boringssl/include/openssl
David Benjamin f6094e05ef Don't allow EVP_PKEY_RSA2.
OpenSSL accepts both OID 2.5.8.1.1 and OID 1.2.840.113549.1.1.1 for RSA
public keys. The latter comes from RFC 3279 and is widely implemented.
The former comes from the ITU-T version of X.509. Interestingly,
2.5.8.1.1 actually has a parameter, which OpenSSL ignores:

  rsa ALGORITHM ::= {
     KeySize
     IDENTIFIED BY id-ea-rsa
  }
  KeySize ::= INTEGER

Remove support for 2.5.8.1.1 completely. In tests with a self-signed
certificate and code inspection:

- IE11 on Win8 does not accept the certificate in a TLS handshake at
  all. Such a certificate is fatal and unbypassable. However Microsoft's
  libraries do seem to parse it, so Chrome on Windows allows one to
  click through the error. I'm guessing either the X.509 stack accepts
  it while the TLS stack doesn't recognize it as RSA or the X.509 stack
  is able to lightly parse it but not actually understand the key. (The
  system certificate UI didn't display it as an RSA key, so probably the
  latter?)

- Apple's certificate library on 10.11.2 does not parse the certificate
  at all. Both Safari and Chrome on Mac treat it as a fatal and
  unbypassable error.

- mozilla::pkix, from code inspection, does not accept such
  certificates. However, Firefox does allow clicking through the error.
  This is likely a consequence of mozilla::pkix and NSS having different
  ASN.1 stacks. I did not test this, but I expect this means Chrome on
  Linux also accepts it.

Given IE and Safari's results, it should be safe to simply remove this.
Firefox's data point is weak (perhaps someone is relying on being able
to click-through a self-signed 2.5.8.1.1 certificate), but it does
further ensure no valid certificate could be doing this.

The following is the 2.5.8.1.1 certificate I constructed to test with.
The private key is key.pem from ssl/test/runner:

-----BEGIN CERTIFICATE-----
MIICVTCCAb6gAwIBAgIJAPuwTC6rEJsMMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTQwNDIzMjA1MDQwWhcNMTcwNDIyMjA1MDQwWjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGcMAoGBFUIAQECAgQAA4GNADCBiQKBgQDY
K8imMuRi/03z0K1Zi0WnvfFHvwlYeyK9Na6XJYaUoIDAtB92kWdGMdAQhLciHnAj
kXLI6W15OoV3gA/ElRZ1xUpxTMhjP6PyY5wqT5r6y8FxbiiFKKAnHmUcrgfVW28t
Q+0rkLGMryRtrukXOgXBv7gcrmU7G1jC2a7WqmeI8QIDAQABo1AwTjAdBgNVHQ4E
FgQUi3XVrMsIvg4fZbf6Vr5sp3Xaha8wHwYDVR0jBBgwFoAUi3XVrMsIvg4fZbf6
Vr5sp3Xaha8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAIZuUICtYv
w3cbpCGX6HNCtyI0guOfbytcdwzRkQaCsYNSDrTxrSSWxHwqg3Dl/RlvS+T3Yaua
Xkioadstwt7GDP6MwpIpdbjchh0XZd3kjdJWqXSvihUDpRePNjNS2LmJW8GWfB3c
F6UVyNK+wcApRY+goREIhyYupAHUexR7FQ==
-----END CERTIFICATE-----

BUG=522228

Change-Id: I031d03c0f53a16cbc749c4a5d8be6efca50dc863
Reviewed-on: https://boringssl-review.googlesource.com/6852
Reviewed-by: Adam Langley <alangley@gmail.com>
2016-01-28 00:43:37 +00:00
..
aead.h Point EVP_aead_chacha20_poly1305 at the standardized version. 2015-12-16 21:22:11 +00:00
aes.h
arm_arch.h
asn1_mac.h
asn1.h Remove ASN1_R_MALLOC_FAILURE. 2015-12-22 00:12:24 +00:00
asn1t.h
base64.h
base.h Fold EC_GROUP_new_curve_GFp and EC_GROUP_set_generator into a EC_GROUP_new_arbitrary. 2016-01-21 22:35:46 +00:00
bio.h Tweaks for node.js 2016-01-26 23:23:42 +00:00
blowfish.h
bn.h Rename the BIGNUM ASN.1 functions. 2016-01-27 22:37:44 +00:00
buf.h Have doc.go parse struct comments. 2016-01-26 23:23:23 +00:00
buffer.h
bytestring.h Rewrite ssl3_send_server_key_exchange to use CBB. 2015-12-22 17:23:58 +00:00
cast.h
chacha.h
cipher.h
cmac.h
conf.h Also add a no-op stub for OPENSSL_config. 2016-01-26 15:48:51 +00:00
cpu.h
crypto.h Tweaks for node.js 2016-01-26 23:23:42 +00:00
curve25519.h Add #defines for ED25519 key and signature lengths. 2015-12-22 16:06:07 +00:00
des.h
dh.h Update comments to better document in-place semantics. 2016-01-19 17:01:37 +00:00
digest.h
dsa.h Have doc.go parse struct comments. 2016-01-26 23:23:23 +00:00
dtls1.h
ec_key.h Update comments to better document in-place semantics. 2016-01-19 17:01:37 +00:00
ec.h Tweaks for node.js 2016-01-26 23:23:42 +00:00
ecdh.h
ecdsa.h Update comments to better document in-place semantics. 2016-01-19 17:01:37 +00:00
engine.h
err.h Have doc.go parse struct comments. 2016-01-26 23:23:23 +00:00
evp.h Don't allow EVP_PKEY_RSA2. 2016-01-28 00:43:37 +00:00
ex_data.h Skip free callbacks on empty CRYPTO_EX_DATAs. 2015-12-15 21:32:14 +00:00
hkdf.h
hmac.h
lhash_macros.h
lhash.h
md4.h Store the partial block as uint8_t, not uint32_t. 2015-12-16 19:59:29 +00:00
md5.h Store the partial block as uint8_t, not uint32_t. 2015-12-16 19:59:29 +00:00
mem.h Fix some documentation comments. 2016-01-21 22:12:08 +00:00
obj_mac.h Allocate a NID for X25519. 2015-12-22 18:56:53 +00:00
obj.h
objects.h
opensslfeatures.h
opensslv.h
ossl_typ.h
pem.h Resolve a few old TODOs. 2015-12-22 00:14:35 +00:00
pkcs7.h
pkcs8.h
pkcs12.h
poly1305.h
pqueue.h
rand.h Add a few more no-op stubs for cURL compatibility. 2016-01-26 15:48:41 +00:00
rc4.h
rsa.h Update comments to better document in-place semantics. 2016-01-19 17:01:37 +00:00
safestack.h
sha.h Store the partial block as uint8_t, not uint32_t. 2015-12-16 19:59:29 +00:00
srtp.h
ssl3.h
ssl.h Fix documentation string. 2016-01-27 22:20:32 +00:00
stack_macros.h Remove stack macros for nonexistent types. 2015-12-22 00:12:38 +00:00
stack.h Remove stack macros for nonexistent types. 2015-12-22 00:12:38 +00:00
thread.h
time_support.h
tls1.h Implement draft-ietf-tls-chacha20-poly1305-04. 2015-12-16 23:34:56 +00:00
type_check.h
x509_vfy.h Import “altchains” support. 2016-01-19 17:02:31 +00:00
x509.h Resolve a few old TODOs. 2015-12-22 00:14:35 +00:00
x509v3.h