Remove support for all 40 and 56 bit ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR: #364
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index b49f498..9ac9921 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -211,30 +211,6 @@
return 1;
}
- /*
- * Export ciphersuites may have temporary RSA keys if the public key in the
- * server certificate is longer than the maximum export strength
- */
- if ((alg_k & SSL_kRSA) && SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
- EVP_PKEY *pkey;
-
- pkey = X509_get_pubkey(s->session->peer);
- if (pkey == NULL)
- return -1;
-
- /*
- * If the public key in the certificate is shorter than or equal to the
- * maximum export strength then a temporary RSA key is not allowed
- */
- if (EVP_PKEY_bits(pkey)
- <= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
- return 0;
-
- EVP_PKEY_free(pkey);
-
- return 1;
- }
-
return 0;
}
@@ -1622,10 +1598,6 @@
save_param_start = *pkt;
-#ifndef OPENSSL_NO_RSA
- RSA_free(s->s3->peer_rsa_tmp);
- s->s3->peer_rsa_tmp = NULL;
-#endif
#ifndef OPENSSL_NO_DH
DH_free(s->s3->peer_dh_tmp);
s->s3->peer_dh_tmp = NULL;
@@ -1709,51 +1681,8 @@
/* We must check if there is a certificate */
if (alg_a & (SSL_aRSA|SSL_aDSS))
pkey = X509_get_pubkey(s->session->peer);
- } else
-#endif /* !OPENSSL_NO_SRP */
-#ifndef OPENSSL_NO_RSA
- if (alg_k & SSL_kRSA) {
- PACKET mod, exp;
- /* Temporary RSA keys only allowed in export ciphersuites */
- if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
- al = SSL_AD_UNEXPECTED_MESSAGE;
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
- goto f_err;
- }
-
- if (!PACKET_get_length_prefixed_2(pkt, &mod)
- || !PACKET_get_length_prefixed_2(pkt, &exp)) {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
-
- if ((rsa = RSA_new()) == NULL) {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if ((rsa->n = BN_bin2bn(PACKET_data(&mod), PACKET_remaining(&mod),
- rsa->n)) == NULL
- || (rsa->e = BN_bin2bn(PACKET_data(&exp), PACKET_remaining(&exp),
- rsa->e)) == NULL) {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
-
- /* this should be because we are using an export cipher */
- if (alg_a & SSL_aRSA)
- pkey = X509_get_pubkey(s->session->peer);
- else {
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- s->s3->peer_rsa_tmp = rsa;
- rsa = NULL;
}
-#else /* OPENSSL_NO_RSA */
- if (0) ;
-#endif
+#endif /* !OPENSSL_NO_SRP */
#ifndef OPENSSL_NO_DH
else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
PACKET prime, generator, pub_key;
@@ -1850,14 +1779,6 @@
group = EC_KEY_get0_group(ecdh);
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
- (EC_GROUP_get_degree(group) > 163)) {
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE,
- SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
- goto f_err;
- }
-
/* Next, get the encoded ECPoint */
if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
((bn_ctx = BN_CTX_new()) == NULL)) {
@@ -2445,20 +2366,16 @@
goto err;
}
- if (s->s3->peer_rsa_tmp != NULL)
- rsa = s->s3->peer_rsa_tmp;
- else {
- pkey = X509_get_pubkey(s->session->peer);
- if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
- || (pkey->pkey.rsa == NULL)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
- EVP_PKEY_free(pkey);
- goto err;
- }
- rsa = pkey->pkey.rsa;
+ pkey = X509_get_pubkey(s->session->peer);
+ if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
+ || (pkey->pkey.rsa == NULL)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
EVP_PKEY_free(pkey);
+ goto err;
}
+ rsa = pkey->pkey.rsa;
+ EVP_PKEY_free(pkey);
pms[0] = s->client_version >> 8;
pms[1] = s->client_version & 0xff;
@@ -3178,10 +3095,6 @@
int i, idx;
long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
- int pkey_bits;
-#ifndef OPENSSL_NO_RSA
- RSA *rsa;
-#endif
#ifndef OPENSSL_NO_DH
DH *dh;
#endif
@@ -3193,9 +3106,6 @@
/* we don't have a certificate */
if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
return (1);
-#ifndef OPENSSL_NO_RSA
- rsa = s->s3->peer_rsa_tmp;
-#endif
#ifndef OPENSSL_NO_DH
dh = s->s3->peer_dh_tmp;
#endif
@@ -3222,7 +3132,6 @@
}
#endif
pkey = X509_get_pubkey(s->session->peer);
- pkey_bits = EVP_PKEY_bits(pkey);
i = X509_certificate_type(s->session->peer, pkey);
EVP_PKEY_free(pkey);
@@ -3240,27 +3149,11 @@
}
#endif
#ifndef OPENSSL_NO_RSA
- if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
- if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
- !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_RSA_ENCRYPTING_CERT);
- goto f_err;
- } else if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
- if (pkey_bits <= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
- if (!has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_RSA_ENCRYPTING_CERT);
- goto f_err;
- }
- if (rsa != NULL) {
- /* server key exchange is not allowed. */
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
- }
- }
+ if (alg_k & (SSL_kRSA | SSL_kRSAPSK) &&
+ !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
+ SSL_R_MISSING_RSA_ENCRYPTING_CERT);
+ goto f_err;
}
#endif
#ifndef OPENSSL_NO_DH
@@ -3284,48 +3177,6 @@
# endif
#endif
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
- pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
-#ifndef OPENSSL_NO_RSA
- if (alg_k & SSL_kRSA) {
- if (rsa == NULL) {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
- goto f_err;
- } else if (RSA_bits(rsa) >
- SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
- /* We have a temporary RSA key but it's too large. */
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
- goto f_err;
- }
- } else
-#endif
-#ifndef OPENSSL_NO_DH
- if (alg_k & SSL_kDHE) {
- if (DH_bits(dh) >
- SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
- /* We have a temporary DH key but it's too large. */
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_DH_KEY);
- goto f_err;
- }
- } else if (alg_k & (SSL_kDHr | SSL_kDHd)) {
- /* The cert should have had an export DH key. */
- al = SSL_AD_EXPORT_RESTRICTION;
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_MISSING_EXPORT_TMP_DH_KEY);
- goto f_err;
- } else
-#endif
- {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
- SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
- goto f_err;
- }
- }
return (1);
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d4668b2..a39e288 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -315,7 +315,7 @@
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
/*
- * only send a ServerKeyExchange if DH, fortezza or RSA but we have a
+ * only send a ServerKeyExchange if DH or fortezza but we have a
* sign only certificate PSK: may send PSK identity hints For
* ECC ciphersuites, we send a serverKeyExchange message only if
* the cipher suite is either ECDH-anon or ECDHE. In other cases,
@@ -324,15 +324,6 @@
*/
if ( (alg_k & SSL_kDHE)
|| (alg_k & SSL_kECDHE)
- || ((alg_k & SSL_kRSA)
- && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
- || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
- && EVP_PKEY_size(s->cert->pkeys
- [SSL_PKEY_RSA_ENC].privatekey) *
- 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
- )
- )
- )
/*
* PSK: send ServerKeyExchange if PSK identity hint if
* provided
@@ -1723,9 +1714,6 @@
int tls_construct_server_key_exchange(SSL *s)
{
-#ifndef OPENSSL_NO_RSA
- RSA *rsa;
-#endif
#ifndef OPENSSL_NO_DH
DH *dh = NULL, *dhp;
#endif
@@ -1769,35 +1757,6 @@
if (type & (SSL_kPSK | SSL_kRSAPSK)) {
} else
#endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_RSA
- if (type & SSL_kRSA) {
- rsa = cert->rsa_tmp;
- if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
- rsa = s->cert->rsa_tmp_cb(s,
- SSL_C_IS_EXPORT(s->s3->
- tmp.new_cipher),
- SSL_C_EXPORT_PKEYLENGTH(s->s3->
- tmp.new_cipher));
- if (rsa == NULL) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
- goto f_err;
- }
- RSA_up_ref(rsa);
- cert->rsa_tmp = rsa;
- }
- if (rsa == NULL) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- SSL_R_MISSING_TMP_RSA_KEY);
- goto f_err;
- }
- r[0] = rsa->n;
- r[1] = rsa->e;
- s->s3->tmp.use_rsa_tmp = 1;
- } else
-#endif
#ifndef OPENSSL_NO_DH
if (type & (SSL_kDHE | SSL_kDHEPSK)) {
if (s->cert->dh_tmp_auto) {
@@ -1811,11 +1770,7 @@
} else
dhp = cert->dh_tmp;
if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
- dhp = s->cert->dh_tmp_cb(s,
- SSL_C_IS_EXPORT(s->s3->
- tmp.new_cipher),
- SSL_C_EXPORT_PKEYLENGTH(s->s3->
- tmp.new_cipher));
+ dhp = s->cert->dh_tmp_cb(s, 0, 1024);
if (dhp == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
@@ -1903,13 +1858,6 @@
goto err;
}
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
- (EC_GROUP_get_degree(group) > 163)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
- goto err;
- }
-
/*
* XXX: For now, we only support ephemeral ECDH keys over named
* (not generic) curves. For supported named curves, curve_id is
@@ -2316,30 +2264,15 @@
size_t j;
/* FIX THIS UP EAY EAY EAY EAY */
- if (s->s3->tmp.use_rsa_tmp) {
- if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
- rsa = s->cert->rsa_tmp;
- /*
- * Don't do a callback because rsa_tmp should be sent already
- */
- if (rsa == NULL) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_MISSING_TMP_RSA_PKEY);
- goto f_err;
-
- }
- } else {
- pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
- if ((pkey == NULL) ||
- (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_MISSING_RSA_CERTIFICATE);
- goto f_err;
- }
- rsa = pkey->pkey.rsa;
+ pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
+ if ((pkey == NULL) ||
+ (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
+ SSL_R_MISSING_RSA_CERTIFICATE);
+ goto f_err;
}
+ rsa = pkey->pkey.rsa;
/* SSLv3 and pre-standard DTLS omit the length bytes. */
if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
