Remove supports_cipher hook.

RC4 is gone. The only remaining exception was the dumb SSL_eNULL cipher,
which works fine in DTLS. It doesn't seem worth the trouble to retain
this special-case.

Change-Id: I31023b71192808e4d21e82109255dc4d6d381df8
Reviewed-on: https://boringssl-review.googlesource.com/22467
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
David Benjamin 2017-10-28 16:08:58 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent dca1afb326
commit 5be3a74c49
7 changed files with 20 additions and 51 deletions


@ -68,10 +68,6 @@
using namespace bssl;
static bool dtls1_supports_cipher(const SSL_CIPHER *cipher) {
return cipher->algorithm_enc != SSL_eNULL;
}
static void dtls1_on_handshake_complete(SSL *ssl) {
// Stop the reply timer left by the last flight we sent.
dtls1_stop_timer(ssl);
@ -121,7 +117,6 @@ static const SSL_PROTOCOL_METHOD kDTLSProtocolMethod = {
dtls1_open_app_data,
dtls1_write_app_data,
dtls1_dispatch_alert,
dtls1_supports_cipher,
dtls1_init_message,
dtls1_finish_message,
dtls1_add_message,


@ -490,14 +490,12 @@ bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
const EVP_MD *ssl_get_handshake_digest(uint16_t version,
const SSL_CIPHER *cipher);
// ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
// |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
// |ssl_cipher_preference_list_st| containing the result. It returns true on
// success and false on failure. If |strict| is true, nonsense will be
// rejected. If false, nonsense will be silently ignored. An empty result is
// considered an error regardless of |strict|.
// ssl_create_cipher_list evaluates |rule_str|. It sets |*out_cipher_list| to a
// newly-allocated |ssl_cipher_preference_list_st| containing the result. It
// returns true on success and false on failure. If |strict| is true, nonsense
// will be rejected. If false, nonsense will be silently ignored. An empty
// result is considered an error regardless of |strict|.
bool ssl_create_cipher_list(
const SSL_PROTOCOL_METHOD *ssl_method,
struct ssl_cipher_preference_list_st **out_cipher_list,
const char *rule_str, bool strict);
@ -1771,8 +1769,6 @@ struct SSL_PROTOCOL_METHOD {
int (*write_app_data)(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf,
int len);
int (*dispatch_alert)(SSL *ssl);
// supports_cipher returns whether |cipher| is supported by this protocol.
bool (*supports_cipher)(const SSL_CIPHER *cipher);
// init_message begins a new handshake message of type |type|. |cbb| is the
// root CBB to be passed into |finish_message|. |*body| is set to a child CBB
// the caller should write to. It returns true on success and false on error.
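Review bot: The rewritten `ssl_create_cipher_list` comment (the block beginning `// ssl_create_cipher_list evaluates |rule_str|.`) drops the reference to |ssl_method| but does not say what that means for callers: the list is now the same for every protocol method, so the DTLS method no longer filters out SSL_eNULL as the removed `dtls1_supports_cipher` did. I would add one sentence after `// result is considered an error regardless of |strict|.`: `// The result does not depend on the protocol method; every cipher in |kCiphers| other than TLS 1.3 ciphers is eligible, for DTLS as well as TLS.` That makes the behaviour change visible to anyone building a DTLS configuration with an explicit eNULL rule. The `SSL_PROTOCOL_METHOD` struct edited in the later hunk starts and ends outside the hunk.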


@ -811,19 +811,14 @@ static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
*head = curr;
}
static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
CIPHER_ORDER *co_list,
static void ssl_cipher_collect_ciphers(CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p) {
// The set of ciphers is static, but some subset may be unsupported by
// |ssl_method|, so the list may be smaller.
size_t co_list_num = 0;
for (size_t i = 0; i < kCiphersLen; i++) {
const SSL_CIPHER *cipher = &kCiphers[i];
if (ssl_method->supports_cipher(cipher) &&
for (const SSL_CIPHER &cipher : kCiphers) {
// TLS 1.3 ciphers do not participate in this mechanism.
cipher->algorithm_mkey != SSL_kGENERIC) {
co_list[co_list_num].cipher = cipher;
if (cipher.algorithm_mkey != SSL_kGENERIC) {
co_list[co_list_num].cipher = &cipher;
co_list[co_list_num].next = NULL;
co_list[co_list_num].prev = NULL;
co_list[co_list_num].active = false;
@ -1023,8 +1018,7 @@ static bool ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
return true;
}
static bool ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
const char *rule_str,
static bool ssl_cipher_process_rulestr(const char *rule_str,
CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p, bool strict) {
uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
@ -1206,7 +1200,6 @@ static bool ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
}
bool ssl_create_cipher_list(
const SSL_PROTOCOL_METHOD *ssl_method,
struct ssl_cipher_preference_list_st **out_cipher_list,
const char *rule_str, bool strict) {
STACK_OF(SSL_CIPHER) *cipherstack = NULL;
@ -1229,7 +1222,7 @@ bool ssl_create_cipher_list(
return false;
}
ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
ssl_cipher_collect_ciphers(co_list, &head, &tail);
// Now arrange all ciphers by preference:
// TODO(davidben): Compute this order once and copy it.
@ -1288,8 +1281,8 @@ bool ssl_create_cipher_list(
// using the (possibly available) additional rules.
const char *rule_p = rule_str;
if (strncmp(rule_str, "DEFAULT", 7) == 0) {
if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
&tail, strict)) {
if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
strict)) {
goto err;
}
rule_p += 7;
@ -1299,7 +1292,7 @@ bool ssl_create_cipher_list(
}
if (*rule_p != '\0' &&
!ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail, strict)) {
!ssl_cipher_process_rulestr(rule_p, &head, &tail, strict)) {
goto err;
}


@ -1827,23 +1827,19 @@ const char *SSL_get_cipher_list(const SSL *ssl, int n) {
}
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
false /* not strict */);
return ssl_create_cipher_list(&ctx->cipher_list, str, false /* not strict */);
}
int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
true /* strict */);
return ssl_create_cipher_list(&ctx->cipher_list, str, true /* strict */);
}
int SSL_set_cipher_list(SSL *ssl, const char *str) {
return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
false /* not strict */);
return ssl_create_cipher_list(&ssl->cipher_list, str, false /* not strict */);
}
int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
true /* strict */);
return ssl_create_cipher_list(&ssl->cipher_list, str, true /* strict */);
}
const char *SSL_get_servername(const SSL *ssl, const int type) {


@ -136,7 +136,7 @@ var cipherSuites = []*cipherSuite{
{TLS_PSK_WITH_RC4_128_SHA, 16, 20, noIV, pskKA, suiteNoDTLS | suitePSK, cipherRC4, macSHA1, nil},
{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
{TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, suiteNoDTLS, cipherNull, macSHA1, nil},
{TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, 0, cipherNull, macSHA1, nil},
}
func noIV(vers uint16) int {


@ -1394,10 +1394,6 @@ func isTLS13Suite(suiteName string) bool {
return strings.HasPrefix(suiteName, "AEAD-")
}
func isDTLSCipher(suiteName string) bool {
return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
}
func bigFromHex(hex string) *big.Int {
ret, ok := new(big.Int).SetString(hex, 16)
if !ok {
@ -2948,10 +2944,6 @@ func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol proto
shouldClientFail = true
shouldServerFail = true
}
if !isDTLSCipher(suite.name) && protocol == dtls {
shouldClientFail = true
shouldServerFail = true
}
var sendCipherSuite uint16
var expectedServerError, expectedClientError string


@ -67,8 +67,6 @@
namespace bssl {
static bool ssl3_supports_cipher(const SSL_CIPHER *cipher) { return true; }
static void ssl3_on_handshake_complete(SSL *ssl) {
// The handshake should have released its final message.
assert(!ssl->s3->has_message);
@ -113,7 +111,6 @@ static const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {
ssl3_open_app_data,
ssl3_write_app_data,
ssl3_dispatch_alert,
ssl3_supports_cipher,
ssl3_init_message,
ssl3_finish_message,
ssl3_add_message,