Remove anonymous cipher suites. These are the remaining untested cipher suites. Rather than add support in runner.go, just remove them altogether. Grepping for this is a little tricky, but nothing enables aNULL (all occurrences disable it), and all occurrences of ["ALL:] seem to be either unused or explicitly disable anonymous ciphers. Change-Id: I4fd4b8dc6a273d6c04a26e93839641ddf738343f Reviewed-on: https://boringssl-review.googlesource.com/4258 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 831b511..6ad8e83 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -175,8 +175,6 @@ #define SSL_TXT_HIGH "HIGH" #define SSL_TXT_FIPS "FIPS" -#define SSL_TXT_aNULL "aNULL" - #define SSL_TXT_kRSA "kRSA" #define SSL_TXT_kDHE "kDHE" #define SSL_TXT_kEDH "kEDH" /* same as "kDHE" */ @@ -189,14 +187,12 @@ #define SSL_TXT_aPSK "aPSK" #define SSL_TXT_DH "DH" -#define SSL_TXT_DHE "DHE" /* same as "kDHE:-ADH" */ +#define SSL_TXT_DHE "DHE" /* same as "kDHE" */ #define SSL_TXT_EDH "EDH" /* same as "DHE" */ -#define SSL_TXT_ADH "ADH" #define SSL_TXT_RSA "RSA" #define SSL_TXT_ECDH "ECDH" -#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE:-AECDH" */ +#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE" */ #define SSL_TXT_EECDH "EECDH" /* same as "ECDHE" */ -#define SSL_TXT_AECDH "AECDH" #define SSL_TXT_ECDSA "ECDSA" #define SSL_TXT_PSK "PSK" @@ -238,7 +234,7 @@ /* The following cipher list is used by default. It also is substituted when an * application-defined cipher list string starts with 'DEFAULT'. */ -#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" +#define SSL_DEFAULT_CIPHER_LIST "ALL" /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * starts with a reasonable order, and all we have to do for DEFAULT is
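Review bot: In the last hunk, `SSL_DEFAULT_CIPHER_LIST` becomes a bare `"ALL"`, which drops `!eNULL` and `!SSLv2` along with `!aNULL`, although the commit message only argues the anonymous case. From here on the default is safe only while the cipher table in ssl/s3_lib.c holds no unauthenticated or NULL-encryption suite; that table is only partly visible in this diff, so the eNULL side should be confirmed. I would record the invariant next to the define, e.g. `/* "ALL" must never contain anonymous or NULL-encryption suites; any suite added to the cipher table is enabled by default. */`. The comment block that follows the define continues past the end of the hunk.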
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 01f5cbf..0f217aa 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -320,13 +320,6 @@ * don't request cert during re-negotiation: */ ((s->session->peer != NULL) && (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || - /* never request cert in anonymous ciphersuites - * (see section "Certificate request" in SSL 3 drafts - * and in RFC 2246): */ - ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && - /* ... except when the application insists on verification - * (against the specs, but s3_clnt.c accepts this for SSL 3) */ - !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || /* With normal PSK Certificates and * Certificate Requests are omitted */ (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index a6e76c9..7826bf49 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1411,15 +1411,6 @@ goto err; } - /* TLS does not like anon-DH with client cert */ - if (s->version > SSL3_VERSION && - (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); - OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, - SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); - goto err; - } - CBS_init(&cbs, s->init_msg, n); ca_sk = sk_X509_NAME_new(ca_dn_cmp);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index fe0e760..f67267f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -185,16 +185,6 @@ }, - /* The Ephemeral DH ciphers */ - - /* Cipher 18 */ - { - 1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kDHE, SSL_aNULL, - SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, - }, - - /* New AES ciphersuites */ /* Cipher 2F */ @@ -211,13 +201,6 @@ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, - /* Cipher 34 */ - { - 1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kDHE, - SSL_aNULL, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, - }, - /* Cipher 35 */ { 1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA, @@ -232,13 +215,6 @@ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, - /* Cipher 3A */ - { - 1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kDHE, - SSL_aNULL, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, - }, - /* TLS v1.2 ciphersuites */ @@ -272,20 +248,6 @@ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, - /* Cipher 6C */ - { - 1, TLS1_TXT_ADH_WITH_AES_128_SHA256, TLS1_CK_ADH_WITH_AES_128_SHA256, - SSL_kDHE, SSL_aNULL, SSL_AES128, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, - }, - - /* Cipher 6D */ - { - 1, TLS1_TXT_ADH_WITH_AES_256_SHA256, TLS1_CK_ADH_WITH_AES_256_SHA256, - SSL_kDHE, SSL_aNULL, SSL_AES256, SSL_SHA256, SSL_TLSV1_2, - SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, - }, - /* Cipher 8A */ { 1, TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK, 
@@ -350,26 +312,6 @@ 256, 256, }, - /* Cipher A6 */ - { - 1, TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, - TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aNULL, SSL_AES128GCM, - SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD | - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, - 128, 128, - }, - - /* Cipher A7 */ - { - 1, TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, - TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aNULL, SSL_AES256GCM, - SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD | - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, - 256, 256, - }, - /* Cipher C007 */ { 1, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, @@ -417,29 +359,6 @@ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, - /* Cipher C016 */ - { - 1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, - SSL_kECDHE, SSL_aNULL, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, - }, - - /* Cipher C018 */ - { - 1, TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, - TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aNULL, SSL_AES128, - SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, - }, - - /* Cipher C019 */ - { - 1, TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, - TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aNULL, SSL_AES256, - SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, - }, - /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 25482a2..eb458f2 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -414,13 +414,6 @@ * don't request cert during re-negotiation: */ ((s->session->peer != NULL) && (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || - /* never request cert in anonymous ciphersuites - * (see section "Certificate request" in SSL 3 drafts - * and in RFC 2246): */ - ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && - /* ... except when the application insists on verification - * (against the specs, but s3_clnt.c accepts this for SSL 3) */ - !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || /* With normal PSK Certificates and * Certificate Requests are omitted */ (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5ab43e7..1253f8f 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -180,10 +180,7 @@ { {0, SSL_TXT_ALL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, - /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in - ALL!) */ - {0, SSL_TXT_CMPDEF, 0, SSL_kDHE | SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, - 0}, + /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */ /* key exchange aliases * (some of those using only a single bit here combine @@ -203,19 +200,16 @@ /* server authentication aliases */ {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, /* aliases combining key exchange and server authentication */ - {0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_DHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_EDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_EECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, /* symmetric encryption aliases */ 
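Review bot: The second hunk deletes the `SSL_TXT_aNULL`, `SSL_TXT_ADH` and `SSL_TXT_AECDH` alias rows, and the first drops the `COMPLEMENTOFDEFAULT` rule, so hardened strings that applications already ship, such as `ALL:!aNULL`, now contain names the parser no longer recognises. The rule parser is not part of this diff; the `"BOGUS"` entry in ssl/ssl_test.cc suggests unknown names are skipped rather than rejected, but that is an inference from the test list. A positive case in ssl_test.cc would pin it down, for example one showing that `"ALL:!aNULL:!ADH"` still produces the same list as `"ALL"`. The replacement comment in the first hunk could also say that the name is now treated like any unknown selector, not only that it `matches nothing`.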
@@ -1006,13 +1000,6 @@ ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail); - /* Move anonymous ciphers to the end. Usually, these will remain disabled. - * (For applications that allow them, they aren't too bad, but we prefer - * authenticated ciphers.) - * TODO(davidben): Remove them altogether? */ - ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, - &tail); - /* Now disable everything (maintaining the ordering!) */ ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail); @@ -1186,10 +1173,6 @@ au = "RSA"; break; - case SSL_aNULL: - au = "None"; - break; - case SSL_aECDSA: au = "ECDSA"; break; @@ -1332,8 +1315,6 @@ switch (cipher->algorithm_auth) { case SSL_aRSA: return "DHE_RSA"; - case SSL_aNULL: - return "DH_anon"; default: assert(0); return "UNKNOWN"; @@ -1347,8 +1328,6 @@ return "ECDHE_RSA"; case SSL_aPSK: return "ECDHE_PSK"; - case SSL_aNULL: - return "ECDH_anon"; default: assert(0); return "UNKNOWN"; @@ -1479,12 +1458,8 @@ * public key in the key exchange, sent in a server Certificate message. * Otherwise it returns 0. */ int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) { - /* Anonymous ciphers do not include a server certificate. */ - if (cipher->algorithm_auth & SSL_aNULL) { - return 0; - } - - /* Neither do PSK ciphers, except for RSA_PSK. */ + /* PSK-authenticated ciphers do not use a public key, except for + * RSA_PSK. */ if ((cipher->algorithm_auth & SSL_aPSK) && !(cipher->algorithm_mkey & SSL_kRSA)) { return 0;
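Review bot: In the final hunk, `ssl_cipher_has_server_public_key` loses its anonymous early return, so its answer for every cipher that is not PSK-authenticated now rests on the table holding only certificate-authenticated suites, and the rewritten comment documents only the PSK exception. I would state the assumption in the doc comment above the function, e.g. `/* Every cipher that is not PSK-authenticated uses a server certificate; anonymous suites are not supported. */`. The function body continues past the end of the hunk, so the remaining return path is not visible here.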
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a9d1528..1578dba 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2030,8 +2030,6 @@ mask_a |= SSL_aRSA; } - mask_a |= SSL_aNULL; - /* An ECC certificate may be usable for ECDSA cipher suites depending on the * key usage extension and on the client's curve preferences. */ if (have_ecc_cert) {
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 6278deb..16fe2c6 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -293,9 +293,8 @@ /* Bits for algorithm_auth (server authentication) */ #define SSL_aRSA 0x00000001L /* RSA auth */ -#define SSL_aNULL 0x00000002L /* no auth (i.e. use ADH or AECDH) */ -#define SSL_aECDSA 0x00000004L /* ECDSA auth*/ -#define SSL_aPSK 0x00000008L /* PSK auth */ +#define SSL_aECDSA 0x00000002L /* ECDSA auth*/ +#define SSL_aPSK 0x00000004L /* PSK auth */ /* Bits for algorithm_enc (symmetric encryption) */ #define SSL_3DES 0x00000001L
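Review bot: The hunk renumbers `SSL_aECDSA` from 0x4 to 0x2 and `SSL_aPSK` from 0x8 to 0x4 instead of leaving the old `SSL_aNULL` bit unused, so the value 0x2 silently changes meaning from "no authentication" to "ECDSA". That is harmless only if `algorithm_auth` bits never leave the process and no code outside this header hard-codes them; neither is visible in this diff, so it is worth confirming. Keeping the old values and marking the gap, e.g. `/* 0x00000002L was SSL_aNULL (removed) */`, would avoid the question. The new `SSL_aECDSA` line also keeps the missing space in `/* ECDSA auth*/`.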
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 22018bb..aba758e 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -185,6 +185,8 @@ // Empty cipher lists error at SSL_CTX_set_cipher_list. "", "BOGUS", + // COMPLEMENTOFDEFAULT is empty. + "COMPLEMENTOFDEFAULT", // Invalid command. "?BAR", // Special operators are not allowed if groups are used. @@ -428,12 +430,9 @@ { SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" }, { SSL3_CK_RSA_RC4_128_MD5, "TLS_RSA_WITH_RC4_MD5" }, { TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA" }, - { TLS1_CK_ADH_WITH_AES_128_SHA, "TLS_DH_anon_WITH_AES_128_CBC_SHA" }, { TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" }, { TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" }, - { TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" }, { TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" }, { TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,