Remove CECPQ1 (experimental post-quantum key agreement). Change-Id: Ie947ab176d10feb709c6e135d5241c6cf605b8e8 Reviewed-on: https://boringssl-review.googlesource.com/12700 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num index 3a7844c..074657a 100644 --- a/crypto/obj/obj_mac.num +++ b/crypto/obj/obj_mac.num
@@ -946,4 +946,3 @@ dh_std_kdf 946 dh_cofactor_kdf 947 X25519 948 -cecpq1 949
diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt index 75f2cbf..f3990d0 100644 --- a/crypto/obj/objects.txt +++ b/crypto/obj/objects.txt
@@ -1333,6 +1333,3 @@ # NID for X25519 (no corresponding OID). : X25519 - -# NID for CECPQ1 (no corresponding OID) - : cecpq1
diff --git a/fuzz/client.cc b/fuzz/client.cc index bd0d8fa..35b122e 100644 --- a/fuzz/client.cc +++ b/fuzz/client.cc
@@ -277,7 +277,7 @@ SSL_set_alpn_protos(client, kALPNProtocols, sizeof(kALPNProtocols)); // Enable ciphers that are off by default. - SSL_set_cipher_list(client, "ALL:kCECPQ1:NULL-SHA"); + SSL_set_cipher_list(client, "ALL:NULL-SHA"); BIO_write(in, buf, len); if (SSL_do_handshake(client) == 1) {
diff --git a/fuzz/server.cc b/fuzz/server.cc index 82affbc..7cee0c7 100644 --- a/fuzz/server.cc +++ b/fuzz/server.cc
@@ -272,7 +272,7 @@ SSL_set_tls_channel_id_enabled(server, 1); // Enable ciphers that are off by default. - SSL_set_cipher_list(server, "ALL:kCECPQ1:NULL-SHA"); + SSL_set_cipher_list(server, "ALL:NULL-SHA"); DH *dh = DH_get_1024_160(nullptr); SSL_set_tmp_dh(server, dh);
diff --git a/include/openssl/nid.h b/include/openssl/nid.h index 5ed44ee..d51a67c 100644 --- a/include/openssl/nid.h +++ b/include/openssl/nid.h
@@ -4159,8 +4159,5 @@ #define SN_X25519 "X25519" #define NID_X25519 948 -#define SN_cecpq1 "cecpq1" -#define NID_cecpq1 949 - #endif /* OPENSSL_HEADER_NID_H */
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 689fa82..85c1adc 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -1196,9 +1196,6 @@ /* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. */ OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher); -/* SSL_CIPHER_is_CECPQ1 returns one if |cipher| uses CECPQ1. */ -OPENSSL_EXPORT int SSL_CIPHER_is_CECPQ1(const SSL_CIPHER *cipher); - /* SSL_CIPHER_get_min_version returns the minimum protocol version required * for |cipher|. */ OPENSSL_EXPORT uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher); @@ -3540,7 +3537,6 @@ #define SSL_TXT_kDHE "kDHE" #define SSL_TXT_kEDH "kEDH" #define SSL_TXT_kECDHE "kECDHE" -#define SSL_TXT_kCECPQ1 "kCECPQ1" #define SSL_TXT_kEECDH "kEECDH" #define SSL_TXT_kPSK "kPSK" #define SSL_TXT_aRSA "aRSA"
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index dfaf78a..54c2800 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h
@@ -425,12 +425,6 @@ #define TLS1_CK_AES_256_GCM_SHA384 0x03001302 #define TLS1_CK_CHACHA20_POLY1305_SHA256 0x03001303 -/* CECPQ1 ciphersuites. These are specific to BoringSSL and not standard. */ -#define TLS1_CK_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 0x030016B7 -#define TLS1_CK_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0x030016B8 -#define TLS1_CK_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 0x030016B9 -#define TLS1_CK_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 0x030016BA - /* XXX * Inconsistency alert: * The OpenSSL names of ciphers with ephemeral DH here include the string @@ -616,16 +610,6 @@ #define TLS1_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384" #define TLS1_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256" -/* CECPQ1 ciphersuites. These are specific to BoringSSL and not standard. */ -#define TLS1_TXT_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 \ - "CECPQ1-RSA-CHACHA20-POLY1305-SHA256" -#define TLS1_TXT_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \ - "CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256" -#define TLS1_TXT_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 \ - "CECPQ1-RSA-AES256-GCM-SHA384" -#define TLS1_TXT_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 \ - "CECPQ1-ECDSA-AES256-GCM-SHA384" - #define TLS_CT_RSA_SIGN 1 #define TLS_CT_DSS_SIGN 2
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c index 816255b..2603fb2 100644 --- a/ssl/handshake_client.c +++ b/ssl/handshake_client.c
@@ -1274,18 +1274,6 @@ !CBS_stow(&point, &hs->peer_key, &hs->peer_key_len)) { goto err; } - } else if (alg_k & SSL_kCECPQ1) { - SSL_ECDH_CTX_init_for_cecpq1(&hs->ecdh_ctx); - CBS key; - if (!CBS_get_u16_length_prefixed(&server_key_exchange, &key)) { - al = SSL_AD_DECODE_ERROR; - OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); - goto f_err; - } - - if (!CBS_stow(&key, &hs->peer_key, &hs->peer_key_len)) { - goto err; - } } else if (!(alg_k & SSL_kPSK)) { al = SSL_AD_UNEXPECTED_MESSAGE; OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); @@ -1634,7 +1622,7 @@ !CBB_flush(&body)) { goto err; } - } else if (alg_k & (SSL_kECDHE|SSL_kDHE|SSL_kCECPQ1)) { + } else if (alg_k & (SSL_kECDHE|SSL_kDHE)) { /* Generate a keypair and serialize the public half. */ CBB child; if (!SSL_ECDH_CTX_add_key(&hs->ecdh_ctx, &body, &child)) {
diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c index 4686b01..7ba9946 100644 --- a/ssl/handshake_server.c +++ b/ssl/handshake_server.c
@@ -724,9 +724,6 @@ mask_k |= SSL_kECDHE; } - /* CECPQ1 ciphers are always acceptable if supported by both sides. */ - mask_k |= SSL_kCECPQ1; - /* PSK requires a server callback. */ if (ssl->psk_server_callback != NULL) { mask_k |= SSL_kPSK; @@ -1231,12 +1228,6 @@ !SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &child)) { goto err; } - } else if (alg_k & SSL_kCECPQ1) { - SSL_ECDH_CTX_init_for_cecpq1(&hs->ecdh_ctx); - if (!CBB_add_u16_length_prefixed(&cbb, &child) || - !SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &child)) { - goto err; - } } else { assert(alg_k & SSL_kPSK); } @@ -1726,7 +1717,7 @@ OPENSSL_free(decrypt_buf); decrypt_buf = NULL; - } else if (alg_k & (SSL_kECDHE|SSL_kDHE|SSL_kCECPQ1)) { + } else if (alg_k & (SSL_kECDHE|SSL_kDHE)) { /* Parse the ClientKeyExchange. */ CBS peer_key; if (!SSL_ECDH_CTX_get_key(&hs->ecdh_ctx, &client_key_exchange, &peer_key) ||
diff --git a/ssl/internal.h b/ssl/internal.h index 08ccd07..1802610 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -171,8 +171,7 @@ #define SSL_kECDHE 0x00000004L /* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */ #define SSL_kPSK 0x00000008L -#define SSL_kCECPQ1 0x00000010L -#define SSL_kGENERIC 0x00000020L +#define SSL_kGENERIC 0x00000010L /* Bits for |algorithm_auth| (server authentication). */ #define SSL_aRSA 0x00000001L @@ -617,9 +616,6 @@ * where the server specifies a group. It takes ownership of |params|. */ void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params); -/* SSL_ECDH_CTX_init_for_cecpq1 sets up |ctx| for use with CECPQ1. */ -void SSL_ECDH_CTX_init_for_cecpq1(SSL_ECDH_CTX *ctx); - /* SSL_ECDH_CTX_cleanup releases memory associated with |ctx|. It is legal to * call it in the zero state. */ void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx);
diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c index 99aba72..5223721 100644 --- a/ssl/ssl_cipher.c +++ b/ssl/ssl_cipher.c
@@ -378,52 +378,6 @@ SSL_HANDSHAKE_MAC_SHA256, }, - /* CECPQ1 (combined elliptic curve + post-quantum) suites. */ - - /* Cipher 16B7 */ - { - TLS1_TXT_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256, - TLS1_CK_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256, - SSL_kCECPQ1, - SSL_aRSA, - SSL_CHACHA20POLY1305, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA256, - }, - - /* Cipher 16B8 */ - { - TLS1_TXT_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256, - TLS1_CK_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256, - SSL_kCECPQ1, - SSL_aECDSA, - SSL_CHACHA20POLY1305, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA256, - }, - - /* Cipher 16B9 */ - { - TLS1_TXT_CECPQ1_RSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_CECPQ1_RSA_WITH_AES_256_GCM_SHA384, - SSL_kCECPQ1, - SSL_aRSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA384, - }, - - /* Cipher 16BA */ - { - TLS1_TXT_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384, - TLS1_CK_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384, - SSL_kCECPQ1, - SSL_aECDSA, - SSL_AES256GCM, - SSL_AEAD, - SSL_HANDSHAKE_MAC_SHA384, - }, - /* Cipher C009 */ { TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, @@ -679,9 +633,8 @@ } CIPHER_ALIAS; static const CIPHER_ALIAS kCipherAliases[] = { - /* "ALL" doesn't include eNULL nor kCECPQ1. These must be explicitly - * enabled. */ - {"ALL", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0}, + /* "ALL" doesn't include eNULL. It must be explicitly enabled. */ + {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */ @@ -696,16 +649,15 @@ {"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0}, {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, - {"kCECPQ1", SSL_kCECPQ1, ~0u, ~0u, ~0u, 0}, {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0}, /* server authentication aliases */ - {"aRSA", ~SSL_kCECPQ1, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, - {"aECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0}, - {"ECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0}, + {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, + {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, + {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0}, /* aliases combining key exchange and server authentication */ @@ -719,28 +671,28 @@ /* symmetric encryption aliases */ {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0}, {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0}, - {"AES256", ~SSL_kCECPQ1, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0}, - {"AES", ~SSL_kCECPQ1, ~0u, SSL_AES, ~0u, 0}, - {"AESGCM", ~SSL_kCECPQ1, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0}, - {"CHACHA20", ~SSL_kCECPQ1, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u, + {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0}, + {"AES", ~0u, ~0u, SSL_AES, ~0u, 0}, + {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0}, + {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u, 0}, /* MAC aliases */ {"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0}, {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, - {"SHA256", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA256, 0}, - {"SHA384", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA384, 0}, + {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0}, + {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0}, /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the * same as "SSLv3". */ - {"SSLv3", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, - {"TLSv1", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, - {"TLSv1.2", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION}, + {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, + {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, + {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION}, /* Legacy strength classes. */ - {"HIGH", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0}, - {"FIPS", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0}, + {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, + {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, }; static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases); @@ -1574,10 +1526,6 @@ return (cipher->algorithm_mkey & SSL_kECDHE) != 0; } -int SSL_CIPHER_is_CECPQ1(const SSL_CIPHER *cipher) { - return (cipher->algorithm_mkey & SSL_kCECPQ1) != 0; -} - uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) { if (cipher->algorithm_mkey == SSL_kGENERIC || cipher->algorithm_auth == SSL_aGENERIC) { @@ -1640,17 +1588,6 @@ return "UNKNOWN"; } - case SSL_kCECPQ1: - switch (cipher->algorithm_auth) { - case SSL_aECDSA: - return "CECPQ1_ECDSA"; - case SSL_aRSA: - return "CECPQ1_RSA"; - default: - assert(0); - return "UNKNOWN"; - } - case SSL_kPSK: assert(cipher->algorithm_auth == SSL_aPSK); return "PSK"; @@ -1814,10 +1751,6 @@ kx = "ECDH"; break; - case SSL_kCECPQ1: - kx = "CECPQ1"; - break; - case SSL_kPSK: kx = "PSK"; break; @@ -1962,8 +1895,7 @@ int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) { /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */ if (cipher->algorithm_mkey & SSL_kDHE || - cipher->algorithm_mkey & SSL_kECDHE || - cipher->algorithm_mkey & SSL_kCECPQ1) { + cipher->algorithm_mkey & SSL_kECDHE) { return 1; }
diff --git a/ssl/ssl_ecdh.c b/ssl/ssl_ecdh.c index bcb3af4..772a8e8 100644 --- a/ssl/ssl_ecdh.c +++ b/ssl/ssl_ecdh.c
@@ -220,153 +220,6 @@ } -/* Combined X25119 + New Hope (post-quantum) implementation. */ - -typedef struct { - uint8_t x25519_key[32]; - NEWHOPE_POLY *newhope_sk; -} cecpq1_data; - -#define CECPQ1_OFFERMSG_LENGTH (32 + NEWHOPE_OFFERMSG_LENGTH) -#define CECPQ1_ACCEPTMSG_LENGTH (32 + NEWHOPE_ACCEPTMSG_LENGTH) -#define CECPQ1_SECRET_LENGTH (32 + SHA256_DIGEST_LENGTH) - -static void ssl_cecpq1_cleanup(SSL_ECDH_CTX *ctx) { - if (ctx->data == NULL) { - return; - } - cecpq1_data *data = ctx->data; - NEWHOPE_POLY_free(data->newhope_sk); - OPENSSL_cleanse(data, sizeof(cecpq1_data)); - OPENSSL_free(data); -} - -static int ssl_cecpq1_offer(SSL_ECDH_CTX *ctx, CBB *out) { - assert(ctx->data == NULL); - cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data)); - if (data == NULL) { - OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); - return 0; - } - ctx->data = data; - data->newhope_sk = NEWHOPE_POLY_new(); - if (data->newhope_sk == NULL) { - OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); - return 0; - } - - uint8_t x25519_public_key[32]; - X25519_keypair(x25519_public_key, data->x25519_key); - - uint8_t newhope_offermsg[NEWHOPE_OFFERMSG_LENGTH]; - NEWHOPE_offer(newhope_offermsg, data->newhope_sk); - - if (!CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key)) || - !CBB_add_bytes(out, newhope_offermsg, sizeof(newhope_offermsg))) { - return 0; - } - return 1; -} - -static int ssl_cecpq1_accept(SSL_ECDH_CTX *ctx, CBB *cbb, uint8_t **out_secret, - size_t *out_secret_len, uint8_t *out_alert, - const uint8_t *peer_key, size_t peer_key_len) { - if (peer_key_len != CECPQ1_OFFERMSG_LENGTH) { - *out_alert = SSL_AD_DECODE_ERROR; - return 0; - } - - *out_alert = SSL_AD_INTERNAL_ERROR; - - assert(ctx->data == NULL); - cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data)); - if (data == NULL) { - OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); - return 0; - } - data->newhope_sk = NULL; - ctx->data = data; - - uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH); - if (secret == NULL) { - OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); - return 0; - } - - /* Generate message to server, and secret key, at once. */ - - uint8_t x25519_public_key[32]; - X25519_keypair(x25519_public_key, data->x25519_key); - if (!X25519(secret, data->x25519_key, peer_key)) { - *out_alert = SSL_AD_DECODE_ERROR; - OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT); - goto err; - } - - uint8_t newhope_acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH]; - if (!NEWHOPE_accept(secret + 32, newhope_acceptmsg, peer_key + 32, - NEWHOPE_OFFERMSG_LENGTH)) { - *out_alert = SSL_AD_DECODE_ERROR; - goto err; - } - - if (!CBB_add_bytes(cbb, x25519_public_key, sizeof(x25519_public_key)) || - !CBB_add_bytes(cbb, newhope_acceptmsg, sizeof(newhope_acceptmsg))) { - goto err; - } - - *out_secret = secret; - *out_secret_len = CECPQ1_SECRET_LENGTH; - return 1; - - err: - OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH); - OPENSSL_free(secret); - return 0; -} - -static int ssl_cecpq1_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret, - size_t *out_secret_len, uint8_t *out_alert, - const uint8_t *peer_key, size_t peer_key_len) { - if (peer_key_len != CECPQ1_ACCEPTMSG_LENGTH) { - *out_alert = SSL_AD_DECODE_ERROR; - return 0; - } - - *out_alert = SSL_AD_INTERNAL_ERROR; - - assert(ctx->data != NULL); - cecpq1_data *data = ctx->data; - - uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH); - if (secret == NULL) { - OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); - return 0; - } - - if (!X25519(secret, data->x25519_key, peer_key)) { - *out_alert = SSL_AD_DECODE_ERROR; - OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT); - goto err; - } - - if (!NEWHOPE_finish(secret + 32, data->newhope_sk, peer_key + 32, - NEWHOPE_ACCEPTMSG_LENGTH)) { - *out_alert = SSL_AD_DECODE_ERROR; - goto err; - } - - *out_secret = secret; - *out_secret_len = CECPQ1_SECRET_LENGTH; - return 1; - - err: - OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH); - OPENSSL_free(secret); - return 0; -} - - /* Legacy DHE-based implementation. */ static void ssl_dhe_cleanup(SSL_ECDH_CTX *ctx) { @@ -446,16 +299,6 @@ CBB_add_u16_length_prefixed, }; -static const SSL_ECDH_METHOD kCECPQ1Method = { - NID_undef, 0, "", - ssl_cecpq1_cleanup, - ssl_cecpq1_offer, - ssl_cecpq1_accept, - ssl_cecpq1_finish, - CBS_get_u16_length_prefixed, - CBB_add_u16_length_prefixed, -}; - static const SSL_ECDH_METHOD kMethods[] = { { NID_X9_62_prime256v1, @@ -576,12 +419,6 @@ ctx->data = params; } -void SSL_ECDH_CTX_init_for_cecpq1(SSL_ECDH_CTX *ctx) { - SSL_ECDH_CTX_cleanup(ctx); - - ctx->method = &kCECPQ1Method; -} - void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx) { if (ctx->method == NULL) { return;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ad4d1b2..f3610a5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c
@@ -2658,8 +2658,7 @@ (ssl->s3->alpn_selected != NULL || ssl->s3->next_proto_negotiated != NULL) && cipher != NULL && - (cipher->algorithm_mkey == SSL_kECDHE || - cipher->algorithm_mkey == SSL_kCECPQ1) && + cipher->algorithm_mkey == SSL_kECDHE && cipher->algorithm_mac == SSL_AEAD; }
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index ad4d1f4..af02e44 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc
@@ -274,30 +274,6 @@ "TLSv1.2", }; -static const char *kMustNotIncludeCECPQ1[] = { - "ALL", - "DEFAULT", - "HIGH", - "FIPS", - "SHA", - "SHA1", - "SHA256", - "SHA384", - "RSA", - "SSLv3", - "TLSv1", - "TLSv1.2", - "aRSA", - "RSA", - "aECDSA", - "ECDSA", - "AES", - "AES128", - "AES256", - "AESGCM", - "CHACHA20", -}; - static const CurveTest kCurveTests[] = { { "P-256", @@ -395,24 +371,6 @@ return true; } -static bool TestRuleDoesNotIncludeCECPQ1(const char *rule) { - bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); - if (!ctx) { - return false; - } - if (!SSL_CTX_set_cipher_list(ctx.get(), rule)) { - fprintf(stderr, "Error: cipher rule '%s' failed\n", rule); - return false; - } - for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) { - if (SSL_CIPHER_is_CECPQ1(sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i))) { - fprintf(stderr, "Error: cipher rule '%s' includes CECPQ1\n",rule); - return false; - } - } - return true; -} - static bool TestCipherRules() { for (const CipherTest &test : kCipherTests) { if (!TestCipherRule(test)) { @@ -438,12 +396,6 @@ } } - for (const char *rule : kMustNotIncludeCECPQ1) { - if (!TestRuleDoesNotIncludeCECPQ1(rule)) { - return false; - } - } - return true; }
diff --git a/ssl/test/runner/cipher_suites.go b/ssl/test/runner/cipher_suites.go index a997016..fe283eb 100644 --- a/ssl/test/runner/cipher_suites.go +++ b/ssl/test/runner/cipher_suites.go
@@ -48,9 +48,6 @@ // client indicates that it supports ECC with a curve and point format // that we're happy with. suiteECDHE = 1 << iota - // suiteCECPQ1 indicates that the cipher suite uses the - // experimental, temporary, and non-standard CECPQ1 key agreement. - suiteCECPQ1 // suiteECDSA indicates that the cipher suite involves an ECDSA // signature and therefore may only be selected when the server's // certificate is ECDSA. If this is not set then the cipher suite is @@ -125,10 +122,6 @@ {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil}, {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, - {TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, cecpq1RSAKA, suiteCECPQ1 | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, - {TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, cecpq1ECDSAKA, suiteCECPQ1 | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, - {TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, cecpq1RSAKA, suiteCECPQ1 | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, - {TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, cecpq1ECDSAKA, suiteCECPQ1 | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, dheRSAKA, suiteTLS12, nil, nil, aeadAESGCM}, {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, dheRSAKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil}, @@ -425,15 +418,6 @@ } } -func cecpq1ECDSAKA(version uint16) keyAgreement { - return &cecpq1KeyAgreement{ - auth: &signedKeyAgreement{ - keyType: keyTypeECDSA, - version: version, - }, - } -} - func ecdheRSAKA(version uint16) keyAgreement { return &ecdheKeyAgreement{ auth: &signedKeyAgreement{ @@ -443,15 +427,6 @@ } } -func cecpq1RSAKA(version uint16) keyAgreement { - return &cecpq1KeyAgreement{ - auth: &signedKeyAgreement{ - keyType: keyTypeRSA, - version: version, - }, - } -} - func dheRSAKA(version uint16) keyAgreement { return &dheKeyAgreement{ auth: &signedKeyAgreement{ @@ -549,8 +524,4 @@ TLS_AES_128_GCM_SHA256 uint16 = 0x1301 TLS_AES_256_GCM_SHA384 uint16 = 0x1302 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 - TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0x16b7 - TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0x16b8 - TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x16b9 - TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0x16ba )
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go index 9fbf5dc..f5fedb0 100644 --- a/ssl/test/runner/common.go +++ b/ssl/test/runner/common.go
@@ -1025,14 +1025,6 @@ // reject extensions on intermediate certificates. ExpectNoExtensionsOnIntermediate bool - // CECPQ1BadX25519Part corrupts the X25519 part of a CECPQ1 key exchange, as - // a trivial proof that it is actually used. - CECPQ1BadX25519Part bool - - // CECPQ1BadNewhopePart corrupts the Newhope part of a CECPQ1 key exchange, - // as a trivial proof that it is actually used. - CECPQ1BadNewhopePart bool - // RecordPadding is the number of bytes of padding to add to each // encrypted record in TLS 1.3. RecordPadding int
diff --git a/ssl/test/runner/fuzzer_mode.json b/ssl/test/runner/fuzzer_mode.json index 24f3bd6..cb2befa 100644 --- a/ssl/test/runner/fuzzer_mode.json +++ b/ssl/test/runner/fuzzer_mode.json
@@ -11,8 +11,6 @@ "*-BadRecord": "Fuzzer mode has no bad packets.", "BadRSAClientKeyExchange*": "Fuzzer mode does not notice a bad premaster secret.", - "CECPQ1-*-BadNewhopePart": "Fuzzer mode does not notice a bad premaster secret.", - "CECPQ1-*-BadX25519Part": "Fuzzer mode does not notice a bad premaster secret.", "TrailingMessageData-TLS13-ServerHello": "Fuzzer mode will not read the peer's alert as a MAC error", "UnexpectedUnencryptedExtension-Client-TLS13": "Fuzzer mode will not read the peer's alert as a MAC error",
diff --git a/ssl/test/runner/key_agreement.go b/ssl/test/runner/key_agreement.go index 271a9d1..8aa9118 100644 --- a/ssl/test/runner/key_agreement.go +++ b/ssl/test/runner/key_agreement.go
@@ -17,7 +17,6 @@ "math/big" "./curve25519" - "./newhope" ) type keyType int @@ -282,66 +281,6 @@ return out[:], nil } -// cecpq1Curve is combined elliptic curve (X25519) and post-quantum (new hope) key -// agreement. -type cecpq1Curve struct { - x25519 *x25519ECDHCurve - newhope *newhope.Poly -} - -func (e *cecpq1Curve) offer(rand io.Reader) (publicKey []byte, err error) { - var x25519OfferMsg, newhopeOfferMsg []byte - - e.x25519 = new(x25519ECDHCurve) - if x25519OfferMsg, err = e.x25519.offer(rand); err != nil { - return nil, err - } - - newhopeOfferMsg, e.newhope = newhope.Offer(rand) - - return append(x25519OfferMsg, newhopeOfferMsg[:]...), nil -} - -func (e *cecpq1Curve) accept(rand io.Reader, peerKey []byte) (publicKey []byte, preMasterSecret []byte, err error) { - if len(peerKey) != 32+newhope.OfferMsgLen { - return nil, nil, errors.New("cecpq1: invalid offer message") - } - - var x25519AcceptMsg, newhopeAcceptMsg []byte - var x25519Secret []byte - var newhopeSecret newhope.Key - - x25519 := new(x25519ECDHCurve) - if x25519AcceptMsg, x25519Secret, err = x25519.accept(rand, peerKey[:32]); err != nil { - return nil, nil, err - } - - if newhopeSecret, newhopeAcceptMsg, err = newhope.Accept(rand, peerKey[32:]); err != nil { - return nil, nil, err - } - - return append(x25519AcceptMsg, newhopeAcceptMsg[:]...), append(x25519Secret, newhopeSecret[:]...), nil -} - -func (e *cecpq1Curve) finish(peerKey []byte) (preMasterSecret []byte, err error) { - if len(peerKey) != 32+newhope.AcceptMsgLen { - return nil, errors.New("cecpq1: invalid accept message") - } - - var x25519Secret []byte - var newhopeSecret newhope.Key - - if x25519Secret, err = e.x25519.finish(peerKey[:32]); err != nil { - return nil, err - } - - if newhopeSecret, err = e.newhope.Finish(peerKey[32:]); err != nil { - return nil, err - } - - return append(x25519Secret, newhopeSecret[:]...), nil -} - func curveForCurveID(id CurveID) (ecdhCurve, bool) { switch id { case CurveP224: @@ -603,104 +542,6 @@ return 0 } -// cecpq1RSAKeyAgreement is like an ecdheKeyAgreement, but using the cecpq1Curve -// pseudo-curve, and without any parameters (e.g. curve name) other than the -// keys being exchanged. The signature may either be ECDSA or RSA. -type cecpq1KeyAgreement struct { - auth keyAgreementAuthentication - curve ecdhCurve - peerKey []byte -} - -func (ka *cecpq1KeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) { - ka.curve = &cecpq1Curve{} - publicKey, err := ka.curve.offer(config.rand()) - if err != nil { - return nil, err - } - - if config.Bugs.CECPQ1BadX25519Part { - publicKey[0] ^= 1 - } - if config.Bugs.CECPQ1BadNewhopePart { - publicKey[32] ^= 1 - publicKey[33] ^= 1 - publicKey[34] ^= 1 - publicKey[35] ^= 1 - } - - var params []byte - params = append(params, byte(len(publicKey)>>8)) - params = append(params, byte(len(publicKey)&0xff)) - params = append(params, publicKey[:]...) - - return ka.auth.signParameters(config, cert, clientHello, hello, params) -} - -func (ka *cecpq1KeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { - if len(ckx.ciphertext) < 2 { - return nil, errClientKeyExchange - } - peerKeyLen := int(ckx.ciphertext[0])<<8 + int(ckx.ciphertext[1]) - peerKey := ckx.ciphertext[2:] - if peerKeyLen != len(peerKey) { - return nil, errClientKeyExchange - } - return ka.curve.finish(peerKey) -} - -func (ka *cecpq1KeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error { - if len(skx.key) < 2 { - return errServerKeyExchange - } - peerKeyLen := int(skx.key[0])<<8 + int(skx.key[1]) - // Save the peer key for later. - if len(skx.key) < 2+peerKeyLen { - return errServerKeyExchange - } - ka.peerKey = skx.key[2 : 2+peerKeyLen] - if peerKeyLen != len(ka.peerKey) { - return errServerKeyExchange - } - - // Check the signature. - params := skx.key[:2+peerKeyLen] - sig := skx.key[2+peerKeyLen:] - return ka.auth.verifyParameters(config, clientHello, serverHello, cert, params, sig) -} - -func (ka *cecpq1KeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) { - curve := &cecpq1Curve{} - publicKey, preMasterSecret, err := curve.accept(config.rand(), ka.peerKey) - if err != nil { - return nil, nil, err - } - - if config.Bugs.CECPQ1BadX25519Part { - publicKey[0] ^= 1 - } - if config.Bugs.CECPQ1BadNewhopePart { - publicKey[32] ^= 1 - publicKey[33] ^= 1 - publicKey[34] ^= 1 - publicKey[35] ^= 1 - } - - ckx := new(clientKeyExchangeMsg) - ckx.ciphertext = append(ckx.ciphertext, byte(len(publicKey)>>8)) - ckx.ciphertext = append(ckx.ciphertext, byte(len(publicKey)&0xff)) - ckx.ciphertext = append(ckx.ciphertext, publicKey[:]...) - - return preMasterSecret, ckx, nil -} - -func (ka *cecpq1KeyAgreement) peerSignatureAlgorithm() signatureAlgorithm { - if auth, ok := ka.auth.(*signedKeyAgreement); ok { - return auth.peerSignatureAlgorithm - } - return 0 -} - // dheRSAKeyAgreement implements a TLS key agreement where the server generates // an ephemeral Diffie-Hellman public/private key pair and signs it. The // pre-master secret is then calculated using Diffie-Hellman.
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go index 15895d6..6fb94de 100644 --- a/ssl/test/runner/runner.go +++ b/ssl/test/runner/runner.go
@@ -1100,10 +1100,6 @@ {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384}, {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, {"ECDHE-RSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD}, - {"CECPQ1-RSA-CHACHA20-POLY1305-SHA256", TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256}, - {"CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256", TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256}, - {"CECPQ1-RSA-AES256-GCM-SHA384", TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384}, - {"CECPQ1-ECDSA-AES256-GCM-SHA384", TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384}, {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA}, {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA}, {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA}, @@ -2465,10 +2461,6 @@ // NULL ciphers must be explicitly enabled. flags = append(flags, "-cipher", "DEFAULT:NULL-SHA") } - if hasComponent(suite.name, "CECPQ1") { - // CECPQ1 ciphers must be explicitly enabled. - flags = append(flags, "-cipher", "DEFAULT:kCECPQ1") - } if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") { // ECDHE_PSK AES_GCM ciphers must be explicitly enabled // for now. @@ -4020,25 +4012,6 @@ shimWritesFirst: true, }) - tests = append(tests, testCase{ - name: "FalseStart-CECPQ1", - config: Config{ - MaxVersion: VersionTLS12, - CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384}, - NextProtos: []string{"foo"}, - Bugs: ProtocolBugs{ - ExpectFalseStart: true, - }, - }, - flags: []string{ - "-false-start", - "-cipher", "DEFAULT:kCECPQ1", - "-select-next-proto", "foo", - }, - shimWritesFirst: true, - resumeSession: true, - }) - // Server parses a V2ClientHello. tests = append(tests, testCase{ testType: serverTest, @@ -8133,69 +8106,6 @@ }) } -func addCECPQ1Tests() { - testCases = append(testCases, testCase{ - testType: clientTest, - name: "CECPQ1-Client-BadX25519Part", - config: Config{ - MaxVersion: VersionTLS12, - MinVersion: VersionTLS12, - CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384}, - Bugs: ProtocolBugs{ - CECPQ1BadX25519Part: true, - }, - }, - flags: []string{"-cipher", "kCECPQ1"}, - shouldFail: true, - expectedLocalError: "local error: bad record MAC", - }) - testCases = append(testCases, testCase{ - testType: clientTest, - name: "CECPQ1-Client-BadNewhopePart", - config: Config{ - MaxVersion: VersionTLS12, - MinVersion: VersionTLS12, - CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384}, - Bugs: ProtocolBugs{ - CECPQ1BadNewhopePart: true, - }, - }, - flags: []string{"-cipher", "kCECPQ1"}, - shouldFail: true, - expectedLocalError: "local error: bad record MAC", - }) - testCases = append(testCases, testCase{ - testType: serverTest, - name: "CECPQ1-Server-BadX25519Part", - config: Config{ - MaxVersion: VersionTLS12, - MinVersion: VersionTLS12, - CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384}, - Bugs: ProtocolBugs{ - CECPQ1BadX25519Part: true, - }, - }, - flags: []string{"-cipher", "kCECPQ1"}, - shouldFail: true, - expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", - }) - testCases = append(testCases, testCase{ - testType: serverTest, - name: "CECPQ1-Server-BadNewhopePart", - config: Config{ - MaxVersion: VersionTLS12, - MinVersion: VersionTLS12, - CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384}, - Bugs: ProtocolBugs{ - CECPQ1BadNewhopePart: true, - }, - }, - flags: []string{"-cipher", "kCECPQ1"}, - shouldFail: true, - expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:", - }) -} - func addDHEGroupSizeTests() { testCases = append(testCases, testCase{ name: "DHEGroupSize-Client", @@ -9952,7 +9862,6 @@ addCustomExtensionTests() addRSAClientKeyExchangeTests() addCurveTests() - addCECPQ1Tests() addDHEGroupSizeTests() addSessionTicketTests() addTLS13RecordTests()