Remove the last of the Suite B code.

davidben · nebeid · commit 75c9959c6539 · 2022-09-12T13:50:03.000-04:00
Update-Note: Suite B flags in the X.509 stack are no longer supported. This isn't expected to affect anything but bindings wrapping unused options. Change-Id: Ia0770e545d34e041ab995e80ea11b4dd4a5e47ef Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53329 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> (cherry picked from commit 81587d369990f1f07f9d821c0c27f74adbaa8482)
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
@@ -305,127 +305,6 @@ int X509_check_private_key(X509 *x, const EVP_PKEY *k) {
   return 0;
 }
 
-// Check a suite B algorithm is permitted: pass in a public key and the NID
-// of its signature (or 0 if no signature). The pflags is a pointer to a
-// flags field which must contain the suite B verification flags.
-
-static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags) {
-  const EC_GROUP *grp = NULL;
-  int curve_nid;
-  if (pkey && pkey->type == EVP_PKEY_EC) {
-    grp = EC_KEY_get0_group(pkey->pkey.ec);
-  }
-  if (!grp) {
-    return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
-  }
-  curve_nid = EC_GROUP_get_curve_name(grp);
-  // Check curve is consistent with LOS
-  if (curve_nid == NID_secp384r1) {  // P-384
-    // Check signature algorithm is consistent with curve.
-    if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA384) {
-      return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
-    }
-    if (!(*pflags & X509_V_FLAG_SUITEB_192_LOS)) {
-      return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
-    }
-    // If we encounter P-384 we cannot use P-256 later
-    *pflags &= ~X509_V_FLAG_SUITEB_128_LOS_ONLY;
-  } else if (curve_nid == NID_X9_62_prime256v1) {  // P-256
-    if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA256) {
-      return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
-    }
-    if (!(*pflags & X509_V_FLAG_SUITEB_128_LOS_ONLY)) {
-      return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
-    }
-  } else {
-    return X509_V_ERR_SUITE_B_INVALID_CURVE;
-  }
-
-  return X509_V_OK;
-}
-
-int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
-                            unsigned long flags) {
-  int rv, sign_nid;
-  size_t i;
-  EVP_PKEY *pk = NULL;
-  unsigned long tflags;
-  if (!(flags & X509_V_FLAG_SUITEB_128_LOS)) {
-    return X509_V_OK;
-  }
-  tflags = flags;
-  // If no EE certificate passed in must be first in chain
-  if (x == NULL) {
-    x = sk_X509_value(chain, 0);
-    i = 1;
-  } else {
-    i = 0;
-  }
-
-  if (X509_get_version(x) != X509_VERSION_3) {
-    rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
-    // Correct error depth
-    i = 0;
-    goto end;
-  }
-
-  pk = X509_get_pubkey(x);
-  // Check EE key only
-  rv = check_suite_b(pk, -1, &tflags);
-  if (rv != X509_V_OK) {
-    // Correct error depth
-    i = 0;
-    goto end;
-  }
-  for (; i < sk_X509_num(chain); i++) {
-    sign_nid = X509_get_signature_nid(x);
-    x = sk_X509_value(chain, i);
-    if (X509_get_version(x) != X509_VERSION_3) {
-      rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
-      goto end;
-    }
-    EVP_PKEY_free(pk);
-    pk = X509_get_pubkey(x);
-    rv = check_suite_b(pk, sign_nid, &tflags);
-    if (rv != X509_V_OK) {
-      goto end;
-    }
-  }
-
-  // Final check: root CA signature
-  rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags);
-end:
-  if (pk) {
-    EVP_PKEY_free(pk);
-  }
-  if (rv != X509_V_OK) {
-    // Invalid signature or LOS errors are for previous cert
-    if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM ||
-         rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED) &&
-        i) {
-      i--;
-    }
-    // If we have LOS error and flags changed then we are signing P-384
-    // with P-256. Use more meaninggul error.
-    if (rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED && flags != tflags) {
-      rv = X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
-    }
-    if (perror_depth) {
-      *perror_depth = i;
-    }
-  }
-  return rv;
-}
-
-int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) {
-  int sign_nid;
-  if (!(flags & X509_V_FLAG_SUITEB_128_LOS)) {
-    return X509_V_OK;
-  }
-  sign_nid = OBJ_obj2nid(crl->crl->sig_alg->algorithm);
-  return check_suite_b(pk, sign_nid, &flags);
-}
-
 // Not strictly speaking an "up_ref" as a STACK doesn't have a reference
 // count but it has the same effect by duping the STACK and upping the ref of
 // each X509 structure.
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
@@ -168,19 +168,6 @@ const char *X509_verify_cert_error_string(long err) {
     case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
       return "CRL path validation error";
 
-    case X509_V_ERR_SUITE_B_INVALID_VERSION:
-      return "Suite B: certificate version invalid";
-    case X509_V_ERR_SUITE_B_INVALID_ALGORITHM:
-      return "Suite B: invalid public key algorithm";
-    case X509_V_ERR_SUITE_B_INVALID_CURVE:
-      return "Suite B: invalid ECC curve";
-    case X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM:
-      return "Suite B: invalid signature algorithm";
-    case X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED:
-      return "Suite B: curve not allowed for this LOS";
-    case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256:
-      return "Suite B: cannot sign P-384 with P-256";
-
     case X509_V_ERR_HOSTNAME_MISMATCH:
       return "Hostname mismatch";
     case X509_V_ERR_EMAIL_MISMATCH:
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
@@ -457,17 +457,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx) {
     goto end;
   }
 
-  int err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
-                                    ctx->param->flags);
-  if (err != X509_V_OK) {
-    ctx->error = err;
-    ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
-    ok = ctx->verify_cb(0, ctx);
-    if (!ok) {
-      goto end;
-    }
-  }
-
   // At this point, we have a chain and need to verify it
   if (ctx->verify != NULL) {
     ok = ctx->verify(ctx);
@@ -1646,15 +1635,6 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) {
         goto err;
       }
     } else {
-      int rv;
-      rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
-      if (rv != X509_V_OK) {
-        ctx->error = rv;
-        ok = ctx->verify_cb(0, ctx);
-        if (!ok) {
-          goto err;
-        }
-      }
       // Verify CRL signature
       if (X509_CRL_verify(crl, ikey) <= 0) {
         ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
@@ -1759,11 +1759,6 @@ OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
 OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
 
 OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey);
-OPENSSL_EXPORT int X509_chain_check_suiteb(int *perror_depth, X509 *x,
-                                           STACK_OF(X509) *chain,
-                                           unsigned long flags);
-OPENSSL_EXPORT int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk,
-                                         unsigned long flags);
 
 OPENSSL_EXPORT int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
 
@@ -2410,14 +2405,6 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
 #define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
 
-// Suite B mode algorithm violation
-#define X509_V_ERR_SUITE_B_INVALID_VERSION 56
-#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57
-#define X509_V_ERR_SUITE_B_INVALID_CURVE 58
-#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59
-#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60
-#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
-
 // Host, email and IP check errors
 #define X509_V_ERR_HOSTNAME_MISMATCH 62
 #define X509_V_ERR_EMAIL_MISMATCH 63
@@ -2464,12 +2451,6 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
 // Use trusted store first
 #define X509_V_FLAG_TRUSTED_FIRST 0x8000
-// Suite B 128 bit only mode: not normally used
-#define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000
-// Suite B 192 bit only mode
-#define X509_V_FLAG_SUITEB_192_LOS 0x20000
-// Suite B 128 bit mode allowing 192 bit algorithms
-#define X509_V_FLAG_SUITEB_128_LOS 0x30000
 
 // Allow partial chains if at least one certificate is in trusted store
 #define X509_V_FLAG_PARTIAL_CHAIN 0x80000
