boringssl/ssl
David Benjamin 6e678eeb6e Remove legacy SHA-2 CBC ciphers.
All CBC ciphers in TLS are broken and insecure. TLS 1.2 introduced
AEAD-based ciphers which avoid their many problems. It also introduced
new CBC ciphers based on HMAC-SHA256 and HMAC-SHA384 that share the same
flaws as the original HMAC-SHA1 ones. These serve no purpose. Old
clients don't support them, they have the highest overhead of all TLS
ciphers, and new clients can use AEADs anyway.

Remove them from libssl. This is the smaller, more easily reverted
portion of the removal. If it survives a week or so, we can unwind a lot
more code elsewhere in libcrypto. This removal will allow us to clear
some indirect calls from crypto/cipher_extra/tls_cbc.c, aligning with
the recommendations here:

https://github.com/HACS-workshop/spectre-mitigations/blob/master/crypto_guidelines.md#2-avoid-indirect-branches-in-constant-time-code

Update-Note: The following cipher suites are removed:
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Change-Id: I7ade0fc1fa2464626560d156659893899aab6f77
Reviewed-on: https://boringssl-review.googlesource.com/27944
Reviewed-by: Adam Langley <agl@google.com>
2018-05-02 19:21:56 +00:00
..
test Remove legacy SHA-2 CBC ciphers. 2018-05-02 19:21:56 +00:00
bio_ssl.cc
CMakeLists.txt Add initial, experimental support for split handshakes. 2018-01-31 22:24:17 +00:00
custom_extensions.cc Rename ssl3_send_alert and ssl3_protocol_version. 2017-10-12 16:24:35 +00:00
d1_both.cc Remove trailing whitespace from ssl/. 2018-02-26 22:05:13 +00:00
d1_lib.cc Give DTLS1_STATE a destructor. 2017-10-25 03:23:26 +00:00
d1_pkt.cc Make SSL3_BUFFER a proper C++ class. 2017-10-24 17:32:45 +00:00
d1_srtp.cc Move srtp_profile to ssl->s3. 2018-04-16 20:07:43 +00:00
dtls_method.cc Remove trailing whitespace from ssl/. 2018-02-26 22:05:13 +00:00
dtls_record.cc Use the actual record header, rather than reassembling it. 2018-04-10 19:52:33 +00:00
handoff.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
handshake_client.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
handshake_server.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
handshake.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
internal.h Remove legacy SHA-2 CBC ciphers. 2018-05-02 19:21:56 +00:00
s3_both.cc Revert "Pack encrypted handshake messages together." 2017-10-27 14:36:37 +00:00
s3_lib.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
s3_pkt.cc Remove draft22 and experiment2. 2018-01-31 18:07:53 +00:00
span_test.cc Add bssl::SealRecord and bssl::OpenRecord. 2017-07-24 20:14:08 +00:00
ssl_aead_ctx.cc Use the actual record header, rather than reassembling it. 2018-04-10 19:52:33 +00:00
ssl_asn1.cc Expose ssl_session_serialize to libssl. 2018-01-26 22:31:47 +00:00
ssl_buffer.cc Move init_buf and rwstate into SSL3_STATE. 2017-10-24 18:55:05 +00:00
ssl_cert.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
ssl_cipher.cc Remove legacy SHA-2 CBC ciphers. 2018-05-02 19:21:56 +00:00
ssl_file.cc Avoid modifying stack in sk_find. 2018-04-12 21:02:12 +00:00
ssl_key_share.cc Check for nullptr result of SSLKeyShare::Create(). 2018-04-10 22:55:53 +00:00
ssl_lib.cc Allow renego and config shedding to coexist more smoothly. 2018-05-01 23:28:59 +00:00
ssl_privkey.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
ssl_session.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
ssl_stat.cc Remove trailing whitespace from ssl/. 2018-02-26 22:05:13 +00:00
ssl_test.cc Remove legacy SHA-2 CBC ciphers. 2018-05-02 19:21:56 +00:00
ssl_transcript.cc Hand back ECDHE split handshakes after the first server message. 2018-04-04 17:58:15 +00:00
ssl_versions.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
ssl_x509.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
t1_enc.cc Add initial, experimental support for split handshakes. 2018-01-31 22:24:17 +00:00
t1_lib.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
tls13_both.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
tls13_client.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
tls13_enc.cc Remove draft22 and experiment2. 2018-01-31 18:07:53 +00:00
tls13_server.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
tls_method.cc SSL_CONFIG: new struct for sheddable handshake configuration. 2018-05-01 20:40:16 +00:00
tls_record.cc Use the actual record header, rather than reassembling it. 2018-04-10 19:52:33 +00:00