| author | jsing <> | 2015-02-07 06:19:26 +0000 | 
|---|---|---|
| committer | jsing <> | 2015-02-07 06:19:26 +0000 | 
| commit | 497cd6f0a725ed72f30fbe310fe0b2e7cb214019 (patch) | |
| tree | 4574673a0c17d6f4e774e9685f9dde91409dc24b /src | |
| parent | 615aea0ff56ce257fc0cdc2310084d6bbd6ad4c6 (diff) | |
Add tls_config_set_dheparams() to allow specification of the parameters to
use for DHE. This enables the use of DHE cipher suites.
Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it
is only used to specify the curve for ephemeral ECDH.
Discussed with reyk@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libtls/Makefile | 5 | ||||
| -rw-r--r-- | src/lib/libtls/shlib_version | 4 | ||||
| -rw-r--r-- | src/lib/libtls/tls.h | 5 | ||||
| -rw-r--r-- | src/lib/libtls/tls_config.c | 30 | ||||
| -rw-r--r-- | src/lib/libtls/tls_init.3 | 11 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 5 | ||||
| -rw-r--r-- | src/lib/libtls/tls_server.c | 15 | 
7 files changed, 53 insertions, 22 deletions
| diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile index e9559f9f95..bf7de202ff 100644 --- a/src/lib/libtls/Makefile +++ b/src/lib/libtls/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.2 2015/01/22 09:29:04 reyk Exp $ | 1 | # $OpenBSD: Makefile,v 1.3 2015/02/07 06:19:26 jsing Exp $ | 
| 2 | 2 | ||
| 3 | CFLAGS+= -Wall -Werror -Wimplicit | 3 | CFLAGS+= -Wall -Werror -Wimplicit | 
| 4 | CFLAGS+= -DLIBRESSL_INTERNAL | 4 | CFLAGS+= -DLIBRESSL_INTERNAL | 
| @@ -26,7 +26,8 @@ MLINKS+=tls_init.3 tls_config_set_ca_mem.3 | |||
| 26 | MLINKS+=tls_init.3 tls_config_set_cert_file.3 | 26 | MLINKS+=tls_init.3 tls_config_set_cert_file.3 | 
| 27 | MLINKS+=tls_init.3 tls_config_set_cert_mem.3 | 27 | MLINKS+=tls_init.3 tls_config_set_cert_mem.3 | 
| 28 | MLINKS+=tls_init.3 tls_config_set_ciphers.3 | 28 | MLINKS+=tls_init.3 tls_config_set_ciphers.3 | 
| 29 | MLINKS+=tls_init.3 tls_config_set_ecdhcurve.3 | 29 | MLINKS+=tls_init.3 tls_config_set_ecdhecurve.3 | 
| 30 | MLINKS+=tls_init.3 tls_config_set_dheparams.3 | ||
| 30 | MLINKS+=tls_init.3 tls_config_set_key_file.3 | 31 | MLINKS+=tls_init.3 tls_config_set_key_file.3 | 
| 31 | MLINKS+=tls_init.3 tls_config_set_key_mem.3 | 32 | MLINKS+=tls_init.3 tls_config_set_key_mem.3 | 
| 32 | MLINKS+=tls_init.3 tls_config_set_protocols.3 | 33 | MLINKS+=tls_init.3 tls_config_set_protocols.3 | 
| diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version index 893819d18f..b52599a164 100644 --- a/src/lib/libtls/shlib_version +++ b/src/lib/libtls/shlib_version | |||
| @@ -1,2 +1,2 @@ | |||
| 1 | major=1 | 1 | major=2 | 
| 2 | minor=1 | 2 | minor=0 | 
| diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h index 8dcf125765..20e5b46901 100644 --- a/src/lib/libtls/tls.h +++ b/src/lib/libtls/tls.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.h,v 1.3 2015/01/22 09:16:24 reyk Exp $ */ | 1 | /* $OpenBSD: tls.h,v 1.4 2015/02/07 06:19:26 jsing Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 
| 4 | * | 4 | * | 
| @@ -48,7 +48,8 @@ int tls_config_set_cert_file(struct tls_config *config, const char *cert_file); | |||
| 48 | int tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert, | 48 | int tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert, | 
| 49 | size_t len); | 49 | size_t len); | 
| 50 | int tls_config_set_ciphers(struct tls_config *config, const char *ciphers); | 50 | int tls_config_set_ciphers(struct tls_config *config, const char *ciphers); | 
| 51 | int tls_config_set_ecdhcurve(struct tls_config *config, const char *name); | 51 | int tls_config_set_dheparams(struct tls_config *config, const char *params); | 
| 52 | int tls_config_set_ecdhecurve(struct tls_config *config, const char *name); | ||
| 52 | int tls_config_set_key_file(struct tls_config *config, const char *key_file); | 53 | int tls_config_set_key_file(struct tls_config *config, const char *key_file); | 
| 53 | int tls_config_set_key_mem(struct tls_config *config, const uint8_t *key, | 54 | int tls_config_set_key_mem(struct tls_config *config, const uint8_t *key, | 
| 54 | size_t len); | 55 | size_t len); | 
| diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 16120c5e4e..7697fa6ee8 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_config.c,v 1.2 2015/01/22 09:16:24 reyk Exp $ */ | 1 | /* $OpenBSD: tls_config.c,v 1.3 2015/02/07 06:19:26 jsing Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 
| 4 | * | 4 | * | 
| @@ -71,7 +71,8 @@ tls_config_new(void) | |||
| 71 | tls_config_free(config); | 71 | tls_config_free(config); | 
| 72 | return (NULL); | 72 | return (NULL); | 
| 73 | } | 73 | } | 
| 74 | tls_config_set_ecdhcurve(config, "auto"); | 74 | tls_config_set_dheparams(config, "none"); | 
| 75 | tls_config_set_ecdhecurve(config, "auto"); | ||
| 75 | tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT); | 76 | tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT); | 
| 76 | tls_config_set_verify_depth(config, 6); | 77 | tls_config_set_verify_depth(config, 6); | 
| 77 | 78 | ||
| @@ -145,18 +146,37 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers) | |||
| 145 | } | 146 | } | 
| 146 | 147 | ||
| 147 | int | 148 | int | 
| 148 | tls_config_set_ecdhcurve(struct tls_config *config, const char *name) | 149 | tls_config_set_dheparams(struct tls_config *config, const char *params) | 
| 150 | { | ||
| 151 | int keylen; | ||
| 152 | |||
| 153 | if (params == NULL || strcasecmp(params, "none") == 0) | ||
| 154 | keylen = 0; | ||
| 155 | else if (strcasecmp(params, "auto") == 0) | ||
| 156 | keylen = -1; | ||
| 157 | else if (strcmp(params, "legacy")) | ||
| 158 | keylen = 1024; | ||
| 159 | else | ||
| 160 | return (-1); | ||
| 161 | |||
| 162 | config->dheparams = keylen; | ||
| 163 | |||
| 164 | return (0); | ||
| 165 | } | ||
| 166 | |||
| 167 | int | ||
| 168 | tls_config_set_ecdhecurve(struct tls_config *config, const char *name) | ||
| 149 | { | 169 | { | 
| 150 | int nid; | 170 | int nid; | 
| 151 | 171 | ||
| 152 | if (name == NULL) | 172 | if (name == NULL || strcasecmp(name, "none") == 0) | 
| 153 | nid = NID_undef; | 173 | nid = NID_undef; | 
| 154 | else if (strcasecmp(name, "auto") == 0) | 174 | else if (strcasecmp(name, "auto") == 0) | 
| 155 | nid = -1; | 175 | nid = -1; | 
| 156 | else if ((nid = OBJ_txt2nid(name)) == NID_undef) | 176 | else if ((nid = OBJ_txt2nid(name)) == NID_undef) | 
| 157 | return (-1); | 177 | return (-1); | 
| 158 | 178 | ||
| 159 | config->ecdhcurve = nid; | 179 | config->ecdhecurve = nid; | 
| 160 | 180 | ||
| 161 | return (0); | 181 | return (0); | 
| 162 | } | 182 | } | 
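Review bot: The "legacy" branch of tls_config_set_dheparams is inverted: `else if (strcmp(params, "legacy"))` is true exactly when params is *not* "legacy", so any unrecognised string (e.g. "bogus") silently selects the 1024-bit parameters while the literal "legacy" falls through to `return (-1)`. It should read `else if (strcasecmp(params, "legacy") == 0)`, which also matches the case-insensitive handling of "none" and "auto" two lines above. As written, a misconfigured caller gets the weakest option instead of an error, the opposite of failing closed. A one-line comment above the chain stating the accepted values, `/* params: "none" (default), "auto" or "legacy" (1024-bit) */`, would also help, since the man page hunk only adds the prototype.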
| diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index baff553172..48974cb326 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: tls_init.3,v 1.8 2015/01/22 11:08:54 jmc Exp $ | 1 | .\" $OpenBSD: tls_init.3,v 1.9 2015/02/07 06:19:26 jsing Exp $ | 
| 2 | .\" | 2 | .\" | 
| 3 | .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> | 3 | .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> | 
| 4 | .\" | 4 | .\" | 
| @@ -14,7 +14,7 @@ | |||
| 14 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | 14 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | 
| 15 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 
| 16 | .\" | 16 | .\" | 
| 17 | .Dd $Mdocdate: January 22 2015 $ | 17 | .Dd $Mdocdate: February 7 2015 $ | 
| 18 | .Dt TLS 3 | 18 | .Dt TLS 3 | 
| 19 | .Os | 19 | .Os | 
| 20 | .Sh NAME | 20 | .Sh NAME | 
| @@ -28,7 +28,8 @@ | |||
| 28 | .Nm tls_config_set_cert_file , | 28 | .Nm tls_config_set_cert_file , | 
| 29 | .Nm tls_config_set_cert_mem , | 29 | .Nm tls_config_set_cert_mem , | 
| 30 | .Nm tls_config_set_ciphers , | 30 | .Nm tls_config_set_ciphers , | 
| 31 | .Nm tls_config_set_ecdhcurve , | 31 | .Nm tls_config_set_dheparams , | 
| 32 | .Nm tls_config_set_ecdhecurve , | ||
| 32 | .Nm tls_config_set_key_file , | 33 | .Nm tls_config_set_key_file , | 
| 33 | .Nm tls_config_set_key_mem , | 34 | .Nm tls_config_set_key_mem , | 
| 34 | .Nm tls_config_set_protocols , | 35 | .Nm tls_config_set_protocols , | 
| @@ -72,7 +73,9 @@ | |||
| 72 | .Ft "int" | 73 | .Ft "int" | 
| 73 | .Fn tls_config_set_ciphers "struct tls_config *config" "const char *ciphers" | 74 | .Fn tls_config_set_ciphers "struct tls_config *config" "const char *ciphers" | 
| 74 | .Ft "int" | 75 | .Ft "int" | 
| 75 | .Fn tls_config_set_ecdhcurve "struct tls_config *config" "const char *name" | 76 | .Fn tls_config_set_dheparams "struct tls_config *config" "const char *params" | 
| 77 | .Ft "int" | ||
| 78 | .Fn tls_config_set_ecdhecurve "struct tls_config *config" "const char *name" | ||
| 76 | .Ft "int" | 79 | .Ft "int" | 
| 77 | .Fn tls_config_set_key_file "struct tls_config *config" "const char *key_file" | 80 | .Fn tls_config_set_key_file "struct tls_config *config" "const char *key_file" | 
| 78 | .Ft "int" | 81 | .Ft "int" | 
| diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 9a1a180e0b..18fcf539c3 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_internal.h,v 1.7 2015/01/22 09:16:24 reyk Exp $ */ | 1 | /* $OpenBSD: tls_internal.h,v 1.8 2015/02/07 06:19:26 jsing Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 
| 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 
| @@ -34,7 +34,8 @@ struct tls_config { | |||
| 34 | char *cert_mem; | 34 | char *cert_mem; | 
| 35 | size_t cert_len; | 35 | size_t cert_len; | 
| 36 | const char *ciphers; | 36 | const char *ciphers; | 
| 37 | int ecdhcurve; | 37 | int dheparams; | 
| 38 | int ecdhecurve; | ||
| 38 | const char *key_file; | 39 | const char *key_file; | 
| 39 | char *key_mem; | 40 | char *key_mem; | 
| 40 | size_t key_len; | 41 | size_t key_len; | 
| diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index ac44f260ac..8d71d2790f 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_server.c,v 1.3 2015/01/30 14:25:37 bluhm Exp $ */ | 1 | /* $OpenBSD: tls_server.c,v 1.4 2015/02/07 06:19:26 jsing Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 
| 4 | * | 4 | * | 
| @@ -63,12 +63,17 @@ tls_configure_server(struct tls *ctx) | |||
| 63 | if (tls_configure_keypair(ctx) != 0) | 63 | if (tls_configure_keypair(ctx) != 0) | 
| 64 | goto err; | 64 | goto err; | 
| 65 | 65 | ||
| 66 | if (ctx->config->ecdhcurve == -1) { | 66 | if (ctx->config->dheparams == -1) | 
| 67 | SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1); | ||
| 68 | else if (ctx->config->dheparams == 1024) | ||
| 69 | SSL_CTX_set_dh_auto(ctx->ssl_ctx, 2); | ||
| 70 | |||
| 71 | if (ctx->config->ecdhecurve == -1) { | ||
| 67 | SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1); | 72 | SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1); | 
| 68 | } else if (ctx->config->ecdhcurve != NID_undef) { | 73 | } else if (ctx->config->ecdhecurve != NID_undef) { | 
| 69 | if ((ecdh_key = EC_KEY_new_by_curve_name( | 74 | if ((ecdh_key = EC_KEY_new_by_curve_name( | 
| 70 | ctx->config->ecdhcurve)) == NULL) { | 75 | ctx->config->ecdhecurve)) == NULL) { | 
| 71 | tls_set_error(ctx, "failed to set ECDH curve"); | 76 | tls_set_error(ctx, "failed to set ECDHE curve"); | 
| 72 | goto err; | 77 | goto err; | 
| 73 | } | 78 | } | 
| 74 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE); | 79 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE); | 
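Review bot: The new dheparams dispatch passes bare magic values to `SSL_CTX_set_dh_auto` — `1` for the `-1` ("auto") setting and `2` for `1024` ("legacy") — and nothing at the call site explains that mapping, or that the `0` ("none") case deliberately configures no DH parameters, which is what leaves the DHE cipher suites unusable. A comment above the chain would spare the next reader a trip into the library internals: `/* dheparams: -1 = auto (group chosen by the library), 1024 = legacy 1024-bit group, 0 = no DHE */`. That comment should also say that "legacy" exists for interoperability with old peers only, since 1024-bit groups are generally considered below current strength recommendations. The return values of the two `SSL_CTX_set_dh_auto` calls are not checked; if they can report failure like the ECDHE path below does, the error should be surfaced the same way. tls_configure_server continues past the end of the hunk.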
