These are the remaining untested cipher suites. Rather than add support in runner.go, just remove them altogether. Grepping for this is a little tricky, but nothing enables aNULL (all occurrences disable it), and all occurrences of ["ALL:] seem to be either unused or explicitly disable anonymous ciphers. Change-Id: I4fd4b8dc6a273d6c04a26e93839641ddf738343f Reviewed-on: https://boringssl-review.googlesource.com/4258 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
@@ -175,8 +175,6 @@ extern "C" { | |||
#define SSL_TXT_HIGH "HIGH" | |||
#define SSL_TXT_FIPS "FIPS" | |||
#define SSL_TXT_aNULL "aNULL" | |||
#define SSL_TXT_kRSA "kRSA" | |||
#define SSL_TXT_kDHE "kDHE" | |||
#define SSL_TXT_kEDH "kEDH" /* same as "kDHE" */ | |||
@@ -189,14 +187,12 @@ extern "C" { | |||
#define SSL_TXT_aPSK "aPSK" | |||
#define SSL_TXT_DH "DH" | |||
#define SSL_TXT_DHE "DHE" /* same as "kDHE:-ADH" */ | |||
#define SSL_TXT_DHE "DHE" /* same as "kDHE" */ | |||
#define SSL_TXT_EDH "EDH" /* same as "DHE" */ | |||
#define SSL_TXT_ADH "ADH" | |||
#define SSL_TXT_RSA "RSA" | |||
#define SSL_TXT_ECDH "ECDH" | |||
#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE:-AECDH" */ | |||
#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE" */ | |||
#define SSL_TXT_EECDH "EECDH" /* same as "ECDHE" */ | |||
#define SSL_TXT_AECDH "AECDH" | |||
#define SSL_TXT_ECDSA "ECDSA" | |||
#define SSL_TXT_PSK "PSK" | |||
@@ -238,7 +234,7 @@ extern "C" { | |||
/* The following cipher list is used by default. It also is substituted when an | |||
* application-defined cipher list string starts with 'DEFAULT'. */ | |||
#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" | |||
#define SSL_DEFAULT_CIPHER_LIST "ALL" | |||
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always | |||
* starts with a reasonable order, and all we have to do for DEFAULT is | |||
@@ -320,13 +320,6 @@ int dtls1_accept(SSL *s) { | |||
* don't request cert during re-negotiation: */ | |||
((s->session->peer != NULL) && | |||
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || | |||
/* never request cert in anonymous ciphersuites | |||
* (see section "Certificate request" in SSL 3 drafts | |||
* and in RFC 2246): */ | |||
((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && | |||
/* ... except when the application insists on verification | |||
* (against the specs, but s3_clnt.c accepts this for SSL 3) */ | |||
!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || | |||
/* With normal PSK Certificates and | |||
* Certificate Requests are omitted */ | |||
(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { | |||
@@ -1411,15 +1411,6 @@ int ssl3_get_certificate_request(SSL *s) { | |||
goto err; | |||
} | |||
/* TLS does not like anon-DH with client cert */ | |||
if (s->version > SSL3_VERSION && | |||
(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) { | |||
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | |||
OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, | |||
SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); | |||
goto err; | |||
} | |||
CBS_init(&cbs, s->init_msg, n); | |||
ca_sk = sk_X509_NAME_new(ca_dn_cmp); | |||
@@ -185,16 +185,6 @@ const SSL_CIPHER ssl3_ciphers[] = { | |||
}, | |||
/* The Ephemeral DH ciphers */ | |||
/* Cipher 18 */ | |||
{ | |||
1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kDHE, SSL_aNULL, | |||
SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM, | |||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, | |||
}, | |||
/* New AES ciphersuites */ | |||
/* Cipher 2F */ | |||
@@ -211,13 +201,6 @@ const SSL_CIPHER ssl3_ciphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, | |||
}, | |||
/* Cipher 34 */ | |||
{ | |||
1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kDHE, | |||
SSL_aNULL, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, | |||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, | |||
}, | |||
/* Cipher 35 */ | |||
{ | |||
1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA, | |||
@@ -232,13 +215,6 @@ const SSL_CIPHER ssl3_ciphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, | |||
}, | |||
/* Cipher 3A */ | |||
{ | |||
1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kDHE, | |||
SSL_aNULL, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, | |||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, | |||
}, | |||
/* TLS v1.2 ciphersuites */ | |||
@@ -272,20 +248,6 @@ const SSL_CIPHER ssl3_ciphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, | |||
}, | |||
/* Cipher 6C */ | |||
{ | |||
1, TLS1_TXT_ADH_WITH_AES_128_SHA256, TLS1_CK_ADH_WITH_AES_128_SHA256, | |||
SSL_kDHE, SSL_aNULL, SSL_AES128, SSL_SHA256, SSL_TLSV1_2, | |||
SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, | |||
}, | |||
/* Cipher 6D */ | |||
{ | |||
1, TLS1_TXT_ADH_WITH_AES_256_SHA256, TLS1_CK_ADH_WITH_AES_256_SHA256, | |||
SSL_kDHE, SSL_aNULL, SSL_AES256, SSL_SHA256, SSL_TLSV1_2, | |||
SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, | |||
}, | |||
/* Cipher 8A */ | |||
{ | |||
1, TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK, | |||
@@ -350,26 +312,6 @@ const SSL_CIPHER ssl3_ciphers[] = { | |||
256, 256, | |||
}, | |||
/* Cipher A6 */ | |||
{ | |||
1, TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, | |||
TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aNULL, SSL_AES128GCM, | |||
SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, | |||
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD | | |||
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, | |||
128, 128, | |||
}, | |||
/* Cipher A7 */ | |||
{ | |||
1, TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, | |||
TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aNULL, SSL_AES256GCM, | |||
SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, | |||
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD | | |||
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, | |||
256, 256, | |||
}, | |||
/* Cipher C007 */ | |||
{ | |||
1, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, | |||
@@ -417,29 +359,6 @@ const SSL_CIPHER ssl3_ciphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, | |||
}, | |||
/* Cipher C016 */ | |||
{ | |||
1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, | |||
SSL_kECDHE, SSL_aNULL, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM, | |||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, | |||
}, | |||
/* Cipher C018 */ | |||
{ | |||
1, TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, | |||
TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aNULL, SSL_AES128, | |||
SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, | |||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, | |||
}, | |||
/* Cipher C019 */ | |||
{ | |||
1, TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, | |||
TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aNULL, SSL_AES256, | |||
SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, | |||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, | |||
}, | |||
/* HMAC based TLS v1.2 ciphersuites from RFC5289 */ | |||
@@ -414,13 +414,6 @@ int ssl3_accept(SSL *s) { | |||
* don't request cert during re-negotiation: */ | |||
((s->session->peer != NULL) && | |||
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || | |||
/* never request cert in anonymous ciphersuites | |||
* (see section "Certificate request" in SSL 3 drafts | |||
* and in RFC 2246): */ | |||
((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && | |||
/* ... except when the application insists on verification | |||
* (against the specs, but s3_clnt.c accepts this for SSL 3) */ | |||
!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || | |||
/* With normal PSK Certificates and | |||
* Certificate Requests are omitted */ | |||
(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { | |||
@@ -180,10 +180,7 @@ static const SSL_CIPHER cipher_aliases[] = | |||
{ | |||
{0, SSL_TXT_ALL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, | |||
/* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in | |||
ALL!) */ | |||
{0, SSL_TXT_CMPDEF, 0, SSL_kDHE | SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, | |||
0}, | |||
/* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */ | |||
/* key exchange aliases | |||
* (some of those using only a single bit here combine | |||
@@ -203,19 +200,16 @@ static const SSL_CIPHER cipher_aliases[] = | |||
/* server authentication aliases */ | |||
{0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, | |||
/* aliases combining key exchange and server authentication */ | |||
{0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_DHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_EDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_ECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_EECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, | |||
{0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, | |||
/* symmetric encryption aliases */ | |||
@@ -1006,13 +1000,6 @@ ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method, | |||
ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), 0, 0, 0, 0, 0, CIPHER_ORD, | |||
-1, 0, &head, &tail); | |||
/* Move anonymous ciphers to the end. Usually, these will remain disabled. | |||
* (For applications that allow them, they aren't too bad, but we prefer | |||
* authenticated ciphers.) | |||
* TODO(davidben): Remove them altogether? */ | |||
ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, | |||
&tail); | |||
/* Now disable everything (maintaining the ordering!) */ | |||
ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail); | |||
@@ -1186,10 +1173,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, | |||
au = "RSA"; | |||
break; | |||
case SSL_aNULL: | |||
au = "None"; | |||
break; | |||
case SSL_aECDSA: | |||
au = "ECDSA"; | |||
break; | |||
@@ -1332,8 +1315,6 @@ const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) { | |||
switch (cipher->algorithm_auth) { | |||
case SSL_aRSA: | |||
return "DHE_RSA"; | |||
case SSL_aNULL: | |||
return "DH_anon"; | |||
default: | |||
assert(0); | |||
return "UNKNOWN"; | |||
@@ -1347,8 +1328,6 @@ const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) { | |||
return "ECDHE_RSA"; | |||
case SSL_aPSK: | |||
return "ECDHE_PSK"; | |||
case SSL_aNULL: | |||
return "ECDH_anon"; | |||
default: | |||
assert(0); | |||
return "UNKNOWN"; | |||
@@ -1479,12 +1458,8 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c) { | |||
* public key in the key exchange, sent in a server Certificate message. | |||
* Otherwise it returns 0. */ | |||
int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) { | |||
/* Anonymous ciphers do not include a server certificate. */ | |||
if (cipher->algorithm_auth & SSL_aNULL) { | |||
return 0; | |||
} | |||
/* Neither do PSK ciphers, except for RSA_PSK. */ | |||
/* PSK-authenticated ciphers do not use a public key, except for | |||
* RSA_PSK. */ | |||
if ((cipher->algorithm_auth & SSL_aPSK) && | |||
!(cipher->algorithm_mkey & SSL_kRSA)) { | |||
return 0; | |||
@@ -2030,8 +2030,6 @@ void ssl_get_compatible_server_ciphers(SSL *s, unsigned long *out_mask_k, | |||
mask_a |= SSL_aRSA; | |||
} | |||
mask_a |= SSL_aNULL; | |||
/* An ECC certificate may be usable for ECDSA cipher suites depending on the | |||
* key usage extension and on the client's curve preferences. */ | |||
if (have_ecc_cert) { | |||
@@ -293,9 +293,8 @@ | |||
/* Bits for algorithm_auth (server authentication) */ | |||
#define SSL_aRSA 0x00000001L /* RSA auth */ | |||
#define SSL_aNULL 0x00000002L /* no auth (i.e. use ADH or AECDH) */ | |||
#define SSL_aECDSA 0x00000004L /* ECDSA auth*/ | |||
#define SSL_aPSK 0x00000008L /* PSK auth */ | |||
#define SSL_aECDSA 0x00000002L /* ECDSA auth*/ | |||
#define SSL_aPSK 0x00000004L /* PSK auth */ | |||
/* Bits for algorithm_enc (symmetric encryption) */ | |||
#define SSL_3DES 0x00000001L | |||
@@ -185,6 +185,8 @@ static const char *kBadRules[] = { | |||
// Empty cipher lists error at SSL_CTX_set_cipher_list. | |||
"", | |||
"BOGUS", | |||
// COMPLEMENTOFDEFAULT is empty. | |||
"COMPLEMENTOFDEFAULT", | |||
// Invalid command. | |||
"?BAR", | |||
// Special operators are not allowed if groups are used. | |||
@@ -428,12 +430,9 @@ static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = { | |||
{ SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" }, | |||
{ SSL3_CK_RSA_RC4_128_MD5, "TLS_RSA_WITH_RC4_MD5" }, | |||
{ TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA" }, | |||
{ TLS1_CK_ADH_WITH_AES_128_SHA, "TLS_DH_anon_WITH_AES_128_CBC_SHA" }, | |||
{ TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" }, | |||
{ TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, | |||
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" }, | |||
{ TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, | |||
"TLS_ECDH_anon_WITH_AES_128_CBC_SHA" }, | |||
{ TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, | |||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" }, | |||
{ TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, | |||