[openssl-commits] [openssl] master update

Mon Mar 2 01:46:05 UTC 2015

The branch master has been updated
       via  a258afaf7c0da143f15e1cf636279c7aaee7394f (commit)
      from  af674d4e20a82c2a98767b837072d7093c70b1cf (commit)


- Log -----------------------------------------------------------------
commit a258afaf7c0da143f15e1cf636279c7aaee7394f
Author: Rich Salz <rsalz at openssl.org>
Date:   Fri Feb 27 15:06:41 2015 -0500

    Remove experimental 56bit export ciphers
    
    These ciphers are removed:
        TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5
        TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
        TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
        TLS1_CK_DHE_DSS_WITH_RC4_128_SHA
    They were defined in a long-expired IETF internet-draft:
    draft-ietf-tls-56-bit-ciphersuites-01.txt
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_lib.c |   82 ----------------------------------------------------------
 ssl/tls1.h   |   19 --------------
 2 files changed, 101 deletions(-)

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ab19eeb..20ce112 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1212,88 +1212,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      },
 #endif                          /* OPENSSL_NO_CAMELLIA */
 
-#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
-    /* Cipher 62 */
-    {
-     1,
-     TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-     TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
-    /* Cipher 63 */
-    {
-     1,
-     TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-     TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-     SSL_kDHE,
-     SSL_aDSS,
-     SSL_DES,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     56,
-     },
-
-    /* Cipher 64 */
-    {
-     1,
-     TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
-     TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     128,
-     },
-
-    /* Cipher 65 */
-    {
-     1,
-     TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-     TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-     SSL_kDHE,
-     SSL_aDSS,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     128,
-     },
-
-    /* Cipher 66 */
-    {
-     1,
-     TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
-     TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
-     SSL_kDHE,
-     SSL_aDSS,
-     SSL_RC4,
-     SSL_SHA1,
-     SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     128,
-     128,
-     },
-#endif
-
     /* TLS v1.2 ciphersuites */
     /* Cipher 67 */
     {
diff --git a/ssl/tls1.h b/ssl/tls1.h
index af03f13..cb14d8e 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -162,8 +162,6 @@ extern "C" {
 #  define OPENSSL_TLS_SECURITY_LEVEL 1
 # endif
 
-# define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES    0
-
 # define TLS1_VERSION                    0x0301
 # define TLS1_1_VERSION                  0x0302
 # define TLS1_2_VERSION                  0x0303
@@ -411,23 +409,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_CK_PSK_WITH_AES_128_CBC_SHA                0x0300008C
 # define TLS1_CK_PSK_WITH_AES_256_CBC_SHA                0x0300008D
 
-/*
- * Additional TLS ciphersuites from expired Internet Draft
- * draft-ietf-tls-56-bit-ciphersuites-01.txt (available if
- * TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see s3_lib.c).  We
- * actually treat them like SSL 3.0 ciphers, which we probably shouldn't.
- * Note that the first two are actually not in the IDs.
- */
-# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5          0x03000060/* not in
-                                                                    * ID */
-# define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5      0x03000061/* not in
-                                                                    * ID */
-# define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA         0x03000062
-# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA     0x03000063
-# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA          0x03000064
-# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA      0x03000065
-# define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066
-
 /* AES ciphersuites from RFC3268 */
 
 # define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
