Remove client-side support for ServerKeyExchange in the RSA key exchange.

Server-side support was removed in 77a942b7fedb58ae1afee042255b4b9267abebca,
but client-side support was retained as it appeared NSS supported this.
However, this is not the case: ssl3_HandleServerKeyExchange only allows a
ServerKeyExchange message if hs.ws is in an appropriate state.
ssl3_AuthCertificate only sets it to allow a ServerKeyExchange if the key
exchange normally uses one or if is_limited is set, and is_limited is only set
for the export cipher suites.

Thus we can safely remove this without waiting on gathering UMA data.

BUG=chromium:400587

Change-Id: I9aefb742dbb2d99c13340ab48017e1ceee04bc2f
Reviewed-on: https://boringssl-review.googlesource.com/2230
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 0806d77..36f82bc 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1230,11 +1230,6 @@
 
 	if (s->session->sess_cert != NULL)
 		{
-		if (s->session->sess_cert->peer_rsa_tmp != NULL)
-			{
-			RSA_free(s->session->sess_cert->peer_rsa_tmp);
-			s->session->sess_cert->peer_rsa_tmp=NULL;
-			}
 		if (s->session->sess_cert->peer_dh_tmp)
 			{
 			DH_free(s->session->sess_cert->peer_dh_tmp);
@@ -1293,55 +1288,7 @@
 			}
 		}
 
-	if (alg_k & SSL_kRSA)
-		{
-		CBS rsa_modulus, rsa_exponent;
-
-		/* TODO(davidben): This was originally for export
-		 * reasons. Do we still need to support it? */
-
-		if (!CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_modulus) ||
-			CBS_len(&rsa_modulus) == 0 ||
-			!CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_exponent) ||
-			CBS_len(&rsa_exponent) == 0)
-			{
-			al = SSL_AD_DECODE_ERROR;
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
-			goto f_err;
-			}
-
-		if ((rsa=RSA_new()) == NULL)
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
-			goto err;
-			}
-
-		if (!(rsa->n = BN_bin2bn(CBS_data(&rsa_modulus),
-					CBS_len(&rsa_modulus), rsa->n)))
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
-			goto err;
-			}
-
-		if (!(rsa->e = BN_bin2bn(CBS_data(&rsa_exponent),
-					CBS_len(&rsa_exponent), rsa->e)))
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
-			goto err;
-			}
-
-		/* this should be because we are using an export cipher */
-		if (alg_a & SSL_aRSA)
-			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-		else
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_INTERNAL_ERROR);
-			goto err;
-			}
-		s->session->sess_cert->peer_rsa_tmp=rsa;
-		rsa=NULL;
-		}
-	else if (alg_k & SSL_kEDH)
+	if (alg_k & SSL_kEDH)
 		{
 		CBS dh_p, dh_g, dh_Ys;
 
@@ -1990,21 +1937,16 @@
 				goto err;
 				}
 
-			if (s->session->sess_cert->peer_rsa_tmp != NULL)
-				rsa=s->session->sess_cert->peer_rsa_tmp;
-			else
+			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+			if ((pkey == NULL) ||
+				(pkey->type != EVP_PKEY_RSA) ||
+				(pkey->pkey.rsa == NULL))
 				{
-				pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-				if ((pkey == NULL) ||
-					(pkey->type != EVP_PKEY_RSA) ||
-					(pkey->pkey.rsa == NULL))
-					{
-					OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
-					goto err;
-					}
-				rsa=pkey->pkey.rsa;
-				EVP_PKEY_free(pkey);
+				OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
+				goto err;
 				}
+			rsa=pkey->pkey.rsa;
+			EVP_PKEY_free(pkey);
 				
 			pms[0]=s->client_version>>8;
 			pms[1]=s->client_version&0xff;
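Review bot: On the new `goto err` after the type check, `pkey` is not released when X509_get_pubkey returned a non-NULL key that is not RSA, so unless `err:` (outside the hunk) frees it the reference leaks; since EVP_PKEY_free tolerates NULL, `EVP_PKEY_free(pkey);` can simply precede `goto err;`. Separately, `rsa` is used after `EVP_PKEY_free(pkey)` and stays valid only because the peer certificate keeps its own reference to the key, which deserves a comment such as `/* rsa is kept alive by the peer certificate, not by pkey. */` above the free. The enclosing function starts and ends outside the hunk.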
@@ -2499,7 +2441,6 @@
 	long alg_k,alg_a;
 	EVP_PKEY *pkey=NULL;
 	SESS_CERT *sc;
-	RSA *rsa;
 	DH *dh;
 
 	/* we don't have a certificate */
@@ -2516,7 +2457,6 @@
 		goto err;
 		}
 
-	rsa=s->session->sess_cert->peer_rsa_tmp;
 	dh=s->session->sess_cert->peer_dh_tmp;
 
 	/* This is the passed certificate */
@@ -2551,8 +2491,7 @@
 		OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_RSA_SIGNING_CERT);
 		goto f_err;
 		}
-	if ((alg_k & SSL_kRSA) &&
-		!(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
+	if ((alg_k & SSL_kRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_ENC))
 		{
 		OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
 		goto f_err;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index e4ded32..0141dde 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1381,14 +1381,12 @@
 			EVP_PKEY *ptmp;
 			int rv = 0;
 			sc = s->session->sess_cert;
-			if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp)
+			if (!sc->peer_dh_tmp && !sc->peer_ecdh_tmp)
 				return 0;
 			ptmp = EVP_PKEY_new();
 			if (!ptmp)
 				return 0;
-			if (sc->peer_rsa_tmp)
-				rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
-			else if (sc->peer_dh_tmp)
+			if (sc->peer_dh_tmp)
 				rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
 			else if (sc->peer_ecdh_tmp)
 				rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 3d56da6..50ff7fc 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -567,8 +567,6 @@
 #endif
 		}
 
-	if (sc->peer_rsa_tmp != NULL)
-		RSA_free(sc->peer_rsa_tmp);
 	if (sc->peer_dh_tmp != NULL)
 		DH_free(sc->peer_dh_tmp);
 	if (sc->peer_ecdh_tmp != NULL)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 97169f2..a55b1e7 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1456,15 +1456,7 @@
  *
  * Unlike ssl_cipher_has_server_public_key, some ciphers take optional
  * ServerKeyExchanges. PSK and RSA_PSK only use the ServerKeyExchange
- * to communicate a psk_identity_hint, so it is optional.
- *
- * Also, as implemented, the RSA key exchange takes an optional
- * ServerKeyExchange containing a signed ephemeral RSA encryption key.
- *
- * TODO(davidben): Can we remove the RSA one? This is a remnant of
- * RSA_EXPORT ciphers which required this (it was used to generate an
- * ephemeral 512-bit RSA encryption key), but it's allowed for all RSA
- * ciphers. */
+ * to communicate a psk_identity_hint, so it is optional. */
 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher)
 	{
 	/* Ephemeral Diffie-Hellman key exchanges require a
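Review bot: The rewritten comment no longer says how the plain RSA key exchange is treated, which the removed paragraph did, so readers of ssl_cipher_requires_server_key_exchange lose that contract; a one-line addition such as ` * The plain RSA key exchange never takes a ServerKeyExchange.` before the closing `*/` would keep it explicit now that the client-side branch is gone. The function body continues outside the hunk.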
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c214b91..aca7cbd 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -537,8 +537,7 @@
 	/* Obviously we don't have the private keys of these,
 	 * so maybe we shouldn't even use the CERT_PKEY type here. */
 
-	RSA *peer_rsa_tmp; /* not used for SSL 2 */
-	DH *peer_dh_tmp; /* not used for SSL 2 */
+	DH *peer_dh_tmp;
 	EC_KEY *peer_ecdh_tmp;
 	} SESS_CERT;
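Review bot: The surviving fields `peer_dh_tmp` and `peer_ecdh_tmp` are left with no comment at all now that the `/* not used for SSL 2 */` notes are dropped, although the ssl_cert.c hunk shows both are freed with the owning structure; a comment such as `DH *peer_dh_tmp; /* ephemeral server key from ServerKeyExchange; owned, freed with the SESS_CERT */` (and the same for the EC_KEY) would record the ownership. The struct definition begins outside the hunk.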
 /* Structure containing decoded values of signature algorithms extension */