Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to

a more appropriately licenced file. jsing and doug have rewritten these functions (including the comments) over the past years. ok jsing
author: tb <> 2019-01-21 14:12:13 +0000
committer: tb <> 2019-01-21 14:12:13 +0000
commit: d21bff07f89718efaa729372134210287d078760 (patch)
tree: d91d57f8604ae0900294a1f1c728b95211726bcd /src/lib/libssl/ssl_lib.c
parent: f21a3bd76c1dc4754f327f6fce96c1c3de33219e (diff)
download: openbsd-d21bff07f89718efaa729372134210287d078760.tar.gz
openbsd-d21bff07f89718efaa729372134210287d078760.tar.bz2
openbsd-d21bff07f89718efaa729372134210287d078760.zip
1 files changed, 1 insertions, 115 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 97e0a4479d..e3ab8431ab 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.198 2019/01/21 10:32:58 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.199 2019/01/21 14:12:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1402,120 +1402,6 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
        return (buf);
 }
-int
-ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
-{
-        SSL_CIPHER *cipher;
-        int num_ciphers = 0;
-        uint16_t min_vers, max_vers;
-        int i;
-        if (ciphers == NULL)
-                return 0;
-        if (!ssl_supported_version_range(s, &min_vers, &max_vers))
-                return 0;
-        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
-                if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
-                        return 0;
-                if (!ssl_cipher_is_permitted(cipher, min_vers, max_vers))
-                        continue;
-                if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
-                        return 0;
-                num_ciphers++;
-        }
-        /* Add SCSV if there are other ciphers and we're not renegotiating. */
-        if (num_ciphers > 0 && !s->internal->renegotiate) {
-                if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
-                        return 0;
-        }
-        if (!CBB_flush(cbb))
-                return 0;
-        return 1;
-}
-STACK_OF(SSL_CIPHER) *
-ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
-{
-        STACK_OF(SSL_CIPHER) *ciphers = NULL;
-        const SSL_CIPHER *cipher;
-        uint16_t cipher_value, max_version;
-        unsigned long cipher_id;
-        if (s->s3 != NULL)
-                S3I(s)->send_connection_binding = 0;
-        if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        while (CBS_len(cbs) > 0) {
-                if (!CBS_get_u16(cbs, &cipher_value)) {
-                        SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-                        goto err;
-                }
-                cipher_id = SSL3_CK_ID | cipher_value;
-                if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) {
-                        /*
-                         * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
-                         * renegotiating.
-                         */
-                        if (s->internal->renegotiate) {
-                                SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
-                                ssl3_send_alert(s, SSL3_AL_FATAL,
-                                    SSL_AD_HANDSHAKE_FAILURE);
-                                goto err;
-                        }
-                        S3I(s)->send_connection_binding = 1;
-                        continue;
-                }
-                if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
-                        /*
-                         * TLS_FALLBACK_SCSV indicates that the client
-                         * previously tried a higher protocol version.
-                         * Fail if the current version is an unexpected
-                         * downgrade.
-                         */
-                        max_version = ssl_max_server_version(s);
-                        if (max_version == 0 || s->version < max_version) {
-                                SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
-                                if (s->s3 != NULL)
-                                        ssl3_send_alert(s, SSL3_AL_FATAL,
-                                            SSL_AD_INAPPROPRIATE_FALLBACK);
-                                goto err;
-                        }
-                        continue;
-                }
-                if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
-                        if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
-                                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                                goto err;
-                        }
-                }
-        }
-        return (ciphers);
-err:
-        sk_SSL_CIPHER_free(ciphers);
-        return (NULL);
-}
 /*
 * Return a servername extension value if provided in Client Hello, or NULL.
 * So far, only host_name types are defined (RFC 3546).
author	tb <>	2019-01-21 14:12:13 +0000
committer	tb <>	2019-01-21 14:12:13 +0000
commit	d21bff07f89718efaa729372134210287d078760 (patch)
tree	d91d57f8604ae0900294a1f1c728b95211726bcd /src/lib/libssl/ssl_lib.c
parent	f21a3bd76c1dc4754f327f6fce96c1c3de33219e (diff)
download	openbsd-d21bff07f89718efaa729372134210287d078760.tar.gz openbsd-d21bff07f89718efaa729372134210287d078760.tar.bz2 openbsd-d21bff07f89718efaa729372134210287d078760.zip

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 97e0a4479d..e3ab8431ab 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.198 2019/01/21 10:32:58 tb Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.199 2019/01/21 14:12:13 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1402,120 +1402,6 @@ SSL_get_shared_ciphers(const SSL s, char buf, int len)
1402	return (buf);	1402	return (buf);
1403	}	1403	}
1404		1404
1405	int
1406	ssl_cipher_list_to_bytes(SSL s, STACK_OF(SSL_CIPHER) ciphers, CBB *cbb)
1407	{
1408	SSL_CIPHER *cipher;
1409	int num_ciphers = 0;
1410	uint16_t min_vers, max_vers;
1411	int i;
1412
1413	if (ciphers == NULL)
1414	return 0;
1415
1416	if (!ssl_supported_version_range(s, &min_vers, &max_vers))
1417	return 0;
1418
1419	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1420	if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
1421	return 0;
1422
1423	if (!ssl_cipher_is_permitted(cipher, min_vers, max_vers))
1424	continue;
1425
1426	if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
1427	return 0;
1428
1429	num_ciphers++;
1430	}
1431
1432	/* Add SCSV if there are other ciphers and we're not renegotiating. */
1433	if (num_ciphers > 0 && !s->internal->renegotiate) {
1434	if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
1435	return 0;
1436	}
1437
1438	if (!CBB_flush(cbb))
1439	return 0;
1440
1441	return 1;
1442	}
1443
1444	STACK_OF(SSL_CIPHER) *
1445	ssl_bytes_to_cipher_list(SSL s, CBS cbs)
1446	{
1447	STACK_OF(SSL_CIPHER) *ciphers = NULL;
1448	const SSL_CIPHER *cipher;
1449	uint16_t cipher_value, max_version;
1450	unsigned long cipher_id;
1451
1452	if (s->s3 != NULL)
1453	S3I(s)->send_connection_binding = 0;
1454
1455	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
1456	SSLerror(s, ERR_R_MALLOC_FAILURE);
1457	goto err;
1458	}
1459
1460	while (CBS_len(cbs) > 0) {
1461	if (!CBS_get_u16(cbs, &cipher_value)) {
1462	SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
1463	goto err;
1464	}
1465
1466	cipher_id = SSL3_CK_ID \| cipher_value;
1467
1468	if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) {
1469	/*
1470	* TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
1471	* renegotiating.
1472	*/
1473	if (s->internal->renegotiate) {
1474	SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1475	ssl3_send_alert(s, SSL3_AL_FATAL,
1476	SSL_AD_HANDSHAKE_FAILURE);
1477
1478	goto err;
1479	}
1480	S3I(s)->send_connection_binding = 1;
1481	continue;
1482	}
1483
1484	if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
1485	/*
1486	* TLS_FALLBACK_SCSV indicates that the client
1487	* previously tried a higher protocol version.
1488	* Fail if the current version is an unexpected
1489	* downgrade.
1490	*/
1491	max_version = ssl_max_server_version(s);
1492	if (max_version == 0 \|\| s->version < max_version) {
1493	SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
1494	if (s->s3 != NULL)
1495	ssl3_send_alert(s, SSL3_AL_FATAL,
1496	SSL_AD_INAPPROPRIATE_FALLBACK);
1497	goto err;
1498	}
1499	continue;
1500	}
1501
1502	if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
1503	if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
1504	SSLerror(s, ERR_R_MALLOC_FAILURE);
1505	goto err;
1506	}
1507	}
1508	}
1509
1510	return (ciphers);
1511
1512	err:
1513	sk_SSL_CIPHER_free(ciphers);
1514
1515	return (NULL);
1516	}
1517
1518
1519	/*	1405	/*
1520	* Return a servername extension value if provided in Client Hello, or NULL.	1406	* Return a servername extension value if provided in Client Hello, or NULL.
1521	* So far, only host_name types are defined (RFC 3546).	1407	* So far, only host_name types are defined (RFC 3546).