From e9fa092efca0afbf99bb575193f69e3f8a938f02 Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Fri, 18 Sep 2015 15:00:37 +0200 Subject: [PATCH] Remove ssl_put_cipher_by_char Since SSLv3, a CipherSuite is always 2 bytes. The only place where we need 3-byte ciphers is SSLv2-compatible ClientHello processing. So, remove the ssl_put_cipher_by_char indirection. Reviewed-by: Rich Salz --- ssl/s3_clnt.c | 25 +++++++++---------------- ssl/s3_srvr.c | 2 +- ssl/ssl_lib.c | 5 +++-- ssl/ssl_locl.h | 5 +++-- 4 files changed, 16 insertions(+), 21 deletions(-) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 7cfff635f0..036a531d7c 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -167,9 +167,7 @@ static int ssl_set_version(SSL *s); static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); static int ssl3_check_change(SSL *s); static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, - unsigned char *p, - int (*put_cb) (const SSL_CIPHER *, - unsigned char *)); + unsigned char *p); int ssl3_connect(SSL *s) @@ -862,7 +860,7 @@ int ssl3_client_hello(SSL *s) } /* Ciphers supported */ - i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0); + i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2])); if (i == 0) { SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); goto err; @@ -933,7 +931,7 @@ int ssl3_get_server_hello(SSL *s) PACKET pkt; unsigned char *session_id, *cipherchars; int i, al = SSL_AD_INTERNAL_ERROR, ok; - unsigned int j, ciphercharlen; + unsigned int j; long n; #ifndef OPENSSL_NO_COMP SSL_COMP *comp; @@ -1086,7 +1084,6 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } - ciphercharlen = ssl_put_cipher_by_char(s, NULL, NULL); /* * Check if we can resume the session based on external pre-shared secret. * EAP-FAST (RFC 4851) supports two types of session resumption. @@ -1104,7 +1101,7 @@ int ssl3_get_server_hello(SSL *s) SSL_CIPHER *pref_cipher = NULL; PACKET bookmark = pkt; if (!PACKET_forward(&pkt, j) - || !PACKET_get_bytes(&pkt, &cipherchars, ciphercharlen)) { + || !PACKET_get_bytes(&pkt, &cipherchars, TLS_CIPHER_LEN)) { SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); al = SSL_AD_DECODE_ERROR; goto f_err; @@ -1159,7 +1156,7 @@ int ssl3_get_server_hello(SSL *s) memcpy(s->session->session_id, session_id, j); /* j could be 0 */ } - if (!PACKET_get_bytes(&pkt, &cipherchars, ciphercharlen)) { + if (!PACKET_get_bytes(&pkt, &cipherchars, TLS_CIPHER_LEN)) { SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); al = SSL_AD_DECODE_ERROR; goto f_err; @@ -3499,9 +3496,7 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) } int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, - unsigned char *p, - int (*put_cb) (const SSL_CIPHER *, - unsigned char *)) + unsigned char *p) { int i, j = 0; SSL_CIPHER *c; @@ -3513,8 +3508,6 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, if (sk == NULL) return (0); q = p; - if (put_cb == NULL) - put_cb = s->method->put_cipher_by_char; for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { c = sk_SSL_CIPHER_value(sk, i); @@ -3529,7 +3522,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, empty_reneg_info_scsv = 0; } #endif - j = put_cb(c, p); + j = s->method->put_cipher_by_char(c, p); p += j; } /* @@ -3541,7 +3534,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, static SSL_CIPHER scsv = { 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; - j = put_cb(&scsv, p); + j = s->method->put_cipher_by_char(&scsv, p); p += j; #ifdef OPENSSL_RI_DEBUG fprintf(stderr, @@ -3552,7 +3545,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, static SSL_CIPHER scsv = { 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; - j = put_cb(&scsv, p); + j = s->method->put_cipher_by_char(&scsv, p); p += j; } } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index aea72794ef..f771bd9eee 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -3520,7 +3520,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, if(sslv2format) { n = SSLV2_CIPHER_LEN; } else { - n = ssl_put_cipher_by_char(s, NULL, NULL); + n = TLS_CIPHER_LEN; } if (n == 0 || (num % n) != 0) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e794d82058..6d1e4e8064 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1078,8 +1078,9 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) return 0; *(unsigned char **)parg = s->s3->tmp.ciphers_raw; return (int)s->s3->tmp.ciphers_rawlen; - } else - return ssl_put_cipher_by_char(s, NULL, NULL); + } else { + return TLS_CIPHER_LEN; + } case SSL_CTRL_GET_EXTMS_SUPPORT: if (!s->session || SSL_in_init(s) || s->in_handshake) return -1; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 083ced3927..32e6338adc 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -528,6 +528,9 @@ #define CERT_PRIVATE_KEY 2 */ + +/* CipherSuite length. SSLv3 and all TLS versions. */ +#define TLS_CIPHER_LEN 2 /* used to hold info on the particular ciphers used */ struct ssl_cipher_st { int valid; @@ -1641,8 +1644,6 @@ struct tls_sigalgs_st { */ # define FP_ICC (int (*)(const void *,const void *)) -# define ssl_put_cipher_by_char(ssl,ciph,ptr) \ - ((ssl)->method->put_cipher_by_char((ciph),(ptr))) /* * This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff It is a bit