Remove single-DES cipher suites.
This also removes the 'LOW' strength class.
Change-Id: Iffd2356dadb4a4875c1547a613d51061101358fd
Reviewed-on: https://boringssl-review.googlesource.com/1562
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 9ccb445..40a1f63 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -188,7 +188,6 @@
/* These are used to specify which ciphers to use and not to use */
-#define SSL_TXT_LOW "LOW"
#define SSL_TXT_MEDIUM "MEDIUM"
#define SSL_TXT_HIGH "HIGH"
#define SSL_TXT_FIPS "FIPS"
@@ -224,7 +223,6 @@
#define SSL_TXT_ECDSA "ECDSA"
#define SSL_TXT_PSK "PSK"
-#define SSL_TXT_DES "DES"
#define SSL_TXT_3DES "3DES"
#define SSL_TXT_RC4 "RC4"
#define SSL_TXT_AES128 "AES128"
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 1cf0150..bd8761e 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -200,22 +200,6 @@
128,
},
-/* Cipher 09 */
- {
- 1,
- SSL3_TXT_RSA_DES_64_CBC_SHA,
- SSL3_CK_RSA_DES_64_CBC_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
/* Cipher 0A */
{
1,
@@ -232,74 +216,8 @@
168,
},
-/* The DH ciphers */
-
-/* Cipher 0C */
- {
- 1,
- SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
- SSL3_CK_DH_DSS_DES_64_CBC_SHA,
- SSL_kDHd,
- SSL_aDH,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
-/* Cipher 0F */
- {
- 1,
- SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
- SSL3_CK_DH_RSA_DES_64_CBC_SHA,
- SSL_kDHr,
- SSL_aDH,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
/* The Ephemeral DH ciphers */
-/* Cipher 12 */
- {
- 1,
- SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
- SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
-/* Cipher 15 */
- {
- 1,
- SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
- SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
- SSL_kEDH,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
/* Cipher 18 */
{
1,
@@ -316,22 +234,6 @@
128,
},
-/* Cipher 1A */
- {
- 1,
- SSL3_TXT_ADH_DES_64_CBC_SHA,
- SSL3_CK_ADH_DES_64_CBC_SHA,
- SSL_kEDH,
- SSL_aNULL,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
/* New AES ciphersuites */
/* Cipher 2F */
{
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b0fcb97..4c4419d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -147,12 +147,11 @@
#include "ssl_locl.h"
-#define SSL_ENC_DES_IDX 0
-#define SSL_ENC_3DES_IDX 1
-#define SSL_ENC_RC4_IDX 2
-#define SSL_ENC_AES128_IDX 3
-#define SSL_ENC_AES256_IDX 4
-#define SSL_ENC_NUM_IDX 5
+#define SSL_ENC_3DES_IDX 0
+#define SSL_ENC_RC4_IDX 1
+#define SSL_ENC_AES128_IDX 2
+#define SSL_ENC_AES256_IDX 3
+#define SSL_ENC_NUM_IDX 4
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]= { 0 };
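Review bot: The `SSL_ENC_*_IDX` constants are still hand-numbered, so every removal like this one means renumbering each entry and `SSL_ENC_NUM_IDX` by hand. A missed line would leave a hole or an off-by-one in `ssl_cipher_methods`. An anonymous enum keeps the indices dense and the array size correct automatically: `enum { SSL_ENC_3DES_IDX, SSL_ENC_RC4_IDX, SSL_ENC_AES128_IDX, SSL_ENC_AES256_IDX, SSL_ENC_NUM_IDX };`. The new values shown here are consistent (0 to 3 with a count of 4), so this is a style point rather than a defect.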
@@ -239,7 +238,6 @@
/* symmetric encryption aliases */
- {0,SSL_TXT_DES,0, 0,0,SSL_DES, 0,0,0,0,0,0},
{0,SSL_TXT_3DES,0, 0,0,SSL_3DES, 0,0,0,0,0,0},
{0,SSL_TXT_RC4,0, 0,0,SSL_RC4, 0,0,0,0,0,0},
{0,SSL_TXT_AES128,0, 0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0},
@@ -261,7 +259,6 @@
{0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
/* strength classes */
- {0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0},
{0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0},
{0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0},
/* FIPS 140-2 approved ciphersuite */
@@ -270,7 +267,6 @@
void ssl_load_ciphers(void)
{
- ssl_cipher_methods[SSL_ENC_DES_IDX]= EVP_des_cbc();
ssl_cipher_methods[SSL_ENC_3DES_IDX]= EVP_des_ede3_cbc();
ssl_cipher_methods[SSL_ENC_RC4_IDX]= EVP_rc4();
ssl_cipher_methods[SSL_ENC_AES128_IDX]= EVP_aes_128_cbc();
@@ -345,9 +341,6 @@
switch (c->algorithm_enc)
{
- case SSL_DES:
- i=SSL_ENC_DES_IDX;
- break;
case SSL_3DES:
i=SSL_ENC_3DES_IDX;
break;
@@ -519,7 +512,6 @@
- *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
*enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
*enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
*enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
@@ -1467,9 +1459,6 @@
switch (alg_enc)
{
- case SSL_DES:
- enc="DES(56)";
- break;
case SSL_3DES:
enc="3DES(168)";
break;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index ff2c96f..0f6cebc 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -294,14 +294,13 @@
/* Bits for algorithm_enc (symmetric encryption) */
-#define SSL_DES 0x00000001L
-#define SSL_3DES 0x00000002L
-#define SSL_RC4 0x00000004L
-#define SSL_AES128 0x00000008L
-#define SSL_AES256 0x00000010L
-#define SSL_AES128GCM 0x00000020L
-#define SSL_AES256GCM 0x00000040L
-#define SSL_CHACHA20POLY1305 0x00000080L
+#define SSL_3DES 0x00000001L
+#define SSL_RC4 0x00000002L
+#define SSL_AES128 0x00000004L
+#define SSL_AES256 0x00000008L
+#define SSL_AES128GCM 0x00000010L
+#define SSL_AES256GCM 0x00000020L
+#define SSL_CHACHA20POLY1305 0x00000040L
#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
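Review bot: Shifting every `algorithm_enc` bit down by one changes the numeric value of all remaining flags, which is only safe if nothing stores or compares them as raw numbers. The hunk does not show whether that holds. The later hunk in this file takes the opposite approach and leaves the old `SSL_LOW` bit (0x00000020L) unused, so the two removals are handled inconsistently. Either leave 0x00000001L as a gap here too, or add a comment above the block such as `/* Internal bit values; may be renumbered, never persist or expose them. */` so the renumbering reads as intentional.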
@@ -372,7 +371,6 @@
#define SSL_NOT_EXP 0x00000001L
-#define SSL_LOW 0x00000020L
#define SSL_MEDIUM 0x00000040L
#define SSL_HIGH 0x00000080L
#define SSL_FIPS 0x00000100L