From 6ea08110dc46a1f990879100adb73cc50e6b4ea2 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sun, 3 Dec 2023 00:26:18 +0100
Subject: [PATCH] Replace the TLS_AEGIS_256_SHA384 ciphersuite with TLS_AEGIS_256_SHA512

The latest AEGIS draft, as well as the IANA TLS registry [1] have been updated to replace TLS_AEGIS_256_SHA384 with TLS_AEGIS_256_SHA512. This follows the recommendations from [2] for new cipher suites.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
[2] https://eprint.iacr.org/2023/913.pdf
---
 include/picotls.h | 4 ++--
 include/picotls/minicrypto.h | 4 ++--
 include/picotls/openssl.h | 2 +-
 lib/cifra.c | 6 +++---
 lib/cifra/aes256.c | 5 +++++
 lib/cifra/libaegis.c | 8 ++++----
 lib/openssl.c | 8 ++++----
 t/openssl.c | 3 ++-
 t/picotls.c | 4 ++--
 9 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/include/picotls.h b/include/picotls.h
index 3b7a96dec..e0c390811 100644
--- a/include/picotls.h
+++ b/include/picotls.h
@@ -130,8 +130,8 @@ extern "C" {
 #define PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384 "TLS_AES_256_GCM_SHA384"
 #define PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256 0x1303
 #define PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256 "TLS_CHACHA20_POLY1305_SHA256"
-#define PTLS_CIPHER_SUITE_AEGIS256_SHA384 0x1306
-#define PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA384 "TLS_AEGIS_256_SHA384"
+#define PTLS_CIPHER_SUITE_AEGIS256_SHA512 0x1306
+#define PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512 "TLS_AEGIS_256_SHA512"
 #define PTLS_CIPHER_SUITE_AEGIS128L_SHA256 0x1307
 #define PTLS_CIPHER_SUITE_NAME_AEGIS128L_SHA256 "TLS_AEGIS_128L_SHA256"
diff --git a/include/picotls/minicrypto.h b/include/picotls/minicrypto.h
index ca3a31d9d..9e6db1ade 100644
--- a/include/picotls/minicrypto.h
+++ b/include/picotls/minicrypto.h
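Review bot: The code point 0x1306 keeps its value while the hash it implies changes from SHA-384 to SHA-512, and nothing on the new `PTLS_CIPHER_SUITE_AEGIS256_SHA512` line records that; a peer built against the earlier draft would presumably still negotiate 0x1306 and then fail the handshake once the two sides derive keys with different hashes, which is hard to trace back from a bare handshake failure. A short comment on the new line, such as `/* 0x1306: TLS_AEGIS_256_SHA512 per the current AEGIS draft; earlier drafts assigned this code point to TLS_AEGIS_256_SHA384 */`, would make the semantic reuse visible to maintainers debugging interop. The removed `..._SHA384` macros get no compatibility alias, so dependents still referencing them fail at compile time rather than silently selecting the wrong hash, which looks intended.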
@@ -51,11 +51,11 @@ extern ptls_aead_algorithm_t ptls_minicrypto_aes128gcm, ptls_minicrypto_aes256gc
 extern ptls_aead_algorithm_t ptls_minicrypto_aegis128l;
 extern ptls_aead_algorithm_t ptls_minicrypto_aegis256;
 #endif
-extern ptls_hash_algorithm_t ptls_minicrypto_sha256, ptls_minicrypto_sha384;
+extern ptls_hash_algorithm_t ptls_minicrypto_sha256, ptls_minicrypto_sha384, pts_minicrypto_sha512;
 extern ptls_cipher_suite_t ptls_minicrypto_aes128gcmsha256, ptls_minicrypto_aes256gcmsha384, ptls_minicrypto_chacha20poly1305sha256;
 #ifdef PTLS_HAVE_AEGIS
 extern ptls_cipher_suite_t ptls_minicrypto_aegis128lsha256;
-extern ptls_cipher_suite_t ptls_minicrypto_aegis256sha384;
+extern ptls_cipher_suite_t ptls_minicrypto_aegis256sha512;
 #endif
 extern ptls_cipher_suite_t *ptls_minicrypto_cipher_suites[];
 extern ptls_cipher_suite_t *ptls_minicrypto_cipher_suites_all[];
diff --git a/include/picotls/openssl.h b/include/picotls/openssl.h
index 987b9b1f2..de777c8dc 100644
--- a/include/picotls/openssl.h
+++ b/include/picotls/openssl.h
@@ -98,7 +98,7 @@ extern ptls_cipher_suite_t ptls_openssl_chacha20poly1305sha256;
 extern ptls_aead_algorithm_t ptls_openssl_aegis128l;
 extern ptls_aead_algorithm_t ptls_openssl_aegis256;
 extern ptls_cipher_suite_t ptls_openssl_aegis128lsha256;
-extern ptls_cipher_suite_t ptls_openssl_aegis256sha384;
+extern ptls_cipher_suite_t ptls_openssl_aegis256sha512;
 #endif
 
 extern ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_rsa_aes128gcmsha256;
diff --git a/lib/cifra.c b/lib/cifra.c
index d51f2b703..5fe9febab 100644
--- a/lib/cifra.c
+++ b/lib/cifra.c
@@ -23,7 +23,7 @@
 #include "picotls.h"
 #include "picotls/minicrypto.h"
 
-ptls_cipher_suite_t *ptls_minicrypto_cipher_suites[] = {// ciphers used with sha384 (must be first)
+ptls_cipher_suite_t *ptls_minicrypto_cipher_suites[] = {// ciphers used with sha512 and sha384 (must be first)
 &ptls_minicrypto_aes256gcmsha384,
 
 // ciphers used with sha256
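Review bot: The new extern on the `ptls_hash_algorithm_t` line declares `pts_minicrypto_sha512`, but the definition this commit adds in lib/cifra/aes256.c is named `ptls_minicrypto_sha512`, so the public header now declares a symbol that does not exist anywhere and leaves the real one undeclared for header users. lib/cifra/libaegis.c only links because it carries its own file-local `extern` for the correct name, which is what hides the typo. The line should read `extern ptls_hash_algorithm_t ptls_minicrypto_sha256, ptls_minicrypto_sha384, ptls_minicrypto_sha512;`. Once fixed, the file-local extern in libaegis.c can be dropped in favour of the header, assuming that file includes picotls/minicrypto.h.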
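Review bot: The comment on the default `ptls_minicrypto_cipher_suites[]` now says "ciphers used with sha512 and sha384 (must be first)", yet as far as this hunk shows the default list still starts with `ptls_minicrypto_aes256gcmsha384` and gains no SHA-512 suite; only `ptls_minicrypto_cipher_suites_all[]` in the next hunk receives `ptls_minicrypto_aegis256sha512`. The wording fits the `_all` array but over-states the default one, so either keep `// ciphers used with sha384 (must be first)` here or say what the ordering rule actually is, e.g. `// ciphers whose hash is not sha256 (must be first)`. The mirror comment on `ptls_openssl_cipher_suites_all[]` in lib/openssl.c has the opposite problem: that array now begins with a SHA-512 suite but its comment still says sha384 only.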
@@ -31,9 +31,9 @@ ptls_cipher_suite_t *ptls_minicrypto_cipher_suites[] = {// ciphers used with sha
 &ptls_minicrypto_chacha20poly1305sha256,
 NULL};
 
-ptls_cipher_suite_t *ptls_minicrypto_cipher_suites_all[] = {// ciphers used with sha384 (must be first)
+ptls_cipher_suite_t *ptls_minicrypto_cipher_suites_all[] = {// ciphers used with sha512 and sha384 (must be first)
 #ifdef PTLS_HAVE_AEGIS
- &ptls_minicrypto_aegis256sha384,
+ &ptls_minicrypto_aegis256sha512,
 #endif
 &ptls_minicrypto_aes256gcmsha384,
 
diff --git a/lib/cifra/aes256.c b/lib/cifra/aes256.c
index d4cefa9e9..e074dea8f 100644
--- a/lib/cifra/aes256.c
+++ b/lib/cifra/aes256.c
@@ -41,6 +41,11 @@ ptls_define_hash(sha384, cf_sha512_context, cf_sha384_init, cf_sha384_update, cf
 ptls_hash_algorithm_t ptls_minicrypto_sha384 = {"sha384", PTLS_SHA384_BLOCK_SIZE, PTLS_SHA384_DIGEST_SIZE, sha384_create,
 PTLS_ZERO_DIGEST_SHA384};
 
+ptls_define_hash(sha512, cf_sha512_context, cf_sha512_init, cf_sha512_update, cf_sha512_digest_final);
+
+ptls_hash_algorithm_t ptls_minicrypto_sha512 = {"sha512", PTLS_SHA512_BLOCK_SIZE, PTLS_SHA512_DIGEST_SIZE, sha512_create,
+ PTLS_ZERO_DIGEST_SHA512};
+
 ptls_cipher_algorithm_t ptls_minicrypto_aes256ecb = {
 "AES256-ECB", PTLS_AES256_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct aesecb_context_t), aes256ecb_setup_crypto};
diff --git a/lib/cifra/libaegis.c b/lib/cifra/libaegis.c
index 0b4af9349..5771d7915 100644
--- a/lib/cifra/libaegis.c
+++ b/lib/cifra/libaegis.c
@@ -23,7 +23,7 @@
 #include "../libaegis.h"
 
 extern ptls_hash_algorithm_t ptls_minicrypto_sha256;
-extern ptls_hash_algorithm_t ptls_minicrypto_sha384;
+extern ptls_hash_algorithm_t ptls_minicrypto_sha512;
 
 ptls_aead_algorithm_t ptls_minicrypto_aegis128l = {"AEGIS-128L",
 PTLS_AEGIS128L_CONFIDENTIALITY_LIMIT,
@@ -56,7 +56,7 @@ ptls_aead_algorithm_t ptls_minicrypto_aegis256 = {"AEGIS-256",
 0,
 sizeof(struct aegis256_context_t),
 aegis256_setup_crypto};
-ptls_cipher_suite_t ptls_minicrypto_aegis256sha384 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA384,
- .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA384,
+ptls_cipher_suite_t ptls_minicrypto_aegis256sha512 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA512,
+ .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512,
 .aead = &ptls_minicrypto_aegis256,
- .hash = &ptls_minicrypto_sha384};
+ .hash = &ptls_minicrypto_sha512};
diff --git a/lib/openssl.c b/lib/openssl.c
index a6abafe51..70a3e7e9a 100644
--- a/lib/openssl.c
+++ b/lib/openssl.c
@@ -2220,10 +2220,10 @@ ptls_aead_algorithm_t ptls_openssl_aegis256 = {
 .context_size = sizeof(struct aegis256_context_t),
 .setup_crypto = aegis256_setup_crypto,
 };
-ptls_cipher_suite_t ptls_openssl_aegis256sha384 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA384,
- .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA384,
+ptls_cipher_suite_t ptls_openssl_aegis256sha512 = {.id = PTLS_CIPHER_SUITE_AEGIS256_SHA512,
+ .name = PTLS_CIPHER_SUITE_NAME_AEGIS256_SHA512,
 .aead = &ptls_openssl_aegis256,
- .hash = &ptls_openssl_sha384};
+ .hash = &ptls_openssl_sha512};
 
 #endif
 
@@ -2240,7 +2240,7 @@ ptls_cipher_suite_t *ptls_openssl_cipher_suites[] = {// ciphers used with sha384
 
 ptls_cipher_suite_t *ptls_openssl_cipher_suites_all[] = {// ciphers used with sha384 (must be first)
 #if PTLS_HAVE_AEGIS
- &ptls_openssl_aegis256sha384,
+ &ptls_openssl_aegis256sha512,
 #endif
 &ptls_openssl_aes256gcmsha384,
 
diff --git a/t/openssl.c b/t/openssl.c
index b3188ff0a..d48744522 100644
--- a/t/openssl.c
+++ b/t/openssl.c
@@ -564,7 +564,8 @@ int main(int argc, char **argv)
 .sign_certificate = &openssl_sign_certificate.super};
 ptls_context_t openssl_ctx_sha256only = openssl_ctx;
 while (openssl_ctx_sha256only.cipher_suites[0]->hash->digest_size != 32) {
- assert(openssl_ctx.cipher_suites[0]->hash->digest_size == 48); /* sha384 */
+ assert(openssl_ctx.cipher_suites[0]->hash->digest_size == 64 || /* sha512 */
+ openssl_ctx.cipher_suites[0]->hash->digest_size == 48); /* sha384 */
 ++openssl_ctx_sha256only.cipher_suites;
 }
 assert(openssl_ctx_sha256only.cipher_suites[0]->hash->digest_size == 32); /* sha256 */
diff --git a/t/picotls.c b/t/picotls.c
index 80c8543f5..c82cc414a 100644
--- a/t/picotls.c
+++ b/t/picotls.c
@@ -506,8 +506,8 @@ static void test_aegis128l(void)
 
 static void test_aegis256(void)
 {
- ptls_cipher_suite_t *cs = find_cipher(ctx, PTLS_CIPHER_SUITE_AEGIS256_SHA384),
- *cs_peer = find_cipher(ctx_peer, PTLS_CIPHER_SUITE_AEGIS256_SHA384);
+ ptls_cipher_suite_t *cs = find_cipher(ctx, PTLS_CIPHER_SUITE_AEGIS256_SHA512),
+ *cs_peer = find_cipher(ctx_peer, PTLS_CIPHER_SUITE_AEGIS256_SHA512);
 if (cs != NULL && cs_peer != NULL) {
 test_ciphersuite(cs, cs_peer);
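Review bot: The rewritten assert inspects `openssl_ctx.cipher_suites[0]`, a pointer that is never advanced, while the loop condition and the `++` on the following line walk `openssl_ctx_sha256only.cipher_suites`; every iteration therefore re-checks the first suite and never validates the one actually being skipped, so a suite with any other digest size placed second in the list would pass this check unnoticed. The two new lines should test the iterated context instead: `assert(openssl_ctx_sha256only.cipher_suites[0]->hash->digest_size == 64 || /* sha512 */` and `openssl_ctx_sha256only.cipher_suites[0]->hash->digest_size == 48); /* sha384 */`. The mismatch predates this commit, but since the line is being rewritten anyway it is the natural moment to fix it. The enclosing main() begins and ends outside the hunk.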