Really remove DHE ciphersuites from TLS.
This follows up on cedc6f18 by removing support for the
-DBORINGSSL_ENABLE_DHE_TLS compile flag, and the code needed to
support it.
Change-Id: I53b6aa7a0eddd23ace8b770edb2a31b18ba2ce26
Reviewed-on: https://boringssl-review.googlesource.com/14886
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 17ad4e4..3296c17 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -126,16 +126,10 @@
// ECDHE_RSA.
{
"ALL:-kECDHE:"
-#ifdef BORINGSSL_ENABLE_DHE_TLS
- "-kDHE:"
-#endif
"-kRSA:-ALL:"
"AESGCM+AES128+aRSA",
{
{TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0},
-#ifdef BORINGSSL_ENABLE_DHE_TLS
- {TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 0},
-#endif
{TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
},
false,
@@ -188,9 +182,6 @@
{
// To simplify things, banish all but {ECDHE_RSA,RSA} x
// {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1.
-#ifdef BORINGSSL_ENABLE_DHE_TLS
- "!kEDH:"
-#endif
"!AESGCM:!3DES:!SHA256:!SHA384:"
// Order some ciphers backwards by strength.
"ALL:-CHACHA20:-AES256:-AES128:-ALL:"
@@ -800,11 +791,6 @@
static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = {
{SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
{TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"},
-#ifdef BORINGSSL_ENABLE_DHE_TLS
- {TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
- {TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"},
-#endif
{TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
{TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
@@ -1850,12 +1836,7 @@
bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
// Our default cipher list varies by CPU capabilities, so manually place the
// ChaCha20 ciphers in front.
- const char* cipher_list =
-#ifdef BORINGSSL_ENABLE_DHE_TLS
- "!DHE:CHACHA20:ALL";
-#else
- "CHACHA20:ALL";
-#endif
+ const char* cipher_list = "CHACHA20:ALL";
if (!ctx ||
// SSLv3 is off by default.
!SSL_CTX_set_min_proto_version(ctx.get(), SSL3_VERSION) ||
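Review bot: Now that the `#ifdef` is gone, `cipher_list` on the added line is a pointer to one fixed literal that is never reassigned, so the pointer itself could be const too — `const char* const cipher_list = "CHACHA20:ALL";` — or, following the `k`-prefixed constant naming this file already uses (`kCipherRFCNameTests`), `static const char kCipherList[] = "CHACHA20:ALL";`. The enclosing test body starts before this hunk and continues past `SSL_CTX_set_min_proto_version`, so the use of `cipher_list` is not visible here; if it is presumably passed once to `SSL_CTX_set_cipher_list`, the literal could be inlined at that call and the local dropped. The ChaCha20-first comment above it is still accurate and should stay with whichever form is chosen.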