diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2018-11-05 06:55:38 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2018-11-05 06:55:38 +0000 |
| commit | e9c5bac4afb9fd1f6772b4825718ed4928320f2d (patch) | |
| tree | c3db8cedcab5740266107a84df0557992ef8340d /lib | |
| parent | db137872e51127cbb7a1d5cafb4ce13466cf5feb (diff) | |
Clean up the code that checks if we can choose an EC cipher suite.
The tls1_check_ec_tmp_key() function is now rather misnamed, so just inline
the code. Also, rather than running tls1_get_shared_curve() once per EC
cipher suite, we can run it once at the start of the ssl3_choose_cipher()
function.
ok bluhm@ tb@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libssl/s3_lib.c | 7 | ||||
| -rw-r--r-- | lib/libssl/ssl_locl.h | 3 | ||||
| -rw-r--r-- | lib/libssl/t1_lib.c | 13 |
3 files changed, 7 insertions, 16 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 6fcbbfc2c56..e1bad1ba1ad 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.171 2018/10/24 18:04:50 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.172 2018/11/05 06:55:37 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2286,12 +2286,15 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, unsigned long alg_k, alg_a, mask_k, mask_a; STACK_OF(SSL_CIPHER) *prio, *allow; SSL_CIPHER *c, *ret = NULL; + int can_use_ecc; int i, ii, ok; CERT *cert; /* Let's see which ciphers we can support */ cert = s->cert; + can_use_ecc = (tls1_get_shared_curve(s) != NID_undef); + /* * Do not set the compare functions, because this may lead to a * reordering by "id". We want to keep the original ordering. @@ -2336,7 +2339,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, * an ephemeral EC key check it. */ if (alg_k & SSL_kECDHE) - ok = ok && tls1_check_ec_tmp_key(s); + ok = ok && can_use_ecc; if (!ok) continue; diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 8cedc294907..b11bb4ac616 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.217 2018/11/05 03:49:44 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.218 2018/11/05 06:55:37 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1287,7 +1287,6 @@ void tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, size_t *sigalgs_len); int tls1_check_ec_server_key(SSL *s); -int tls1_check_ec_tmp_key(SSL *s); int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 30305e6b2f9..b06004e88a9 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.145 2018/11/05 03:49:44 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.146 2018/11/05 06:55:37 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -604,17 +604,6 @@ tls1_check_ec_server_key(SSL *s) return tls1_check_ec_key(s, &curve_id, &comp_id); } -/* Check EC temporary key is compatible with client extensions. */ -int -tls1_check_ec_tmp_key(SSL *s) -{ - /* Need a shared curve. */ - if (tls1_get_shared_curve(s) != NID_undef) - return (1); - - return (0); -} - /* * List of supported signature algorithms and hashes. Should make this * customisable at some point, for now include everything we support. |