From 0ca921431ae778eaed28c18fec09c09b31f03290 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Thu, 3 May 2018 11:35:10 -0400
Subject: [PATCH] Temporarily restore SHA256 and SHA384 cipher suite aliases.
https://boringssl-review.googlesource.com/27944 inadvertently caused SHA256 and SHA384 aliases to be rejected in SSL_CTX_set_strict_cipher_list. While this is the desired end state, in case the removal needs to be reverted, we should probably defer this to post-removal cleanup. Otherwise we might update someone's "ALL:!SHA256" cipher string to account for the removal, and then revert the removal underneath them.
Change-Id: Id516a27a2ecefb5871485d0ae18067b5bbb536bb
Reviewed-on: https://boringssl-review.googlesource.com/28004
Reviewed-by: Adam Langley
---
 ssl/ssl_cipher.cc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index c42a420f..8536f893 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -547,6 +547,11 @@ static const CIPHER_ALIAS kCipherAliases[] = {
 // Legacy strength classes.
 {"HIGH", ~0u, ~0u, ~0u, ~0u, 0},
 {"FIPS", ~0u, ~0u, ~0u, ~0u, 0},
+
+ // Temporary no-op aliases corresponding to removed SHA-2 legacy CBC
+ // ciphers. These should be removed after 2018-05-14.
+ {"SHA256", 0, 0, 0, 0, 0},
+ {"SHA384", 0, 0, 0, 0, 0},
 };
 static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
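Review bot: The two all-zero entries added at the end of `kCipherAliases` come with no test, so nothing pins that `SHA256` and `SHA384` are accepted again by `SSL_CTX_set_strict_cipher_list`, which is the regression the description says was introduced inadvertently. A case in the cipher-rule tests that feeds the description's `ALL:!SHA256` string through the strict setter would catch a repeat and would make the planned removal show up as a deliberate test change. Assuming zero masks select no cipher, the comment should also say that a rule naming these aliases is now accepted but has no effect, for example `// These match no ciphers; they exist only so existing cipher strings still parse.`, since an operator relying on `!SHA256` as a hardening rule gets neither an error nor an exclusion. The removal date has no owner or bug reference, so a `// TODO(<owner or bug id>): remove after 2018-05-14.` marker would make the cleanup harder to miss. The array definition begins above the hunk, so how the masks are matched is not visible here.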