Commit a4352630 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Add support for automatic ECDH temporary key parameter selection. When 

enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
parent 2131ce57

CHANGES

+7 −0
Original line number Diff line number Diff line
@@ -4,6 +4,13 @@ 


 Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]



  *) Support for automatic EC temporary key parameter selection. If enabled

     the most preferred EC parameters are automatically used instead of

     hardcoded fixed parameters. Now a server just has to call:

     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically

     support ECDH and use the most appropriate parameters.

     [Steve Henson]



  *) Enhance and tidy EC curve and point format TLS extension code. Use

     static structures instead of allocation if default values are used.

     New ctrls to set curves we wish to support and to retrieve shared curves.

apps/s_cb.c

+2 −0
Original line number Diff line number Diff line
@@ -355,6 +355,8 @@ int ssl_print_curves(BIO *out, SSL *s) 
			cname = OBJ_nid2sn(nid);

		BIO_printf(out, "%s", cname);

		}

	if (ncurves == 0)

		BIO_puts(out, "NONE");

	BIO_puts(out, "\n");

	return 1;

	}

apps/s_server.c

+6 −3
Original line number Diff line number Diff line
@@ -1713,10 +1713,11 @@ bad: 
		{

		EC_KEY *ecdh=NULL;



		if (named_curve)

		if (named_curve && strcmp(named_curve, "auto"))

			{

			int nid = OBJ_sn2nid(named_curve);



			int nid = EC_curve_nist2nid(named_curve);

			if (nid == NID_undef)

				nid = OBJ_sn2nid(named_curve);

			if (nid == 0)

				{

				BIO_printf(bio_err, "unknown curve name (%s)\n",
@@ -1736,6 +1737,8 @@ bad: 
			{

			BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");

			}

		else if (named_curve)

			SSL_CTX_set_ecdh_auto(ctx, 1);

		else

			{

			BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");

ssl/s3_lib.c

+7 −1
Original line number Diff line number Diff line
@@ -3399,6 +3399,9 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 
	case SSL_CTRL_GET_SHARED_CURVE:

		return tls1_shared_curve(s, larg);



	case SSL_CTRL_SET_ECDH_AUTO:

		s->cert->ecdh_tmp_auto = larg;

		break;



	default:

		break;
@@ -3678,6 +3681,9 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 
		return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,

					&ctx->tlsext_ellipticcurvelist_length,

								parg);

	case SSL_CTRL_SET_ECDH_AUTO:

		ctx->cert->ecdh_tmp_auto = larg;

		break;

#endif /* !OPENSSL_NO_TLSEXT */



	/* A Thawte special :-) */

ssl/s3_srvr.c

+11 −2
Original line number Diff line number Diff line
@@ -1683,7 +1683,14 @@ int ssl3_send_server_key_exchange(SSL *s) 
			const EC_GROUP *group;



			ecdhp=cert->ecdh_tmp;

			if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))

			if (s->cert->ecdh_tmp_auto)

				{

				/* Get NID of first shared curve */

				int nid = tls1_shared_curve(s, 0);

				if (nid != NID_undef)

					ecdhp = EC_KEY_new_by_curve_name(nid);

				}

			else if ((ecdhp == NULL) && s->cert->ecdh_tmp_cb)

				{

				ecdhp=s->cert->ecdh_tmp_cb(s,

				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
@@ -1708,7 +1715,9 @@ int ssl3_send_server_key_exchange(SSL *s) 
				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);

				goto err;

				}

			if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)

			if (s->cert->ecdh_tmp_auto)

				ecdh = ecdhp;

			else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)

				{

				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);

				goto err;