summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl.h
diff options
context:
space:
mode:
authorjsing <>2017-08-10 17:18:38 +0000
committerjsing <>2017-08-10 17:18:38 +0000
commitf6039d62295a1c6b1188b531731d233d196faf0d (patch)
treeaa09a427af12b5b2e6c7178a34d25bab71b31269 /src/lib/libssl/ssl.h
parent53bebfdbe69d92a9d3e68a860900ff0ebd428792 (diff)
downloadopenbsd-f6039d62295a1c6b1188b531731d233d196faf0d.tar.gz
openbsd-f6039d62295a1c6b1188b531731d233d196faf0d.tar.bz2
openbsd-f6039d62295a1c6b1188b531731d233d196faf0d.zip
Clean up the EC key/curve configuration handling.
Over the years OpenSSL grew multiple ways of being able to specify EC keys (and/or curves) for use with ECDH and ECDHE key exchange. You could specify a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via a callback that was provided with insufficient information (SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to problems (like ECDHE not being enabled) and potential weird configuration (like being able to do ECDHE without the ephemeral part...). We no longer support ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher list. As such, permanently enable automatic EC curve selection and generation, effectively disabling all of the configuration knobs. The only exception is the SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous behaviour by configuring the curve of the given EC key as the only curve being enabled. Everything else becomes a no-op. ok beck@ doug@
Diffstat (limited to 'src/lib/libssl/ssl.h')
-rw-r--r--src/lib/libssl/ssl.h5
1 files changed, 2 insertions, 3 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index dda5192c10..e816dec83c 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl.h,v 1.129 2017/05/07 04:22:24 beck Exp $ */ 1/* $OpenBSD: ssl.h,v 1.130 2017/08/10 17:18:38 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -503,8 +503,6 @@ struct ssl_session_st {
503#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L 503#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
504/* Disallow client initiated renegotiation. */ 504/* Disallow client initiated renegotiation. */
505#define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L 505#define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L
506/* If set, always create a new key when using tmp_ecdh parameters */
507#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
508/* If set, always create a new key when using tmp_dh parameters */ 506/* If set, always create a new key when using tmp_dh parameters */
509#define SSL_OP_SINGLE_DH_USE 0x00100000L 507#define SSL_OP_SINGLE_DH_USE 0x00100000L
510/* Set on servers to choose the cipher according to the server's 508/* Set on servers to choose the cipher according to the server's
@@ -549,6 +547,7 @@ struct ssl_session_st {
549#define SSL_OP_PKCS1_CHECK_1 0x0 547#define SSL_OP_PKCS1_CHECK_1 0x0
550#define SSL_OP_PKCS1_CHECK_2 0x0 548#define SSL_OP_PKCS1_CHECK_2 0x0
551#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x0 549#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x0
550#define SSL_OP_SINGLE_ECDH_USE 0x0
552#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0 551#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
553#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0 552#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
554#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0 553#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0