Remove anonymous cipher suites.
These are the remaining untested cipher suites. Rather than add support in
runner.go, just remove them altogether. Grepping for this is a little tricky,
but nothing enables aNULL (all occurrences disable it), and all occurrences of
["ALL:] seem to be either unused or explicitly disable anonymous ciphers.
Change-Id: I4fd4b8dc6a273d6c04a26e93839641ddf738343f
Reviewed-on: https://boringssl-review.googlesource.com/4258
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 831b511..6ad8e83 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -175,8 +175,6 @@
#define SSL_TXT_HIGH "HIGH"
#define SSL_TXT_FIPS "FIPS"
-#define SSL_TXT_aNULL "aNULL"
-
#define SSL_TXT_kRSA "kRSA"
#define SSL_TXT_kDHE "kDHE"
#define SSL_TXT_kEDH "kEDH" /* same as "kDHE" */
@@ -189,14 +187,12 @@
#define SSL_TXT_aPSK "aPSK"
#define SSL_TXT_DH "DH"
-#define SSL_TXT_DHE "DHE" /* same as "kDHE:-ADH" */
+#define SSL_TXT_DHE "DHE" /* same as "kDHE" */
#define SSL_TXT_EDH "EDH" /* same as "DHE" */
-#define SSL_TXT_ADH "ADH"
#define SSL_TXT_RSA "RSA"
#define SSL_TXT_ECDH "ECDH"
-#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE:-AECDH" */
+#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE" */
#define SSL_TXT_EECDH "EECDH" /* same as "ECDHE" */
-#define SSL_TXT_AECDH "AECDH"
#define SSL_TXT_ECDSA "ECDSA"
#define SSL_TXT_PSK "PSK"
@@ -238,7 +234,7 @@
/* The following cipher list is used by default. It also is substituted when an
* application-defined cipher list string starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST "ALL"
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 01f5cbf..0f217aa 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -320,13 +320,6 @@
* don't request cert during re-negotiation: */
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
- /* never request cert in anonymous ciphersuites
- * (see section "Certificate request" in SSL 3 drafts
- * and in RFC 2246): */
- ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
- /* ... except when the application insists on verification
- * (against the specs, but s3_clnt.c accepts this for SSL 3) */
- !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
/* With normal PSK Certificates and
* Certificate Requests are omitted */
(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index a6e76c9..7826bf49 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1411,15 +1411,6 @@
goto err;
}
- /* TLS does not like anon-DH with client cert */
- if (s->version > SSL3_VERSION &&
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request,
- SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
- goto err;
- }
-
CBS_init(&cbs, s->init_msg, n);
ca_sk = sk_X509_NAME_new(ca_dn_cmp);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index fe0e760..f67267f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -185,16 +185,6 @@
},
- /* The Ephemeral DH ciphers */
-
- /* Cipher 18 */
- {
- 1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kDHE, SSL_aNULL,
- SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
- },
-
-
/* New AES ciphersuites */
/* Cipher 2F */
@@ -211,13 +201,6 @@
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
- /* Cipher 34 */
- {
- 1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kDHE,
- SSL_aNULL, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
- },
-
/* Cipher 35 */
{
1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA,
@@ -232,13 +215,6 @@
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
},
- /* Cipher 3A */
- {
- 1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kDHE,
- SSL_aNULL, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
- },
-
/* TLS v1.2 ciphersuites */
@@ -272,20 +248,6 @@
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256,
},
- /* Cipher 6C */
- {
- 1, TLS1_TXT_ADH_WITH_AES_128_SHA256, TLS1_CK_ADH_WITH_AES_128_SHA256,
- SSL_kDHE, SSL_aNULL, SSL_AES128, SSL_SHA256, SSL_TLSV1_2,
- SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
- },
-
- /* Cipher 6D */
- {
- 1, TLS1_TXT_ADH_WITH_AES_256_SHA256, TLS1_CK_ADH_WITH_AES_256_SHA256,
- SSL_kDHE, SSL_aNULL, SSL_AES256, SSL_SHA256, SSL_TLSV1_2,
- SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256,
- },
-
/* Cipher 8A */
{
1, TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK,
@@ -350,26 +312,6 @@
256, 256,
},
- /* Cipher A6 */
- {
- 1, TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aNULL, SSL_AES128GCM,
- SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 128, 128,
- },
-
- /* Cipher A7 */
- {
- 1, TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aNULL, SSL_AES256GCM,
- SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 256, 256,
- },
-
/* Cipher C007 */
{
1, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
@@ -417,29 +359,6 @@
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
},
- /* Cipher C016 */
- {
- 1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
- SSL_kECDHE, SSL_aNULL, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
- },
-
- /* Cipher C018 */
- {
- 1, TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aNULL, SSL_AES128,
- SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
- },
-
- /* Cipher C019 */
- {
- 1, TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aNULL, SSL_AES256,
- SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
- },
-
/* HMAC based TLS v1.2 ciphersuites from RFC5289 */
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 25482a2..eb458f2 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -414,13 +414,6 @@
* don't request cert during re-negotiation: */
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
- /* never request cert in anonymous ciphersuites
- * (see section "Certificate request" in SSL 3 drafts
- * and in RFC 2246): */
- ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
- /* ... except when the application insists on verification
- * (against the specs, but s3_clnt.c accepts this for SSL 3) */
- !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
/* With normal PSK Certificates and
* Certificate Requests are omitted */
(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5ab43e7..1253f8f 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -180,10 +180,7 @@
{
{0, SSL_TXT_ALL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
- /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
- ALL!) */
- {0, SSL_TXT_CMPDEF, 0, SSL_kDHE | SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0,
- 0},
+ /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
/* key exchange aliases
* (some of those using only a single bit here combine
@@ -203,19 +200,16 @@
/* server authentication aliases */
{0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
/* aliases combining key exchange and server authentication */
- {0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_DHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_EDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_EECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
/* symmetric encryption aliases */
@@ -1006,13 +1000,6 @@
ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), 0, 0, 0, 0, 0, CIPHER_ORD,
-1, 0, &head, &tail);
- /* Move anonymous ciphers to the end. Usually, these will remain disabled.
- * (For applications that allow them, they aren't too bad, but we prefer
- * authenticated ciphers.)
- * TODO(davidben): Remove them altogether? */
- ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
- &tail);
-
/* Now disable everything (maintaining the ordering!) */
ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
@@ -1186,10 +1173,6 @@
au = "RSA";
break;
- case SSL_aNULL:
- au = "None";
- break;
-
case SSL_aECDSA:
au = "ECDSA";
break;
@@ -1332,8 +1315,6 @@
switch (cipher->algorithm_auth) {
case SSL_aRSA:
return "DHE_RSA";
- case SSL_aNULL:
- return "DH_anon";
default:
assert(0);
return "UNKNOWN";
@@ -1347,8 +1328,6 @@
return "ECDHE_RSA";
case SSL_aPSK:
return "ECDHE_PSK";
- case SSL_aNULL:
- return "ECDH_anon";
default:
assert(0);
return "UNKNOWN";
@@ -1479,12 +1458,8 @@
* public key in the key exchange, sent in a server Certificate message.
* Otherwise it returns 0. */
int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) {
- /* Anonymous ciphers do not include a server certificate. */
- if (cipher->algorithm_auth & SSL_aNULL) {
- return 0;
- }
-
- /* Neither do PSK ciphers, except for RSA_PSK. */
+ /* PSK-authenticated ciphers do not use a public key, except for
+ * RSA_PSK. */
if ((cipher->algorithm_auth & SSL_aPSK) &&
!(cipher->algorithm_mkey & SSL_kRSA)) {
return 0;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a9d1528..1578dba 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2030,8 +2030,6 @@
mask_a |= SSL_aRSA;
}
- mask_a |= SSL_aNULL;
-
/* An ECC certificate may be usable for ECDSA cipher suites depending on the
* key usage extension and on the client's curve preferences. */
if (have_ecc_cert) {
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 6278deb..16fe2c6 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -293,9 +293,8 @@
/* Bits for algorithm_auth (server authentication) */
#define SSL_aRSA 0x00000001L /* RSA auth */
-#define SSL_aNULL 0x00000002L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aECDSA 0x00000004L /* ECDSA auth*/
-#define SSL_aPSK 0x00000008L /* PSK auth */
+#define SSL_aECDSA 0x00000002L /* ECDSA auth*/
+#define SSL_aPSK 0x00000004L /* PSK auth */
/* Bits for algorithm_enc (symmetric encryption) */
#define SSL_3DES 0x00000001L
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 22018bb..aba758e 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -185,6 +185,8 @@
// Empty cipher lists error at SSL_CTX_set_cipher_list.
"",
"BOGUS",
+ // COMPLEMENTOFDEFAULT is empty.
+ "COMPLEMENTOFDEFAULT",
// Invalid command.
"?BAR",
// Special operators are not allowed if groups are used.
@@ -428,12 +430,9 @@
{ SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
{ SSL3_CK_RSA_RC4_128_MD5, "TLS_RSA_WITH_RC4_MD5" },
{ TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA" },
- { TLS1_CK_ADH_WITH_AES_128_SHA, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
{ TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
{ TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
- { TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
- "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
{ TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
{ TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,