Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/mono/boringssl.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/ssl/s3_lib.c
diff options
context:
space:
mode:
authorDavid Benjamin <davidben@chromium.org>2014-07-15 08:54:26 +0400
committerAdam Langley <agl@google.com>2014-07-25 01:14:08 +0400
commit060d9d2c563b3fbe00eff93e5033591504516e6c (patch)
tree7de2c146ea4bb0fb4d04d6fd6b217f47f02a1565 /ssl/s3_lib.c
parent5ffeb7c22f367ba0094c3ef886ff6ec13ed63ded (diff)
Remove support code for export cipher suites.
Now the only case where temporary RSA keys are used on the server end is non-signing keys. Change-Id: I55f6c206e798dd28548c386fdffd555ccc395477 Reviewed-on: https://boringssl-review.googlesource.com/1285 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r--ssl/s3_lib.c262
1 files changed, 4 insertions, 258 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 34635bc2..a3053822 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -200,22 +200,6 @@ SSL_CIPHER ssl3_ciphers[]={
0,
},
-/* Cipher 03 */
- {
- 1,
- SSL3_TXT_RSA_RC4_40_MD5,
- SSL3_CK_RSA_RC4_40_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_MD5,
- SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 40,
- 128,
- },
-
/* Cipher 04 */
{
1,
@@ -248,22 +232,6 @@ SSL_CIPHER ssl3_ciphers[]={
128,
},
-/* Cipher 06 */
- {
- 1,
- SSL3_TXT_RSA_RC2_40_MD5,
- SSL3_CK_RSA_RC2_40_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC2,
- SSL_MD5,
- SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 40,
- 128,
- },
-
/* Cipher 07 */
#ifndef OPENSSL_NO_IDEA
{
@@ -282,22 +250,6 @@ SSL_CIPHER ssl3_ciphers[]={
},
#endif
-/* Cipher 08 */
- {
- 1,
- SSL3_TXT_RSA_DES_40_CBC_SHA,
- SSL3_CK_RSA_DES_40_CBC_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 40,
- 56,
- },
-
/* Cipher 09 */
{
1,
@@ -331,21 +283,6 @@ SSL_CIPHER ssl3_ciphers[]={
},
/* The DH ciphers */
-/* Cipher 0B */
- {
- 1,
- SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
- SSL3_CK_DH_DSS_DES_40_CBC_SHA,
- SSL_kDHd,
- SSL_aDH,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 40,
- 56,
- },
/* Cipher 0C */
{
@@ -379,22 +316,6 @@ SSL_CIPHER ssl3_ciphers[]={
168,
},
-/* Cipher 0E */
- {
- 1,
- SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
- SSL3_CK_DH_RSA_DES_40_CBC_SHA,
- SSL_kDHr,
- SSL_aDH,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 40,
- 56,
- },
-
/* Cipher 0F */
{
1,
@@ -428,21 +349,6 @@ SSL_CIPHER ssl3_ciphers[]={
},
/* The Ephemeral DH ciphers */
-/* Cipher 11 */
- {
- 1,
- SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
- SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 40,
- 56,
- },
/* Cipher 12 */
{
@@ -476,22 +382,6 @@ SSL_CIPHER ssl3_ciphers[]={
168,
},
-/* Cipher 14 */
- {
- 1,
- SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
- SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
- SSL_kEDH,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 40,
- 56,
- },
-
/* Cipher 15 */
{
1,
@@ -524,22 +414,6 @@ SSL_CIPHER ssl3_ciphers[]={
168,
},
-/* Cipher 17 */
- {
- 1,
- SSL3_TXT_ADH_RC4_40_MD5,
- SSL3_CK_ADH_RC4_40_MD5,
- SSL_kEDH,
- SSL_aNULL,
- SSL_RC4,
- SSL_MD5,
- SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 40,
- 128,
- },
-
/* Cipher 18 */
{
1,
@@ -556,22 +430,6 @@ SSL_CIPHER ssl3_ciphers[]={
128,
},
-/* Cipher 19 */
- {
- 1,
- SSL3_TXT_ADH_DES_40_CBC_SHA,
- SSL3_CK_ADH_DES_40_CBC_SHA,
- SSL_kEDH,
- SSL_aNULL,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 40,
- 128,
- },
-
/* Cipher 1A */
{
1,
@@ -1040,105 +898,6 @@ SSL_CIPHER ssl3_ciphers[]={
#endif /* OPENSSL_NO_CAMELLIA */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
- /* New TLS Export CipherSuites from expired ID */
-#if 0
- /* Cipher 60 */
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
- TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_MD5,
- SSL_TLSV1,
- SSL_EXPORT|SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 128,
- },
-
- /* Cipher 61 */
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
- TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC2,
- SSL_MD5,
- SSL_TLSV1,
- SSL_EXPORT|SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 128,
- },
-#endif
-
- /* Cipher 62 */
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
- TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_EXPORT|SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
- /* Cipher 63 */
- {
- 1,
- TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
- TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_EXPORT|SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 56,
- },
-
- /* Cipher 64 */
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
- TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_EXPORT|SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 128,
- },
-
- /* Cipher 65 */
- {
- 1,
- TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
- TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
- SSL_kEDH,
- SSL_aDSS,
- SSL_RC4,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_EXPORT|SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 56,
- 128,
- },
-
/* Cipher 66 */
{
1,
@@ -3490,7 +3249,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
int i,ok;
size_t cipher_index;
CERT *cert;
- unsigned long alg_k,alg_a,mask_k,mask_a,emask_k,emask_a;
+ unsigned long alg_k,alg_a,mask_k,mask_a;
/* in_group_flags will either be NULL, or will point to an array of
* bytes which indicate equal-preference groups in the |prio| stack.
* See the comment about |in_group_flags| in the
@@ -3557,8 +3316,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ssl_set_cert_masks(cert,c);
mask_k = cert->mask_k;
mask_a = cert->mask_a;
- emask_k = cert->export_mask_k;
- emask_a = cert->export_mask_a;
#ifdef KSSL_DEBUG
/* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
@@ -3571,22 +3328,11 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if ((alg_a & SSL_aPSK) && s->psk_server_callback == NULL)
ok = 0;
- if (SSL_C_IS_EXPORT(c))
- {
- ok = ok && (alg_k & emask_k) && (alg_a & emask_a);
+ ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
#ifdef CIPHER_DEBUG
- printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
- (void *)c,c->name);
+ printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
+ c->name);
#endif
- }
- else
- {
- ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
-#ifdef CIPHER_DEBUG
- printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
- c->name);
-#endif
- }
#ifndef OPENSSL_NO_EC
/* if we are considering an ECC cipher suite that uses
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-03 02:43:40 +0300