Remove static ECDH support.

Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Dr. Stephen Henson
2016-02-11 18:19:27 +00:00
parent fd7dc201d3
commit ce0c1f2bb2
7 changed files with 30 additions and 484 deletions


@@ -1645,85 +1645,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
#endif
#ifndef OPENSSL_NO_EC
/* Cipher C001 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
/* Cipher C002 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher C003 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
/* Cipher C004 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher C005 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
SSL_kECDHe,
SSL_aECDH,
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher C006 */
{
@@ -1805,86 +1726,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
},
/* Cipher C00B */
{
1,
TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_eNULL,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
/* Cipher C00C */
{
1,
TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher C00D */
{
1,
TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
/* Cipher C00E */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_AES128,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
/* Cipher C00F */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
SSL_kECDHr,
SSL_aECDH,
SSL_AES256,
SSL_SHA1,
SSL_SSLV3,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
/* Cipher C010 */
{
1,
@@ -2227,37 +2068,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
},
/* Cipher C025 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256,
TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256,
SSL_kECDHe,
SSL_aECDH,
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher C026 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384,
TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
SSL_kECDHe,
SSL_aECDH,
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* Cipher C027 */
{
@@ -2291,38 +2101,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
},
/* Cipher C029 */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
SSL_kECDHr,
SSL_aECDH,
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher C02A */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
SSL_kECDHr,
SSL_aECDH,
SSL_AES256,
SSL_SHA384,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* GCM based TLS v1.2 ciphersuites from RFC5289 */
/* Cipher C02B */
@@ -2357,38 +2135,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
},
/* Cipher C02D */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
SSL_kECDHe,
SSL_aECDH,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher C02E */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_kECDHe,
SSL_aECDH,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* Cipher C02F */
{
1,
@@ -2421,38 +2167,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
},
/* Cipher C031 */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
SSL_kECDHr,
SSL_aECDH,
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
/* Cipher C032 */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
SSL_kECDHr,
SSL_aECDH,
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
/* PSK ciphersuites from RFC 5489 */
/* Cipher C033 */
{
@@ -2627,34 +2341,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
256},
{ /* Cipher C074 */
1,
TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kECDHe,
SSL_aECDH,
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128},
{ /* Cipher C075 */
1,
TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kECDHe,
SSL_aECDH,
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
{ /* Cipher C076 */
1,
TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
@@ -2683,33 +2369,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
256},
{ /* Cipher C078 */
1,
TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kECDHr,
SSL_aECDH,
SSL_CAMELLIA128,
SSL_SHA256,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128},
{ /* Cipher C079 */
1,
TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kECDHr,
SSL_aECDH,
SSL_CAMELLIA256,
SSL_SHA384,
SSL_TLSV1_2,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256},
# endif /* OPENSSL_NO_CAMELLIA */
#endif /* OPENSSL_NO_EC */