From 191b3f0ba9d574809b8e18e6238f54525c87b8d3 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 21 Nov 2012 16:47:25 +0000 Subject: [PATCH] only use a default curve if not already set --- apps/s_apps.h | 2 +- apps/s_cb.c | 20 ++++++++++++++++- apps/s_client.c | 2 +- apps/s_server.c | 59 ++----------------------------------------------- 4 files changed, 23 insertions(+), 60 deletions(-) diff --git a/apps/s_apps.h b/apps/s_apps.h index ccf06a6905..30ce8830a6 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -199,5 +199,5 @@ void print_ssl_cert_checks(BIO *bio, SSL *s, int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, - STACK_OF(OPENSSL_STRING) *str); + STACK_OF(OPENSSL_STRING) *str, int no_ecdhe); #endif diff --git a/apps/s_cb.c b/apps/s_cb.c index a007899ae7..11b6ea5d99 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1594,7 +1594,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, } int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, - STACK_OF(OPENSSL_STRING) *str) + STACK_OF(OPENSSL_STRING) *str, int no_ecdhe) { int i; SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); @@ -1602,6 +1602,11 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, { const char *param = sk_OPENSSL_STRING_value(str, i); const char *value = sk_OPENSSL_STRING_value(str, i + 1); + /* If no_ecdhe or named curve already specified don't need + * a default. + */ + if (!no_ecdhe && !strcmp(param, "-named_curve")) + no_ecdhe = 1; if (SSL_CONF_cmd(cctx, param, value) <= 0) { BIO_printf(err, "Error with command: \"%s %s\"\n", 
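Review bot: In the args_ssl_call loop, the new `-named_curve` check only suppresses the P-256 fallback, so `-no_ecdhe -named_curve X` still installs a curve through SSL_CONF_cmd, whereas the s_server block this commit deletes guarded all temporary-ECDH setup on `!no_ecdhe`; if `-no_ecdhe` is meant to disable ephemeral ECDH entirely, the command should not be forwarded either, e.g. `if (no_ecdhe && !strcmp(param, "-named_curve")) continue;` ahead of the SSL_CONF_cmd call. Reusing the `no_ecdhe` parameter to also mean "a curve was already given" obscures both meanings; a separate local such as `int need_default = !no_ecdhe;`, cleared on `-named_curve` and tested after the loop, keeps the name honest. The deleted s_server code also special-cased the value `auto` (mapping it to SSL_CTX_set_ecdh_auto), and it is not visible here whether SSL_CONF_cmd's `-named_curve` accepts that value, so confirm that `-named_curve auto` does not now fail with "Error with command". args_ssl_call's body continues past the end of the hunk.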
@@ -1610,5 +1615,18 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, return 0; } } + /* This is a special case to keep existing s_server functionality: + * if we don't have any curve specified *and* we haven't disabled + * ECDHE then use P-256. + */ + if (!no_ecdhe) + { + if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) + { + BIO_puts(err, "Error setting EC curve\n"); + ERR_print_errors(err); + return 0; + } + } return 1; } diff --git a/apps/s_client.c b/apps/s_client.c index f6a28540b5..3fcf7922b4 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1149,7 +1149,7 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); - if (!args_ssl_call(ctx, bio_err, cctx, ssl_args)) + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1)) { ERR_print_errors(bio_err); goto end; diff --git a/apps/s_server.c b/apps/s_server.c index 5129b002dd..03675d62e4 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -963,9 +963,6 @@ int MAIN(int argc, char *argv[]) char *vfyCApath=NULL,*vfyCAfile=NULL; unsigned char *context = NULL; char *dhfile = NULL; -#ifndef OPENSSL_NO_ECDH - char *named_curve = NULL; -#endif int badop=0; int ret=1; int build_chain = 0; @@ -1703,7 +1700,7 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); - if (!args_ssl_call(ctx, bio_err, cctx, ssl_args)) + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile)) @@ -1769,7 +1766,7 @@ bad: if (vpm) SSL_CTX_set1_param(ctx2, vpm); - if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args)) + if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe)) goto end; } 
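Review bot: The P-256 fallback after the loop is silent and its contract lives only in this comment: the `no_ecdhe` parameter added to the prototype in s_apps.h should state that non-zero suppresses the default, e.g. `/* no_ecdhe: if non-zero, do not install the P-256 default when no -named_curve was given */`, and the failure message should name what was being set, `BIO_puts(err, "Error setting default EC curve P-256\n");`. The comment claims this keeps existing s_server behaviour, but the removed code also printed "Using default temp ECDH parameters" to bio_s_out, so an operator can no longer tell from the server output which curve is in effect; if that loss is intentional, say so here, otherwise have the caller report the choice. Both s_server call sites (ctx and ctx2) pass `no_ecdhe` by value, so the `no_ecdhe = 1` assignment inside the loop does not leak between them, which is fine but worth a one-line comment since the parameter is being used as loop-local state.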
@@ -1823,58 +1820,6 @@ bad: } #endif -#ifndef OPENSSL_NO_ECDH - if (!no_ecdhe) - { - EC_KEY *ecdh=NULL; - - if (named_curve && strcmp(named_curve, "auto")) - { - int nid = EC_curve_nist2nid(named_curve); - if (nid == NID_undef) - nid = OBJ_sn2nid(named_curve); - if (nid == 0) - { - BIO_printf(bio_err, "unknown curve name (%s)\n", - named_curve); - goto end; - } - ecdh = EC_KEY_new_by_curve_name(nid); - if (ecdh == NULL) - { - BIO_printf(bio_err, "unable to create curve (%s)\n", - named_curve); - goto end; - } - } - - if (ecdh != NULL) - { - BIO_printf(bio_s_out,"Setting temp ECDH parameters\n"); - } - else if (named_curve) - SSL_CTX_set_ecdh_auto(ctx, 1); - else - { - BIO_printf(bio_s_out,"Using default temp ECDH parameters\n"); - ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (ecdh == NULL) - { - BIO_printf(bio_err, "unable to create curve (nistp256)\n"); - goto end; - } - } - (void)BIO_flush(bio_s_out); - - SSL_CTX_set_tmp_ecdh(ctx,ecdh); -#ifndef OPENSSL_NO_TLSEXT - if (ctx2) - SSL_CTX_set_tmp_ecdh(ctx2,ecdh); -#endif - EC_KEY_free(ecdh); - } -#endif - if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT -- 2.34.1