Commit aed53d6c authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Backport GCM support from HEAD.

parent 61cdb9f3
Loading
Loading
Loading
Loading
+11 −0
Original line number Diff line number Diff line
@@ -4,6 +4,17 @@

 Changes between 1.0.0e and 1.0.1  [xx XXX xxxx]

  *) Add GCM support to TLS library. Some custom code is needed to split
     the IV between the fixed (from PRF) and explicit (from TLS record)
     portions. This adds all GCM ciphersuites supported by RFC5288 and 
     RFC5289. Generalise some AES* cipherstrings to inlclude GCM and
     add a special AESGCM string for GCM only.
     [Steve Henson]

  *) Expand range of ctrls for AES GCM. Permit setting invocation
     field on decrypt and retrieval of invocation field only on encrypt.
     [Steve Henson]

  *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
     As required by RFC5289 these ciphersuites cannot be used if for
     versions of TLS earlier than 1.2.
+324 −0
Original line number Diff line number Diff line
@@ -1823,6 +1823,200 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={

#endif /* OPENSSL_NO_SEED */

	/* GCM ciphersuites from RFC5288 */

	/* Cipher 9C */
	{
	1,
	TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
	TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
	SSL_kRSA,
	SSL_aRSA,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher 9D */
	{
	1,
	TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
	TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
	SSL_kRSA,
	SSL_aRSA,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

	/* Cipher 9E */
	{
	1,
	TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
	SSL_kEDH,
	SSL_aRSA,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher 9F */
	{
	1,
	TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
	SSL_kEDH,
	SSL_aRSA,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

	/* Cipher A0 */
	{
	0,
	TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256,
	TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256,
	SSL_kDHr,
	SSL_aDH,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher A1 */
	{
	0,
	TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384,
	TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384,
	SSL_kDHr,
	SSL_aDH,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

	/* Cipher A2 */
	{
	1,
	TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256,
	TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
	SSL_kEDH,
	SSL_aDSS,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher A3 */
	{
	1,
	TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384,
	TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
	SSL_kEDH,
	SSL_aDSS,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

	/* Cipher A4 */
	{
	0,
	TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
	TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
	SSL_kDHr,
	SSL_aDH,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher A5 */
	{
	0,
	TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
	TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
	SSL_kDHr,
	SSL_aDH,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

	/* Cipher A6 */
	{
	1,
	TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
	TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
	SSL_kEDH,
	SSL_aNULL,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher A7 */
	{
	1,
	TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
	TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
	SSL_kEDH,
	SSL_aNULL,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

#ifndef OPENSSL_NO_ECDH
	/* Cipher C001 */
	{
@@ -2502,6 +2696,136 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
	256,
	},

	/* GCM based TLS v1.2 ciphersuites from RFC5289 */

	/* Cipher C02B */
	{
	1,
	TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	SSL_kEECDH,
	SSL_aECDSA,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher C02C */
	{
	1,
	TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	SSL_kEECDH,
	SSL_aECDSA,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

	/* Cipher C02D */
	{
	1,
	TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
	SSL_kECDHe,
	SSL_aECDH,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher C02E */
	{
	1,
	TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
	TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
	SSL_kECDHe,
	SSL_aECDH,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

	/* Cipher C02F */
	{
	1,
	TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	SSL_kEECDH,
	SSL_aRSA,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher C030 */
	{
	1,
	TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	SSL_kEECDH,
	SSL_aRSA,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

	/* Cipher C031 */
	{
	1,
	TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
	TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
	SSL_kECDHe,
	SSL_aECDH,
	SSL_AES128GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
	128,
	128,
	},

	/* Cipher C032 */
	{
	1,
	TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
	TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
	SSL_kECDHe,
	SSL_aECDH,
	SSL_AES256GCM,
	SSL_AEAD,
	SSL_TLSV1_2,
	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
	256,
	256,
	},

#endif /* OPENSSL_NO_ECDH */


+11 −5
Original line number Diff line number Diff line
@@ -742,13 +742,19 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
	plen=p; 
	p+=2;
	/* Explicit IV length, block ciphers and TLS version 1.1 or later */
	if (s->enc_write_ctx && s->version >= TLS1_1_VERSION
		&& EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)
	if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
		{
		int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
		if (mode == EVP_CIPH_CBC_MODE)
			{
			eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
			if (eivlen <= 1)
				eivlen = 0;
			}
		/* Need explicit part of IV for GCM mode */
		else if (mode == EVP_CIPH_GCM_MODE)
			eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
		}
	else 
		eivlen = 0;

+1 −0
Original line number Diff line number Diff line
@@ -287,6 +287,7 @@ extern "C" {
#define SSL_TXT_AES128		"AES128"
#define SSL_TXT_AES256		"AES256"
#define SSL_TXT_AES		"AES"
#define SSL_TXT_AES_GCM		"AESGCM"
#define SSL_TXT_CAMELLIA128	"CAMELLIA128"
#define SSL_TXT_CAMELLIA256	"CAMELLIA256"
#define SSL_TXT_CAMELLIA	"CAMELLIA"
+31 −7
Original line number Diff line number Diff line
@@ -162,11 +162,13 @@
#define SSL_ENC_CAMELLIA256_IDX	9
#define SSL_ENC_GOST89_IDX	10
#define SSL_ENC_SEED_IDX    	11
#define SSL_ENC_NUM_IDX		12
#define SSL_ENC_AES128GCM_IDX	12
#define SSL_ENC_AES256GCM_IDX	13
#define SSL_ENC_NUM_IDX		14


static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
	NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
	NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
	};

#define SSL_COMP_NULL_IDX	0
@@ -289,9 +291,10 @@ static const SSL_CIPHER cipher_aliases[]={
	{0,SSL_TXT_IDEA,0,    0,0,SSL_IDEA,  0,0,0,0,0,0},
	{0,SSL_TXT_SEED,0,    0,0,SSL_SEED,  0,0,0,0,0,0},
	{0,SSL_TXT_eNULL,0,   0,0,SSL_eNULL, 0,0,0,0,0,0},
	{0,SSL_TXT_AES128,0,  0,0,SSL_AES128,0,0,0,0,0,0},
	{0,SSL_TXT_AES256,0,  0,0,SSL_AES256,0,0,0,0,0,0},
	{0,SSL_TXT_AES,0,     0,0,SSL_AES128|SSL_AES256,0,0,0,0,0,0},
	{0,SSL_TXT_AES128,0,  0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0},
	{0,SSL_TXT_AES256,0,  0,0,SSL_AES256|SSL_AES256GCM,0,0,0,0,0,0},
	{0,SSL_TXT_AES,0,     0,0,SSL_AES,0,0,0,0,0,0},
	{0,SSL_TXT_AES_GCM,0, 0,0,SSL_AES128GCM|SSL_AES256GCM,0,0,0,0,0,0},
	{0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},
	{0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},
	{0,SSL_TXT_CAMELLIA   ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0},
@@ -387,6 +390,11 @@ void ssl_load_ciphers(void)
	ssl_cipher_methods[SSL_ENC_SEED_IDX]=
	  EVP_get_cipherbyname(SN_seed_cbc);

	ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]=
	  EVP_get_cipherbyname(SN_aes_128_gcm);
	ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]=
	  EVP_get_cipherbyname(SN_aes_256_gcm);

	ssl_digest_methods[SSL_MD_MD5_IDX]=
		EVP_get_digestbyname(SN_md5);
	ssl_mac_secret_size[SSL_MD_MD5_IDX]=
@@ -541,6 +549,12 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
	case SSL_SEED:
		i=SSL_ENC_SEED_IDX;
		break;
	case SSL_AES128GCM:
		i=SSL_ENC_AES128GCM_IDX;
		break;
	case SSL_AES256GCM:
		i=SSL_ENC_AES256GCM_IDX;
		break;
	default:
		i= -1;
		break;
@@ -585,7 +599,8 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
		*md=NULL; 
		if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
		if (mac_secret_size!=NULL) *mac_secret_size = 0;

		if (c->algorithm_mac == SSL_AEAD)
			mac_pkey_type = NULL;
	}
	else
	{
@@ -1635,6 +1650,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
	case SSL_AES256:
		enc="AES(256)";
		break;
	case SSL_AES128GCM:
		enc="AESGCM(128)";
		break;
	case SSL_AES256GCM:
		enc="AESGCM(256)";
		break;
	case SSL_CAMELLIA128:
		enc="Camellia(128)";
		break;
@@ -1663,6 +1684,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
	case SSL_SHA384:
		mac="SHA384";
		break;
	case SSL_AEAD:
		mac="AEAD";
		break;
	default:
		mac="unknown";
		break;
Loading