Implemented support for DICOM CP 2311.

DICOM CP 2311 has made optional the support of the TLS 1.2 CAMELLIA
ciphersuites in GCM mode, which are not supported by OpenSSL, in the
Modified BCP 195 RFC 8996 TLS Profile. Accordingly, this TLS profile is
now enabled in DCMTK and support for Camellia is included if available in
OpenSSL, which is checked by a feature test.

Author: Marco Eichelberg

config/docs/macros.txt

@@ -106,24 +106,6 @@ DCMTK_GUI
     them to the user or store them in a log file.  See comments in
     ofstd/include/dcmtk/ofstd/ofconsol.h.
 
-DCMTK_IGNORE_BCP195M_CAMELLIA_GCM_REQUIREMENT
-  Affected: dcmtls
-  Type of modification: Enables experimental feature
-  Explanation: Starting with release 3.6.8, DCMTK contains a feature-complete
-    implementation of the "Modified BCP 195 RFC 8996 TLS Secure Transport
-    Connection Profile". Unfortunately, this profile cannot be implemented
-    with any current version of OpenSSL or LibreSSL because the DICOM committee
-    has declared support for the TLS 1.2 Camellia ciphersuites in GCM mode
-    mandatory, and these are not supported in either OpenSSL or LibreSSL.
-    This macro will enable the support for this profile on library and
-    command line tool level, but in a manner that is not fully DICOM compliant
-    (i.e. without the Camellia GCM ciphersuites).
-    Should OpenSSL/LibreSSL add support for these ciphersuites in the
-    future, support for the TLS profile will automatically be enabled
-    when compiling DCMTK against such a future release, because there is
-    a configure test that checks the availability of this feature.
-    This macro is primarily intended for testing purposes.
-
 DCMTK_LOG4CPLUS_AVOID_WIN32_FLS
   Affected: oflog
   Type of modification: Disables feature

dcmtls/docs/certstor.dox

@@ -100,13 +100,6 @@ choice while providing backward compatibility with the earlier BCP 195 profiles.
 It does not support backward compatibility with the older profiles.
 It uses either TLS version 1.2 or 1.3 and will default to TLS 1.3 when possible.
 
-The Modified BCP 195 RFC 8996 TLS Profile, which adds further constraints
-compared to the BCP 195 RFC 8996 TLS Profile, cannot be implemented with
-OpenSSL 1.0.2 to 3.0.x because it requires support for the TLS 1.2 Camellia
-ciphersuites in GCM mode, which is not available in OpenSSL. Should future
-OpenSSL releases add support for these ciphersuites, then this option will
-automatically be enabled when compiling DCMTK.
-
 The Non-downgrading BCP 195 TLS Profile, which was the default in DCMTK 3.6.7,
 also disables older protocol versions and cipher suites. It does, however,
 support DHE ciphersuites, whereas RFC 9325 recommends that these should not

dcmtls/docs/ciphers.txt

@@ -52,14 +52,14 @@ follow the secure profiles define in DICOM Part 15:
 - Modified BCP 195 RFC 8996 TLS Profile
   This profile proposes the following set of ciphersuites:
 
-  - TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 (only TLS 1.2)
-  - TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 (only TLS 1.2)
+  - TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 (only TLS 1.2)*
+  - TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 (only TLS 1.2)*
   - TLS_ECDHE_ECDSA_WITH_AES_128_CCM (only TLS 1.2)
   - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (only TLS 1.2)
   - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (only TLS 1.2)
   - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (only TLS 1.2)
-  - TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 (only TLS 1.2)
-  - TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 (only TLS 1.2)
+  - TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 (only TLS 1.2)*
+  - TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 (only TLS 1.2)*
   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (only TLS 1.2)
   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (only TLS 1.2)
   - TLS_ECDHE_ECDSA_WITH_AES_256_CCM (only TLS 1.2)
@@ -73,6 +73,9 @@ follow the secure profiles define in DICOM Part 15:
   - TLS_AES_128_CCM_SHA256 (only TLS 1.3)
   - TLS_AES_128_CCM_8_SHA256 (only TLS 1.3)
 
+  * only if available in OpenSSL, which is not the case in any OpenSSL 
+    version up to OpenSSL 3.3.x
+
 - BCP 195 TLS Profile (retired)
   This profile proposes the following set of ciphersuites:
   - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (only TLS 1.2)

dcmtls/libsrc/tlsciphr.cc

@@ -375,7 +375,7 @@ OFCondition DcmTLSCiphersuiteHandler::setTLSProfile(DcmTLSSecurityProfile profil
       tls13_enabled = OFTrue;
       ciphersuiteList.clear();
       tls13ciphersuiteList.clear();
-      // required TLS 1.0-1.2 ciphersuites as defined in the DICOM profile
+      // required and optional TLS 1.0-1.2 ciphersuites as defined in the DICOM profile
 #ifdef HAVE_OPENSSL_PROTOTYPE_TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
       result = addRequiredCipherSuite("TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256");
       if (result.bad()) return result;

dcmtls/libsrc/tlsfmacr.h

@@ -33,20 +33,12 @@ BEGIN_EXTERN_C
 END_EXTERN_C
 
 /* check if we fulfil all requirements for implementing the 
- * Modified BCP 195 RFC 8996 TLS Profile
+ * Modified BCP 195 RFC 8996 TLS Profile. With DICOM CP 2311
+ * making support for Camellia in GCM mode optional, this is now rather simple.
  */
 #ifdef HAVE_OPENSSL_PROTOTYPE_TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM_8
-
-/* all feature tests except Camellia in GCM mode are successful
- * We now check if we either have Camellia in GCM more or have been
- * instructed to ignore this requirement
- */
-#if defined(HAVE_OPENSSL_PROTOTYPE_TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384) \
-  || defined(DCMTK_IGNORE_BCP195M_CAMELLIA_GCM_REQUIREMENT)
-
 #define DCMTK_Modified_BCP195_RFC8996_TLS_Profile_Supported
 #endif
-#endif
 
 #endif /* WITH_OPENSSL */
 #endif /* TLSFMAC_H */

dcmtls/libsrc/tlsopt.cc

@@ -1,6 +1,6 @@
 /*
  *
- *  Copyright (C) 2017-2023, OFFIS e.V.
+ *  Copyright (C) 2017-2024, OFFIS e.V.
  *  All rights reserved.  See COPYRIGHT file for details.
  *
  *  This software and supporting documentation were developed by