From d7da60dd1b50ad2db5c3c488fe20d8b67c703233 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Sun, 9 Aug 2020 16:25:54 +0000 Subject: Add P-521 to the list of curves supported by default in the client. A certain VPN provider appears to have configured their servers to only accept P-521 for TLSv1.3 key exchange. The particular VPN software in use also does not currently allow for the TLSv1.3 key share groups to be configured, which means that there is no way to easily use LibreSSL in this situation. Include P-521 in the list of curves that are supported by default in the client, in order to increase interoperability. Discussed at length with beck@, inoguchi@ and tb@. ok tb@ --- src/lib/libssl/t1_lib.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 6a2b082d02..1191f9201e 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.168 2020/07/07 19:31:11 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.169 2020/08/09 16:25:54 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -242,7 +242,14 @@ static const uint16_t eccurves_list[] = { }; #endif -static const uint16_t eccurves_default[] = { +static const uint16_t eccurves_client_default[] = { + 29, /* X25519 (29) */ + 23, /* secp256r1 (23) */ + 24, /* secp384r1 (24) */ + 25, /* secp521r1 (25) */ +}; + +static const uint16_t eccurves_server_default[] = { 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 24, /* secp384r1 (24) */ @@ -366,9 +373,15 @@ tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups, *pgroups = s->internal->tlsext_supportedgroups; *pgroupslen = s->internal->tlsext_supportedgroups_length; - if (*pgroups == NULL) { - *pgroups = eccurves_default; - *pgroupslen = sizeof(eccurves_default) / 2; + if (*pgroups != NULL) + return; + + if (!s->server) { + *pgroups = eccurves_client_default; + *pgroupslen = sizeof(eccurves_client_default) / 2; + } else { + *pgroups = eccurves_server_default; + *pgroupslen = sizeof(eccurves_server_default) / 2; } } -- cgit v1.2.3-55-g6feb