Now that ssl_bytes_to_cipher_list is uninteresting, it can be an implementation detail of ssl3_choose_cipher. This removes a tiny amount of duplicated TLS 1.2 / TLS 1.3 code. Change-Id: I116a6bb08bbc43da573d4b7b5626c556e1a7452d Reviewed-on: https://boringssl-review.googlesource.com/10221 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>kris/onging/CECPQ3_patch15
@@ -553,7 +553,6 @@ int ssl_client_cipher_list_contains_cipher( | |||||
static int ssl3_get_client_hello(SSL *ssl) { | static int ssl3_get_client_hello(SSL *ssl) { | ||||
int al = SSL_AD_INTERNAL_ERROR, ret = -1; | int al = SSL_AD_INTERNAL_ERROR, ret = -1; | ||||
const SSL_CIPHER *c; | const SSL_CIPHER *c; | ||||
STACK_OF(SSL_CIPHER) *ciphers = NULL; | |||||
SSL_SESSION *session = NULL; | SSL_SESSION *session = NULL; | ||||
if (ssl->state == SSL3_ST_SR_CLNT_HELLO_A) { | if (ssl->state == SSL3_ST_SR_CLNT_HELLO_A) { | ||||
@@ -729,32 +728,13 @@ static int ssl3_get_client_hello(SSL *ssl) { | |||||
goto f_err; | goto f_err; | ||||
} | } | ||||
ciphers = ssl_parse_client_cipher_list(&client_hello); | |||||
if (ciphers == NULL) { | |||||
goto err; | |||||
} | |||||
/* If it is a hit, check that the cipher is in the list. */ | /* If it is a hit, check that the cipher is in the list. */ | ||||
if (ssl->session != NULL) { | |||||
size_t j; | |||||
int found_cipher = 0; | |||||
uint32_t id = ssl->session->cipher->id; | |||||
for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) { | |||||
c = sk_SSL_CIPHER_value(ciphers, j); | |||||
if (c->id == id) { | |||||
found_cipher = 1; | |||||
break; | |||||
} | |||||
} | |||||
if (!found_cipher) { | |||||
/* we need to have the cipher in the cipher list if we are asked to reuse | |||||
* it */ | |||||
al = SSL_AD_ILLEGAL_PARAMETER; | |||||
OPENSSL_PUT_ERROR(SSL, SSL_R_REQUIRED_CIPHER_MISSING); | |||||
goto f_err; | |||||
} | |||||
if (ssl->session != NULL && | |||||
!ssl_client_cipher_list_contains_cipher( | |||||
&client_hello, (uint16_t)ssl->session->cipher->id)) { | |||||
al = SSL_AD_ILLEGAL_PARAMETER; | |||||
OPENSSL_PUT_ERROR(SSL, SSL_R_REQUIRED_CIPHER_MISSING); | |||||
goto f_err; | |||||
} | } | ||||
/* Only null compression is supported. */ | /* Only null compression is supported. */ | ||||
@@ -792,13 +772,14 @@ static int ssl3_get_client_hello(SSL *ssl) { | |||||
goto err; | goto err; | ||||
} | } | ||||
} | } | ||||
c = ssl3_choose_cipher(ssl, ciphers, ssl_get_cipher_preferences(ssl)); | |||||
c = ssl3_choose_cipher(ssl, &client_hello, ssl_get_cipher_preferences(ssl)); | |||||
if (c == NULL) { | if (c == NULL) { | ||||
al = SSL_AD_HANDSHAKE_FAILURE; | al = SSL_AD_HANDSHAKE_FAILURE; | ||||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); | ||||
goto f_err; | goto f_err; | ||||
} | } | ||||
ssl->s3->new_session->cipher = c; | ssl->s3->new_session->cipher = c; | ||||
ssl->s3->tmp.new_cipher = c; | ssl->s3->tmp.new_cipher = c; | ||||
@@ -837,7 +818,6 @@ static int ssl3_get_client_hello(SSL *ssl) { | |||||
} | } | ||||
err: | err: | ||||
sk_SSL_CIPHER_free(ciphers); | |||||
SSL_SESSION_free(session); | SSL_SESSION_free(session); | ||||
return ret; | return ret; | ||||
} | } | ||||
@@ -1306,8 +1306,8 @@ int ssl3_write_app_data(SSL *ssl, const void *buf, int len); | |||||
int ssl3_write_bytes(SSL *ssl, int type, const void *buf, int len); | int ssl3_write_bytes(SSL *ssl, int type, const void *buf, int len); | ||||
int ssl3_output_cert_chain(SSL *ssl); | int ssl3_output_cert_chain(SSL *ssl); | ||||
const SSL_CIPHER *ssl3_choose_cipher( | const SSL_CIPHER *ssl3_choose_cipher( | ||||
SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, | |||||
struct ssl_cipher_preference_list_st *srvr); | |||||
SSL *ssl, const struct ssl_early_callback_ctx *client_hello, | |||||
const struct ssl_cipher_preference_list_st *srvr); | |||||
int ssl3_new(SSL *ssl); | int ssl3_new(SSL *ssl); | ||||
void ssl3_free(SSL *ssl); | void ssl3_free(SSL *ssl); | ||||
@@ -248,8 +248,8 @@ struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(SSL *ssl) { | |||||
} | } | ||||
const SSL_CIPHER *ssl3_choose_cipher( | const SSL_CIPHER *ssl3_choose_cipher( | ||||
SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, | |||||
struct ssl_cipher_preference_list_st *server_pref) { | |||||
SSL *ssl, const struct ssl_early_callback_ctx *client_hello, | |||||
const struct ssl_cipher_preference_list_st *server_pref) { | |||||
const SSL_CIPHER *c, *ret = NULL; | const SSL_CIPHER *c, *ret = NULL; | ||||
STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow; | STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow; | ||||
size_t i; | size_t i; | ||||
@@ -265,6 +265,11 @@ const SSL_CIPHER *ssl3_choose_cipher( | |||||
* such value exists yet. */ | * such value exists yet. */ | ||||
int group_min = -1; | int group_min = -1; | ||||
STACK_OF(SSL_CIPHER) *clnt = ssl_parse_client_cipher_list(client_hello); | |||||
if (clnt == NULL) { | |||||
return NULL; | |||||
} | |||||
if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { | if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { | ||||
prio = srvr; | prio = srvr; | ||||
in_group_flags = server_pref->in_group_flags; | in_group_flags = server_pref->in_group_flags; | ||||
@@ -317,6 +322,7 @@ const SSL_CIPHER *ssl3_choose_cipher( | |||||
} | } | ||||
} | } | ||||
sk_SSL_CIPHER_free(clnt); | |||||
return ret; | return ret; | ||||
} | } | ||||
@@ -166,14 +166,8 @@ static enum ssl_hs_wait_t do_process_client_hello(SSL *ssl, SSL_HANDSHAKE *hs) { | |||||
} | } | ||||
} | } | ||||
STACK_OF(SSL_CIPHER) *ciphers = ssl_parse_client_cipher_list(&client_hello); | |||||
if (ciphers == NULL) { | |||||
return ssl_hs_error; | |||||
} | |||||
const SSL_CIPHER *cipher = | const SSL_CIPHER *cipher = | ||||
ssl3_choose_cipher(ssl, ciphers, ssl_get_cipher_preferences(ssl)); | |||||
sk_SSL_CIPHER_free(ciphers); | |||||
ssl3_choose_cipher(ssl, &client_hello, ssl_get_cipher_preferences(ssl)); | |||||
if (cipher == NULL) { | if (cipher == NULL) { | ||||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); | ||||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); | ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); | ||||