Pull out the code that identifies if we have an ECC cipher in the cipher

list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@

1 files changed, 42 insertions, 1 deletions

diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index c593e7b42bc..d933acb32d1 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.161 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.162 2017/08/09 22:24:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1259,6 +1259,33 @@ ssl_get_ciphers_by_id(SSL *s)
 	return (NULL);
 }
 
+/* See if we have any ECC cipher suites. */
+int
+ssl_has_ecc_ciphers(SSL *s)
+{
+	STACK_OF(SSL_CIPHER) *ciphers;
+	unsigned long alg_k, alg_a;
+	SSL_CIPHER *cipher;
+	int i;
+
+	if (s->version == DTLS1_VERSION)
+		return 0;
+	if ((ciphers = SSL_get_ciphers(s)) == NULL)
+		return 0;
+
+	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
+		cipher = sk_SSL_CIPHER_value(ciphers, i);
+
+		alg_k = cipher->algorithm_mkey;
+		alg_a = cipher->algorithm_auth;
+
+		if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
+			return 1;
+	}
+
+	return 0;
+}
+
 /* The old interface to get the same thing as SSL_get_ciphers(). */
 const char *
 SSL_get_cipher_list(const SSL *s, int n)
@@ -2085,6 +2112,20 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	c->valid = 1;
 }
 
+/* See if this handshake is using an ECC cipher suite. */
+int
+ssl_using_ecc_cipher(SSL *s)
+{
+	unsigned long alg_a, alg_k;
+
+	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
+	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
+
+	return SSI(s)->tlsext_ecpointformatlist != NULL &&
+	    SSI(s)->tlsext_ecpointformatlist_length > 0 &&
+	    ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA));
+}
+
 int
 ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 {