From 71cc331549d24c7e6a825b6aa26d8c8064dfe01a Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 24 Jan 2017 09:03:21 +0000
Subject: Add support for setting the supported EC curves via SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of EC curves to be X25519, P-256 and P-384. If you want others (such a brainpool) you need to configure this yourself. Inspired by parts of BoringSSL and OpenSSL. ok beck@
---
 src/lib/libssl/ssl_lib.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
(limited to 'src/lib/libssl/ssl_lib.c')
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index b9bfd7e24d..bc04ea7f9c 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.144 2017/01/24 01:47:22 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.145 2017/01/24 09:03:21 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -336,6 +336,34 @@ SSL_new(SSL_CTX *ctx)
 s->internal->tlsext_ocsp_resplen = -1;
 CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
 s->initial_ctx = ctx;
+
+ if (ctx->internal->tlsext_ecpointformatlist != NULL) {
+ s->internal->tlsext_ecpointformatlist =
+ calloc(ctx->internal->tlsext_ecpointformatlist_length,
+ sizeof(ctx->internal->tlsext_ecpointformatlist[0]));
+ if (s->internal->tlsext_ecpointformatlist == NULL)
+ goto err;
+ memcpy(s->internal->tlsext_ecpointformatlist,
+ ctx->internal->tlsext_ecpointformatlist,
+ ctx->internal->tlsext_ecpointformatlist_length *
+ sizeof(ctx->internal->tlsext_ecpointformatlist[0]));
+ s->internal->tlsext_ecpointformatlist_length =
+ ctx->internal->tlsext_ecpointformatlist_length;
+ }
+ if (ctx->internal->tlsext_supportedgroups != NULL) {
+ s->internal->tlsext_supportedgroups =
+ calloc(ctx->internal->tlsext_supportedgroups_length,
+ sizeof(ctx->internal->tlsext_supportedgroups));
+ if (s->internal->tlsext_supportedgroups == NULL)
+ goto err;
+ memcpy(s->internal->tlsext_supportedgroups,
+ ctx->internal->tlsext_supportedgroups,
+ ctx->internal->tlsext_supportedgroups_length *
+ sizeof(ctx->internal->tlsext_supportedgroups[0]));
+ s->internal->tlsext_supportedgroups_length =
+ ctx->internal->tlsext_supportedgroups_length;
+ }
+
 s->internal->next_proto_negotiated = NULL;
 if (s->ctx->internal->alpn_client_proto_list != NULL) {
@@ -534,7 +562,7 @@ SSL_free(SSL *s)
 free(s->tlsext_hostname);
 SSL_CTX_free(s->initial_ctx);
 free(s->internal->tlsext_ecpointformatlist);
- free(s->internal->tlsext_ellipticcurvelist);
+ free(s->internal->tlsext_supportedgroups);
 if (s->internal->tlsext_ocsp_exts)
 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
 X509_EXTENSION_free);
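Review bot: In the SSL_new hunk, the calloc() for the per-SSL copy of the supported groups sizes its elements with `sizeof(ctx->internal->tlsext_supportedgroups)`, which is the size of the pointer, while the memcpy() right after it and the ecpointformatlist copy just above both use the `[0]` element size. If the element type is no larger than a pointer (presumably the case, though its declaration is not in this diff) this only over-allocates, but the allocation and the copy are computed from different sizes, and a wider element type would turn the memcpy() into a heap overflow; the line should read `sizeof(ctx->internal->tlsext_supportedgroups[0]));`. Both new `goto err` exits are taken after s already owns allocations, and the err label lies outside this hunk, so it is worth confirming that it frees s->internal->tlsext_ecpointformatlist when the second calloc() fails.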
@@ -1998,6 +2026,9 @@ SSL_CTX_free(SSL_CTX *a)
 ENGINE_finish(a->internal->client_cert_engine);
 #endif
+ free(a->internal->tlsext_ecpointformatlist);
+ free(a->internal->tlsext_supportedgroups);
+
 free(a->internal->alpn_client_proto_list);
 free(a->internal);
-- cgit v1.2.3-55-g6feb