Drop CECPQ2b code.

The experiment which motivated CECPQ2b has concluded (although the results haven't been published yet) and the SIKE code is causing some issues for gRPC in gprc/grpc#20100. Also, this is code size that takes up space in Android etc. Change-Id: I43b0b8c420f236c0fe9b40bf2517d2fde98495d5 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38384 Reviewed-by: David Benjamin <[email protected]> Commit-Queue: David Benjamin <[email protected]>
ClickHouse · Oct 18, 2019 · 7f02881 · 7f02881
1 parent 7de9498
commit 7f02881
Show file tree

Hide file tree

Showing 35 changed files with 12 additions and 7,557 deletions.
diff --git a/LICENSE b/LICENSE
@@ -181,29 +181,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
 
-The code in third_party/sike also carries the MIT license:
-
-Copyright (c) Microsoft Corporation. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE
-
-
 Licenses for support code
 -------------------------
 

diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
@@ -115,7 +115,6 @@ if(${ARCH} STREQUAL "aarch64")
 
     chacha/chacha-armv8.${ASM_EXT}
     test/trampoline-armv8.${ASM_EXT}
-    third_party/sike/asm/fp-armv8.${ASM_EXT}
   )
 endif()
 
@@ -137,7 +136,6 @@ if(${ARCH} STREQUAL "x86_64")
     cipher_extra/chacha20_poly1305_x86_64.${ASM_EXT}
     hrss/asm/poly_rq_mul.S
     test/trampoline-x86_64.${ASM_EXT}
-    third_party/sike/asm/fp-x86_64.${ASM_EXT}
   )
 endif()
 
@@ -147,8 +145,6 @@ perlasm(chacha/chacha-x86.${ASM_EXT} chacha/asm/chacha-x86.pl)
 perlasm(chacha/chacha-x86_64.${ASM_EXT} chacha/asm/chacha-x86_64.pl)
 perlasm(cipher_extra/aes128gcmsiv-x86_64.${ASM_EXT} cipher_extra/asm/aes128gcmsiv-x86_64.pl)
 perlasm(cipher_extra/chacha20_poly1305_x86_64.${ASM_EXT} cipher_extra/asm/chacha20_poly1305_x86_64.pl)
-perlasm(third_party/sike/asm/fp-x86_64.${ASM_EXT} ../third_party/sike/asm/fp-x86_64.pl)
-perlasm(third_party/sike/asm/fp-armv8.${ASM_EXT} ../third_party/sike/asm/fp-armv8.pl)
 perlasm(test/trampoline-armv4.${ASM_EXT} test/asm/trampoline-armv4.pl)
 perlasm(test/trampoline-armv8.${ASM_EXT} test/asm/trampoline-armv8.pl)
 perlasm(test/trampoline-x86.${ASM_EXT} test/asm/trampoline-x86.pl)
@@ -412,11 +408,6 @@ add_library(
   x509v3/v3_sxnet.c
   x509v3/v3_utl.c
   ../third_party/fiat/curve25519.c
-  ../third_party/sike/fpx.c
-  ../third_party/sike/isogeny.c
-  ../third_party/sike/curve_params.c
-  ../third_party/sike/sike.c
-  ../third_party/sike/asm/fp_generic.c
 
   $<TARGET_OBJECTS:fipsmodule>
 
@@ -537,7 +528,6 @@ add_executable(
   x509/x509_time_test.cc
   x509v3/tab_test.cc
   x509v3/v3name_test.cc
-  ../third_party/sike/sike_test.cc
 
   $<TARGET_OBJECTS:crypto_test_data>
   $<TARGET_OBJECTS:boringssl_gtest_main>

diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h
@@ -57,7 +57,7 @@
 /* This file is generated by crypto/obj/objects.go. */
 
 
-#define NUM_NID 961
+#define NUM_NID 960
 
 static const uint8_t kObjectData[] = {
     /* NID_rsadsi */
@@ -8756,7 +8756,6 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
     {"KxANY", "kx-any", NID_kx_any, 0, NULL, 0},
     {"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0},
     {"CECPQ2", "CECPQ2", NID_CECPQ2, 0, NULL, 0},
-    {"CECPQ2b", "CECPQ2b", NID_CECPQ2b, 0, NULL, 0},
 };
 
 static const unsigned kNIDsInShortNameOrder[] = {
@@ -8819,7 +8818,6 @@ static const unsigned kNIDsInShortNameOrder[] = {
     109 /* CAST5-ECB */,
     111 /* CAST5-OFB */,
     959 /* CECPQ2 */,
-    960 /* CECPQ2b */,
     894 /* CMAC */,
     13 /* CN */,
     141 /* CRLReason */,
@@ -9725,7 +9723,6 @@ static const unsigned kNIDsInLongNameOrder[] = {
     179 /* CA Issuers */,
     785 /* CA Repository */,
     959 /* CECPQ2 */,
-    960 /* CECPQ2b */,
     131 /* Code Signing */,
     783 /* Diffie-Hellman based MAC */,
     382 /* Directory */,

diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num
@@ -948,4 +948,3 @@ auth_psk		956
 kx_any		957
 auth_any		958
 CECPQ2		959
-CECPQ2b		960
diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt
@@ -1337,9 +1337,6 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme
 # NID for CECPQ2 (no corresponding OID).
  : CECPQ2
 
-# NID for CECPQ2 (no corresponding OID).
- : CECPQ2b
-
 # See RFC 8410.
 1 3 101 112 : ED25519
 

diff --git a/include/openssl/nid.h b/include/openssl/nid.h
@@ -4237,9 +4237,6 @@ extern "C" {
 #define SN_CECPQ2 "CECPQ2"
 #define NID_CECPQ2 959
 
-#define SN_CECPQ2b "CECPQ2b"
-#define NID_CECPQ2b 960
-
 
 #if defined(__cplusplus)
 } /* extern C */

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
@@ -2231,7 +2231,6 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
 #define SSL_CURVE_SECP521R1 25
 #define SSL_CURVE_X25519 29
 #define SSL_CURVE_CECPQ2 16696
-#define SSL_CURVE_CECPQ2b 65074
 
 // SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
 // completed handshake or 0 if not applicable.

diff --git a/ssl/s3_both.cc b/ssl/s3_both.cc
@@ -660,8 +660,7 @@ class CipherScorer {
  public:
   CipherScorer(uint16_t group_id)
       : aes_is_fine_(EVP_has_aes_hardware()),
-        security_128_is_fine_(group_id != SSL_CURVE_CECPQ2 &&
-                              group_id != SSL_CURVE_CECPQ2b) {}
+        security_128_is_fine_(group_id != SSL_CURVE_CECPQ2) {}
 
   typedef std::tuple<bool, bool, bool> Score;
 

diff --git a/ssl/ssl_key_share.cc b/ssl/ssl_key_share.cc
@@ -31,7 +31,6 @@
 
 #include "internal.h"
 #include "../crypto/internal.h"
-#include "../third_party/sike/sike.h"
 
 BSSL_NAMESPACE_BEGIN
 
@@ -300,95 +299,13 @@ class CECPQ2KeyShare : public SSLKeyShare {
   HRSS_private_key hrss_private_key_;
 };
 
-class CECPQ2bKeyShare : public SSLKeyShare {
- public:
-  uint16_t GroupID() const override { return SSL_CURVE_CECPQ2b; }
-
-  bool Offer(CBB *out) override {
-    uint8_t public_x25519[32] = {0};
-    X25519_keypair(public_x25519, private_x25519_);
-    if (!SIKE_keypair(private_sike_, public_sike_)) {
-      return false;
-    }
-
-    return CBB_add_bytes(out, public_x25519, sizeof(public_x25519)) &&
-           CBB_add_bytes(out, public_sike_, sizeof(public_sike_));
-  }
-
-  bool Accept(CBB *out_public_key, Array<uint8_t> *out_secret,
-              uint8_t *out_alert, Span<const uint8_t> peer_key) override {
-    uint8_t public_x25519[32];
-    uint8_t private_x25519[32];
-    uint8_t sike_ciphertext[SIKE_CT_BYTESZ] = {0};
-
-    *out_alert = SSL_AD_INTERNAL_ERROR;
-
-    if (peer_key.size() != sizeof(public_x25519) + SIKE_PUB_BYTESZ) {
-      *out_alert = SSL_AD_DECODE_ERROR;
-      OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
-      return false;
-    }
-
-    Array<uint8_t> secret;
-    if (!secret.Init(sizeof(private_x25519_) + SIKE_SS_BYTESZ)) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-      return false;
-    }
-
-    X25519_keypair(public_x25519, private_x25519);
-    if (!X25519(secret.data(), private_x25519, peer_key.data())) {
-      *out_alert = SSL_AD_DECODE_ERROR;
-      OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
-      return false;
-    }
-
-    SIKE_encaps(secret.data() + sizeof(private_x25519_), sike_ciphertext,
-                peer_key.data() + sizeof(public_x25519));
-    *out_secret = std::move(secret);
-
-    return CBB_add_bytes(out_public_key, public_x25519,
-                         sizeof(public_x25519)) &&
-           CBB_add_bytes(out_public_key, sike_ciphertext,
-                         sizeof(sike_ciphertext));
-  }
-
-  bool Finish(Array<uint8_t> *out_secret, uint8_t *out_alert,
-              Span<const uint8_t> peer_key) override {
-    *out_alert = SSL_AD_INTERNAL_ERROR;
-
-    Array<uint8_t> secret;
-    if (!secret.Init(sizeof(private_x25519_) + SIKE_SS_BYTESZ)) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
-      return false;
-    }
-
-    if (peer_key.size() != 32 + SIKE_CT_BYTESZ ||
-        !X25519(secret.data(), private_x25519_, peer_key.data())) {
-      *out_alert = SSL_AD_DECODE_ERROR;
-      OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
-      return false;
-    }
-
-    SIKE_decaps(secret.data() + sizeof(private_x25519_), peer_key.data() + 32,
-                public_sike_, private_sike_);
-    *out_secret = std::move(secret);
-    return true;
-  }
-
- private:
-  uint8_t private_x25519_[32];
-  uint8_t private_sike_[SIKE_PRV_BYTESZ];
-  uint8_t public_sike_[SIKE_PUB_BYTESZ];
-};
-
 CONSTEXPR_ARRAY NamedGroup kNamedGroups[] = {
     {NID_secp224r1, SSL_CURVE_SECP224R1, "P-224", "secp224r1"},
     {NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256", "prime256v1"},
     {NID_secp384r1, SSL_CURVE_SECP384R1, "P-384", "secp384r1"},
     {NID_secp521r1, SSL_CURVE_SECP521R1, "P-521", "secp521r1"},
     {NID_X25519, SSL_CURVE_X25519, "X25519", "x25519"},
     {NID_CECPQ2, SSL_CURVE_CECPQ2, "CECPQ2", "CECPQ2"},
-    {NID_CECPQ2b, SSL_CURVE_CECPQ2b, "CECPQ2b", "CECPQ2b"},
 };
 
 }  // namespace
@@ -415,8 +332,6 @@ UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
       return UniquePtr<SSLKeyShare>(New<X25519KeyShare>());
     case SSL_CURVE_CECPQ2:
       return UniquePtr<SSLKeyShare>(New<CECPQ2KeyShare>());
-    case SSL_CURVE_CECPQ2b:
-      return UniquePtr<SSLKeyShare>(New<CECPQ2bKeyShare>());
     default:
       return nullptr;
   }

diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
@@ -200,7 +200,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
 }
 
 static bool is_post_quantum_group(uint16_t id) {
-  return id == SSL_CURVE_CECPQ2 || id == SSL_CURVE_CECPQ2b;
+  return id == SSL_CURVE_CECPQ2;
 }
 
 bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,

diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
@@ -151,7 +151,6 @@ const (
 	CurveP521    CurveID = 25
 	CurveX25519  CurveID = 29
 	CurveCECPQ2  CurveID = 16696
-	CurveCECPQ2b CurveID = 65074
 )
 
 // TLS Elliptic Curve Point Formats
@@ -1732,7 +1731,7 @@ func (c *Config) maxVersion(isDTLS bool) uint16 {
 	return ret
 }
 
-var defaultCurvePreferences = []CurveID{CurveCECPQ2b, CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521}
+var defaultCurvePreferences = []CurveID{CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521}
 
 func (c *Config) curvePreferences() []CurveID {
 	if c == nil || len(c.CurvePreferences) == 0 {

diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
@@ -210,7 +210,7 @@ func (hs *serverHandshakeState) readClientHello() error {
 	if config.Bugs.FailIfCECPQ2Offered {
 		for _, offeredCurve := range hs.clientHello.supportedCurves {
 			if isPqGroup(offeredCurve) {
-				return errors.New("tls: CECPQ2 or CECPQ2b was offered")
+				return errors.New("tls: CECPQ2 was offered")
 			}
 		}
 	}
@@ -1227,7 +1227,7 @@ func (hs *serverHandshakeState) processClientHello() (isResume bool, err error)
 Curves:
 	for _, curve := range hs.clientHello.supportedCurves {
 		if isPqGroup(curve) && c.vers < VersionTLS13 {
-			// CECPQ2 and CECPQ2b is TLS 1.3-only.
+			// CECPQ2 is TLS 1.3-only.
 			continue
 		}