Remove Suite B mode.

It was added in OpenSSL 1.0.2, so nothing can be depending on it yet. If we
really want a Suite B profile, it seems better to generate a configuration for
the rest of the system rather than pepper the codebase with checks.

Change-Id: I1be3ebed0e87cbfe236ade4174dcf5bbc7e10dd5
Reviewed-on: https://boringssl-review.googlesource.com/1517
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index d03f0a7..b3b2d29 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -604,13 +604,6 @@
  */
 #define SSL_CERT_FLAG_TLS_STRICT		0x00000001L
 
-/* Suite B modes, takes same values as certificate verify flags */
-#define SSL_CERT_FLAG_SUITEB_128_LOS_ONLY	0x10000
-/* Suite B 192 bit only mode */
-#define SSL_CERT_FLAG_SUITEB_192_LOS		0x20000
-/* Suite B 128 bit mode allowing 192 bit algorithms */
-#define SSL_CERT_FLAG_SUITEB_128_LOS		0x30000
-
 /* Perform all sorts of protocol violations for testing purposes */
 #define SSL_CERT_FLAG_BROKEN_PROTOCOL		0x10000000
 
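Review bot: Dropping the three SSL_CERT_FLAG_SUITEB_* definitions frees the 0x10000–0x30000 bits of cert_flags in a public header, and a caller that still ORs one of those raw values into the cert flags now silently gets nothing instead of a compile error; a one-line reservation comment at this spot, `/* 0x10000-0x30000 were the Suite B modes; left unassigned after their removal. */`, makes that explicit for whoever next allocates a bit. The commit also leaves identifiers whose only users were the removed code — CERT_PKEY_SUITEB (see the ssl/t1_lib.c hunk at old line 3560) and the SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE and SSL_R_ILLEGAL_SUITEB_DIGEST reason codes — defined wherever they live outside this diff, presumably. Either remove them in the same change or note that they are kept for numbering stability.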
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index d80cc98..cfa6d00 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -331,11 +331,6 @@
 			version_major = TLS1_2_VERSION_MAJOR;
 			version_minor = TLS1_2_VERSION_MINOR;
 			}
-		else if (tls1_suiteb(s))
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl23_client_hello, SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
-			return -1;
-			}
 		else if (version == TLS1_1_VERSION)
 			{
 			version_major = TLS1_1_VERSION_MAJOR;
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index f46e4e2..ca8e5d6 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -383,12 +383,6 @@
 		s->state = SSL23_ST_SR_SWITCH_VERSION;
 		}
 
-	if (s->version < TLS1_2_VERSION && tls1_suiteb(s))
-		{
-		OPENSSL_PUT_ERROR(SSL, ssl23_get_client_hello, SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
-		goto err;
-		}
-
 	return 1;
 err:
 	return -1;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 7219984..6b218f2 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -656,11 +656,6 @@
 			/* If DTLS 1.2 disabled correct the version number */
 			if (options & SSL_OP_NO_DTLSv1_2)
 				{
-				if (tls1_suiteb(s))
-					{
-					OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
-					goto err;
-					}
 				/* Disabling all versions is silly: return an
 				 * error.
 				 */
@@ -896,13 +891,6 @@
 		if (server_version == DTLS1_2_VERSION
 			&& !(options & SSL_OP_NO_DTLSv1_2))
 			s->method = DTLSv1_2_client_method();
-		else if (tls1_suiteb(s))
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
-			s->version = server_version;
-			al = SSL_AD_PROTOCOL_VERSION;
-			goto f_err;
-			}
 		else if (server_version == DTLS1_VERSION
 			&& !(options & SSL_OP_NO_DTLSv1))
 			s->method = DTLSv1_client_method();
@@ -2617,8 +2605,7 @@
 
 /* Check a certificate can be used for client authentication. Currently
  * check cert exists, if we have a suitable digest for TLS 1.2 if
- * static DH client certificates can be used and optionally checks
- * suitability for Suite B.
+ * static DH client certificates can be used.
  */
 static int ssl3_check_client_certificate(SSL *s)
 	{
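Review bot: The rewritten comment on ssl3_check_client_certificate still reads as a run-on ("check cert exists, if we have a suitable digest for TLS 1.2 if static DH client certificates can be used"); since the comment is being edited anyway, spell out the three checks: `/* Check a certificate can be used for client authentication. Currently checks the cert exists, that we have a suitable digest for TLS 1.2, and whether static DH client certificates can be used. */`. The next hunk in this file removes the second line of the strict-mode comment and leaves a lone ` */` line; collapse it to `/* If strict mode check suitability of chain before using it. */`.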
@@ -2629,7 +2616,6 @@
 	if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
 		return 0;
 	/* If strict mode check suitability of chain before using it.
-	 * This also adjusts suite B digest if necessary.
 	 */
 	if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
 		!tls1_check_chain(s, NULL, NULL, NULL, -2))
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8beb002..3e0a9ce 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3038,7 +3038,7 @@
 	    }
 #endif
 
-	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s))
+	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
 		{
 		prio = srvr;
 		in_group_flags = server_pref->in_group_flags;
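Review bot: With `|| tls1_suiteb(s)` gone, server-side cipher ordering is governed solely by SSL_OP_CIPHER_SERVER_PREFERENCE; Suite B previously forced server preference here and, in the same way, for signature algorithms in tls1_set_shared_sigalgs (ssl/t1_lib.c hunk at old line 3100). That matches the commit message, but a Suite B profile later expressed as configuration has to set SSL_OP_CIPHER_SERVER_PREFERENCE explicitly to keep that ordering, which is worth stating at the condition: `/* Server preference is opt-in; no mode forces it. */`. The enclosing function starts and ends outside the hunk.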
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index d5f34af..76766b0 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1040,13 +1040,6 @@
 				s->version = DTLS1_2_VERSION;
 				s->method = DTLSv1_2_server_method();
 				}
-			else if (tls1_suiteb(s))
-				{
-				OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
-				s->version = s->client_version;
-				al = SSL_AD_PROTOCOL_VERSION;
-				goto f_err;
-				}
 			else if (s->client_version <= DTLS1_VERSION &&
 				!(s->options & SSL_OP_NO_DTLSv1))
 				{
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 765efe4..1f0ff55 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -658,8 +658,6 @@
 		OPENSSL_PUT_ERROR(SSL, ssl_verify_cert_chain, ERR_R_X509_LIB);
 		return(0);
 		}
-	/* Set suite B flags if needed */
-	X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s));
 #if 0
 	if (SSL_get_verify_depth(s) >= 0)
 		X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
@@ -1149,8 +1147,6 @@
 		OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, ERR_R_X509_LIB);
 		goto err;
 		}
-	/* Set suite B flags if needed */
-	X509_STORE_CTX_set_flags(&xs_ctx, c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS);
 
 	i = X509_verify_cert(&xs_ctx);
 	if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index da29878..4f374f1 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1245,64 +1245,6 @@
 
 	return(retval);
 	}
-#ifndef OPENSSL_NO_EC
-static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
-					const char **prule_str)
-	{
-	unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
-	if (!strcmp(*prule_str, "SUITEB128"))
-		suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
-	else if (!strcmp(*prule_str, "SUITEB128ONLY"))
-		suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
-	else if (!strcmp(*prule_str, "SUITEB128C2"))
-		{
-		suiteb_comb2 = 1;
-		suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
-		}
-	else if (!strcmp(*prule_str, "SUITEB192"))
-		suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
-
-	if (suiteb_flags)
-		{
-		c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS;
-		c->cert_flags |= suiteb_flags;
-		}
-	else
-		suiteb_flags = c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS;
-
-	if (!suiteb_flags)
-		return 1;
-	/* Check version: if TLS 1.2 ciphers allowed we can use Suite B */
-
-	if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS))
-		{
-		if (meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
-			OPENSSL_PUT_ERROR(SSL, check_suiteb_cipher_list, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
-		else
-			OPENSSL_PUT_ERROR(SSL, check_suiteb_cipher_list, SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
-		return 0;
-		}
-
-	switch(suiteb_flags)
-		{
-	case SSL_CERT_FLAG_SUITEB_128_LOS:
-		if (suiteb_comb2)
-			*prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
-		else
-			*prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
-		break;
-	case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
-		*prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";
-		break;
-	case SSL_CERT_FLAG_SUITEB_192_LOS:
-		*prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
-		break;
-		}
-	/* Set auto ECDH parameter determination */
-	c->ecdh_tmp_auto = 1;
-	return 1;
-	}
-#endif
 
 
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1325,10 +1267,6 @@
 	 */
 	if (rule_str == NULL || cipher_list == NULL)
 		return NULL;
-#ifndef OPENSSL_NO_EC
-	if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
-		return NULL;
-#endif
 
 	/*
 	 * To reduce the work to do we only want to process the compiled
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 3555692..e796245 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -477,11 +477,9 @@
 	 */
 	int valid_flags;
 	} CERT_PKEY;
-/* Retrieve Suite B flags */
-#define tls1_suiteb(s)	(s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
-/* Uses to check strict mode: suite B modes are always strict */
+
 #define SSL_CERT_FLAGS_CHECK_TLS_STRICT \
-	(SSL_CERT_FLAG_SUITEB_128_LOS|SSL_CERT_FLAG_TLS_STRICT)
+	SSL_CERT_FLAG_TLS_STRICT
 
 typedef struct cert_st
 	{
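Review bot: SSL_CERT_FLAGS_CHECK_TLS_STRICT is now a bare alias for SSL_CERT_FLAG_TLS_STRICT, and the removed comment was the only explanation of why the alias exists, so the blank line that replaces it leaves the macro undocumented. Either restore a comment stating its purpose, e.g. `/* Cert flags whose presence makes chain checks run in strict mode. */`, or drop the macro and use SSL_CERT_FLAG_TLS_STRICT directly at its users (ssl/s3_clnt.c at the `cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT` test, and presumably tls1_check_chain). An uncommented alias of a single flag invites the next reader to wonder which flags are missing from it.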
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e79d4a5..f6518c4 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -411,12 +411,6 @@
 		25, /* secp521r1 (25) */
 	};
 
-static const uint16_t suiteb_curves[] =
-	{
-		TLSEXT_curve_P_256,
-		TLSEXT_curve_P_384,
-	};
-
 int tls1_ec_curve_id2nid(uint16_t curve_id)
 	{
 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
@@ -451,27 +445,9 @@
 		*out_curve_ids_len = s->session->tlsext_ellipticcurvelist_length;
 		return;
 		}
-	/* For Suite B mode only include P-256, P-384 */
-	switch (tls1_suiteb(s))
-		{
-	case SSL_CERT_FLAG_SUITEB_128_LOS:
-		*out_curve_ids = suiteb_curves;
-		*out_curve_ids_len = sizeof(suiteb_curves) / sizeof(suiteb_curves[0]);
-		break;
 
-	case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
-		*out_curve_ids = suiteb_curves;
-		*out_curve_ids_len = 1;
-		break;
-
-	case SSL_CERT_FLAG_SUITEB_192_LOS:
-		*out_curve_ids = suiteb_curves + 1;
-		*out_curve_ids_len = 1;
-		break;
-	default:
-		*out_curve_ids = s->tlsext_ellipticcurvelist;
-		*out_curve_ids_len = s->tlsext_ellipticcurvelist_length;
-		}
+	*out_curve_ids = s->tlsext_ellipticcurvelist;
+	*out_curve_ids_len = s->tlsext_ellipticcurvelist_length;
 	if (!*out_curve_ids)
 		{
 		*out_curve_ids = eccurves_default;
@@ -492,23 +468,6 @@
 		!CBS_get_u16(cbs, &curve_id))
 		return 0;
 
-	/* Check curve matches Suite B preferences */
-	if (tls1_suiteb(s))
-		{
-		unsigned long cid = s->s3->tmp.new_cipher->id;
-		if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
-			{
-			if (curve_id != TLSEXT_curve_P_256)
-				return 0;
-			}
-		else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
-			{
-			if (curve_id != TLSEXT_curve_P_384)
-				return 0;
-			}
-		else	/* Should never happen */
-			return 0;
-		}
 	tls1_get_curvelist(s, 0, &curves, &curves_len);
 	for (i = 0; i < curves_len; i++)
 		{
@@ -530,22 +489,7 @@
 	if (s->server == 0)
 		return NID_undef;
 
-	if (tls1_suiteb(s))
-		{
-		/* For Suite B ciphersuite determines curve: we
-		 * already know these are acceptable due to previous
-		 * checks.
-		 */
-		unsigned long cid = s->s3->tmp.new_cipher->id;
-		if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
-			return NID_X9_62_prime256v1; /* P-256 */
-		if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
-			return NID_secp384r1; /* P-384 */
-		/* Should never happen */
-		return NID_undef;
-		}
-
-	/* If not Suite B just return first preference shared curve */
+	/* Return first preference shared curve */
 	tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
 				&supp, &supplen);
 	tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
@@ -697,11 +641,7 @@
 	else
 		{
 		*pformats = ecformats_default;
-		/* For Suite B we don't support char2 fields */
-		if (tls1_suiteb(s))
-			*pformatslen = sizeof(ecformats_default) - 1;
-		else
-			*pformatslen = sizeof(ecformats_default);
+		*pformatslen = sizeof(ecformats_default);
 		}
 	}
 
@@ -730,38 +670,7 @@
 	/* Can't check curve_id for client certs as we don't have a
 	 * supported curves extension.
 	 */
-	rv = tls1_check_ec_key(s, s->server ? &curve_id : NULL, &comp_id);
-	if (!rv)
-		return 0;
-	/* Special case for suite B. We *MUST* sign using SHA256+P-256 or
-	 * SHA384+P-384, adjust digest if necessary.
-	 */
-	if (set_ee_md && tls1_suiteb(s))
-		{
-		int check_md;
-		size_t i;
-		CERT *c = s->cert;
-		/* Check to see we have necessary signing algorithm */
-		if (curve_id == TLSEXT_curve_P_256)
-			check_md = NID_ecdsa_with_SHA256;
-		else if (curve_id == TLSEXT_curve_P_384)
-			check_md = NID_ecdsa_with_SHA384;
-		else
-			return 0; /* Should never happen */
-		for (i = 0; i < c->shared_sigalgslen; i++)
-			if (check_md == c->shared_sigalgs[i].signandhash_nid)
-				break;
-		if (i == c->shared_sigalgslen)
-			return 0;
-		if (set_ee_md == 2)
-			{
-			if (check_md == NID_ecdsa_with_SHA256)
-				c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
-			else
-				c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
-			}
-		}
-	return rv;
+	return tls1_check_ec_key(s, s->server ? &curve_id : NULL, &comp_id);
 	}
 /* Check EC temporary key is compatible with client extensions */
 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
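Review bot: After this hunk `set_ee_md` is no longer read in the visible body of tls1_check_cert_param — its only uses were in the removed Suite B digest adjustment — and the same holds for the `cid` parameter of tls1_check_ec_tmp_key in the next hunk, whose only use was selecting the Suite B curve. Both signatures keep the parameters (tls1_check_cert_param's is declared above the hunk), so -Wunused-parameter builds will warn and callers keep passing values that mean nothing; drop the parameters and update the call sites, or mark each with a comment such as `/* set_ee_md: unused since Suite B removal; kept for callers */` until the callers are cleaned up. tls1_check_cert_param's declarations and earlier body are outside the hunk, so confirm no other read of `set_ee_md` remains there.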
@@ -773,38 +682,6 @@
 	if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
 		return 1;
 #endif
-	/* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
-	 * no other curves permitted.
-	 */
-	if (tls1_suiteb(s))
-		{
-		/* Curve to check determined by ciphersuite */
-		if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
-			curve_id = TLSEXT_curve_P_256;
-		else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
-			curve_id = TLSEXT_curve_P_384;
-		else
-			return 0;
-		/* Check this curve is acceptable */
-		if (!tls1_check_ec_key(s, &curve_id, NULL))
-			return 0;
-		/* If auto or setting curve from callback assume OK */
-		if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
-			return 1;
-		/* Otherwise check curve is acceptable */
-		else 
-			{
-			uint16_t curve_tmp;
-			if (!ec)
-				return 0;
-			if (!tls1_curve_params_from_ec_key(&curve_tmp, NULL, ec))
-				return 0;
-			if (curve_tmp == curve_id)
-				return 1;
-			return 0;
-			}
-			
-		}
 	if (s->cert->ecdh_tmp_auto)
 		{
 		/* Need a shared curve */
@@ -869,33 +746,8 @@
 	tlsext_sigalg(TLSEXT_hash_sha1)
 #endif
 };
-#ifndef OPENSSL_NO_ECDSA
-static unsigned char suiteb_sigalgs[] = {
-	tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
-	tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
-};
-#endif
 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
 	{
-	/* If Suite B mode use Suite B sigalgs only, ignore any other
-	 * preferences.
-	 */
-#ifndef OPENSSL_NO_EC
-	switch (tls1_suiteb(s))
-		{
-	case SSL_CERT_FLAG_SUITEB_128_LOS:
-		*psigs = suiteb_sigalgs;
-		return sizeof(suiteb_sigalgs);
-
-	case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
-		*psigs = suiteb_sigalgs;
-		return 2;
-
-	case SSL_CERT_FLAG_SUITEB_192_LOS:
-		*psigs = suiteb_sigalgs + 2;
-		return 2;
-		}
-#endif
 	/* If server use client authentication sigalgs if not NULL */
 	if (s->server && s->cert->client_sigalgs)
 		{
@@ -965,38 +817,6 @@
 			*out_alert = SSL_AD_ILLEGAL_PARAMETER;
 			return 0;
 			}
-		/* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
-		if (tls1_suiteb(s))
-			{
-			if (curve_id == TLSEXT_curve_P_256)
-				{
-				if (hash != TLSEXT_hash_sha256)
-					{
-					OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
-					*out_alert = SSL_AD_ILLEGAL_PARAMETER;
-					return 0;
-					}
-				}
-			else if (curve_id == TLSEXT_curve_P_384)
-				{
-				if (hash != TLSEXT_hash_sha384)
-					{
-					OPENSSL_PUT_ERROR(SSL, tls12_check_peer_sigalg, SSL_R_ILLEGAL_SUITEB_DIGEST);
-					*out_alert = SSL_AD_ILLEGAL_PARAMETER;
-					return 0;
-					}
-				}
-			else
-				{
-				*out_alert = SSL_AD_ILLEGAL_PARAMETER;
-				return 0;
-				}
-			}
-		}
-	else if (tls1_suiteb(s))
-		{
-		*out_alert = SSL_AD_ILLEGAL_PARAMETER;
-		return 0;
 		}
 #endif
 
@@ -3100,26 +2920,25 @@
 	size_t nmatch;
 	TLS_SIGALGS *salgs = NULL;
 	CERT *c = s->cert;
-	unsigned int is_suiteb = tls1_suiteb(s);
 	if (c->shared_sigalgs)
 		{
 		OPENSSL_free(c->shared_sigalgs);
 		c->shared_sigalgs = NULL;
 		}
 	/* If client use client signature algorithms if not NULL */
-	if (!s->server && c->client_sigalgs && !is_suiteb)
+	if (!s->server && c->client_sigalgs)
 		{
 		conf = c->client_sigalgs;
 		conflen = c->client_sigalgslen;
 		}
-	else if (c->conf_sigalgs && !is_suiteb)
+	else if (c->conf_sigalgs)
 		{
 		conf = c->conf_sigalgs;
 		conflen = c->conf_sigalgslen;
 		}
 	else
 		conflen = tls12_get_psigalgs(s, &conf);
-	if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb)
+	if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
 		{
 		pref = conf;
 		preflen = conflen;
@@ -3516,7 +3335,6 @@
 	int check_flags = 0, strict_mode;
 	CERT_PKEY *cpk = NULL;
 	CERT *c = s->cert;
-	unsigned int suiteb_flags = tls1_suiteb(s);
 	/* idx == -1 means checking server chains */
 	if (idx != -1)
 		{
@@ -3560,21 +3378,6 @@
 		strict_mode = 1;
 		}
 
-	if (suiteb_flags)
-		{
-		int ok;
-		if (check_flags)
-			check_flags |= CERT_PKEY_SUITEB;
-		ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
-		if (ok != X509_V_OK)
-			{
-			if (check_flags)
-				rv |= CERT_PKEY_SUITEB;
-			else
-				goto end;
-			}
-		}
-
 	/* Check all signature algorithms are consistent with
 	 * signature algorithms extension if TLS 1.2 or later
 	 * and strict mode.