/Configure
@@ -528,7 +528,7 @@ my @disablables = (
     "thread-pool",
     "threads",
     "tls",
-    "tls1_3-integrity-only_ciphers",
+    "integrity-only-ciphers",
     "trace",
     "ts",
     "ubsan",

diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
@@ -745,7 +745,7 @@ Note: the CBC modes mentioned in this RFC are not supported.
 
 Note: these ciphers are purely HMAC based and do not provide any confidentiality
 and thus are disabled by default.
-These ciphers are available at security level 0.
+These ciphers are only available at security level 0.
 
 =head2 Older names used by OpenSSL
 
@@ -811,7 +811,7 @@ The B<-convert> option was added in OpenSSL 1.1.1.
 Support for standard IANA names in cipher lists was added in
 OpenSSL 3.2.0.
 
-The support for TLS v1.3 integrity-only cipher suites was added in OpenSSL 3.3.
+The support for TLS v1.3 integrity-only cipher suites was added in OpenSSL 3.4.
 
 =head1 COPYRIGHT
 

diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod
@@ -50,9 +50,9 @@ ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are:
 
 =item TLS_AES_128_CCM_8_SHA256
 
-=item TLS_SHA384_SHA384 - integrity-only!
+=item TLS_SHA384_SHA384 - integrity-only
 
-=item TLS_SHA256_SHA256 - integrity-only!
+=item TLS_SHA256_SHA256 - integrity-only
 
 =back
 

diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c
@@ -31,16 +31,13 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
     int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0;
 
     rl->iv = OPENSSL_malloc(ivlen);
-    if (rl->iv == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+    if (rl->iv == NULL)
         return OSSL_RECORD_RETURN_FATAL;
-    }
 
     rl->nonce = OPENSSL_malloc(ivlen);
-    if (rl->nonce == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
+    if (rl->nonce == NULL)
         return OSSL_RECORD_RETURN_FATAL;
-    }
+
     memcpy(rl->iv, iv, ivlen);
 
     /* Integrity only */

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
@@ -113,7 +113,7 @@ static SSL_CIPHER tls13_ciphers[] = {
         64, /* CCM8 uses a short tag, so we have a low security strength */
         128,
     },
-#ifndef OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
         1,
         TLS1_3_RFC_SHA256_SHA256,
@@ -159,6 +159,7 @@ static SSL_CIPHER tls13_ciphers[] = {
  *      Weak ciphers
  */
 static SSL_CIPHER ssl3_ciphers[] = {
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      SSL3_TXT_RSA_NULL_MD5,
@@ -191,6 +192,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+#endif
 #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
@@ -385,6 +387,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      TLS1_TXT_RSA_WITH_NULL_SHA256,
@@ -401,6 +404,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+#endif
     {
      1,
      TLS1_TXT_RSA_WITH_AES_128_SHA256,
@@ -977,6 +981,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      64, /* CCM8 uses a short tag, so we have a low security strength */
      256,
      },
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
@@ -993,6 +998,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+#endif
 # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
@@ -1043,6 +1049,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
@@ -1059,6 +1066,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+#endif
 # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
@@ -1109,6 +1117,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
@@ -1125,6 +1134,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+#endif
 # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
@@ -1303,6 +1313,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      TLS1_TXT_PSK_WITH_NULL_SHA,
@@ -1351,6 +1362,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+#endif
 # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
@@ -1629,6 +1641,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      TLS1_TXT_PSK_WITH_NULL_SHA256,
@@ -1661,6 +1674,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+#endif
     {
      1,
      TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA256,
@@ -1693,6 +1707,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      TLS1_TXT_DHE_PSK_WITH_NULL_SHA256,
@@ -1725,6 +1740,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+#endif
     {
      1,
      TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA256,
@@ -1757,6 +1773,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      TLS1_TXT_RSA_PSK_WITH_NULL_SHA256,
@@ -1789,6 +1806,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+#endif
 #  ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
@@ -1871,6 +1889,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA,
@@ -1919,7 +1938,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
-
+#endif
 # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
      1,
@@ -2646,6 +2665,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+# ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      "GOST2001-NULL-GOST94",
@@ -2662,6 +2682,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+# endif
     {
      1,
      "IANA-GOST2012-GOST8912-GOST8912",
@@ -2694,6 +2715,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+# ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
     {
      1,
      "GOST2012-NULL-GOST12",
@@ -2710,6 +2732,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      0,
      0,
      },
+# endif
     {
      1,
      "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC",

diff --git a/test/quicapitest.c b/test/quicapitest.c
@@ -343,7 +343,7 @@ static int test_cipher_find(void)
         { TLS13_CHACHA20_POLY1305_SHA256_BYTES, 1 },
         { TLS13_AES_128_CCM_SHA256_BYTES, 0 },
         { TLS13_AES_128_CCM_8_SHA256_BYTES, 0 },
-#if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS)
+#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
         { TLS13_SHA256_SHA256_BYTES, 0 },
         { TLS13_SHA384_SHA384_BYTES, 0 }
 #endif

diff --git a/test/sslapitest.c b/test/sslapitest.c
@@ -3919,7 +3919,7 @@ static const char *ciphersuites[] = {
 #else
     NULL,
 #endif
-#if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS)
+#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
     "TLS_SHA256_SHA256",
     "TLS_SHA384_SHA384"
 #endif
@@ -4453,7 +4453,7 @@ static int test_early_data_psk_with_all_ciphers(int idx)
 # endif
         TLS1_3_RFC_AES_128_CCM_SHA256,
         TLS1_3_RFC_AES_128_CCM_8_SHA256,
-# if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS)
+# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
         TLS1_3_RFC_SHA256_SHA256,
         TLS1_3_RFC_SHA384_SHA384
 #else
@@ -4471,7 +4471,7 @@ static int test_early_data_psk_with_all_ciphers(int idx)
 # endif
         TLS13_AES_128_CCM_SHA256_BYTES,
         TLS13_AES_128_CCM_8_SHA256_BYTES,
-# if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS)
+# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
         TLS13_SHA256_SHA256_BYTES,
         TLS13_SHA384_SHA384_BYTES
 #else
@@ -5351,7 +5351,7 @@ static int test_tls13_ciphersuite(int idx)
         /* CCM8 ciphers are considered low security due to their short tag */
         { TLS1_3_RFC_AES_128_CCM_8_SHA256
           ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 },
-# if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS)
+# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS)
         /* Integrity-only cipher do not provide any confidentiality */
         { TLS1_3_RFC_SHA256_SHA256, 0, 1 },
         { TLS1_3_RFC_SHA384_SHA384, 0, 1 }