Remove CECPQ1 (experimental post-quantum key agreement).
Change-Id: Ie947ab176d10feb709c6e135d5241c6cf605b8e8
Reviewed-on: https://boringssl-review.googlesource.com/12700
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num
index 3a7844c..074657a 100644
--- a/crypto/obj/obj_mac.num
+++ b/crypto/obj/obj_mac.num
@@ -946,4 +946,3 @@
dh_std_kdf 946
dh_cofactor_kdf 947
X25519 948
-cecpq1 949
diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt
index 75f2cbf..f3990d0 100644
--- a/crypto/obj/objects.txt
+++ b/crypto/obj/objects.txt
@@ -1333,6 +1333,3 @@
# NID for X25519 (no corresponding OID).
: X25519
-
-# NID for CECPQ1 (no corresponding OID)
- : cecpq1
diff --git a/fuzz/client.cc b/fuzz/client.cc
index bd0d8fa..35b122e 100644
--- a/fuzz/client.cc
+++ b/fuzz/client.cc
@@ -277,7 +277,7 @@
SSL_set_alpn_protos(client, kALPNProtocols, sizeof(kALPNProtocols));
// Enable ciphers that are off by default.
- SSL_set_cipher_list(client, "ALL:kCECPQ1:NULL-SHA");
+ SSL_set_cipher_list(client, "ALL:NULL-SHA");
BIO_write(in, buf, len);
if (SSL_do_handshake(client) == 1) {
diff --git a/fuzz/server.cc b/fuzz/server.cc
index 82affbc..7cee0c7 100644
--- a/fuzz/server.cc
+++ b/fuzz/server.cc
@@ -272,7 +272,7 @@
SSL_set_tls_channel_id_enabled(server, 1);
// Enable ciphers that are off by default.
- SSL_set_cipher_list(server, "ALL:kCECPQ1:NULL-SHA");
+ SSL_set_cipher_list(server, "ALL:NULL-SHA");
DH *dh = DH_get_1024_160(nullptr);
SSL_set_tmp_dh(server, dh);
diff --git a/include/openssl/nid.h b/include/openssl/nid.h
index 5ed44ee..d51a67c 100644
--- a/include/openssl/nid.h
+++ b/include/openssl/nid.h
@@ -4159,8 +4159,5 @@
#define SN_X25519 "X25519"
#define NID_X25519 948
-#define SN_cecpq1 "cecpq1"
-#define NID_cecpq1 949
-
#endif /* OPENSSL_HEADER_NID_H */
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 689fa82..85c1adc 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1196,9 +1196,6 @@
/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. */
OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_CECPQ1 returns one if |cipher| uses CECPQ1. */
-OPENSSL_EXPORT int SSL_CIPHER_is_CECPQ1(const SSL_CIPHER *cipher);
-
/* SSL_CIPHER_get_min_version returns the minimum protocol version required
* for |cipher|. */
OPENSSL_EXPORT uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher);
@@ -3540,7 +3537,6 @@
#define SSL_TXT_kDHE "kDHE"
#define SSL_TXT_kEDH "kEDH"
#define SSL_TXT_kECDHE "kECDHE"
-#define SSL_TXT_kCECPQ1 "kCECPQ1"
#define SSL_TXT_kEECDH "kEECDH"
#define SSL_TXT_kPSK "kPSK"
#define SSL_TXT_aRSA "aRSA"
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index dfaf78a..54c2800 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -425,12 +425,6 @@
#define TLS1_CK_AES_256_GCM_SHA384 0x03001302
#define TLS1_CK_CHACHA20_POLY1305_SHA256 0x03001303
-/* CECPQ1 ciphersuites. These are specific to BoringSSL and not standard. */
-#define TLS1_CK_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 0x030016B7
-#define TLS1_CK_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0x030016B8
-#define TLS1_CK_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 0x030016B9
-#define TLS1_CK_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 0x030016BA
-
/* XXX
* Inconsistency alert:
* The OpenSSL names of ciphers with ephemeral DH here include the string
@@ -616,16 +610,6 @@
#define TLS1_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384"
#define TLS1_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256"
-/* CECPQ1 ciphersuites. These are specific to BoringSSL and not standard. */
-#define TLS1_TXT_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 \
- "CECPQ1-RSA-CHACHA20-POLY1305-SHA256"
-#define TLS1_TXT_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \
- "CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256"
-#define TLS1_TXT_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 \
- "CECPQ1-RSA-AES256-GCM-SHA384"
-#define TLS1_TXT_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 \
- "CECPQ1-ECDSA-AES256-GCM-SHA384"
-
#define TLS_CT_RSA_SIGN 1
#define TLS_CT_DSS_SIGN 2
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 816255b..2603fb2 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -1274,18 +1274,6 @@
!CBS_stow(&point, &hs->peer_key, &hs->peer_key_len)) {
goto err;
}
- } else if (alg_k & SSL_kCECPQ1) {
- SSL_ECDH_CTX_init_for_cecpq1(&hs->ecdh_ctx);
- CBS key;
- if (!CBS_get_u16_length_prefixed(&server_key_exchange, &key)) {
- al = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- goto f_err;
- }
-
- if (!CBS_stow(&key, &hs->peer_key, &hs->peer_key_len)) {
- goto err;
- }
} else if (!(alg_k & SSL_kPSK)) {
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
@@ -1634,7 +1622,7 @@
!CBB_flush(&body)) {
goto err;
}
- } else if (alg_k & (SSL_kECDHE|SSL_kDHE|SSL_kCECPQ1)) {
+ } else if (alg_k & (SSL_kECDHE|SSL_kDHE)) {
/* Generate a keypair and serialize the public half. */
CBB child;
if (!SSL_ECDH_CTX_add_key(&hs->ecdh_ctx, &body, &child)) {
diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index 4686b01..7ba9946 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c
@@ -724,9 +724,6 @@
mask_k |= SSL_kECDHE;
}
- /* CECPQ1 ciphers are always acceptable if supported by both sides. */
- mask_k |= SSL_kCECPQ1;
-
/* PSK requires a server callback. */
if (ssl->psk_server_callback != NULL) {
mask_k |= SSL_kPSK;
@@ -1231,12 +1228,6 @@
!SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &child)) {
goto err;
}
- } else if (alg_k & SSL_kCECPQ1) {
- SSL_ECDH_CTX_init_for_cecpq1(&hs->ecdh_ctx);
- if (!CBB_add_u16_length_prefixed(&cbb, &child) ||
- !SSL_ECDH_CTX_offer(&hs->ecdh_ctx, &child)) {
- goto err;
- }
} else {
assert(alg_k & SSL_kPSK);
}
@@ -1726,7 +1717,7 @@
OPENSSL_free(decrypt_buf);
decrypt_buf = NULL;
- } else if (alg_k & (SSL_kECDHE|SSL_kDHE|SSL_kCECPQ1)) {
+ } else if (alg_k & (SSL_kECDHE|SSL_kDHE)) {
/* Parse the ClientKeyExchange. */
CBS peer_key;
if (!SSL_ECDH_CTX_get_key(&hs->ecdh_ctx, &client_key_exchange, &peer_key) ||
diff --git a/ssl/internal.h b/ssl/internal.h
index 08ccd07..1802610 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -171,8 +171,7 @@
#define SSL_kECDHE 0x00000004L
/* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */
#define SSL_kPSK 0x00000008L
-#define SSL_kCECPQ1 0x00000010L
-#define SSL_kGENERIC 0x00000020L
+#define SSL_kGENERIC 0x00000010L
/* Bits for |algorithm_auth| (server authentication). */
#define SSL_aRSA 0x00000001L
@@ -617,9 +616,6 @@
* where the server specifies a group. It takes ownership of |params|. */
void SSL_ECDH_CTX_init_for_dhe(SSL_ECDH_CTX *ctx, DH *params);
-/* SSL_ECDH_CTX_init_for_cecpq1 sets up |ctx| for use with CECPQ1. */
-void SSL_ECDH_CTX_init_for_cecpq1(SSL_ECDH_CTX *ctx);
-
/* SSL_ECDH_CTX_cleanup releases memory associated with |ctx|. It is legal to
* call it in the zero state. */
void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx);
diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c
index 99aba72..5223721 100644
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -378,52 +378,6 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* CECPQ1 (combined elliptic curve + post-quantum) suites. */
-
- /* Cipher 16B7 */
- {
- TLS1_TXT_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
- TLS1_CK_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
- SSL_kCECPQ1,
- SSL_aRSA,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
- },
-
- /* Cipher 16B8 */
- {
- TLS1_TXT_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- TLS1_CK_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- SSL_kCECPQ1,
- SSL_aECDSA,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
- },
-
- /* Cipher 16B9 */
- {
- TLS1_TXT_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
- SSL_kCECPQ1,
- SSL_aRSA,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA384,
- },
-
- /* Cipher 16BA */
- {
- TLS1_TXT_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
- SSL_kCECPQ1,
- SSL_aECDSA,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA384,
- },
-
/* Cipher C009 */
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
@@ -679,9 +633,8 @@
} CIPHER_ALIAS;
static const CIPHER_ALIAS kCipherAliases[] = {
- /* "ALL" doesn't include eNULL nor kCECPQ1. These must be explicitly
- * enabled. */
- {"ALL", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
+ /* "ALL" doesn't include eNULL. It must be explicitly enabled. */
+ {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
/* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
@@ -696,16 +649,15 @@
{"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
{"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
- {"kCECPQ1", SSL_kCECPQ1, ~0u, ~0u, ~0u, 0},
{"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
{"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
{"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
/* server authentication aliases */
- {"aRSA", ~SSL_kCECPQ1, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
- {"aECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
- {"ECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
+ {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
+ {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
+ {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
{"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
/* aliases combining key exchange and server authentication */
@@ -719,28 +671,28 @@
/* symmetric encryption aliases */
{"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
{"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
- {"AES256", ~SSL_kCECPQ1, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
- {"AES", ~SSL_kCECPQ1, ~0u, SSL_AES, ~0u, 0},
- {"AESGCM", ~SSL_kCECPQ1, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
- {"CHACHA20", ~SSL_kCECPQ1, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
+ {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
+ {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
+ {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
+ {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
0},
/* MAC aliases */
{"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0},
{"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
{"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
- {"SHA256", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA256, 0},
- {"SHA384", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA384, 0},
+ {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
+ {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
/* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
* same as "SSLv3". */
- {"SSLv3", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
- {"TLSv1", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
- {"TLSv1.2", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
+ {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
+ {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
+ {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
/* Legacy strength classes. */
- {"HIGH", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
- {"FIPS", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
+ {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
+ {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
};
static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
@@ -1574,10 +1526,6 @@
return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
}
-int SSL_CIPHER_is_CECPQ1(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_mkey & SSL_kCECPQ1) != 0;
-}
-
uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
if (cipher->algorithm_mkey == SSL_kGENERIC ||
cipher->algorithm_auth == SSL_aGENERIC) {
@@ -1640,17 +1588,6 @@
return "UNKNOWN";
}
- case SSL_kCECPQ1:
- switch (cipher->algorithm_auth) {
- case SSL_aECDSA:
- return "CECPQ1_ECDSA";
- case SSL_aRSA:
- return "CECPQ1_RSA";
- default:
- assert(0);
- return "UNKNOWN";
- }
-
case SSL_kPSK:
assert(cipher->algorithm_auth == SSL_aPSK);
return "PSK";
@@ -1814,10 +1751,6 @@
kx = "ECDH";
break;
- case SSL_kCECPQ1:
- kx = "CECPQ1";
- break;
-
case SSL_kPSK:
kx = "PSK";
break;
@@ -1962,8 +1895,7 @@
int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
/* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
if (cipher->algorithm_mkey & SSL_kDHE ||
- cipher->algorithm_mkey & SSL_kECDHE ||
- cipher->algorithm_mkey & SSL_kCECPQ1) {
+ cipher->algorithm_mkey & SSL_kECDHE) {
return 1;
}
diff --git a/ssl/ssl_ecdh.c b/ssl/ssl_ecdh.c
index bcb3af4..772a8e8 100644
--- a/ssl/ssl_ecdh.c
+++ b/ssl/ssl_ecdh.c
@@ -220,153 +220,6 @@
}
-/* Combined X25119 + New Hope (post-quantum) implementation. */
-
-typedef struct {
- uint8_t x25519_key[32];
- NEWHOPE_POLY *newhope_sk;
-} cecpq1_data;
-
-#define CECPQ1_OFFERMSG_LENGTH (32 + NEWHOPE_OFFERMSG_LENGTH)
-#define CECPQ1_ACCEPTMSG_LENGTH (32 + NEWHOPE_ACCEPTMSG_LENGTH)
-#define CECPQ1_SECRET_LENGTH (32 + SHA256_DIGEST_LENGTH)
-
-static void ssl_cecpq1_cleanup(SSL_ECDH_CTX *ctx) {
- if (ctx->data == NULL) {
- return;
- }
- cecpq1_data *data = ctx->data;
- NEWHOPE_POLY_free(data->newhope_sk);
- OPENSSL_cleanse(data, sizeof(cecpq1_data));
- OPENSSL_free(data);
-}
-
-static int ssl_cecpq1_offer(SSL_ECDH_CTX *ctx, CBB *out) {
- assert(ctx->data == NULL);
- cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));
- if (data == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- ctx->data = data;
- data->newhope_sk = NEWHOPE_POLY_new();
- if (data->newhope_sk == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- uint8_t x25519_public_key[32];
- X25519_keypair(x25519_public_key, data->x25519_key);
-
- uint8_t newhope_offermsg[NEWHOPE_OFFERMSG_LENGTH];
- NEWHOPE_offer(newhope_offermsg, data->newhope_sk);
-
- if (!CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key)) ||
- !CBB_add_bytes(out, newhope_offermsg, sizeof(newhope_offermsg))) {
- return 0;
- }
- return 1;
-}
-
-static int ssl_cecpq1_accept(SSL_ECDH_CTX *ctx, CBB *cbb, uint8_t **out_secret,
- size_t *out_secret_len, uint8_t *out_alert,
- const uint8_t *peer_key, size_t peer_key_len) {
- if (peer_key_len != CECPQ1_OFFERMSG_LENGTH) {
- *out_alert = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
- *out_alert = SSL_AD_INTERNAL_ERROR;
-
- assert(ctx->data == NULL);
- cecpq1_data *data = OPENSSL_malloc(sizeof(cecpq1_data));
- if (data == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- data->newhope_sk = NULL;
- ctx->data = data;
-
- uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);
- if (secret == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- /* Generate message to server, and secret key, at once. */
-
- uint8_t x25519_public_key[32];
- X25519_keypair(x25519_public_key, data->x25519_key);
- if (!X25519(secret, data->x25519_key, peer_key)) {
- *out_alert = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
- goto err;
- }
-
- uint8_t newhope_acceptmsg[NEWHOPE_ACCEPTMSG_LENGTH];
- if (!NEWHOPE_accept(secret + 32, newhope_acceptmsg, peer_key + 32,
- NEWHOPE_OFFERMSG_LENGTH)) {
- *out_alert = SSL_AD_DECODE_ERROR;
- goto err;
- }
-
- if (!CBB_add_bytes(cbb, x25519_public_key, sizeof(x25519_public_key)) ||
- !CBB_add_bytes(cbb, newhope_acceptmsg, sizeof(newhope_acceptmsg))) {
- goto err;
- }
-
- *out_secret = secret;
- *out_secret_len = CECPQ1_SECRET_LENGTH;
- return 1;
-
- err:
- OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);
- OPENSSL_free(secret);
- return 0;
-}
-
-static int ssl_cecpq1_finish(SSL_ECDH_CTX *ctx, uint8_t **out_secret,
- size_t *out_secret_len, uint8_t *out_alert,
- const uint8_t *peer_key, size_t peer_key_len) {
- if (peer_key_len != CECPQ1_ACCEPTMSG_LENGTH) {
- *out_alert = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
- *out_alert = SSL_AD_INTERNAL_ERROR;
-
- assert(ctx->data != NULL);
- cecpq1_data *data = ctx->data;
-
- uint8_t *secret = OPENSSL_malloc(CECPQ1_SECRET_LENGTH);
- if (secret == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- if (!X25519(secret, data->x25519_key, peer_key)) {
- *out_alert = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
- goto err;
- }
-
- if (!NEWHOPE_finish(secret + 32, data->newhope_sk, peer_key + 32,
- NEWHOPE_ACCEPTMSG_LENGTH)) {
- *out_alert = SSL_AD_DECODE_ERROR;
- goto err;
- }
-
- *out_secret = secret;
- *out_secret_len = CECPQ1_SECRET_LENGTH;
- return 1;
-
- err:
- OPENSSL_cleanse(secret, CECPQ1_SECRET_LENGTH);
- OPENSSL_free(secret);
- return 0;
-}
-
-
/* Legacy DHE-based implementation. */
static void ssl_dhe_cleanup(SSL_ECDH_CTX *ctx) {
@@ -446,16 +299,6 @@
CBB_add_u16_length_prefixed,
};
-static const SSL_ECDH_METHOD kCECPQ1Method = {
- NID_undef, 0, "",
- ssl_cecpq1_cleanup,
- ssl_cecpq1_offer,
- ssl_cecpq1_accept,
- ssl_cecpq1_finish,
- CBS_get_u16_length_prefixed,
- CBB_add_u16_length_prefixed,
-};
-
static const SSL_ECDH_METHOD kMethods[] = {
{
NID_X9_62_prime256v1,
@@ -576,12 +419,6 @@
ctx->data = params;
}
-void SSL_ECDH_CTX_init_for_cecpq1(SSL_ECDH_CTX *ctx) {
- SSL_ECDH_CTX_cleanup(ctx);
-
- ctx->method = &kCECPQ1Method;
-}
-
void SSL_ECDH_CTX_cleanup(SSL_ECDH_CTX *ctx) {
if (ctx->method == NULL) {
return;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ad4d1b2..f3610a5 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2658,8 +2658,7 @@
(ssl->s3->alpn_selected != NULL ||
ssl->s3->next_proto_negotiated != NULL) &&
cipher != NULL &&
- (cipher->algorithm_mkey == SSL_kECDHE ||
- cipher->algorithm_mkey == SSL_kCECPQ1) &&
+ cipher->algorithm_mkey == SSL_kECDHE &&
cipher->algorithm_mac == SSL_AEAD;
}
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index ad4d1f4..af02e44 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -274,30 +274,6 @@
"TLSv1.2",
};
-static const char *kMustNotIncludeCECPQ1[] = {
- "ALL",
- "DEFAULT",
- "HIGH",
- "FIPS",
- "SHA",
- "SHA1",
- "SHA256",
- "SHA384",
- "RSA",
- "SSLv3",
- "TLSv1",
- "TLSv1.2",
- "aRSA",
- "RSA",
- "aECDSA",
- "ECDSA",
- "AES",
- "AES128",
- "AES256",
- "AESGCM",
- "CHACHA20",
-};
-
static const CurveTest kCurveTests[] = {
{
"P-256",
@@ -395,24 +371,6 @@
return true;
}
-static bool TestRuleDoesNotIncludeCECPQ1(const char *rule) {
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
- if (!ctx) {
- return false;
- }
- if (!SSL_CTX_set_cipher_list(ctx.get(), rule)) {
- fprintf(stderr, "Error: cipher rule '%s' failed\n", rule);
- return false;
- }
- for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
- if (SSL_CIPHER_is_CECPQ1(sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i))) {
- fprintf(stderr, "Error: cipher rule '%s' includes CECPQ1\n",rule);
- return false;
- }
- }
- return true;
-}
-
static bool TestCipherRules() {
for (const CipherTest &test : kCipherTests) {
if (!TestCipherRule(test)) {
@@ -438,12 +396,6 @@
}
}
- for (const char *rule : kMustNotIncludeCECPQ1) {
- if (!TestRuleDoesNotIncludeCECPQ1(rule)) {
- return false;
- }
- }
-
return true;
}
diff --git a/ssl/test/runner/cipher_suites.go b/ssl/test/runner/cipher_suites.go
index a997016..fe283eb 100644
--- a/ssl/test/runner/cipher_suites.go
+++ b/ssl/test/runner/cipher_suites.go
@@ -48,9 +48,6 @@
// client indicates that it supports ECC with a curve and point format
// that we're happy with.
suiteECDHE = 1 << iota
- // suiteCECPQ1 indicates that the cipher suite uses the
- // experimental, temporary, and non-standard CECPQ1 key agreement.
- suiteCECPQ1
// suiteECDSA indicates that the cipher suite involves an ECDSA
// signature and therefore may only be selected when the server's
// certificate is ECDSA. If this is not set then the cipher suite is
@@ -125,10 +122,6 @@
{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
- {TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, cecpq1RSAKA, suiteCECPQ1 | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
- {TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, cecpq1ECDSAKA, suiteCECPQ1 | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
- {TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, cecpq1RSAKA, suiteCECPQ1 | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
- {TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, cecpq1ECDSAKA, suiteCECPQ1 | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, dheRSAKA, suiteTLS12, nil, nil, aeadAESGCM},
{TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, dheRSAKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
{TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil},
@@ -425,15 +418,6 @@
}
}
-func cecpq1ECDSAKA(version uint16) keyAgreement {
- return &cecpq1KeyAgreement{
- auth: &signedKeyAgreement{
- keyType: keyTypeECDSA,
- version: version,
- },
- }
-}
-
func ecdheRSAKA(version uint16) keyAgreement {
return &ecdheKeyAgreement{
auth: &signedKeyAgreement{
@@ -443,15 +427,6 @@
}
}
-func cecpq1RSAKA(version uint16) keyAgreement {
- return &cecpq1KeyAgreement{
- auth: &signedKeyAgreement{
- keyType: keyTypeRSA,
- version: version,
- },
- }
-}
-
func dheRSAKA(version uint16) keyAgreement {
return &dheKeyAgreement{
auth: &signedKeyAgreement{
@@ -549,8 +524,4 @@
TLS_AES_128_GCM_SHA256 uint16 = 0x1301
TLS_AES_256_GCM_SHA384 uint16 = 0x1302
TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
- TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0x16b7
- TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0x16b8
- TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x16b9
- TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0x16ba
)
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 9fbf5dc..f5fedb0 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -1025,14 +1025,6 @@
// reject extensions on intermediate certificates.
ExpectNoExtensionsOnIntermediate bool
- // CECPQ1BadX25519Part corrupts the X25519 part of a CECPQ1 key exchange, as
- // a trivial proof that it is actually used.
- CECPQ1BadX25519Part bool
-
- // CECPQ1BadNewhopePart corrupts the Newhope part of a CECPQ1 key exchange,
- // as a trivial proof that it is actually used.
- CECPQ1BadNewhopePart bool
-
// RecordPadding is the number of bytes of padding to add to each
// encrypted record in TLS 1.3.
RecordPadding int
diff --git a/ssl/test/runner/fuzzer_mode.json b/ssl/test/runner/fuzzer_mode.json
index 24f3bd6..cb2befa 100644
--- a/ssl/test/runner/fuzzer_mode.json
+++ b/ssl/test/runner/fuzzer_mode.json
@@ -11,8 +11,6 @@
"*-BadRecord": "Fuzzer mode has no bad packets.",
"BadRSAClientKeyExchange*": "Fuzzer mode does not notice a bad premaster secret.",
- "CECPQ1-*-BadNewhopePart": "Fuzzer mode does not notice a bad premaster secret.",
- "CECPQ1-*-BadX25519Part": "Fuzzer mode does not notice a bad premaster secret.",
"TrailingMessageData-TLS13-ServerHello": "Fuzzer mode will not read the peer's alert as a MAC error",
"UnexpectedUnencryptedExtension-Client-TLS13": "Fuzzer mode will not read the peer's alert as a MAC error",
diff --git a/ssl/test/runner/key_agreement.go b/ssl/test/runner/key_agreement.go
index 271a9d1..8aa9118 100644
--- a/ssl/test/runner/key_agreement.go
+++ b/ssl/test/runner/key_agreement.go
@@ -17,7 +17,6 @@
"math/big"
"./curve25519"
- "./newhope"
)
type keyType int
@@ -282,66 +281,6 @@
return out[:], nil
}
-// cecpq1Curve is combined elliptic curve (X25519) and post-quantum (new hope) key
-// agreement.
-type cecpq1Curve struct {
- x25519 *x25519ECDHCurve
- newhope *newhope.Poly
-}
-
-func (e *cecpq1Curve) offer(rand io.Reader) (publicKey []byte, err error) {
- var x25519OfferMsg, newhopeOfferMsg []byte
-
- e.x25519 = new(x25519ECDHCurve)
- if x25519OfferMsg, err = e.x25519.offer(rand); err != nil {
- return nil, err
- }
-
- newhopeOfferMsg, e.newhope = newhope.Offer(rand)
-
- return append(x25519OfferMsg, newhopeOfferMsg[:]...), nil
-}
-
-func (e *cecpq1Curve) accept(rand io.Reader, peerKey []byte) (publicKey []byte, preMasterSecret []byte, err error) {
- if len(peerKey) != 32+newhope.OfferMsgLen {
- return nil, nil, errors.New("cecpq1: invalid offer message")
- }
-
- var x25519AcceptMsg, newhopeAcceptMsg []byte
- var x25519Secret []byte
- var newhopeSecret newhope.Key
-
- x25519 := new(x25519ECDHCurve)
- if x25519AcceptMsg, x25519Secret, err = x25519.accept(rand, peerKey[:32]); err != nil {
- return nil, nil, err
- }
-
- if newhopeSecret, newhopeAcceptMsg, err = newhope.Accept(rand, peerKey[32:]); err != nil {
- return nil, nil, err
- }
-
- return append(x25519AcceptMsg, newhopeAcceptMsg[:]...), append(x25519Secret, newhopeSecret[:]...), nil
-}
-
-func (e *cecpq1Curve) finish(peerKey []byte) (preMasterSecret []byte, err error) {
- if len(peerKey) != 32+newhope.AcceptMsgLen {
- return nil, errors.New("cecpq1: invalid accept message")
- }
-
- var x25519Secret []byte
- var newhopeSecret newhope.Key
-
- if x25519Secret, err = e.x25519.finish(peerKey[:32]); err != nil {
- return nil, err
- }
-
- if newhopeSecret, err = e.newhope.Finish(peerKey[32:]); err != nil {
- return nil, err
- }
-
- return append(x25519Secret, newhopeSecret[:]...), nil
-}
-
func curveForCurveID(id CurveID) (ecdhCurve, bool) {
switch id {
case CurveP224:
@@ -603,104 +542,6 @@
return 0
}
-// cecpq1RSAKeyAgreement is like an ecdheKeyAgreement, but using the cecpq1Curve
-// pseudo-curve, and without any parameters (e.g. curve name) other than the
-// keys being exchanged. The signature may either be ECDSA or RSA.
-type cecpq1KeyAgreement struct {
- auth keyAgreementAuthentication
- curve ecdhCurve
- peerKey []byte
-}
-
-func (ka *cecpq1KeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
- ka.curve = &cecpq1Curve{}
- publicKey, err := ka.curve.offer(config.rand())
- if err != nil {
- return nil, err
- }
-
- if config.Bugs.CECPQ1BadX25519Part {
- publicKey[0] ^= 1
- }
- if config.Bugs.CECPQ1BadNewhopePart {
- publicKey[32] ^= 1
- publicKey[33] ^= 1
- publicKey[34] ^= 1
- publicKey[35] ^= 1
- }
-
- var params []byte
- params = append(params, byte(len(publicKey)>>8))
- params = append(params, byte(len(publicKey)&0xff))
- params = append(params, publicKey[:]...)
-
- return ka.auth.signParameters(config, cert, clientHello, hello, params)
-}
-
-func (ka *cecpq1KeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
- if len(ckx.ciphertext) < 2 {
- return nil, errClientKeyExchange
- }
- peerKeyLen := int(ckx.ciphertext[0])<<8 + int(ckx.ciphertext[1])
- peerKey := ckx.ciphertext[2:]
- if peerKeyLen != len(peerKey) {
- return nil, errClientKeyExchange
- }
- return ka.curve.finish(peerKey)
-}
-
-func (ka *cecpq1KeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {
- if len(skx.key) < 2 {
- return errServerKeyExchange
- }
- peerKeyLen := int(skx.key[0])<<8 + int(skx.key[1])
- // Save the peer key for later.
- if len(skx.key) < 2+peerKeyLen {
- return errServerKeyExchange
- }
- ka.peerKey = skx.key[2 : 2+peerKeyLen]
- if peerKeyLen != len(ka.peerKey) {
- return errServerKeyExchange
- }
-
- // Check the signature.
- params := skx.key[:2+peerKeyLen]
- sig := skx.key[2+peerKeyLen:]
- return ka.auth.verifyParameters(config, clientHello, serverHello, cert, params, sig)
-}
-
-func (ka *cecpq1KeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {
- curve := &cecpq1Curve{}
- publicKey, preMasterSecret, err := curve.accept(config.rand(), ka.peerKey)
- if err != nil {
- return nil, nil, err
- }
-
- if config.Bugs.CECPQ1BadX25519Part {
- publicKey[0] ^= 1
- }
- if config.Bugs.CECPQ1BadNewhopePart {
- publicKey[32] ^= 1
- publicKey[33] ^= 1
- publicKey[34] ^= 1
- publicKey[35] ^= 1
- }
-
- ckx := new(clientKeyExchangeMsg)
- ckx.ciphertext = append(ckx.ciphertext, byte(len(publicKey)>>8))
- ckx.ciphertext = append(ckx.ciphertext, byte(len(publicKey)&0xff))
- ckx.ciphertext = append(ckx.ciphertext, publicKey[:]...)
-
- return preMasterSecret, ckx, nil
-}
-
-func (ka *cecpq1KeyAgreement) peerSignatureAlgorithm() signatureAlgorithm {
- if auth, ok := ka.auth.(*signedKeyAgreement); ok {
- return auth.peerSignatureAlgorithm
- }
- return 0
-}
-
// dheRSAKeyAgreement implements a TLS key agreement where the server generates
// an ephemeral Diffie-Hellman public/private key pair and signs it. The
// pre-master secret is then calculated using Diffie-Hellman.
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 15895d6..6fb94de 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1100,10 +1100,6 @@
{"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
{"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
{"ECDHE-RSA-CHACHA20-POLY1305-OLD", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD},
- {"CECPQ1-RSA-CHACHA20-POLY1305-SHA256", TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256},
- {"CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256", TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
- {"CECPQ1-RSA-AES256-GCM-SHA384", TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
- {"CECPQ1-ECDSA-AES256-GCM-SHA384", TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384},
{"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
{"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
{"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
@@ -2465,10 +2461,6 @@
// NULL ciphers must be explicitly enabled.
flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
}
- if hasComponent(suite.name, "CECPQ1") {
- // CECPQ1 ciphers must be explicitly enabled.
- flags = append(flags, "-cipher", "DEFAULT:kCECPQ1")
- }
if hasComponent(suite.name, "ECDHE-PSK") && hasComponent(suite.name, "GCM") {
// ECDHE_PSK AES_GCM ciphers must be explicitly enabled
// for now.
@@ -4020,25 +4012,6 @@
shimWritesFirst: true,
})
- tests = append(tests, testCase{
- name: "FalseStart-CECPQ1",
- config: Config{
- MaxVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
- NextProtos: []string{"foo"},
- Bugs: ProtocolBugs{
- ExpectFalseStart: true,
- },
- },
- flags: []string{
- "-false-start",
- "-cipher", "DEFAULT:kCECPQ1",
- "-select-next-proto", "foo",
- },
- shimWritesFirst: true,
- resumeSession: true,
- })
-
// Server parses a V2ClientHello.
tests = append(tests, testCase{
testType: serverTest,
@@ -8133,69 +8106,6 @@
})
}
-func addCECPQ1Tests() {
- testCases = append(testCases, testCase{
- testType: clientTest,
- name: "CECPQ1-Client-BadX25519Part",
- config: Config{
- MaxVersion: VersionTLS12,
- MinVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
- Bugs: ProtocolBugs{
- CECPQ1BadX25519Part: true,
- },
- },
- flags: []string{"-cipher", "kCECPQ1"},
- shouldFail: true,
- expectedLocalError: "local error: bad record MAC",
- })
- testCases = append(testCases, testCase{
- testType: clientTest,
- name: "CECPQ1-Client-BadNewhopePart",
- config: Config{
- MaxVersion: VersionTLS12,
- MinVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
- Bugs: ProtocolBugs{
- CECPQ1BadNewhopePart: true,
- },
- },
- flags: []string{"-cipher", "kCECPQ1"},
- shouldFail: true,
- expectedLocalError: "local error: bad record MAC",
- })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "CECPQ1-Server-BadX25519Part",
- config: Config{
- MaxVersion: VersionTLS12,
- MinVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
- Bugs: ProtocolBugs{
- CECPQ1BadX25519Part: true,
- },
- },
- flags: []string{"-cipher", "kCECPQ1"},
- shouldFail: true,
- expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
- })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "CECPQ1-Server-BadNewhopePart",
- config: Config{
- MaxVersion: VersionTLS12,
- MinVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384},
- Bugs: ProtocolBugs{
- CECPQ1BadNewhopePart: true,
- },
- },
- flags: []string{"-cipher", "kCECPQ1"},
- shouldFail: true,
- expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
- })
-}
-
func addDHEGroupSizeTests() {
testCases = append(testCases, testCase{
name: "DHEGroupSize-Client",
@@ -9952,7 +9862,6 @@
addCustomExtensionTests()
addRSAClientKeyExchangeTests()
addCurveTests()
- addCECPQ1Tests()
addDHEGroupSizeTests()
addSessionTicketTests()
addTLS13RecordTests()
