Remove cipher_list_by_id. This is only used in one place where we don't take advantage of it being sorted anyway. Change-Id: If6f0d04e975db903e8a93c57c869ea4964c0be37 Reviewed-on: https://boringssl-review.googlesource.com/12062 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 449bd8c..3ddca6f 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3787,8 +3787,6 @@
 uint16_t min_version;
 struct ssl_cipher_preference_list_st *cipher_list;
- /* same as above but sorted for lookup */
- STACK_OF(SSL_CIPHER) *cipher_list_by_id;
 /* cipher_list_tls10 is the list of ciphers when TLS 1.0 or greater is in
 * use. This only applies to server connections as, for clients, the version
@@ -4090,7 +4088,6 @@
 /* crypto */
 struct ssl_cipher_preference_list_st *cipher_list;
- STACK_OF(SSL_CIPHER) *cipher_list_by_id;
 /* session info */
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 67a4c09..d5a1003 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -821,8 +821,6 @@
 }
 static int ssl3_get_server_hello(SSL *ssl) {
- STACK_OF(SSL_CIPHER) *sk;
- const SSL_CIPHER *c;
 CERT *ct = ssl->cert;
 int al = SSL_AD_INTERNAL_ERROR;
 CBS server_hello, server_random, session_id;
@@ -930,26 +928,19 @@
 CBS_len(&session_id));
 }
- c = SSL_get_cipher_by_value(cipher_suite);
+ const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite);
 if (c == NULL) {
 /* unknown cipher */
 al = SSL_AD_ILLEGAL_PARAMETER;
 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
 goto f_err;
 }
- /* If the cipher is disabled then we didn't sent it in the ClientHello, so if
- * the server selected it, it's an error. */
+
+ /* The cipher must be allowed in the selected version and enabled. */
 if ((c->algorithm_mkey & ct->mask_k) || (c->algorithm_auth & ct->mask_a) ||
 SSL_CIPHER_get_min_version(c) > ssl3_protocol_version(ssl) ||
- SSL_CIPHER_get_max_version(c) < ssl3_protocol_version(ssl)) {
- al = SSL_AD_ILLEGAL_PARAMETER;
- OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
- goto f_err;
- }
-
- sk = ssl_get_ciphers_by_id(ssl);
- if (!sk_SSL_CIPHER_find(sk, NULL, c)) {
- /* we did not say we would use this cipher */
+ SSL_CIPHER_get_max_version(c) < ssl3_protocol_version(ssl) ||
+ !sk_SSL_CIPHER_find(SSL_get_ciphers(ssl), NULL, c)) {
 al = SSL_AD_ILLEGAL_PARAMETER;
 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
 goto f_err;
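Review bot: The membership test appended to the merged condition, `!sk_SSL_CIPHER_find(SSL_get_ciphers(ssl), NULL, c)`, is the clause that rejects a server-selected suite the client never offered, and that intent is no longer stated anywhere now that `/* we did not say we would use this cipher */` is gone; the new comment only describes the mask and version checks. Suggest `/* The cipher must be allowed in the selected version, enabled, and one we actually offered in the ClientHello. */`. The clause also presumably depends on `sk_SSL_CIPHER_find` matching by pointer identity against the static cipher table (the preference stack appears to carry no comparison function) and on it returning 0 for a NULL stack, since the explicit NULL handling that lived in `ssl_get_ciphers_by_id` is removed; both are worth confirming, because a miss here must fail closed with SSL_R_WRONG_CIPHER_RETURNED. ssl3_get_server_hello begins and ends outside this hunk.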
diff --git a/ssl/internal.h b/ssl/internal.h
index b217017..2668559 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -230,14 +230,12 @@
 /* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
 * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
- * |ssl_cipher_preference_list_st| containing the result.
- * |*out_cipher_list_by_id| is set to a list of selected ciphers sorted by
- * id. It returns |(*out_cipher_list)->ciphers| on success and NULL on
+ * |ssl_cipher_preference_list_st| containing the result. It returns
+ * |(*out_cipher_list)->ciphers| on success and NULL on
 * failure. */
 STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
 struct ssl_cipher_preference_list_st **out_cipher_list,
- STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
 const char *rule_str);
 /* ssl_cipher_get_value returns the cipher suite id of |cipher|. */
@@ -1682,7 +1680,6 @@
 void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k,
 uint32_t *out_mask_a);
-STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *ssl);
 int ssl_verify_alarm_type(long type);
 int ssl3_get_finished(SSL *ssl);
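Review bot: The reflowed doc comment on ssl_create_cipher_list leaves a short orphan line before ` * failure. */`; the sentence fits on one continuation line, so the three comment lines after "newly-allocated" can be two: ` * |ssl_cipher_preference_list_st| containing the result. It returns` followed by ` * |(*out_cipher_list)->ciphers| on success and NULL on failure. */`. While the contract is being rewritten, it would also help callers to state what happens to a previously set |*out_cipher_list| and what the caller owns on failure; the visible ssl_cipher.c hunk only shows |*out_cipher_list| being assigned on the success path, so the comment is the right place to pin that down.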
diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c
index 9ca7f24..33e92b1 100644
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -758,10 +758,6 @@
 }
 }
-static int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **a, const SSL_CIPHER **b) {
- return ssl_cipher_id_cmp(*a, *b);
-}
-
 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
 SSL_CIPHER c;
@@ -1356,10 +1352,9 @@
 STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
 struct ssl_cipher_preference_list_st **out_cipher_list,
- STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
 const char *rule_str) {
 int ok;
- STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
+ STACK_OF(SSL_CIPHER) *cipherstack = NULL;
 const char *rule_p;
 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
 uint8_t *in_group_flags = NULL;
@@ -1485,10 +1480,6 @@
 OPENSSL_free(co_list); /* Not needed any longer */
 co_list = NULL;
- tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
- if (tmp_cipher_list == NULL) {
- goto err;
- }
 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
 if (!pref_list) {
 goto err;
@@ -1507,26 +1498,12 @@
 *out_cipher_list = pref_list;
 pref_list = NULL;
- if (out_cipher_list_by_id != NULL) {
- sk_SSL_CIPHER_free(*out_cipher_list_by_id);
- *out_cipher_list_by_id = tmp_cipher_list;
- tmp_cipher_list = NULL;
- (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id,
- ssl_cipher_ptr_id_cmp);
-
- sk_SSL_CIPHER_sort(*out_cipher_list_by_id);
- } else {
- sk_SSL_CIPHER_free(tmp_cipher_list);
- tmp_cipher_list = NULL;
- }
-
 return cipherstack;
 err:
 OPENSSL_free(co_list);
 OPENSSL_free(in_group_flags);
 sk_SSL_CIPHER_free(cipherstack);
- sk_SSL_CIPHER_free(tmp_cipher_list);
 if (pref_list) {
 OPENSSL_free(pref_list->in_group_flags);
 }
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b8d4549..2d5f9c3 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -276,7 +276,7 @@
 }
 ssl_create_cipher_list(ret->method, &ret->cipher_list,
- &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST);
+ SSL_DEFAULT_CIPHER_LIST);
 if (ret->cipher_list == NULL ||
 sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
@@ -348,7 +348,6 @@
 lh_SSL_SESSION_free(ctx->sessions);
 X509_STORE_free(ctx->cert_store);
 ssl_cipher_preference_list_free(ctx->cipher_list);
- sk_SSL_CIPHER_free(ctx->cipher_list_by_id);
 ssl_cipher_preference_list_free(ctx->cipher_list_tls10);
 ssl_cipher_preference_list_free(ctx->cipher_list_tls11);
 ssl_cert_free(ctx->cert);
@@ -500,7 +499,6 @@
 /* add extra stuff */
 ssl_cipher_preference_list_free(ssl->cipher_list);
- sk_SSL_CIPHER_free(ssl->cipher_list_by_id);
 SSL_SESSION_free(ssl->session);
@@ -1573,24 +1571,6 @@
 return prefs->ciphers;
 }
-/* return a STACK of the ciphers available for the SSL and in order of
- * algorithm id */
-STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *ssl) {
- if (ssl == NULL) {
- return NULL;
- }
-
- if (ssl->cipher_list_by_id != NULL) {
- return ssl->cipher_list_by_id;
- }
-
- if (ssl->ctx->cipher_list_by_id != NULL) {
- return ssl->ctx->cipher_list_by_id;
- }
-
- return NULL;
-}
-
 const char *SSL_get_cipher_list(const SSL *ssl, int n) {
 const SSL_CIPHER *c;
 STACK_OF(SSL_CIPHER) *sk;
@@ -1613,8 +1593,8 @@
 }
 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
- STACK_OF(SSL_CIPHER) *cipher_list = ssl_create_cipher_list(
- ctx->method, &ctx->cipher_list, &ctx->cipher_list_by_id, str);
+ STACK_OF(SSL_CIPHER) *cipher_list =
+ ssl_create_cipher_list(ctx->method, &ctx->cipher_list, str);
 if (cipher_list == NULL) {
 return 0;
 }
@@ -1629,8 +1609,8 @@
 }
 int SSL_CTX_set_cipher_list_tls10(SSL_CTX *ctx, const char *str) {
- STACK_OF(SSL_CIPHER) *cipher_list = ssl_create_cipher_list(
- ctx->method, &ctx->cipher_list_tls10, NULL, str);
+ STACK_OF(SSL_CIPHER) *cipher_list =
+ ssl_create_cipher_list(ctx->method, &ctx->cipher_list_tls10, str);
 if (cipher_list == NULL) {
 return 0;
 }
@@ -1645,8 +1625,8 @@
 }
 int SSL_CTX_set_cipher_list_tls11(SSL_CTX *ctx, const char *str) {
- STACK_OF(SSL_CIPHER) *cipher_list = ssl_create_cipher_list(
- ctx->method, &ctx->cipher_list_tls11, NULL, str);
+ STACK_OF(SSL_CIPHER) *cipher_list =
+ ssl_create_cipher_list(ctx->method, &ctx->cipher_list_tls11, str);
 if (cipher_list == NULL) {
 return 0;
 }
@@ -1661,8 +1641,8 @@
 }
 int SSL_set_cipher_list(SSL *ssl, const char *str) {
- STACK_OF(SSL_CIPHER) *cipher_list = ssl_create_cipher_list(
- ssl->ctx->method, &ssl->cipher_list, &ssl->cipher_list_by_id, str);
+ STACK_OF(SSL_CIPHER) *cipher_list =
+ ssl_create_cipher_list(ssl->ctx->method, &ssl->cipher_list, str);
 if (cipher_list == NULL) {
 return 0;
 }