From 9eb904175e3fac9b2a5933426135b9b864751f9f Mon Sep 17 00:00:00 2001
From: Joel Sing
Date: Sat, 7 Feb 2015 06:19:27 +0000
Subject: Add tls_config_set_dheparams() to allow specification of the parameters to use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@
---
 lib/libtls/Makefile       |  5 +++--
 lib/libtls/shlib_version  |  4 ++--
 lib/libtls/tls.h          |  5 +++--
 lib/libtls/tls_config.c   | 30 +++++++++++++++++++++++++-----
 lib/libtls/tls_init.3     | 11 +++++++----
 lib/libtls/tls_internal.h |  5 +++--
 lib/libtls/tls_server.c   | 15 ++++++++++-----
 7 files changed, 53 insertions(+), 22 deletions(-)

(limited to 'lib/libtls')

diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile
index e9559f9f955..bf7de202ffd 100644
--- a/lib/libtls/Makefile
+++ b/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2015/01/22 09:29:04 reyk Exp $
+# $OpenBSD: Makefile,v 1.3 2015/02/07 06:19:26 jsing Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -26,7 +26,8 @@ MLINKS+=tls_init.3 tls_config_set_ca_mem.3
 MLINKS+=tls_init.3 tls_config_set_cert_file.3
 MLINKS+=tls_init.3 tls_config_set_cert_mem.3
 MLINKS+=tls_init.3 tls_config_set_ciphers.3
-MLINKS+=tls_init.3 tls_config_set_ecdhcurve.3
+MLINKS+=tls_init.3 tls_config_set_ecdhecurve.3
+MLINKS+=tls_init.3 tls_config_set_dheparams.3
 MLINKS+=tls_init.3 tls_config_set_key_file.3
 MLINKS+=tls_init.3 tls_config_set_key_mem.3
 MLINKS+=tls_init.3 tls_config_set_protocols.3
diff --git a/lib/libtls/shlib_version b/lib/libtls/shlib_version
index 893819d18ff..b52599a164f 100644
--- a/lib/libtls/shlib_version
+++ b/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
-major=1
-minor=1
+major=2
+minor=0
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 8dcf1257654..20e5b469019 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.3 2015/01/22 09:16:24 reyk Exp $ */
+/* $OpenBSD: tls.h,v 1.4 2015/02/07 06:19:26 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -48,7 +48,8 @@ int tls_config_set_cert_file(struct tls_config *config, const char *cert_file);
 int tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
     size_t len);
 int tls_config_set_ciphers(struct tls_config *config, const char *ciphers);
-int tls_config_set_ecdhcurve(struct tls_config *config, const char *name);
+int tls_config_set_dheparams(struct tls_config *config, const char *params);
+int tls_config_set_ecdhecurve(struct tls_config *config, const char *name);
 int tls_config_set_key_file(struct tls_config *config, const char *key_file);
 int tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
     size_t len);
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 16120c5e4e3..7697fa6ee85 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.2 2015/01/22 09:16:24 reyk Exp $ */
+/* $OpenBSD: tls_config.c,v 1.3 2015/02/07 06:19:26 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -71,7 +71,8 @@ tls_config_new(void)
 		tls_config_free(config);
 		return (NULL);
 	}
-	tls_config_set_ecdhcurve(config, "auto");
+	tls_config_set_dheparams(config, "none");
+	tls_config_set_ecdhecurve(config, "auto");
 	tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
 	tls_config_set_verify_depth(config, 6);
 
@@ -145,18 +146,37 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
 }
 
 int
-tls_config_set_ecdhcurve(struct tls_config *config, const char *name)
+tls_config_set_dheparams(struct tls_config *config, const char *params)
+{
+	int keylen;
+
+	if (params == NULL || strcasecmp(params, "none") == 0)
+		keylen = 0;
+	else if (strcasecmp(params, "auto") == 0)
+		keylen = -1;
+	else if (strcmp(params, "legacy"))
+		keylen = 1024;
+	else
+		return (-1);
+
+	config->dheparams = keylen;
+
+	return (0);
+}
+
+int
+tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
 {
 	int nid;
 
-	if (name == NULL)
+	if (name == NULL || strcasecmp(name, "none") == 0)
 		nid = NID_undef;
 	else if (strcasecmp(name, "auto") == 0)
 		nid = -1;
 	else if ((nid = OBJ_txt2nid(name)) == NID_undef)
 		return (-1);
 
-	config->ecdhcurve = nid;
+	config->ecdhecurve = nid;
 
 	return (0);
 }
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index baff5531721..48974cb326e 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.8 2015/01/22 11:08:54 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.9 2015/02/07 06:19:26 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 22 2015 $
+.Dd $Mdocdate: February 7 2015 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -28,7 +28,8 @@
 .Nm tls_config_set_cert_file ,
 .Nm tls_config_set_cert_mem ,
 .Nm tls_config_set_ciphers ,
-.Nm tls_config_set_ecdhcurve ,
+.Nm tls_config_set_dheparams ,
+.Nm tls_config_set_ecdhecurve ,
 .Nm tls_config_set_key_file ,
 .Nm tls_config_set_key_mem ,
 .Nm tls_config_set_protocols ,
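Review bot: The "legacy" branch in the new tls_config_set_dheparams() has its test inverted: `else if (strcmp(params, "legacy"))` is true for every string that is not exactly "legacy", so any unrecognised or mistyped value is silently accepted as 1024-bit DH, while the literal "legacy" falls through to `return (-1)`. It should read `else if (strcasecmp(params, "legacy") == 0)`, which also matches the case-insensitive handling of "none" and "auto" in the two branches above it. Since "legacy" selects 1024-bit parameters, which are well below current recommendations, a comment at that branch saying so (e.g. `/* 1024-bit DH, for old clients only; do not use by default. */`) would keep callers from picking it casually, and the bare 0/-1/1024 values that tls_server.c must interpret would be clearer as named constants shared via tls_internal.h.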
@@ -72,7 +73,9 @@
 .Ft "int"
 .Fn tls_config_set_ciphers "struct tls_config *config" "const char *ciphers"
 .Ft "int"
-.Fn tls_config_set_ecdhcurve "struct tls_config *config" "const char *name"
+.Fn tls_config_set_dheparams "struct tls_config *config" "const char *params"
+.Ft "int"
+.Fn tls_config_set_ecdhecurve "struct tls_config *config" "const char *name"
 .Ft "int"
 .Fn tls_config_set_key_file "struct tls_config *config" "const char *key_file"
 .Ft "int"
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 9a1a180e0bf..18fcf539c35 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.7 2015/01/22 09:16:24 reyk Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.8 2015/02/07 06:19:26 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  * Copyright (c) 2014 Joel Sing
@@ -34,7 +34,8 @@ struct tls_config {
 	char *cert_mem;
 	size_t cert_len;
 	const char *ciphers;
-	int ecdhcurve;
+	int dheparams;
+	int ecdhecurve;
 	const char *key_file;
 	char *key_mem;
 	size_t key_len;
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index ac44f260ac2..8d71d2790fb 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.3 2015/01/30 14:25:37 bluhm Exp $ */
+/* $OpenBSD: tls_server.c,v 1.4 2015/02/07 06:19:26 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -63,12 +63,17 @@ tls_configure_server(struct tls *ctx)
 	if (tls_configure_keypair(ctx) != 0)
 		goto err;
 
-	if (ctx->config->ecdhcurve == -1) {
+	if (ctx->config->dheparams == -1)
+		SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);
+	else if (ctx->config->dheparams == 1024)
+		SSL_CTX_set_dh_auto(ctx->ssl_ctx, 2);
+
+	if (ctx->config->ecdhecurve == -1) {
 		SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1);
-	} else if (ctx->config->ecdhcurve != NID_undef) {
+	} else if (ctx->config->ecdhecurve != NID_undef) {
 		if ((ecdh_key = EC_KEY_new_by_curve_name(
-		    ctx->config->ecdhcurve)) == NULL) {
-			tls_set_error(ctx, "failed to set ECDH curve");
+		    ctx->config->ecdhecurve)) == NULL) {
+			tls_set_error(ctx, "failed to set ECDHE curve");
 			goto err;
 		}
 		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
-- cgit v1.2.3
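Review bot: The new DHE block ignores the return value of both `SSL_CTX_set_dh_auto()` calls, whereas the ECDHE block directly below it reports failure through tls_set_error() and jumps to err; a silent failure here would leave the server without DHE after the caller explicitly asked for it, so the calls should be checked the same way, e.g. `if (SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1) != 1) { tls_set_error(ctx, "failed to set DHE parameters"); goto err; }`. The ECDHE path also sets `SSL_OP_SINGLE_ECDH_USE`, but no corresponding `SSL_OP_SINGLE_DH_USE` is set for the DHE path; whether the auto-DH implementation in this tree already generates a fresh private value per handshake is not visible from the hunk, so that should be confirmed rather than assumed, since reusing the DH private key across connections undermines the forward secrecy DHE is meant to provide. The literal `1024` duplicates the value assigned in tls_config_set_dheparams() and the mapping to the magic argument `2` is undocumented; a shared constant plus a comment such as `/* "legacy": 1024-bit DH for old clients; weaker than current guidance */` would keep the two files in step. tls_configure_server() continues past the end of this hunk.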