1 files changed, 72 insertions, 12 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 40374ea220..581c493a55 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.42 2017/08/09 21:27:24 claudio Exp $ */
+/* $OpenBSD: tls_config.c,v 1.43 2017/08/10 18:18:30 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -214,7 +214,7 @@ tls_config_new(void)
         */
        if (tls_config_set_dheparams(config, "none") != 0)
                goto err;
-        if (tls_config_set_ecdhecurve(config, "auto") != 0)
+        if (tls_config_set_ecdhecurves(config, "default") != 0)
                goto err;
        if (tls_config_set_ciphers(config, "secure") != 0)
                goto err;
@@ -269,6 +269,7 @@ tls_config_free(struct tls_config *config)
        free((char *)config->ca_path);
        free((char *)config->ciphers);
        free((char *)config->crl_mem);
+        free(config->ecdhecurves);
        free(config);
 }
@@ -616,22 +617,81 @@ tls_config_set_dheparams(struct tls_config *config, const char *params)
 }
 int
-tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
+tls_config_set_ecdhecurve(struct tls_config *config, const char *curve)
 {
+        if (strchr(curve, ',') != NULL || strchr(curve, ':') != NULL) {
+                tls_config_set_errorx(config, "invalid ecdhe curve '%s'",
+                    curve);
+                return (-1);
+        }
+        if (curve == NULL ||
+            strcasecmp(curve, "none") == 0 ||
+            strcasecmp(curve, "auto") == 0)
+                curve = TLS_ECDHE_CURVES;
+                
+        return tls_config_set_ecdhecurves(config, curve);
+}
+int
+tls_config_set_ecdhecurves(struct tls_config *config, const char *curves)
+{
+        int *curves_list = NULL, *curves_new;
+        size_t curves_num = 0;
+        char *cs = NULL;
+        char *p, *q;
+        int rv = -1;
        int nid;
-        if (name == NULL || strcasecmp(name, "none") == 0)
+        free(config->ecdhecurves);
-                nid = NID_undef;
+        config->ecdhecurves = NULL;
-        else if (strcasecmp(name, "auto") == 0)
+        config->ecdhecurves_len = 0;
-                nid = -1;
-        else if ((nid = OBJ_txt2nid(name)) == NID_undef) {
+        if (curves == NULL || strcasecmp(curves, "default") == 0)
-                tls_config_set_errorx(config, "invalid ecdhe curve '%s'", name);
+                curves = TLS_ECDHE_CURVES;
-                return (-1);
+        if ((cs = strdup(curves)) == NULL) {
+                tls_config_set_errorx(config, "out of memory");
+                goto err;
+        }
+        q = cs;
+        while ((p = strsep(&q, ",:")) != NULL) {
+                while (*p == ' ' || *p == '\t')
+                        p++;
+                nid = OBJ_sn2nid(p);
+                if (nid == NID_undef)
+                        nid = OBJ_ln2nid(p);
+                if (nid == NID_undef)
+                        nid = EC_curve_nist2nid(p);
+                if (nid == NID_undef) {
+                        tls_config_set_errorx(config,
+                            "invalid ecdhe curve '%s'", p);
+                        goto err;
+                }
+                if ((curves_new = reallocarray(curves_list, curves_num + 1,
+                    sizeof(int))) == NULL) {
+                        tls_config_set_errorx(config, "out of memory");
+                        goto err;
+                }
+                curves_list = curves_new;
+                curves_list[curves_num] = nid;
+                curves_num++;
        }
-        config->ecdhecurve = nid;
+        config->ecdhecurves = curves_list;
+        config->ecdhecurves_len = curves_num;
+        curves_list = NULL;
-        return (0);
+        rv = 0;
+ err:
+        free(cs);
+        free(curves_list);
+        return (rv);
 }
 int

diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 40374ea220..581c493a55 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_config.c,v 1.42 2017/08/09 21:27:24 claudio Exp $ */	1	/* $OpenBSD: tls_config.c,v 1.43 2017/08/10 18:18:30 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -214,7 +214,7 @@ tls_config_new(void)
214	*/	214	*/
215	if (tls_config_set_dheparams(config, "none") != 0)	215	if (tls_config_set_dheparams(config, "none") != 0)
216	goto err;	216	goto err;
217	if (tls_config_set_ecdhecurve(config, "auto") != 0)	217	if (tls_config_set_ecdhecurves(config, "default") != 0)
218	goto err;	218	goto err;
219	if (tls_config_set_ciphers(config, "secure") != 0)	219	if (tls_config_set_ciphers(config, "secure") != 0)
220	goto err;	220	goto err;
@@ -269,6 +269,7 @@ tls_config_free(struct tls_config *config)
269	free((char *)config->ca_path);	269	free((char *)config->ca_path);
270	free((char *)config->ciphers);	270	free((char *)config->ciphers);
271	free((char *)config->crl_mem);	271	free((char *)config->crl_mem);
		272	free(config->ecdhecurves);
272		273
273	free(config);	274	free(config);
274	}	275	}
@@ -616,22 +617,81 @@ tls_config_set_dheparams(struct tls_config config, const char params)
616	}	617	}
617		618
618	int	619	int
619	tls_config_set_ecdhecurve(struct tls_config config, const char name)	620	tls_config_set_ecdhecurve(struct tls_config config, const char curve)
620	{	621	{
		622	if (strchr(curve, ',') != NULL \|\| strchr(curve, ':') != NULL) {
		623	tls_config_set_errorx(config, "invalid ecdhe curve '%s'",
		624	curve);
		625	return (-1);
		626	}
		627
		628	if (curve == NULL \|\|
		629	strcasecmp(curve, "none") == 0 \|\|
		630	strcasecmp(curve, "auto") == 0)
		631	curve = TLS_ECDHE_CURVES;
		632
		633	return tls_config_set_ecdhecurves(config, curve);
		634	}
		635
		636	int
		637	tls_config_set_ecdhecurves(struct tls_config config, const char curves)
		638	{
		639	int curves_list = NULL, curves_new;
		640	size_t curves_num = 0;
		641	char *cs = NULL;
		642	char p, q;
		643	int rv = -1;
621	int nid;	644	int nid;
622		645
623	if (name == NULL \|\| strcasecmp(name, "none") == 0)	646	free(config->ecdhecurves);
624	nid = NID_undef;	647	config->ecdhecurves = NULL;
625	else if (strcasecmp(name, "auto") == 0)	648	config->ecdhecurves_len = 0;
626	nid = -1;	649
627	else if ((nid = OBJ_txt2nid(name)) == NID_undef) {	650	if (curves == NULL \|\| strcasecmp(curves, "default") == 0)
628	tls_config_set_errorx(config, "invalid ecdhe curve '%s'", name);	651	curves = TLS_ECDHE_CURVES;
629	return (-1);	652
		653	if ((cs = strdup(curves)) == NULL) {
		654	tls_config_set_errorx(config, "out of memory");
		655	goto err;
		656	}
		657
		658	q = cs;
		659	while ((p = strsep(&q, ",:")) != NULL) {
		660	while (p == ' ' \|\| p == '\t')
		661	p++;
		662
		663	nid = OBJ_sn2nid(p);
		664	if (nid == NID_undef)
		665	nid = OBJ_ln2nid(p);
		666	if (nid == NID_undef)
		667	nid = EC_curve_nist2nid(p);
		668	if (nid == NID_undef) {
		669	tls_config_set_errorx(config,
		670	"invalid ecdhe curve '%s'", p);
		671	goto err;
		672	}
		673
		674	if ((curves_new = reallocarray(curves_list, curves_num + 1,
		675	sizeof(int))) == NULL) {
		676	tls_config_set_errorx(config, "out of memory");
		677	goto err;
		678	}
		679	curves_list = curves_new;
		680	curves_list[curves_num] = nid;
		681	curves_num++;
630	}	682	}
631		683
632	config->ecdhecurve = nid;	684	config->ecdhecurves = curves_list;
		685	config->ecdhecurves_len = curves_num;
		686	curves_list = NULL;
633		687
634	return (0);	688	rv = 0;
		689
		690	err:
		691	free(cs);
		692	free(curves_list);
		693
		694	return (rv);
635	}	695	}
636		696
637	int	697	int