author | 2020-09-11 17:36:27 +0000 | |
---|---|---|
committer | 2020-09-11 17:36:27 +0000 | |
commit | 8b316ce8bcd9067a30cb757818dad1051035dfb8 (patch) | |
tree | a534f03f85ae6446bfc8ee799c84a2bd765ba0a1 /lib/libssl/ssl_locl.h | |
parent | Simplify SSL_get_ciphers(). (diff) | |
Remove cipher_list_by_id.
When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.
Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
Diffstat (limited to 'lib/libssl/ssl_locl.h')
-rw-r--r-- | lib/libssl/ssl_locl.h | 14 |
1 files changed, 3 insertions, 11 deletions
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index bfd0ea67337..df07ca68a67 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.289 2020/09/11 15:28:08 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.290 2020/09/11 17:36:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -599,9 +599,6 @@ typedef struct ssl_ctx_internal_st {
 CRYPTO_EX_DATA ex_data;
- /* same cipher_list but sorted for lookup */
- STACK_OF(SSL_CIPHER) *cipher_list_by_id;
-
 struct cert_st /* CERT */ *cert;
 /* Default values used when no per-SSL value is defined follow */
@@ -746,9 +743,6 @@ typedef struct ssl_internal_st {
 int hit; /* reusing a previous session */
- /* crypto */
- STACK_OF(SSL_CIPHER) *cipher_list_by_id;
-
 /* These are the ones being used, the ones in SSL_SESSION are
 * the ones to be 'copied' into these ones */
 int mac_flags;
@@ -1127,6 +1121,7 @@ int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
 int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
 uint16_t *out_ver);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
+int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
 int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher,
 uint16_t min_ver, uint16_t max_ver);
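Review bot: The new `ssl_cipher_in_list()` prototype in the last hunk is, per the commit message, the replacement for the client-side check that the cipher in the ServerHello was actually offered — the guard that stops a peer or an on-path attacker from steering the client onto a suite it never proposed — yet nothing at the declaration records that contract or the return convention. I would add above it `/* Returns 1 if cipher is present in ciphers, 0 otherwise. Used by the client to reject a ServerHello cipher it did not offer. */`. The implementation is not in this hunk, so I can only presume the linear scan compares cipher ids rather than `SSL_CIPHER` pointers; the removed `ssl_cipher_ptr_id_cmp` in the second file section suggests the old path matched on id, and the new scan should be confirmed to do the same so that equivalent entries from different tables are not rejected or, worse, unrelated ones accepted. Since the function only reads the stack, `const STACK_OF(SSL_CIPHER) *ciphers` would make that explicit and let callers pass the const lists they already hold.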
@@ -1166,13 +1161,10 @@ int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
 SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base,
 int num);
-int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
- const SSL_CIPHER * const *bp);
 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb);
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs);
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
- STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted,
- const char *rule_str);
+ STACK_OF(SSL_CIPHER) **pref, const char *rule_str);
 void ssl_update_cache(SSL *s, int mode);
 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
|