fixup! Add support for integrity-only cipher suites for TLS v1.3

Author: rajeev-0

doc/man1/openssl-ciphers.pod.in

@@ -743,7 +743,7 @@ Note: the CBC modes mentioned in this RFC are not supported.
  TLS_SHA256_SHA256          TLS_SHA256_SHA256
  TLS_SHA384_SHA384          TLS_SHA384_SHA384
 
-Note: these ciphers are HMAC based and do not provide any confidentiality
+Note: these ciphers are purely HMAC based and do not provide any confidentiality
 and thus are disabled by default.
 These ciphers are available at security level 0.
 

doc/man3/SSL_CTX_set_cipher_list.pod

@@ -50,9 +50,9 @@ ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are:
 
 =item TLS_AES_128_CCM_8_SHA256
 
-=item TLS_SHA384_SHA384
+=item TLS_SHA384_SHA384 - integrity-only!
 
-=item TLS_SHA256_SHA256
+=item TLS_SHA256_SHA256 - integrity-only!
 
 =back
 

ssl/record/methods/recmethod_local.h

@@ -295,7 +295,7 @@ struct ossl_record_layer_st
     /* cryptographic state */
     EVP_CIPHER_CTX *enc_ctx;
 
-    /* TLSv1.3 MAC ctx, only used with Integrity-Only cipher*/
+    /* TLSv1.3 MAC ctx, only used with integrity-only cipher */
     EVP_MAC_CTX *mac_ctx;
 
     /* Explicit IV length */
@@ -336,9 +336,8 @@ struct ossl_record_layer_st
     int tlstree;
 
     /* TLSv1.3 fields */
-    /* static IV */
-    unsigned char *iv;
-    unsigned char *nonce;
+    unsigned char *iv;     /* static IV */
+    unsigned char *nonce;  /* part of static IV followed by sequence number */
     int allow_plain_alerts;
 
     /* TLS "any" fields */

ssl/record/methods/tls13_meth.c

@@ -36,7 +36,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
         return OSSL_RECORD_RETURN_FATAL;
     }
 
-    rl->nonce = OPENSSL_zalloc(ivlen);
+    rl->nonce = OPENSSL_malloc(ivlen);
     if (rl->nonce == NULL) {
         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
         return OSSL_RECORD_RETURN_FATAL;
@@ -89,10 +89,10 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
                         size_t n_recs, int sending, SSL_MAC_BUF *mac,
                         size_t macsize)
 {
-    EVP_CIPHER_CTX *ctx;
+    EVP_CIPHER_CTX *enc_ctx;
     unsigned char recheader[SSL3_RT_HEADER_LENGTH];
     unsigned char tag[EVP_MAX_MD_SIZE];
-    size_t ivlen, offset, loop, hdrlen, taglen;
+    size_t nonce_len, offset, loop, hdrlen, taglen;
     unsigned char *staticiv;
     unsigned char *nonce;
     unsigned char *seq = rl->sequence;
@@ -109,11 +109,11 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
         return 0;
     }
 
-    ctx = rl->enc_ctx;
+    enc_ctx = rl->enc_ctx; /* enc_ctx is ignored when rl->mac_ctx != NULL */
     staticiv = rl->iv;
     nonce = rl->nonce;
 
-    if (ctx == NULL && rl->mac_ctx == NULL) {
+    if (enc_ctx == NULL && rl->mac_ctx == NULL) {
         RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return 0;
     }
@@ -130,11 +130,11 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
         return 1;
     }
 
-    /* For Integrity Only, ivlen is same as MAC size */
+    /* For integrity-only ciphers, nonce_len is same as MAC size */
     if (rl->mac_ctx != NULL)
-        ivlen = EVP_MAC_CTX_get_mac_size(rl->mac_ctx);
+        nonce_len = EVP_MAC_CTX_get_mac_size(rl->mac_ctx);
     else
-        ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
+        nonce_len = EVP_CIPHER_CTX_get_iv_length(enc_ctx);
 
     if (!sending) {
         /*
@@ -146,13 +146,13 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
         rec->length -= rl->taglen;
     }
 
-    /* Set up IV */
-    if (ivlen < SEQ_NUM_SIZE) {
+    /* Set up nonce: part of static IV followed by sequence number */
+    if (nonce_len < SEQ_NUM_SIZE) {
         /* Should not happen */
         RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return 0;
     }
-    offset = ivlen - SEQ_NUM_SIZE;
+    offset = nonce_len - SEQ_NUM_SIZE;
     memcpy(nonce, staticiv, offset);
     for (loop = 0; loop < SEQ_NUM_SIZE; loop++)
         nonce[offset + loop] = staticiv[offset + loop] ^ seq[loop];
@@ -179,7 +179,7 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
         int ret = 0;
 
         if ((mac_ctx = EVP_MAC_CTX_dup(rl->mac_ctx)) == NULL
-            || !EVP_MAC_update(mac_ctx, nonce, ivlen)
+            || !EVP_MAC_update(mac_ctx, nonce, nonce_len)
             || !EVP_MAC_update(mac_ctx, recheader, sizeof(recheader))
             || !EVP_MAC_update(mac_ctx, rec->input, rec->length)
             || !EVP_MAC_final(mac_ctx, tag, &taglen, rl->taglen)) {
@@ -200,15 +200,15 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
         return ret;
     }
 
-    cipher = EVP_CIPHER_CTX_get0_cipher(ctx);
+    cipher = EVP_CIPHER_CTX_get0_cipher(enc_ctx);
     if (cipher == NULL) {
         RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return 0;
     }
     mode = EVP_CIPHER_get_mode(cipher);
 
-    if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, nonce, sending) <= 0
-        || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+    if (EVP_CipherInit_ex(enc_ctx, NULL, NULL, NULL, nonce, sending) <= 0
+        || (!sending && EVP_CIPHER_CTX_ctrl(enc_ctx, EVP_CTRL_AEAD_SET_TAG,
                                             rl->taglen,
                                             rec->data + rec->length) <= 0)) {
         RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@@ -220,19 +220,19 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs,
      * any AAD.
      */
     if ((mode == EVP_CIPH_CCM_MODE
-                 && EVP_CipherUpdate(ctx, NULL, &lenu, NULL,
+                 && EVP_CipherUpdate(enc_ctx, NULL, &lenu, NULL,
                                      (unsigned int)rec->length) <= 0)
-            || EVP_CipherUpdate(ctx, NULL, &lenu, recheader,
+            || EVP_CipherUpdate(enc_ctx, NULL, &lenu, recheader,
                                 sizeof(recheader)) <= 0
-            || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
+            || EVP_CipherUpdate(enc_ctx, rec->data, &lenu, rec->input,
                                 (unsigned int)rec->length) <= 0
-            || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
+            || EVP_CipherFinal_ex(enc_ctx, rec->data + lenu, &lenf) <= 0
             || (size_t)(lenu + lenf) != rec->length) {
         return 0;
     }
     if (sending) {
         /* Add the tag */
-        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
+        if (EVP_CIPHER_CTX_ctrl(enc_ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen,
                                 rec->data + rec->length) <= 0) {
             RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
             return 0;

ssl/tls13_enc.c

@@ -487,7 +487,7 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
 
     if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE))
             || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {
-        if (which & SSL3_CC_EARLY) {
+        if ((which & SSL3_CC_EARLY) != 0) {
             EVP_MD_CTX *mdctx = NULL;
             long handlen;
             void *hdata;
@@ -635,7 +635,7 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
         }
     }
 
-    if (!(which & SSL3_CC_EARLY)) {
+    if ((which & SSL3_CC_EARLY) == 0) {
         md = ssl_handshake_md(s);
         cipher = s->s3.tmp.new_sym_enc;
         mac_md = s->s3.tmp.new_hash;

test/sslapitest.c

@@ -3942,7 +3942,7 @@ static int early_data_skip_helper(int testtype, int cipher, int idx)
     unsigned char buf[20];
     size_t readbytes, written;
 
-    if (is_fips && cipher >= 4 )
+    if (is_fips && cipher >= 4)
         return 1;
 
     if (ciphersuites[cipher] == NULL)
@@ -4483,8 +4483,8 @@ static int test_early_data_psk_with_all_ciphers(int idx)
     if (cipher_str[idx] == NULL)
         return 1;
     /*
-     * Skip ChaCha20Poly1305 & TLS_SHA{256,384}_SHA{256,384} cipher as
-     * currently FIPS module does not support it.
+     * Skip ChaCha20Poly1305 and TLS_SHA{256,384}_SHA{256,384} ciphers
+     * as currently FIPS module does not support them.
      */
     if ((idx == 2 || idx == 5 || idx == 6) && is_fips == 1)
         return 1;