author | Joel Sing <jsing@cvs.openbsd.org> | 2014-10-03 14:09:10 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-10-03 14:09:10 +0000 |
commit | 672b487f875a9a5a7c89a74950b3490a613d9c84 (patch) | |
tree | a548cf422005f9c153a584cbc4e221f366ee1c06 | |
parent | b9a87bb6890852e78fbfda2d3561b11194e0db8e (diff) |
Allow "auto" to be specified as an ECDH curve name and make this the
default. This enables automatic handling of ephemeral EC keys.
Discussed with reyk@ and tedu@
-rw-r--r-- | lib/libressl/ressl_config.c | 14 | ||||
-rw-r--r-- | lib/libressl/ressl_server.c | 6 |
2 files changed, 13 insertions, 7 deletions
diff --git a/lib/libressl/ressl_config.c b/lib/libressl/ressl_config.c
index c92886330e4..6d535e2b423 100644
--- a/lib/libressl/ressl_config.c
+++ b/lib/libressl/ressl_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_config.c,v 1.12 2014/09/29 15:11:29 jsing Exp $ */
+/* $OpenBSD: ressl_config.c,v 1.13 2014/10/03 14:09:09 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -71,10 +71,9 @@ ressl_config_new(void)
 ressl_config_free(config);
 return (NULL);
 }
+ ressl_config_set_ecdhcurve(config, "auto");
 ressl_config_set_protocols(config, RESSL_PROTOCOLS_DEFAULT);
 ressl_config_set_verify_depth(config, 6);
- /* ? use function ? */
- config->ecdhcurve = NID_X9_62_prime256v1;
 ressl_config_verify(config);
@@ -141,12 +140,17 @@ ressl_config_set_ciphers(struct ressl_config *config, const char *ciphers)
 int
 ressl_config_set_ecdhcurve(struct ressl_config *config, const char *name)
 {
- int nid = NID_undef;
+ int nid;
- if (name != NULL && (nid = OBJ_txt2nid(name)) == NID_undef)
+ if (name == NULL)
+ nid = NID_undef;
+ else if (strcasecmp(name, "auto") == 0)
+ nid = -1;
+ else if ((nid = OBJ_txt2nid(name)) == NID_undef)
 return (-1);
 config->ecdhcurve = nid;
+
 return (0);
 }
diff --git a/lib/libressl/ressl_server.c b/lib/libressl/ressl_server.c
index 33ac8fc33dd..1d5ee2a3f93 100644
--- a/lib/libressl/ressl_server.c
+++ b/lib/libressl/ressl_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_server.c,v 1.9 2014/09/29 15:31:38 jsing Exp $ */
+/* $OpenBSD: ressl_server.c,v 1.10 2014/10/03 14:09:09 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -62,7 +62,9 @@ ressl_configure_server(struct ressl *ctx)
 if (ressl_configure_keypair(ctx) != 0)
 goto err;
- if (ctx->config->ecdhcurve != NID_undef) {
+ if (ctx->config->ecdhcurve == -1) {
+ SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1);
+ } else if (ctx->config->ecdhcurve != NID_undef) {
 if ((ecdh_key = EC_KEY_new_by_curve_name(
 ctx->config->ecdhcurve)) == NULL) {
 ressl_set_error(ctx, "failed to set ECDH curve");
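Review bot: The `nid = -1` that encodes "auto" in the new else-if chain of ressl_config_set_ecdhcurve() is an undocumented magic sentinel stored in `config->ecdhcurve`, and the ressl_configure_server() hunk in ressl_server.c has to repeat the literal `-1` in its own comparison. It only works because OBJ_txt2nid() returns NID_undef (0) or a positive NID, so a comment at the assignment, `/* -1: let the library choose the curve (SSL_CTX_set_ecdh_auto); OBJ_txt2nid() never returns a negative NID */`, or better one named constant shared by both files, would keep the two sides from drifting. Note also that OBJ_txt2nid() resolves any object name, so a non-curve NID is still accepted here and only rejected later by EC_KEY_new_by_curve_name() in the server; that behaviour predates this change. strcasecmp() requires <strings.h>, whose inclusion is outside the hunk.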
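Review bot: The new `SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1)` call discards its result, while the explicit-curve branch directly below it reports failure via ressl_set_error() and goto err, so the two paths fail differently. SSL_CTX_set_ecdh_auto() is an SSL_CTX_ctrl() wrapper returning 1 on success, so the call could become `if (SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1) != 1) {` / `ressl_set_error(ctx, "failed to enable automatic ECDH curve selection"); goto err;` / `}`, matching the existing error style. The remainder of ressl_configure_server(), including the err label, lies outside the hunk.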