From 6947abc46581e19432245e0ce409d468fb702c7d Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 5 Nov 2018 06:55:37 +0000
Subject: Clean up the code that checks if we can choose an EC cipher suite.

The tls1_check_ec_tmp_key() function is now rather misnamed, so just inline
the code. Also, rather than running tls1_get_shared_curve() once per EC
cipher suite, we can run it once at the start of the ssl3_choose_cipher()
function.

ok bluhm@ tb@
---
 src/lib/libssl/s3_lib.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'src/lib/libssl/s3_lib.c')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 6fcbbfc2c5..e1bad1ba1a 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.171 2018/10/24 18:04:50 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.172 2018/11/05 06:55:37 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2286,12 +2286,15 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 	unsigned long alg_k, alg_a, mask_k, mask_a;
 	STACK_OF(SSL_CIPHER) *prio, *allow;
 	SSL_CIPHER *c, *ret = NULL;
+	int can_use_ecc;
 	int i, ii, ok;
 	CERT *cert;
 
 	/* Let's see which ciphers we can support */
 	cert = s->cert;
 
+	can_use_ecc = (tls1_get_shared_curve(s) != NID_undef);
+
 	/*
 	 * Do not set the compare functions, because this may lead to a
 	 * reordering by "id". We want to keep the original ordering.
@@ -2336,7 +2339,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 		 * an ephemeral EC key check it.
 		 */
 		if (alg_k & SSL_kECDHE)
-			ok = ok && tls1_check_ec_tmp_key(s);
+			ok = ok && can_use_ecc;
 
 		if (!ok)
 			continue;
-- 
cgit v1.2.3-55-g6feb