Commit d0595f17 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Initial revision of ECC extension handling.

Tidy some code up.

Don't allocate a structure to handle ECC extensions when it is used for
default values.

Make supported curves configurable.

Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
parent 751e26cb
+7 −0
@@ -4,6 +4,13 @@

 Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]

  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set list of supported curves.
     [Steve Henson]

  *) New ctrls to retrieve supported signature algorithms and 
     supported curve values as an array of NIDs. Extend openssl utility
     to print out received values.
+17 −6
@@ -316,18 +316,17 @@ int ssl_print_sigalgs(BIO *out, SSL *s)

int ssl_print_curves(BIO *out, SSL *s)
	{
	int i, ncurves, *curves;
	ncurves = SSL_get1_curvelist(s, NULL);
	int i, ncurves, *curves, nid;
	const char *cname;
	ncurves = SSL_get1_curves(s, NULL);
	if (ncurves <= 0)
		return 1;
	curves = OPENSSL_malloc(ncurves * sizeof(int));
	SSL_get1_curvelist(s, curves);
	SSL_get1_curves(s, curves);

	BIO_puts(out, "Supported Elliptic Curves: ");
	for (i = 0; i < ncurves; i++)
		{
		int nid;
		const char *cname;
		if (i)
			BIO_puts(out, ":");
		nid = curves[i];
@@ -343,8 +342,20 @@ int ssl_print_curves(BIO *out, SSL *s)
			BIO_printf(out, "%s", cname);
			}
		}
	BIO_puts(out, "\n");
	BIO_puts(out, "\nShared Elliptic curves: ");
	OPENSSL_free(curves);
	ncurves = SSL_get_shared_curve(s, -1);
	for (i = 0; i < ncurves; i++)
		{
		if (i)
			BIO_puts(out, ":");
		nid = SSL_get_shared_curve(s, i);
		cname = EC_curve_nid2nist(nid);
		if (!cname)
			cname = OBJ_nid2sn(nid);
		BIO_printf(out, "%s", cname);
		}
	BIO_puts(out, "\n");
	return 1;
	}

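Review bot: The renamed call `SSL_get1_curves(s, curves);` is still reached with an unchecked `OPENSSL_malloc` result, so an allocation failure writes the curve list through a NULL pointer; add `if (!curves) return 0;` between the allocation and that call. In the new shared-curve loop, `OBJ_nid2sn(nid)` can return NULL for a NID it does not know, and the result goes straight into `BIO_printf(out, "%s", cname)`; OpenSSL's BIO_printf prints a placeholder for NULL, but that is library-specific, so `BIO_printf(out, "%s", cname ? cname : "<unknown>")` makes the output explicit. Note also that the early `return 1` on `ncurves <= 0` now skips the "Shared Elliptic curves" line as well, which is presumably intended but worth a one-line comment at the return.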
+12 −0
@@ -601,6 +601,7 @@ int MAIN(int argc, char **argv)
#endif
#ifndef OPENSSL_NO_TLSEXT
	char *servername = NULL; 
	char *curves=NULL;
        tlsextctx tlsextcbp = 
        {NULL,0};
# ifndef OPENSSL_NO_NEXTPROTONEG
@@ -937,6 +938,11 @@ int MAIN(int argc, char **argv)
			servername= *(++argv);
			/* meth=TLSv1_client_method(); */
			}
		else if	(strcmp(*argv,"-curves") == 0)
			{
			if (--argc < 1) goto bad;
			curves= *(++argv);
			}
#endif
#ifndef OPENSSL_NO_JPAKE
		else if (strcmp(*argv,"-jpake") == 0)
@@ -1176,6 +1182,12 @@ bad:
		}

#ifndef OPENSSL_NO_TLSEXT
	if (curves != NULL)
		if(!SSL_CTX_set1_curves_list(ctx,curves)) {
		BIO_printf(bio_err,"error setting curve list\n");
		ERR_print_errors(bio_err);
		goto end;
	}
	if (servername != NULL)
		{
		tlsextcbp.biodebug = bio_err;
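Review bot: The new `-curves` option is parsed and applied but no usage/help text is added for it: the section's +12 additions are fully accounted for by the declaration, the option parse and the `SSL_CTX_set1_curves_list` block, and the same holds for the +24 in s_server.c; add a usage line in both (for example `-curves arg - elliptic curves to support`, wording to taste). Style: the guard at `if (curves != NULL)` nests a brace-less `if` with a K&R-placed `{`, unlike the indented-brace style around it and the braced form of the same block in s_server.c; rewrite it as `if (curves != NULL)` / `{` / `if (!SSL_CTX_set1_curves_list(ctx, curves))` / `{ ... }` / `}` in the file's style. MAIN begins and ends outside the hunk.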
+24 −0
@@ -273,6 +273,7 @@ static int s_server_session_id_context = 1; /* anything will do */
static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
#ifndef OPENSSL_NO_TLSEXT
static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
static char *curves=NULL;
#endif
static char *s_dcert_file=NULL,*s_dkey_file=NULL;
#ifdef FIONBIO
@@ -437,6 +438,7 @@ static void s_server_init(void)
	s_cert_file=TEST_CERT;
	s_key_file=NULL;
#ifndef OPENSSL_NO_TLSEXT
	curves=NULL;
	s_cert_file2=TEST_CERT2;
	s_key_file2=NULL;
	ctx2=NULL;
@@ -1174,6 +1176,11 @@ int MAIN(int argc, char *argv[])
				goto bad;
				}
			}
		else if	(strcmp(*argv,"-curves") == 0)
			{
			if (--argc < 1) goto bad;
			curves= *(++argv);
			}
#endif
		else if	(strcmp(*argv,"-msg") == 0)
			{ s_msg=1; }
@@ -1849,6 +1856,23 @@ bad:
			}
#endif
		}
#ifndef OPENSSL_NO_TLSEXT
	if (curves)
		{
		if(!SSL_CTX_set1_curves_list(ctx,curves))
			{
			BIO_printf(bio_err,"error setting curves list\n");
			ERR_print_errors(bio_err);
			goto end;
			}
		if(ctx2 && !SSL_CTX_set1_curves_list(ctx2,curves))
			{
			BIO_printf(bio_err,"error setting curves list\n");
			ERR_print_errors(bio_err);
			goto end;
			}
		}
#endif
	SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
	SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
		sizeof s_server_session_id_context);
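Review bot: Both failure branches in the new `if (curves)` block print the identical message `error setting curves list`, so a failure on ctx2 cannot be told apart from one on ctx when reading the error output; make the second one `BIO_printf(bio_err,"error setting curves list for second context\n");` (or loop over the two contexts so the message can name which one failed). The wording also differs from s_client.c's `error setting curve list`; pick one spelling for both tools. MAIN begins and ends outside the hunk.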
+25 −1
@@ -3365,7 +3365,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
		else
			return ssl_cert_add0_chain_cert(s->cert, (X509 *)parg);

	case SSL_CTRL_GET_CURVELIST:
	case SSL_CTRL_GET_CURVES:
		{
		unsigned char *clist;
		size_t clistlen;
@@ -3391,6 +3391,20 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
		return (int)clistlen;
		}

	case SSL_CTRL_SET_CURVES:
		return tls1_set_curves(&s->tlsext_ellipticcurvelist,
					&s->tlsext_ellipticcurvelist_length,
								parg, larg);

	case SSL_CTRL_SET_CURVES_LIST:
		return tls1_set_curves_list(&s->tlsext_ellipticcurvelist,
					&s->tlsext_ellipticcurvelist_length,
								parg);

	case SSL_CTRL_GET_SHARED_CURVE:
		return tls1_shared_curve(s, larg);
 

	default:
		break;
		}
@@ -3659,6 +3673,16 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
		ctx->srp_ctx.strength=larg;
		break;
#endif

	case SSL_CTRL_SET_CURVES:
		return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
					&ctx->tlsext_ellipticcurvelist_length,
								parg, larg);

	case SSL_CTRL_SET_CURVES_LIST:
		return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
					&ctx->tlsext_ellipticcurvelist_length,
								parg);
#endif /* !OPENSSL_NO_TLSEXT */

	/* A Thawte special :-) */
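Review bot: The new `SSL_CTRL_GET_SHARED_CURVE` case in ssl3_ctrl is followed by a line containing only a space (between `return tls1_shared_curve(s, larg);` and the blank line), which is trailing whitespace that should be dropped. The five new ctrl cases across ssl3_ctrl and ssl3_ctx_ctrl carry no comment on their argument contract; a short comment at the first `case SSL_CTRL_SET_CURVES:` such as `/* SET_CURVES: parg is the NID array, larg its element count; SET_CURVES_LIST: parg is the list string; GET_SHARED_CURVE: larg is the index, -1 for the count */` would help, but the parg/larg types are not visible in these hunks, so confirm them against tls1_set_curves, tls1_set_curves_list and tls1_shared_curve before writing it. Both ssl3_ctrl and ssl3_ctx_ctrl begin and end outside the hunks.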