

Add set of ARIA cipher suites.
Ignore API difference in enum-order for CipherSuite.
Add interoperability tests.

Signed-off-by: Achim Kraus <achim.kraus@cloudcoap.net>
boaks committed Mar 26, 2023
1 parent 012e857 commit 2e184f1
Showing 6 changed files with 123 additions and 12 deletions.
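--- a/MbedTlsUtil.java
+++ b/MbedTlsUtil.java
@@ -71,6 +71,26 @@ public class MbedTlsUtil {
 CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384");
 
+CIPHERSUITES_MAP.put(CipherSuite.TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+"TLS-PSK-WITH-ARIA-128-GCM-SHA256");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+"TLS-PSK-WITH-ARIA-256-GCM-SHA384");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+"TLS-PSK-WITH-ARIA-128-CBC-SHA256");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+"TLS-PSK-WITH-ARIA-256-CBC-SHA384");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+"TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+"TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+"TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+"TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+"TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+"TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384");
 }
 
 /**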
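Review bot: TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 (0xC06C), which this commit adds to CipherSuite and lists in the README, has no entry in CIPHERSUITES_MAP here, so the Mbed TLS interoperability run can never negotiate it. If Mbed TLS supports that suite, add `CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256");` next to the other PSK entries, following the naming pattern of the existing lines; if it is left out on purpose, a one-line comment saying so would spare the next reader the same check. The static initializer continues outside the hunk.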
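--- a/OpenSslUtil.java
+++ b/OpenSslUtil.java
@@ -59,6 +59,13 @@ public class OpenSslUtil {
 CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "ECDHE-RSA-AES256-SHA");
 CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "ECDHE-RSA-AES256-SHA384");
 
+CIPHERSUITES_MAP.put(CipherSuite.TLS_PSK_WITH_ARIA_128_GCM_SHA256, "PSK-ARIA128-GCM-SHA256");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_PSK_WITH_ARIA_256_GCM_SHA384, "PSK-ARIA256-GCM-SHA384");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, "ECDHE-ECDSA-ARIA128-GCM-SHA256");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, "ECDHE-ECDSA-ARIA256-GCM-SHA384");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, "ECDHE-ARIA128-GCM-SHA256");
+CIPHERSUITES_MAP.put(CipherSuite.TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, "ECDHE-ARIA256-GCM-SHA384");
+
 }
 
 /**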
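Review bot: Only the six ARIA GCM suites are mapped here, while the Mbed TLS map and CipherSuite in the same commit also gain the ARIA CBC and ECDHE-PSK variants, and nothing in the file records why the two maps differ. If the reason is that the OpenSSL cipher list carries no ARIA CBC or ECDHE-PSK ARIA suites (worth confirming against the OpenSSL version the interop tests run with), a comment above the block such as `// OpenSSL offers only the ARIA GCM suites of RFC 6209; ARIA CBC and ECDHE-PSK ARIA are exercised against Mbed TLS only.` keeps the next reader from re-deriving it. The empty line left between the last put and the closing brace can also go. The static initializer continues outside the hunk.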
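--- a/JceNames.java
+++ b/JceNames.java
@@ -109,6 +109,22 @@ public interface JceNames {
 
 /**
 * Name of environment variable to specify the JCE.
+*
+* Usage via environment variable:
+* <pre>
+* unix:
+* export CALIFORNIUM_JCE_PROVIDER=BC
+* ...
+* java ...
+* </pre>
+*
+* or via system property:
+*
+* <pre>
+* java -DCALIFORNIUM_JCE_PROVIDER=BC ...
+* </pre>
+*
+* Requires to add the required jars to the classpath!
 */
 public String CALIFORNIUM_JCE_PROVIDER = "CALIFORNIUM_JCE_PROVIDER";
 /**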
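Review bot: The new Javadoc shows `BC` as the only value and closes with `* Requires to add the required jars to the classpath!`, which says neither whose jars are meant nor what happens when both the environment variable and the system property are set; JceProviderUtil, which presumably resolves both, is not in view here. Suggest replacing that last line with `* The selected provider's jars (e.g. Bouncy Castle for {@code BC}) must be on the classpath; the provider then runs with the application's privileges, so only reference one that was installed deliberately.` and, once confirmed against JceProviderUtil, one sentence stating which of the two settings takes precedence.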
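--- a/pom.xml
+++ b/pom.xml
@@ -369,7 +369,7 @@
 <dependency>
 <groupId>org.revapi</groupId>
 <artifactId>revapi-java</artifactId>
-<version>0.28.0</version>
+<version>0.28.1</version>
 </dependency>
 </dependencies>
 </plugin>
@@ -564,6 +564,15 @@
 Californium uses classes of slf4j in some case with scope protected.
 </justification>
 </item>
+<item>
+<regex>true</regex>
+<code>java.field.enumConstantOrderChanged</code>
+<class>org\.eclipse\.californium\.scandium\.dtls\.cipher\.CipherSuite</class>
+<justification>
+Order in CipherSuite reflects the preference by intention.
+ordinal() must not be used.
+</justification>
+</item>
 </differences>
 </revapi.differences>
 <revapi.filter>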
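Review bot: The new ignore item silences every future enum-constant reorder in CipherSuite, and since that order is the default negotiation preference (the justification says so itself), a later accidental reorder would change which suite gets negotiated without revapi flagging it. The justification should state that reorders are accepted on purpose and need review for their preference impact, e.g. `Reorders change the default preference and need manual review.`, and ideally a unit test pins the expected default preference list so the build still catches an unintended move. Separately, `<regex>true</regex>` buys nothing for a value without regex features; the plain class name with `<regex>false</regex>` (or `^`/`$` anchors, if revapi matches with find rather than a full match, which is worth confirming) keeps the ignore from also covering other classes whose name begins with CipherSuite.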
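--- a/scandium-core/README.md
+++ b/scandium-core/README.md
@@ -210,6 +210,19 @@ Also Starting with 3.0.0-RC1, a server may use a `X509KeyManager` in order to pr
 - *TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
 - *TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA*
 
+ARIA cipher suites since 3.9.0, requires support by JCE, e.g. BouncyCastle 1.72:
+- TLS_PSK_WITH_ARIA_128_GCM_SHA256
+- TLS_PSK_WITH_ARIA_256_GCM_SHA384
+- *TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256*
+- *TLS_PSK_WITH_ARIA_128_CBC_SHA256*
+- *TLS_PSK_WITH_ARIA_256_CBC_SHA384*
+- TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+- *TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256*
+- *TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384*
+- TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+
 Note: the *CBC* cipher suites are not longer recommended for new deployments!
 
 Note: *SHA378* in the cipher suite names are typos. It must be *SHA384*. The straight forward fix would break the API, therefore the fix is postponed to 4.0 (no schedule for now)!
@@ -246,6 +259,7 @@ Supported extensions:
 - [RFC 6066 - TLS Extensions](https://tools.ietf.org/html/rfc6066)
 - [RFC 6066 - Server Name Indication](https://tools.ietf.org/html/rfc6066#section-3)
 - [RFC 6066 - Maximum Fragment Length Negotiation](https://tools.ietf.org/html/rfc6066#section-4)
+- [RFC 6209 - ARIA Cipher Suites](https://tools.ietf.org/html/rfc6209) (since 3.9.0)
 - [RFC 7250 - Raw Public Keys](https://tools.ietf.org/html/rfc7250)
 - [RFC 7627 - Extended Master Secret Extension](https://tools.ietf.org/html/rfc7627)
 - [RFC 7748 - Elliptic Curves for Security](https://tools.ietf.org/html/rfc7748)
@@ -310,6 +324,19 @@ Starting with 3.0.0-RC1 an experimental support for using [Bouncy Castle](https:
 
 And setup a environment variable `CALIFORNIUM_JCE_PROVIDER` using the value `BC` (see [JceProviderUtil](../element-connector/src/main/java/org/eclipse/californium/elements/util/JceProviderUtil.java) for more details) or use the java `System.property` `CALIFORNIUM_JCE_PROVIDER` to do so.
 
+environment variable on unix:
+
+```
+export CALIFORNIUM_JCE_PROVIDER=BC
+...
+java ...
+```
+java `System.property`:
+
+```
+java -DCALIFORNIUM_JCE_PROVIDER=BC
+```
+
 Supporting Bouncy Castle for the unit test uncovers a couple of differences, which required to adapt the implementation. It is assumed, that more will be found and more adaption will be required. If you find some, don't hesitate to report issues, perhaps research and analysis, and fixes. On the other hand, the project Californium will for now not be able to provide support for Bouncy Castle questions with or without relation to Californium. You may create issues, but it may be not possible for us to answer them.
 
 On issue seems to be the `SecureRandom` generator of BC. Dependent on the runtime environment, that is based on `SecureRandom.getInstanceStrong()`, which has blocking behaviour by default. If the platform your application runs on, has not enough entropy to start the `SecureRandom`, BC waits until that gets available. In common cases, that starts quite fast, but in some cases, that takes up to 60s (and more).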
Expand Up @@ -56,12 +56,18 @@
/**
* A cipher suite defines a key exchange algorithm, a bulk cipher algorithm, a
* MAC algorithm, a pseudo random number (PRF) algorithm and a cipher type.
*
* <p>
* <b>Note:</b> {@code ordinal()} must not be used!
* The order of the cipher-suites reflects the intended default precedence.
* Extensions may therefore change the related {@code ordinal()} value.
* </p>
* <p>
* See <a href="https://tools.ietf.org/html/rfc5246#appendix-A.6" target="_blank">RFC 5246</a>
* for details.
* See <a href="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml" target="_blank">
* Transport Layer Security Parameters</a> for the official codes for the cipher
* suites.
* </p>
*/
public enum CipherSuite {

Expand Down Expand Up @@ -115,28 +121,50 @@ public enum CipherSuite {
TLS_PSK_WITH_AES_128_CCM(0xC0A4, CertificateKeyAlgorithm.NONE, KeyExchangeAlgorithm.PSK, CipherSpec.AES_128_CCM, true),
TLS_PSK_WITH_AES_256_CCM(0xC0A5, CertificateKeyAlgorithm.NONE, KeyExchangeAlgorithm.PSK, CipherSpec.AES_256_CCM, true),

/**See <a href="https://www.rfc-editor.org/rfc/rfc6209#section-2.3" target="_blank">RFC 6209 - PSK</a> for details*/
TLS_PSK_WITH_ARIA_128_GCM_SHA256(0xC06A, CertificateKeyAlgorithm.NONE, KeyExchangeAlgorithm.PSK, CipherSpec.ARIA_128_GCM, true),
TLS_PSK_WITH_ARIA_256_GCM_SHA384(0xC06B, CertificateKeyAlgorithm.NONE, KeyExchangeAlgorithm.PSK, CipherSpec.ARIA_256_GCM, true, PRFAlgorithm.TLS_PRF_SHA384),

/**See <a href="https://tools.ietf.org/html/rfc5489#section-3.2" target="_blank">RFC 5489</a> for details*/
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256(0xC037, CertificateKeyAlgorithm.NONE, KeyExchangeAlgorithm.ECDHE_PSK, CipherSpec.AES_128_CBC, MACAlgorithm.HMAC_SHA256, false),
TLS_PSK_WITH_AES_128_CBC_SHA256(0x00AE, CertificateKeyAlgorithm.NONE, KeyExchangeAlgorithm.PSK, CipherSpec.AES_128_CBC, MACAlgorithm.HMAC_SHA256, false),

/**See <a href="https://www.rfc-editor.org/rfc/rfc6209#section-2.3" target="_blank">RFC 6209 - PSK</a> for details*/
TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256(0xC06C, CertificateKeyAlgorithm.NONE, KeyExchangeAlgorithm.ECDHE_PSK, CipherSpec.ARIA_128_CBC, MACAlgorithm.HMAC_SHA256, false),
TLS_PSK_WITH_ARIA_128_CBC_SHA256(0xC064, CertificateKeyAlgorithm.NONE, KeyExchangeAlgorithm.PSK, CipherSpec.ARIA_128_CBC, MACAlgorithm.HMAC_SHA256, false),
TLS_PSK_WITH_ARIA_256_CBC_SHA384(0xC065, CertificateKeyAlgorithm.NONE, KeyExchangeAlgorithm.PSK, CipherSpec.ARIA_256_CBC, MACAlgorithm.HMAC_SHA384, false, PRFAlgorithm.TLS_PRF_SHA384),

// Certificate cipher suites, ordered by default preference, see getCertificateCipherSuites or getEcdsaCipherSuites
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xc02b, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_128_GCM, true),
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xc02c, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_GCM, true, PRFAlgorithm.TLS_PRF_SHA384),
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_128_GCM, true),
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_GCM, true, PRFAlgorithm.TLS_PRF_SHA384),
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8(0xC0AE, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_128_CCM_8, true),
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8(0xC0AF, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_CCM_8, true),
TLS_ECDHE_ECDSA_WITH_AES_128_CCM(0xC0AC, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_128_CCM, true),
TLS_ECDHE_ECDSA_WITH_AES_256_CCM(0xC0AD, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_CCM, true),

/**See <a href="https://www.rfc-editor.org/rfc/rfc6209#section-2.2" target="_blank">RFC 6209 - GCM</a> for details*/
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256(0xC05C, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.ARIA_128_GCM, true),
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384(0xC05D, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.ARIA_256_GCM, true, PRFAlgorithm.TLS_PRF_SHA384),

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_128_CBC, MACAlgorithm.HMAC_SHA256, false),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_CBC, MACAlgorithm.HMAC_SHA384, false, PRFAlgorithm.TLS_PRF_SHA384),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_CBC, MACAlgorithm.HMAC_SHA1, false),

/**See <a href="https://www.rfc-editor.org/rfc/rfc6209#section-2.1" target="_blank">RFC 6209 - CBC</a> for details*/
TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256(0xC048, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.ARIA_128_CBC, MACAlgorithm.HMAC_SHA256, false),
TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384(0xC049, CertificateKeyAlgorithm.EC, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.ARIA_256_CBC, MACAlgorithm.HMAC_SHA384, false, PRFAlgorithm.TLS_PRF_SHA384),

// RSA Certificates
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xc02f, CertificateKeyAlgorithm.RSA, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_128_GCM, true),
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xc030, CertificateKeyAlgorithm.RSA, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_GCM, true, PRFAlgorithm.TLS_PRF_SHA384),
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F, CertificateKeyAlgorithm.RSA, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_128_GCM, true),
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030, CertificateKeyAlgorithm.RSA, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_GCM, true, PRFAlgorithm.TLS_PRF_SHA384),
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027, CertificateKeyAlgorithm.RSA, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_128_CBC, MACAlgorithm.HMAC_SHA256, false),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028, CertificateKeyAlgorithm.RSA, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_CBC, MACAlgorithm.HMAC_SHA384, false, PRFAlgorithm.TLS_PRF_SHA384),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014, CertificateKeyAlgorithm.RSA, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.AES_256_CBC, MACAlgorithm.HMAC_SHA1, false),

/**See <a href="https://www.rfc-editor.org/rfc/rfc6209#section-2.2" target="_blank">RFC 6209</a> for details*/
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256(0xC060, CertificateKeyAlgorithm.RSA, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.ARIA_128_GCM, true),
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384(0xC061, CertificateKeyAlgorithm.RSA, KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN, CipherSpec.ARIA_256_GCM, true, PRFAlgorithm.TLS_PRF_SHA384),

// Null cipher suite
TLS_NULL_WITH_NULL_NULL(0x0000),
/**
Expand All @@ -151,9 +179,12 @@ public enum CipherSuite {
* @see DtlsSecureRenegotiation
* @since 3.8 (before that only used for logging since 3.5)
*/
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00ff)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF),
;

// Logging ////////////////////////////////////////////////////////
private static final Logger LOGGER = LoggerFactory.getLogger(CipherSuite.class);

// DTLS-specific constants ////////////////////////////////////////
public static final int CIPHER_SUITE_BITS = 16;

Expand All @@ -177,9 +208,6 @@ public enum CipherSuite {
STRONG_ENCRYPTION_PREFERENCE = Collections.unmodifiableList(secureSuites);
}

// Logging ////////////////////////////////////////////////////////
private static final Logger LOGGER = LoggerFactory.getLogger(CipherSuite.class);

// Members ////////////////////////////////////////////////////////
private static int overallMaxCipherTextExpansion = 0;

Expand Down Expand Up @@ -1155,8 +1183,12 @@ private enum CipherSpec {
AES_256_CCM_8(AeadBlockCipher.AES_CCM_NO_PADDING, CipherType.AEAD, 32, 4, 8, 8), // explicit nonce (record IV) length = 8
AES_128_CCM(AeadBlockCipher.AES_CCM_NO_PADDING, CipherType.AEAD, 16, 4, 8, 16), // explicit nonce (record IV) length = 8
AES_256_CCM(AeadBlockCipher.AES_CCM_NO_PADDING, CipherType.AEAD, 32, 4, 8, 16), // explicit nonce (record IV) length = 8
AES_128_GCM("AES/GCM/NoPadding", CipherType.AEAD, 16, 4, 8, 16), // requires jvm implementation of AES/GCM
AES_256_GCM("AES/GCM/NoPadding", CipherType.AEAD, 32, 4, 8, 16); // requires jvm implementation of AES/GCM
AES_128_GCM("AES/GCM/NoPadding", CipherType.AEAD, 16, 4, 8, 16), // requires jce implementation of AES/GCM
AES_256_GCM("AES/GCM/NoPadding", CipherType.AEAD, 32, 4, 8, 16), // requires jce implementation of AES/GCM
ARIA_128_CBC("ARIA/CBC/NoPadding", CipherType.BLOCK, 16, 0, 16), // requires jce implementation of ARIA/CBC
ARIA_256_CBC("ARIA/CBC/NoPadding", CipherType.BLOCK, 32, 0, 16), // requires jce implementation of ARIA/CBC
ARIA_128_GCM("ARIA/GCM/NoPadding", CipherType.AEAD, 16, 4, 8, 16), // requires jce implementation of ARIA/GCM
ARIA_256_GCM("ARIA/GCM/NoPadding", CipherType.AEAD, 32, 4, 8, 16); // requires jce implementation of ARIA/GCM

/**
* The <em>transformation</em> string of the corresponding Java Cryptography Architecture
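Review bot: The new class Javadoc forbids `ordinal()` but says nothing about the enum's natural ordering, yet `Enum.compareTo()` is final and ordinal-based, so sorting a `List<CipherSuite>` or keeping suites in a `TreeSet`/`TreeMap` depends on exactly the constant order this commit shifts (every constant after TLS_PSK_WITH_AES_256_CCM moves). Suggest widening the note line `* <b>Note:</b> {@code ordinal()} must not be used!` to `* <b>Note:</b> {@code ordinal()} and the natural order ({@code compareTo()}, sorted collections) must not be relied on!` so the revapi ignore added in the same commit is matched by a complete caller contract. The Javadoc on the ECDHE-RSA ARIA GCM constants reads `RFC 6209` where the ECDHE-ECDSA pair says `RFC 6209 - GCM`; aligning them is a one-word change. The enum body continues outside the hunks, and the interoperability tests the commit message mentions are not part of this page.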
