From 188f2a73ec9cc4314b9998227079cccb89e8677a Mon Sep 17 00:00:00 2001 From: jsing <> Date: Fri, 11 Sep 2020 17:36:27 +0000 Subject: Remove cipher_list_by_id. When parsing a cipher string, a cipher list is created, before being duplicated and sorted - the second copy being stored as cipher_list_by_id. This is done only so that a client can ensure that the cipher selected by a server is in the cipher list. This is pretty pointless given that most clients are short-lived and that we already had to iterate over the cipher list in order to build the client hello. Additionally, any update to the cipher list requires that cipher_list_by_id also be updated and kept in sync. Remove all of this and replace it with a simple linear scan - the overhead of duplicating and sorting the cipher list likely exceeds that of a simple linear scan over the cipher list (64 maximum, more typically ~9 or so). ok beck@ tb@ --- src/lib/libssl/ssl_clnt.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'src/lib/libssl/ssl_clnt.c') diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index b6dcb8888d..68c7a83595 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.70 2020/07/03 04:12:50 tb Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.71 2020/09/11 17:36:27 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -802,12 +802,11 @@ ssl3_get_server_hello(SSL *s) uint16_t server_version, cipher_suite; uint16_t min_version, max_version; uint8_t compression_method; - STACK_OF(SSL_CIPHER) *sk; const SSL_CIPHER *cipher; const SSL_METHOD *method; unsigned long alg_k; size_t outlen; - int i, al, ok; + int al, ok; long n; s->internal->first_packet = 1; @@ -981,9 +980,7 @@ ssl3_get_server_hello(SSL *s) goto f_err; } - sk = ssl_get_ciphers_by_id(s); - i = sk_SSL_CIPHER_find(sk, cipher); - if (i < 0) { + if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { /* we did not say we would use this cipher */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); -- cgit v1.2.3-55-g6feb