Remove experimental 56bit export ciphers (a258afaf) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/s3_lib.c

+0 −82

Original line number	Diff line number	Diff line
		@@ -1212,88 +1212,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
		},
		#endif /* OPENSSL_NO_CAMELLIA */

		#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
		/* Cipher 62 */
		{
		1,
		TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
		TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
		SSL_kRSA,
		SSL_aRSA,
		SSL_DES,
		SSL_SHA1,
		SSL_TLSV1,
		SSL_EXPORT \| SSL_EXP56,
		SSL_HANDSHAKE_MAC_DEFAULT \| TLS1_PRF,
		56,
		56,
		},

		/* Cipher 63 */
		{
		1,
		TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
		TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
		SSL_kDHE,
		SSL_aDSS,
		SSL_DES,
		SSL_SHA1,
		SSL_TLSV1,
		SSL_EXPORT \| SSL_EXP56,
		SSL_HANDSHAKE_MAC_DEFAULT \| TLS1_PRF,
		56,
		56,
		},

		/* Cipher 64 */
		{
		1,
		TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
		TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
		SSL_kRSA,
		SSL_aRSA,
		SSL_RC4,
		SSL_SHA1,
		SSL_TLSV1,
		SSL_EXPORT \| SSL_EXP56,
		SSL_HANDSHAKE_MAC_DEFAULT \| TLS1_PRF,
		56,
		128,
		},

		/* Cipher 65 */
		{
		1,
		TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
		TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
		SSL_kDHE,
		SSL_aDSS,
		SSL_RC4,
		SSL_SHA1,
		SSL_TLSV1,
		SSL_EXPORT \| SSL_EXP56,
		SSL_HANDSHAKE_MAC_DEFAULT \| TLS1_PRF,
		56,
		128,
		},

		/* Cipher 66 */
		{
		1,
		TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
		TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
		SSL_kDHE,
		SSL_aDSS,
		SSL_RC4,
		SSL_SHA1,
		SSL_TLSV1,
		SSL_NOT_EXP \| SSL_MEDIUM,
		SSL_HANDSHAKE_MAC_DEFAULT \| TLS1_PRF,
		128,
		128,
		},
		#endif

		/* TLS v1.2 ciphersuites */
		/* Cipher 67 */
		{

+0 −19

Original line number	Diff line number	Diff line
		@@ -162,8 +162,6 @@ extern "C" {
		# define OPENSSL_TLS_SECURITY_LEVEL 1
		# endif

		# define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0

		# define TLS1_VERSION 0x0301
		# define TLS1_1_VERSION 0x0302
		# define TLS1_2_VERSION 0x0303
		@@ -411,23 +409,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
		# define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C
		# define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D

		/*
		* Additional TLS ciphersuites from expired Internet Draft
		* draft-ietf-tls-56-bit-ciphersuites-01.txt (available if
		* TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see s3_lib.c). We
		* actually treat them like SSL 3.0 ciphers, which we probably shouldn't.
		* Note that the first two are actually not in the IDs.
		*/
		# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060/* not in
		* ID */
		# define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061/* not in
		* ID */
		# define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
		# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
		# define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
		# define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
		# define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066

		/* AES ciphersuites from RFC3268 */

		# define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F