summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--lib/libssl/ssl_lib.c43
-rw-r--r--lib/libssl/ssl_locl.h4
-rw-r--r--lib/libssl/t1_lib.c39
3 files changed, 52 insertions, 34 deletions
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index c593e7b42bc..d933acb32d1 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.161 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.162 2017/08/09 22:24:25 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1259,6 +1259,33 @@ ssl_get_ciphers_by_id(SSL *s)
return (NULL);
}
+/* See if we have any ECC cipher suites. */
+int
+ssl_has_ecc_ciphers(SSL *s)
+{
+ STACK_OF(SSL_CIPHER) *ciphers;
+ unsigned long alg_k, alg_a;
+ SSL_CIPHER *cipher;
+ int i;
+
+ if (s->version == DTLS1_VERSION)
+ return 0;
+ if ((ciphers = SSL_get_ciphers(s)) == NULL)
+ return 0;
+
+ for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
+ cipher = sk_SSL_CIPHER_value(ciphers, i);
+
+ alg_k = cipher->algorithm_mkey;
+ alg_a = cipher->algorithm_auth;
+
+ if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
+ return 1;
+ }
+
+ return 0;
+}
+
/* The old interface to get the same thing as SSL_get_ciphers(). */
const char *
SSL_get_cipher_list(const SSL *s, int n)
@@ -2085,6 +2112,20 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
c->valid = 1;
}
+/* See if this handshake is using an ECC cipher suite. */
+int
+ssl_using_ecc_cipher(SSL *s)
+{
+ unsigned long alg_a, alg_k;
+
+ alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
+ alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
+
+ return SSI(s)->tlsext_ecpointformatlist != NULL &&
+ SSI(s)->tlsext_ecpointformatlist_length > 0 &&
+ ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA));
+}
+
int
ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
{
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 0d489204710..f98ce681a24 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.182 2017/07/24 17:10:31 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.183 2017/08/09 22:24:25 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1127,6 +1127,7 @@ DH *ssl_get_auto_dh(SSL *s);
int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
+int ssl_has_ecc_ciphers(SSL *s);
int ssl_verify_alarm_type(long type);
void ssl_load_ciphers(void);
@@ -1312,6 +1313,7 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
int tls1_alert_code(int code);
int ssl_ok(SSL *s);
+int ssl_using_ecc_cipher(SSL *s);
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
int tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index b061bd11006..ea44e7579a8 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.122 2017/07/24 17:39:43 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.123 2017/08/09 22:24:25 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -679,28 +679,11 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
{
int extdatalen = 0;
unsigned char *ret = p;
- int using_ecc = 0;
+ int using_ecc;
size_t len;
CBB cbb;
- /* See if we support any ECC ciphersuites. */
- if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION) {
- STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
- unsigned long alg_k, alg_a;
- int i;
-
- for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
- SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
-
- alg_k = c->algorithm_mkey;
- alg_a = c->algorithm_auth;
-
- if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) {
- using_ecc = 1;
- break;
- }
- }
- }
+ using_ecc = ssl_has_ecc_ciphers(s);
ret += 2;
if (ret >= limit)
@@ -954,16 +937,12 @@ unsigned char *
ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
{
int using_ecc, extdatalen = 0;
- unsigned long alg_a, alg_k;
unsigned char *ret = p;
int next_proto_neg_seen;
size_t len;
CBB cbb;
- alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
- alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
- using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) &&
- SSI(s)->tlsext_ecpointformatlist != NULL;
+ using_ecc = ssl_using_ecc_cipher(s);
ret += 2;
if (ret >= limit)
@@ -1809,13 +1788,9 @@ ssl_check_serverhello_tlsext(SSL *s)
* suite, then if server returns an EC point formats lists extension
* it must contain uncompressed.
*/
- unsigned long alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
- unsigned long alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
- if ((s->internal->tlsext_ecpointformatlist != NULL) &&
- (s->internal->tlsext_ecpointformatlist_length > 0) &&
- (SSI(s)->tlsext_ecpointformatlist != NULL) &&
- (SSI(s)->tlsext_ecpointformatlist_length > 0) &&
- ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
+ if (ssl_using_ecc_cipher(s) &&
+ s->internal->tlsext_ecpointformatlist != NULL &&
+ s->internal->tlsext_ecpointformatlist_length > 0) {
/* we are using an ECC cipher */
size_t i;
unsigned char *list;
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-13 09:23:17 +0000