Make all supported siphersuites available for a TLS session

Author: krizhanovsky

tls/ciphersuites.c

@@ -4,7 +4,7 @@
  * TLS ciphersuites.
  *
  * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * Copyright (C) 2015-2018 Tempesta Technologies, Inc.
+ * Copyright (C) 2015-2019 Tempesta Technologies, Inc.
  * SPDX-License-Identifier: GPL-2.0
  *
  * This program is free software; you can redistribute it and/or modify
@@ -24,58 +24,6 @@
 #include "ciphersuites.h"
 #include "ttls.h"
 
-/*
- * Ordered from most preferred to least preferred in terms of security.
- *
- * Current rule:
- * 1. By key exchange: Forward-secure non-PSK > other non-PSK
- * 2. By key length and cipher: AES-256 > AES-128
- * 3. By cipher mode when relevant GCM > CCM > CCM_8
- * 4. By hash function used when relevant
- * 5. By key exchange/auth again: EC > non-EC
- *
- * Note that there is no TLS_RSA_WITH_AES_128_CBC_SHA required by RFC 5246.
- * Current TLS version is 1.3, so we support TLS 1.2 for legacy only clients.
- * Next, CBC mode has security issues (so it was removed from TLS 1.3) and
- * incurs significant pipeline stalls that hamper its efficiency and
- * performance. Last, it requires additional code work flow.
- */
-static const int ciphersuite_preference[] = {
-	/* All AES-256 ephemeral suites */
-	TTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	TTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	TTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
-	TTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
-	TTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
-	TTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
-	TTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
-
-	/* All AES-128 ephemeral suites */
-	TTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	TTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	TTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-	TTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
-	TTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
-	TTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
-	TTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
-
-	/* All AES-256 suites */
-	TTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
-	TTLS_TLS_RSA_WITH_AES_256_CCM,
-	TTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
-	TTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
-	TTLS_TLS_RSA_WITH_AES_256_CCM_8,
-
-	/* All AES-128 suites */
-	TTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
-	TTLS_TLS_RSA_WITH_AES_128_CCM,
-	TTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
-	TTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
-	TTLS_TLS_RSA_WITH_AES_128_CCM_8,
-
-	0
-};
-
 static const TlsCiphersuite ciphersuite_definitions[] =
 {
 	{ TTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@@ -279,7 +227,7 @@ ttls_get_ciphersuite_name(const int ciphersuite_id)
 	const TlsCiphersuite *cur;
 
 	if (!(cur = ttls_ciphersuite_from_id(ciphersuite_id)))
-		return("unknown");
+		return "unknown";
 
 	return cur->name;
 }

tls/error.c

@@ -181,8 +181,6 @@ void ttls_strerror(int ret, char *buf, size_t buflen)
 			snprintf(buf, buflen, "TLS - An invalid TLS record was received");
 		if (use_ret == -(TTLS_ERR_CONN_EOF))
 			snprintf(buf, buflen, "TLS - The connection indicated an EOF");
-		if (use_ret == -(TTLS_ERR_NO_CIPHER_CHOSEN))
-			snprintf(buf, buflen, "TLS - The server has no ciphersuites in common with the client");
 		if (use_ret == -(TTLS_ERR_NO_CLIENT_CERTIFICATE))
 			snprintf(buf, buflen, "TLS - No client certification received from the client, but required by the authentication mode");
 		if (use_ret == -(TTLS_ERR_CERTIFICATE_TOO_LARGE))
@@ -233,8 +231,6 @@ void ttls_strerror(int ret, char *buf, size_t buflen)
 			snprintf(buf, buflen, "TLS - Internal error (eg, unexpected failure in lower-level module)");
 		if (use_ret == -(TTLS_ERR_BUFFER_TOO_SMALL))
 			snprintf(buf, buflen, "TLS - A buffer is too small to receive or write a message");
-		if (use_ret == -(TTLS_ERR_NO_USABLE_CIPHERSUITE))
-			snprintf(buf, buflen, "TLS - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)");
 		if (use_ret == -(TTLS_ERR_INVALID_VERIFY_HASH))
 			snprintf(buf, buflen, "TLS - Couldn't set the hash for verifying CertificateVerify");
 

tls/tls_srv.c

@@ -550,15 +550,16 @@ ttls_choose_ciphersuite(TlsCtx *tls, const unsigned char *csp)
 		}
 
 	if (got_common_suite) {
-		T_DBG("got ciphersuites in common, but none of them usable\n");
+		T_WARN("None of the common ciphersuites is usable"
+		       " (e.g. no suitable certificate)\n");
 		ttls_send_alert(tls, TTLS_ALERT_LEVEL_FATAL,
 				TTLS_ALERT_MSG_HANDSHAKE_FAILURE);
-		return TTLS_ERR_NO_USABLE_CIPHERSUITE;
+		return -EINVAL;
 	} else {
-		T_DBG("got no ciphersuites in common\n");
+		T_WARN("Got no ciphersuites in common\n");
 		ttls_send_alert(tls, TTLS_ALERT_LEVEL_FATAL,
 				TTLS_ALERT_MSG_HANDSHAKE_FAILURE);
-		return TTLS_ERR_NO_CIPHER_CHOSEN;
+		return -EINVAL;
 	}
 
 have_ciphersuite:
@@ -1388,8 +1389,8 @@ ttls_write_server_key_exchange(TlsCtx *tls, struct sg_table *sgt,
 					goto curve_matching_done;
 curve_matching_done:
 		if (!curve || !*curve) {
-			T_DBG("no matching curve for ECDHE key exchange\n");
-			r = TTLS_ERR_NO_CIPHER_CHOSEN;
+			T_WARN("No matching curve for ECDHE key exchange\n");
+			r = -EINVAL;
 			goto err;
 		}
 		T_DBG("ECDHE curve: %s\n", (*curve)->name);

tls/ttls.c

@@ -2407,9 +2407,39 @@ ttls_config_init(ttls_config *conf)
 }
 EXPORT_SYMBOL(ttls_config_init);
 
-static int ssl_preset_suiteb_ciphersuites[] = {
+static int ttls_default_ciphersuites[] = {
+	/* All AES-128 ephemeral suites */
 	TTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	TTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	TTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+	TTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+	TTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
+	TTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+	TTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
+
+	/* All AES-256 ephemeral suites */
 	TTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	TTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	TTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+	TTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+	TTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
+	TTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+	TTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
+
+	/* All AES-256 suites */
+	TTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
+	TTLS_TLS_RSA_WITH_AES_256_CCM,
+	TTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+	TTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+	TTLS_TLS_RSA_WITH_AES_256_CCM_8,
+
+	/* All AES-128 suites */
+	TTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
+	TTLS_TLS_RSA_WITH_AES_128_CCM,
+	TTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+	TTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+	TTLS_TLS_RSA_WITH_AES_128_CCM_8,
+
 	0
 };
 
@@ -2462,11 +2492,8 @@ ttls_config_defaults(ttls_config *conf, int endpoint)
 	conf->min_minor_ver = TTLS_MINOR_VERSION_3; /* TLS 1.2 */
 	conf->max_minor_ver = TTLS_MAX_MINOR_VERSION;
 
-	conf->ciphersuite_list[TTLS_MINOR_VERSION_0]
-	= conf->ciphersuite_list[TTLS_MINOR_VERSION_1]
-	= conf->ciphersuite_list[TTLS_MINOR_VERSION_2]
-	= conf->ciphersuite_list[TTLS_MINOR_VERSION_3]
-	= ssl_preset_suiteb_ciphersuites;
+	ttls_conf_ciphersuites_for_version(conf, ttls_default_ciphersuites,
+					   TTLS_MINOR_VERSION_3);
 
 	conf->cert_profile = &ttls_x509_crt_profile_suiteb;
 	conf->sig_hashes = ssl_preset_suiteb_hashes;

tls/ttls.h

@@ -51,8 +51,6 @@
 #define TTLS_ERR_INVALID_RECORD			-0x7200
 /* The connection indicated an EOF. */
 #define TTLS_ERR_CONN_EOF			-0x7280
-/* The server has no ciphersuites in common with the client. */
-#define TTLS_ERR_NO_CIPHER_CHOSEN		-0x7380
 /*
  * No client certification received from the client, but required by the
  * authentication mode.
@@ -110,11 +108,6 @@
 #define TTLS_ERR_INTERNAL_ERROR			-0x6C00
 /* A buffer is too small to receive or write a message. */
 #define TTLS_ERR_BUFFER_TOO_SMALL		-0x6A00
-/*
- * None of the common ciphersuites is usable (eg, no suitable certificate,
- * see debug messages).
- */
-#define TTLS_ERR_NO_USABLE_CIPHERSUITE		-0x6980
 /* Couldn't set the hash for verifying CertificateVerify. */
 #define TTLS_ERR_INVALID_VERIFY_HASH		-0x6600