From 53af341ab4ddf76dd1e37a37e28a8fecbe0461a5 Mon Sep 17 00:00:00 2001
From: reyk <>
Date: Wed, 27 Aug 2014 10:46:53 +0000
Subject: Add the API function ressl_config_set_ecdhcurve(config, name) to set a non-standard ECDH curve by name or to disable it by passing NULL.
OK jsing@
---
 src/lib/libressl/ressl.h | 3 ++-
 src/lib/libressl/ressl_config.c | 15 ++++++++++++++-
 src/lib/libressl/ressl_internal.h | 3 ++-
 src/lib/libressl/ressl_server.c | 17 +++++++++++------
 4 files changed, 29 insertions(+), 9 deletions(-)
(limited to 'src')
diff --git a/src/lib/libressl/ressl.h b/src/lib/libressl/ressl.h
index 46672d97cb..ebd589313b 100644
--- a/src/lib/libressl/ressl.h
+++ b/src/lib/libressl/ressl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.h,v 1.12 2014/08/15 16:55:32 tedu Exp $ */
+/* $OpenBSD: ressl.h,v 1.13 2014/08/27 10:46:53 reyk Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -37,6 +37,7 @@ void ressl_config_set_cert_file(struct ressl_config *config, char *cert_file);
 void ressl_config_set_cert_mem(struct ressl_config *config, char *cert,
     size_t len);
 void ressl_config_set_ciphers(struct ressl_config *config, char *ciphers);
+int ressl_config_set_ecdhcurve(struct ressl_config *config, const char *);
 void ressl_config_set_key_file(struct ressl_config *config, char *key_file);
 void ressl_config_set_key_mem(struct ressl_config *config, char *key,
     size_t len);
diff --git a/src/lib/libressl/ressl_config.c b/src/lib/libressl/ressl_config.c
index 133ef81b02..aa353be01f 100644
--- a/src/lib/libressl/ressl_config.c
+++ b/src/lib/libressl/ressl_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_config.c,v 1.7 2014/08/06 01:54:01 jsing Exp $ */
+/* $OpenBSD: ressl_config.c,v 1.8 2014/08/27 10:46:53 reyk Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -28,6 +28,7 @@ struct ressl_config ressl_config_default = {
 .ca_file = _PATH_SSL_CA_FILE,
 .ca_path = NULL,
 .ciphers = NULL,
+ .ecdhcurve = NID_X9_62_prime256v1,
 .verify = 1,
 .verify_depth = 6,
 };
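Review bot: The new prototype on the `+int ressl_config_set_ecdhcurve(struct ressl_config *config, const char *);` line drops the parameter name while every neighbouring declaration in the hunk keeps its names, so the header gives no hint what the string is; `int ressl_config_set_ecdhcurve(struct ressl_config *config, const char *name);` keeps the file's convention. It is also the only setter in this hunk that returns int, and nothing in the header says what -1 means or that a NULL name disables ECDH — both are only visible in ressl_config.c. A one-line comment above the prototype, e.g. `/* Curve name as understood by OBJ_txt2nid(3); NULL disables ECDH. Returns -1 if the name is unknown. */`, would save callers a trip into the source.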
@@ -82,6 +83,18 @@ ressl_config_set_ciphers(struct ressl_config *config, char *ciphers)
 config->ciphers = ciphers;
 }
+int
+ressl_config_set_ecdhcurve(struct ressl_config *config, const char *name)
+{
+ int nid = NID_undef;
+
+ if (name != NULL && (nid = OBJ_txt2nid(name)) == NID_undef)
+ return (-1);
+
+ config->ecdhcurve = nid;
+ return (0);
+}
+
 void
 ressl_config_set_key_file(struct ressl_config *config, char *key_file)
 {
diff --git a/src/lib/libressl/ressl_internal.h b/src/lib/libressl/ressl_internal.h
index 3f667526ad..02dded3e7e 100644
--- a/src/lib/libressl/ressl_internal.h
+++ b/src/lib/libressl/ressl_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_internal.h,v 1.9 2014/08/06 01:54:01 jsing Exp $ */
+/* $OpenBSD: ressl_internal.h,v 1.10 2014/08/27 10:46:53 reyk Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  * Copyright (c) 2014 Joel Sing
@@ -32,6 +32,7 @@ struct ressl_config {
 char *cert_mem;
 size_t cert_len;
 const char *ciphers;
+ int ecdhcurve;
 const char *key_file;
 char *key_mem;
 size_t key_len;
diff --git a/src/lib/libressl/ressl_server.c b/src/lib/libressl/ressl_server.c
index 7b812bfd27..24b54ad0d0 100644
--- a/src/lib/libressl/ressl_server.c
+++ b/src/lib/libressl/ressl_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_server.c,v 1.6 2014/08/05 12:46:16 jsing Exp $ */
+/* $OpenBSD: ressl_server.c,v 1.7 2014/08/27 10:46:53 reyk Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
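Review bot: OBJ_txt2nid() on the `if (name != NULL && (nid = OBJ_txt2nid(name)) == NID_undef)` line resolves any object name or dotted OID OpenSSL knows, not only EC curves, so a caller passing, say, a digest name gets 0 back and a config that only fails later in ressl_configure_server() when EC_KEY_new_by_curve_name() rejects the NID, far from the place that still has the offending string. The curve is cheap to validate here by instantiating it once and freeing it, assuming the EC_KEY declarations are included in ressl_config.c (its includes are outside the hunk). Note also that the setter accepts every curve OpenSSL has parameters for, including very small ones; for a library meant to be safe by default it may be worth restricting the accepted set, or at least documenting that the strength of the chosen curve is entirely the caller's responsibility.

```c
	int nid = NID_undef;
	EC_KEY *ecdh_key;

	if (name != NULL) {
		/* OBJ_txt2nid() resolves any object name; make sure it is a curve. */
		if ((nid = OBJ_txt2nid(name)) == NID_undef ||
		    (ecdh_key = EC_KEY_new_by_curve_name(nid)) == NULL)
			return (-1);
		EC_KEY_free(ecdh_key);
	}
	/* … unchanged: store nid in config->ecdhcurve and return 0 … */
```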
@@ -69,11 +69,16 @@ ressl_configure_server(struct ressl *ctx)
 }
 }
- if ((ecdh_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) == NULL)
- goto err;
- SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key);
- SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
- EC_KEY_free(ecdh_key);
+ if (ctx->config->ecdhcurve != NID_undef) {
+ if ((ecdh_key = EC_KEY_new_by_curve_name(
+ ctx->config->ecdhcurve)) == NULL) {
+ ressl_set_error(ctx, "failed to set ECDH curve");
+ goto err;
+ }
+ SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key);
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh_key);
+ }
 return (0);
-- cgit v1.2.3-55-g6feb
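Review bot: When ecdhcurve is NID_undef the whole `if (ctx->config->ecdhcurve != NID_undef) {` block is skipped and the SSL_CTX gets no ephemeral ECDH key, which silently removes every ECDHE cipher suite from the server's offer; unless DHE parameters are configured elsewhere in ressl_configure_server() (the function begins outside the hunk, so this cannot be confirmed here), the suites that remain use static RSA key exchange with no forward secrecy. That is a sharp edge for an option whose NULL argument is only described as "disable", so the branch deserves a comment such as `/* NID_undef: caller disabled ECDH; no ECDHE suites will be offered */`. The message on the `ressl_set_error(ctx, "failed to set ECDH curve");` line could also name the curve, for example via OBJ_nid2sn(ctx->config->ecdhcurve), if ressl_set_error() accepts a format string (not visible in this hunk).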