Pull out the code that identifies if we have an ECC cipher in the cipher

list or if we are negotiating an ECC cipher in the handshake. This dedups some of the existing code and will make the EC extension rewrites easier. ok doug@
author: jsing <> 2017-08-09 22:24:25 +0000
committer: jsing <> 2017-08-09 22:24:25 +0000
commit: cdb6bcf3476378691e071d8d8f473d8b01283221 (patch)
tree: 1411cd5e4c68c90bc574d03deeebaaf9d6145b4d /src/lib/libssl/ssl_lib.c
parent: b172f94f665e55aa2da726f07d8a751a8f88aed8 (diff)
download: openbsd-cdb6bcf3476378691e071d8d8f473d8b01283221.tar.gz
openbsd-cdb6bcf3476378691e071d8d8f473d8b01283221.tar.bz2
openbsd-cdb6bcf3476378691e071d8d8f473d8b01283221.zip
1 files changed, 42 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index c593e7b42b..d933acb32d 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.161 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.162 2017/08/09 22:24:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1259,6 +1259,33 @@ ssl_get_ciphers_by_id(SSL *s)
        return (NULL);
 }
+/* See if we have any ECC cipher suites. */
+int
+ssl_has_ecc_ciphers(SSL *s)
+{
+        STACK_OF(SSL_CIPHER) *ciphers;
+        unsigned long alg_k, alg_a;
+        SSL_CIPHER *cipher;
+        int i;
+        if (s->version == DTLS1_VERSION)
+                return 0;
+        if ((ciphers = SSL_get_ciphers(s)) == NULL)
+                return 0;
+        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
+                cipher = sk_SSL_CIPHER_value(ciphers, i);
+                alg_k = cipher->algorithm_mkey;
+                alg_a = cipher->algorithm_auth;
+                if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
+                        return 1;
+        }
+        return 0;
+}
 /* The old interface to get the same thing as SSL_get_ciphers(). */
 const char *
 SSL_get_cipher_list(const SSL *s, int n)
@@ -2085,6 +2112,20 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        c->valid = 1;
 }
+/* See if this handshake is using an ECC cipher suite. */
+int
+ssl_using_ecc_cipher(SSL *s)
+{
+        unsigned long alg_a, alg_k;
+        alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
+        alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
+        return SSI(s)->tlsext_ecpointformatlist != NULL &&
+            SSI(s)->tlsext_ecpointformatlist_length > 0 &&
+            ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA));
+}
 int
 ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 {
author	jsing <>	2017-08-09 22:24:25 +0000
committer	jsing <>	2017-08-09 22:24:25 +0000
commit	cdb6bcf3476378691e071d8d8f473d8b01283221 (patch)
tree	1411cd5e4c68c90bc574d03deeebaaf9d6145b4d /src/lib/libssl/ssl_lib.c
parent	b172f94f665e55aa2da726f07d8a751a8f88aed8 (diff)
download	openbsd-cdb6bcf3476378691e071d8d8f473d8b01283221.tar.gz openbsd-cdb6bcf3476378691e071d8d8f473d8b01283221.tar.bz2 openbsd-cdb6bcf3476378691e071d8d8f473d8b01283221.zip

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index c593e7b42b..d933acb32d 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.161 2017/05/07 04:22:24 beck Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.162 2017/08/09 22:24:25 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1259,6 +1259,33 @@ ssl_get_ciphers_by_id(SSL *s)
1259	return (NULL);	1259	return (NULL);
1260	}	1260	}
1261		1261
		1262	/* See if we have any ECC cipher suites. */
		1263	int
		1264	ssl_has_ecc_ciphers(SSL *s)
		1265	{
		1266	STACK_OF(SSL_CIPHER) *ciphers;
		1267	unsigned long alg_k, alg_a;
		1268	SSL_CIPHER *cipher;
		1269	int i;
		1270
		1271	if (s->version == DTLS1_VERSION)
		1272	return 0;
		1273	if ((ciphers = SSL_get_ciphers(s)) == NULL)
		1274	return 0;
		1275
		1276	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
		1277	cipher = sk_SSL_CIPHER_value(ciphers, i);
		1278
		1279	alg_k = cipher->algorithm_mkey;
		1280	alg_a = cipher->algorithm_auth;
		1281
		1282	if ((alg_k & SSL_kECDHE) \|\| (alg_a & SSL_aECDSA))
		1283	return 1;
		1284	}
		1285
		1286	return 0;
		1287	}
		1288
1262	/* The old interface to get the same thing as SSL_get_ciphers(). */	1289	/* The old interface to get the same thing as SSL_get_ciphers(). */
1263	const char *	1290	const char *
1264	SSL_get_cipher_list(const SSL *s, int n)	1291	SSL_get_cipher_list(const SSL *s, int n)
@@ -2085,6 +2112,20 @@ ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
2085	c->valid = 1;	2112	c->valid = 1;
2086	}	2113	}
2087		2114
		2115	/* See if this handshake is using an ECC cipher suite. */
		2116	int
		2117	ssl_using_ecc_cipher(SSL *s)
		2118	{
		2119	unsigned long alg_a, alg_k;
		2120
		2121	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
		2122	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
		2123
		2124	return SSI(s)->tlsext_ecpointformatlist != NULL &&
		2125	SSI(s)->tlsext_ecpointformatlist_length > 0 &&
		2126	((alg_k & SSL_kECDHE) \|\| (alg_a & SSL_aECDSA));
		2127	}
		2128
2088	int	2129	int
2089	ssl_check_srvr_ecc_cert_and_alg(X509 x, SSL s)	2130	ssl_check_srvr_ecc_cert_and_alg(X509 x, SSL s)
2090	{	2131	{