Remove supports_cipher hook.
RC4 is gone. The only remaining exception was the dumb SSL_eNULL cipher,
which works fine in DTLS. It doesn't seem worth the trouble to retain
this special-case.
Change-Id: I31023b71192808e4d21e82109255dc4d6d381df8
Reviewed-on: https://boringssl-review.googlesource.com/22467
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/dtls_method.cc b/ssl/dtls_method.cc
index 91a955f..d0416ad 100644
--- a/ssl/dtls_method.cc
+++ b/ssl/dtls_method.cc
@@ -68,10 +68,6 @@
using namespace bssl;
-static bool dtls1_supports_cipher(const SSL_CIPHER *cipher) {
- return cipher->algorithm_enc != SSL_eNULL;
-}
-
static void dtls1_on_handshake_complete(SSL *ssl) {
// Stop the reply timer left by the last flight we sent.
dtls1_stop_timer(ssl);
@@ -121,7 +117,6 @@
dtls1_open_app_data,
dtls1_write_app_data,
dtls1_dispatch_alert,
- dtls1_supports_cipher,
dtls1_init_message,
dtls1_finish_message,
dtls1_add_message,
diff --git a/ssl/internal.h b/ssl/internal.h
index 79bcacf..2b3335b 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -490,14 +490,12 @@
const EVP_MD *ssl_get_handshake_digest(uint16_t version,
const SSL_CIPHER *cipher);
-// ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
-// |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
-// |ssl_cipher_preference_list_st| containing the result. It returns true on
-// success and false on failure. If |strict| is true, nonsense will be
-// rejected. If false, nonsense will be silently ignored. An empty result is
-// considered an error regardless of |strict|.
+// ssl_create_cipher_list evaluates |rule_str|. It sets |*out_cipher_list| to a
+// newly-allocated |ssl_cipher_preference_list_st| containing the result. It
+// returns true on success and false on failure. If |strict| is true, nonsense
+// will be rejected. If false, nonsense will be silently ignored. An empty
+// result is considered an error regardless of |strict|.
bool ssl_create_cipher_list(
- const SSL_PROTOCOL_METHOD *ssl_method,
struct ssl_cipher_preference_list_st **out_cipher_list,
const char *rule_str, bool strict);
@@ -1771,8 +1769,6 @@
int (*write_app_data)(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf,
int len);
int (*dispatch_alert)(SSL *ssl);
- // supports_cipher returns whether |cipher| is supported by this protocol.
- bool (*supports_cipher)(const SSL_CIPHER *cipher);
// init_message begins a new handshake message of type |type|. |cbb| is the
// root CBB to be passed into |finish_message|. |*body| is set to a child CBB
// the caller should write to. It returns true on success and false on error.
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index 0c02389..35820b4 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -811,19 +811,14 @@
*head = curr;
}
-static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
- CIPHER_ORDER *co_list,
+static void ssl_cipher_collect_ciphers(CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p) {
- // The set of ciphers is static, but some subset may be unsupported by
- // |ssl_method|, so the list may be smaller.
size_t co_list_num = 0;
- for (size_t i = 0; i < kCiphersLen; i++) {
- const SSL_CIPHER *cipher = &kCiphers[i];
- if (ssl_method->supports_cipher(cipher) &&
- // TLS 1.3 ciphers do not participate in this mechanism.
- cipher->algorithm_mkey != SSL_kGENERIC) {
- co_list[co_list_num].cipher = cipher;
+ for (const SSL_CIPHER &cipher : kCiphers) {
+ // TLS 1.3 ciphers do not participate in this mechanism.
+ if (cipher.algorithm_mkey != SSL_kGENERIC) {
+ co_list[co_list_num].cipher = &cipher;
co_list[co_list_num].next = NULL;
co_list[co_list_num].prev = NULL;
co_list[co_list_num].active = false;
@@ -1023,8 +1018,7 @@
return true;
}
-static bool ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
- const char *rule_str,
+static bool ssl_cipher_process_rulestr(const char *rule_str,
CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p, bool strict) {
uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
@@ -1206,7 +1200,6 @@
}
bool ssl_create_cipher_list(
- const SSL_PROTOCOL_METHOD *ssl_method,
struct ssl_cipher_preference_list_st **out_cipher_list,
const char *rule_str, bool strict) {
STACK_OF(SSL_CIPHER) *cipherstack = NULL;
@@ -1229,7 +1222,7 @@
return false;
}
- ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
+ ssl_cipher_collect_ciphers(co_list, &head, &tail);
// Now arrange all ciphers by preference:
// TODO(davidben): Compute this order once and copy it.
@@ -1288,8 +1281,8 @@
// using the (possibly available) additional rules.
const char *rule_p = rule_str;
if (strncmp(rule_str, "DEFAULT", 7) == 0) {
- if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
- &tail, strict)) {
+ if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
+ strict)) {
goto err;
}
rule_p += 7;
@@ -1299,7 +1292,7 @@
}
if (*rule_p != '\0' &&
- !ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail, strict)) {
+ !ssl_cipher_process_rulestr(rule_p, &head, &tail, strict)) {
goto err;
}
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 2fc6ffd..ab88134 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -1827,23 +1827,19 @@
}
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
- return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
- false /* not strict */);
+ return ssl_create_cipher_list(&ctx->cipher_list, str, false /* not strict */);
}
int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {
- return ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str,
- true /* strict */);
+ return ssl_create_cipher_list(&ctx->cipher_list, str, true /* strict */);
}
int SSL_set_cipher_list(SSL *ssl, const char *str) {
- return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
- false /* not strict */);
+ return ssl_create_cipher_list(&ssl->cipher_list, str, false /* not strict */);
}
int SSL_set_strict_cipher_list(SSL *ssl, const char *str) {
- return ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str,
- true /* strict */);
+ return ssl_create_cipher_list(&ssl->cipher_list, str, true /* strict */);
}
const char *SSL_get_servername(const SSL *ssl, const int type) {
diff --git a/ssl/test/runner/cipher_suites.go b/ssl/test/runner/cipher_suites.go
index 2681e71..39ef4ab 100644
--- a/ssl/test/runner/cipher_suites.go
+++ b/ssl/test/runner/cipher_suites.go
@@ -136,7 +136,7 @@
{TLS_PSK_WITH_RC4_128_SHA, 16, 20, noIV, pskKA, suiteNoDTLS | suitePSK, cipherRC4, macSHA1, nil},
{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
- {TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, suiteNoDTLS, cipherNull, macSHA1, nil},
+ {TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, 0, cipherNull, macSHA1, nil},
}
func noIV(vers uint16) int {
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index d34eaa6..0ce50bc 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1394,10 +1394,6 @@
return strings.HasPrefix(suiteName, "AEAD-")
}
-func isDTLSCipher(suiteName string) bool {
- return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
-}
-
func bigFromHex(hex string) *big.Int {
ret, ok := new(big.Int).SetString(hex, 16)
if !ok {
@@ -2948,10 +2944,6 @@
shouldClientFail = true
shouldServerFail = true
}
- if !isDTLSCipher(suite.name) && protocol == dtls {
- shouldClientFail = true
- shouldServerFail = true
- }
var sendCipherSuite uint16
var expectedServerError, expectedClientError string
diff --git a/ssl/tls_method.cc b/ssl/tls_method.cc
index c5b0178..4eacf64 100644
--- a/ssl/tls_method.cc
+++ b/ssl/tls_method.cc
@@ -67,8 +67,6 @@
namespace bssl {
-static bool ssl3_supports_cipher(const SSL_CIPHER *cipher) { return true; }
-
static void ssl3_on_handshake_complete(SSL *ssl) {
// The handshake should have released its final message.
assert(!ssl->s3->has_message);
@@ -113,7 +111,6 @@
ssl3_open_app_data,
ssl3_write_app_data,
ssl3_dispatch_alert,
- ssl3_supports_cipher,
ssl3_init_message,
ssl3_finish_message,
ssl3_add_message,