Remove remnants of export cipher suite selection. Splitting the strength mask between SSL_EXP_MASK and SSL_STRONG_MASK no longer does anything. Also remove the SSL_NOT_EXP bit and condense the strength bits. Change-Id: I9e61acdde008c3ce06bb37f78a72099fc53ed080 Reviewed-on: https://boringssl-review.googlesource.com/1757 Reviewed-by: Adam Langley <agl@google.com>

commit: 594a58e0781e06597eafc7599e9f88d5ceaeb566 [log] [tgz]
author: David Benjamin <davidben@chromium.org> Sun Sep 07 13:51:08 2014 -0400
committer: Adam Langley <agl@google.com> Mon Sep 15 21:06:24 2014 +0000
tree: 3be173843f7302e07b8be6377b9993ef9634d688
parent: d633d6303c59d7e0ea5e4014cbf546631f38ec22 [diff]
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 479b6de..5a1b48d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c

@@ -178,7 +178,7 @@
 	SSL_RC4,
 	SSL_MD5,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_MEDIUM,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF|SSL_CIPHER_ALGORITHM2_STATEFUL_AEAD,
 	128,
 	128,
@@ -194,7 +194,7 @@
 	SSL_RC4,
 	SSL_SHA1,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_MEDIUM,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -210,7 +210,7 @@
 	SSL_3DES,
 	SSL_SHA1,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	112,
 	168,
@@ -228,7 +228,7 @@
 	SSL_RC4,
 	SSL_MD5,
 	SSL_SSLV3,
-	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_MEDIUM,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -245,7 +245,7 @@
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -260,7 +260,7 @@
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -275,7 +275,7 @@
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -291,7 +291,7 @@
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -307,7 +307,7 @@
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -323,7 +323,7 @@
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -340,7 +340,7 @@
 	SSL_AES128,
 	SSL_SHA256,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -356,7 +356,7 @@
 	SSL_AES256,
 	SSL_SHA256,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -374,7 +374,7 @@
 	SSL_AES128,
 	SSL_SHA256,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -390,7 +390,7 @@
 	SSL_AES256,
 	SSL_SHA256,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -406,7 +406,7 @@
 	SSL_AES128,
 	SSL_SHA256,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -422,7 +422,7 @@
 	SSL_AES256,
 	SSL_SHA256,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -439,7 +439,7 @@
 	SSL_RC4,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_MEDIUM,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -455,7 +455,7 @@
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -471,7 +471,7 @@
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -489,7 +489,7 @@
 	SSL_AES128GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	128,
 	128,
@@ -505,7 +505,7 @@
 	SSL_AES256GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
 		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	256,
@@ -522,7 +522,7 @@
 	SSL_AES128GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	128,
 	128,
@@ -538,7 +538,7 @@
 	SSL_AES256GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
 		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	256,
@@ -555,7 +555,7 @@
 	SSL_AES128GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	128,
 	128,
@@ -571,7 +571,7 @@
 	SSL_AES256GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
 		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	256,
@@ -588,7 +588,7 @@
 	SSL_RC4,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_MEDIUM,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -604,7 +604,7 @@
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -620,7 +620,7 @@
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -636,7 +636,7 @@
 	SSL_RC4,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_MEDIUM,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -652,7 +652,7 @@
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -668,7 +668,7 @@
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -684,7 +684,7 @@
 	SSL_RC4,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_MEDIUM,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -700,7 +700,7 @@
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -716,7 +716,7 @@
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -735,7 +735,7 @@
 	SSL_AES128,
 	SSL_SHA256,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
 	128,
 	128,
@@ -751,7 +751,7 @@
 	SSL_AES256,
 	SSL_SHA384,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
 	256,
 	256,
@@ -767,7 +767,7 @@
 	SSL_AES128,
 	SSL_SHA256,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
 	128,
 	128,
@@ -783,7 +783,7 @@
 	SSL_AES256,
 	SSL_SHA384,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
 	256,
 	256,
@@ -801,7 +801,7 @@
 	SSL_AES128GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	128,
 	128,
@@ -817,7 +817,7 @@
 	SSL_AES256GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
 		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	256,
@@ -834,7 +834,7 @@
 	SSL_AES128GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	128,
 	128,
@@ -850,7 +850,7 @@
 	SSL_AES256GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+	SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
 		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	256,
@@ -868,7 +868,7 @@
 	SSL_AES128GCM,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_HIGH,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
 		SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
 	128,
@@ -885,7 +885,7 @@
 	SSL_CHACHA20POLY1305,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_HIGH,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
 	256,
 	0,
@@ -900,7 +900,7 @@
 	SSL_CHACHA20POLY1305,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_HIGH,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
 	256,
 	0,
@@ -915,7 +915,7 @@
 	SSL_CHACHA20POLY1305,
 	SSL_AEAD,
 	SSL_TLSV1_2,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_HIGH,
 	SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
 	256,
 	0,

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index cf6a781..d3e1749 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c

@@ -593,9 +593,7 @@
 				continue;
 			if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
 				continue;
-			if ((algo_strength & SSL_EXP_MASK) && !(algo_strength & SSL_EXP_MASK & cp->algo_strength))
-				continue;
-			if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
+			if (algo_strength && !(algo_strength & cp->algo_strength))
 				continue;
 			}
 
@@ -922,26 +920,15 @@
 					alg_mac = ca_list[j]->algorithm_mac;
 				}
 			
-			if (ca_list[j]->algo_strength & SSL_EXP_MASK)
+			if (ca_list[j]->algo_strength)
 				{
-				if (algo_strength & SSL_EXP_MASK)
+				if (algo_strength)
 					{
-					algo_strength &= (ca_list[j]->algo_strength & SSL_EXP_MASK) | ~SSL_EXP_MASK;
-					if (!(algo_strength & SSL_EXP_MASK)) { found = 0; break; }
+					algo_strength &= ca_list[j]->algo_strength;
+					if (!algo_strength) { found = 0; break; }
 					}
 				else
-					algo_strength |= ca_list[j]->algo_strength & SSL_EXP_MASK;
-				}
-
-			if (ca_list[j]->algo_strength & SSL_STRONG_MASK)
-				{
-				if (algo_strength & SSL_STRONG_MASK)
-					{
-					algo_strength &= (ca_list[j]->algo_strength & SSL_STRONG_MASK) | ~SSL_STRONG_MASK;
-					if (!(algo_strength & SSL_STRONG_MASK)) { found = 0; break; }
-					}
-				else
-					algo_strength |= ca_list[j]->algo_strength & SSL_STRONG_MASK;
+					algo_strength |= ca_list[j]->algo_strength;
 				}
 			
 			if (ca_list[j]->valid)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d833317..f9f3bed 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h

@@ -359,14 +359,9 @@
 /*
  * Cipher strength information.
  */
-#define SSL_EXP_MASK		0x00000003L
-#define SSL_STRONG_MASK		0x000001fcL
-
-#define SSL_NOT_EXP		0x00000001L
-
-#define SSL_MEDIUM		0x00000040L
-#define SSL_HIGH		0x00000080L
-#define SSL_FIPS		0x00000100L
+#define SSL_MEDIUM		0x00000001L
+#define SSL_HIGH		0x00000002L
+#define SSL_FIPS		0x00000004L
 
 /* we have used 000001ff - 23 bits left to go */
commit	594a58e0781e06597eafc7599e9f88d5ceaeb566	[log] [tgz]
author	David Benjamin <davidben@chromium.org>	Sun Sep 07 13:51:08 2014 -0400
committer	Adam Langley <agl@google.com>	Mon Sep 15 21:06:24 2014 +0000
tree	3be173843f7302e07b8be6377b9993ef9634d688
parent	d633d6303c59d7e0ea5e4014cbf546631f38ec22 [diff]