Clean up the code that checks if we can choose an EC cipher suite.

The tls1_check_ec_tmp_key() function is now rather misnamed, so just inline
the code. Also, rather than running tls1_get_shared_curve() once per EC
cipher suite, we can run it once at the start of the ssl3_choose_cipher()
function.

ok bluhm@ tb@

3 files changed, 7 insertions, 16 deletions

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 6fcbbfc2c5..e1bad1ba1a 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.171 2018/10/24 18:04:50 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.172 2018/11/05 06:55:37 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2286,12 +2286,15 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
         unsigned long alg_k, alg_a, mask_k, mask_a;
         STACK_OF(SSL_CIPHER) *prio, *allow;
         SSL_CIPHER *c, *ret = NULL;
+        int can_use_ecc;
         int i, ii, ok;
         CERT *cert;
 
         /* Let's see which ciphers we can support */
         cert = s->cert;
 
+        can_use_ecc = (tls1_get_shared_curve(s) != NID_undef);
+
         /*
          * Do not set the compare functions, because this may lead to a
          * reordering by "id". We want to keep the original ordering.
@@ -2336,7 +2339,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                  * an ephemeral EC key check it.
                  */
                 if (alg_k & SSL_kECDHE)
-                        ok = ok && tls1_check_ec_tmp_key(s);
+                        ok = ok && can_use_ecc;
 
                 if (!ok)
                         continue;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 8cedc29490..b11bb4ac61 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.217 2018/11/05 03:49:44 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.218 2018/11/05 06:55:37 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1287,7 +1287,6 @@ void tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs,
     size_t *sigalgs_len);
 
 int tls1_check_ec_server_key(SSL *s);
-int tls1_check_ec_tmp_key(SSL *s);
 
 int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p,
     int *len, int maxlen);
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 30305e6b2f..b06004e88a 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.145 2018/11/05 03:49:44 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.146 2018/11/05 06:55:37 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -604,17 +604,6 @@ tls1_check_ec_server_key(SSL *s)
         return tls1_check_ec_key(s, &curve_id, &comp_id);
 }
 
-/* Check EC temporary key is compatible with client extensions. */
-int
-tls1_check_ec_tmp_key(SSL *s)
-{
-        /* Need a shared curve. */
-        if (tls1_get_shared_curve(s) != NID_undef)
-                return (1);
-
-        return (0);
-}
-
 /*
  * List of supported signature algorithms and hashes. Should make this
  * customisable at some point, for now include everything we support.