diff options
| author | jsing <> | 2020-09-11 17:36:27 +0000 |
|---|---|---|
| committer | jsing <> | 2020-09-11 17:36:27 +0000 |
| commit | 188f2a73ec9cc4314b9998227079cccb89e8677a (patch) | |
| tree | 62dedc456145da98fc6ed3e6c1be5685fe0e1232 /src/lib/libssl/ssl_clnt.c | |
| parent | 044cfc226bee4d04817ab4f4d3a6b1d0ab4db4ed (diff) | |
| download | openbsd-188f2a73ec9cc4314b9998227079cccb89e8677a.tar.gz openbsd-188f2a73ec9cc4314b9998227079cccb89e8677a.tar.bz2 openbsd-188f2a73ec9cc4314b9998227079cccb89e8677a.zip | |
Remove cipher_list_by_id.
When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.
Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index b6dcb8888d..68c7a83595 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.70 2020/07/03 04:12:50 tb Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.71 2020/09/11 17:36:27 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -802,12 +802,11 @@ ssl3_get_server_hello(SSL *s) | |||
| 802 | uint16_t server_version, cipher_suite; | 802 | uint16_t server_version, cipher_suite; |
| 803 | uint16_t min_version, max_version; | 803 | uint16_t min_version, max_version; |
| 804 | uint8_t compression_method; | 804 | uint8_t compression_method; |
| 805 | STACK_OF(SSL_CIPHER) *sk; | ||
| 806 | const SSL_CIPHER *cipher; | 805 | const SSL_CIPHER *cipher; |
| 807 | const SSL_METHOD *method; | 806 | const SSL_METHOD *method; |
| 808 | unsigned long alg_k; | 807 | unsigned long alg_k; |
| 809 | size_t outlen; | 808 | size_t outlen; |
| 810 | int i, al, ok; | 809 | int al, ok; |
| 811 | long n; | 810 | long n; |
| 812 | 811 | ||
| 813 | s->internal->first_packet = 1; | 812 | s->internal->first_packet = 1; |
| @@ -981,9 +980,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 981 | goto f_err; | 980 | goto f_err; |
| 982 | } | 981 | } |
| 983 | 982 | ||
| 984 | sk = ssl_get_ciphers_by_id(s); | 983 | if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { |
| 985 | i = sk_SSL_CIPHER_find(sk, cipher); | ||
| 986 | if (i < 0) { | ||
| 987 | /* we did not say we would use this cipher */ | 984 | /* we did not say we would use this cipher */ |
| 988 | al = SSL_AD_ILLEGAL_PARAMETER; | 985 | al = SSL_AD_ILLEGAL_PARAMETER; |
| 989 | SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); | 986 | SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); |