Remove SSL_CTX_set_ed25519_enabled.
We never ended up using this, and callers can still configure
SSL_CTX_set_verify_algorithm_prefs to enable Ed25519 on the receiving
side. (On the sending side, this API was never needed because it's a
function of what certificate you configure.) This was just a way to
tweak the default without requiring callers to restate the order.
Change-Id: I38d7f91d85430f37fc7e278d77466e78a0cbfa0d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/39848
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index b0b16c5..6713d52 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2518,12 +2518,6 @@
// reference to |store| will be taken.
OPENSSL_EXPORT int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store);
-// SSL_CTX_set_ed25519_enabled configures whether |ctx| advertises support for
-// the Ed25519 signature algorithm when using the default preference list. It is
-// disabled by default and may be enabled if the certificate verifier supports
-// Ed25519.
-OPENSSL_EXPORT void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled);
-
// SSL_CTX_set_verify_algorithm_prefs configures |ctx| to use |prefs| as the
// preference list when verifying signatures from the peer's long-term key. It
// returns one on zero on error. |prefs| should not include the internal-only
diff --git a/ssl/internal.h b/ssl/internal.h
index 836153f..932dd0c 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -3309,9 +3309,6 @@
// protocols from the peer.
bool allow_unknown_alpn_protos : 1;
- // ed25519_enabled is whether Ed25519 is advertised in the handshake.
- bool ed25519_enabled : 1;
-
// false_start_allowed_without_alpn is whether False Start (if
// |SSL_MODE_ENABLE_FALSE_START| is enabled) is allowed without ALPN.
bool false_start_allowed_without_alpn : 1;
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 4764000..3cebfe0 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -564,7 +564,6 @@
channel_id_enabled(false),
grease_enabled(false),
allow_unknown_alpn_protos(false),
- ed25519_enabled(false),
false_start_allowed_without_alpn(false),
ignore_tls13_downgrade(false),
handoff(false),
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 2b8e941..5fdfec2 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -413,7 +413,6 @@
// algorithms for verifying.
static const uint16_t kVerifySignatureAlgorithms[] = {
// List our preferred algorithms first.
- SSL_SIGN_ED25519,
SSL_SIGN_ECDSA_SECP256R1_SHA256,
SSL_SIGN_RSA_PSS_RSAE_SHA256,
SSL_SIGN_RSA_PKCS1_SHA256,
@@ -455,41 +454,15 @@
SSL_SIGN_RSA_PKCS1_SHA1,
};
-struct SSLSignatureAlgorithmList {
- bool Next(uint16_t *out) {
- while (!list.empty()) {
- uint16_t sigalg = list[0];
- list = list.subspan(1);
- if (skip_ed25519 && sigalg == SSL_SIGN_ED25519) {
- continue;
- }
- *out = sigalg;
- return true;
- }
- return false;
+static Span<const uint16_t> tls12_get_verify_sigalgs(const SSL_HANDSHAKE *hs) {
+ if (hs->config->verify_sigalgs.empty()) {
+ return Span<const uint16_t>(kVerifySignatureAlgorithms);
}
-
- Span<const uint16_t> list;
- bool skip_ed25519 = false;
-};
-
-static SSLSignatureAlgorithmList tls12_get_verify_sigalgs(
- const SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- SSLSignatureAlgorithmList ret;
- if (!hs->config->verify_sigalgs.empty()) {
- ret.list = hs->config->verify_sigalgs;
- } else {
- ret.list = kVerifySignatureAlgorithms;
- ret.skip_ed25519 = !ssl->ctx->ed25519_enabled;
- }
- return ret;
+ return hs->config->verify_sigalgs;
}
bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {
- SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(hs);
- uint16_t sigalg;
- while (list.Next(&sigalg)) {
+ for (uint16_t sigalg : tls12_get_verify_sigalgs(hs)) {
if (!CBB_add_u16(out, sigalg)) {
return false;
}
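Review bot: The new `tls12_get_verify_sigalgs` has no comment, and two properties are worth stating at its definition: it returns a non-owning view (either the static `kVerifySignatureAlgorithms` or `hs->config->verify_sigalgs`), and a configured list replaces the defaults entirely rather than extending them. The previous hunk drops `SSL_SIGN_ED25519` from the default array, and this same list is what `tls12_check_peer_sigalg` matches against, so an Ed25519 signature from the peer is rejected unless the caller lists it explicitly. I would add above the function: `// tls12_get_verify_sigalgs returns the signature algorithms accepted from the peer: the configured list if non-empty, otherwise the defaults, which exclude Ed25519.` The body of `tls12_add_verify_sigalgs` continues outside the hunk.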
@@ -499,9 +472,7 @@
bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,
uint16_t sigalg) {
- SSLSignatureAlgorithmList list = tls12_get_verify_sigalgs(hs);
- uint16_t verify_sigalg;
- while (list.Next(&verify_sigalg)) {
+ for (uint16_t verify_sigalg : tls12_get_verify_sigalgs(hs)) {
if (verify_sigalg == sigalg) {
return true;
}
@@ -3871,7 +3842,3 @@
*out_len = CBS_len(&cbs);
return 1;
}
-
-void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled) {
- ctx->ed25519_enabled = !!enabled;
-}
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 4ea2f95..86aa61e 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4880,7 +4880,7 @@
flags: []string{
"-cert-file", path.Join(*resourceDir, ed25519CertificateFile),
"-key-file", path.Join(*resourceDir, ed25519KeyFile),
- "-enable-ed25519",
+ "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
},
})
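Review bot: Passing `-verify-prefs` with a single value makes the shim's verify list exactly Ed25519, because `tls12_get_verify_sigalgs` returns the configured list in place of the defaults, whereas `-enable-ed25519` only stopped Ed25519 from being skipped in the default list. The same substitution is made in the hunks at 9720 and 9749. As far as this diff shows, no remaining case exercises Ed25519 alongside the other default algorithms. A short comment next to the flag would record the intent, e.g. `// Ed25519 is not in the default verify list; opt in explicitly.`, and if the flag can be repeated, a second `-verify-prefs` entry in one of these tests would restore mixed-list coverage. The test case literal starts and ends outside the hunk.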
@@ -9720,7 +9720,7 @@
UseLegacySigningAlgorithm: signatureEd25519,
},
},
- flags: []string{"-enable-ed25519"},
+ flags: []string{"-verify-prefs", strconv.Itoa(int(signatureEd25519))},
shouldFail: true,
expectedError: ":PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE:",
})
@@ -9749,7 +9749,7 @@
},
},
flags: []string{
- "-enable-ed25519",
+ "-verify-prefs", strconv.Itoa(int(signatureEd25519)),
"-require-any-client-certificate",
},
shouldFail: true,
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index c9163fa..c7be4a4 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -128,7 +128,6 @@
{"-no-op-extra-handshake", &TestConfig::no_op_extra_handshake},
{"-handshake-twice", &TestConfig::handshake_twice},
{"-allow-unknown-alpn-protos", &TestConfig::allow_unknown_alpn_protos},
- {"-enable-ed25519", &TestConfig::enable_ed25519},
{"-use-custom-verify-callback", &TestConfig::use_custom_verify_callback},
{"-allow-false-start-without-alpn",
&TestConfig::allow_false_start_without_alpn},
@@ -1259,10 +1258,6 @@
SSL_CTX_set_allow_unknown_alpn_protos(ssl_ctx.get(), 1);
}
- if (enable_ed25519) {
- SSL_CTX_set_ed25519_enabled(ssl_ctx.get(), 1);
- }
-
if (!verify_prefs.empty()) {
std::vector<uint16_t> u16s(verify_prefs.begin(), verify_prefs.end());
if (!SSL_CTX_set_verify_algorithm_prefs(ssl_ctx.get(), u16s.data(),
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index 24211bb..0974a16 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@@ -152,7 +152,6 @@
bool no_op_extra_handshake = false;
bool handshake_twice = false;
bool allow_unknown_alpn_protos = false;
- bool enable_ed25519 = false;
bool use_custom_verify_callback = false;
std::string expect_msg_callback;
bool allow_false_start_without_alpn = false;
diff --git a/tool/client.cc b/tool/client.cc
index d175ba3..31378d6 100644
--- a/tool/client.cc
+++ b/tool/client.cc
@@ -137,9 +137,6 @@
"file to read from for early data.",
},
{
- "-ed25519", kBooleanArgument, "Advertise Ed25519 support",
- },
- {
"-http-tunnel", kOptionalArgument,
"An HTTP proxy server to tunnel the TCP connection through",
},
@@ -531,10 +528,6 @@
SSL_CTX_set_early_data_enabled(ctx.get(), 1);
}
- if (args_map.count("-ed25519") != 0) {
- SSL_CTX_set_ed25519_enabled(ctx.get(), 1);
- }
-
if (args_map.count("-debug") != 0) {
SSL_CTX_set_info_callback(ctx.get(), InfoCallback);
}