From 8ab293189552d72b08283999a617fe1bfd425eab Mon Sep 17 00:00:00 2001 From: jsing <> Date: Sun, 19 Apr 2020 17:05:55 +0000 Subject: Add -groups option to openssl(1) s_server. This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead. ok beck@ inoguchi@ --- src/usr.bin/openssl/s_client.c | 4 +-- src/usr.bin/openssl/s_server.c | 62 ++++++++++++++++++++---------------------- 2 files changed, 31 insertions(+), 35 deletions(-) (limited to 'src') diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c index 443f00505e..02db7feac8 100644 --- a/src/usr.bin/openssl/s_client.c +++ b/src/usr.bin/openssl/s_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_client.c,v 1.42 2020/02/16 16:39:01 jsing Exp $ */ +/* $OpenBSD: s_client.c,v 1.43 2020/04/19 17:05:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -245,7 +245,7 @@ sc_usage(void) BIO_printf(bio_err, " -status - request certificate status from server\n"); BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err, " -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n"); - BIO_printf(bio_err, " -groups arg - specify EC curve groups (colon-separated list)\n"); + BIO_printf(bio_err, " -groups arg - specify EC groups (colon-separated list)\n"); #ifndef OPENSSL_NO_SRTP BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); #endif diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c index 2026e72942..65cd36c54e 100644 --- a/src/usr.bin/openssl/s_server.c +++ b/src/usr.bin/openssl/s_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_server.c,v 1.32 2019/10/04 09:47:34 bcook Exp $ */ +/* $OpenBSD: s_server.c,v 1.33 2020/04/19 17:05:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -288,9 +288,6 @@ sv_usage(void) BIO_printf(bio_err, " -dpass arg - second private key file pass phrase source\n"); BIO_printf(bio_err, " -dhparam arg - DH parameter file to use, in cert file if not specified\n"); BIO_printf(bio_err, " or a default set of parameters is used\n"); - BIO_printf(bio_err, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ - " Use \"openssl ecparam -list_curves\" for all names\n" \ - " (default is nistp256).\n"); BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n"); BIO_printf(bio_err, " -nbio_test - test with the non-blocking test bio\n"); BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n"); @@ -333,7 +330,8 @@ sv_usage(void) BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2); BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n"); - BIO_printf(bio_err," -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n"); + BIO_printf(bio_err, " -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n"); + BIO_printf(bio_err, " -groups arg - specify EC groups (colon-separated list)\n"); #ifndef OPENSSL_NO_SRTP BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); #endif @@ -581,6 +579,7 @@ s_server_main(int argc, char *argv[]) X509 *s_cert2 = NULL; tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; const char *alpn_in = NULL; + const char *groups_in = NULL; tlsextalpnctx alpn_ctx = { NULL, 0 }; if (single_execution) { @@ -656,13 +655,11 @@ s_server_main(int argc, char *argv[]) if (--argc < 1) goto bad; dhfile = *(++argv); - } - else if (strcmp(*argv, "-named_curve") == 0) { + } else if (strcmp(*argv, "-named_curve") == 0) { if (--argc < 1) goto bad; named_curve = *(++argv); - } - else if (strcmp(*argv, "-dcertform") == 0) { + } else if (strcmp(*argv, "-dcertform") == 0) { if (--argc < 1) goto bad; s_dcert_format = str2fmt(*(++argv)); @@ -831,6 +828,10 @@ s_server_main(int argc, char *argv[]) if (--argc < 1) goto bad; alpn_in = *(++argv); + } else if (strcmp(*argv, "-groups") == 0) { + if (--argc < 1) + goto bad; + groups_in = *(++argv); } #ifndef OPENSSL_NO_SRTP else if (strcmp(*argv, "-use_srtp") == 0) { @@ -1055,6 +1056,14 @@ s_server_main(int argc, char *argv[]) if (alpn_ctx.data) SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx); + if (groups_in != NULL) { + if (SSL_CTX_set1_groups_list(ctx, groups_in) != 1) { + BIO_printf(bio_err, "Failed to set groups '%s'\n", + groups_in); + goto end; + } + } + #ifndef OPENSSL_NO_DH if (!no_dhe) { DH *dh = NULL; @@ -1108,34 +1117,21 @@ s_server_main(int argc, char *argv[]) } #endif - if (!no_ecdhe) { + if (!no_ecdhe && named_curve != NULL) { EC_KEY *ecdh = NULL; + int nid; - if (named_curve) { - int nid = OBJ_sn2nid(named_curve); - - if (nid == 0) { - BIO_printf(bio_err, "unknown curve name (%s)\n", - named_curve); - goto end; - } - ecdh = EC_KEY_new_by_curve_name(nid); - if (ecdh == NULL) { - BIO_printf(bio_err, "unable to create curve (%s)\n", - named_curve); - goto end; - } + if ((nid = OBJ_sn2nid(named_curve)) == 0) { + BIO_printf(bio_err, "unknown curve name (%s)\n", + named_curve); + goto end; } - if (ecdh != NULL) { - BIO_printf(bio_s_out, "Setting temp ECDH parameters\n"); - } else { - BIO_printf(bio_s_out, "Using default temp ECDH parameters\n"); - ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (ecdh == NULL) { - BIO_printf(bio_err, "unable to create curve (nistp256)\n"); - goto end; - } + if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) { + BIO_printf(bio_err, "unable to create curve (%s)\n", + named_curve); + goto end; } + BIO_printf(bio_s_out, "Setting temp ECDH parameters\n"); (void) BIO_flush(bio_s_out); SSL_CTX_set_tmp_ecdh(ctx, ecdh); -- cgit v1.2.3-55-g6feb