Remove anonymous cipher suites.

These are the remaining untested cipher suites. Rather than add support in
runner.go, just remove them altogether. Grepping for this is a little tricky,
but nothing enables aNULL (all occurrences disable it), and all occurrences of
["ALL:] seem to be either unused or explicitly disable anonymous ciphers.

Change-Id: I4fd4b8dc6a273d6c04a26e93839641ddf738343f
Reviewed-on: https://boringssl-review.googlesource.com/4258
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 831b511..6ad8e83 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -175,8 +175,6 @@
 #define SSL_TXT_HIGH "HIGH"
 #define SSL_TXT_FIPS "FIPS"
 
-#define SSL_TXT_aNULL "aNULL"
-
 #define SSL_TXT_kRSA "kRSA"
 #define SSL_TXT_kDHE "kDHE"
 #define SSL_TXT_kEDH "kEDH" /* same as "kDHE" */
@@ -189,14 +187,12 @@
 #define SSL_TXT_aPSK "aPSK"
 
 #define SSL_TXT_DH "DH"
-#define SSL_TXT_DHE "DHE" /* same as "kDHE:-ADH" */
+#define SSL_TXT_DHE "DHE" /* same as "kDHE" */
 #define SSL_TXT_EDH "EDH" /* same as "DHE" */
-#define SSL_TXT_ADH "ADH"
 #define SSL_TXT_RSA "RSA"
 #define SSL_TXT_ECDH "ECDH"
-#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE:-AECDH" */
+#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE" */
 #define SSL_TXT_EECDH "EECDH" /* same as "ECDHE" */
-#define SSL_TXT_AECDH "AECDH"
 #define SSL_TXT_ECDSA "ECDSA"
 #define SSL_TXT_PSK "PSK"
 
@@ -238,7 +234,7 @@
 
 /* The following cipher list is used by default. It also is substituted when an
  * application-defined cipher list string starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST "ALL"
 
 /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
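Review bot: The new default `"ALL"` silently drops `!eNULL` and `!SSLv2` together with `!aNULL`, but the commit message only audits anonymous suites, and the `SSL_TXT_ALL` alias in ssl_ciph.c carries an all-zero mask, so any NULL-encryption or SSLv2 suite still present in the cipher table would now be enabled by default. Presumably those suites were removed earlier, but nothing in this change shows it, so that should be confirmed before landing. If it holds, the comment above the define should record the invariant future additions must keep, e.g. `/* DEFAULT is simply ALL: the cipher table carries no anonymous or NULL-encryption suites, so there is nothing to exclude. */`.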
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 01f5cbf..0f217aa 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -320,13 +320,6 @@
              * don't request cert during re-negotiation: */
             ((s->session->peer != NULL) &&
              (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
-            /* never request cert in anonymous ciphersuites
-             * (see section "Certificate request" in SSL 3 drafts
-             * and in RFC 2246): */
-            ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-             /* ... except when the application insists on verification
-              * (against the specs, but s3_clnt.c accepts this for SSL 3) */
-             !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
             /* With normal PSK Certificates and
              * Certificate Requests are omitted */
             (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index a6e76c9..7826bf49 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1411,15 +1411,6 @@
     goto err;
   }
 
-  /* TLS does not like anon-DH with client cert */
-  if (s->version > SSL3_VERSION &&
-      (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
-    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-    OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request,
-                      SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
-    goto err;
-  }
-
   CBS_init(&cbs, s->init_msg, n);
 
   ca_sk = sk_X509_NAME_new(ca_dn_cmp);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index fe0e760..f67267f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -185,16 +185,6 @@
     },
 
 
-    /* The Ephemeral DH ciphers */
-
-    /* Cipher 18 */
-    {
-     1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kDHE, SSL_aNULL,
-     SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
-    },
-
-
     /* New AES ciphersuites */
 
     /* Cipher 2F */
@@ -211,13 +201,6 @@
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
-    /* Cipher 34 */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kDHE,
-     SSL_aNULL, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
-    },
-
     /* Cipher 35 */
     {
      1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA,
@@ -232,13 +215,6 @@
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
     },
 
-    /* Cipher 3A */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kDHE,
-     SSL_aNULL, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
-    },
-
 
     /* TLS v1.2 ciphersuites */
 
@@ -272,20 +248,6 @@
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256,
     },
 
-    /* Cipher 6C */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_128_SHA256, TLS1_CK_ADH_WITH_AES_128_SHA256,
-     SSL_kDHE, SSL_aNULL, SSL_AES128, SSL_SHA256, SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
-    },
-
-    /* Cipher 6D */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_256_SHA256, TLS1_CK_ADH_WITH_AES_256_SHA256,
-     SSL_kDHE, SSL_aNULL, SSL_AES256, SSL_SHA256, SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256,
-    },
-
     /* Cipher 8A */
     {
      1, TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK,
@@ -350,26 +312,6 @@
      256, 256,
     },
 
-    /* Cipher A6 */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
-     TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aNULL, SSL_AES128GCM,
-     SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
-         SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
-     128, 128,
-    },
-
-    /* Cipher A7 */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
-     TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aNULL, SSL_AES256GCM,
-     SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
-         SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
-     256, 256,
-    },
-
     /* Cipher C007 */
     {
      1, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
@@ -417,29 +359,6 @@
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
     },
 
-    /* Cipher C016 */
-    {
-     1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
-     SSL_kECDHE, SSL_aNULL, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
-    },
-
-    /* Cipher C018 */
-    {
-     1, TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
-     TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aNULL, SSL_AES128,
-     SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
-    },
-
-    /* Cipher C019 */
-    {
-     1, TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
-     TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aNULL, SSL_AES256,
-     SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
-    },
-
 
     /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
 
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 25482a2..eb458f2 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -414,13 +414,6 @@
              * don't request cert during re-negotiation: */
             ((s->session->peer != NULL) &&
              (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
-            /* never request cert in anonymous ciphersuites
-             * (see section "Certificate request" in SSL 3 drafts
-             * and in RFC 2246): */
-            ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-             /* ... except when the application insists on verification
-              * (against the specs, but s3_clnt.c accepts this for SSL 3) */
-             !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
             /* With normal PSK Certificates and
              * Certificate Requests are omitted */
             (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5ab43e7..1253f8f 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -180,10 +180,7 @@
     {
      {0, SSL_TXT_ALL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
 
-     /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
-        ALL!) */
-     {0, SSL_TXT_CMPDEF, 0, SSL_kDHE | SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0,
-      0},
+     /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
 
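Review bot: The replacement comment says COMPLEMENTOFDEFAULT "matches nothing", but with the table entry deleted the string is no longer an alias at all and is presumably handled like any other unrecognized word (the new test groups it with "BOGUS"), which is a different thing from an empty match; the comment should state which is intended. This change also leaves `SSL_TXT_CMPDEF` in ssl.h untouched (none of the ssl.h hunks here remove it), so if it stays exported callers can still name a rule that has no effect. Suggested wording: `/* COMPLEMENTOFDEFAULT is intentionally not an alias: DEFAULT is now ALL, so its complement would be empty, and the string falls through as an unrecognized rule. */`. The alias table begins outside this hunk.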
      /* key exchange aliases
       * (some of those using only a single bit here combine
@@ -203,19 +200,16 @@
 
      /* server authentication aliases */
      {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
      {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
      {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
      {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
 
      /* aliases combining key exchange and server authentication */
-     {0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
+     {0, SSL_TXT_DHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0},
+     {0, SSL_TXT_EDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0},
+     {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0},
+     {0, SSL_TXT_EECDH, 0, SSL_kECDHE, 0, 0, 0, 0, 0, 0, 0, 0},
      {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
      {0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
 
      /* symmetric encryption aliases */
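Review bot: With their auth mask changed from `~SSL_aNULL` to 0, the DHE/EDH/ECDHE/EECDH rows no longer constrain server authentication at all and are now exact duplicates of the kDHE/kECDHE rows above, so the heading "aliases combining key exchange and server authentication" no longer describes them. A one-line comment on those rows would stop a reader from hunting for the missing auth bits, e.g. `/* DHE and ECDHE are now plain synonyms for kDHE and kECDHE; the anonymous exclusion they used to carry is gone. */`. The table starts and ends outside this hunk.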
@@ -1006,13 +1000,6 @@
   ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), 0, 0, 0, 0, 0, CIPHER_ORD,
                         -1, 0, &head, &tail);
 
-  /* Move anonymous ciphers to the end.  Usually, these will remain disabled.
-   * (For applications that allow them, they aren't too bad, but we prefer
-   * authenticated ciphers.)
-   * TODO(davidben): Remove them altogether? */
-  ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
-                        &tail);
-
   /* Now disable everything (maintaining the ordering!) */
   ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
 
@@ -1186,10 +1173,6 @@
       au = "RSA";
       break;
 
-    case SSL_aNULL:
-      au = "None";
-      break;
-
     case SSL_aECDSA:
       au = "ECDSA";
       break;
@@ -1332,8 +1315,6 @@
       switch (cipher->algorithm_auth) {
         case SSL_aRSA:
           return "DHE_RSA";
-        case SSL_aNULL:
-          return "DH_anon";
         default:
           assert(0);
           return "UNKNOWN";
@@ -1347,8 +1328,6 @@
           return "ECDHE_RSA";
         case SSL_aPSK:
           return "ECDHE_PSK";
-        case SSL_aNULL:
-          return "ECDH_anon";
         default:
           assert(0);
           return "UNKNOWN";
@@ -1479,12 +1458,8 @@
  * public key in the key exchange, sent in a server Certificate message.
  * Otherwise it returns 0. */
 int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) {
-  /* Anonymous ciphers do not include a server certificate. */
-  if (cipher->algorithm_auth & SSL_aNULL) {
-    return 0;
-  }
-
-  /* Neither do PSK ciphers, except for RSA_PSK. */
+  /* PSK-authenticated ciphers do not use a public key, except for
+   * RSA_PSK. */
   if ((cipher->algorithm_auth & SSL_aPSK) &&
       !(cipher->algorithm_mkey & SSL_kRSA)) {
     return 0;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a9d1528..1578dba 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2030,8 +2030,6 @@
     mask_a |= SSL_aRSA;
   }
 
-  mask_a |= SSL_aNULL;
-
   /* An ECC certificate may be usable for ECDSA cipher suites depending on the
    * key usage extension and on the client's curve preferences. */
   if (have_ecc_cert) {
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 6278deb..16fe2c6 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -293,9 +293,8 @@
 
 /* Bits for algorithm_auth (server authentication) */
 #define SSL_aRSA 0x00000001L   /* RSA auth */
-#define SSL_aNULL 0x00000002L  /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aECDSA 0x00000004L /* ECDSA auth*/
-#define SSL_aPSK 0x00000008L   /* PSK auth */
+#define SSL_aECDSA 0x00000002L /* ECDSA auth*/
+#define SSL_aPSK 0x00000004L   /* PSK auth */
 
 /* Bits for algorithm_enc (symmetric encryption) */
 #define SSL_3DES 0x00000001L
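Review bot: Renumbering `SSL_aECDSA` and `SSL_aPSK` to close the gap left by `SSL_aNULL` is only safe if these `algorithm_auth` bits never leave the process; they are declared in ssl_locl.h, so that is presumably the case, but it is worth confirming nothing serializes, logs or compares them against a fixed numeric value elsewhere. Since the line is being rewritten anyway, the cramped comment on it could be aligned with its neighbours: `#define SSL_aECDSA 0x00000002L /* ECDSA auth */`.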
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 22018bb..aba758e 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -185,6 +185,8 @@
   // Empty cipher lists error at SSL_CTX_set_cipher_list.
   "",
   "BOGUS",
+  // COMPLEMENTOFDEFAULT is empty.
+  "COMPLEMENTOFDEFAULT",
   // Invalid command.
   "?BAR",
   // Special operators are not allowed if groups are used.
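Review bot: The negative list gains only "COMPLEMENTOFDEFAULT", yet this change also removes the `aNULL`, `ADH` and `AECDH` aliases and nothing here checks that those strings are now rejected; adding `"aNULL", "ADH", "AECDH",` beside the new entry would pin that. The change to `SSL_DEFAULT_CIPHER_LIST` is likewise untested in this hunk: a positive case asserting that "DEFAULT" and "ALL" yield the same cipher ordering would document the new equivalence. The surrounding test array begins and ends outside this hunk.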
@@ -428,12 +430,9 @@
   { SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
   { SSL3_CK_RSA_RC4_128_MD5, "TLS_RSA_WITH_RC4_MD5" },
   { TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA" },
-  { TLS1_CK_ADH_WITH_AES_128_SHA, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
   { TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
   { TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
     "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
-  { TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
-    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
   { TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
   { TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,