Remove the last of the Suite B code.
Update-Note: Suite B flags in the X.509 stack are no longer supported.
This isn't expected to affect anything but bindings wrapping unused
options.
Change-Id: Ia0770e545d34e041ab995e80ea11b4dd4a5e47ef
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53329
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index b98190d..9105b2f 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -305,127 +305,6 @@
return 0;
}
-// Check a suite B algorithm is permitted: pass in a public key and the NID
-// of its signature (or 0 if no signature). The pflags is a pointer to a
-// flags field which must contain the suite B verification flags.
-
-static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags) {
- const EC_GROUP *grp = NULL;
- int curve_nid;
- if (pkey && pkey->type == EVP_PKEY_EC) {
- grp = EC_KEY_get0_group(pkey->pkey.ec);
- }
- if (!grp) {
- return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
- }
- curve_nid = EC_GROUP_get_curve_name(grp);
- // Check curve is consistent with LOS
- if (curve_nid == NID_secp384r1) { // P-384
- // Check signature algorithm is consistent with curve.
- if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA384) {
- return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
- }
- if (!(*pflags & X509_V_FLAG_SUITEB_192_LOS)) {
- return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
- }
- // If we encounter P-384 we cannot use P-256 later
- *pflags &= ~X509_V_FLAG_SUITEB_128_LOS_ONLY;
- } else if (curve_nid == NID_X9_62_prime256v1) { // P-256
- if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA256) {
- return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
- }
- if (!(*pflags & X509_V_FLAG_SUITEB_128_LOS_ONLY)) {
- return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
- }
- } else {
- return X509_V_ERR_SUITE_B_INVALID_CURVE;
- }
-
- return X509_V_OK;
-}
-
-int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
- unsigned long flags) {
- int rv, sign_nid;
- size_t i;
- EVP_PKEY *pk = NULL;
- unsigned long tflags;
- if (!(flags & X509_V_FLAG_SUITEB_128_LOS)) {
- return X509_V_OK;
- }
- tflags = flags;
- // If no EE certificate passed in must be first in chain
- if (x == NULL) {
- x = sk_X509_value(chain, 0);
- i = 1;
- } else {
- i = 0;
- }
-
- if (X509_get_version(x) != X509_VERSION_3) {
- rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
- // Correct error depth
- i = 0;
- goto end;
- }
-
- pk = X509_get_pubkey(x);
- // Check EE key only
- rv = check_suite_b(pk, -1, &tflags);
- if (rv != X509_V_OK) {
- // Correct error depth
- i = 0;
- goto end;
- }
- for (; i < sk_X509_num(chain); i++) {
- sign_nid = X509_get_signature_nid(x);
- x = sk_X509_value(chain, i);
- if (X509_get_version(x) != X509_VERSION_3) {
- rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
- goto end;
- }
- EVP_PKEY_free(pk);
- pk = X509_get_pubkey(x);
- rv = check_suite_b(pk, sign_nid, &tflags);
- if (rv != X509_V_OK) {
- goto end;
- }
- }
-
- // Final check: root CA signature
- rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags);
-end:
- if (pk) {
- EVP_PKEY_free(pk);
- }
- if (rv != X509_V_OK) {
- // Invalid signature or LOS errors are for previous cert
- if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM ||
- rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED) &&
- i) {
- i--;
- }
- // If we have LOS error and flags changed then we are signing P-384
- // with P-256. Use more meaninggul error.
- if (rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED && flags != tflags) {
- rv = X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
- }
- if (perror_depth) {
- *perror_depth = i;
- }
- }
- return rv;
-}
-
-int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) {
- int sign_nid;
- if (!(flags & X509_V_FLAG_SUITEB_128_LOS)) {
- return X509_V_OK;
- }
- sign_nid = OBJ_obj2nid(crl->crl->sig_alg->algorithm);
- return check_suite_b(pk, sign_nid, &flags);
-}
-
// Not strictly speaking an "up_ref" as a STACK doesn't have a reference
// count but it has the same effect by duping the STACK and upping the ref of
// each X509 structure.
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 16768bf..45e8322 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -168,19 +168,6 @@
case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
return "CRL path validation error";
- case X509_V_ERR_SUITE_B_INVALID_VERSION:
- return "Suite B: certificate version invalid";
- case X509_V_ERR_SUITE_B_INVALID_ALGORITHM:
- return "Suite B: invalid public key algorithm";
- case X509_V_ERR_SUITE_B_INVALID_CURVE:
- return "Suite B: invalid ECC curve";
- case X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM:
- return "Suite B: invalid signature algorithm";
- case X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED:
- return "Suite B: curve not allowed for this LOS";
- case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256:
- return "Suite B: cannot sign P-384 with P-256";
-
case X509_V_ERR_HOSTNAME_MISMATCH:
return "Hostname mismatch";
case X509_V_ERR_EMAIL_MISMATCH:
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b45797a..2e5a3c6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -457,17 +457,6 @@
goto end;
}
- int err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
- ctx->param->flags);
- if (err != X509_V_OK) {
- ctx->error = err;
- ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
- ok = ctx->verify_cb(0, ctx);
- if (!ok) {
- goto end;
- }
- }
-
// At this point, we have a chain and need to verify it
if (ctx->verify != NULL) {
ok = ctx->verify(ctx);
@@ -1646,15 +1635,6 @@
goto err;
}
} else {
- int rv;
- rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
- if (rv != X509_V_OK) {
- ctx->error = rv;
- ok = ctx->verify_cb(0, ctx);
- if (!ok) {
- goto err;
- }
- }
// Verify CRL signature
if (X509_CRL_verify(crl, ikey) <= 0) {
ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 069df26..b9e6ab4 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -1759,11 +1759,6 @@
OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey);
-OPENSSL_EXPORT int X509_chain_check_suiteb(int *perror_depth, X509 *x,
- STACK_OF(X509) *chain,
- unsigned long flags);
-OPENSSL_EXPORT int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk,
- unsigned long flags);
OPENSSL_EXPORT int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
@@ -2410,14 +2405,6 @@
#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
-// Suite B mode algorithm violation
-#define X509_V_ERR_SUITE_B_INVALID_VERSION 56
-#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57
-#define X509_V_ERR_SUITE_B_INVALID_CURVE 58
-#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59
-#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60
-#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
-
// Host, email and IP check errors
#define X509_V_ERR_HOSTNAME_MISMATCH 62
#define X509_V_ERR_EMAIL_MISMATCH 63
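Review bot: The removed error values 56-61 leave an unmarked gap between `X509_V_ERR_CRL_PATH_VALIDATION_ERROR` (54) and `X509_V_ERR_HOSTNAME_MISMATCH` (62), so a later addition could reuse a number that existing logs or language bindings still interpret as a Suite B failure; a comment such as `// 56-61 were the Suite B errors and must not be reused.` would retire them explicitly. The same point applies to the `X509_V_FLAG_SUITEB_*` hunk that follows, and carries more weight there. With the checks in `x509_vfy.c` gone, a binding that passes 0x10000, 0x20000 or 0x30000 by value presumably has those bits accepted and ignored, so a caller that relied on the Suite B restriction would get ordinary verification with no error. A matching comment there (`// 0x10000 and 0x20000 were the Suite B flags and must not be reused.`) keeps the bits from acquiring a new meaning; whether the flag setter rejects unknown bits is not visible in this diff and is worth confirming.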
@@ -2464,12 +2451,6 @@
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
// Use trusted store first
#define X509_V_FLAG_TRUSTED_FIRST 0x8000
-// Suite B 128 bit only mode: not normally used
-#define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000
-// Suite B 192 bit only mode
-#define X509_V_FLAG_SUITEB_192_LOS 0x20000
-// Suite B 128 bit mode allowing 192 bit algorithms
-#define X509_V_FLAG_SUITEB_128_LOS 0x30000
// Allow partial chains if at least one certificate is in trusted store
#define X509_V_FLAG_PARTIAL_CHAIN 0x80000