From 188f2a73ec9cc4314b9998227079cccb89e8677a Mon Sep 17 00:00:00 2001 From: jsing <> Date: Fri, 11 Sep 2020 17:36:27 +0000 Subject: Remove cipher_list_by_id. When parsing a cipher string, a cipher list is created, before being duplicated and sorted - the second copy being stored as cipher_list_by_id. This is done only so that a client can ensure that the cipher selected by a server is in the cipher list. This is pretty pointless given that most clients are short-lived and that we already had to iterate over the cipher list in order to build the client hello. Additionally, any update to the cipher list requires that cipher_list_by_id also be updated and kept in sync. Remove all of this and replace it with a simple linear scan - the overhead of duplicating and sorting the cipher list likely exceeds that of a simple linear scan over the cipher list (64 maximum, more typically ~9 or so). ok beck@ tb@ --- src/lib/libssl/ssl_ciph.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) (limited to 'src/lib/libssl/ssl_ciph.c') diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 37417efc08..4afbcf9896 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.117 2020/04/19 14:54:14 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.118 2020/09/11 17:36:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1184,12 +1184,11 @@ ssl_aes_is_accelerated(void) STACK_OF(SSL_CIPHER) * ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) **cipher_list, - STACK_OF(SSL_CIPHER) **cipher_list_by_id, const char *rule_str) { int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; - STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; + STACK_OF(SSL_CIPHER) *cipherstack; const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; @@ -1199,7 +1198,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, /* * Return with error if nothing to do. */ - if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) + if (rule_str == NULL || cipher_list == NULL) return NULL; /* @@ -1358,19 +1357,9 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, free(co_list); /* Not needed any longer */ - tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); - if (tmp_cipher_list == NULL) { - sk_SSL_CIPHER_free(cipherstack); - return NULL; - } sk_SSL_CIPHER_free(*cipher_list); *cipher_list = cipherstack; - sk_SSL_CIPHER_free(*cipher_list_by_id); - *cipher_list_by_id = tmp_cipher_list; - (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, - ssl_cipher_ptr_id_cmp); - sk_SSL_CIPHER_sort(*cipher_list_by_id); return (cipherstack); } -- cgit v1.2.3-55-g6feb