From 6861a5a72a0bd87259b9e40bd0a0f7c85fd11e9c Mon Sep 17 00:00:00 2001 From: jsing <> Date: Tue, 23 Jul 2024 14:40:54 +0000 Subject: Remove get_cipher from SSL_METHOD. Inline the get_cipher implementation (including the special handling for DTLS) in ssl_cipher_collect_ciphers() (the only consumer), remove the get_cipher member of SSL_METHOD and mop up dtls1_get_cipher(). ssl3_get_cipher() has always had a strange property of being a reverse index, which is relied on by the cipher list ordering code, since it currently assumes that high cipher suite values are preferable. Rather than complicating ssl3_get_cipher() (and regress), change the iteration order in ssl_cipher_collect_ciphers() to match what it requires. Lastly, rename ssl3_get_cipher() to be more descriptive. ok tb@ --- src/lib/libssl/ssl_ciph.c | 47 ++++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 25 deletions(-) (limited to 'src/lib/libssl/ssl_ciph.c') diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index dce141101d..2478d70eac 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.146 2024/07/22 14:47:15 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.147 2024/07/23 14:40:53 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -576,22 +576,6 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, *head = curr; } -/* XXX beck: remove this in a followon to removing GOST */ -static void -ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, - unsigned long *enc, unsigned long *mac, unsigned long *ssl) -{ - *mkey = 0; - *auth = 0; - *enc = 0; - *mac = 0; - *ssl = 0; - -#ifdef SSL_FORBID_ENULL - *enc |= SSL_eNULL; -#endif -} - static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers, unsigned long disabled_mkey, unsigned long disabled_auth, @@ -608,10 +592,15 @@ ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers, * a linked list with at most num entries. */ - /* Get the initial list of ciphers */ + /* + * Get the initial list of ciphers, iterating backwards over the + * cipher list - the list is ordered by cipher value and we currently + * hope that ciphers with higher cipher values are preferable... + */ co_list_num = 0; /* actual count of ciphers */ - for (i = 0; i < num_of_ciphers; i++) { - c = ssl_method->get_cipher(i); + for (i = num_of_ciphers - 1; i >= 0; i--) { + c = ssl3_get_cipher_by_index(i); + /* * Drop any invalid ciphers and any which use unavailable * algorithms. @@ -1153,11 +1142,19 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, if (rule_str == NULL || cipher_list == NULL) goto err; - /* - * To reduce the work to do we only want to process the compiled - * in algorithms, so we first get the mask of disabled ciphers. - */ - ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl); + disabled_mkey = 0; + disabled_auth = 0; + disabled_enc = 0; + disabled_mac = 0; + disabled_ssl = 0; + +#ifdef SSL_FORBID_ENULL + disabled_enc |= SSL_eNULL; +#endif + + /* DTLS cannot be used with stream ciphers. */ + if (ssl_method->dtls) + disabled_enc |= SSL_RC4; /* * Now we have to collect the available ciphers from the compiled -- cgit v1.2.3-55-g6feb