commit 2e839244b078205ff677ada3fb83cf9d60ef055b
author Adam Langley <agl@google.com> Thu Jan 19 15:12:44 2017 -0800
committer Adam Langley <agl@google.com> Thu Jan 19 23:27:54 2017 +0000
tree e50b48ffa81be15780c8df81934ab59dcbfbf4a9
parent 532201040573945094f443670de95d1b96e94896

Remove old ChaCha20-Poly1305 AEAD.

Before RFC 7539 we had a ChaCha20-Poly1305 cipher suite that had a 64/64
nonce/counter split (as DJB's original ChaCha20 did). RFC 7539 changed
that to 96/32 and we've supported both for some time.

This change removes the old version and the TLS cipher suites that used
it.

BUG=chromium:682816

Change-Id: I2345d6db83441691fe0c1ab6d7c6da4d24777849
Reviewed-on: https://boringssl-review.googlesource.com/13203
Reviewed-by: Adam Langley <agl@google.com>

ssl/ssl_cipher.c

diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c
index 7ca79ab..480304f 100644
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -542,28 +542,6 @@
 
     /* ChaCha20-Poly1305 cipher suites. */
 
-#if !defined(BORINGSSL_ANDROID_SYSTEM)
-    {
-     TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD,
-     TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD,
-     SSL_kECDHE,
-     SSL_aRSA,
-     SSL_CHACHA20POLY1305_OLD,
-     SSL_AEAD,
-     SSL_HANDSHAKE_MAC_SHA256,
-    },
-
-    {
-     TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD,
-     TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD,
-     SSL_kECDHE,
-     SSL_aECDSA,
-     SSL_CHACHA20POLY1305_OLD,
-     SSL_AEAD,
-     SSL_HANDSHAKE_MAC_SHA256,
-    },
-#endif
-
     /* Cipher CCA8 */
     {
      TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
@@ -674,8 +652,7 @@
     {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
     {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
     {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
-    {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
-     0},
+    {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
 
     /* MAC aliases */
     {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
@@ -732,11 +709,6 @@
     } else if (cipher->algorithm_enc == SSL_AES256GCM) {
       *out_aead = EVP_aead_aes_256_gcm();
       *out_fixed_iv_len = 4;
-#if !defined(BORINGSSL_ANDROID_SYSTEM)
-    } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305_OLD) {
-      *out_aead = EVP_aead_chacha20_poly1305_old();
-      *out_fixed_iv_len = 0;
-#endif
     } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
       *out_aead = EVP_aead_chacha20_poly1305();
       *out_fixed_iv_len = 12;
@@ -1244,29 +1216,6 @@
       multi = 1;
     }
 
-    /* If one of the CHACHA20_POLY1305 variants is selected, include the other
-     * as well. They have the same name to avoid requiring changes in
-     * configuration. Apply this transformation late so that the cipher name
-     * still behaves as an exact name and not an alias in multipart rules.
-     *
-     * This is temporary and will be removed when the pre-standard construction
-     * is removed. */
-    if (cipher_id == TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD ||
-        cipher_id == TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) {
-      cipher_id = 0;
-      alg_mkey = SSL_kECDHE;
-      alg_auth = SSL_aRSA;
-      alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
-      alg_mac = SSL_AEAD;
-    } else if (cipher_id == TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD ||
-               cipher_id == TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) {
-      cipher_id = 0;
-      alg_mkey = SSL_kECDHE;
-      alg_auth = SSL_aECDSA;
-      alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
-      alg_mac = SSL_AEAD;
-    }
-
     /* Ok, we have the rule, now apply it. */
     if (rule == CIPHER_SPECIAL) {
       /* special command */
@@ -1349,13 +1298,9 @@
                           &head, &tail);
     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
                           -1, 0, &head, &tail);
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
-                          CIPHER_ADD, -1, 0, &head, &tail);
   } else {
     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
                           -1, 0, &head, &tail);
-    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
-                          CIPHER_ADD, -1, 0, &head, &tail);
     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
                           &head, &tail);
     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
@@ -1504,8 +1449,7 @@
 }
 
 int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
-  return (cipher->algorithm_enc &
-          (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD)) != 0;
+  return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
 }
 
 int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
@@ -1622,7 +1566,6 @@
     case SSL_AES256GCM:
       return "AES_256_GCM";
     case SSL_CHACHA20POLY1305:
-    case SSL_CHACHA20POLY1305_OLD:
       return "CHACHA20_POLY1305";
       break;
     default:
@@ -1700,9 +1643,6 @@
 
     case SSL_AES256:
     case SSL_AES256GCM:
-#if !defined(BORINGSSL_ANDROID_SYSTEM)
-    case SSL_CHACHA20POLY1305_OLD:
-#endif
     case SSL_CHACHA20POLY1305:
       alg_bits = 256;
       strength_bits = 256;
@@ -1808,10 +1748,6 @@
       enc = "AESGCM(256)";
       break;
 
-    case SSL_CHACHA20POLY1305_OLD:
-      enc = "ChaCha20-Poly1305-Old";
-      break;
-
     case SSL_CHACHA20POLY1305:
       enc = "ChaCha20-Poly1305";
       break;