Remove supports_cipher hook.

RC4 is gone. The only remaining exception was the dumb SSL_eNULL cipher, which works fine in DTLS. It doesn't seem worth the trouble to retain this special-case. Change-Id: I31023b71192808e4d21e82109255dc4d6d381df8 Reviewed-on: https://boringssl-review.googlesource.com/22467 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 年前 · 5be3a74c49
--- a/ssl/dtls_method.cc
+++ b/ssl/dtls_method.cc
@@ -68,10 +68,6 @@

 using namespace bssl;

 static bool dtls1_supports_cipher(const SSL_CIPHER *cipher) {
  return cipher->algorithm_enc != SSL_eNULL;
 }

 static void dtls1_on_handshake_complete(SSL *ssl) {
  // Stop the reply timer left by the last flight we sent.
  dtls1_stop_timer(ssl);
@@ -121,7 +117,6 @@ static const SSL_PROTOCOL_METHOD kDTLSProtocolMethod = {
    dtls1_open_app_data,
    dtls1_write_app_data,
    dtls1_dispatch_alert,
    dtls1_supports_cipher,
    dtls1_init_message,
    dtls1_finish_message,
    dtls1_add_message,
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -490,14 +490,12 @@ bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
 const EVP_MD *ssl_get_handshake_digest(uint16_t version,
                                       const SSL_CIPHER *cipher);

 // ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
 // |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
 // |ssl_cipher_preference_list_st| containing the result. It returns true on
 // success and false on failure. If |strict| is true, nonsense will be
 // rejected. If false, nonsense will be silently ignored. An empty result is
 // considered an error regardless of |strict|.
 // ssl_create_cipher_list evaluates |rule_str|. It sets |*out_cipher_list| to a
 // newly-allocated |ssl_cipher_preference_list_st| containing the result. It
 // returns true on success and false on failure. If |strict| is true, nonsense
 // will be rejected. If false, nonsense will be silently ignored. An empty
 // result is considered an error regardless of |strict|.
 bool ssl_create_cipher_list(
    const SSL_PROTOCOL_METHOD *ssl_method,
    struct ssl_cipher_preference_list_st **out_cipher_list,
    const char *rule_str, bool strict);

@@ -1771,8 +1769,6 @@ struct SSL_PROTOCOL_METHOD {
  int (*write_app_data)(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf,
                        int len);
  int (*dispatch_alert)(SSL *ssl);
  // supports_cipher returns whether |cipher| is supported by this protocol.
  bool (*supports_cipher)(const SSL_CIPHER *cipher);
  // init_message begins a new handshake message of type |type|. |cbb| is the
  // root CBB to be passed into |finish_message|. |*body| is set to a child CBB
  // the caller should write to. It returns true on success and false on error.
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -811,19 +811,14 @@ static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
  *head = curr;
 }

 static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
                                       CIPHER_ORDER *co_list,
 static void ssl_cipher_collect_ciphers(CIPHER_ORDER *co_list,
                                       CIPHER_ORDER **head_p,
                                       CIPHER_ORDER **tail_p) {
  // The set of ciphers is static, but some subset may be unsupported by
  // |ssl_method|, so the list may be smaller.
  size_t co_list_num = 0;
  for (size_t i = 0; i < kCiphersLen; i++) {
    const SSL_CIPHER *cipher = &kCiphers[i];
    if (ssl_method->supports_cipher(cipher) &&
        // TLS 1.3 ciphers do not participate in this mechanism.
        cipher->algorithm_mkey != SSL_kGENERIC) {
      co_list[co_list_num].cipher = cipher;
  for (const SSL_CIPHER &cipher : kCiphers) {
    // TLS 1.3 ciphers do not participate in this mechanism.
    if (cipher.algorithm_mkey != SSL_kGENERIC) {
      co_list[co_list_num].cipher = &cipher;
      co_list[co_list_num].next = NULL;
      co_list[co_list_num].prev = NULL;
      co_list[co_list_num].active = false;
@@ -1023,8 +1018,7 @@ static bool ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
  return true;
 }

 static bool ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
                                       const char *rule_str,
 static bool ssl_cipher_process_rulestr(const char *rule_str,
                                       CIPHER_ORDER **head_p,
                                       CIPHER_ORDER **tail_p, bool strict) {
  uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
@@ -1206,7 +1200,6 @@ static bool ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
 }

 bool ssl_create_cipher_list(
    const SSL_PROTOCOL_METHOD *ssl_method,
    struct ssl_cipher_preference_list_st **out_cipher_list,
    const char *rule_str, bool strict) {
  STACK_OF(SSL_CIPHER) *cipherstack = NULL;
@@ -1229,7 +1222,7 @@ bool ssl_create_cipher_list(
    return false;
  }

  ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
  ssl_cipher_collect_ciphers(co_list, &head, &tail);

  // Now arrange all ciphers by preference:
  // TODO(davidben): Compute this order once and copy it.
@@ -1288,8 +1281,8 @@ bool ssl_create_cipher_list(
  // using the (possibly available) additional rules.
  const char *rule_p = rule_str;
  if (strncmp(rule_str, "DEFAULT", 7) == 0) {
    if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
                                    &tail, strict)) {
    if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
                                    strict)) {
      goto err;
    }
    rule_p += 7;
@@ -1299,7 +1292,7 @@ bool ssl_create_cipher_list(
  }

  if (*rule_p != '\0' &&
      !ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail, strict)) {
      !ssl_cipher_process_rulestr(rule_p, &head, &tail, strict)) {
    goto err;
  }

--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -1827,23 +1827,19 @@ const char *SSL_get_cipher_list(const SSL *ssl, int n) {
 }

 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
  return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
                                false /* not strict */);
  return ssl_create_cipher_list(&ctx->cipher_list, str, false /* not strict */);
 }

 int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
  return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
                                true /* strict */);
  return ssl_create_cipher_list(&ctx->cipher_list, str, true /* strict */);
 }

 int SSL_set_cipher_list(SSL *ssl, const char *str) {
  return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
                                false /* not strict */);
  return ssl_create_cipher_list(&ssl->cipher_list, str, false /* not strict */);
 }

 int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
  return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
                                true /* strict */);
  return ssl_create_cipher_list(&ssl->cipher_list, str, true /* strict */);
 }

 const char *SSL_get_servername(const SSL *ssl, const int type) {
--- a/ssl/test/runner/cipher_suites.go
+++ b/ssl/test/runner/cipher_suites.go
@@ -136,7 +136,7 @@ var cipherSuites = []*cipherSuite{
 	{TLS_PSK_WITH_RC4_128_SHA, 16, 20, noIV, pskKA, suiteNoDTLS | suitePSK, cipherRC4, macSHA1, nil},
 	{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
 	{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
 	{TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, suiteNoDTLS, cipherNull, macSHA1, nil},
 	{TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, 0, cipherNull, macSHA1, nil},
 }

 func noIV(vers uint16) int {
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1394,10 +1394,6 @@ func isTLS13Suite(suiteName string) bool {
 	return strings.HasPrefix(suiteName, "AEAD-")
 }

 func isDTLSCipher(suiteName string) bool {
 	return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
 }

 func bigFromHex(hex string) *big.Int {
 	ret, ok := new(big.Int).SetString(hex, 16)
 	if !ok {
@@ -2948,10 +2944,6 @@ func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol proto
 		shouldClientFail = true
 		shouldServerFail = true
 	}
 	if !isDTLSCipher(suite.name) && protocol == dtls {
 		shouldClientFail = true
 		shouldServerFail = true
 	}

 	var sendCipherSuite uint16
 	var expectedServerError, expectedClientError string
--- a/ssl/tls_method.cc
+++ b/ssl/tls_method.cc
@@ -67,8 +67,6 @@

 namespace bssl {

 static bool ssl3_supports_cipher(const SSL_CIPHER *cipher) { return true; }

 static void ssl3_on_handshake_complete(SSL *ssl) {
  // The handshake should have released its final message.
  assert(!ssl->s3->has_message);
@@ -113,7 +111,6 @@ static const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {
    ssl3_open_app_data,
    ssl3_write_app_data,
    ssl3_dispatch_alert,
    ssl3_supports_cipher,
    ssl3_init_message,
    ssl3_finish_message,
    ssl3_add_message,