Move the SSL_eNULL special-case into the matching function.
This avoids needing to keep track of which rules do and don't need it.
Change-Id: Id086b0622305f7f4acd3892f5d24d8e0c970febb
Reviewed-on: https://boringssl-review.googlesource.com/22468
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index 35820b4..87dc7cd 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -578,7 +578,7 @@
static const CIPHER_ALIAS kCipherAliases[] = {
// "ALL" doesn't include eNULL. It must be explicitly enabled.
- {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
+ {"ALL", ~0u, ~0u, ~0u, ~0u, 0},
// The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.
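Review bot: The comment above the "ALL" entry is now misleading, because the entry's encryption mask is `~0u` and nothing in the table excludes eNULL any more. A reader auditing the table alone could conclude that "ALL" enables the NULL cipher. I would reword it to point at where the exclusion is enforced, for example `// "ALL" doesn't include eNULL; the rule-matching code skips NULL ciphers unless they are named explicitly.` The same applies to the other entries in this file that lose `~SSL_eNULL` (aRSA, RSA, SHA1, SHA, SSLv3, TLSv1, TLSv1.2, HIGH, FIPS), though they carry no comment to fix.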
@@ -594,7 +594,7 @@
{"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
// server authentication aliases
- {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
+ {"aRSA", ~0u, SSL_aRSA, ~0u, ~0u, 0},
{"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
{"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
{"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
@@ -602,7 +602,7 @@
// aliases combining key exchange and server authentication
{"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
{"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
- {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
+ {"RSA", SSL_kRSA, SSL_aRSA, ~0u, ~0u, 0},
{"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
// symmetric encryption aliases
@@ -614,20 +614,20 @@
{"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
// MAC aliases
- {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
- {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
+ {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0},
+ {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0},
{"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
{"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
// Legacy protocol minimum version aliases. "TLSv1" is intentionally the
// same as "SSLv3".
- {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
- {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
- {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
+ {"SSLv3", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
+ {"TLSv1", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
+ {"TLSv1.2", ~0u, ~0u, ~0u, ~0u, TLS1_2_VERSION},
// Legacy strength classes.
- {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
- {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
+ {"HIGH", ~0u, ~0u, ~0u, ~0u, 0},
+ {"FIPS", ~0u, ~0u, ~0u, ~0u, 0},
};
static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
@@ -918,7 +918,9 @@
!(alg_auth & cp->algorithm_auth) ||
!(alg_enc & cp->algorithm_enc) ||
!(alg_mac & cp->algorithm_mac) ||
- (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
+ (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version) ||
+ // The NULL cipher must be selected explicitly.
+ cp->algorithm_enc == SSL_eNULL) {
continue;
}
}
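Review bot: The added `cp->algorithm_enc == SSL_eNULL` test skips NULL ciphers for every mask-based rule, not only the ten aliases that used to carry `~SSL_eNULL`. Aliases such as `kRSA`, `aECDSA` or `SHA256` had an all-ones encryption mask before and after this change, so they previously could match a NULL cipher and now cannot. If this loop also serves removal rules (the enclosing function starts outside the hunk, so that is an assumption), an exclusion written with one of those aliases would no longer strip a NULL cipher that an earlier rule added by name. A test pinning both directions would help: no alias enables a NULL cipher, and a cipher list that names one and then excludes by alias ends up as intended. The comment could state the scope, e.g. `// The NULL cipher must be selected explicitly; alias rules never match it, for adding or removing.`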