[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Tue Dec 15 11:29:22 UTC 2015 

The branch master has been updated
       via  8caab744f5698ed2b55eca20f032540f713327fd (commit)
      from  73cd6175b970fa63c9c70d769febd91f3c7b5cdd (commit)


- Log -----------------------------------------------------------------
commit 8caab744f5698ed2b55eca20f032540f713327fd
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Dec 15 10:43:44 2015 +0000

    Fix s_server problem with no-ec
    
    s_server was trying to set the ECDH curve when no-ec was defined. This also
    highlighted the fact that the -no_ecdhe option to s_server is broken, and
    doesn't make any sense any more (ECDHE is on by default and the only way it
    can be disabled is through the cipherstring). Therefore this commit removes
    the option.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES               |  3 ++-
 apps/s_apps.h         |  2 +-
 apps/s_cb.c           | 17 +----------------
 apps/s_client.c       |  2 +-
 apps/s_server.c       | 14 ++++----------
 doc/apps/s_server.pod |  6 ------
 6 files changed, 9 insertions(+), 35 deletions(-)

diff --git a/CHANGES b/CHANGES
index a7833db..39585dc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -54,7 +54,8 @@
 
   *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
      always enabled now.  If you want to disable the support you should
-     exclude it using the list of supported ciphers.
+     exclude it using the list of supported ciphers. This also means that the
+     "-no_ecdhe" option has been removed from s_server.
      [Kurt Roeckx]
 
   *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
diff --git a/apps/s_apps.h b/apps/s_apps.h
index 55dc9f1..91faf4f 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -207,7 +207,7 @@ int load_excert(SSL_EXCERT **pexc);
 void print_ssl_summary(SSL *s);
 #ifdef HEADER_SSL_H
 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
-               SSL_CTX *ctx, int no_ecdhe, int no_jpake);
+               SSL_CTX *ctx, int no_jpake);
 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
                      int crl_download);
 int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 7a4bf29..0a96166 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1195,7 +1195,7 @@ void print_ssl_summary(SSL *s)
 }
 
 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
-               SSL_CTX *ctx, int no_ecdhe, int no_jpake)
+               SSL_CTX *ctx, int no_jpake)
 {
     int i;
 
@@ -1203,9 +1203,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
     for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
         const char *flag = sk_OPENSSL_STRING_value(str, i);
         const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
-        /* If no_ecdhe or named curve already specified don't need a default. */
-        if (!no_ecdhe && strcmp(flag, "-named_curve") == 0)
-            no_ecdhe = 1;
 #ifndef OPENSSL_NO_JPAKE
         if (!no_jpake && (strcmp(flag, "-cipher") == 0)) {
             BIO_puts(bio_err, "JPAKE sets cipher to PSK\n");
@@ -1222,18 +1219,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
             return 0;
         }
     }
-    /*
-     * This is a special case to keep existing s_server functionality: if we
-     * don't have any curve specified *and* we haven't disabled ECDHE then
-     * use P-256.
-     */
-    if (!no_ecdhe) {
-        if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) {
-            BIO_puts(bio_err, "Error setting EC curve\n");
-            ERR_print_errors(bio_err);
-            return 0;
-        }
-    }
 #ifndef OPENSSL_NO_JPAKE
     if (!no_jpake) {
         if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) {
diff --git a/apps/s_client.c b/apps/s_client.c
index 5aa1adc..dbeb770 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1211,7 +1211,7 @@ int s_client_main(int argc, char **argv)
         ASYNC_init(1, 0, 0);
     }
 
-    if (!config_ctx(cctx, ssl_args, ctx, 1, jpake_secret == NULL))
+    if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL))
         goto end;
 
     if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
diff --git a/apps/s_server.c b/apps/s_server.c
index ba88bd7..698dd1c 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -804,7 +804,7 @@ typedef enum OPTION_choice {
     OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
     OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE,
     OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF,
-    OPT_QUIET, OPT_BRIEF, OPT_NO_DHE, OPT_NO_ECDHE,
+    OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
     OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
     OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
     OPT_SSL3,
@@ -949,9 +949,6 @@ OPTIONS s_server_options[] = {
 #ifndef OPENSSL_NO_DH
     {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
 #endif
-#ifndef OPENSSL_NO_EC
-    {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"},
-#endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
     {"nextprotoneg", OPT_NEXTPROTONEG, 's',
      "Set the advertised protocols for the NPN extension (comma-separated list)"},
@@ -1000,7 +997,7 @@ int s_server_main(int argc, char *argv[])
 #ifndef OPENSSL_NO_DH
     int no_dhe = 0;
 #endif
-    int no_ecdhe = 0, nocert = 0, ret = 1;
+    int nocert = 0, ret = 1;
     int noCApath = 0, noCAfile = 0;
     int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
     int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
@@ -1297,9 +1294,6 @@ int s_server_main(int argc, char *argv[])
             no_dhe = 1;
 #endif
             break;
-        case OPT_NO_ECDHE:
-            no_ecdhe = 1;
-            break;
         case OPT_NO_RESUME_EPHEMERAL:
             no_resume_ephemeral = 1;
             break;
@@ -1670,7 +1664,7 @@ int s_server_main(int argc, char *argv[])
     }
 
     ssl_ctx_add_crls(ctx, crls, 0);
-    if (!config_ctx(cctx, ssl_args, ctx, no_ecdhe, jpake_secret == NULL))
+    if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL))
         goto end;
 
     if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
@@ -1733,7 +1727,7 @@ int s_server_main(int argc, char *argv[])
         }
 
         ssl_ctx_add_crls(ctx2, crls, 0);
-        if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL))
+        if (!config_ctx(cctx, ssl_args, ctx2, jpake_secret == NULL))
             goto end;
     }
 #ifndef OPENSSL_NO_NEXTPROTONEG
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index c1a1d1a..59d600d 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -76,7 +76,6 @@ B<openssl> B<s_server>
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_dhe>]
-[B<-no_ecdhe>]
 [B<-bugs>]
 [B<-brief>]
 [B<-www>]
@@ -180,11 +179,6 @@ a static set of parameters hard coded into the s_server program will be used.
 if this option is set then no DH parameters will be loaded effectively
 disabling the ephemeral DH cipher suites.
 
-=item B<-no_ecdhe>
-
-if this option is set then no ECDH parameters will be loaded effectively
-disabling the ephemeral ECDH cipher suites.
-
 =item B<-crl_check>, B<-crl_check_all>
 
 Check the peer certificate has not been revoked by its CA.

More information about the openssl-commits mailing list