From 6947abc46581e19432245e0ce409d468fb702c7d Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 5 Nov 2018 06:55:37 +0000
Subject: Clean up the code that checks if we can choose an EC cipher suite. The tls1_check_ec_tmp_key() function is now rather misnamed, so just inline the code. Also, rather than running tls1_get_shared_curve() once per EC cipher suite, we can run it once at the start of the ssl3_choose_cipher() function. ok bluhm@ tb@
---
 src/lib/libssl/s3_lib.c | 7 +++++--
 src/lib/libssl/ssl_locl.h | 3 +--
 src/lib/libssl/t1_lib.c | 13 +------------
 3 files changed, 7 insertions(+), 16 deletions(-)
(limited to 'src')
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 6fcbbfc2c5..e1bad1ba1a 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.171 2018/10/24 18:04:50 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.172 2018/11/05 06:55:37 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2286,12 +2286,15 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 unsigned long alg_k, alg_a, mask_k, mask_a;
 STACK_OF(SSL_CIPHER) *prio, *allow;
 SSL_CIPHER *c, *ret = NULL;
+ int can_use_ecc;
 int i, ii, ok;
 CERT *cert;
 /* Let's see which ciphers we can support */
 cert = s->cert;
+ can_use_ecc = (tls1_get_shared_curve(s) != NID_undef);
+
 /*
 * Do not set the compare functions, because this may lead to a
 * reordering by "id". We want to keep the original ordering.
@@ -2336,7 +2339,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 * an ephemeral EC key check it.
 */
 if (alg_k & SSL_kECDHE)
- ok = ok && tls1_check_ec_tmp_key(s);
+ ok = ok && can_use_ecc;
 if (!ok)
 continue;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 8cedc29490..b11bb4ac61 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
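Review bot: `can_use_ecc`, introduced in the s3_lib.c hunk at line 2286 of ssl3_choose_cipher(), is named more broadly than what it holds. It is only the result of `tls1_get_shared_curve(s) != NID_undef`, and in the hunk at line 2339 it gates only suites with `SSL_kECDHE` set in `alg_k`. A name such as `have_shared_curve`, or a comment at the assignment like `/* ECDHE suites need a curve shared with the client; this does not depend on the candidate suite, so compute it once. */`, would record why hoisting the call out of the loop is safe. The hoist presumably relies on nothing inside the loop changing the state that tls1_get_shared_curve() reads; that function's body is not in this diff, so this should be confirmed. The body of ssl3_choose_cipher() starts and ends outside both hunks.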
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.217 2018/11/05 03:49:44 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.218 2018/11/05 06:55:37 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1287,7 +1287,6 @@ void tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, size_t *sigalgs_len);
 int tls1_check_ec_server_key(SSL *s);
-int tls1_check_ec_tmp_key(SSL *s);
 int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 30305e6b2f..b06004e88a 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.145 2018/11/05 03:49:44 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.146 2018/11/05 06:55:37 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -604,17 +604,6 @@ tls1_check_ec_server_key(SSL *s)
 return tls1_check_ec_key(s, &curve_id, &comp_id);
 }
-/* Check EC temporary key is compatible with client extensions. */
-int
-tls1_check_ec_tmp_key(SSL *s)
-{
- /* Need a shared curve. */
- if (tls1_get_shared_curve(s) != NID_undef)
- return (1);
-
- return (0);
-}
-
 /*
 * List of supported signature algorithms and hashes. Should make this
 * customisable at some point, for now include everything we support.
-- 
cgit v1.2.3-55-g6feb