Add support for Camellia HMAC-Based cipher suites from RFC6367
authorHubert Kario <hkario@redhat.com>
Wed, 23 Jul 2014 13:03:59 +0000 (15:03 +0200)
committerMatt Caswell <matt@openssl.org>
Fri, 15 Aug 2014 22:41:20 +0000 (23:41 +0100)
While RFC6367 focuses on Camellia-GCM cipher suites, it also adds a few
cipher suites that use SHA-2 based HMAC that can be very easily
added.

Tested against gnutls 3.3.5

PR#3443

Reviewed-by: Tim Hudson <tjh@openssl.org>
doc/apps/ciphers.pod
ssl/s3_lib.c
ssl/tls1.h

index 153e891..c41a297 100644 (file)
@@ -587,6 +587,17 @@ Note: these ciphers can also be used in SSL v3.
  TLS_DH_anon_WITH_AES_128_GCM_SHA256       ADH-AES128-GCM-SHA256
  TLS_DH_anon_WITH_AES_256_GCM_SHA384       ADH-AES256-GCM-SHA384
 
+=head2 Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2
+
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384
+ TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  ECDH-ECDSA-CAMELLIA128-SHA256
+ TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  ECDH-ECDSA-CAMELLIA256-SHA384
+ TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   ECDHE-RSA-CAMELLIA128-SHA256
+ TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   ECDHE-RSA-CAMELLIA256-SHA384
+ TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    ECDH-RSA-CAMELLIA128-SHA256
+ TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    ECDH-RSA-CAMELLIA256-SHA384
+
 =head2 Pre shared keying (PSK) cipheruites
 
  TLS_PSK_WITH_RC4_128_SHA                  PSK-RC4-SHA
index a4fa1ea..6504487 100644 (file)
@@ -3033,6 +3033,127 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[]={
        256,
        },
 
+#ifndef OPENSSL_NO_CAMELLIA
+       { /* Cipher C072 */
+       1,
+       TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+       TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+       SSL_kECDHE,
+       SSL_aECDSA,
+       SSL_CAMELLIA128,
+       SSL_SHA256,
+       SSL_TLSV1_2,
+       SSL_NOT_EXP|SSL_HIGH,
+       SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
+       128,
+       128
+       },
+
+       { /* Cipher C073 */
+       1,
+       TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+       TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+       SSL_kECDHE,
+       SSL_aECDSA,
+       SSL_CAMELLIA256,
+       SSL_SHA384,
+       SSL_TLSV1_2,
+       SSL_NOT_EXP|SSL_HIGH,
+       SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
+       256,
+       256
+       },
+
+       { /* Cipher C074 */
+       1,
+       TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+       TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+       SSL_kECDHe,
+       SSL_aECDH,
+       SSL_CAMELLIA128,
+       SSL_SHA256,
+       SSL_TLSV1_2,
+       SSL_NOT_EXP|SSL_HIGH,
+       SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
+       128,
+       128
+       },
+
+       { /* Cipher C075 */
+       1,
+       TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+       TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+       SSL_kECDHe,
+       SSL_aECDH,
+       SSL_CAMELLIA256,
+       SSL_SHA384,
+       SSL_TLSV1_2,
+       SSL_NOT_EXP|SSL_HIGH,
+       SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
+       256,
+       256
+       },
+
+       { /* Cipher C076 */
+       1,
+       TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+       TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+       SSL_kECDHE,
+       SSL_aRSA,
+       SSL_CAMELLIA128,
+       SSL_SHA256,
+       SSL_TLSV1_2,
+       SSL_NOT_EXP|SSL_HIGH,
+       SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
+       128,
+       128
+       },
+
+       { /* Cipher C077 */
+       1,
+       TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+       TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+       SSL_kECDHE,
+       SSL_aRSA,
+       SSL_CAMELLIA256,
+       SSL_SHA384,
+       SSL_TLSV1_2,
+       SSL_NOT_EXP|SSL_HIGH,
+       SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
+       256,
+       256
+       },
+
+       { /* Cipher C078 */
+       1,
+       TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+       TLS1_CK_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+       SSL_kECDHr,
+       SSL_aECDH,
+       SSL_CAMELLIA128,
+       SSL_SHA256,
+       SSL_TLSV1_2,
+       SSL_NOT_EXP|SSL_HIGH,
+       SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
+       128,
+       128
+       },
+
+       { /* Cipher C079 */
+       1,
+       TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+       TLS1_CK_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+       SSL_kECDHr,
+       SSL_aECDH,
+       SSL_CAMELLIA256,
+       SSL_SHA384,
+       SSL_TLSV1_2,
+       SSL_NOT_EXP|SSL_HIGH,
+       SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
+       256,
+       256
+       },
+#endif  /* OPENSSL_NO_CAMELLIA */
 #endif /* OPENSSL_NO_ECDH */
 
 
index 3499584..11af839 100644 (file)
@@ -575,6 +575,16 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256        0x0300C031
 #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384        0x0300C032
 
+/* Camellia-CBC ciphersuites from RFC6367 */
+#define TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0x0300C072
+#define TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0x0300C073
+#define TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  0x0300C074
+#define TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  0x0300C075
+#define TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   0x0300C076
+#define TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   0x0300C077
+#define TLS1_CK_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    0x0300C078
+#define TLS1_CK_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    0x0300C079
+
 /* XXX
  * Backward compatibility alert:
  * Older versions of OpenSSL gave some DHE ciphers names with "EDH"
@@ -741,6 +751,16 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256       "ECDH-RSA-AES128-GCM-SHA256"
 #define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384       "ECDH-RSA-AES256-GCM-SHA384"
 
+/* Camellia-CBC ciphersuites from RFC6367 */
+#define TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 "ECDHE-ECDSA-CAMELLIA128-SHA256"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 "ECDHE-ECDSA-CAMELLIA256-SHA384"
+#define TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  "ECDH-ECDSA-CAMELLIA128-SHA256"
+#define TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  "ECDH-ECDSA-CAMELLIA256-SHA384"
+#define TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   "ECDHE-RSA-CAMELLIA128-SHA256"
+#define TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   "ECDHE-RSA-CAMELLIA256-SHA384"
+#define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    "ECDH-RSA-CAMELLIA128-SHA256"
+#define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    "ECDH-RSA-CAMELLIA256-SHA384"
+
 #define TLS_CT_RSA_SIGN                        1
 #define TLS_CT_DSS_SIGN                        2
 #define TLS_CT_RSA_FIXED_DH            3