Remove single-DES cipher suites.

This also removes the 'LOW' strength class. Change-Id: Iffd2356dadb4a4875c1547a613d51061101358fd Reviewed-on: https://boringssl-review.googlesource.com/1562 Reviewed-by: Adam Langley <agl@google.com>
2014-08-19 15:25:49 -04:00 · 2014-08-19 15:25:49 -04:00 · d0639af978
commit d0639af978
parent ebf42b5f6f
4 changed files with 12 additions and 125 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -188,7 +188,6 @@ extern "C" {

 /* These are used to specify which ciphers to use and not to use */

-#define SSL_TXT_LOW		"LOW"
 #define SSL_TXT_MEDIUM		"MEDIUM"
 #define SSL_TXT_HIGH		"HIGH"
 #define SSL_TXT_FIPS		"FIPS"
@ -224,7 +223,6 @@ extern "C" {
 #define SSL_TXT_ECDSA		"ECDSA"
 #define SSL_TXT_PSK             "PSK"

-#define SSL_TXT_DES		"DES"
 #define SSL_TXT_3DES		"3DES"
 #define SSL_TXT_RC4		"RC4"
 #define SSL_TXT_AES128		"AES128"
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -200,22 +200,6 @@ const SSL_CIPHER ssl3_ciphers[]={
 	128,
 	},

-/* Cipher 09 */
-	{
-	1,
-	SSL3_TXT_RSA_DES_64_CBC_SHA,
-	SSL3_CK_RSA_DES_64_CBC_SHA,
-	SSL_kRSA,
-	SSL_aRSA,
-	SSL_DES,
-	SSL_SHA1,
-	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW,
-	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	56,
-	56,
-	},
-
 /* Cipher 0A */
 	{
 	1,
@ -232,74 +216,8 @@ const SSL_CIPHER ssl3_ciphers[]={
 	168,
 	},

-/* The DH ciphers */
-
-/* Cipher 0C */
-	{
-	1,
-	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
-	SSL3_CK_DH_DSS_DES_64_CBC_SHA,
-	SSL_kDHd,
-	SSL_aDH,
-	SSL_DES,
-	SSL_SHA1,
-	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW,
-	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	56,
-	56,
-	},
-
-/* Cipher 0F */
-	{
-	1,
-	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
-	SSL3_CK_DH_RSA_DES_64_CBC_SHA,
-	SSL_kDHr,
-	SSL_aDH,
-	SSL_DES,
-	SSL_SHA1,
-	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW,
-	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	56,
-	56,
-	},
-
 /* The Ephemeral DH ciphers */

-/* Cipher 12 */
-	{
-	1,
-	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
-	SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
-	SSL_kEDH,
-	SSL_aDSS,
-	SSL_DES,
-	SSL_SHA1,
-	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW,
-	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	56,
-	56,
-	},
-
-/* Cipher 15 */
-	{
-	1,
-	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
-	SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
-	SSL_kEDH,
-	SSL_aRSA,
-	SSL_DES,
-	SSL_SHA1,
-	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW,
-	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	56,
-	56,
-	},
-
 /* Cipher 18 */
 	{
 	1,
@ -316,22 +234,6 @@ const SSL_CIPHER ssl3_ciphers[]={
 	128,
 	},

-/* Cipher 1A */
-	{
-	1,
-	SSL3_TXT_ADH_DES_64_CBC_SHA,
-	SSL3_CK_ADH_DES_64_CBC_SHA,
-	SSL_kEDH,
-	SSL_aNULL,
-	SSL_DES,
-	SSL_SHA1,
-	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW,
-	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	56,
-	56,
-	},
-
 /* New AES ciphersuites */
 /* Cipher 2F */
 	{
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@ -147,12 +147,11 @@

 #include "ssl_locl.h"

-#define SSL_ENC_DES_IDX		0
-#define SSL_ENC_3DES_IDX	1
-#define SSL_ENC_RC4_IDX		2
-#define SSL_ENC_AES128_IDX	3
-#define SSL_ENC_AES256_IDX	4
-#define SSL_ENC_NUM_IDX		5
+#define SSL_ENC_3DES_IDX	0
+#define SSL_ENC_RC4_IDX		1
+#define SSL_ENC_AES128_IDX	2
+#define SSL_ENC_AES256_IDX	3
+#define SSL_ENC_NUM_IDX		4


 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]= { 0 };
@ -239,7 +238,6 @@ static const SSL_CIPHER cipher_aliases[]={


 	/* symmetric encryption aliases */
-	{0,SSL_TXT_DES,0,     0,0,SSL_DES,   0,0,0,0,0,0},
 	{0,SSL_TXT_3DES,0,    0,0,SSL_3DES,  0,0,0,0,0,0},
 	{0,SSL_TXT_RC4,0,     0,0,SSL_RC4,   0,0,0,0,0,0},
 	{0,SSL_TXT_AES128,0,  0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0},
@ -261,7 +259,6 @@ static const SSL_CIPHER cipher_aliases[]={
 	{0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},

 	/* strength classes */
-	{0,SSL_TXT_LOW,0,     0,0,0,0,0,SSL_LOW,   0,0,0},
 	{0,SSL_TXT_MEDIUM,0,  0,0,0,0,0,SSL_MEDIUM,0,0,0},
 	{0,SSL_TXT_HIGH,0,    0,0,0,0,0,SSL_HIGH,  0,0,0},
 	/* FIPS 140-2 approved ciphersuite */
@ -270,7 +267,6 @@ static const SSL_CIPHER cipher_aliases[]={

 void ssl_load_ciphers(void)
 	{
-	ssl_cipher_methods[SSL_ENC_DES_IDX]= EVP_des_cbc();
 	ssl_cipher_methods[SSL_ENC_3DES_IDX]= EVP_des_ede3_cbc();
 	ssl_cipher_methods[SSL_ENC_RC4_IDX]= EVP_rc4();
 	ssl_cipher_methods[SSL_ENC_AES128_IDX]= EVP_aes_128_cbc();
@ -345,9 +341,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,

 	switch (c->algorithm_enc)
 		{
-	case SSL_DES:
-		i=SSL_ENC_DES_IDX;
-		break;
 	case SSL_3DES:
 		i=SSL_ENC_3DES_IDX;
 		break;
@ -519,7 +512,6 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
 		


-	*enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
 	*enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
 	*enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
 	*enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
@ -1467,9 +1459,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)

 	switch (alg_enc)
 		{
-	case SSL_DES:
-		enc="DES(56)";
-		break;
 	case SSL_3DES:
 		enc="3DES(168)";
 		break;
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@ -294,14 +294,13 @@


 /* Bits for algorithm_enc (symmetric encryption) */
-#define SSL_DES			0x00000001L
-#define SSL_3DES		0x00000002L
-#define SSL_RC4			0x00000004L
-#define SSL_AES128		0x00000008L
-#define SSL_AES256		0x00000010L
-#define SSL_AES128GCM		0x00000020L
-#define SSL_AES256GCM		0x00000040L
-#define SSL_CHACHA20POLY1305	0x00000080L
+#define SSL_3DES		0x00000001L
+#define SSL_RC4			0x00000002L
+#define SSL_AES128		0x00000004L
+#define SSL_AES256		0x00000008L
+#define SSL_AES128GCM		0x00000010L
+#define SSL_AES256GCM		0x00000020L
+#define SSL_CHACHA20POLY1305	0x00000040L

 #define SSL_AES        		(SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)

@ -372,7 +371,6 @@

 #define SSL_NOT_EXP		0x00000001L

-#define SSL_LOW			0x00000020L
 #define SSL_MEDIUM		0x00000040L
 #define SSL_HIGH		0x00000080L
 #define SSL_FIPS		0x00000100L