Remove TLS_RSA_WITH_NULL_SHA
Per b/31553927, the last use of this is long gone. This cipher has been
deprecated since it was (re)-added in 2015, so it's long past time to
remove it.
Update-Note: TLS_RSA_WITH_NULL_SHA is no longer available. Nothing
should be enabling it anymore. Callers using
SSL_CTX_set_strict_cipher_list instead of SSL_CTX_set_cipher_list will
notice if they're affected very quickly, because the functino will
fail if this cipher is referenced. As a deprecated cipher suite, this
cipher was already unavailable unless explicitly named, so if your
configuration doesn't say "TLS_RSA_WITH_NULL_SHA" or "NULL-SHA", you
were not using this cipher.
Bug: b:31553927
Change-Id: Id560bb4f9b156be3650d63f4ecf7783fad5ae209
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59145
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/crypto/cipher_extra/e_tls.c b/crypto/cipher_extra/e_tls.c
index cfaf95d..00b4824 100644
--- a/crypto/cipher_extra/e_tls.c
+++ b/crypto/cipher_extra/e_tls.c
@@ -442,13 +442,6 @@
return 1;
}
-static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
- size_t key_len, size_t tag_len,
- enum evp_aead_direction_t dir) {
- return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
- EVP_sha1(), 1 /* implicit iv */);
-}
-
static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
SHA_DIGEST_LENGTH + 16, // key len (SHA1 + AES128)
16, // nonce len (IV)
@@ -551,23 +544,6 @@
aead_tls_tag_len,
};
-static const EVP_AEAD aead_null_sha1_tls = {
- SHA_DIGEST_LENGTH, // key len
- 0, // nonce len
- SHA_DIGEST_LENGTH, // overhead (SHA1)
- SHA_DIGEST_LENGTH, // max tag length
- 0, // seal_scatter_supports_extra_in
-
- NULL, // init
- aead_null_sha1_tls_init,
- aead_tls_cleanup,
- aead_tls_open,
- aead_tls_seal_scatter,
- NULL, // open_gather
- NULL, // get_iv
- aead_tls_tag_len,
-};
-
const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
return &aead_aes_128_cbc_sha1_tls;
}
@@ -591,5 +567,3 @@
const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {
return &aead_des_ede3_cbc_sha1_tls_implicit_iv;
}
-
-const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; }
diff --git a/include/openssl/aead.h b/include/openssl/aead.h
index 131cfec..2633880 100644
--- a/include/openssl/aead.h
+++ b/include/openssl/aead.h
@@ -408,8 +408,6 @@
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
-OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void);
-
// EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS
// 1.2 nonce construction.
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void);
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 0a1493d..fdea6ae 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1449,9 +1449,6 @@
//
// |SHA1|, and its alias |SHA|, match legacy cipher suites using HMAC-SHA1.
//
-// Although implemented, authentication-only ciphers match no rules and must be
-// explicitly selected by name.
-//
// Deprecated cipher rules:
//
// |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|,
diff --git a/ssl/internal.h b/ssl/internal.h
index 15ad6c2..e12b12f 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -547,8 +547,7 @@
#define SSL_AES256 0x00000004u
#define SSL_AES128GCM 0x00000008u
#define SSL_AES256GCM 0x00000010u
-#define SSL_eNULL 0x00000020u
-#define SSL_CHACHA20POLY1305 0x00000040u
+#define SSL_CHACHA20POLY1305 0x00000020u
#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index 73564b3..3833294 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -157,17 +157,6 @@
static constexpr SSL_CIPHER kCiphers[] = {
// The RSA ciphers
- // Cipher 02
- {
- SSL3_TXT_RSA_NULL_SHA,
- "TLS_RSA_WITH_NULL_SHA",
- SSL3_CK_RSA_NULL_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_eNULL,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
- },
// Cipher 0A
{
@@ -498,7 +487,6 @@
} CIPHER_ALIAS;
static const CIPHER_ALIAS kCipherAliases[] = {
- // "ALL" doesn't include eNULL. It must be explicitly enabled.
{"ALL", ~0u, ~0u, ~0u, ~0u, 0},
// The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.
@@ -599,9 +587,7 @@
*out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
}
} else if (cipher->algorithm_mac == SSL_SHA1) {
- if (cipher->algorithm_enc == SSL_eNULL) {
- *out_aead = EVP_aead_null_sha1_tls();
- } else if (cipher->algorithm_enc == SSL_3DES) {
+ if (cipher->algorithm_enc == SSL_3DES) {
if (version == TLS1_VERSION) {
*out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
*out_fixed_iv_len = 8;
@@ -866,9 +852,7 @@
!(alg_auth & cp->algorithm_auth) ||
!(alg_enc & cp->algorithm_enc) ||
!(alg_mac & cp->algorithm_mac) ||
- (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version) ||
- // The NULL cipher must be selected explicitly.
- cp->algorithm_enc == SSL_eNULL) {
+ (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
continue;
}
}
@@ -1383,8 +1367,6 @@
int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {
switch (cipher->algorithm_enc) {
- case SSL_eNULL:
- return NID_undef;
case SSL_3DES:
return NID_des_ede3_cbc;
case SSL_AES128:
@@ -1457,8 +1439,7 @@
}
int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
- cipher->algorithm_mac != SSL_AEAD;
+ return cipher->algorithm_mac != SSL_AEAD;
}
uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
@@ -1557,11 +1538,6 @@
strength_bits = 112;
break;
- case SSL_eNULL:
- alg_bits = 0;
- strength_bits = 0;
- break;
-
default:
assert(0);
alg_bits = 0;
@@ -1652,10 +1628,6 @@
enc = "ChaCha20-Poly1305";
break;
- case SSL_eNULL:
- enc="None";
- break;
-
default:
enc = "unknown";
break;
diff --git a/ssl/test/fuzzer.h b/ssl/test/fuzzer.h
index 8f73fc0..e18a820 100644
--- a/ssl/test/fuzzer.h
+++ b/ssl/test/fuzzer.h
@@ -414,7 +414,7 @@
SSL_CTX_enable_ocsp_stapling(ctx_.get());
// Enable versions and ciphers that are off by default.
- if (!SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL:NULL-SHA")) {
+ if (!SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL")) {
return false;
}
diff --git a/ssl/test/runner/cipher_suites.go b/ssl/test/runner/cipher_suites.go
index 5db5749..b86f515 100644
--- a/ssl/test/runner/cipher_suites.go
+++ b/ssl/test/runner/cipher_suites.go
@@ -127,11 +127,6 @@
{TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
- {TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, 0, cipherNull, macSHA1, nil},
-}
-
-func noIV(vers uint16) int {
- return 0
}
func ivLenChaCha20Poly1305(vers uint16) int {
@@ -364,7 +359,6 @@
// A list of the possible cipher suite ids. Taken from
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
const (
- TLS_RSA_WITH_NULL_SHA uint16 = 0x0002
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index dde60df..745ba7d 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1850,7 +1850,6 @@
{"CHACHA20_POLY1305_SHA256", TLS_CHACHA20_POLY1305_SHA256},
{"AES_128_GCM_SHA256", TLS_AES_128_GCM_SHA256},
{"AES_256_GCM_SHA384", TLS_AES_256_GCM_SHA384},
- {"RSA_WITH_NULL_SHA", TLS_RSA_WITH_NULL_SHA},
}
func hasComponent(suiteName, component string) bool {
@@ -3673,10 +3672,6 @@
"-psk", psk,
"-psk-identity", pskIdentity)
}
- if hasComponent(suite.name, "NULL") {
- // NULL ciphers must be explicitly enabled.
- flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
- }
var shouldFail bool
if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
