authorJoel Sing <jsing@cvs.openbsd.org>2015-02-07 06:19:27 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2015-02-07 06:19:27 +0000
commit9eb904175e3fac9b2a5933426135b9b864751f9f (patch)
tree02cfc70fdfe6f251d32a0957befcd00236ad33e9 /lib/libtls
parent111af29fe6a6dd57947b3a36d5abf69456075553 (diff)
Add tls_config_set_dheparams() to allow specification of the parameters to
use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
Diffstat (limited to 'lib/libtls')
-rw-r--r--lib/libtls/Makefile5
-rw-r--r--lib/libtls/shlib_version4
-rw-r--r--lib/libtls/tls.h5
-rw-r--r--lib/libtls/tls_config.c30
-rw-r--r--lib/libtls/tls_init.311
-rw-r--r--lib/libtls/tls_internal.h5
-rw-r--r--lib/libtls/tls_server.c15
7 files changed, 53 insertions, 22 deletions
diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile
index e9559f9f955..bf7de202ffd 100644
--- a/lib/libtls/Makefile
+++ b/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2015/01/22 09:29:04 reyk Exp $
+# $OpenBSD: Makefile,v 1.3 2015/02/07 06:19:26 jsing Exp $
CFLAGS+= -Wall -Werror -Wimplicit
CFLAGS+= -DLIBRESSL_INTERNAL
@@ -26,7 +26,8 @@ MLINKS+=tls_init.3 tls_config_set_ca_mem.3
MLINKS+=tls_init.3 tls_config_set_cert_file.3
MLINKS+=tls_init.3 tls_config_set_cert_mem.3
MLINKS+=tls_init.3 tls_config_set_ciphers.3
-MLINKS+=tls_init.3 tls_config_set_ecdhcurve.3
+MLINKS+=tls_init.3 tls_config_set_ecdhecurve.3
+MLINKS+=tls_init.3 tls_config_set_dheparams.3
MLINKS+=tls_init.3 tls_config_set_key_file.3
MLINKS+=tls_init.3 tls_config_set_key_mem.3
MLINKS+=tls_init.3 tls_config_set_protocols.3
diff --git a/lib/libtls/shlib_version b/lib/libtls/shlib_version
index 893819d18ff..b52599a164f 100644
--- a/lib/libtls/shlib_version
+++ b/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
-major=1
-minor=1
+major=2
+minor=0
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 8dcf1257654..20e5b469019 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.3 2015/01/22 09:16:24 reyk Exp $ */
+/* $OpenBSD: tls.h,v 1.4 2015/02/07 06:19:26 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -48,7 +48,8 @@ int tls_config_set_cert_file(struct tls_config *config, const char *cert_file);
int tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
size_t len);
int tls_config_set_ciphers(struct tls_config *config, const char *ciphers);
-int tls_config_set_ecdhcurve(struct tls_config *config, const char *name);
+int tls_config_set_dheparams(struct tls_config *config, const char *params);
+int tls_config_set_ecdhecurve(struct tls_config *config, const char *name);
int tls_config_set_key_file(struct tls_config *config, const char *key_file);
int tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
size_t len);
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 16120c5e4e3..7697fa6ee85 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.2 2015/01/22 09:16:24 reyk Exp $ */
+/* $OpenBSD: tls_config.c,v 1.3 2015/02/07 06:19:26 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -71,7 +71,8 @@ tls_config_new(void)
tls_config_free(config);
return (NULL);
}
- tls_config_set_ecdhcurve(config, "auto");
+ tls_config_set_dheparams(config, "none");
+ tls_config_set_ecdhecurve(config, "auto");
tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
tls_config_set_verify_depth(config, 6);
@@ -145,18 +146,37 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
}
int
-tls_config_set_ecdhcurve(struct tls_config *config, const char *name)
+tls_config_set_dheparams(struct tls_config *config, const char *params)
+{
+ int keylen;
+
+ if (params == NULL || strcasecmp(params, "none") == 0)
+ keylen = 0;
+ else if (strcasecmp(params, "auto") == 0)
+ keylen = -1;
+ else if (strcmp(params, "legacy"))
+ keylen = 1024;
+ else
+ return (-1);
+
+ config->dheparams = keylen;
+
+ return (0);
+}
+
+int
+tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
{
int nid;
- if (name == NULL)
+ if (name == NULL || strcasecmp(name, "none") == 0)
nid = NID_undef;
else if (strcasecmp(name, "auto") == 0)
nid = -1;
else if ((nid = OBJ_txt2nid(name)) == NID_undef)
return (-1);
- config->ecdhcurve = nid;
+ config->ecdhecurve = nid;
return (0);
}
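Review bot: The "legacy" branch of the new tls_config_set_dheparams() is inverted: `strcmp(params, "legacy")` is non-zero for every string that is not "legacy", so any unrecognised value (a typo, say) silently selects keylen 1024, while the literal "legacy" is the one input that returns -1. It should read `else if (strcasecmp(params, "legacy") == 0)`, which also matches the case-insensitive handling of "none" and "auto" in the two branches above it. Because 1024 is the only fixed DH size this setter can select, the inverted test turns a misspelt parameter into a downgrade instead of a configuration error, so the rejection path deserves a regression test once fixed. The accepted values ("none", "auto", "legacy") are not documented in the tls_init.3 hunk of this commit either; a sentence listing them alongside the ecdhecurve values would help callers.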
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index baff5531721..48974cb326e 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.8 2015/01/22 11:08:54 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.9 2015/02/07 06:19:26 jsing Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: January 22 2015 $
+.Dd $Mdocdate: February 7 2015 $
.Dt TLS 3
.Os
.Sh NAME
@@ -28,7 +28,8 @@
.Nm tls_config_set_cert_file ,
.Nm tls_config_set_cert_mem ,
.Nm tls_config_set_ciphers ,
-.Nm tls_config_set_ecdhcurve ,
+.Nm tls_config_set_dheparams ,
+.Nm tls_config_set_ecdhecurve ,
.Nm tls_config_set_key_file ,
.Nm tls_config_set_key_mem ,
.Nm tls_config_set_protocols ,
@@ -72,7 +73,9 @@
.Ft "int"
.Fn tls_config_set_ciphers "struct tls_config *config" "const char *ciphers"
.Ft "int"
-.Fn tls_config_set_ecdhcurve "struct tls_config *config" "const char *name"
+.Fn tls_config_set_dheparams "struct tls_config *config" "const char *params"
+.Ft "int"
+.Fn tls_config_set_ecdhecurve "struct tls_config *config" "const char *name"
.Ft "int"
.Fn tls_config_set_key_file "struct tls_config *config" "const char *key_file"
.Ft "int"
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 9a1a180e0bf..18fcf539c35 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.7 2015/01/22 09:16:24 reyk Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.8 2015/02/07 06:19:26 jsing Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -34,7 +34,8 @@ struct tls_config {
char *cert_mem;
size_t cert_len;
const char *ciphers;
- int ecdhcurve;
+ int dheparams;
+ int ecdhecurve;
const char *key_file;
char *key_mem;
size_t key_len;
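Review bot: The new `dheparams` field packs three distinct states into one int (0 for none, -1 for auto, 1024 for legacy, as assigned by tls_config_set_dheparams() in this commit) with no comment, and the renamed `ecdhecurve` overloads NID_undef and -1 in the same way. A brief comment such as `int dheparams;	/* 0: none, -1: auto, 1024: legacy */` would spare readers of tls_server.c a cross-reference to tls_config.c. struct tls_config continues outside the hunk.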
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index ac44f260ac2..8d71d2790fb 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.3 2015/01/30 14:25:37 bluhm Exp $ */
+/* $OpenBSD: tls_server.c,v 1.4 2015/02/07 06:19:26 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -63,12 +63,17 @@ tls_configure_server(struct tls *ctx)
if (tls_configure_keypair(ctx) != 0)
goto err;
- if (ctx->config->ecdhcurve == -1) {
+ if (ctx->config->dheparams == -1)
+ SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);
+ else if (ctx->config->dheparams == 1024)
+ SSL_CTX_set_dh_auto(ctx->ssl_ctx, 2);
+
+ if (ctx->config->ecdhecurve == -1) {
SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1);
- } else if (ctx->config->ecdhcurve != NID_undef) {
+ } else if (ctx->config->ecdhecurve != NID_undef) {
if ((ecdh_key = EC_KEY_new_by_curve_name(
- ctx->config->ecdhcurve)) == NULL) {
- tls_set_error(ctx, "failed to set ECDH curve");
+ ctx->config->ecdhecurve)) == NULL) {
+ tls_set_error(ctx, "failed to set ECDHE curve");
goto err;
}
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
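Review bot: The two new SSL_CTX_set_dh_auto() calls discard their return value, whereas the ECDHE path directly below reports failure with tls_set_error() and `goto err`; if the underlying ctrl can fail in this build, a DHE misconfiguration would silently leave the SSL_CTX with whatever DH state it already had. Treating any result other than 1 as an error in both branches, with a matching "failed to set DHE params" message, would keep the two code paths symmetric, and the mapping of dheparams 1024 to mode 2 deserves a one-line comment since nothing here says what mode 2 means. The ECDHE branch also sets SSL_OP_SINGLE_ECDH_USE, but no equivalent option is set for the DHE case; unless the library already forces fresh DH keys per handshake, that is worth confirming so DHE does not reuse a temporary key across connections. tls_configure_server continues outside the hunk.
```c
	if (ctx->config->dheparams == -1) {
		if (SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1) != 1) {
			tls_set_error(ctx, "failed to set DHE params");
			goto err;
		}
	} else if (ctx->config->dheparams == 1024) {
		/* Mode 2 selects the legacy 1024-bit parameters (see tls_config_set_dheparams). */
		if (SSL_CTX_set_dh_auto(ctx->ssl_ctx, 2) != 1) {
			tls_set_error(ctx, "failed to set DHE params");
			goto err;
		}
	}
	/* … unchanged: ECDHE curve setup … */
```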