Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to

a more appropriately licenced file.  jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing

2 files changed, 120 insertions, 116 deletions

diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 081a35ddb2..374cb6684e 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,5 +1,7 @@
-/*      $OpenBSD: ssl_ciphers.c,v 1.1 2019/01/21 10:28:52 tb Exp $ */
+/*      $OpenBSD: ssl_ciphers.c,v 1.2 2019/01/21 14:12:13 tb Exp $ */
 /*
+ * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
+ * Copyright (c) 2015-2018 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -15,6 +17,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#include <openssl/safestack.h>
+
+#include "bytestring.h"
 #include "ssl_locl.h"
 
 int
@@ -42,3 +47,116 @@ ssl_cipher_is_permitted(const SSL_CIPHER *cipher, uint16_t min_ver,
 
         return 0;
 }
+
+int
+ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
+{
+        SSL_CIPHER *cipher;
+        int num_ciphers = 0;
+        uint16_t min_vers, max_vers;
+        int i;
+
+        if (ciphers == NULL)
+                return 0;
+
+        if (!ssl_supported_version_range(s, &min_vers, &max_vers))
+                return 0;
+
+        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
+                if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
+                        return 0;
+
+                if (!ssl_cipher_is_permitted(cipher, min_vers, max_vers))
+                        continue;
+
+                if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
+                        return 0;
+
+                num_ciphers++;
+        }
+
+        /* Add SCSV if there are other ciphers and we're not renegotiating. */
+        if (num_ciphers > 0 && !s->internal->renegotiate) {
+                if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
+                        return 0;
+        }
+
+        if (!CBB_flush(cbb))
+                return 0;
+
+        return 1;
+}
+
+STACK_OF(SSL_CIPHER) *
+ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
+{
+        STACK_OF(SSL_CIPHER) *ciphers = NULL;
+        const SSL_CIPHER *cipher;
+        uint16_t cipher_value, max_version;
+        unsigned long cipher_id;
+
+        if (s->s3 != NULL)
+                S3I(s)->send_connection_binding = 0;
+
+        if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
+                SSLerror(s, ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+
+        while (CBS_len(cbs) > 0) {
+                if (!CBS_get_u16(cbs, &cipher_value)) {
+                        SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
+                        goto err;
+                }
+
+                cipher_id = SSL3_CK_ID | cipher_value;
+
+                if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) {
+                        /*
+                         * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
+                         * renegotiating.
+                         */
+                        if (s->internal->renegotiate) {
+                                SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+                                ssl3_send_alert(s, SSL3_AL_FATAL,
+                                    SSL_AD_HANDSHAKE_FAILURE);
+
+                                goto err;
+                        }
+                        S3I(s)->send_connection_binding = 1;
+                        continue;
+                }
+
+                if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
+                        /*
+                         * TLS_FALLBACK_SCSV indicates that the client
+                         * previously tried a higher protocol version.
+                         * Fail if the current version is an unexpected
+                         * downgrade.
+                         */
+                        max_version = ssl_max_server_version(s);
+                        if (max_version == 0 || s->version < max_version) {
+                                SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
+                                if (s->s3 != NULL)
+                                        ssl3_send_alert(s, SSL3_AL_FATAL,
+                                            SSL_AD_INAPPROPRIATE_FALLBACK);
+                                goto err;
+                        }
+                        continue;
+                }
+
+                if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
+                        if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
+                                SSLerror(s, ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
+                }
+        }
+
+        return (ciphers);
+
+ err:
+        sk_SSL_CIPHER_free(ciphers);
+
+        return (NULL);
+}
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 97e0a4479d..e3ab8431ab 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.198 2019/01/21 10:32:58 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.199 2019/01/21 14:12:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1402,120 +1402,6 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
         return (buf);
 }
 
-int
-ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
-{
-        SSL_CIPHER *cipher;
-        int num_ciphers = 0;
-        uint16_t min_vers, max_vers;
-        int i;
-
-        if (ciphers == NULL)
-                return 0;
-
-        if (!ssl_supported_version_range(s, &min_vers, &max_vers))
-                return 0;
-
-        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
-                if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
-                        return 0;
-
-                if (!ssl_cipher_is_permitted(cipher, min_vers, max_vers))
-                        continue;
-
-                if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
-                        return 0;
-
-                num_ciphers++;
-        }
-
-        /* Add SCSV if there are other ciphers and we're not renegotiating. */
-        if (num_ciphers > 0 && !s->internal->renegotiate) {
-                if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
-                        return 0;
-        }
-
-        if (!CBB_flush(cbb))
-                return 0;
-
-        return 1;
-}
-
-STACK_OF(SSL_CIPHER) *
-ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
-{
-        STACK_OF(SSL_CIPHER) *ciphers = NULL;
-        const SSL_CIPHER *cipher;
-        uint16_t cipher_value, max_version;
-        unsigned long cipher_id;
-
-        if (s->s3 != NULL)
-                S3I(s)->send_connection_binding = 0;
-
-        if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-
-        while (CBS_len(cbs) > 0) {
-                if (!CBS_get_u16(cbs, &cipher_value)) {
-                        SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-                        goto err;
-                }
-
-                cipher_id = SSL3_CK_ID | cipher_value;
-
-                if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) {
-                        /*
-                         * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
-                         * renegotiating.
-                         */
-                        if (s->internal->renegotiate) {
-                                SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
-                                ssl3_send_alert(s, SSL3_AL_FATAL,
-                                    SSL_AD_HANDSHAKE_FAILURE);
-
-                                goto err;
-                        }
-                        S3I(s)->send_connection_binding = 1;
-                        continue;
-                }
-
-                if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
-                        /*
-                         * TLS_FALLBACK_SCSV indicates that the client
-                         * previously tried a higher protocol version.
-                         * Fail if the current version is an unexpected
-                         * downgrade.
-                         */
-                        max_version = ssl_max_server_version(s);
-                        if (max_version == 0 || s->version < max_version) {
-                                SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
-                                if (s->s3 != NULL)
-                                        ssl3_send_alert(s, SSL3_AL_FATAL,
-                                            SSL_AD_INAPPROPRIATE_FALLBACK);
-                                goto err;
-                        }
-                        continue;
-                }
-
-                if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
-                        if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
-                                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                                goto err;
-                        }
-                }
-        }
-
-        return (ciphers);
-
-err:
-        sk_SSL_CIPHER_free(ciphers);
-
-        return (NULL);
-}
-
-
 /*
  * Return a servername extension value if provided in Client Hello, or NULL.
  * So far, only host_name types are defined (RFC 3546).