Remove fixed DH ciphersuites.

Remove all fixed DH ciphersuites and associated logic.

Reviewed-by: Matt Caswell <matt@openssl.org>

Author: snhenson

ssl/s3_lib.c

@@ -306,12 +306,9 @@ static const SSL_CIPHER cipher_aliases[] = {
      */
     {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0},
 
-    {0, SSL_TXT_kDHr, 0, SSL_kDHr, 0, 0, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_kDHd, 0, SSL_kDHd, 0, 0, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_kDH, 0, SSL_kDHr | SSL_kDHd, 0, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_kEDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_kDHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_DH, 0, SSL_kDHr | SSL_kDHd | SSL_kDHE, 0, 0, 0, 0, 0, 0, 0,
+    {0, SSL_TXT_DH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0,
      0},
 
     {0, SSL_TXT_kECDHr, 0, SSL_kECDHr, 0, 0, 0, 0, 0, 0, 0, 0},
@@ -334,8 +331,6 @@ static const SSL_CIPHER cipher_aliases[] = {
     {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-    /* no such ciphersuites supported! */
-    {0, SSL_TXT_aDH, 0, 0, SSL_aDH, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_aECDH, 0, 0, SSL_aECDH, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
@@ -506,8 +501,7 @@ void ssl_load_ciphers(void)
     disabled_auth_mask |= SSL_aDSS;
 #endif
 #ifdef OPENSSL_NO_DH
-    disabled_mkey_mask |= SSL_kDHr | SSL_kDHd | SSL_kDHE | SSL_kDHEPSK;
-    disabled_auth_mask |= SSL_aDH;
+    disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK;
 #endif
 #ifdef OPENSSL_NO_EC
     disabled_mkey_mask |= SSL_kECDHe | SSL_kECDHr | SSL_kECDHEPSK;
@@ -1614,12 +1608,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case SSL_kRSA:
         kx = "RSA";
         break;
-    case SSL_kDHr:
-        kx = "DH/RSA";
-        break;
-    case SSL_kDHd:
-        kx = "DH/DSS";
-        break;
     case SSL_kDHE:
         kx = "DH";
         break;
@@ -1661,9 +1649,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case SSL_aDSS:
         au = "DSS";
         break;
-    case SSL_aDH:
-        au = "DH";
-        break;
     case SSL_aECDH:
         au = "ECDH";
         break;
@@ -1980,10 +1965,6 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
         return SSL_PKEY_ECC;
     } else if (alg_a & SSL_aECDSA)
         return SSL_PKEY_ECC;
-    else if (alg_k & SSL_kDHr)
-        return SSL_PKEY_DH_RSA;
-    else if (alg_k & SSL_kDHd)
-        return SSL_PKEY_DH_DSA;
     else if (alg_a & SSL_aDSS)
         return SSL_PKEY_DSA_SIGN;
     else if (alg_a & SSL_aRSA)

ssl/ssl_ciph.c

@@ -2006,7 +2006,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
 #endif
     CERT *c = s->cert;
     uint32_t *pvalid = s->s3->tmp.valid_flags;
-    int rsa_enc, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
+    int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
     unsigned long mask_k, mask_a;
 #ifndef OPENSSL_NO_EC
     int have_ecc_cert, ecdsa_ok;
@@ -2026,8 +2026,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
     rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;
     rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN;
     dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN;
-    dh_rsa = pvalid[SSL_PKEY_DH_RSA] & CERT_PKEY_VALID;
-    dh_dsa = pvalid[SSL_PKEY_DH_DSA] & CERT_PKEY_VALID;
 #ifndef OPENSSL_NO_EC
     have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
 #endif
@@ -2064,15 +2062,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
     if (dh_tmp)
         mask_k |= SSL_kDHE;
 
-    if (dh_rsa)
-        mask_k |= SSL_kDHr;
-
-    if (dh_dsa)
-        mask_k |= SSL_kDHd;
-
-    if (mask_k & (SSL_kDHr | SSL_kDHd))
-        mask_a |= SSL_aDH;
-
     if (rsa_enc || rsa_sign) {
         mask_a |= SSL_aRSA;
     }

ssl/ssl_lib.c

@@ -295,32 +295,28 @@
 /* Bits for algorithm_mkey (key exchange algorithm) */
 /* RSA key exchange */
 # define SSL_kRSA                0x00000001U
-/* DH cert, RSA CA cert */
-# define SSL_kDHr                0x00000002U
-/* DH cert, DSA CA cert */
-# define SSL_kDHd                0x00000004U
 /* tmp DH key no DH cert */
-# define SSL_kDHE                0x00000008U
+# define SSL_kDHE                0x00000002U
 /* synonym */
 # define SSL_kEDH                SSL_kDHE
 /* ECDH cert, RSA CA cert */
-# define SSL_kECDHr              0x00000020U
+# define SSL_kECDHr              0x00000004U
 /* ECDH cert, ECDSA CA cert */
-# define SSL_kECDHe              0x00000040U
+# define SSL_kECDHe              0x00000008U
 /* ephemeral ECDH */
-# define SSL_kECDHE              0x00000080U
+# define SSL_kECDHE              0x00000010U
 /* synonym */
 # define SSL_kEECDH              SSL_kECDHE
 /* PSK */
-# define SSL_kPSK                0x00000100U
+# define SSL_kPSK                0x00000020U
 /* GOST key exchange */
-# define SSL_kGOST       0x00000200U
+# define SSL_kGOST               0x00000040U
 /* SRP */
-# define SSL_kSRP        0x00000400U
+# define SSL_kSRP                0x00000080U
 
-# define SSL_kRSAPSK             0x00000800U
-# define SSL_kECDHEPSK           0x00001000U
-# define SSL_kDHEPSK             0x00002000U
+# define SSL_kRSAPSK             0x00000100U
+# define SSL_kECDHEPSK           0x00000200U
+# define SSL_kDHEPSK             0x00000400U
 
 /* all PSK */
 
@@ -333,20 +329,18 @@
 # define SSL_aDSS                0x00000002U
 /* no auth (i.e. use ADH or AECDH) */
 # define SSL_aNULL               0x00000004U
-/* Fixed DH auth (kDHd or kDHr) */
-# define SSL_aDH                 0x00000008U
 /* Fixed ECDH auth (kECDHe or kECDHr) */
-# define SSL_aECDH               0x00000010U
+# define SSL_aECDH               0x00000008U
 /* ECDSA auth*/
-# define SSL_aECDSA              0x00000040U
+# define SSL_aECDSA              0x00000010U
 /* PSK auth */
-# define SSL_aPSK                0x00000080U
+# define SSL_aPSK                0x00000020U
 /* GOST R 34.10-2001 signature auth */
-# define SSL_aGOST01                     0x00000200U
+# define SSL_aGOST01             0x00000040U
 /* SRP auth */
-# define SSL_aSRP                0x00000400U
+# define SSL_aSRP                0x00000080U
 /* GOST R 34.10-2012 signature auth */
-# define SSL_aGOST12             0x00000800U
+# define SSL_aGOST12             0x00000100U
 
 /* Bits for algorithm_enc (symmetric encryption) */
 # define SSL_DES                 0x00000001U
@@ -485,13 +479,11 @@
 # define SSL_PKEY_RSA_ENC        0
 # define SSL_PKEY_RSA_SIGN       1
 # define SSL_PKEY_DSA_SIGN       2
-# define SSL_PKEY_DH_RSA         3
-# define SSL_PKEY_DH_DSA         4
-# define SSL_PKEY_ECC            5
-# define SSL_PKEY_GOST01         7
-# define SSL_PKEY_GOST12_256     8
-# define SSL_PKEY_GOST12_512     9
-# define SSL_PKEY_NUM            10
+# define SSL_PKEY_ECC            3
+# define SSL_PKEY_GOST01         4
+# define SSL_PKEY_GOST12_256     5
+# define SSL_PKEY_GOST12_512     6
+# define SSL_PKEY_NUM            7
 /*
  * Pseudo-constant. GOST cipher suites can use different certs for 1
  * SSL_CIPHER. So let's see which one we have in fact.

ssl/ssl_locl.h

@@ -171,22 +171,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
 {
     int i;
-    /*
-     * Special case for DH: check two DH certificate types for a match. This
-     * means for DH certificates we must set the certificate first.
-     */
-    if (pkey->type == EVP_PKEY_DH) {
-        X509 *x;
-        i = -1;
-        x = c->pkeys[SSL_PKEY_DH_RSA].x509;
-        if (x && X509_check_private_key(x, pkey))
-            i = SSL_PKEY_DH_RSA;
-        x = c->pkeys[SSL_PKEY_DH_DSA].x509;
-        if (i == -1 && x && X509_check_private_key(x, pkey))
-            i = SSL_PKEY_DH_DSA;
-        ERR_clear_error();
-    } else
-        i = ssl_cert_type(NULL, pkey);
+    i = ssl_cert_type(NULL, pkey);
     if (i < 0) {
         SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
         return (0);

ssl/ssl_rsa.c

@@ -2390,47 +2390,23 @@ int tls_construct_client_key_exchange(SSL *s)
     }
 #endif
 #ifndef OPENSSL_NO_DH
-    else if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd | SSL_kDHEPSK)) {
+    else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
         DH *dh_srvr, *dh_clnt;
-        if (s->s3->peer_dh_tmp != NULL)
-            dh_srvr = s->s3->peer_dh_tmp;
-        else {
-            /* we get them from the cert */
-            EVP_PKEY *spkey = NULL;
-            dh_srvr = NULL;
-            spkey = X509_get_pubkey(s->session->peer);
-            if (spkey) {
-                dh_srvr = EVP_PKEY_get1_DH(spkey);
-                EVP_PKEY_free(spkey);
-            }
-            if (dh_srvr == NULL) {
-                SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
-                       ERR_R_INTERNAL_ERROR);
-                goto err;
-            }
+        if (s->s3->peer_dh_tmp == NULL) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
+                   ERR_R_INTERNAL_ERROR);
+            goto err;
         }
-        if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
-            /* Use client certificate key */
-            EVP_PKEY *clkey = s->cert->key->privatekey;
-            dh_clnt = NULL;
-            if (clkey)
-                dh_clnt = EVP_PKEY_get1_DH(clkey);
-            if (dh_clnt == NULL) {
-                SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
-                       ERR_R_INTERNAL_ERROR);
-                goto err;
-            }
-        } else {
-            /* generate a new random key */
-            if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
-                SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
-                goto err;
-            }
-            if (!DH_generate_key(dh_clnt)) {
-                SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
-                DH_free(dh_clnt);
-                goto err;
-            }
+        dh_srvr = s->s3->peer_dh_tmp;
+        /* generate a new random key */
+        if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
+            goto err;
+        }
+        if (!DH_generate_key(dh_clnt)) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
+            DH_free(dh_clnt);
+            goto err;
         }
 
         pmslen = DH_size(dh_clnt);
@@ -2454,15 +2430,11 @@ int tls_construct_client_key_exchange(SSL *s)
         }
         pmslen = n;
 
-        if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
-            n = 0;
-        else {
-            /* send off the data */
-            n = BN_num_bytes(dh_clnt->pub_key);
-            s2n(n, p);
-            BN_bn2bin(dh_clnt->pub_key, p);
-            n += 2;
-        }
+        /* send off the data */
+        n = BN_num_bytes(dh_clnt->pub_key);
+        s2n(n, p);
+        BN_bn2bin(dh_clnt->pub_key, p);
+        n += 2;
 
         DH_free(dh_clnt);
     }
@@ -2841,7 +2813,6 @@ int tls_construct_client_verify(SSL *s)
  */
 static int ssl3_check_client_certificate(SSL *s)
 {
-    unsigned long alg_k;
     if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
         return 0;
     /* If no suitable signature algorithm can't use certificate */
@@ -2854,26 +2825,6 @@ static int ssl3_check_client_certificate(SSL *s)
     if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
         !tls1_check_chain(s, NULL, NULL, NULL, -2))
         return 0;
-    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-    /* See if we can use client certificate for fixed DH */
-    if (alg_k & (SSL_kDHr | SSL_kDHd)) {
-        int i = s->session->peer_type;
-        EVP_PKEY *clkey = NULL, *spkey = NULL;
-        clkey = s->cert->key->privatekey;
-        /* If client key not DH assume it can be used */
-        if (EVP_PKEY_id(clkey) != EVP_PKEY_DH)
-            return 1;
-        if (i >= 0)
-            spkey = X509_get_pubkey(s->session->peer);
-        if (spkey) {
-            /* Compare server and client parameters */
-            i = EVP_PKEY_cmp_parameters(clkey, spkey);
-            EVP_PKEY_free(spkey);
-            if (i != 1)
-                return 0;
-        }
-        s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
-    }
     return 1;
 }
 
@@ -3042,20 +2993,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
         al = SSL_AD_INTERNAL_ERROR;
         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
         goto f_err;
-    } else if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
-               !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) {
-        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
-               SSL_R_MISSING_DH_RSA_CERT);
-        goto f_err;
     }
-# ifndef OPENSSL_NO_DSA
-    else if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
-             !has_bits(i, EVP_PK_DH | EVP_PKS_DSA)) {
-        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
-               SSL_R_MISSING_DH_DSA_CERT);
-        goto f_err;
-    }
-# endif
 #endif
 
     return (1);

ssl/statem/statem_clnt.c

@@ -632,17 +632,6 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
         ret = SSL_PKEY_GOST12_512;
     }
 #endif
-    else if (x && (i == EVP_PKEY_DH || i == EVP_PKEY_DHX)) {
-        /*
-         * For DH two cases: DH certificate signed with RSA and DH
-         * certificate signed with DSA.
-         */
-        i = X509_certificate_type(x, pk);
-        if (i & EVP_PKS_RSA)
-            ret = SSL_PKEY_DH_RSA;
-        else if (i & EVP_PKS_DSA)
-            ret = SSL_PKEY_DH_DSA;
-    }
 
  err:
     if (!pkey)