BCJSSE: Add integrity-only cipher suites from RFC 9150

Author: peterdettman

docs/releasenotes.html

@@ -26,6 +26,7 @@ <h3>2.1.2 Defects Fixed</h3>
 <li>SNOVA and MAYO are now correctly added to the JCA provider module-info file.</li>
 <li>TLS: Avoid nonce reuse error in JCE AEAD workaround for pre-Java7.</li>
 <li>BCJSSE: Session binding map is now shared across all stages of the session lifecycle (SunJSSE compatibility).</li>
+<li>BCJSSE: Support for integrity-only cipher suites in TLS 1.3 per RFC 9150.</li>
 </ul>
 <h3>2.1.3 Additional Features and Functionality</h3>
 <ul>

tls/src/main/java/org/bouncycastle/jsse/provider/CipherSuiteInfo.java

@@ -155,6 +155,14 @@ private static void decomposeEncryptionAlgorithm(Set<String> decomposition, int
         case EncryptionAlgorithm.NULL:
             decomposition.add("C_NULL");
             break;
+        case EncryptionAlgorithm.NULL_HMAC_SHA256:
+            decomposition.add("C_NULL_HMAC");
+            decomposeHmacSHA256(decomposition);
+            break;
+        case EncryptionAlgorithm.NULL_HMAC_SHA384:
+            decomposition.add("C_NULL_HMAC");
+            decomposeHmacSHA384(decomposition);
+            break;
         case EncryptionAlgorithm.SM4_CBC:
             decomposition.add("SM4_CBC");
             break;
@@ -174,14 +182,14 @@ private static void decomposeHashAlgorithm(Set<String> decomposition, int crypto
         switch (cryptoHashAlgorithm)
         {
         case CryptoHashAlgorithm.sha256:
-            addAll(decomposition, "SHA256", "SHA-256", "HmacSHA256");
+            decomposeHmacSHA256(decomposition);
             break;
         case CryptoHashAlgorithm.sha384:
-            addAll(decomposition, "SHA384", "SHA-384", "HmacSHA384");
+            decomposeHmacSHA384(decomposition);
+            break;
+        case CryptoHashAlgorithm.sha512:
+            decomposeHmacSHA512(decomposition);
             break;
-//        case CryptoHashAlgorithm.sha512:
-//            addAll(decomposition, "SHA512", "SHA-512", "HmacSHA512");
-//            break;
         case CryptoHashAlgorithm.sm3:
             addAll(decomposition, "SM3", "HmacSM3");
             break;
@@ -190,6 +198,21 @@ private static void decomposeHashAlgorithm(Set<String> decomposition, int crypto
         }
     }
 
+    private static void decomposeHmacSHA256(Set<String> decomposition)
+    {
+        addAll(decomposition, "SHA256", "SHA-256", "HmacSHA256");
+    }
+
+    private static void decomposeHmacSHA384(Set<String> decomposition)
+    {
+        addAll(decomposition, "SHA384", "SHA-384", "HmacSHA384");
+    }
+
+    private static void decomposeHmacSHA512(Set<String> decomposition)
+    {
+        addAll(decomposition, "SHA512", "SHA-512", "HmacSHA512");
+    }
+
     private static void decomposeKeyExchangeAlgorithm(Set<String> decomposition, int keyExchangeAlgorithm)
     {
         switch (keyExchangeAlgorithm)
@@ -263,14 +286,14 @@ private static void decomposeMACAlgorithm(Set<String> decomposition, int cipherT
             addAll(decomposition, "SHA1", "SHA-1", "HmacSHA1");
             break;
         case MACAlgorithm.hmac_sha256:
-            addAll(decomposition, "SHA256", "SHA-256", "HmacSHA256");
+            decomposeHmacSHA256(decomposition);
             break;
         case MACAlgorithm.hmac_sha384:
-            addAll(decomposition, "SHA384", "SHA-384", "HmacSHA384");
+            decomposeHmacSHA384(decomposition);
+            break;
+        case MACAlgorithm.hmac_sha512:
+            decomposeHmacSHA512(decomposition);
             break;
-//        case MACAlgorithm.hmac_sha512:
-//            addAll(decomposition, "SHA512", "SHA-512", "HmacSHA512");
-//            break;
         default:
             throw new IllegalArgumentException();
         }
@@ -381,6 +404,7 @@ private static int getCryptoHashAlgorithm(int cipherSuite)
         case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256:
         case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256:
         case CipherSuite.TLS_RSA_WITH_NULL_SHA256:
+        case CipherSuite.TLS_SHA256_SHA256:
             return CryptoHashAlgorithm.sha256;
 
         case CipherSuite.TLS_AES_256_GCM_SHA384:
@@ -412,6 +436,7 @@ private static int getCryptoHashAlgorithm(int cipherSuite)
         case CipherSuite.TLS_RSA_WITH_ARIA_256_CBC_SHA384:
         case CipherSuite.TLS_RSA_WITH_ARIA_256_GCM_SHA384:
         case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384:
+        case CipherSuite.TLS_SHA384_SHA384:
             return CryptoHashAlgorithm.sha384;
 
         case CipherSuite.TLS_SM4_CCM_SM3:
@@ -455,6 +480,8 @@ private static String getTransformation(int encryptionAlgorithm)
         case EncryptionAlgorithm.CHACHA20_POLY1305:
             return "ChaCha20-Poly1305";
         case EncryptionAlgorithm.NULL:
+        case EncryptionAlgorithm.NULL_HMAC_SHA256:
+        case EncryptionAlgorithm.NULL_HMAC_SHA384:
             return "NULL";
         case EncryptionAlgorithm.SM4_CBC:
             return "SM4/CBC/NoPadding";

tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLContextSpi.java

@@ -181,6 +181,9 @@ private static Map<String, CipherSuiteInfo> createSupportedCipherSuiteMap()
         addCipherSuite(cs, "TLS_AES_256_GCM_SHA384", CipherSuite.TLS_AES_256_GCM_SHA384);
         addCipherSuite(cs, "TLS_CHACHA20_POLY1305_SHA256", CipherSuite.TLS_CHACHA20_POLY1305_SHA256);
 
+        addCipherSuite(cs, "TLS_SHA256_SHA256", CipherSuite.TLS_SHA256_SHA256);
+        addCipherSuite(cs, "TLS_SHA384_SHA384", CipherSuite.TLS_SHA384_SHA384);
+
         // TLS 1.2-
         addCipherSuite(cs, "TLS_DH_anon_WITH_AES_128_CBC_SHA", CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA);
         addCipherSuite(cs, "TLS_DH_anon_WITH_AES_128_CBC_SHA256", CipherSuite.TLS_DH_anon_WITH_AES_128_CBC_SHA256);