Loading CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -13,6 +13,11 @@ pages. This work was developed in partnership with Intel Corp. [Matt Caswell] *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is always enabled now. If you want to disable the support you should exclude it using the list of supported ciphers. [Kurt Roeckx] *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls SSL_{CTX_}set1_curves() which can set a list. [Kurt Roeckx] Loading doc/ssl/SSL_CTX_set1_curves.pod +3 −25 Original line number Diff line number Diff line Loading @@ -3,8 +3,7 @@ =head1 NAME SSL_CTX_set1_curves, SSL_CTX_set1_curves_list, SSL_set1_curves, SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve, SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto - EC supported curve functions SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve - EC supported curve functions =head1 SYNOPSIS Loading @@ -19,9 +18,6 @@ SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto - EC supported curve functions int SSL_get1_curves(SSL *ssl, int *curves); int SSL_get_shared_curve(SSL *s, int n); int SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int onoff); int SSL_set_ecdh_auto(SSL *s, int onoff); =head1 DESCRIPTION SSL_CTX_set1_curves() sets the supported curves for B<ctx> to B<clistlen> Loading Loading @@ -52,11 +48,6 @@ most applications will only be interested in the first shared curve so B<n> is normally set to zero. If the value B<n> is out of range, NID_undef is returned. SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() set automatic curve selection for server B<ctx> or B<ssl> to B<onoff>. If B<onoff> is 1 then the highest preference curve is automatically used for ECDH temporary keys used during key exchange. All these functions are implemented as macros. =head1 NOTES Loading 
@@ -65,23 +56,10 @@ If an application wishes to make use of several of these functions for configuration purposes either on a command line or in a file it should consider using the SSL_CONF interface instead of manually parsing options. The functions SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() can be used to make a server always choose the most appropriate curve for a client. If set it will override any temporary ECDH parameters set by a server. Previous versions of OpenSSL could effectively only use a single ECDH curve set using a function such as SSL_CTX_set_ecdh_tmp(). Newer applications should just call: SSL_CTX_set_ecdh_auto(ctx, 1); and they will automatically support ECDH using the most appropriate shared curve. =head1 RETURN VALUES SSL_CTX_set1_curves(), SSL_CTX_set1_curves_list(), SSL_set1_curves(), SSL_set1_curves_list(), SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() return 1 for success and 0 for failure. SSL_CTX_set1_curves(), SSL_CTX_set1_curves_list(), SSL_set1_curves() and SSL_set1_curves_list(), return 1 for success and 0 for failure. SSL_get1_curves() returns the number of curves, which may be zero. Loading include/openssl/ssl.h +0 −5 Original line number Diff line number Diff line Loading @@ -1202,7 +1202,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTRL_SET_CURVES 91 # define SSL_CTRL_SET_CURVES_LIST 92 # define SSL_CTRL_GET_SHARED_CURVE 93 # define SSL_CTRL_SET_ECDH_AUTO 94 # define SSL_CTRL_SET_SIGALGS 97 # define SSL_CTRL_SET_SIGALGS_LIST 98 # define SSL_CTRL_CERT_FLAGS 99 Loading Loading 
@@ -1335,10 +1334,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl(ctx,SSL_CTRL_SET_CURVES_LIST,0,(char *)s) # define SSL_get_shared_curve(s, n) \ SSL_ctrl(s,SSL_CTRL_GET_SHARED_CURVE,n,NULL) # define SSL_CTX_set_ecdh_auto(ctx, onoff) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) # define SSL_set_ecdh_auto(s, onoff) \ SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) # define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)slist) # define SSL_CTX_set1_sigalgs_list(ctx, s) \ Loading ssl/s3_lib.c +0 −8 Original line number Diff line number Diff line Loading @@ -4256,11 +4256,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_SHARED_CURVE: return tls1_shared_curve(s, larg); # ifndef OPENSSL_NO_EC case SSL_CTRL_SET_ECDH_AUTO: s->cert->ecdh_tmp_auto = larg; return 1; # endif #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); Loading Loading @@ -4611,9 +4606,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, parg); case SSL_CTRL_SET_ECDH_AUTO: ctx->cert->ecdh_tmp_auto = larg; return 1; #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); Loading ssl/ssl_cert.c +0 −4 Original line number Diff line number Diff line Loading @@ -231,10 +231,6 @@ CERT *ssl_cert_dup(CERT *cert) ret->dh_tmp_auto = cert->dh_tmp_auto; #endif #ifndef OPENSSL_NO_EC ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; #endif for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = cert->pkeys + i; CERT_PKEY *rpk = ret->pkeys + i; Loading Loading
CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -13,6 +13,11 @@ pages. This work was developed in partnership with Intel Corp. [Matt Caswell] *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is always enabled now. If you want to disable the support you should exclude it using the list of supported ciphers. [Kurt Roeckx] *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls SSL_{CTX_}set1_curves() which can set a list. [Kurt Roeckx] Loading
doc/ssl/SSL_CTX_set1_curves.pod +3 −25 Original line number Diff line number Diff line Loading @@ -3,8 +3,7 @@ =head1 NAME SSL_CTX_set1_curves, SSL_CTX_set1_curves_list, SSL_set1_curves, SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve, SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto - EC supported curve functions SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve - EC supported curve functions =head1 SYNOPSIS Loading @@ -19,9 +18,6 @@ SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto - EC supported curve functions int SSL_get1_curves(SSL *ssl, int *curves); int SSL_get_shared_curve(SSL *s, int n); int SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int onoff); int SSL_set_ecdh_auto(SSL *s, int onoff); =head1 DESCRIPTION SSL_CTX_set1_curves() sets the supported curves for B<ctx> to B<clistlen> Loading Loading @@ -52,11 +48,6 @@ most applications will only be interested in the first shared curve so B<n> is normally set to zero. If the value B<n> is out of range, NID_undef is returned. SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() set automatic curve selection for server B<ctx> or B<ssl> to B<onoff>. If B<onoff> is 1 then the highest preference curve is automatically used for ECDH temporary keys used during key exchange. All these functions are implemented as macros. =head1 NOTES Loading 
@@ -65,23 +56,10 @@ If an application wishes to make use of several of these functions for configuration purposes either on a command line or in a file it should consider using the SSL_CONF interface instead of manually parsing options. The functions SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() can be used to make a server always choose the most appropriate curve for a client. If set it will override any temporary ECDH parameters set by a server. Previous versions of OpenSSL could effectively only use a single ECDH curve set using a function such as SSL_CTX_set_ecdh_tmp(). Newer applications should just call: SSL_CTX_set_ecdh_auto(ctx, 1); and they will automatically support ECDH using the most appropriate shared curve. =head1 RETURN VALUES SSL_CTX_set1_curves(), SSL_CTX_set1_curves_list(), SSL_set1_curves(), SSL_set1_curves_list(), SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() return 1 for success and 0 for failure. SSL_CTX_set1_curves(), SSL_CTX_set1_curves_list(), SSL_set1_curves() and SSL_set1_curves_list(), return 1 for success and 0 for failure. SSL_get1_curves() returns the number of curves, which may be zero. Loading
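--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1202,7 +1202,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTRL_SET_CURVES 91
 # define SSL_CTRL_SET_CURVES_LIST 92
 # define SSL_CTRL_GET_SHARED_CURVE 93
-# define SSL_CTRL_SET_ECDH_AUTO 94
 # define SSL_CTRL_SET_SIGALGS 97
 # define SSL_CTRL_SET_SIGALGS_LIST 98
 # define SSL_CTRL_CERT_FLAGS 99
@@ -1335,10 +1334,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 SSL_ctrl(ctx,SSL_CTRL_SET_CURVES_LIST,0,(char *)s)
 # define SSL_get_shared_curve(s, n) \
 SSL_ctrl(s,SSL_CTRL_GET_SHARED_CURVE,n,NULL)
-# define SSL_CTX_set_ecdh_auto(ctx, onoff) \
-SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
-# define SSL_set_ecdh_auto(s, onoff) \
-SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
 # define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \
 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)slist)
 # define SSL_CTX_set1_sigalgs_list(ctx, s) \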
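Review bot: Deleting `# define SSL_CTRL_SET_ECDH_AUTO 94` in the first hunk frees ctrl number 94 for reuse, but the numeric value is part of the binary interface: a library built from this tree can still receive 94 from an application compiled against the previous header, so a later definition that reuses 94 would silently bind that stale call to unrelated behaviour. Keeping the number reserved with a comment at the removed line, `/* 94 was SSL_CTRL_SET_ECDH_AUTO; do not reuse */`, costs nothing and is the usual practice for the SSL_CTRL_ table. The second hunk also removes the public SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() macros, which breaks source compatibility for every application that calls them even though the CHANGES entry says the behaviour they enabled is now always on. A compatibility stub `# define SSL_CTX_set_ecdh_auto(dummy, onoff) ((onoff) != 0)` and the matching `# define SSL_set_ecdh_auto(dummy, onoff) ((onoff) != 0)` would keep those callers building while preserving the documented 1/0 return value.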
ssl/s3_lib.c +0 −8 Original line number Diff line number Diff line Loading @@ -4256,11 +4256,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_SHARED_CURVE: return tls1_shared_curve(s, larg); # ifndef OPENSSL_NO_EC case SSL_CTRL_SET_ECDH_AUTO: s->cert->ecdh_tmp_auto = larg; return 1; # endif #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); Loading Loading @@ -4611,9 +4606,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, parg); case SSL_CTRL_SET_ECDH_AUTO: ctx->cert->ecdh_tmp_auto = larg; return 1; #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); Loading
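Review bot: With the `case SSL_CTRL_SET_ECDH_AUTO:` arms removed from ssl3_ctrl() and ssl3_ctx_ctrl(), a ctrl value of 94 arriving from a caller built against the old header now falls to the switch's default handling, which lies outside both hunks, so it is worth confirming that path reports failure rather than being mistaken for success. These hunks stop writing cert->ecdh_tmp_auto and the ssl/ssl_cert.c hunk stops copying it in ssl_cert_dup(), but neither the removal of the field from CERT nor the update of the code that reads it when choosing the temporary ECDH curve is visible in this diff; if the field still exists and is read, duplicated CERTs silently lose the setting, whereas if it is gone the consumer must now take the automatic path unconditionally. Both ssl3_ctrl() and ssl3_ctx_ctrl() start and end outside the hunks shown.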
ssl/ssl_cert.c +0 −4 Original line number Diff line number Diff line Loading @@ -231,10 +231,6 @@ CERT *ssl_cert_dup(CERT *cert) ret->dh_tmp_auto = cert->dh_tmp_auto; #endif #ifndef OPENSSL_NO_EC ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; #endif for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = cert->pkeys + i; CERT_PKEY *rpk = ret->pkeys + i; Loading