Add support for setting the supported EC curves via

SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of EC curves to be X25519, P-256 and P-384. If you want others (such a brainpool) you need to configure this yourself. Inspired by parts of BoringSSL and OpenSSL. ok beck@
author: jsing <> 2017-01-24 09:03:21 +0000
committer: jsing <> 2017-01-24 09:03:21 +0000
commit: 71cc331549d24c7e6a825b6aa26d8c8064dfe01a (patch)
tree: b493d9d91e40b334aae5a2cbf99981f9d4916d09 /src/lib/libssl/ssl_lib.c
parent: 17a2441804c81d4524f94ae1c3fe8adbec4a0236 (diff)
download: openbsd-71cc331549d24c7e6a825b6aa26d8c8064dfe01a.tar.gz
openbsd-71cc331549d24c7e6a825b6aa26d8c8064dfe01a.tar.bz2
openbsd-71cc331549d24c7e6a825b6aa26d8c8064dfe01a.zip
1 files changed, 33 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index b9bfd7e24d..bc04ea7f9c 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.144 2017/01/24 01:47:22 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.145 2017/01/24 09:03:21 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -336,6 +336,34 @@ SSL_new(SSL_CTX *ctx)
        s->internal->tlsext_ocsp_resplen = -1;
        CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
        s->initial_ctx = ctx;
+        if (ctx->internal->tlsext_ecpointformatlist != NULL) {
+                s->internal->tlsext_ecpointformatlist =
+                    calloc(ctx->internal->tlsext_ecpointformatlist_length,
+                        sizeof(ctx->internal->tlsext_ecpointformatlist[0]));
+                if (s->internal->tlsext_ecpointformatlist == NULL)
+                        goto err;
+                memcpy(s->internal->tlsext_ecpointformatlist,
+                    ctx->internal->tlsext_ecpointformatlist,
+                    ctx->internal->tlsext_ecpointformatlist_length *
+                    sizeof(ctx->internal->tlsext_ecpointformatlist[0]));
+                s->internal->tlsext_ecpointformatlist_length =
+                    ctx->internal->tlsext_ecpointformatlist_length;
+        }
+        if (ctx->internal->tlsext_supportedgroups != NULL) {
+                s->internal->tlsext_supportedgroups =
+                    calloc(ctx->internal->tlsext_supportedgroups_length,
+                        sizeof(ctx->internal->tlsext_supportedgroups));
+                if (s->internal->tlsext_supportedgroups == NULL)
+                        goto err;
+                memcpy(s->internal->tlsext_supportedgroups,
+                    ctx->internal->tlsext_supportedgroups,
+                    ctx->internal->tlsext_supportedgroups_length *
+                    sizeof(ctx->internal->tlsext_supportedgroups[0]));
+                s->internal->tlsext_supportedgroups_length =
+                    ctx->internal->tlsext_supportedgroups_length;
+        }
        s->internal->next_proto_negotiated = NULL;
        if (s->ctx->internal->alpn_client_proto_list != NULL) {
@@ -534,7 +562,7 @@ SSL_free(SSL *s)
        free(s->tlsext_hostname);
        SSL_CTX_free(s->initial_ctx);
        free(s->internal->tlsext_ecpointformatlist);
-        free(s->internal->tlsext_ellipticcurvelist);
+        free(s->internal->tlsext_supportedgroups);
        if (s->internal->tlsext_ocsp_exts)
                sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
                    X509_EXTENSION_free);
@@ -1998,6 +2026,9 @@ SSL_CTX_free(SSL_CTX *a)
                ENGINE_finish(a->internal->client_cert_engine);
 #endif
+        free(a->internal->tlsext_ecpointformatlist);
+        free(a->internal->tlsext_supportedgroups);
        free(a->internal->alpn_client_proto_list);
        free(a->internal);
author	jsing <>	2017-01-24 09:03:21 +0000
committer	jsing <>	2017-01-24 09:03:21 +0000
commit	71cc331549d24c7e6a825b6aa26d8c8064dfe01a (patch)
tree	b493d9d91e40b334aae5a2cbf99981f9d4916d09 /src/lib/libssl/ssl_lib.c
parent	17a2441804c81d4524f94ae1c3fe8adbec4a0236 (diff)
download	openbsd-71cc331549d24c7e6a825b6aa26d8c8064dfe01a.tar.gz openbsd-71cc331549d24c7e6a825b6aa26d8c8064dfe01a.tar.bz2 openbsd-71cc331549d24c7e6a825b6aa26d8c8064dfe01a.zip

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index b9bfd7e24d..bc04ea7f9c 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.144 2017/01/24 01:47:22 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.145 2017/01/24 09:03:21 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -336,6 +336,34 @@ SSL_new(SSL_CTX *ctx)
336	s->internal->tlsext_ocsp_resplen = -1;	336	s->internal->tlsext_ocsp_resplen = -1;
337	CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);	337	CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
338	s->initial_ctx = ctx;	338	s->initial_ctx = ctx;
		339
		340	if (ctx->internal->tlsext_ecpointformatlist != NULL) {
		341	s->internal->tlsext_ecpointformatlist =
		342	calloc(ctx->internal->tlsext_ecpointformatlist_length,
		343	sizeof(ctx->internal->tlsext_ecpointformatlist[0]));
		344	if (s->internal->tlsext_ecpointformatlist == NULL)
		345	goto err;
		346	memcpy(s->internal->tlsext_ecpointformatlist,
		347	ctx->internal->tlsext_ecpointformatlist,
		348	ctx->internal->tlsext_ecpointformatlist_length *
		349	sizeof(ctx->internal->tlsext_ecpointformatlist[0]));
		350	s->internal->tlsext_ecpointformatlist_length =
		351	ctx->internal->tlsext_ecpointformatlist_length;
		352	}
		353	if (ctx->internal->tlsext_supportedgroups != NULL) {
		354	s->internal->tlsext_supportedgroups =
		355	calloc(ctx->internal->tlsext_supportedgroups_length,
		356	sizeof(ctx->internal->tlsext_supportedgroups));
		357	if (s->internal->tlsext_supportedgroups == NULL)
		358	goto err;
		359	memcpy(s->internal->tlsext_supportedgroups,
		360	ctx->internal->tlsext_supportedgroups,
		361	ctx->internal->tlsext_supportedgroups_length *
		362	sizeof(ctx->internal->tlsext_supportedgroups[0]));
		363	s->internal->tlsext_supportedgroups_length =
		364	ctx->internal->tlsext_supportedgroups_length;
		365	}
		366
339	s->internal->next_proto_negotiated = NULL;	367	s->internal->next_proto_negotiated = NULL;
340		368
341	if (s->ctx->internal->alpn_client_proto_list != NULL) {	369	if (s->ctx->internal->alpn_client_proto_list != NULL) {
@@ -534,7 +562,7 @@ SSL_free(SSL *s)
534	free(s->tlsext_hostname);	562	free(s->tlsext_hostname);
535	SSL_CTX_free(s->initial_ctx);	563	SSL_CTX_free(s->initial_ctx);
536	free(s->internal->tlsext_ecpointformatlist);	564	free(s->internal->tlsext_ecpointformatlist);
537	free(s->internal->tlsext_ellipticcurvelist);	565	free(s->internal->tlsext_supportedgroups);
538	if (s->internal->tlsext_ocsp_exts)	566	if (s->internal->tlsext_ocsp_exts)
539	sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,	567	sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
540	X509_EXTENSION_free);	568	X509_EXTENSION_free);
@@ -1998,6 +2026,9 @@ SSL_CTX_free(SSL_CTX *a)
1998	ENGINE_finish(a->internal->client_cert_engine);	2026	ENGINE_finish(a->internal->client_cert_engine);
1999	#endif	2027	#endif
2000		2028
		2029	free(a->internal->tlsext_ecpointformatlist);
		2030	free(a->internal->tlsext_supportedgroups);
		2031
2001	free(a->internal->alpn_client_proto_list);	2032	free(a->internal->alpn_client_proto_list);
2002		2033
2003	free(a->internal);	2034	free(a->internal);