diff options
| author | jsing <> | 2014-10-03 13:58:18 +0000 |
|---|---|---|
| committer | jsing <> | 2014-10-03 13:58:18 +0000 |
| commit | f42035acfafef5f2efe92cd8eef619164f7144f2 (patch) | |
| tree | cffe0badf760bb2604b226bec541734923e423b7 /src/lib/libssl/s3_srvr.c | |
| parent | 079e384e3438a23d2ddc504f4d34e5a46d9dd6e8 (diff) | |
| download | openbsd-f42035acfafef5f2efe92cd8eef619164f7144f2.tar.gz openbsd-f42035acfafef5f2efe92cd8eef619164f7144f2.tar.bz2 openbsd-f42035acfafef5f2efe92cd8eef619164f7144f2.zip | |
Add support for automatic ephemeral EC keys.
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index cba875a3e6..c4a8442a3e 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.85 2014/09/27 11:03:43 jsing Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.86 2014/10/03 13:58:18 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1465,9 +1465,15 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1465 | const EC_GROUP *group; | 1465 | const EC_GROUP *group; |
| 1466 | 1466 | ||
| 1467 | ecdhp = cert->ecdh_tmp; | 1467 | ecdhp = cert->ecdh_tmp; |
| 1468 | if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL) | 1468 | if (s->cert->ecdh_tmp_auto != 0) { |
| 1469 | int nid = tls1_get_shared_curve(s); | ||
| 1470 | if (nid != NID_undef) | ||
| 1471 | ecdhp = EC_KEY_new_by_curve_name(nid); | ||
| 1472 | } else if (ecdhp == NULL && | ||
| 1473 | s->cert->ecdh_tmp_cb != NULL) { | ||
| 1469 | ecdhp = s->cert->ecdh_tmp_cb(s, 0, | 1474 | ecdhp = s->cert->ecdh_tmp_cb(s, 0, |
| 1470 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); | 1475 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); |
| 1476 | } | ||
| 1471 | if (ecdhp == NULL) { | 1477 | if (ecdhp == NULL) { |
| 1472 | al = SSL_AD_HANDSHAKE_FAILURE; | 1478 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1473 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | 1479 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, |
| @@ -1482,7 +1488,9 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1482 | } | 1488 | } |
| 1483 | 1489 | ||
| 1484 | /* Duplicate the ECDH structure. */ | 1490 | /* Duplicate the ECDH structure. */ |
| 1485 | if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { | 1491 | if (s->cert->ecdh_tmp_auto != 0) { |
| 1492 | ecdh = ecdhp; | ||
| 1493 | } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { | ||
| 1486 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | 1494 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, |
| 1487 | ERR_R_ECDH_LIB); | 1495 | ERR_R_ECDH_LIB); |
| 1488 | goto err; | 1496 | goto err; |