Temporarily restore SHA256 and SHA384 cipher suite aliases.

https://boringssl-review.googlesource.com/27944 inadvertently caused SHA256 and SHA384 aliases to be rejected in SSL_CTX_set_strict_cipher_list. While this is the desired end state, in case the removal needs to be reverted, we should probably defer this to post-removal cleanup. Otherwise we might update someone's "ALL:!SHA256" cipher string to account for the removal, and then revert the removal underneath them. Change-Id: Id516a27a2ecefb5871485d0ae18067b5bbb536bb Reviewed-on: https://boringssl-review.googlesource.com/28004 Reviewed-by: Adam Langley <agl@google.com>
2018-05-03 11:35:10 -04:00 · 2018-05-03 11:35:10 -04:00 · 0ca921431a
commit 0ca921431a
parent b95d4b4cb3
1 changed files with 5 additions and 0 deletions
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@ -547,6 +547,11 @@ static const CIPHER_ALIAS kCipherAliases[] = {
    // Legacy strength classes.
    {"HIGH", ~0u, ~0u, ~0u, ~0u, 0},
    {"FIPS", ~0u, ~0u, ~0u, ~0u, 0},
+
+    // Temporary no-op aliases corresponding to removed SHA-2 legacy CBC
+    // ciphers. These should be removed after 2018-05-14.
+    {"SHA256", 0, 0, 0, 0, 0},
+    {"SHA384", 0, 0, 0, 0, 0},
 };

 static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);