generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove fixed DH ciphersuites.

Browse Source 
Remove all fixed DH ciphersuites and associated logic.

Reviewed-by: Matt Caswell <matt@openssl.org>
This commit is contained in:
Dr. Stephen Henson
2015-12-15 23:57:18 +00:00
parent 74a62e9629
commit bc71f91064
10 changed files with 64 additions and 656 deletions
Download Patch File Download Diff File Expand all files Collapse all files

400
ssl/s3_lib.c
View File

@@ -261,38 +261,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
168,
},
/* Cipher 0D */
{
1,
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
SSL_kDHd,
SSL_aDH,
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
/* Cipher 10 */
{
1,
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
SSL_kDHr,
SSL_aDH,
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
/* Cipher 13 */
{
1,
@@ -420,36 +388,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
128,
128,
},
/* Cipher 30 */
{
1,
TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
TLS1_CK_DH_DSS_WITH_AES_128_SHA,
SSL_kDHd,
SSL_aDH,
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher 31 */
{
1,
TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
TLS1_CK_DH_RSA_WITH_AES_128_SHA,
SSL_kDHr,
SSL_aDH,
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher 32 */
{
1,
@@ -511,37 +449,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},
/* Cipher 36 */
{
1,
TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
TLS1_CK_DH_DSS_WITH_AES_256_SHA,
SSL_kDHd,
SSL_aDH,
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher 37 */
{
1,
TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
TLS1_CK_DH_RSA_WITH_AES_256_SHA,
SSL_kDHr,
SSL_aDH,
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher 38 */
{
@@ -640,38 +547,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
},
/* Cipher 3E */
{
1,
TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
SSL_kDHd,
SSL_aDH,
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher 3F */
{
1,
TLS1_TXT_DH_RSA_WITH_AES_128_SHA256,
TLS1_CK_DH_RSA_WITH_AES_128_SHA256,
SSL_kDHr,
SSL_aDH,
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher 40 */
{
1,
@@ -707,38 +582,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
128,
},
/* Cipher 42 */
{
1,
TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
SSL_kDHd,
SSL_aDH,
SSL_CAMELLIA128,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher 43 */
{
1,
TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_kDHr,
SSL_aDH,
SSL_CAMELLIA128,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher 44 */
{
1,
@@ -805,38 +648,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
128,
},
/* Cipher 68 */
{
1,
TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
SSL_kDHd,
SSL_aDH,
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher 69 */
{
1,
TLS1_TXT_DH_RSA_WITH_AES_256_SHA256,
TLS1_CK_DH_RSA_WITH_AES_256_SHA256,
SSL_kDHr,
SSL_aDH,
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher 6A */
{
1,
@@ -950,37 +761,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},
/* Cipher 85 */
{
1,
TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
SSL_kDHd,
SSL_aDH,
SSL_CAMELLIA256,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher 86 */
{
1,
TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
SSL_kDHr,
SSL_aDH,
SSL_CAMELLIA256,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher 87 */
{
@@ -1245,38 +1025,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
128,
},
/* Cipher 97 */
{
1,
TLS1_TXT_DH_DSS_WITH_SEED_SHA,
TLS1_CK_DH_DSS_WITH_SEED_SHA,
SSL_kDHd,
SSL_aDH,
SSL_SEED,
SSL_SHA1,
SSL_SSLV3,
SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher 98 */
{
1,
TLS1_TXT_DH_RSA_WITH_SEED_SHA,
TLS1_CK_DH_RSA_WITH_SEED_SHA,
SSL_kDHr,
SSL_aDH,
SSL_SEED,
SSL_SHA1,
SSL_SSLV3,
SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher 99 */
{
1,
@@ -1393,38 +1141,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
},
/* Cipher A0 */
{
1,
TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256,
SSL_kDHr,
SSL_aDH,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher A1 */
{
1,
TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384,
SSL_kDHr,
SSL_aDH,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* Cipher A2 */
{
1,
@@ -1457,38 +1173,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
},
/* Cipher A4 */
{
1,
TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
SSL_kDHd,
SSL_aDH,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher A5 */
{
1,
TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
SSL_kDHd,
SSL_aDH,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* Cipher A6 */
{
1,
@@ -1831,38 +1515,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
128,
},
/* Cipher BB */
{
1,
TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kDHd,
SSL_aDH,
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher BC */
{
1,
TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kDHr,
SSL_aDH,
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher BD */
{
1,
@@ -1927,38 +1579,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
},
/* Cipher C1 */
{
1,
TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256,
SSL_kDHd,
SSL_aDH,
SSL_CAMELLIA256,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
/* Cipher C2 */
{
1,
TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256,
SSL_kDHr,
SSL_aDH,
SSL_CAMELLIA256,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
/* Cipher C3 */
{
1,
@@ -4665,7 +4285,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
{
int ret = 0;
int nostrict = 1;
uint32_t alg_k, alg_a = 0;
/* If we have custom certificate types set, use them */
@@ -4675,8 +4294,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
}
/* Get mask of algorithms disabled by signature list */
ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK);
if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
nostrict = 0;
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
@@ -4691,23 +4308,8 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
}
#endif
if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) {
#ifndef OPENSSL_NO_DH
if (alg_k & (SSL_kDHr | SSL_kDHE)) {
# ifndef OPENSSL_NO_RSA
/*
* Since this refers to a certificate signed with an RSA algorithm,
* only check for rsa signing in strict mode.
*/
if (nostrict || !(alg_a & SSL_aRSA))
p[ret++] = SSL3_CT_RSA_FIXED_DH;
# endif
# ifndef OPENSSL_NO_DSA
if (nostrict || !(alg_a & SSL_aDSS))
p[ret++] = SSL3_CT_DSS_FIXED_DH;
# endif
}
if ((s->version == SSL3_VERSION) &&
(alg_k & (SSL_kDHE | SSL_kDHd | SSL_kDHr))) {
# ifndef OPENSSL_NO_RSA
p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
# endif