Commit 6977e8ee authored by Kurt Roeckx's avatar Kurt Roeckx

Make SSL_{CTX}_set_tmp_ecdh() call SSL_{CTX_}set1_curves()



SSL_{CTX}_set_tmp_ecdh() allows setting one EC curve and then tries to use it.  On
the other hand SSL_{CTX_}set1_curves() allows you to set a list of curves, but
only when SSL_{CTX_}set_ecdh_auto() was called to turn it on.

Reviewed-by: default avatarDr. Stephen Henson <steve@openssl.org>
parent 6f78b9e8
+4 −0
@@ -13,6 +13,10 @@
     pages. This work was developed in partnership with Intel Corp.
     [Matt Caswell]

  *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
     SSL_{CTX_}set1_curves() which can set a list.
     [Kurt Roeckx]

  *) Remove support for SSL_{CTX_}set_tmp_ecdh_callback().  You should set the
     curve you want to support using SSL_{CTX_}set1_curves().
     [Kurt Roeckx]
+25 −32
@@ -4072,27 +4072,24 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#ifndef OPENSSL_NO_EC
    case SSL_CTRL_SET_TMP_ECDH:
        {
            EC_KEY *ecdh = NULL;
            const EC_GROUP *group = NULL;
            int nid;

            if (parg == NULL) {
                SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
                return (ret);
            }
            if (!EC_KEY_up_ref((EC_KEY *)parg)) {
                SSLerr(SSL_F_SSL3_CTRL, ERR_R_ECDH_LIB);
                return (ret);
            }
            ecdh = (EC_KEY *)parg;
            if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) {
                if (!EC_KEY_generate_key(ecdh)) {
                    EC_KEY_free(ecdh);
                    SSLerr(SSL_F_SSL3_CTRL, ERR_R_ECDH_LIB);
                    return (ret);
                return 0;
            }
            group = EC_KEY_get0_group((const EC_KEY *)parg);
            if (group == NULL) {
                SSLerr(SSL_F_SSL3_CTRL, EC_R_MISSING_PARAMETERS);
                return 0;
            }
            EC_KEY_free(s->cert->ecdh_tmp);
            s->cert->ecdh_tmp = ecdh;
            ret = 1;
            nid = EC_GROUP_get_curve_name(group);
            if (nid == NID_undef)
                return 0;
            return tls1_set_curves(&s->tlsext_ellipticcurvelist,
                                   &s->tlsext_ellipticcurvelist_length,
                                   &nid, 1);
        }
        break;
#endif                          /* !OPENSSL_NO_EC */
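Review bot: The `if (nid == NID_undef) return 0;` path fails without pushing anything onto the error queue, unlike the NULL-parameter and missing-group checks just above it that call SSLerr(); a caller that passes an EC_KEY built from explicit curve parameters now gets 0 with an empty error stack and no indication why. Since only named curves can be expressed through tls1_set_curves(), this is also a behavioural change from the removed code, which accepted any EC_KEY, and is worth stating in the SSL_{CTX_}set_tmp_ecdh() documentation. Suggest `SSLerr(SSL_F_SSL3_CTRL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);` before that return, and the same in the ssl3_ctx_ctrl hunk below with SSL_F_SSL3_CTX_CTRL. The enclosing switch in ssl3_ctrl starts and ends outside the hunk.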
@@ -4522,28 +4519,24 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
#ifndef OPENSSL_NO_EC
    case SSL_CTRL_SET_TMP_ECDH:
        {
            EC_KEY *ecdh = NULL;
            const EC_GROUP *group = NULL;
            int nid;

            if (parg == NULL) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_ECDH_LIB);
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_PASSED_NULL_PARAMETER);
                return 0;
            }
            ecdh = EC_KEY_dup((EC_KEY *)parg);
            if (ecdh == NULL) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_EC_LIB);
            group = EC_KEY_get0_group((const EC_KEY *)parg);
            if (group == NULL) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, EC_R_MISSING_PARAMETERS);
                return 0;
            }
            if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) {
                if (!EC_KEY_generate_key(ecdh)) {
                    EC_KEY_free(ecdh);
                    SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_ECDH_LIB);
            nid = EC_GROUP_get_curve_name(group);
            if (nid == NID_undef)
                return 0;
                }
            }

            EC_KEY_free(cert->ecdh_tmp);
            cert->ecdh_tmp = ecdh;
            return 1;
            return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
                                   &ctx->tlsext_ellipticcurvelist_length,
                                   &nid, 1);
        }
        /* break; */
#endif                          /* !OPENSSL_NO_EC */
+0 −10
@@ -232,13 +232,6 @@ CERT *ssl_cert_dup(CERT *cert)
#endif

#ifndef OPENSSL_NO_EC
    if (cert->ecdh_tmp) {
        ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
        if (ret->ecdh_tmp == NULL) {
            SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
            goto err;
        }
    }
    ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;
#endif

@@ -394,9 +387,6 @@ void ssl_cert_free(CERT *c)
#ifndef OPENSSL_NO_DH
    DH_free(c->dh_tmp);
#endif
#ifndef OPENSSL_NO_EC
    EC_KEY_free(c->ecdh_tmp);
#endif

    ssl_cert_clear_certs(c);
    OPENSSL_free(c->conf_sigalgs);
+1 −1
@@ -2037,7 +2037,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
#endif

#ifndef OPENSSL_NO_EC
    have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_auto);
    have_ecdh_tmp = c->ecdh_tmp_auto;
#endif
    cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
    rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;
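Review bot: `have_ecdh_tmp = c->ecdh_tmp_auto;` makes ECDHE eligibility depend solely on the auto flag, while the commit description says SSL_{CTX_}set1_curves() only takes effect once set_ecdh_auto() has been enabled, and neither SSL_CTRL_SET_TMP_ECDH hunk in this commit sets ecdh_tmp_auto. If nothing outside the visible hunks does, an application that calls SSL_CTX_set_tmp_ecdh() without SSL_CTX_set_ecdh_auto() will have its ECDHE cipher suites masked off here, surfacing as a silent fallback to non-forward-secret suites or a handshake failure rather than an error at configuration time. If the commit addresses this elsewhere, a comment such as `/* ECDHE is offered only when automatic curve selection is enabled; a tmp ECDH key alone no longer qualifies */` would make the dependency explicit. ssl_set_masks() starts and ends outside the hunk.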
+0 −1
@@ -1569,7 +1569,6 @@ typedef struct cert_st {
    int dh_tmp_auto;
# endif
# ifndef OPENSSL_NO_EC
    EC_KEY *ecdh_tmp;
    /* Select ECDH parameters automatically */
    int ecdh_tmp_auto;
# endif