diff options
| author |   jsing <jsing@openbsd.org> | 2017-01-24 09:03:21 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2017-01-24 09:03:21 +0000 |
| commit | 67f294b8e3587e3d09e4afc14f161cec75987629 (patch) | |
| tree | 9019f18203e1d1fafdb17a46e46b0bded040c95a /lib/libssl/ssl_lib.c | |
| parent | SVM: matching i386 commit (missing host save area pa msr) (diff) | |
| download | wireguard-openbsd-67f294b8e3587e3d09e4afc14f161cec75987629.tar.xz wireguard-openbsd-67f294b8e3587e3d09e4afc14f161cec75987629.zip | |
Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.
This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.
Inspired by parts of BoringSSL and OpenSSL.
ok beck@
Diffstat (limited to 'lib/libssl/ssl_lib.c')
| -rw-r--r-- | lib/libssl/ssl_lib.c | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index b9bfd7e24df..bc04ea7f9c1 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.144 2017/01/24 01:47:22 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.145 2017/01/24 09:03:21 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -336,6 +336,34 @@ SSL_new(SSL_CTX *ctx) s->internal->tlsext_ocsp_resplen = -1; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->initial_ctx = ctx; + + if (ctx->internal->tlsext_ecpointformatlist != NULL) { + s->internal->tlsext_ecpointformatlist = + calloc(ctx->internal->tlsext_ecpointformatlist_length, + sizeof(ctx->internal->tlsext_ecpointformatlist[0])); + if (s->internal->tlsext_ecpointformatlist == NULL) + goto err; + memcpy(s->internal->tlsext_ecpointformatlist, + ctx->internal->tlsext_ecpointformatlist, + ctx->internal->tlsext_ecpointformatlist_length * + sizeof(ctx->internal->tlsext_ecpointformatlist[0])); + s->internal->tlsext_ecpointformatlist_length = + ctx->internal->tlsext_ecpointformatlist_length; + } + if (ctx->internal->tlsext_supportedgroups != NULL) { + s->internal->tlsext_supportedgroups = + calloc(ctx->internal->tlsext_supportedgroups_length, + sizeof(ctx->internal->tlsext_supportedgroups)); + if (s->internal->tlsext_supportedgroups == NULL) + goto err; + memcpy(s->internal->tlsext_supportedgroups, + ctx->internal->tlsext_supportedgroups, + ctx->internal->tlsext_supportedgroups_length * + sizeof(ctx->internal->tlsext_supportedgroups[0])); + s->internal->tlsext_supportedgroups_length = + ctx->internal->tlsext_supportedgroups_length; + } + s->internal->next_proto_negotiated = NULL; if (s->ctx->internal->alpn_client_proto_list != NULL) { @@ -534,7 +562,7 @@ SSL_free(SSL *s) free(s->tlsext_hostname); SSL_CTX_free(s->initial_ctx); free(s->internal->tlsext_ecpointformatlist); - free(s->internal->tlsext_ellipticcurvelist); + free(s->internal->tlsext_supportedgroups); if (s->internal->tlsext_ocsp_exts) sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, X509_EXTENSION_free); @@ -1998,6 +2026,9 @@ SSL_CTX_free(SSL_CTX *a) ENGINE_finish(a->internal->client_cert_engine); #endif + free(a->internal->tlsext_ecpointformatlist); + free(a->internal->tlsext_supportedgroups); + free(a->internal->alpn_client_proto_list); free(a->internal); |