Google Git
Sign in
boringssl / boringssl.git / 9d0b4bcb9245eeb00139f746f842d78650859337^! / .
commit9d0b4bcb9245eeb00139f746f842d78650859337[log] [tgz]
authorDavid Benjamin <davidben@google.com>Fri Oct 07 00:34:08 2016 -0400
committerAdam Langley <agl@google.com>Sun Oct 09 17:15:49 2016 +0000
treeab2b0586168ded34dbee19d96c62a513128ac52a
parent938fa7cc845228ae690bf6b3902994d256229682 [diff]
Trim tls1_check_group_id.

This function is now only ever called as a client, so there are no peer
preferences to check against. It is also now only called on peer curves,
so it only needs to be compared against local preferences.

Change-Id: I87f5b10cf4fe5fef9a9d60aff36010634192e90c
Reviewed-on: https://boringssl-review.googlesource.com/11526
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/internal.h b/ssl/internal.h
index ef0b141..bd8d3df 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h

@@ -1515,9 +1515,8 @@
                         const uint16_t **out_group_ids,
                         size_t *out_group_ids_len);
 
-/* tls1_check_group_id returns one if |group_id| is consistent with both our
- * and the peer's group preferences. Note: if called as the client, only our
- * preferences are checked; the peer (the server) does not send preferences. */
+/* tls1_check_group_id returns one if |group_id| is consistent with
+ * locally-configured group preferences. */
 int tls1_check_group_id(SSL *ssl, uint16_t group_id);
 
 /* tls1_get_shared_group sets |*out_group_id| to the first preferred shared

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 6616154..ecb8675 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c

@@ -445,40 +445,17 @@
   return 0;
 }
 
-/* tls1_check_group_id returns one if |group_id| is consistent with both our
- * and the peer's group preferences. Note: if called as the client, only our
- * preferences are checked; the peer (the server) does not send preferences. */
 int tls1_check_group_id(SSL *ssl, uint16_t group_id) {
   const uint16_t *groups;
-  size_t groups_len, i, get_peer_groups;
-
-  /* Check against our list, then the peer's list. */
-  for (get_peer_groups = 0; get_peer_groups <= 1; get_peer_groups++) {
-    if (get_peer_groups && !ssl->server) {
-      /* Servers do not present a preference list so, if we are a client, only
-       * check our list. */
-      continue;
-    }
-
-    tls1_get_grouplist(ssl, get_peer_groups, &groups, &groups_len);
-    if (get_peer_groups && groups_len == 0) {
-      /* Clients are not required to send a supported_groups extension. In this
-       * case, the server is free to pick any group it likes. See RFC 4492,
-       * section 4, paragraph 3. */
-      continue;
-    }
-    for (i = 0; i < groups_len; i++) {
-      if (groups[i] == group_id) {
-        break;
-      }
-    }
-
-    if (i == groups_len) {
-      return 0;
+  size_t groups_len;
+  tls1_get_grouplist(ssl, 0 /* local groups */, &groups, &groups_len);
+  for (size_t i = 0; i < groups_len; i++) {
+    if (groups[i] == group_id) {
+      return 1;
     }
   }
 
-  return 1;
+  return 0;
 }
 
 /* List of supported signature algorithms and hashes. Should make this