Remove RC4 from TLS for real.
This withdraws support for -DBORINGSSL_ENABLE_RC4_TLS, and removes the
RC4 AEADs.
Change-Id: I1321b76bfe047d180743fa46d1b81c5d70c64e81
Reviewed-on: https://boringssl-review.googlesource.com/10940
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index c3a9432..a63b8c9 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -114,9 +114,7 @@
}
int dtls1_supports_cipher(const SSL_CIPHER *cipher) {
- /* DTLS does not support stream ciphers. The NULL cipher is rejected because
- * it's not needed. */
- return cipher->algorithm_enc != SSL_RC4 && cipher->algorithm_enc != SSL_eNULL;
+ return cipher->algorithm_enc != SSL_eNULL;
}
void DTLSv1_set_initial_timeout_duration(SSL *ssl, unsigned int duration_ms) {
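Review bot: The new body of dtls1_supports_cipher drops the whole comment, so the reason the NULL cipher is rejected is lost, and nothing records any longer that DTLS cannot carry stream ciphers. With the `SSL_RC4` test gone, a stream cipher added later would be accepted for DTLS by this predicate without anyone noticing. I would keep a comment above the return, for example `/* DTLS does not support stream ciphers; none remain in the cipher table. The NULL cipher is rejected because it's not needed. */`.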
diff --git a/ssl/internal.h b/ssl/internal.h
index f285682..482adaa 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -182,15 +182,14 @@
#define SSL_aCERT (SSL_aRSA | SSL_aECDSA)
/* Bits for |algorithm_enc| (symmetric encryption). */
-#define SSL_3DES 0x00000001L
-#define SSL_RC4 0x00000002L
-#define SSL_AES128 0x00000004L
-#define SSL_AES256 0x00000008L
-#define SSL_AES128GCM 0x00000010L
-#define SSL_AES256GCM 0x00000020L
-#define SSL_CHACHA20POLY1305_OLD 0x00000040L
-#define SSL_eNULL 0x00000080L
-#define SSL_CHACHA20POLY1305 0x00000100L
+#define SSL_3DES 0x00000001L
+#define SSL_AES128 0x00000002L
+#define SSL_AES256 0x00000004L
+#define SSL_AES128GCM 0x00000008L
+#define SSL_AES256GCM 0x00000010L
+#define SSL_CHACHA20POLY1305_OLD 0x00000020L
+#define SSL_eNULL 0x00000040L
+#define SSL_CHACHA20POLY1305 0x00000080L
#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
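Review bot: Renumbering every |algorithm_enc| bit, instead of just retiring 0x00000002L, means the value that used to be SSL_RC4 is now SSL_AES128. Any stale object or out-of-tree code still using the old numeric value would be read as a different cipher rather than failing. The masks look internal-only, since the header is ssl/internal.h, which would make this safe, but the definition does not say so. A comment above the list would record the assumption, for example `/* These values are internal and may be renumbered; never store them or compare them across builds. */`.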
diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c
index ea274ad..55070e9 100644
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -168,30 +168,6 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- /* Cipher 04 */
- {
- SSL3_TXT_RSA_RC4_128_MD5,
- SSL3_CK_RSA_RC4_128_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_MD5,
- SSL_HANDSHAKE_MAC_DEFAULT,
- },
-
- /* Cipher 05 */
- {
- SSL3_TXT_RSA_RC4_128_SHA,
- SSL3_CK_RSA_RC4_128_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
- },
-#endif
-
/* Cipher 0A */
{
SSL3_TXT_RSA_DES_192_CBC3_SHA,
@@ -299,19 +275,6 @@
/* PSK cipher suites. */
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- /* Cipher 8A */
- {
- TLS1_TXT_PSK_WITH_RC4_128_SHA,
- TLS1_CK_PSK_WITH_RC4_128_SHA,
- SSL_kPSK,
- SSL_aPSK,
- SSL_RC4,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
- },
-#endif
-
/* Cipher 8C */
{
TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
@@ -426,19 +389,6 @@
SSL_HANDSHAKE_MAC_SHA384,
},
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- /* Cipher C007 */
- {
- TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
- SSL_kECDHE,
- SSL_aECDSA,
- SSL_RC4,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
- },
-#endif
-
/* Cipher C009 */
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
@@ -461,19 +411,6 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- /* Cipher C011 */
- {
- TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
- TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
- SSL_kECDHE,
- SSL_aRSA,
- SSL_RC4,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
- },
-#endif
-
/* Cipher C013 */
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
@@ -768,7 +705,6 @@
/* symmetric encryption aliases */
{"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
- {"RC4", ~0u, ~0u, SSL_RC4, ~0u, 0},
{"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
{"AES256", ~SSL_kCECPQ1, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
{"AES", ~SSL_kCECPQ1, ~0u, SSL_AES, ~0u, 0},
@@ -790,9 +726,8 @@
{"TLSv1.2", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
/* Legacy strength classes. */
- {"MEDIUM", ~0u, ~0u, SSL_RC4, ~0u, 0},
- {"HIGH", ~SSL_kCECPQ1, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
- {"FIPS", ~SSL_kCECPQ1, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
+ {"HIGH", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
+ {"FIPS", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
};
static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
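Review bot: Rule strings already deployed by callers (`MEDIUM`, `-RC4`, `!RC4`) will now reach the rule parser's unknown-name handling, because `"MEDIUM"` is dropped here and `"RC4"` is dropped from the encryption aliases in the -768 hunk. That handling is outside this diff. Whether it ignores the token or rejects the whole list decides if existing configurations keep working, fail to load, or quietly select a different set than the operator intended. The commit description should state which of these applies, and a test in ssl_test.cc should pin it.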
@@ -853,31 +788,6 @@
*out_fixed_iv_len = 12;
break;
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- case SSL_RC4:
- switch (cipher->algorithm_mac) {
- case SSL_MD5:
- if (version == SSL3_VERSION) {
- *out_aead = EVP_aead_rc4_md5_ssl3();
- } else {
- *out_aead = EVP_aead_rc4_md5_tls();
- }
- *out_mac_secret_len = MD5_DIGEST_LENGTH;
- break;
- case SSL_SHA1:
- if (version == SSL3_VERSION) {
- *out_aead = EVP_aead_rc4_sha1_ssl3();
- } else {
- *out_aead = EVP_aead_rc4_sha1_tls();
- }
- *out_mac_secret_len = SHA_DIGEST_LENGTH;
- break;
- default:
- return 0;
- }
- break;
-#endif
-
case SSL_AES128:
switch (cipher->algorithm_mac) {
case SSL_SHA1:
@@ -1541,17 +1451,13 @@
}
/* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
- * 3DES_EDE_CBC_SHA, RC4_128_SHA, RC4_128_MD5. */
+ * 3DES_EDE_CBC_SHA. */
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
&head, &tail);
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
&head, &tail);
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
&tail);
- ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, 0, CIPHER_ADD, -1, 0,
- &head, &tail);
- ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, 0, CIPHER_ADD, -1, 0,
- &head, &tail);
/* Temporarily enable everything else for sorting */
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
@@ -1734,13 +1640,8 @@
return (cipher->algorithm_enc & SSL_eNULL) != 0;
}
-int SSL_CIPHER_is_RC4(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_enc & SSL_RC4) != 0;
-}
-
int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
- /* Neither stream cipher nor AEAD. */
- return (cipher->algorithm_enc & (SSL_RC4 | SSL_eNULL)) == 0 &&
+ return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
cipher->algorithm_mac != SSL_AEAD;
}
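Review bot: SSL_CIPHER_is_block_cipher loses its explanatory comment, and the remaining expression no longer says why eNULL and SSL_AEAD are the only two exclusions. A replacement such as `/* Neither the NULL cipher nor an AEAD; no stream ciphers remain. */` keeps the invariant visible, since a stream cipher added later would be classified as a block cipher here. This hunk also removes SSL_CIPHER_is_RC4, and the ssl/ssl_lib.c hunk removes SSL_get_rc4_state. Their declarations are not in the visible diff, so confirm that the public header and any external callers are updated in the same change.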
@@ -1845,8 +1746,6 @@
switch (cipher->algorithm_enc) {
case SSL_3DES:
return "3DES_EDE_CBC";
- case SSL_RC4:
- return "RC4";
case SSL_AES128:
return "AES_128_CBC";
case SSL_AES256:
@@ -1925,7 +1824,6 @@
switch (cipher->algorithm_enc) {
case SSL_AES128:
case SSL_AES128GCM:
- case SSL_RC4:
alg_bits = 128;
strength_bits = 128;
break;
@@ -2020,10 +1918,6 @@
enc = "3DES(168)";
break;
- case SSL_RC4:
- enc = "RC4(128)";
- break;
-
case SSL_AES128:
enc = "AES(128)";
break;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 0978d75..49cfe27 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2793,16 +2793,6 @@
ssl, reject ? ssl_renegotiate_never : ssl_renegotiate_freely);
}
-int SSL_get_rc4_state(const SSL *ssl, const RC4_KEY **read_key,
- const RC4_KEY **write_key) {
- if (ssl->s3->aead_read_ctx == NULL || ssl->s3->aead_write_ctx == NULL) {
- return 0;
- }
-
- return EVP_AEAD_CTX_get_rc4_state(&ssl->s3->aead_read_ctx->ctx, read_key) &&
- EVP_AEAD_CTX_get_rc4_state(&ssl->s3->aead_write_ctx->ctx, write_key);
-}
-
int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
const uint8_t **out_write_iv, size_t *out_iv_len) {
if (ssl->s3->aead_read_ctx == NULL || ssl->s3->aead_write_ctx == NULL) {
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 564f0c5..8d45ace 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -154,10 +154,10 @@
// only the selected ciphers.
{
// To simplify things, banish all but {ECDHE_RSA,RSA} x
- // {CHACHA20,AES_256_CBC,AES_128_CBC,RC4} x SHA1.
+ // {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
"!kEDH:!AESGCM:!3DES:!SHA256:!MD5:!SHA384:"
// Order some ciphers backwards by strength.
- "ALL:-CHACHA20:-AES256:-AES128:-RC4:-ALL:"
+ "ALL:-CHACHA20:-AES256:-AES128:-ALL:"
// Select ECDHE ones and sort them by strength. Ties should resolve
// based on the order above.
"kECDHE:@STRENGTH:-ALL:"
@@ -168,13 +168,7 @@
{TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0},
{TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 0},
{TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD, 0},
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- {TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 0},
-#endif
{TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0},
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- {SSL3_CK_RSA_RC4_128_SHA, 0},
-#endif
{TLS1_CK_RSA_WITH_AES_128_SHA, 0},
{TLS1_CK_RSA_WITH_AES_256_SHA, 0},
},
@@ -258,9 +252,6 @@
"DEFAULT",
"ALL:!eNULL",
"ALL:!NULL",
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- "MEDIUM",
-#endif
"HIGH",
"FIPS",
"SHA",
@@ -274,9 +265,6 @@
static const char *kMustNotIncludeCECPQ1[] = {
"ALL",
"DEFAULT",
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- "MEDIUM",
-#endif
"HIGH",
"FIPS",
"SHA",
@@ -742,9 +730,6 @@
static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = {
{ SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- { SSL3_CK_RSA_RC4_128_MD5, "TLS_RSA_WITH_RC4_MD5" },
-#endif
{ TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA" },
{ TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
{ TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
@@ -759,9 +744,6 @@
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
{ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
-#ifdef BORINGSSL_ENABLE_RC4_TLS
- { TLS1_CK_PSK_WITH_RC4_128_SHA, "TLS_PSK_WITH_RC4_SHA" },
-#endif
{ TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
{ TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
@@ -1655,7 +1637,7 @@
SSL_CTX_set_max_version(ctx.get(), version);
// Our default cipher list varies by CPU capabilities, so manually place the
// ChaCha20 ciphers in front.
- if (!SSL_CTX_set_cipher_list(ctx.get(), "!RC4:CHACHA20:ALL")) {
+ if (!SSL_CTX_set_cipher_list(ctx.get(), "CHACHA20:ALL")) {
return false;
}
bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
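Review bot: The test changes in this file only delete RC4 expectations or strip RC4 tokens from rule strings; nothing added asserts that RC4 is now unavailable. A negative case would guard against the suites or aliases being reintroduced, for instance checking that a cipher list built from `"RC4"` or `"MEDIUM"` alone ends up containing no cipher. How an empty or unknown selection is reported is decided in the rule parser, outside this diff, so the exact assertion needs confirming there. The enclosing test function begins and ends outside this hunk.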