From a5241b020780350654188b55841699110dcd4159 Mon Sep 17 00:00:00 2001 From: Rajeev Ranjan Date: Mon, 13 May 2024 01:01:34 +0200 Subject: [PATCH] fixup! Add support for integrity-only cipher suites for TLS v1.3 --- .github/workflows/run-checker-merge.yml | 1 + CHANGES.md | 4 ++-- Configure | 2 +- doc/man1/openssl-ciphers.pod.in | 4 ++-- doc/man3/SSL_CTX_set_cipher_list.pod | 4 ++-- ssl/record/methods/tls13_meth.c | 9 +++------ ssl/s3_lib.c | 27 +++++++++++++++++++++++-- test/quicapitest.c | 2 +- test/sslapitest.c | 8 ++++---- 9 files changed, 41 insertions(+), 20 deletions(-) diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index e5746d75bdf8c..c278617a66ce8 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -33,6 +33,7 @@ jobs: no-srp, no-srtp, no-ts, + no-integrity-only-ciphers, enable-weak-ssl-ciphers, enable-zlib, ] diff --git a/CHANGES.md b/CHANGES.md index 3b2481f160a43..1733dd220b53b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -47,8 +47,8 @@ OpenSSL 3.4 *Tim Perry* - * Added to TLS v1.3 support for integrity-only cipher suites - TLS_SHA256_SHA256 and TLS_SHA384_SHA384, as defined in RFC 9150. + * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and + TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150. This work was sponsored by Siemens AG. diff --git a/Configure b/Configure index 571482cd88a29..7d45e92e4022f 100755 --- a/Configure +++ b/Configure @@ -528,7 +528,7 @@ my @disablables = ( "thread-pool", "threads", "tls", - "tls1_3-integrity-only_ciphers", + "integrity-only-ciphers", "trace", "ts", "ubsan", diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in index f4d9e6b895b11..5239beca1d692 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in @@ -745,7 +745,7 @@ Note: the CBC modes mentioned in this RFC are not supported. Note: these ciphers are purely HMAC based and do not provide any confidentiality and thus are disabled by default. -These ciphers are available at security level 0. +These ciphers are only available at security level 0. =head2 Older names used by OpenSSL @@ -811,7 +811,7 @@ The B<-convert> option was added in OpenSSL 1.1.1. Support for standard IANA names in cipher lists was added in OpenSSL 3.2.0. -The support for TLS v1.3 integrity-only cipher suites was added in OpenSSL 3.3. +The support for TLS v1.3 integrity-only cipher suites was added in OpenSSL 3.4. =head1 COPYRIGHT diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod index 98f5362044148..0fe8be8094c8f 100644 --- a/doc/man3/SSL_CTX_set_cipher_list.pod +++ b/doc/man3/SSL_CTX_set_cipher_list.pod @@ -50,9 +50,9 @@ ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are: =item TLS_AES_128_CCM_8_SHA256 -=item TLS_SHA384_SHA384 - integrity-only! +=item TLS_SHA384_SHA384 - integrity-only -=item TLS_SHA256_SHA256 - integrity-only! +=item TLS_SHA256_SHA256 - integrity-only =back diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c index 0485552ec5d79..afae14ad22b20 100644 --- a/ssl/record/methods/tls13_meth.c +++ b/ssl/record/methods/tls13_meth.c @@ -31,16 +31,13 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, int enc = (rl->direction == OSSL_RECORD_DIRECTION_WRITE) ? 1 : 0; rl->iv = OPENSSL_malloc(ivlen); - if (rl->iv == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + if (rl->iv == NULL) return OSSL_RECORD_RETURN_FATAL; - } rl->nonce = OPENSSL_malloc(ivlen); - if (rl->nonce == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + if (rl->nonce == NULL) return OSSL_RECORD_RETURN_FATAL; - } + memcpy(rl->iv, iv, ivlen); /* Integrity only */ diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 4b3640b9259bc..5c7f338c65283 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -113,7 +113,7 @@ static SSL_CIPHER tls13_ciphers[] = { 64, /* CCM8 uses a short tag, so we have a low security strength */ 128, }, -#ifndef OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_3_RFC_SHA256_SHA256, @@ -159,6 +159,7 @@ static SSL_CIPHER tls13_ciphers[] = { * Weak ciphers */ static SSL_CIPHER ssl3_ciphers[] = { +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, SSL3_TXT_RSA_NULL_MD5, @@ -191,6 +192,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +#endif #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -385,6 +387,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_TXT_RSA_WITH_NULL_SHA256, @@ -401,6 +404,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +#endif { 1, TLS1_TXT_RSA_WITH_AES_128_SHA256, @@ -977,6 +981,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 64, /* CCM8 uses a short tag, so we have a low security strength */ 256, }, +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, @@ -993,6 +998,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +#endif # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -1043,6 +1049,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, @@ -1059,6 +1066,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +#endif # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -1109,6 +1117,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_TXT_ECDH_anon_WITH_NULL_SHA, @@ -1125,6 +1134,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +#endif # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -1303,6 +1313,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_TXT_PSK_WITH_NULL_SHA, @@ -1351,6 +1362,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +#endif # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -1629,6 +1641,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_TXT_PSK_WITH_NULL_SHA256, @@ -1661,6 +1674,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +#endif { 1, TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA256, @@ -1693,6 +1707,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_TXT_DHE_PSK_WITH_NULL_SHA256, @@ -1725,6 +1740,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +#endif { 1, TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA256, @@ -1757,6 +1773,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_TXT_RSA_PSK_WITH_NULL_SHA256, @@ -1789,6 +1806,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +#endif # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -1871,6 +1889,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +#ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA, @@ -1919,7 +1938,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, - +#endif # ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { 1, @@ -2646,6 +2665,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +# ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, "GOST2001-NULL-GOST94", @@ -2662,6 +2682,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +# endif { 1, "IANA-GOST2012-GOST8912-GOST8912", @@ -2694,6 +2715,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, +# ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS { 1, "GOST2012-NULL-GOST12", @@ -2710,6 +2732,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, }, +# endif { 1, "GOST2012-KUZNYECHIK-KUZNYECHIKOMAC", diff --git a/test/quicapitest.c b/test/quicapitest.c index 8d8ad87686c48..d8e65dc4e5b0c 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -343,7 +343,7 @@ static int test_cipher_find(void) { TLS13_CHACHA20_POLY1305_SHA256_BYTES, 1 }, { TLS13_AES_128_CCM_SHA256_BYTES, 0 }, { TLS13_AES_128_CCM_8_SHA256_BYTES, 0 }, -#if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS) +#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) { TLS13_SHA256_SHA256_BYTES, 0 }, { TLS13_SHA384_SHA384_BYTES, 0 } #endif diff --git a/test/sslapitest.c b/test/sslapitest.c index 9ed799cf6b46b..8601b79299f5e 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -3919,7 +3919,7 @@ static const char *ciphersuites[] = { #else NULL, #endif -#if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS) +#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) "TLS_SHA256_SHA256", "TLS_SHA384_SHA384" #endif @@ -4453,7 +4453,7 @@ static int test_early_data_psk_with_all_ciphers(int idx) # endif TLS1_3_RFC_AES_128_CCM_SHA256, TLS1_3_RFC_AES_128_CCM_8_SHA256, -# if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS) +# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) TLS1_3_RFC_SHA256_SHA256, TLS1_3_RFC_SHA384_SHA384 #else @@ -4471,7 +4471,7 @@ static int test_early_data_psk_with_all_ciphers(int idx) # endif TLS13_AES_128_CCM_SHA256_BYTES, TLS13_AES_128_CCM_8_SHA256_BYTES, -# if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS) +# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) TLS13_SHA256_SHA256_BYTES, TLS13_SHA384_SHA384_BYTES #else @@ -5351,7 +5351,7 @@ static int test_tls13_ciphersuite(int idx) /* CCM8 ciphers are considered low security due to their short tag */ { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }, -# if !defined(OPENSSL_NO_TLS1_3_INTEGRITY_ONLY_CIPHERS) +# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) /* Integrity-only cipher do not provide any confidentiality */ { TLS1_3_RFC_SHA256_SHA256, 0, 1 }, { TLS1_3_RFC_SHA384_SHA384, 0, 1 }