only use a default curve if not already set
authorDr. Stephen Henson <steve@openssl.org>
Wed, 21 Nov 2012 16:47:25 +0000 (16:47 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 21 Nov 2012 16:47:25 +0000 (16:47 +0000)
apps/s_apps.h
apps/s_cb.c
apps/s_client.c
apps/s_server.c

index ccf06a6905a3c16947f0c4d605aae7534013f54e..30ce8830a65dad69fd34a0e08a486a1ef384bd4e 100644 (file)
@@ -199,5 +199,5 @@ void print_ssl_cert_checks(BIO *bio, SSL *s,
 int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
                        int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
-                                               STACK_OF(OPENSSL_STRING) *str);
+                               STACK_OF(OPENSSL_STRING) *str, int no_ecdhe);
 #endif
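Review bot: The new `no_ecdhe` parameter on the `args_ssl_call` prototype is undocumented, and its effect is wider than its name suggests: in the s_cb.c hunks it is also set when a `-named_curve` option is seen, so it really means "do not install a default ECDH curve". A one-line comment above the prototype would spare the next caller from reading s_cb.c, e.g. `/* no_ecdhe: non-zero to skip installing the default P-256 ECDH curve when no -named_curve option was given */`.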
index a007899ae77aa26fc1de7e07ee59973624dabcd5..11b6ea5d99c35bcc9d9c6408785f5b99223e3f92 100644 (file)
@@ -1594,7 +1594,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
        }
 
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
-                                               STACK_OF(OPENSSL_STRING) *str)
+                               STACK_OF(OPENSSL_STRING) *str, int no_ecdhe)
        {
        int i;
        SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
@@ -1602,6 +1602,11 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                {
                const char *param = sk_OPENSSL_STRING_value(str, i);
                const char *value = sk_OPENSSL_STRING_value(str, i + 1);
+               /* If no_ecdhe or named curve already specified don't need
+                * a default.
+                */
+               if (!no_ecdhe && !strcmp(param, "-named_curve"))
+                       no_ecdhe = 1;
                if (SSL_CONF_cmd(cctx, param, value) <= 0)
                        {
                        BIO_printf(err, "Error with command: \"%s %s\"\n",
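Review bot: Overwriting the `no_ecdhe` parameter when `-named_curve` is matched makes the name misleading by the end of the loop: it no longer says whether ECDHE is disabled, only whether a default curve is still wanted, which the following hunk then tests. A separate local keeps both meanings readable: `int need_default = !no_ecdhe;` before the loop, `need_default = 0;` in place of `no_ecdhe = 1;`, and `if (need_default)` for the default-curve block. The enclosing `args_ssl_call` continues past this hunk.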
@@ -1610,5 +1615,18 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                        return 0;
                        }
                }
+       /* This is a special case to keep existing s_server functionality:
+        * if we don't have any curve specified *and* we haven't disabled
+        * ECDHE then use P-256.
+        */
+       if (!no_ecdhe)
+               {
+               if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0)
+                       {
+                       BIO_puts(err, "Error setting EC curve\n");
+                       ERR_print_errors(err);
+                       return 0;
+                       }
+               }
        return 1;
        }
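Review bot: The default-curve block at the end of `args_ssl_call` has no `#ifndef OPENSSL_NO_ECDH` guard, whereas the s_server.c code it replaces was entirely inside one. If `SSL_CONF_cmd` rejects `-named_curve` in a no-ecdh build (not verifiable from this diff), s_server will now refuse to start with "Error setting EC curve" unless `-no_ecdhe` is given; wrapping the `if (!no_ecdhe) { ... }` block in `#ifndef OPENSSL_NO_ECDH` / `#endif` restores the old behaviour. The removed code also accepted `-named_curve auto` (via `SSL_CTX_set_ecdh_auto`); it is worth confirming that `SSL_CONF_cmd` accepts the same spelling so existing command lines keep working.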
index f6a28540b51e5af9ca21baf39c1a955a4e029cb2..3fcf7922b40fba4fea6a689ad5c916e9771a31c8 100644 (file)
@@ -1149,7 +1149,7 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
 
-       if (!args_ssl_call(ctx, bio_err, cctx, ssl_args))
+       if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1))
                {
                ERR_print_errors(bio_err);
                goto end;
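Review bot: The bare literal `1` passed as the new `no_ecdhe` argument in s_client.c is opaque at the call site; since the argument's meaning is defined in s_cb.c, a short note here would help: `/* 1: a client never installs a default ECDH curve */`. The surrounding `MAIN` body extends beyond this hunk.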
index 5129b002dd803ecd712ff151e4ed2d58934f8a60..03675d62e4eb2e4e9d631ef506ec150c3b16f3a3 100644 (file)
@@ -963,9 +963,6 @@ int MAIN(int argc, char *argv[])
        char *vfyCApath=NULL,*vfyCAfile=NULL;
        unsigned char *context = NULL;
        char *dhfile = NULL;
-#ifndef OPENSSL_NO_ECDH
-       char *named_curve = NULL;
-#endif
        int badop=0;
        int ret=1;
        int build_chain = 0;
@@ -1703,7 +1700,7 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
 
-       if (!args_ssl_call(ctx, bio_err, cctx, ssl_args))
+       if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe))
                goto end;
 
        if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
@@ -1769,7 +1766,7 @@ bad:
                if (vpm)
                        SSL_CTX_set1_param(ctx2, vpm);
 
-               if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args))
+               if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe))
                        goto end;
                }
 
@@ -1823,58 +1820,6 @@ bad:
                }
 #endif
 
-#ifndef OPENSSL_NO_ECDH
-       if (!no_ecdhe)
-               {
-               EC_KEY *ecdh=NULL;
-
-               if (named_curve && strcmp(named_curve, "auto"))
-                       {
-                       int nid = EC_curve_nist2nid(named_curve);
-                       if (nid == NID_undef)
-                               nid = OBJ_sn2nid(named_curve);
-                       if (nid == 0)
-                               {
-                               BIO_printf(bio_err, "unknown curve name (%s)\n", 
-                                       named_curve);
-                               goto end;
-                               }
-                       ecdh = EC_KEY_new_by_curve_name(nid);
-                       if (ecdh == NULL)
-                               {
-                               BIO_printf(bio_err, "unable to create curve (%s)\n", 
-                                       named_curve);
-                               goto end;
-                               }
-                       }
-
-               if (ecdh != NULL)
-                       {
-                       BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
-                       }
-               else if (named_curve)
-                       SSL_CTX_set_ecdh_auto(ctx, 1);
-               else
-                       {
-                       BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
-                       ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-                       if (ecdh == NULL) 
-                               {
-                               BIO_printf(bio_err, "unable to create curve (nistp256)\n");
-                               goto end;
-                               }
-                       }
-               (void)BIO_flush(bio_s_out);
-
-               SSL_CTX_set_tmp_ecdh(ctx,ecdh);
-#ifndef OPENSSL_NO_TLSEXT
-               if (ctx2) 
-                       SSL_CTX_set_tmp_ecdh(ctx2,ecdh);
-#endif
-               EC_KEY_free(ecdh);
-               }
-#endif
-       
        if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
                goto end;
 #ifndef OPENSSL_NO_TLSEXT