authorjsing <>2014-10-03 14:09:09 +0000
committerjsing <>2014-10-03 14:09:09 +0000
commit9f8a5da13b6653b86f949e67554dafa4591353c0 (patch)
tree6cf018dd426c014234a3ebaa517ad35b852e74d5 /src
parentf42035acfafef5f2efe92cd8eef619164f7144f2 (diff)
Allow "auto" to be specified as an ECDH curve name and make this the
default. This enables automatic handling of ephemeral EC keys. Discussed with reyk@ and tedu@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libressl/ressl_config.c14
-rw-r--r--src/lib/libressl/ressl_server.c6
2 files changed, 13 insertions, 7 deletions
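--- a/src/lib/libressl/ressl_config.c
+++ b/src/lib/libressl/ressl_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_config.c,v 1.12 2014/09/29 15:11:29 jsing Exp $ */
+/* $OpenBSD: ressl_config.c,v 1.13 2014/10/03 14:09:09 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -71,10 +71,9 @@ ressl_config_new(void)
 		ressl_config_free(config);
 		return (NULL);
 	}
+	ressl_config_set_ecdhcurve(config, "auto");
 	ressl_config_set_protocols(config, RESSL_PROTOCOLS_DEFAULT);
 	ressl_config_set_verify_depth(config, 6);
-	/* ? use function ? */
-	config->ecdhcurve = NID_X9_62_prime256v1;
 
 	ressl_config_verify(config);
 
@@ -141,12 +140,17 @@ ressl_config_set_ciphers(struct ressl_config *config, const char *ciphers)
 int
 ressl_config_set_ecdhcurve(struct ressl_config *config, const char *name)
 {
-	int nid = NID_undef;
+	int nid;
 
-	if (name != NULL && (nid = OBJ_txt2nid(name)) == NID_undef)
+	if (name == NULL)
+		nid = NID_undef;
+	else if (strcasecmp(name, "auto") == 0)
+		nid = -1;
+	else if ((nid = OBJ_txt2nid(name)) == NID_undef)
 		return (-1);
 
 	config->ecdhcurve = nid;
+
 	return (0);
 }
 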
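Review bot: The literal `-1` written into `config->ecdhcurve` in ressl_config_set_ecdhcurve is a bare magic sentinel that a second file (ressl_server.c, in this same commit) must test for with the same literal, so the two sides can silently drift; give it one name in the shared header, e.g. `#define RESSL_ECDHCURVE_AUTO (-1)` (name constructed), and use it in both places. The value itself is safe as a sentinel because OBJ_txt2nid returns NID_undef (0) or a non-negative NID, so it cannot collide with a real curve. In ressl_config_new the return value of `ressl_config_set_ecdhcurve(config, "auto")` is dropped; that is harmless today because the "auto" branch cannot fail, but a short comment such as `/* cannot fail for "auto" */` would make the omission deliberate. The function's contract is now three-way and deserves a header comment: NULL disables ECDH, "auto" (case-insensitive) requests library curve selection, any other value is a curve name and an unknown one returns -1 without touching config. strcasecmp needs <strings.h>; I cannot see the include block from this hunk, so confirm it is already included.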
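--- a/src/lib/libressl/ressl_server.c
+++ b/src/lib/libressl/ressl_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_server.c,v 1.9 2014/09/29 15:31:38 jsing Exp $ */
+/* $OpenBSD: ressl_server.c,v 1.10 2014/10/03 14:09:09 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -62,7 +62,9 @@ ressl_configure_server(struct ressl *ctx)
 	if (ressl_configure_keypair(ctx) != 0)
 		goto err;
 
-	if (ctx->config->ecdhcurve != NID_undef) {
+	if (ctx->config->ecdhcurve == -1) {
+		SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1);
+	} else if (ctx->config->ecdhcurve != NID_undef) {
 		if ((ecdh_key = EC_KEY_new_by_curve_name(
 		    ctx->config->ecdhcurve)) == NULL) {
 			ressl_set_error(ctx, "failed to set ECDH curve");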
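Review bot: The new `SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1)` call discards its return value, while the explicit-curve branch directly below checks EC_KEY_new_by_curve_name and reports through ressl_set_error; the two branches should fail the same way, so handle it as `if (SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1) != 1) { ressl_set_error(ctx, "failed to enable automatic ECDH curve selection"); goto err; }` if the underlying SSL_CTX_ctrl can report failure in this tree, which I cannot verify from the hunk. The comparison against the literal `-1` repeats a sentinel chosen in ressl_config.c; a named constant shared through the header would keep the two files in lockstep. ressl_configure_server begins and ends outside this hunk, so the `err:` label and the ecdh_key cleanup are assumed from the existing `goto err` above.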