authorDr. Stephen Henson <steve@openssl.org>2012-11-21 16:47:25 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-11-21 16:47:25 +0000
commit191b3f0ba9d574809b8e18e6238f54525c87b8d3 (patch)
tree4f3ad061386afa310de36f8f2e01b8048e3407c2 /apps
parent46a6cec6998b84d85240dfb99af235c8a0854a31 (diff)
only use a default curve if not already set
Diffstat (limited to 'apps')
-rw-r--r--apps/s_apps.h2
-rw-r--r--apps/s_cb.c20
-rw-r--r--apps/s_client.c2
-rw-r--r--apps/s_server.c59
4 files changed, 23 insertions, 60 deletions
diff --git a/apps/s_apps.h b/apps/s_apps.h
index ccf06a6905..30ce8830a6 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -199,5 +199,5 @@ void print_ssl_cert_checks(BIO *bio, SSL *s,
int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
- STACK_OF(OPENSSL_STRING) *str);
+ STACK_OF(OPENSSL_STRING) *str, int no_ecdhe);
#endif
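Review bot: The new `no_ecdhe` parameter on `args_ssl_call` is undocumented at its only declaration, and its name does not convey what the implementation does with it (it suppresses the default `-named_curve P-256` that `args_ssl_call` otherwise applies when no curve command was given, rather than disabling ECDHE as such). A one-line comment above the prototype would prevent callers from passing it with the wrong expectation, e.g. `/* no_ecdhe: non-zero suppresses the default named curve (P-256) that is set when none is given */`.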
diff --git a/apps/s_cb.c b/apps/s_cb.c
index a007899ae7..11b6ea5d99 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1594,7 +1594,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
}
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
- STACK_OF(OPENSSL_STRING) *str)
+ STACK_OF(OPENSSL_STRING) *str, int no_ecdhe)
{
int i;
SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
@@ -1602,6 +1602,11 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
{
const char *param = sk_OPENSSL_STRING_value(str, i);
const char *value = sk_OPENSSL_STRING_value(str, i + 1);
+ /* If no_ecdhe or named curve already specified don't need
+ * a default.
+ */
+ if (!no_ecdhe && !strcmp(param, "-named_curve"))
+ no_ecdhe = 1;
if (SSL_CONF_cmd(cctx, param, value) <= 0)
{
BIO_printf(err, "Error with command: \"%s %s\"\n",
@@ -1610,5 +1615,18 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
return 0;
}
}
+ /* This is a special case to keep existing s_server functionality:
+ * if we don't have any curve specified *and* we haven't disabled
+ * ECDHE then use P-256.
+ */
+ if (!no_ecdhe)
+ {
+ if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0)
+ {
+ BIO_puts(err, "Error setting EC curve\n");
+ ERR_print_errors(err);
+ return 0;
+ }
+ }
return 1;
}
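Review bot: The default-curve block added after the loop runs unconditionally, whereas the s_server code it replaces was compiled only under `#ifndef OPENSSL_NO_ECDH`; if the `-named_curve` command is unavailable in an ECDH-less build, `SSL_CONF_cmd` would presumably return a non-positive value here and `args_ssl_call` would fail for every caller that passes `no_ecdhe == 0`, turning a build option into a startup failure. Wrapping the new block in the same `#ifndef OPENSSL_NO_ECDH` / `#endif` guard (or treating an unrecognised-command return from `SSL_CONF_cmd` as "no default available" rather than an error) would keep the behaviour of the old code. Separately, the parameter `no_ecdhe` is overwritten inside the loop to mean "a curve was already given", which muddles its two meanings for anyone reading the header; a local such as `int need_default = !no_ecdhe;` set to 0 on `-named_curve` and tested in the final `if` keeps the caller's flag intact. The `for` header between the first and second hunk is outside the view, so whether `i` advances in steps of two and guards an odd-length stack cannot be confirmed here.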
diff --git a/apps/s_client.c b/apps/s_client.c
index f6a28540b5..3fcf7922b4 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1149,7 +1149,7 @@ bad:
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
- if (!args_ssl_call(ctx, bio_err, cctx, ssl_args))
+ if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1))
{
ERR_print_errors(bio_err);
goto end;
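Review bot: The bare literal `1` passed as the new last argument to `args_ssl_call` is opaque at the call site, and the header gives the parameter only the name `no_ecdhe`. Since passing 1 makes `args_ssl_call` skip the default `-named_curve P-256`, a trailing comment would make the intent visible where it is read, e.g. `if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1 /* no default curve */))`.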
diff --git a/apps/s_server.c b/apps/s_server.c
index 5129b002dd..03675d62e4 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -963,9 +963,6 @@ int MAIN(int argc, char *argv[])
char *vfyCApath=NULL,*vfyCAfile=NULL;
unsigned char *context = NULL;
char *dhfile = NULL;
-#ifndef OPENSSL_NO_ECDH
- char *named_curve = NULL;
-#endif
int badop=0;
int ret=1;
int build_chain = 0;
@@ -1703,7 +1700,7 @@ bad:
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
- if (!args_ssl_call(ctx, bio_err, cctx, ssl_args))
+ if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe))
goto end;
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
@@ -1769,7 +1766,7 @@ bad:
if (vpm)
SSL_CTX_set1_param(ctx2, vpm);
- if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args))
+ if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe))
goto end;
}
@@ -1823,58 +1820,6 @@ bad:
}
#endif
-#ifndef OPENSSL_NO_ECDH
- if (!no_ecdhe)
- {
- EC_KEY *ecdh=NULL;
-
- if (named_curve && strcmp(named_curve, "auto"))
- {
- int nid = EC_curve_nist2nid(named_curve);
- if (nid == NID_undef)
- nid = OBJ_sn2nid(named_curve);
- if (nid == 0)
- {
- BIO_printf(bio_err, "unknown curve name (%s)\n",
- named_curve);
- goto end;
- }
- ecdh = EC_KEY_new_by_curve_name(nid);
- if (ecdh == NULL)
- {
- BIO_printf(bio_err, "unable to create curve (%s)\n",
- named_curve);
- goto end;
- }
- }
-
- if (ecdh != NULL)
- {
- BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
- }
- else if (named_curve)
- SSL_CTX_set_ecdh_auto(ctx, 1);
- else
- {
- BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
- ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if (ecdh == NULL)
- {
- BIO_printf(bio_err, "unable to create curve (nistp256)\n");
- goto end;
- }
- }
- (void)BIO_flush(bio_s_out);
-
- SSL_CTX_set_tmp_ecdh(ctx,ecdh);
-#ifndef OPENSSL_NO_TLSEXT
- if (ctx2)
- SSL_CTX_set_tmp_ecdh(ctx2,ecdh);
-#endif
- EC_KEY_free(ecdh);
- }
-#endif
-
if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
goto end;
#ifndef OPENSSL_NO_TLSEXT
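Review bot: Passing `no_ecdhe` through to `args_ssl_call` (the two hunks at the `ctx` and `ctx2` calls) changes what `-no_ecdhe` means: the removed block skipped all temp-ECDH setup when the flag was set, including an explicitly named curve, whereas `args_ssl_call` still executes every `SSL_CONF_cmd` in `ssl_args` and uses the flag only to suppress the P-256 default, so `-no_ecdhe` combined with an explicit `-named_curve` would now presumably configure that curve. If that is intended, the `-no_ecdhe` option help and the header comment should say "no default curve" rather than implying ECDHE is disabled; if not, s_server should reject or drop a `-named_curve` argument when `no_ecdhe` is set before calling `args_ssl_call`. The deleted block also printed `Setting temp ECDH parameters` / `Using default temp ECDH parameters` on `bio_s_out`, and nothing in the new path reports which curve ends up in use, which is worth a one-line message after the `args_ssl_call` call for operators checking the server's configuration. The enclosing `MAIN` function starts and ends outside these hunks.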