Remove DSA-based cipher suites and client auth.
DSA is not connected up to EVP, so it wouldn't work anyway. We shouldn't
advertise a cipher suite we don't support. Chrome UMA data says virtually no
handshakes end up negotiating one of these.
Change-Id: I874d934432da6318f05782ebd149432c1d1e5275
Reviewed-on: https://boringssl-review.googlesource.com/1566
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index a7287dd..7299cd2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -200,11 +200,9 @@
#define SSL_TXT_kPSK "kPSK"
#define SSL_TXT_aRSA "aRSA"
-#define SSL_TXT_aDSS "aDSS"
#define SSL_TXT_aECDSA "aECDSA"
#define SSL_TXT_aPSK "aPSK"
-#define SSL_TXT_DSS "DSS"
#define SSL_TXT_DH "DH"
#define SSL_TXT_EDH "EDH" /* same as "kEDH:-ADH" */
#define SSL_TXT_ADH "ADH"
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 950b861..fa3088c 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1365,10 +1365,6 @@
if (alg_a & SSL_aRSA)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-#ifndef OPENSSL_NO_DSA
- else if (alg_a & SSL_aDSS)
- pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
-#endif
/* else anonymous DH, so no certificate or pkey. */
s->session->sess_cert->peer_dh_tmp=dh;
@@ -2599,13 +2595,6 @@
OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_RSA_SIGNING_CERT);
goto f_err;
}
-#ifndef OPENSSL_NO_DSA
- else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
- {
- OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_DSA_SIGNING_CERT);
- goto f_err;
- }
-#endif
if ((alg_k & SSL_kRSA) &&
!(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
{
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index aa685e2..cef94b1 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -250,21 +250,6 @@
128,
128,
},
-/* Cipher 32 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
- TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
/* Cipher 33 */
{
1,
@@ -312,22 +297,6 @@
256,
},
-/* Cipher 38 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
- TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
/* Cipher 39 */
{
1,
@@ -393,40 +362,6 @@
256,
},
- /* Cipher 40 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256,
- TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES128,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
-
-#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
- /* Cipher 66 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
- TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_RC4,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-#endif
/* TLS v1.2 ciphersuites */
/* Cipher 67 */
@@ -445,22 +380,6 @@
128,
},
- /* Cipher 6A */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256,
- TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES256,
- SSL_SHA256,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
/* Cipher 6B */
{
1,
@@ -626,39 +545,6 @@
256,
},
- /* Cipher A2 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 128,
- 128,
- },
-
- /* Cipher A3 */
- {
- 1,
- TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
- SSL_kEDH,
- SSL_aDSS,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_TLSV1_2,
- SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 256,
- 256,
- },
-
/* Cipher A6 */
{
1,
@@ -2117,7 +2003,7 @@
int ret=0;
const unsigned char *sig;
size_t i, siglen;
- int have_rsa_sign = 0, have_dsa_sign = 0;
+ int have_rsa_sign = 0;
#ifndef OPENSSL_NO_ECDSA
int have_ecdsa_sign = 0;
#endif
@@ -2139,9 +2025,6 @@
have_rsa_sign = 1;
break;
- case TLSEXT_signature_dsa:
- have_dsa_sign = 1;
- break;
#ifndef OPENSSL_NO_ECDSA
case TLSEXT_signature_ecdsa:
have_ecdsa_sign = 1;
@@ -2152,10 +2035,6 @@
if (have_rsa_sign)
p[ret++]=SSL3_CT_RSA_SIGN;
-#ifndef OPENSSL_NO_DSA
- if (have_dsa_sign)
- p[ret++]=SSL3_CT_DSS_SIGN;
-#endif
#ifndef OPENSSL_NO_ECDSA
/* ECDSA certs can be used with RSA cipher suites as well
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 52382b4..d5ff24f 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2448,23 +2448,6 @@
}
}
else
-#ifndef OPENSSL_NO_DSA
- if (pkey->type == EVP_PKEY_DSA)
- {
- if (DSA_verify(pkey->save_type,
- &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
- SHA_DIGEST_LENGTH,
- CBS_data(&signature), CBS_len(&signature),
- pkey->pkey.dsa) <= 0)
- {
- /* bad signature */
- al = SSL_AD_DECRYPT_ERROR;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_verify, SSL_R_BAD_DSA_SIGNATURE);
- goto f_err;
- }
- }
- else
-#endif
#ifndef OPENSSL_NO_ECDSA
if (pkey->type == EVP_PKEY_EC)
{
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 4df96aa..d9a4def 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -213,8 +213,6 @@
/* server authentication aliases */
{0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
- {0,SSL_TXT_aDSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
- {0,SSL_TXT_DSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
{0,SSL_TXT_aNULL,0, 0,SSL_aNULL, 0,0,0,0,0,0,0},
{0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0},
{0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0},
@@ -487,23 +485,6 @@
*mac = 0;
*ssl = 0;
-#ifdef OPENSSL_NO_DSA
- *auth |= SSL_aDSS;
-#endif
-#ifdef OPENSSL_NO_DH
- *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
- *auth |= SSL_aDH;
-#endif
-#ifdef OPENSSL_NO_ECDSA
- *auth |= SSL_aECDSA;
-#endif
-#ifdef OPENSSL_NO_ECDH
- *mkey |= SSL_kECDHe|SSL_kECDHr;
- *auth |= SSL_aECDH;
-#endif
-
-
-
*enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
*enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
*enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
@@ -1414,9 +1395,6 @@
case SSL_aRSA:
au="RSA";
break;
- case SSL_aDSS:
- au="DSS";
- break;
case SSL_aNULL:
au="None";
break;
@@ -1551,8 +1529,6 @@
return SSL_TXT_RSA;
case SSL_kEDH:
switch (cipher->algorithm_auth) {
- case SSL_aDSS:
- return "DHE_" SSL_TXT_DSS;
case SSL_aRSA:
return "DHE_" SSL_TXT_RSA;
case SSL_aNULL:
@@ -1615,8 +1591,6 @@
if (alg_a & SSL_aECDSA)
return SSL_PKEY_ECC;
- else if (alg_a & SSL_aDSS)
- return SSL_PKEY_DSA_SIGN;
else if (alg_a & SSL_aRSA)
return SSL_PKEY_RSA_ENC;
return -1;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5bf2438..16b5b3d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2168,7 +2168,7 @@
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
{
CERT_PKEY *cpk;
- int rsa_enc,rsa_sign,dh_tmp,dsa_sign;
+ int rsa_enc,rsa_sign,dh_tmp;
unsigned long mask_k,mask_a;
#ifndef OPENSSL_NO_ECDSA
int have_ecc_cert, ecdsa_ok;
@@ -2194,8 +2194,6 @@
rsa_enc= cpk->valid_flags & CERT_PKEY_VALID;
cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
rsa_sign= cpk->valid_flags & CERT_PKEY_SIGN;
- cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
- dsa_sign= cpk->valid_flags & CERT_PKEY_SIGN;
cpk= &(c->pkeys[SSL_PKEY_ECC]);
#ifndef OPENSSL_NO_EC
have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID;
@@ -2220,11 +2218,6 @@
mask_a|=SSL_aRSA;
}
- if (dsa_sign)
- {
- mask_a|=SSL_aDSS;
- }
-
mask_a|=SSL_aNULL;
/* An ECC certificate may be usable for ECDSA cipher suites depending on
@@ -2355,10 +2348,7 @@
else
#endif
- if ((alg_a & SSL_aDSS) &&
- (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
- idx = SSL_PKEY_DSA_SIGN;
- else if (alg_a & SSL_aRSA)
+ if (alg_a & SSL_aRSA)
{
if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
idx = SSL_PKEY_RSA_SIGN;
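Review bot: With the `SSL_aDSS` arm removed, nothing in this selection chain can yield `SSL_PKEY_DSA_SIGN` any more, yet as far as this diff shows the `SSL_PKEY_DSA_SIGN` (and `SSL_PKEY_DH_DSA`) slots of `c->pkeys` stay defined. If a DSA certificate and key can still be installed into that slot, they would be accepted at configuration time and then silently never used, which is harder to diagnose than an explicit error. Consider rejecting DSA keys where certificates are loaded, or removing the slot in a follow-up. At minimum, record it above the `if (alg_a & SSL_aRSA)` line with a comment such as `/* DSA certificates are no longer selectable; SSL_PKEY_DSA_SIGN is unused. */`. The enclosing function starts and ends outside the hunk, so the final fallback branch could not be checked here.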
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c2c7f21..278fba1 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -281,10 +281,9 @@
/* Bits for algorithm_auth (server authentication) */
#define SSL_aRSA 0x00000001L /* RSA auth */
-#define SSL_aDSS 0x00000002L /* DSS auth */
-#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aECDSA 0x00000008L /* ECDSA auth*/
-#define SSL_aPSK 0x00000010L /* PSK auth */
+#define SSL_aNULL 0x00000002L /* no auth (i.e. use ADH or AECDH) */
+#define SSL_aECDSA 0x00000004L /* ECDSA auth*/
+#define SSL_aPSK 0x00000008L /* PSK auth */
/* Bits for algorithm_enc (symmetric encryption) */
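Review bot: Renumbering `SSL_aNULL`, `SSL_aECDSA` and `SSL_aPSK` rather than leaving `0x00000002L` unused means the bit that used to mean DSS auth now means no authentication. That is safe only if every reader of `algorithm_auth` and `mask_a` goes through these macros and is rebuilt together. A numeric mask hard-coded elsewhere, or a stale object file, would now match anonymous suites without any compile error. Once that has been confirmed for this tree, it would help to say so next to the defines, for example `/* Internal values only: never serialized or exposed, so they may be renumbered. */`.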
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index fbab382..5aa4d2c 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -720,12 +720,6 @@
#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
-#ifdef OPENSSL_NO_DSA
-#define tlsext_sigalg_dsa(md) /* */
-#else
-#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
-#endif
-
#ifdef OPENSSL_NO_ECDSA
#define tlsext_sigalg_ecdsa(md) /* */
#else
@@ -734,7 +728,6 @@
#define tlsext_sigalg(md) \
tlsext_sigalg_rsa(md) \
- tlsext_sigalg_dsa(md) \
tlsext_sigalg_ecdsa(md)
static const uint8_t tls12_sigalgs[] = {
@@ -859,7 +852,7 @@
CERT *c = s->cert;
const unsigned char *sigalgs;
size_t i, sigalgslen;
- int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
+ int have_rsa = 0, have_ecdsa = 0;
c->mask_a = 0;
c->mask_k = 0;
/* Don't allow TLS 1.2 only ciphers if we don't suppport them */
@@ -879,11 +872,6 @@
case TLSEXT_signature_rsa:
have_rsa = 1;
break;
-#ifndef OPENSSL_NO_DSA
- case TLSEXT_signature_dsa:
- have_dsa = 1;
- break;
-#endif
#ifndef OPENSSL_NO_ECDSA
case TLSEXT_signature_ecdsa:
have_ecdsa = 1;
@@ -898,10 +886,6 @@
{
c->mask_a |= SSL_aRSA;
}
- if (!have_dsa)
- {
- c->mask_a |= SSL_aDSS;
- }
if (!have_ecdsa)
{
c->mask_a |= SSL_aECDSA;
@@ -2747,7 +2731,6 @@
static const tls12_lookup tls12_sig[] = {
{EVP_PKEY_RSA, TLSEXT_signature_rsa},
- {EVP_PKEY_DSA, TLSEXT_signature_dsa},
{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
};
@@ -2830,10 +2813,6 @@
{
case TLSEXT_signature_rsa:
return SSL_PKEY_RSA_SIGN;
-#ifndef OPENSSL_NO_DSA
- case TLSEXT_signature_dsa:
- return SSL_PKEY_DSA_SIGN;
-#endif
#ifndef OPENSSL_NO_ECDSA
case TLSEXT_signature_ecdsa:
return SSL_PKEY_ECC;
@@ -3396,12 +3375,6 @@
default_nid = NID_sha1WithRSAEncryption;
break;
- case SSL_PKEY_DSA_SIGN:
- case SSL_PKEY_DH_DSA:
- rsign = TLSEXT_signature_dsa;
- default_nid = NID_dsaWithSHA1;
- break;
-
case SSL_PKEY_ECC:
rsign = TLSEXT_signature_ecdsa;
default_nid = NID_ecdsa_with_SHA1;