diff options
author | Adam Langley <agl@google.com> | 2015-06-15 13:51:03 -0700 |
---|---|---|
committer | Kenny Root <kroot@google.com> | 2015-06-15 15:49:51 -0700 |
commit | 4bae3aba0494da7c4e3c1b28ff978eb38e6323e6 (patch) | |
tree | ecf049c0e56fdf2b7d414b2fcafa8b190b65e2cd /src | |
parent | dbfa1800f3b4f00609142853f43897e760eb33c2 (diff) | |
download | external_boringssl-4bae3aba0494da7c4e3c1b28ff978eb38e6323e6.zip external_boringssl-4bae3aba0494da7c4e3c1b28ff978eb38e6323e6.tar.gz external_boringssl-4bae3aba0494da7c4e3c1b28ff978eb38e6323e6.tar.bz2 |
Drop ECDHE-PSK-AES-128-GCM.
This is the best PSK cipher suite, but it's non-standard and nobody is
using it. Trivial to bring back in the future if we have need of it.
(Note that this is a no-op in Android because Android had already
disabled this cipher suite.)
(This is a cherry-pick of BoringSSL's 1feb42a2.)
(cherry picked from commit a4be71cee108bfed76ddb37552b7e48945d91b49)
Bug: 21522548
Change-Id: I2a051724500341053595f59e755349544da63ce5
Diffstat (limited to 'src')
-rw-r--r-- | src/include/openssl/tls1.h | 7 | ||||
-rw-r--r-- | src/ssl/ssl_cipher.c | 13 | ||||
-rw-r--r-- | src/ssl/ssl_test.cc | 2 | ||||
-rw-r--r-- | src/ssl/test/runner/runner.go | 1 |
4 files changed, 0 insertions, 23 deletions
diff --git a/src/include/openssl/tls1.h b/src/include/openssl/tls1.h index e085e15..999a5ca 100644 --- a/src/include/openssl/tls1.h +++ b/src/include/openssl/tls1.h @@ -512,9 +512,6 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_key_cb( #define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CC14 #define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CC15 -/* Non-standard ECDHE PSK ciphersuites */ -#define TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256 0x0300CAFE - /* XXX * Inconsistency alert: * The OpenSSL names of ciphers with ephemeral DH here include the string @@ -676,10 +673,6 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_key_cb( "ECDHE-ECDSA-CHACHA20-POLY1305" #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305" -/* Non-standard ECDHE PSK ciphersuites */ -#define TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256 \ - "ECDHE-PSK-AES128-GCM-SHA256" - #define TLS_CT_RSA_SIGN 1 #define TLS_CT_DSS_SIGN 2 #define TLS_CT_RSA_FIXED_DH 3 diff --git a/src/ssl/ssl_cipher.c b/src/ssl/ssl_cipher.c index 5e617b1..2f1548a 100644 --- a/src/ssl/ssl_cipher.c +++ b/src/ssl/ssl_cipher.c @@ -429,20 +429,7 @@ const SSL_CIPHER kCiphers[] = { 256, 256, }, - #if !defined(ANDROID) - /* ECDH PSK ciphersuites */ - - /* Cipher CAFE */ - { - TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256, - TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aPSK, - SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH, - SSL_HANDSHAKE_MAC_SHA256 | - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, - 128, 128, - }, - { TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, SSL_kECDHE, SSL_aRSA, diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc index b29d28c..decf893 100644 --- a/src/ssl/ssl_test.cc +++ b/src/ssl/ssl_test.cc @@ -507,8 +507,6 @@ static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = { "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" }, { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" }, - { TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256, - "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" }, }; static bool TestCipherGetRFCName(void) { diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go index bd03cb1..f60d8ba 100644 --- a/src/ssl/test/runner/runner.go +++ b/src/ssl/test/runner/runner.go @@ -1615,7 +1615,6 @@ var testCipherSuites = []struct { {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384}, {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256}, {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA}, - {"ECDHE-PSK-AES128-GCM-SHA256", TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256}, {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256}, |