Implement Aria GCM/CCM Modes and TLS cipher suites
AEAD cipher mode implementation is based on that used for AES:
https://tools.ietf.org/html/rfc5116
TLS GCM cipher suites as specified in:
https://tools.ietf.org/html/rfc6209
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4287)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c9371af..8895388 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2945,6 +2945,266 @@
#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */
+#ifndef OPENSSL_NO_ARIA
+ {
+ 1,
+ TLS1_TXT_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS1_RFC_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS1_CK_RSA_WITH_ARIA_128_GCM_SHA256,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_ARIA128GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+ },
+ {
+ 1,
+ TLS1_TXT_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS1_RFC_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS1_CK_RSA_WITH_ARIA_256_GCM_SHA384,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_ARIA256GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+ 256,
+ 256,
+ },
+ {
+ 1,
+ TLS1_TXT_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS1_RFC_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS1_CK_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ SSL_kDHE,
+ SSL_aRSA,
+ SSL_ARIA128GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+ },
+ {
+ 1,
+ TLS1_TXT_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS1_RFC_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS1_CK_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ SSL_kDHE,
+ SSL_aRSA,
+ SSL_ARIA256GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+ 256,
+ 256,
+ },
+ {
+ 1,
+ TLS1_TXT_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
+ TLS1_RFC_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
+ TLS1_CK_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
+ SSL_kDHE,
+ SSL_aDSS,
+ SSL_ARIA128GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+ },
+ {
+ 1,
+ TLS1_TXT_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
+ TLS1_RFC_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
+ TLS1_CK_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
+ SSL_kDHE,
+ SSL_aDSS,
+ SSL_ARIA256GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+ 256,
+ 256,
+ },
+ {
+ 1,
+ TLS1_TXT_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ TLS1_RFC_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ TLS1_CK_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+ SSL_kECDHE,
+ SSL_aECDSA,
+ SSL_ARIA128GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+ },
+ {
+ 1,
+ TLS1_TXT_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ TLS1_RFC_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ TLS1_CK_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+ SSL_kECDHE,
+ SSL_aECDSA,
+ SSL_ARIA256GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+ 256,
+ 256,
+ },
+
+ {
+ 1,
+ TLS1_TXT_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS1_RFC_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ TLS1_CK_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+ SSL_kECDHE,
+ SSL_aRSA,
+ SSL_ARIA128GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+ },
+ {
+ 1,
+ TLS1_TXT_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS1_RFC_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ TLS1_CK_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+ SSL_kECDHE,
+ SSL_aRSA,
+ SSL_ARIA256GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+ 256,
+ 256,
+ },
+ {
+ 1,
+ TLS1_TXT_PSK_WITH_ARIA_128_GCM_SHA256,
+ TLS1_RFC_PSK_WITH_ARIA_128_GCM_SHA256,
+ TLS1_CK_PSK_WITH_ARIA_128_GCM_SHA256,
+ SSL_kPSK,
+ SSL_aPSK,
+ SSL_ARIA128GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+ },
+ {
+ 1,
+ TLS1_TXT_PSK_WITH_ARIA_256_GCM_SHA384,
+ TLS1_RFC_PSK_WITH_ARIA_256_GCM_SHA384,
+ TLS1_CK_PSK_WITH_ARIA_256_GCM_SHA384,
+ SSL_kPSK,
+ SSL_aPSK,
+ SSL_ARIA256GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+ 256,
+ 256,
+ },
+ {
+ 1,
+ TLS1_TXT_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+ TLS1_RFC_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+ TLS1_CK_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+ SSL_kDHEPSK,
+ SSL_aPSK,
+ SSL_ARIA128GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+ },
+ {
+ 1,
+ TLS1_TXT_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+ TLS1_RFC_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+ TLS1_CK_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+ SSL_kDHEPSK,
+ SSL_aPSK,
+ SSL_ARIA256GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+ 256,
+ 256,
+ },
+
+ {
+ 1,
+ TLS1_TXT_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+ TLS1_RFC_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+ TLS1_CK_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+ SSL_kRSAPSK,
+ SSL_aRSA,
+ SSL_ARIA128GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 128,
+ 128,
+ },
+ {
+ 1,
+ TLS1_TXT_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+ TLS1_RFC_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+ TLS1_CK_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+ SSL_kRSAPSK,
+ SSL_aRSA,
+ SSL_ARIA256GCM,
+ SSL_AEAD,
+ TLS1_2_VERSION, TLS1_2_VERSION,
+ DTLS1_2_VERSION, DTLS1_2_VERSION,
+ SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+ 256,
+ 256,
+ },
+#endif /* OPENSSL_NO_ARIA */
};
/*
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 17bd939..deacef7 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -40,7 +40,9 @@
#define SSL_ENC_AES256CCM8_IDX 17
#define SSL_ENC_GOST8912_IDX 18
#define SSL_ENC_CHACHA_IDX 19
-#define SSL_ENC_NUM_IDX 20
+#define SSL_ENC_ARIA128GCM_IDX 20
+#define SSL_ENC_ARIA256GCM_IDX 21
+#define SSL_ENC_NUM_IDX 22
/* NB: make sure indices in these tables match values above */
@@ -69,8 +71,10 @@
{SSL_AES256CCM, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM_IDX 15 */
{SSL_AES128CCM8, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM8_IDX 16 */
{SSL_AES256CCM8, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM8_IDX 17 */
- {SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX */
- {SSL_CHACHA20POLY1305, NID_chacha20_poly1305},
+ {SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX 18 */
+ {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
+ {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
+ {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
};
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
@@ -269,6 +273,10 @@
{0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA},
{0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20},
+ {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
+ {0, SSL_TXT_ARIA128, NULL, 0, 0, 0, SSL_ARIA128GCM},
+ {0, SSL_TXT_ARIA256, NULL, 0, 0, 0, SSL_ARIA256GCM},
+
/* MAC aliases */
{0, SSL_TXT_MD5, NULL, 0, 0, 0, 0, SSL_MD5},
{0, SSL_TXT_SHA1, NULL, 0, 0, 0, 0, SSL_SHA1},
@@ -1639,6 +1647,12 @@
case SSL_CAMELLIA256:
enc = "Camellia(256)";
break;
+ case SSL_ARIA128GCM:
+ enc = "ARIAGCM(128)";
+ break;
+ case SSL_ARIA256GCM:
+ enc = "ARIAGCM(256)";
+ break;
case SSL_SEED:
enc = "SEED(128)";
break;
@@ -1962,7 +1976,7 @@
/* Some hard-coded numbers for the CCM/Poly1305 MAC overhead
* because there are no handy #defines for those. */
- if (c->algorithm_enc & SSL_AESGCM) {
+ if (c->algorithm_enc & (SSL_AESGCM | SSL_ARIAGCM)) {
out = EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
} else if (c->algorithm_enc & (SSL_AES128CCM | SSL_AES256CCM)) {
out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;
diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c
index 478a48e..8eb6ef1 100644
--- a/ssl/ssl_init.c
+++ b/ssl/ssl_init.c
@@ -59,6 +59,10 @@
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha256());
+#ifndef OPENSSL_NO_ARIA
+ EVP_add_cipher(EVP_aria_128_gcm());
+ EVP_add_cipher(EVP_aria_256_gcm());
+#endif
#ifndef OPENSSL_NO_CAMELLIA
EVP_add_cipher(EVP_camellia_128_cbc());
EVP_add_cipher(EVP_camellia_256_cbc());
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f3fc5bc..4896c35 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -231,12 +231,16 @@
# define SSL_AES256CCM8 0x00020000U
# define SSL_eGOST2814789CNT12 0x00040000U
# define SSL_CHACHA20POLY1305 0x00080000U
+# define SSL_ARIA128GCM 0x00100000U
+# define SSL_ARIA256GCM 0x00200000U
# define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
# define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
# define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
# define SSL_CHACHA20 (SSL_CHACHA20POLY1305)
+# define SSL_ARIAGCM (SSL_ARIA128GCM | SSL_ARIA256GCM)
+# define SSL_ARIA (SSL_ARIAGCM)
/* Bits for algorithm_mac (symmetric authentication) */
