author | lloyd <[email protected]> | 2015-01-21 20:58:04 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2015-01-21 20:58:04 +0000 |
commit | 316a7b79146e8003d33f50b58e1c6c3ba9874a32 (patch) | |
tree | e9b049271ac1e4ff963e67caac30cb29f9e7b9a0 | |
parent | 1f59fa09984cb364c1dc560043ffa735e1f23494 (diff) |
Update TLS OCB ciphersuites to match draft-zauner-tls-aes-ocb-00
and enable them in the default build, though still not enabled in the
runtime policy.
-rw-r--r-- | doc/manual/tls.rst | 3 | ||||
-rw-r--r-- | doc/relnotes/1_11_14.rst | 9 | ||||
-rw-r--r-- | doc/relnotes/index.rst | 1 | ||||
-rw-r--r-- | src/lib/tls/tls_ciphersuite.cpp | 10 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 2 | ||||
-rw-r--r-- | src/lib/tls/tls_suite_info.cpp | 38 | ||||
-rwxr-xr-x | src/scripts/tls_suite_info.py | 41 |
7 files changed, 84 insertions, 20 deletions
diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst index c2cdeb667..4ac7b5cb3 100644 --- a/doc/manual/tls.rst +++ b/doc/manual/tls.rst @@ -517,6 +517,9 @@ be negotiated during a handshake. Also allowed: "Camellia-256/GCM", "Camellia-128/GCM", "Camellia-256", "Camellia-128" + Also allowed (though currently experimental): "AES-128/OCB(12)", + "AES-256/OCB(12)" + Also allowed (although **not recommended**): "SEED", "3DES", "RC4" .. note:: diff --git a/doc/relnotes/1_11_14.rst b/doc/relnotes/1_11_14.rst new file mode 100644 index 000000000..0fabe190e --- /dev/null +++ b/doc/relnotes/1_11_14.rst @@ -0,0 +1,9 @@ +1.11.14, Not Yet Released +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* OCB mode, which provides a fast and constant time AEAD mode without + requiring hardware support, is now supported in TLS, following + draft-zauner-tls-aes-ocb-00. Because this specification is not yet + finalized is not yet enabled by the default policy, and the + ciphersuite numbers used are in the experimental range and may + conflict with other uses. diff --git a/doc/relnotes/index.rst b/doc/relnotes/index.rst index 24a13dfb9..ff92f9e4f 100644 --- a/doc/relnotes/index.rst +++ b/doc/relnotes/index.rst @@ -8,6 +8,7 @@ Series 1.11 .. toctree:: :maxdepth: 1 + 1_11_14 1_11_13 1_11_12 1_11_11 diff --git a/src/lib/tls/tls_ciphersuite.cpp b/src/lib/tls/tls_ciphersuite.cpp index c912965c6..b2ff2476b 100644 --- a/src/lib/tls/tls_ciphersuite.cpp +++ b/src/lib/tls/tls_ciphersuite.cpp @@ -134,7 +134,7 @@ bool Ciphersuite::valid() const #endif #if !defined(BOTAN_HAS_AEAD_OCB) - if(mode == "OCB") + if(mode == "OCB(12)" || mode == "OCB") return false; #endif } 
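Review bot: The guard in valid() now enumerates two spellings of the OCB mode tag, `mode == "OCB(12)" || mode == "OCB"`, so any other `OCB(n)` spelling would slip past this check in a build without BOTAN_HAS_AEAD_OCB and presumably be rejected only later. A prefix test in the style this file already uses for Camellia, `if(mode.find("OCB") == 0)`, covers every spelling with one comparison (assuming mode is a std::string, as the existing comparisons suggest). valid() begins before this hunk and its body continues outside it.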
@@ -233,7 +233,13 @@ std::string Ciphersuite::to_string() const
 else if(cipher_algo().find("Camellia") == 0)
 out << "CAMELLIA_" << std::to_string(8*cipher_keylen());
 else
- out << replace_chars(cipher_algo(), {'-', '/'}, '_');
+ {
+ if(cipher_algo().find("OCB(12)") != std::string::npos)
+ out << replace_chars(cipher_algo().substr(0, cipher_algo().size() - 4),
+ {'-', '/'}, '_');
+ else
+ out << replace_chars(cipher_algo(), {'-', '/'}, '_');
+ }
 
 if(cipher_algo().find("/") != std::string::npos)
 out << "_"; // some explicit mode already included
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index d8d241a2a..fc8f54e8e 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -18,6 +18,8 @@ namespace TLS {
 std::vector<std::string> Policy::allowed_ciphers() const
 {
 return std::vector<std::string>({
+ //"AES-256/OCB(12)",
+ //"AES-128/OCB(12)",
 "ChaCha20Poly1305",
 "AES-256/GCM",
 "AES-128/GCM",
diff --git a/src/lib/tls/tls_suite_info.cpp b/src/lib/tls/tls_suite_info.cpp
index a8862c3b2..60777672a 100644
--- a/src/lib/tls/tls_suite_info.cpp
+++ b/src/lib/tls/tls_suite_info.cpp
@@ -3,7 +3,7 @@
 *
 * This file was automatically generated from the IANA assignments
 * (tls-parameters.txt hash 4bc98b6f75ad5b63952b5f457fa7adbfef60f095)
-* by ./src/scripts/tls_suite_info.py on 2014-12-31
+* by ./src/scripts/tls_suite_info.py on 2015-01-21
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
@@ -78,6 +78,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0x00AA: // DHE_PSK_WITH_AES_128_GCM_SHA256
 return Ciphersuite(0x00AA, "", "DHE_PSK", "AES-128/GCM", 16, 4, 8, "AEAD", 0, "SHA-256");
 
+ case 0xFFFA: // DHE_PSK_WITH_AES_128_OCB_SHA256
+ return Ciphersuite(0xFFFA, "", "DHE_PSK", "AES-128/OCB(12)", 16, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0x0091: // DHE_PSK_WITH_AES_256_CBC_SHA
 return Ciphersuite(0x0091, "", "DHE_PSK", "AES-256", 32, 16, 0, "SHA-1", 20);
 
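Review bot: `cipher_algo().substr(0, cipher_algo().size() - 4)` hardcodes the length of the `(12)` suffix, so the printed suite name silently goes wrong if the OCB tag length is ever changed, and the branch calls cipher_algo() four times. Stripping from the parenthesis instead collapses both branches into one statement: `const std::string algo = cipher_algo();` then `out << replace_chars(algo.substr(0, algo.find('(')), {'-', '/'}, '_');` — `find` returning npos leaves non-OCB names untouched. to_string() starts before this hunk and continues after it.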
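Review bot: The two commented-out entries at the top of allowed_ciphers() give a reader no hint why they are present or when they may be enabled; that reasoning lives only in the commit message and the release notes. A one-line comment above them, `// OCB suites follow draft-zauner-tls-aes-ocb-00; kept out of the default policy until the draft is finalized`, keeps the intent next to the code instead of leaving what looks like dead code. allowed_ciphers() continues past this hunk.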
@@ -90,6 +93,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0x00AB: // DHE_PSK_WITH_AES_256_GCM_SHA384
 return Ciphersuite(0x00AB, "", "DHE_PSK", "AES-256/GCM", 32, 4, 8, "AEAD", 0, "SHA-384");
 
+ case 0xFFFB: // DHE_PSK_WITH_AES_256_OCB_SHA256
+ return Ciphersuite(0xFFFB, "", "DHE_PSK", "AES-256/OCB(12)", 32, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0xC096: // DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
 return Ciphersuite(0xC096, "", "DHE_PSK", "Camellia-128", 16, 16, 0, "SHA-256", 32);
 
@@ -123,6 +129,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0x009E: // DHE_RSA_WITH_AES_128_GCM_SHA256
 return Ciphersuite(0x009E, "RSA", "DH", "AES-128/GCM", 16, 4, 8, "AEAD", 0, "SHA-256");
 
+ case 0xFFF4: // DHE_RSA_WITH_AES_128_OCB_SHA256
+ return Ciphersuite(0xFFF4, "RSA", "DH", "AES-128/OCB(12)", 16, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0x0039: // DHE_RSA_WITH_AES_256_CBC_SHA
 return Ciphersuite(0x0039, "RSA", "DH", "AES-256", 32, 16, 0, "SHA-1", 20);
 
@@ -138,6 +147,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0x009F: // DHE_RSA_WITH_AES_256_GCM_SHA384
 return Ciphersuite(0x009F, "RSA", "DH", "AES-256/GCM", 32, 4, 8, "AEAD", 0, "SHA-384");
 
+ case 0xFFF5: // DHE_RSA_WITH_AES_256_OCB_SHA256
+ return Ciphersuite(0xFFF5, "RSA", "DH", "AES-256/OCB(12)", 32, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0x0045: // DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 return Ciphersuite(0x0045, "RSA", "DH", "Camellia-128", 16, 16, 0, "SHA-1", 20);
 
@@ -225,6 +237,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0xC02B: // ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 return Ciphersuite(0xC02B, "ECDSA", "ECDH", "AES-128/GCM", 16, 4, 8, "AEAD", 0, "SHA-256");
 
+ case 0xFFF2: // ECDHE_ECDSA_WITH_AES_128_OCB_SHA256
+ return Ciphersuite(0xFFF2, "ECDSA", "ECDH", "AES-128/OCB(12)", 16, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0xC00A: // ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 return Ciphersuite(0xC00A, "ECDSA", "ECDH", "AES-256", 32, 16, 0, "SHA-1", 20);
 
@@ -240,6 +255,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0xC02C: // ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 return Ciphersuite(0xC02C, "ECDSA", "ECDH", "AES-256/GCM", 32, 4, 8, "AEAD", 0, "SHA-384");
 
+ case 0xFFF3: // ECDHE_ECDSA_WITH_AES_256_OCB_SHA256
+ return Ciphersuite(0xFFF3, "ECDSA", "ECDH", "AES-256/OCB(12)", 32, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0xC072: // ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
 return Ciphersuite(0xC072, "ECDSA", "ECDH", "Camellia-128", 16, 16, 0, "SHA-256", 32);
 
@@ -267,12 +285,18 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0xC037: // ECDHE_PSK_WITH_AES_128_CBC_SHA256
 return Ciphersuite(0xC037, "", "ECDHE_PSK", "AES-128", 16, 16, 0, "SHA-256", 32);
 
+ case 0xFFF8: // ECDHE_PSK_WITH_AES_128_OCB_SHA256
+ return Ciphersuite(0xFFF8, "", "ECDHE_PSK", "AES-128/OCB(12)", 16, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0xC036: // ECDHE_PSK_WITH_AES_256_CBC_SHA
 return Ciphersuite(0xC036, "", "ECDHE_PSK", "AES-256", 32, 16, 0, "SHA-1", 20);
 
 case 0xC038: // ECDHE_PSK_WITH_AES_256_CBC_SHA384
 return Ciphersuite(0xC038, "", "ECDHE_PSK", "AES-256", 32, 16, 0, "SHA-384", 48);
 
+ case 0xFFF9: // ECDHE_PSK_WITH_AES_256_OCB_SHA256
+ return Ciphersuite(0xFFF9, "", "ECDHE_PSK", "AES-256/OCB(12)", 32, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0xC09A: // ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
 return Ciphersuite(0xC09A, "", "ECDHE_PSK", "Camellia-128", 16, 16, 0, "SHA-256", 32);
 
@@ -294,6 +318,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0xC02F: // ECDHE_RSA_WITH_AES_128_GCM_SHA256
 return Ciphersuite(0xC02F, "RSA", "ECDH", "AES-128/GCM", 16, 4, 8, "AEAD", 0, "SHA-256");
 
+ case 0xFFF0: // ECDHE_RSA_WITH_AES_128_OCB_SHA256
+ return Ciphersuite(0xFFF0, "RSA", "ECDH", "AES-128/OCB(12)", 16, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0xC014: // ECDHE_RSA_WITH_AES_256_CBC_SHA
 return Ciphersuite(0xC014, "RSA", "ECDH", "AES-256", 32, 16, 0, "SHA-1", 20);
 
@@ -303,6 +330,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0xC030: // ECDHE_RSA_WITH_AES_256_GCM_SHA384
 return Ciphersuite(0xC030, "RSA", "ECDH", "AES-256/GCM", 32, 4, 8, "AEAD", 0, "SHA-384");
 
+ case 0xFFF1: // ECDHE_RSA_WITH_AES_256_OCB_SHA256
+ return Ciphersuite(0xFFF1, "RSA", "ECDH", "AES-256/OCB(12)", 32, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0xC076: // ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
 return Ciphersuite(0xC076, "RSA", "ECDH", "Camellia-128", 16, 16, 0, "SHA-256", 32);
 
@@ -357,6 +387,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0x00A8: // PSK_WITH_AES_128_GCM_SHA256
 return Ciphersuite(0x00A8, "", "PSK", "AES-128/GCM", 16, 4, 8, "AEAD", 0, "SHA-256");
 
+ case 0xFFF6: // PSK_WITH_AES_128_OCB_SHA256
+ return Ciphersuite(0xFFF6, "", "PSK", "AES-128/OCB(12)", 16, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0x008D: // PSK_WITH_AES_256_CBC_SHA
 return Ciphersuite(0x008D, "", "PSK", "AES-256", 32, 16, 0, "SHA-1", 20);
 
@@ -372,6 +405,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
 case 0x00A9: // PSK_WITH_AES_256_GCM_SHA384
 return Ciphersuite(0x00A9, "", "PSK", "AES-256/GCM", 32, 4, 8, "AEAD", 0, "SHA-384");
 
+ case 0xFFF7: // PSK_WITH_AES_256_OCB_SHA256
+ return Ciphersuite(0xFFF7, "", "PSK", "AES-256/OCB(12)", 32, 4, 0, "AEAD", 0, "SHA-256");
+
 case 0xC094: // PSK_WITH_CAMELLIA_128_CBC_SHA256
 return Ciphersuite(0xC094, "", "PSK", "Camellia-128", 16, 16, 0, "SHA-256", 32);
 
diff --git a/src/scripts/tls_suite_info.py b/src/scripts/tls_suite_info.py
index 4fb3c430a..d569352ef 100755
--- a/src/scripts/tls_suite_info.py
+++ b/src/scripts/tls_suite_info.py
@@ -129,17 +129,24 @@ def to_ciphersuite_info(code, name): ivlen = 8 if cipher_algo == '3DES' else 16 if mode != 'CBC': - cipher_algo += '/' + mode + if mode == 'OCB': + cipher_algo += '/OCB(12)' + else: + cipher_algo += '/' + mode if cipher_algo in stream_ciphers or mode == 'CBC': return 'Ciphersuite(0x%s, "%s", "%s", "%s", %d, %d, 0, "%s", %d)' % ( code, sig_algo, kex_algo, cipher_algo, cipher_keylen, ivlen, mac_algo, mac_keylen[mac_algo]) + elif mode == 'OCB': + + return 'Ciphersuite(0x%s, "%s", "%s", "%s", %d, %d, %d, "AEAD", %d, "%s")' % ( + code, sig_algo, kex_algo, cipher_algo, cipher_keylen, 4, 0, 0, mac_algo) else: - imp_iv_len = 4 - exp_iv_len = 8 + iv_bytes_from_hs = 4 + iv_bytes_from_rec = 8 return 'Ciphersuite(0x%s, "%s", "%s", "%s", %d, %d, %d, "AEAD", %d, "%s")' % ( - code, sig_algo, kex_algo, cipher_algo, cipher_keylen, imp_iv_len, exp_iv_len, 0, mac_algo) + code, sig_algo, kex_algo, cipher_algo, cipher_keylen, iv_bytes_from_hs, iv_bytes_from_rec, 0, mac_algo) def open_input(args): iana_url = 'https://www.iana.org/assignments/tls-parameters/tls-parameters.txt' 
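Review bot: The new `elif mode == 'OCB':` branch repeats the AEAD format string with bare positional literals `4, 0, 0` and carries a stray blank line after the `elif`, while the `else` branch directly below names the same fields `iv_bytes_from_hs` / `iv_bytes_from_rec`. The branch can be dropped and the one difference folded into the else, `iv_bytes_from_rec = 0 if mode == 'OCB' else 8`, leaving a single return and a single place that says what each positional argument means. The `'/OCB(12)'` literal also fixes the tag length here while tls_ciphersuite.cpp matches the same `OCB(12)` string, so a short comment noting that the two must stay in sync would help the next person who changes either. to_ciphersuite_info() starts before this hunk.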
@@ -234,13 +241,19 @@ def main(args = None):
 
 # Expermental things
 if options.with_ocb:
- define_custom_ciphersuite('ECDHE_ECDSA_WITH_AES_128_OCB_SHA256', 'FF80')
- define_custom_ciphersuite('ECDHE_ECDSA_WITH_AES_256_OCB_SHA384', 'FF81')
- define_custom_ciphersuite('ECDHE_RSA_WITH_AES_128_OCB_SHA256', 'FF82')
- define_custom_ciphersuite('ECDHE_RSA_WITH_AES_256_OCB_SHA384', 'FF83')
-
- define_custom_ciphersuite('ECDHE_PSK_WITH_AES_128_OCB_SHA256', 'FF85')
- define_custom_ciphersuite('ECDHE_PSK_WITH_AES_256_OCB_SHA384', 'FF86')
+ define_custom_ciphersuite('ECDHE_RSA_WITH_AES_128_OCB_SHA256', 'FFF0')
+ define_custom_ciphersuite('ECDHE_RSA_WITH_AES_256_OCB_SHA256', 'FFF1')
+ define_custom_ciphersuite('ECDHE_ECDSA_WITH_AES_128_OCB_SHA256', 'FFF2')
+ define_custom_ciphersuite('ECDHE_ECDSA_WITH_AES_256_OCB_SHA256', 'FFF3')
+ define_custom_ciphersuite('DHE_RSA_WITH_AES_128_OCB_SHA256', 'FFF4')
+ define_custom_ciphersuite('DHE_RSA_WITH_AES_256_OCB_SHA256', 'FFF5')
+
+ define_custom_ciphersuite('PSK_WITH_AES_128_OCB_SHA256', 'FFF6')
+ define_custom_ciphersuite('PSK_WITH_AES_256_OCB_SHA256', 'FFF7')
+ define_custom_ciphersuite('ECDHE_PSK_WITH_AES_128_OCB_SHA256', 'FFF8')
+ define_custom_ciphersuite('ECDHE_PSK_WITH_AES_256_OCB_SHA256', 'FFF9')
+ define_custom_ciphersuite('DHE_PSK_WITH_AES_128_OCB_SHA256', 'FFFA')
+ define_custom_ciphersuite('DHE_PSK_WITH_AES_256_OCB_SHA256', 'FFFB')
 
 if options.with_eax:
 define_custom_ciphersuite('ECDHE_ECDSA_WITH_AES_128_EAX_SHA256', 'FF90')
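Review bot: The twelve new ids `'FFF0'`–`'FFFB'` are listed with nothing in the script saying where they come from; the only record is the commit message and the release notes, which also state that the numbers sit in the experimental range and may conflict with other uses. A comment on the block, `# ids per draft-zauner-tls-aes-ocb-00 (experimental range; may collide with other private-use suites)`, keeps that next to the values, and since tls_suite_info.cpp's header says it is generated by this script, it is worth saying there that the .cpp must be regenerated whenever this list changes. The pre-existing `# Expermental things` spelling in the context line could be fixed in passing. main() starts before this hunk and continues after it.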
@@ -254,12 +267,6 @@ def main(args = None):
 define_custom_ciphersuite('SRP_SHA_DSS_WITH_AES_256_GCM_SHA384', 'FFA2')
 define_custom_ciphersuite('SRP_SHA_ECDSA_WITH_AES_256_GCM_SHA384', 'FFA3')
 
- if options.with_ocb:
- define_custom_ciphersuite('SRP_SHA_WITH_AES_256_OCB_SHA384', 'FFA4')
- define_custom_ciphersuite('SRP_SHA_RSA_WITH_AES_256_OCB_SHA384', 'FFA5')
- define_custom_ciphersuite('SRP_SHA_DSS_WITH_AES_256_OCB_SHA384', 'FFA6')
- define_custom_ciphersuite('SRP_SHA_ECDSA_WITH_AES_256_OCB_SHA384', 'FFA7')
-
 if options.with_eax:
 define_custom_ciphersuite('SRP_SHA_WITH_AES_256_EAX_SHA384', 'FFA8')
 define_custom_ciphersuite('SRP_SHA_RSA_WITH_AES_256_EAX_SHA384', 'FFA9')
|