diff options
author | Rajeev Ranjan <ranjan.rajeev@siemens.com> | 2023-12-01 12:47:07 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-05-14 15:39:15 +0200 |
commit | b6a5e801679663c13875cf6e18f475f8700d72a9 (patch) | |
tree | 437ddfdbc1fbcf49974cc2daa89bfeadd68876ae /test | |
parent | 61f32392dd67d47018ce46f427339e7191426e45 (diff) |
Add support for integrity-only cipher suites for TLS v1.3
- add test vectors for tls1_3 integrity-only ciphers
- recmethod_local.h: add new member for MAC
- tls13_meth.c: add MAC only to tls 1.3
- tls13_enc.c: extend function to add MAC only
- ssl_local.h: add ssl_cipher_get_evp_md_mac()
- s3_lib.c: add the new ciphers and add #ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS
- ssl_ciph.c : add ssl_cipher_get_evp_md_mac() and use it
- tls13secretstest.c: add dummy test function
- Configure: add integrity-only-ciphers option
- document the new ciphers
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22903)
Diffstat (limited to 'test')
-rw-r--r-- | test/ciphername_test.c | 2 | ||||
-rw-r--r-- | test/evp_libctx_test.c | 12 | ||||
-rw-r--r-- | test/evp_test.c | 2 | ||||
-rw-r--r-- | test/helpers/ssltestlib.h | 2 | ||||
-rw-r--r-- | test/quicapitest.c | 10 | ||||
-rw-r--r-- | test/sslapitest.c | 65 | ||||
-rw-r--r-- | test/tls13secretstest.c | 7 |
7 files changed, 81 insertions, 19 deletions
diff --git a/test/ciphername_test.c b/test/ciphername_test.c index c4ec6cadd7..8f10f26ba1 100644 --- a/test/ciphername_test.c +++ b/test/ciphername_test.c @@ -361,6 +361,8 @@ static CIPHER_ID_NAME cipher_names[] = { {0x1303, "TLS_CHACHA20_POLY1305_SHA256"}, {0x1304, "TLS_AES_128_CCM_SHA256"}, {0x1305, "TLS_AES_128_CCM_8_SHA256"}, + {0xC0B4, "TLS_SHA256_SHA256"}, + {0xC0B5, "TLS_SHA384_SHA384"}, {0xFEFE, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"}, }; diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c index 30fc85e8d3..3ca25d12f7 100644 --- a/test/evp_libctx_test.c +++ b/test/evp_libctx_test.c @@ -365,7 +365,11 @@ static int test_cipher_reinit(int test_id) 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, }; - unsigned char iv[16] = { + unsigned char iv[48] = { + 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, + 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00, + 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, + 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00, 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00 }; @@ -456,7 +460,11 @@ static int test_cipher_reinit_partialupdate(int test_id) 0x03, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, }; - static const unsigned char iv[16] = { + static const unsigned char iv[48] = { + 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, + 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00, + 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, + 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00, 0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00 }; diff --git a/test/evp_test.c b/test/evp_test.c index 21106dd633..71fea6f47f 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1195,7 +1195,7 @@ static int cipher_test_enc(EVP_TEST *t, int enc, size_t out_misalign, tmp + out_misalign, tmplen + tmpflen)) goto err; if (enc && expected->aead && !expected->tls_aad) { - unsigned char rtag[16]; + unsigned char rtag[48]; /* longest known for TLS_SHA384_SHA384 */ if (!TEST_size_t_le(expected->tag_len, sizeof(rtag))) { t->err = "TAG_LENGTH_INTERNAL_ERROR"; diff --git a/test/helpers/ssltestlib.h b/test/helpers/ssltestlib.h index 871f9bd52e..468662ed0b 100644 --- a/test/helpers/ssltestlib.h +++ b/test/helpers/ssltestlib.h @@ -17,6 +17,8 @@ #define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03") #define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04") #define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05") +#define TLS13_SHA256_SHA256_BYTES ((const unsigned char *)"\xC0\xB4") +#define TLS13_SHA384_SHA384_BYTES ((const unsigned char *)"\xC0\xB5") int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm, const SSL_METHOD *cm, int min_proto_version, diff --git a/test/quicapitest.c b/test/quicapitest.c index 227f6de8c8..d8e65dc4e5 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c @@ -342,7 +342,11 @@ static int test_cipher_find(void) { TLS13_AES_256_GCM_SHA384_BYTES, 1 }, { TLS13_CHACHA20_POLY1305_SHA256_BYTES, 1 }, { TLS13_AES_128_CCM_SHA256_BYTES, 0 }, - { TLS13_AES_128_CCM_8_SHA256_BYTES, 0 } + { TLS13_AES_128_CCM_8_SHA256_BYTES, 0 }, +#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) + { TLS13_SHA256_SHA256_BYTES, 0 }, + { TLS13_SHA384_SHA384_BYTES, 0 } +#endif }; size_t i; int testresult = 0; @@ -588,7 +592,9 @@ static int test_quic_forbidden_apis_ctx(void) #define NON_QUIC_CIPHERSUITES \ "TLS_AES_128_CCM_SHA256:" \ "TLS_AES_256_CCM_SHA384:" \ - "TLS_AES_128_CCM_8_SHA256" + "TLS_AES_128_CCM_8_SHA256:" \ + "TLS_SHA256_SHA256:" \ + "TLS_SHA384_SHA384" /* Set TLSv1.3 ciphersuite list for the SSL_CTX. */ if (!TEST_true(SSL_CTX_set_ciphersuites(ctx, diff --git a/test/sslapitest.c b/test/sslapitest.c index e948ae01a2..21027a9db4 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -3915,7 +3915,13 @@ static const char *ciphersuites[] = { "TLS_AES_256_GCM_SHA384", "TLS_AES_128_CCM_SHA256", #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) - "TLS_CHACHA20_POLY1305_SHA256" + "TLS_CHACHA20_POLY1305_SHA256", +#else + NULL, +#endif +#if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) + "TLS_SHA256_SHA256", + "TLS_SHA384_SHA384" #endif }; @@ -3936,16 +3942,19 @@ static int early_data_skip_helper(int testtype, int cipher, int idx) unsigned char buf[20]; size_t readbytes, written; - if (is_fips && cipher == 4) + if (is_fips && cipher >= 4) return 1; + if (ciphersuites[cipher] == NULL) + return TEST_skip("Cipher not supported"); + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; - if (cipher == 0) { + if (cipher == 0 || cipher == 5 || cipher == 6) { SSL_CTX_set_security_level(sctx, 0); SSL_CTX_set_security_level(cctx, 0); } @@ -3956,8 +3965,9 @@ static int early_data_skip_helper(int testtype, int cipher, int idx) if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess, idx, - cipher == 2 ? SHA384_DIGEST_LENGTH - : SHA256_DIGEST_LENGTH))) + (cipher == 2 || cipher == 6) + ? SHA384_DIGEST_LENGTH + : SHA256_DIGEST_LENGTH))) goto end; if (testtype == 1 || testtype == 2) { @@ -4414,12 +4424,14 @@ static int test_early_data_psk(int idx) } /* - * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites + * Test TLSv1.3 PSK can be used to send early_data with all 7 ciphersuites * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256 * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384 * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256, * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256 * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256 + * idx == 5: Test with TLS1_3_RFC_SHA256_SHA256 + * idx == 6: Test with TLS1_3_RFC_SHA384_SHA384 */ static int test_early_data_psk_with_all_ciphers(int idx) { @@ -4440,7 +4452,14 @@ static int test_early_data_psk_with_all_ciphers(int idx) NULL, # endif TLS1_3_RFC_AES_128_CCM_SHA256, - TLS1_3_RFC_AES_128_CCM_8_SHA256 + TLS1_3_RFC_AES_128_CCM_8_SHA256, +# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) + TLS1_3_RFC_SHA256_SHA256, + TLS1_3_RFC_SHA384_SHA384 +#else + NULL, + NULL +#endif }; const unsigned char *cipher_bytes[] = { TLS13_AES_128_GCM_SHA256_BYTES, @@ -4451,13 +4470,23 @@ static int test_early_data_psk_with_all_ciphers(int idx) NULL, # endif TLS13_AES_128_CCM_SHA256_BYTES, - TLS13_AES_128_CCM_8_SHA256_BYTES + TLS13_AES_128_CCM_8_SHA256_BYTES, +# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) + TLS13_SHA256_SHA256_BYTES, + TLS13_SHA384_SHA384_BYTES +#else + NULL, + NULL +#endif }; if (cipher_str[idx] == NULL) return 1; - /* Skip ChaCha20Poly1305 as currently FIPS module does not support it */ - if (idx == 2 && is_fips == 1) + /* + * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers + * as currently FIPS module does not support them. + */ + if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1) return 1; /* We always set this up with a final parameter of "2" for PSK */ @@ -4466,8 +4495,11 @@ static int test_early_data_psk_with_all_ciphers(int idx) SHA384_DIGEST_LENGTH))) goto end; - if (idx == 4) { - /* CCM8 ciphers are considered low security due to their short tag */ + if (idx == 4 || idx == 5 || idx == 6) { + /* + * CCM8 ciphers are considered low security due to their short tag. + * Integrity-only cipher do not provide any confidentiality. + */ SSL_set_security_level(clientssl, 0); SSL_set_security_level(serverssl, 0); } @@ -5318,7 +5350,12 @@ static int test_tls13_ciphersuite(int idx) # endif /* CCM8 ciphers are considered low security due to their short tag */ { TLS1_3_RFC_AES_128_CCM_8_SHA256 - ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 } + ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 }, +# if !defined(OPENSSL_NO_INTEGRITY_ONLY_CIPHERS) + /* Integrity-only cipher do not provide any confidentiality */ + { TLS1_3_RFC_SHA256_SHA256, 0, 1 }, + { TLS1_3_RFC_SHA384_SHA384, 0, 1 } +# endif }; const char *t13_cipher = NULL; const char *t12_cipher = NULL; @@ -12152,7 +12189,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_early_data_skip_abort, OSSL_NELEM(ciphersuites) * 3); ADD_ALL_TESTS(test_early_data_not_sent, 3); ADD_ALL_TESTS(test_early_data_psk, 8); - ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5); + ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 7); ADD_ALL_TESTS(test_early_data_not_expected, 3); # ifndef OPENSSL_NO_TLS1_2 ADD_ALL_TESTS(test_early_data_tls1_2, 3); diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c index 352c1898ad..71123b947f 100644 --- a/test/tls13secretstest.c +++ b/test/tls13secretstest.c @@ -163,6 +163,13 @@ int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc, return 0; } +int ssl_cipher_get_evp_md_mac(SSL_CTX *ctx, const SSL_CIPHER *sslc, + const EVP_MD **md, + int *mac_pkey_type, size_t *mac_secret_size) +{ + return 0; +} + int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md, int *mac_pkey_type, size_t *mac_secret_size, |