Temporarily restore SHA256 and SHA384 cipher suite aliases.

https://boringssl-review.googlesource.com/27944 inadvertently caused
SHA256 and SHA384 aliases to be rejected in
SSL_CTX_set_strict_cipher_list. While this is the desired end state, in
case the removal needs to be reverted, we should probably defer this to
post-removal cleanup.

Otherwise we might update someone's "ALL:!SHA256" cipher string to
account for the removal, and then revert the removal underneath them.

Change-Id: Id516a27a2ecefb5871485d0ae18067b5bbb536bb
Reviewed-on: https://boringssl-review.googlesource.com/28004
Reviewed-by: Adam Langley <agl@google.com>
David Benjamin 2018-05-03 11:35:10 -04:00 committed by Adam Langley
parent b95d4b4cb3
commit 0ca921431a


@ -547,6 +547,11 @@ static const CIPHER_ALIAS kCipherAliases[] = {
// Legacy strength classes. // Legacy strength classes.
{"HIGH", ~0u, ~0u, ~0u, ~0u, 0}, {"HIGH", ~0u, ~0u, ~0u, ~0u, 0},
{"FIPS", ~0u, ~0u, ~0u, ~0u, 0}, {"FIPS", ~0u, ~0u, ~0u, ~0u, 0},
// Temporary no-op aliases corresponding to removed SHA-2 legacy CBC
// ciphers. These should be removed after 2018-05-14.
{"SHA256", 0, 0, 0, 0, 0},
{"SHA384", 0, 0, 0, 0, 0},
}; };
static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases); static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
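
Review bot: The removal deadline in the comment above `{"SHA256", 0, 0, 0, 0, 0},` is free text with nothing to track it; consider making it a TODO with an owner or bug reference so these temporary aliases are actually deleted after 2018-05-14. The comment could also say that the all-zero masks are what make the entries no-ops, in contrast to the ~0u masks on the HIGH and FIPS entries just above, since that is not obvious from the table alone. No test appears in the visible change; a case asserting that SSL_CTX_set_strict_cipher_list accepts a string such as "ALL:!SHA256" would keep the aliases from being dropped by accident again before the cleanup.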