[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Wed Feb 8 02:22:01 UTC 2017


The branch master has been updated
       via  21d94d44246bfe2c220bc3b219443ccaedce308d (commit)
       via  1bbede20e3f5ac98a46568604b8c1d56bf8d2185 (commit)
       via  f68521ee41ce72d291e6ac9778758584d6bd3c70 (commit)
       via  00212c6662b52f20e7ecdf17901c02f388bfd98d (commit)
       via  197421b120396a16588a8d9d969fe75908ea9d2e (commit)
       via  20fc2051d2f8ec678b62d5f5c9d799ce51368120 (commit)
       via  ec07b1d872300f347c436ff5e549b94f79c0fa63 (commit)
       via  aa24c47c834015dd34d00bcf9373113f0c57e1f0 (commit)
       via  7114af3054c005d9ff587b78f193d75e4ddf1775 (commit)
       via  e5c4bf93a9b65652138ca0433b2d37d5113da5dd (commit)
      from  e9681f8314c64c6802b11997c471bd763de38c8c (commit)


- Log -----------------------------------------------------------------
commit 21d94d44246bfe2c220bc3b219443ccaedce308d
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Feb 4 13:12:49 2017 +0000

    Update documentation
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

commit 1bbede20e3f5ac98a46568604b8c1d56bf8d2185
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Feb 4 18:25:09 2017 +0000

    update test
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

commit f68521ee41ce72d291e6ac9778758584d6bd3c70
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Feb 2 23:11:07 2017 +0000

    Add remaining TLS1.3 ciphersuites
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

commit 00212c6662b52f20e7ecdf17901c02f388bfd98d
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Feb 3 02:49:26 2017 +0000

    Call EVP_CipherFinal in CCM mode for tests.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

commit 197421b120396a16588a8d9d969fe75908ea9d2e
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Feb 3 02:47:56 2017 +0000

    Make EVP_*Final work for CCM ciphers
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

commit 20fc2051d2f8ec678b62d5f5c9d799ce51368120
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Feb 6 19:25:34 2017 +0000

    Use constants for Chacha/Poly, redo algorithm expressions.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

commit ec07b1d872300f347c436ff5e549b94f79c0fa63
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Feb 3 02:44:15 2017 +0000

    Add CCM mode support for TLS 1.3
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

commit aa24c47c834015dd34d00bcf9373113f0c57e1f0
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Feb 3 02:43:03 2017 +0000

    Add constants to CCM and TLS.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

commit 7114af3054c005d9ff587b78f193d75e4ddf1775
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Feb 4 12:42:57 2017 +0000

    Add NID_auth_any and NID_kx_any NIDs.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

commit e5c4bf93a9b65652138ca0433b2d37d5113da5dd
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Feb 4 03:17:32 2017 +0000

    Add SSL_kANY and SSL_aANY
    
    Add SSL_kANY and SSL_aANY constants for TLS 1.3 ciphersuites. Return
    appropriate text strings when they are used.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2550)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/e_aes.c               |  7 +++--
 crypto/objects/obj_dat.h         | 12 ++++++--
 crypto/objects/obj_mac.num       |  2 ++
 crypto/objects/objects.txt       |  2 ++
 doc/man1/ciphers.pod             |  8 +++++
 doc/man3/SSL_CIPHER_get_name.pod |  7 +++--
 include/openssl/evp.h            |  9 ++++++
 include/openssl/obj_mac.h        |  8 +++++
 include/openssl/tls1.h           |  8 +++++
 ssl/record/ssl3_record_tls13.c   | 41 +++++++++++++++----------
 ssl/s3_lib.c                     | 65 +++++++++++++++++++++++++++++++++++++++-
 ssl/ssl_ciph.c                   | 12 ++++++--
 ssl/ssl_locl.h                   |  5 ++++
 ssl/t1_enc.c                     |  4 +--
 ssl/tls13_enc.c                  | 22 +++++++++++---
 test/cipherlist_test.c           |  2 ++
 test/evp_test.c                  | 10 ++-----
 17 files changed, 184 insertions(+), 40 deletions(-)

diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 857a402..451d32d 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -2129,6 +2129,10 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     if (cctx->tls_aad_len >= 0)
         return aes_ccm_tls_cipher(ctx, out, in, len);
 
+    /* EVP_*Final() doesn't return any data */
+    if (in == NULL && out != NULL)
+        return 0;
+
     if (!cctx->iv_set)
         return -1;
 
@@ -2148,9 +2152,6 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         CRYPTO_ccm128_aad(ccm, in, len);
         return len;
     }
-    /* EVP_*Final() doesn't return any data */
-    if (!in)
-        return 0;
     /* If not set length yet do it */
     if (!cctx->len_set) {
         if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 88d371a..8de2592 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -963,7 +963,7 @@ static const unsigned char so[6765] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1C,  /* [ 6753] OBJ_id_ct_xml */
 };
 
-#define NUM_NID 1063
+#define NUM_NID 1065
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2028,9 +2028,11 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"id-ct-xml", "id-ct-xml", NID_id_ct_xml, 11, &so[6753]},
     {"Poly1305", "poly1305", NID_poly1305},
     {"SipHash", "siphash", NID_siphash},
+    {"KxANY", "kx-any", NID_kx_any},
+    {"AuthANY", "auth-any", NID_auth_any},
 };
 
-#define NUM_SN 1054
+#define NUM_SN 1056
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -2065,6 +2067,7 @@ static const unsigned int sn_objs[NUM_SN] = {
      960,    /* "AES-256-OCB" */
      428,    /* "AES-256-OFB" */
      914,    /* "AES-256-XTS" */
+    1064,    /* "AuthANY" */
     1049,    /* "AuthDSS" */
     1047,    /* "AuthECDSA" */
     1050,    /* "AuthGOST01" */
@@ -2163,6 +2166,7 @@ static const unsigned int sn_objs[NUM_SN] = {
      645,    /* "ITU-T" */
      646,    /* "JOINT-ISO-ITU-T" */
      773,    /* "KISA" */
+    1063,    /* "KxANY" */
     1039,    /* "KxDHE" */
     1041,    /* "KxDHE-PSK" */
     1038,    /* "KxECDHE" */
@@ -3088,7 +3092,7 @@ static const unsigned int sn_objs[NUM_SN] = {
      160,    /* "x509Crl" */
 };
 
-#define NUM_LN 1054
+#define NUM_LN 1056
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -3310,6 +3314,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      484,    /* "associatedDomain" */
      485,    /* "associatedName" */
      501,    /* "audio" */
+    1064,    /* "auth-any" */
     1049,    /* "auth-dss" */
     1047,    /* "auth-ecdsa" */
     1050,    /* "auth-gost01" */
@@ -3783,6 +3788,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      956,    /* "jurisdictionStateOrProvinceName" */
      150,    /* "keyBag" */
      773,    /* "kisa" */
+    1063,    /* "kx-any" */
     1039,    /* "kx-dhe" */
     1041,    /* "kx-dhe-psk" */
     1038,    /* "kx-ecdhe" */
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 3793951..5ca5260 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -1060,3 +1060,5 @@ id_smime_ct_authEnvelopedData		1059
 id_ct_xml		1060
 poly1305		1061
 siphash		1062
+kx_any		1063
+auth_any		1064
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 5b1f2bd..0d189f8 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -1472,6 +1472,7 @@ id-pkinit 5                     : pkInitKDC             : Signing KDC Response
                             : KxPSK        : kx-psk
                             : KxSRP        : kx-srp
                             : KxGOST       : kx-gost
+                            : KxANY        : kx-any
 
 # NIDs for cipher authentication
                             : AuthRSA      : auth-rsa
@@ -1482,6 +1483,7 @@ id-pkinit 5                     : pkInitKDC             : Signing KDC Response
                             : AuthGOST12   : auth-gost12
                             : AuthSRP      : auth-srp
                             : AuthNULL     : auth-null
+                            : AuthANY      : auth-any
 # NID for Poly1305
                             : Poly1305     : poly1305
 # NID for SipHash
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
index c1d1cb2..aa8ace2 100644
--- a/doc/man1/ciphers.pod
+++ b/doc/man1/ciphers.pod
@@ -670,6 +670,14 @@ Note: these ciphers can also be used in SSL v3.
  TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256        DHE-PSK-CHACHA20-POLY1305
  TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256        RSA-PSK-CHACHA20-POLY1305
 
+=head2 TLS v1.3 cipher suites
+
+ TLS_AES_128_GCM_SHA256                     TLS13-AES-128-GCM-SHA256
+ TLS_AES_256_GCM_SHA384                     TLS13-AES-256-GCM-SHA384
+ TLS_CHACHA20_POLY1305_SHA256               TLS13-CHACHA20-POLY1305-SHA256
+ TLS_AES_128_CCM_SHA256                     TLS13-AES-128-CCM-SHA256
+ TLS_AES_128_CCM_8_SHA256                   TLS13-AES-128-CCM-8-SHA256
+
 =head2 Older names used by OpenSSL
 
 The following names are accepted by older releases:
diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod
index b648e09..872e37d 100644
--- a/doc/man3/SSL_CIPHER_get_name.pod
+++ b/doc/man3/SSL_CIPHER_get_name.pod
@@ -42,7 +42,9 @@ used by B<c>. If there is no digest (e.g. for AEAD ciphersuites) then
 B<NID_undef> is returned.
 
 SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method
-used by B<c>. If there is no key exchange, then B<NID_undef> is returned. Examples (not comprehensive):
+used by B<c>. If there is no key exchange, then B<NID_undef> is returned.
+If any appropriate key exchange algorithm can be used (as in the case of TLS 1.3
+ciphersuites) B<NID_kx_any> is returned. Examples (not comprehensive):
 
  NID_kx_rsa
  NID_kx_ecdhe
@@ -51,7 +53,8 @@ used by B<c>. If there is no key exchange, then B<NID_undef> is returned. Exampl
 
 SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method
 used by B<c>. If there is no authentication, then B<NID_undef> is returned.
-Examples (not comprehensive):
+If any appropriate authentication algorithm can be used (as in the case of
+TLS 1.3 ciphersuites) B<NID_auth_any> is returned. Examples (not comprehensive):
 
  NID_auth_rsa
  NID_auth_ecdsa
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index e44521c..f34f30e 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -367,6 +367,15 @@ typedef struct {
 # define EVP_CCM_TLS_FIXED_IV_LEN                        4
 /* Length of explicit part of IV part of TLS records */
 # define EVP_CCM_TLS_EXPLICIT_IV_LEN                     8
+/* Total length of CCM IV length for TLS */
+# define EVP_CCM_TLS_IV_LEN                              12
+/* Length of tag for TLS */
+# define EVP_CCM_TLS_TAG_LEN                             16
+/* Length of CCM8 tag for TLS */
+# define EVP_CCM8_TLS_TAG_LEN                            8
+
+/* Length of tag for TLS */
+# define EVP_CHACHAPOLY_TLS_TAG_LEN                      16
 
 typedef struct evp_cipher_info_st {
     const EVP_CIPHER *cipher;
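Review bot: The comment on `EVP_CHACHAPOLY_TLS_TAG_LEN` at L318 is a verbatim copy of the CCM one ("Length of tag for TLS") and no longer says which cipher it belongs to; `/* Length of ChaCha20-Poly1305 tag for TLS */` would. L311 reads "Total length of CCM IV length for TLS"; since the two constants directly above it (4 fixed + 8 explicit) add up to the 12, `/* Total (fixed + explicit) length of the CCM IV for TLS */` states what the value is made of.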
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index c8f876e..2e317ad 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -4544,6 +4544,10 @@
 #define LN_kx_gost              "kx-gost"
 #define NID_kx_gost             1045
 
+#define SN_kx_any               "KxANY"
+#define LN_kx_any               "kx-any"
+#define NID_kx_any              1063
+
 #define SN_auth_rsa             "AuthRSA"
 #define LN_auth_rsa             "auth-rsa"
 #define NID_auth_rsa            1046
@@ -4576,6 +4580,10 @@
 #define LN_auth_null            "auth-null"
 #define NID_auth_null           1053
 
+#define SN_auth_any             "AuthANY"
+#define LN_auth_any             "auth-any"
+#define NID_auth_any            1064
+
 #define SN_poly1305             "Poly1305"
 #define LN_poly1305             "poly1305"
 #define NID_poly1305            1061
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index a4258ac..6902f50 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -622,6 +622,10 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 
 /* TLS v1.3 ciphersuites */
 # define TLS1_3_CK_AES_128_GCM_SHA256                     0x03001301
+# define TLS1_3_CK_AES_256_GCM_SHA384                     0x03001302
+# define TLS1_3_CK_CHACHA20_POLY1305_SHA256               0x03001303
+# define TLS1_3_CK_AES_128_CCM_SHA256                     0x03001304
+# define TLS1_3_CK_AES_128_CCM_8_SHA256                   0x03001305
 
 /*
  * XXX Backward compatibility alert: Older versions of OpenSSL gave some DHE
@@ -898,6 +902,10 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
  * cipherstring selection process for these ciphers
  */
 # define TLS1_3_TXT_AES_128_GCM_SHA256                     "TLS13-AES-128-GCM-SHA256"
+# define TLS1_3_TXT_AES_256_GCM_SHA384                     "TLS13-AES-256-GCM-SHA384"
+# define TLS1_3_TXT_CHACHA20_POLY1305_SHA256               "TLS13-CHACHA20-POLY1305-SHA256"
+# define TLS1_3_TXT_AES_128_CCM_SHA256                     "TLS13-AES-128-CCM-SHA256"
+# define TLS1_3_TXT_AES_128_CCM_8_SHA256                   "TLS13-AES-128-CCM-8-SHA256"
 
 # define TLS_CT_RSA_SIGN                 1
 # define TLS_CT_DSS_SIGN                 2
diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
index 2099e79..9dc7075 100644
--- a/ssl/record/ssl3_record_tls13.c
+++ b/ssl/record/ssl3_record_tls13.c
@@ -24,11 +24,12 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
 {
     EVP_CIPHER_CTX *ctx;
     unsigned char iv[EVP_MAX_IV_LENGTH];
-    size_t ivlen, offset, loop;
+    size_t ivlen, taglen, offset, loop;
     unsigned char *staticiv;
     unsigned char *seq;
     int lenu, lenf;
     SSL3_RECORD *rec = &recs[0];
+    uint32_t alg_enc = s->s3->tmp.new_cipher->algorithm_enc;
 
     if (n_recs != 1) {
         /* Should not happen */
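Review bot: `alg_enc` at L389 dereferences `s->s3->tmp.new_cipher` in the declarations, before the `n_recs != 1` check and before the cipher context is looked up; if tls13_enc can be entered with no ciphersuite selected yet (for instance a plaintext pass-through while the context is still NULL, which would sit outside this hunk), that is a NULL dereference on a path that previously touched nothing. Declaring `uint32_t alg_enc;` here and assigning `alg_enc = s->s3->tmp.new_cipher->algorithm_enc;` only once the context is known to exist keeps the early-return paths free of it. The rest of tls13_enc lies outside this hunk.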
@@ -53,21 +54,30 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
     }
     ivlen = EVP_CIPHER_CTX_iv_length(ctx);
 
+    if (alg_enc & SSL_AESCCM) {
+        if (alg_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
+            taglen = EVP_CCM8_TLS_TAG_LEN;
+         else
+            taglen = EVP_CCM_TLS_TAG_LEN;
+         if (send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen,
+                                         NULL) <= 0)
+            return -1;
+    } else if (alg_enc & SSL_AESGCM) {
+        taglen = EVP_GCM_TLS_TAG_LEN;
+    } else if (alg_enc & SSL_CHACHA20) {
+        taglen = EVP_CHACHAPOLY_TLS_TAG_LEN;
+    } else {
+        return -1;
+    }
+
     if (!send) {
         /*
          * Take off tag. There must be at least one byte of content type as
          * well as the tag
          */
-        /*
-         * TODO(TLS1.3): We're going to need to figure out the tag len based on
-         * the cipher. For now we just support GCM tags.
-         * TODO(TLS1.3): When we've swapped over the record layer to TLSv1.3
-         * then the length must be 1 + the tag len to account for the content
-         * byte that we know must have been encrypted.
-         */
-        if (rec->length < EVP_GCM_TLS_TAG_LEN)
+        if (rec->length < taglen + 1)
             return 0;
-        rec->length -= EVP_GCM_TLS_TAG_LEN;
+        rec->length -= taglen;
     }
 
     /* Set up IV */
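Review bot: The CCM branch at L400 and L402 (` else`, ` if (send ...`) is indented one column deeper than the `if` it pairs with at L398, which reads as a different nesting level; align it with L398. The send-side `EVP_CTRL_AEAD_SET_TAG` at L402-L404 also repeats per record what tls13_change_cipher_state in this same commit already does once at key setup (the `taglen != 0` ctrl there), so one of the two is redundant; if the per-record call is kept deliberately, a comment saying so would stop a later reader from removing the other.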
@@ -93,22 +103,21 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
 
     /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */
     if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, send) <= 0
-            || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
-                                (unsigned int)rec->length) <= 0
             || (!send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
-                                             EVP_GCM_TLS_TAG_LEN,
+                                             taglen,
                                              rec->data + rec->length) <= 0)
+            || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
+                                (unsigned int)rec->length) <= 0
             || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
             || (size_t)(lenu + lenf) != rec->length) {
         return -1;
     }
-
     if (send) {
         /* Add the tag */
-        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, EVP_GCM_TLS_TAG_LEN,
+        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen,
                                 rec->data + rec->length) <= 0)
             return -1;
-        rec->length += EVP_GCM_TLS_TAG_LEN;
+        rec->length += taglen;
     }
 
     return 1;
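Review bot: The reorder that puts `EVP_CTRL_AEAD_SET_TAG` ahead of `EVP_CipherUpdate` at L439-L444 is load-bearing — with this commit's e_aes.c change a CCM Final() returns no data, so the tag has to be in place before the update call that performs the decryption — but nothing in the code says so and a future tidy-up could swap them back. A comment above the chain, `/* On receive the tag must be set before EVP_CipherUpdate(): CCM needs it before decrypting, and EVP_CipherFinal_ex() produces nothing for CCM */`, would pin the order. Every failure in the chain, including a tag mismatch, collapses to `return -1`; that matches the previous behaviour and is fine as long as the caller (outside this hunk) does not try to tell setup errors from authentication failures.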
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0d84210..8065e15 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -842,9 +842,72 @@ static SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES128GCM,
      SSL_AEAD,
      TLS1_3_VERSION, TLS1_3_VERSION,
+     SSL_kANY,
+     SSL_aANY,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256,
+     128,
+     128,
+     },
+    {
+     1,
+     TLS1_3_TXT_AES_256_GCM_SHA384,
+     TLS1_3_CK_AES_256_GCM_SHA384,
+     SSL_kANY,
+     SSL_aANY,
+     SSL_AES256GCM,
+     SSL_AEAD,
+     TLS1_3_VERSION, TLS1_3_VERSION,
      0, 0,
      SSL_HIGH,
-     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     SSL_HANDSHAKE_MAC_SHA384,
+     256,
+     256,
+     },
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+    {
+     1,
+     TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
+     TLS1_3_CK_CHACHA20_POLY1305_SHA256,
+     SSL_kANY,
+     SSL_aANY,
+     SSL_CHACHA20POLY1305,
+     SSL_AEAD,
+     TLS1_3_VERSION, TLS1_3_VERSION,
+     0, 0,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256,
+     256,
+     256,
+     },
+#endif
+    {
+     1,
+     TLS1_3_TXT_AES_128_CCM_SHA256,
+     TLS1_3_CK_AES_128_CCM_SHA256,
+     SSL_kANY,
+     SSL_aANY,
+     SSL_AES128CCM,
+     SSL_AEAD,
+     TLS1_3_VERSION, TLS1_3_VERSION,
+     0, 0,
+     SSL_NOT_DEFAULT | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256,
+     128,
+     128,
+     },
+    {
+     1,
+     TLS1_3_TXT_AES_128_CCM_8_SHA256,
+     TLS1_3_CK_AES_128_CCM_8_SHA256,
+     SSL_kANY,
+     SSL_aANY,
+     SSL_AES128CCM8,
+     SSL_AEAD,
+     TLS1_3_VERSION, TLS1_3_VERSION,
+     0, 0,
+     SSL_NOT_DEFAULT | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256,
      128,
      128,
      },
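Review bot: In the AES_128_GCM entry the added `SSL_kANY, SSL_aANY` at L469-L470 come directly after the `TLS1_3_VERSION, TLS1_3_VERSION` pair, i.e. in the min/max DTLS version slots, whereas every other new entry places them right after the ciphersuite id and keeps `0, 0` after the TLS versions (L480-L485). Both macros expand to 0 in this commit, so the compiled table is numerically identical, but the entry now reads as if the DTLS bounds were the key-exchange and auth flags, and any future non-zero `SSL_kANY` would silently corrupt it. The entry's leading fields (the real kx/auth slots) lie above this hunk; the fix is to move the two lines up there and put `0, 0,` back where L469-L470 are.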
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 88b99cc..3149c39 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -153,7 +153,8 @@ static const ssl_cipher_table ssl_cipher_table_kx[] = {
     {SSL_kRSAPSK,   NID_kx_rsa_psk},
     {SSL_kPSK,      NID_kx_psk},
     {SSL_kSRP,      NID_kx_srp},
-    {SSL_kGOST,     NID_kx_gost}
+    {SSL_kGOST,     NID_kx_gost},
+    {SSL_kANY,      NID_kx_any}
 };
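Review bot: `SSL_kANY` is defined as zero in this commit, so the new `{SSL_kANY, NID_kx_any}` row can only be found by a lookup that compares the mask for equality; if the search over `ssl_cipher_table_kx` (outside this hunk) tests `table->mask & algorithm_mkey` instead, a zero mask never matches and SSL_CIPHER_get_kx_nid() would return NID_undef for TLS 1.3 suites rather than the NID_kx_any the documentation in this commit promises. Worth confirming, and worth a comment on the row, `/* mask is 0: only an equality lookup can match this row */`, since the same caveat applies to the auth table in the next hunk.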
 
 static const ssl_cipher_table ssl_cipher_table_auth[] = {
@@ -164,7 +165,8 @@ static const ssl_cipher_table ssl_cipher_table_auth[] = {
     {SSL_aGOST01, NID_auth_gost01},
     {SSL_aGOST12, NID_auth_gost12},
     {SSL_aSRP,    NID_auth_srp},
-    {SSL_aNULL,   NID_auth_null}
+    {SSL_aNULL,   NID_auth_null},
+    {SSL_aANY,    NID_auth_any}
 };
 /* *INDENT-ON* */
 
@@ -1576,6 +1578,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case SSL_kGOST:
         kx = "GOST";
         break;
+    case SSL_kANY:
+        kx = "any";
+        break;
     default:
         kx = "unknown";
     }
@@ -1606,6 +1611,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case (SSL_aGOST12 | SSL_aGOST01):
         au = "GOST12";
         break;
+    case SSL_aANY:
+        au = "any";
+        break;
     default:
         au = "unknown";
         break;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d0c4eb9..b868813 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -229,6 +229,9 @@
 
 # define SSL_PSK     (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK)
 
+/* Any appropriate key exchange algorithm (for TLS 1.3 ciphersuites) */
+# define SSL_kANY                0x00000000U
+
 /* Bits for algorithm_auth (server authentication) */
 /* RSA auth */
 # define SSL_aRSA                0x00000001U
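Review bot: Defining `SSL_kANY` as `0x00000000U` at L592 makes it a value rather than a bit flag, and the comment should say so: `algorithm_mkey & SSL_kANY` is always false, so cipherstring rules keyed on key exchange can neither select nor exclude a TLS 1.3 suite, and the only way to recognise one is an equality test against 0 (as the new `case SSL_kANY:` in ssl_ciph.c does). Suggest `/* Any appropriate key exchange algorithm (TLS 1.3 ciphersuites). Deliberately 0: not a bit flag, test with == rather than & */`. The same applies to `SSL_aANY` in the following hunk.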
@@ -246,6 +249,8 @@
 # define SSL_aSRP                0x00000040U
 /* GOST R 34.10-2012 signature auth */
 # define SSL_aGOST12             0x00000080U
+/* Any appropriate signature auth (for TLS 1.3 ciphersuites) */
+# define SSL_aANY                0x00000000U
 
 /* Bits for algorithm_enc (symmetric encryption) */
 # define SSL_DES                 0x00000001U
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index d97b9a8..ebdc0fb 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -281,9 +281,9 @@ int tls1_change_cipher_state(SSL *s, int which)
         int taglen;
         if (s->s3->tmp.
             new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
-            taglen = 8;
+            taglen = EVP_CCM8_TLS_TAG_LEN;
         else
-            taglen = 16;
+            taglen = EVP_CCM_TLS_TAG_LEN;
         if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
             || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
             || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
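Review bot: The `12` passed to `EVP_CTRL_AEAD_SET_IVLEN` at L620 is the one CCM length this hunk leaves as a magic number, even though the commit adds `EVP_CCM_TLS_IV_LEN` (12) to evp.h for exactly this purpose; `|| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, EVP_CCM_TLS_IV_LEN, NULL)` keeps the TLS 1.2 and TLS 1.3 CCM setups in step. tls1_change_cipher_state begins and ends outside this hunk.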
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 0d29dae..ebfeecd 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -264,7 +264,7 @@ int tls13_change_cipher_state(SSL *s, int which)
     const char *log_label = NULL;
     EVP_CIPHER_CTX *ciph_ctx;
     const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;
-    size_t ivlen, keylen, finsecretlen = 0;
+    size_t ivlen, keylen, taglen, finsecretlen = 0;
     const unsigned char *label;
     size_t labellen, hashlen = 0;
     int ret = 0;
@@ -373,7 +373,17 @@ int tls13_change_cipher_state(SSL *s, int which)
 
     /* TODO(size_t): convert me */
     keylen = EVP_CIPHER_key_length(ciph);
-    ivlen = EVP_CIPHER_iv_length(ciph);
+    if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) {
+        ivlen = EVP_CCM_TLS_IV_LEN;
+        if (s->s3->tmp.new_cipher->algorithm_enc
+                & (SSL_AES128CCM8 | SSL_AES256CCM8))
+            taglen = EVP_CCM8_TLS_TAG_LEN;
+         else
+            taglen = EVP_CCM_TLS_TAG_LEN;
+    } else {
+        ivlen = EVP_CIPHER_iv_length(ciph);
+        taglen = 0;
+    }
 
     if (!ssl_log_secret(s, log_label, secret, hashlen)) {
         SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
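Review bot: ` else` at L645 is indented one column deeper than the `if` it belongs to at L642 (the same slip appears in the ssl3_record_tls13.c change), so align it. `taglen = 0` at L649 doubles as "do not issue EVP_CTRL_AEAD_SET_TAG" for the non-CCM ciphers, which is only visible from the `taglen != 0 &&` guard further down; a comment on that line, `/* 0: keep the cipher's default tag length, no SET_TAG ctrl issued */`, makes the sentinel explicit.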
@@ -391,8 +401,12 @@ int tls13_change_cipher_state(SSL *s, int which)
         goto err;
     }
 
-    if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, NULL,
-                          (which & SSL3_CC_WRITE)) <= 0) {
+    if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL,
+                          (which & SSL3_CC_WRITE)) <= 0
+        || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
+        || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
+                                                taglen, NULL))
+        || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) {
         SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB);
         goto err;
     }
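Review bot: The split at L660-L665 into a key-less `EVP_CipherInit_ex`, the two ctrls, and a second init that supplies the key is only correct if the IV and tag lengths have to be configured before the key is installed, and the code does not say why; a comment such as `/* Set IV and tag lengths before the key: the ctrls need an initialised cipher context, and the lengths must be fixed before keying — TODO confirm which ciphers require this */` would stop someone re-merging it into one call. `ivlen` and `taglen` are `size_t` but the ctrl's length argument is `int`, so they are narrowed implicitly; an explicit `(int)ivlen` / `(int)taglen` would document the intent, as the `(unsigned int)` cast in the record-layer change does.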
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
index 40596bc..0c344c9 100644
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -110,6 +110,8 @@ static const uint32_t default_ciphers_in_order[] = {
     TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
 #endif
 #ifndef OPENSSL_NO_TLS1_3
+    TLS1_3_CK_AES_256_GCM_SHA384,
+    TLS1_3_CK_CHACHA20_POLY1305_SHA256,
     TLS1_3_CK_AES_128_GCM_SHA256,
 #endif
 #ifndef OPENSSL_NO_TLS1_2
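Review bot: `TLS1_3_CK_CHACHA20_POLY1305_SHA256` at L678 is added under `#ifndef OPENSSL_NO_TLS1_3` only, while the matching s3_lib.c entry in this commit is compiled out under `OPENSSL_NO_CHACHA`/`OPENSSL_NO_POLY1305`; a no-chacha build will then expect a suite the default list cannot contain and the ordering test fails. Unless the surrounding array (outside this hunk) already accounts for that case, wrap the line: `#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)` / `TLS1_3_CK_CHACHA20_POLY1305_SHA256,` / `#endif`.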
diff --git a/test/evp_test.c b/test/evp_test.c
index 2f651b6..494a46b 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1040,13 +1040,9 @@ static int cipher_test_enc(struct evp_test *t, int enc,
             tmplen += chunklen;
         }
     }
-    if (cdat->aead == EVP_CIPH_CCM_MODE)
-        tmpflen = 0;
-    else {
-        err = "CIPHERFINAL_ERROR";
-        if (!EVP_CipherFinal_ex(ctx, tmp + out_misalign + tmplen, &tmpflen))
-            goto err;
-    }
+    err = "CIPHERFINAL_ERROR";
+    if (!EVP_CipherFinal_ex(ctx, tmp + out_misalign + tmplen, &tmpflen))
+        goto err;
     err = "LENGTH_MISMATCH";
     if (out_len != (size_t)(tmplen + tmpflen))
         goto err;

