author | Dr. Stephen Henson <steve@openssl.org> | 2017-09-26 16:17:44 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2017-10-06 19:09:51 +0100 |
commit | 6447e8184cf6deca233d38ab3e9c9aa6ba60e9a5 (patch) | |
tree | 598c893b8d0d442b14dc50e667177fd1c2df802b /ssl/t1_lib.c | |
parent | f48d826e33cac6f88cf41da0af9f54a287bdbadd (diff) | |
Merge tls1_check_curve into tls1_check_group_id
The function tls1_check_curve is only called on clients and contains
almost identical functionality to tls1_check_group_id when called from
a client. Merge the two.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r-- | ssl/t1_lib.c | 50 |
1 files changed, 19 insertions, 31 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 9582e21..bb097ed 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -268,34 +268,6 @@ static int tls1_in_list(uint16_t id, const uint16_t *list, size_t listlen)
 return 0;
 }
 
-/* Check a curve is one of our preferences */
-int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
-{
- const uint16_t *curves;
- size_t num_curves;
- uint16_t curve_id;
-
- if (len != 3 || p[0] != NAMED_CURVE_TYPE)
- return 0;
- curve_id = (p[1] << 8) | p[2];
- /* Check curve matches Suite B preferences */
- if (tls1_suiteb(s)) {
- unsigned long cid = s->s3->tmp.new_cipher->id;
- if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
- if (curve_id != TLSEXT_curve_P_256)
- return 0;
- } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
- if (curve_id != TLSEXT_curve_P_384)
- return 0;
- } else /* Should never happen */
- return 0;
- }
- tls1_get_supported_groups(s, &curves, &num_curves);
- if (!tls1_in_list(curve_id, curves, num_curves))
- return 0;
- return tls_curve_allowed(s, curve_id, SSL_SECOP_CURVE_CHECK);
-}
-
 /*-
 * For nmatch >= 0, return the id of the |nmatch|th shared group or 0
 * if there is no match.
@@ -493,7 +465,7 @@ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
 }
 
 /* Check a group id matches preferences */
-static int tls1_check_group_id(SSL *s, uint16_t group_id)
+int tls1_check_group_id(SSL *s, uint16_t group_id)
 {
 const uint16_t *groups;
 size_t groups_len;
@@ -501,14 +473,30 @@ static int tls1_check_group_id(SSL *s, uint16_t group_id)
 if (group_id == 0)
 return 0;
 
- if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
- return 0;
+ /* Check for Suite B compliance */
+ if (tls1_suiteb(s) && s->s3->tmp.new_cipher != NULL) {
+ unsigned long cid = s->s3->tmp.new_cipher->id;
+
+ if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
+ if (group_id != TLSEXT_curve_P_256)
+ return 0;
+ } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
+ if (group_id != TLSEXT_curve_P_384)
+ return 0;
+ } else {
+ /* Should never happen */
+ return 0;
+ }
+ }
 
 /* Check group is one of our preferences */
 tls1_get_supported_groups(s, &groups, &groups_len);
 if (!tls1_in_list(group_id, groups, groups_len))
 return 0;
 
+ if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
+ return 0;
+
 /* For clients, nothing more to check */
 if (!s->server)
 return 1; |
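Review bot: The Suite B branch is skipped whenever `s->s3->tmp.new_cipher` is NULL, so with Suite B enabled and no cipher selected yet the group is judged only by the generic list and security-callback checks below rather than being rejected. If that is intended (presumably because the list returned by `tls1_get_supported_groups` is itself restricted in Suite B mode, which this hunk does not show), say so above the condition, e.g. `/* No cipher chosen yet: rely on the Suite B group list checked below */`; otherwise return 0 in that case. The merge also drops the `len != 3 || p[0] != NAMED_CURVE_TYPE` validation that the removed tls1_check_curve performed, so the client caller, which is outside this file's diff, now has to reject malformed curve parameters before passing a `group_id` in. The body of tls1_check_group_id continues past the end of this hunk.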