2 files changed, 99 insertions, 30 deletions
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 6e4eb403cd..35fa4c693c 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.420 2022/08/17 18:42:13 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.421 2022/08/17 18:45:25 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1527,7 +1527,9 @@ int tls1_ec_group_id2nid(uint16_t group_id, int *out_nid);
 int tls1_ec_group_id2bits(uint16_t group_id, int *out_bits);
 int tls1_ec_nid2group_id(int nid, uint16_t *out_group_id);
 int tls1_check_group(SSL *s, uint16_t group_id);
-int tls1_get_supported_group(SSL *s, int *group_nid);
+int tls1_count_shared_groups(const SSL *ssl, size_t *out_count);
+int tls1_get_shared_group_by_index(const SSL *ssl, size_t n, int *out_nid);
+int tls1_get_supported_group(const SSL *s, int *out_nid);
 int ssl_check_clienthello_tlsext_early(SSL *s);
 int ssl_check_clienthello_tlsext_late(SSL *s);
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 049a55288d..355c9827ef 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.194 2022/08/17 18:42:13 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.195 2022/08/17 18:45:25 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -441,6 +441,100 @@ tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups,
        }
 }
+static int
+tls1_get_group_lists(const SSL *ssl, const uint16_t **pref, size_t *preflen,
+    const uint16_t **supp, size_t *supplen)
+{
+        unsigned long server_pref;
+        /* Cannot do anything on the client side. */
+        if (!ssl->server)
+                return 0;
+        server_pref = (ssl->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
+        tls1_get_group_list(ssl, (server_pref == 0), pref, preflen);
+        tls1_get_group_list(ssl, (server_pref != 0), supp, supplen);
+        return 1;
+}
+static int
+tls1_group_id_present(uint16_t group_id, const uint16_t *list, size_t list_len)
+{
+        size_t i;
+        for (i = 0; i < list_len; i++) {
+                if (group_id == list[i])
+                        return 1;
+        }
+        return 0;
+}
+int
+tls1_count_shared_groups(const SSL *ssl, size_t *out_count)
+{
+        size_t count, preflen, supplen, i;
+        const uint16_t *pref, *supp;
+        if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
+                return 0;
+        count = 0;
+        for (i = 0; i < preflen; i++) {
+                if (!tls1_group_id_present(pref[i], supp, supplen))
+                        continue;
+                if (!ssl_security_shared_group(ssl, pref[i]))
+                        continue;
+                count++;
+        }
+        *out_count = count;
+        return 1;
+}
+static int
+tls1_group_by_index(const SSL *ssl, size_t n, int *out_nid,
+    int (*ssl_security_fn)(const SSL *, uint16_t))
+{
+        size_t count, preflen, supplen, i;
+        const uint16_t *pref, *supp;
+        if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
+                return 0;
+        count = 0;
+        for (i = 0; i < preflen; i++) {
+                if (!tls1_group_id_present(pref[i], supp, supplen))
+                        continue;
+                if (!ssl_security_fn(ssl, pref[i]))
+                        continue;
+                if (count++ == n)
+                        return tls1_ec_group_id2nid(pref[i], out_nid);
+        }
+        return 0;
+}
+int
+tls1_get_shared_group_by_index(const SSL *ssl, size_t index, int *out_nid)
+{
+        return tls1_group_by_index(ssl, index, out_nid,
+            ssl_security_shared_group);
+}
+int
+tls1_get_supported_group(const SSL *ssl, int *out_nid)
+{
+        return tls1_group_by_index(ssl, 0, out_nid,
+            ssl_security_supported_group);
+}
 int
 tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
    const int *groups, size_t ngroups)
@@ -530,33 +624,6 @@ tls1_check_group(SSL *s, uint16_t group_id)
        return 0;
 }
-int
-tls1_get_supported_group(SSL *s, int *out_nid)
-{
-        size_t preflen, supplen, i, j;
-        const uint16_t *pref, *supp;
-        unsigned long server_pref;
-        /* Cannot do anything on the client side. */
-        if (s->server == 0)
-                return 0;
-        /* Return first preference supported group. */
-        server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
-        tls1_get_group_list(s, (server_pref == 0), &pref, &preflen);
-        tls1_get_group_list(s, (server_pref != 0), &supp, &supplen);
-        for (i = 0; i < preflen; i++) {
-                if (!ssl_security_supported_group(s, pref[i]))
-                        continue;
-                for (j = 0; j < supplen; j++) {
-                        if (pref[i] == supp[j])
-                                return tls1_ec_group_id2nid(pref[i], out_nid);
-                }
-        }
-        return 0;
-}
 /* For an EC key set TLS ID and required compression based on parameters. */
 static int
 tls1_set_ec_id(uint16_t *group_id, uint8_t *comp_id, EC_KEY *ec)

diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 6e4eb403cd..35fa4c693c 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.420 2022/08/17 18:42:13 tb Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.421 2022/08/17 18:45:25 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1527,7 +1527,9 @@ int tls1_ec_group_id2nid(uint16_t group_id, int *out_nid);
1527	int tls1_ec_group_id2bits(uint16_t group_id, int *out_bits);	1527	int tls1_ec_group_id2bits(uint16_t group_id, int *out_bits);
1528	int tls1_ec_nid2group_id(int nid, uint16_t *out_group_id);	1528	int tls1_ec_nid2group_id(int nid, uint16_t *out_group_id);
1529	int tls1_check_group(SSL *s, uint16_t group_id);	1529	int tls1_check_group(SSL *s, uint16_t group_id);
1530	int tls1_get_supported_group(SSL s, int group_nid);	1530	int tls1_count_shared_groups(const SSL ssl, size_t out_count);
		1531	int tls1_get_shared_group_by_index(const SSL ssl, size_t n, int out_nid);
		1532	int tls1_get_supported_group(const SSL s, int out_nid);
1531		1533
1532	int ssl_check_clienthello_tlsext_early(SSL *s);	1534	int ssl_check_clienthello_tlsext_early(SSL *s);
1533	int ssl_check_clienthello_tlsext_late(SSL *s);	1535	int ssl_check_clienthello_tlsext_late(SSL *s);


diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 049a55288d..355c9827ef 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.194 2022/08/17 18:42:13 tb Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.195 2022/08/17 18:45:25 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -441,6 +441,100 @@ tls1_get_group_list(const SSL s, int client_groups, const uint16_t *pgroups,
441	}	441	}
442	}	442	}
443		443
		444	static int
		445	tls1_get_group_lists(const SSL ssl, const uint16_t pref, size_t preflen,
		446	const uint16_t *supp, size_t supplen)
		447	{
		448	unsigned long server_pref;
		449
		450	/* Cannot do anything on the client side. */
		451	if (!ssl->server)
		452	return 0;
		453
		454	server_pref = (ssl->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
		455	tls1_get_group_list(ssl, (server_pref == 0), pref, preflen);
		456	tls1_get_group_list(ssl, (server_pref != 0), supp, supplen);
		457
		458	return 1;
		459	}
		460
		461	static int
		462	tls1_group_id_present(uint16_t group_id, const uint16_t *list, size_t list_len)
		463	{
		464	size_t i;
		465
		466	for (i = 0; i < list_len; i++) {
		467	if (group_id == list[i])
		468	return 1;
		469	}
		470
		471	return 0;
		472	}
		473
		474	int
		475	tls1_count_shared_groups(const SSL ssl, size_t out_count)
		476	{
		477	size_t count, preflen, supplen, i;
		478	const uint16_t pref, supp;
		479
		480	if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
		481	return 0;
		482
		483	count = 0;
		484	for (i = 0; i < preflen; i++) {
		485	if (!tls1_group_id_present(pref[i], supp, supplen))
		486	continue;
		487
		488	if (!ssl_security_shared_group(ssl, pref[i]))
		489	continue;
		490
		491	count++;
		492	}
		493
		494	*out_count = count;
		495
		496	return 1;
		497	}
		498
		499	static int
		500	tls1_group_by_index(const SSL ssl, size_t n, int out_nid,
		501	int (ssl_security_fn)(const SSL , uint16_t))
		502	{
		503	size_t count, preflen, supplen, i;
		504	const uint16_t pref, supp;
		505
		506	if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen))
		507	return 0;
		508
		509	count = 0;
		510	for (i = 0; i < preflen; i++) {
		511	if (!tls1_group_id_present(pref[i], supp, supplen))
		512	continue;
		513
		514	if (!ssl_security_fn(ssl, pref[i]))
		515	continue;
		516
		517	if (count++ == n)
		518	return tls1_ec_group_id2nid(pref[i], out_nid);
		519	}
		520
		521	return 0;
		522	}
		523
		524	int
		525	tls1_get_shared_group_by_index(const SSL ssl, size_t index, int out_nid)
		526	{
		527	return tls1_group_by_index(ssl, index, out_nid,
		528	ssl_security_shared_group);
		529	}
		530
		531	int
		532	tls1_get_supported_group(const SSL ssl, int out_nid)
		533	{
		534	return tls1_group_by_index(ssl, 0, out_nid,
		535	ssl_security_supported_group);
		536	}
		537
444	int	538	int
445	tls1_set_groups(uint16_t *out_group_ids, size_t out_group_ids_len,	539	tls1_set_groups(uint16_t *out_group_ids, size_t out_group_ids_len,
446	const int *groups, size_t ngroups)	540	const int *groups, size_t ngroups)
@@ -530,33 +624,6 @@ tls1_check_group(SSL *s, uint16_t group_id)
530	return 0;	624	return 0;
531	}	625	}
532		626
533	int
534	tls1_get_supported_group(SSL s, int out_nid)
535	{
536	size_t preflen, supplen, i, j;
537	const uint16_t pref, supp;
538	unsigned long server_pref;
539
540	/* Cannot do anything on the client side. */
541	if (s->server == 0)
542	return 0;
543
544	/* Return first preference supported group. */
545	server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
546	tls1_get_group_list(s, (server_pref == 0), &pref, &preflen);
547	tls1_get_group_list(s, (server_pref != 0), &supp, &supplen);
548
549	for (i = 0; i < preflen; i++) {
550	if (!ssl_security_supported_group(s, pref[i]))
551	continue;
552	for (j = 0; j < supplen; j++) {
553	if (pref[i] == supp[j])
554	return tls1_ec_group_id2nid(pref[i], out_nid);
555	}
556	}
557	return 0;
558	}
559
560	/* For an EC key set TLS ID and required compression based on parameters. */	627	/* For an EC key set TLS ID and required compression based on parameters. */
561	static int	628	static int
562	tls1_set_ec_id(uint16_t group_id, uint8_t comp_id, EC_KEY *ec)	629	tls1_set_ec_id(uint16_t group_id, uint8_t comp_id, EC_KEY *ec)