Merge pull request #497 from kazuho/pull/497

Replace the TLS_AEGIS_256_SHA384 ciphersuite with TLS_AEGIS_256_SHA512
h2o · Dec 4, 2023 · 651c1de · 651c1de
2 parents 020bca0 + 6ea0811
commit 651c1de
Show file tree

Hide file tree

Showing 9 changed files with 24 additions and 18 deletions.
diff --git a/include/picotls.h b/include/picotls.h
@@ -130,8 +130,8 @@ extern "C" {
 #define PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384 "TLS_AES_256_GCM_SHA384"
 #define PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256 0x1303
 #define PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256 "TLS_CHACHA20_POLY1305_SHA256"
-#define PTLS_CIPHER_SUITE_AEGIS256_SHA384 0x1306
-#define PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA384 "TLS_AEGIS_256_SHA384"
+#define PTLS_CIPHER_SUITE_AEGIS256_SHA512 0x1306
+#define PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512 "TLS_AEGIS_256_SHA512"
 #define PTLS_CIPHER_SUITE_AEGIS128L_SHA256 0x1307
 #define PTLS_CIPHER_SUITE_NAME_AEGIS128L_SHA256 "TLS_AEGIS_128L_SHA256"
 

diff --git a/include/picotls/minicrypto.h b/include/picotls/minicrypto.h
@@ -51,11 +51,11 @@ extern ptls_aead_algorithm_t ptls_minicrypto_aes128gcm, ptls_minicrypto_aes256gc
 extern ptls_aead_algorithm_t ptls_minicrypto_aegis128l;
 extern ptls_aead_algorithm_t ptls_minicrypto_aegis256;
 #endif
-extern ptls_hash_algorithm_t ptls_minicrypto_sha256, ptls_minicrypto_sha384;
+extern ptls_hash_algorithm_t ptls_minicrypto_sha256, ptls_minicrypto_sha384, pts_minicrypto_sha512;
 extern ptls_cipher_suite_t ptls_minicrypto_aes128gcmsha256, ptls_minicrypto_aes256gcmsha384, ptls_minicrypto_chacha20poly1305sha256;
 #ifdef PTLS_HAVE_AEGIS
 extern ptls_cipher_suite_t ptls_minicrypto_aegis128lsha256;
-extern ptls_cipher_suite_t ptls_minicrypto_aegis256sha384;
+extern ptls_cipher_suite_t ptls_minicrypto_aegis256sha512;
 #endif
 extern ptls_cipher_suite_t *ptls_minicrypto_cipher_suites[];
 extern ptls_cipher_suite_t *ptls_minicrypto_cipher_suites_all[];

diff --git a/include/picotls/openssl.h b/include/picotls/openssl.h
@@ -98,7 +98,7 @@ extern ptls_cipher_suite_t ptls_openssl_chacha20poly1305sha256;
 extern ptls_aead_algorithm_t ptls_openssl_aegis128l;
 extern ptls_aead_algorithm_t ptls_openssl_aegis256;
 extern ptls_cipher_suite_t ptls_openssl_aegis128lsha256;
-extern ptls_cipher_suite_t ptls_openssl_aegis256sha384;
+extern ptls_cipher_suite_t ptls_openssl_aegis256sha512;
 #endif
 
 extern ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_rsa_aes128gcmsha256;

diff --git a/lib/cifra.c b/lib/cifra.c
@@ -23,17 +23,17 @@
 #include "picotls.h"
 #include "picotls/minicrypto.h"
 
-ptls_cipher_suite_t *ptls_minicrypto_cipher_suites[] = {// ciphers used with sha384 (must be first)
+ptls_cipher_suite_t *ptls_minicrypto_cipher_suites[] = {// ciphers used with sha512 and sha384 (must be first)
                                                         &ptls_minicrypto_aes256gcmsha384,
 
                                                         // ciphers used with sha256
                                                         &ptls_minicrypto_aes128gcmsha256,
                                                         &ptls_minicrypto_chacha20poly1305sha256,
                                                         NULL};
 
-ptls_cipher_suite_t *ptls_minicrypto_cipher_suites_all[] = {// ciphers used with sha384 (must be first)
+ptls_cipher_suite_t *ptls_minicrypto_cipher_suites_all[] = {// ciphers used with sha512 and sha384 (must be first)
 #ifdef PTLS_HAVE_AEGIS
-                                                           &ptls_minicrypto_aegis256sha384,
+                                                           &ptls_minicrypto_aegis256sha512,
 #endif
                                                            &ptls_minicrypto_aes256gcmsha384,
 

diff --git a/lib/cifra/aes256.c b/lib/cifra/aes256.c
@@ -41,6 +41,11 @@ ptls_define_hash(sha384, cf_sha512_context, cf_sha384_init, cf_sha384_update, cf
 ptls_hash_algorithm_t ptls_minicrypto_sha384 = {"sha384", PTLS_SHA384_BLOCK_SIZE, PTLS_SHA384_DIGEST_SIZE, sha384_create,
                                                 PTLS_ZERO_DIGEST_SHA384};
 
+ptls_define_hash(sha512, cf_sha512_context, cf_sha512_init, cf_sha512_update, cf_sha512_digest_final);
+
+ptls_hash_algorithm_t ptls_minicrypto_sha512 = {"sha512", PTLS_SHA512_BLOCK_SIZE, PTLS_SHA512_DIGEST_SIZE, sha512_create,
+                                                PTLS_ZERO_DIGEST_SHA512};
+
 ptls_cipher_algorithm_t ptls_minicrypto_aes256ecb = {
     "AES256-ECB",          PTLS_AES256_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct aesecb_context_t),
     aes256ecb_setup_crypto};

diff --git a/lib/cifra/libaegis.c b/lib/cifra/libaegis.c
@@ -54,7 +54,7 @@ ptls_aead_algorithm_t ptls_minicrypto_aegis256 = {"AEGIS-256",
                                                   0,
                                                   sizeof(struct aegis256_context_t),
                                                   aegis256_setup_crypto};
-ptls_cipher_suite_t ptls_minicrypto_aegis256sha384 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA384,
-                                                      .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA384,
+ptls_cipher_suite_t ptls_minicrypto_aegis256sha512 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA512,
+                                                      .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512,
                                                       .aead = &ptls_minicrypto_aegis256,
-                                                      .hash = &ptls_minicrypto_sha384};
+                                                      .hash = &ptls_minicrypto_sha512};
diff --git a/lib/openssl.c b/lib/openssl.c
@@ -2220,10 +2220,10 @@ ptls_aead_algorithm_t ptls_openssl_aegis256 = {
     .context_size = sizeof(struct aegis256_context_t),
     .setup_crypto = aegis256_setup_crypto,
 };
-ptls_cipher_suite_t ptls_openssl_aegis256sha384 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA384,
-                                                    .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA384,
+ptls_cipher_suite_t ptls_openssl_aegis256sha512 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA512,
+                                                    .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512,
                                                     .aead = &ptls_openssl_aegis256,
-                                                    .hash = &ptls_openssl_sha384};
+                                                    .hash = &ptls_openssl_sha512};
 #endif
 
 
@@ -2240,7 +2240,7 @@ ptls_cipher_suite_t *ptls_openssl_cipher_suites[] = {// ciphers used with sha384
 
 ptls_cipher_suite_t *ptls_openssl_cipher_suites_all[] = {// ciphers used with sha384 (must be first)
 #if PTLS_HAVE_AEGIS
-                                                        &ptls_openssl_aegis256sha384,
+                                                        &ptls_openssl_aegis256sha512,
 #endif
                                                         &ptls_openssl_aes256gcmsha384,
 

diff --git a/t/openssl.c b/t/openssl.c
@@ -564,7 +564,8 @@ int main(int argc, char **argv)
                                   .sign_certificate = &openssl_sign_certificate.super};
     ptls_context_t openssl_ctx_sha256only = openssl_ctx;
     while (openssl_ctx_sha256only.cipher_suites[0]->hash->digest_size != 32) {
-        assert(openssl_ctx.cipher_suites[0]->hash->digest_size == 48); /* sha384 */
+        assert(openssl_ctx.cipher_suites[0]->hash->digest_size == 64 || /* sha512 */
+               openssl_ctx.cipher_suites[0]->hash->digest_size == 48);  /* sha384 */
         ++openssl_ctx_sha256only.cipher_suites;
     }
     assert(openssl_ctx_sha256only.cipher_suites[0]->hash->digest_size == 32); /* sha256 */

diff --git a/t/picotls.c b/t/picotls.c
@@ -506,8 +506,8 @@ static void test_aegis128l(void)
 
 static void test_aegis256(void)
 {
-    ptls_cipher_suite_t *cs = find_cipher(ctx, PTLS_CIPHER_SUITE_AEGIS256_SHA384),
-                        *cs_peer = find_cipher(ctx_peer, PTLS_CIPHER_SUITE_AEGIS256_SHA384);
+    ptls_cipher_suite_t *cs = find_cipher(ctx, PTLS_CIPHER_SUITE_AEGIS256_SHA512),
+                        *cs_peer = find_cipher(ctx_peer, PTLS_CIPHER_SUITE_AEGIS256_SHA512);
 
     if (cs != NULL && cs_peer != NULL) {
         test_ciphersuite(cs, cs_peer);