Remove get_cipher from SSL_METHOD.

Inline the get_cipher implementation (including the special handling
for DTLS) in ssl_cipher_collect_ciphers() (the only consumer), remove
the get_cipher member of SSL_METHOD and mop up dtls1_get_cipher().

ssl3_get_cipher() has always had a strange property of being a reverse
index, which is relied on by the cipher list ordering code, since it
currently assumes that high cipher suite values are preferable. Rather
than complicating ssl3_get_cipher() (and regress), change the iteration
order in ssl_cipher_collect_ciphers() to match what it requires. Lastly,
rename ssl3_get_cipher() to be more descriptive.

ok tb@

1 files changed, 1 insertions, 22 deletions

diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index ae6a6650ab..69db8a0df4 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.64 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.65 2024/07/23 14:40:53 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -250,27 +250,6 @@ dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
         return (ret);
 }
 
-/*
- * As it's impossible to use stream ciphers in "datagram" mode, this
- * simple filter is designed to disengage them in DTLS. Unfortunately
- * there is no universal way to identify stream SSL_CIPHER, so we have
- * to explicitly list their SSL_* codes. Currently RC4 is the only one
- * available, but if new ones emerge, they will have to be added...
- */
-const SSL_CIPHER *
-dtls1_get_cipher(unsigned int u)
-{
-        const SSL_CIPHER *cipher;
-
-        if ((cipher = ssl3_get_cipher(u)) == NULL)
-                return NULL;
-
-        if (cipher->algorithm_enc == SSL_RC4)
-                return NULL;
-
-        return cipher;
-}
-
 void
 dtls1_start_timer(SSL *s)
 {