This removes 'no ecdh' and renames 'ecdh curve auto' to 'ecdhe default'.
The code now uses tls_config_set_ecdhecurves(3), so it is possible to
specify multiple curves. People who specified curves in their config
need to adjust it.
OK beck@
-/* $OpenBSD: config.c,v 1.34 2017/11/27 21:06:26 claudio Exp $ */
+/* $OpenBSD: config.c,v 1.35 2017/11/27 23:21:16 claudio Exp $ */
/*
* Copyright (c) 2011 - 2014 Reyk Floeter <reyk@openbsd.org>
(void)strlcpy(env->sc_proto_default.tlsciphers,
TLSCIPHERS_DEFAULT,
sizeof(env->sc_proto_default.tlsciphers));
- (void)strlcpy(env->sc_proto_default.tlsecdhcurve,
- TLSECDHCURVE_DEFAULT,
- sizeof(env->sc_proto_default.tlsecdhcurve));
+ (void)strlcpy(env->sc_proto_default.tlsecdhecurves,
+ TLSECDHECURVES_DEFAULT,
+ sizeof(env->sc_proto_default.tlsecdhecurves));
(void)strlcpy(env->sc_proto_default.tlsdhparams,
TLSDHPARAM_DEFAULT,
sizeof(env->sc_proto_default.tlsdhparams));
-/* $OpenBSD: parse.y,v 1.219 2017/11/27 21:06:26 claudio Exp $ */
+/* $OpenBSD: parse.y,v 1.220 2017/11/27 23:21:16 claudio Exp $ */
/*
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
%token RESPONSE RETRY QUICK RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND SESSION
%token SNMP SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT TLS
%token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
-%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDH
-%token EDH CURVE TICKETS
+%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
+%token EDH TICKETS
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> hostname interface table value optstring
TAILQ_INIT(&p->rules);
(void)strlcpy(p->tlsciphers, TLSCIPHERS_DEFAULT,
sizeof(p->tlsciphers));
- (void)strlcpy(p->tlsecdhcurve, TLSECDHCURVE_DEFAULT,
- sizeof(p->tlsecdhcurve));
+ (void)strlcpy(p->tlsecdhecurves, TLSECDHECURVES_DEFAULT,
+ sizeof(p->tlsecdhecurves));
(void)strlcpy(p->tlsdhparams, TLSDHPARAM_DEFAULT,
sizeof(p->tlsdhparams));
if (last_proto_id == INT_MAX) {
}
free($3);
}
- | NO ECDH {
- (void)strlcpy(proto->tlsecdhcurve, "none",
- sizeof(proto->tlsecdhcurve));
- }
- | ECDH {
- (void)strlcpy(proto->tlsecdhcurve, "auto",
- sizeof(proto->tlsecdhcurve));
- }
- | ECDH CURVE STRING {
+ | ECDHE STRING {
struct tls_config *tls_cfg;
if ((tls_cfg = tls_config_new()) == NULL) {
yyerror("tls_config_new failed");
- free($3);
+ free($2);
YYERROR;
}
- if (tls_config_set_ecdhecurve(tls_cfg, $3) != 0) {
- yyerror("tls ecdh curve %s: %s", $3,
+ if (tls_config_set_ecdhecurves(tls_cfg, $2) != 0) {
+ yyerror("tls ecdhe %s: %s", $2,
tls_config_error(tls_cfg));
tls_config_free(tls_cfg);
- free($3);
+ free($2);
YYERROR;
}
tls_config_free(tls_cfg);
- if (strlcpy(proto->tlsecdhcurve, $3,
- sizeof(proto->tlsecdhcurve)) >=
- sizeof(proto->tlsecdhcurve)) {
- yyerror("tls ecdh truncated");
- free($3);
+ if (strlcpy(proto->tlsecdhecurves, $2,
+ sizeof(proto->tlsecdhecurves)) >=
+ sizeof(proto->tlsecdhecurves)) {
+ yyerror("tls ecdhe curves truncated");
+ free($2);
YYERROR;
}
- free($3);
+ free($2);
}
| CA FILENAME STRING {
if (strlcpy(proto->tlsca, $3,
{ "ciphers", CIPHERS },
{ "code", CODE },
{ "cookie", COOKIE },
- { "curve", CURVE },
{ "demote", DEMOTE },
{ "destination", DESTINATION },
{ "digest", DIGEST },
{ "disable", DISABLE },
- { "ecdh", ECDH },
+ { "ecdhe", ECDHE },
{ "edh", EDH },
{ "error", ERROR },
{ "expect", EXPECT },
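Review bot: The `| ECDHE STRING {` action creates a throwaway tls_config solely to validate `$2` and frees it again, and nothing in the hunk says why; relay.c applies the same string again at startup, so a reader may take the extra allocation for wasted work. A one-line comment above `tls_config_new()` would carry the intent, presumably `/* validate the curve list at parse time so a bad value is rejected by the config check, not at relay startup */` — hedged, since the relay.c call is the only other use visible here. Dropping the `NO ECDH` and bare `ECDH` alternatives also means an existing `no ecdh` or `ecdh` line now fails with a generic syntax error, while the commit message only mentions adjusting curve names; a sentence naming the removed keywords would help operators upgrading. The enclosing grammar rule starts and ends outside the hunk.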
-/* $OpenBSD: relay.c,v 1.232 2017/11/27 23:04:26 claudio Exp $ */
+/* $OpenBSD: relay.c,v 1.233 2017/11/27 23:21:16 claudio Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
sizeof(env->sc_ticket.tt_key));
}
- if (tls_config_set_ecdhecurve(tls_cfg, proto->tlsecdhcurve) != 0) {
- log_warnx("failed to set ecdh curve %s: %s",
- proto->tlsecdhcurve, tls_config_error(tls_cfg));
+ if (tls_config_set_ecdhecurves(tls_cfg, proto->tlsecdhecurves) != 0) {
+ log_warnx("failed to set ecdhe curves %s: %s",
+ proto->tlsecdhecurves, tls_config_error(tls_cfg));
return (-1);
}
-.\" $OpenBSD: relayd.conf.5,v 1.179 2017/11/15 19:03:26 benno Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.180 2017/11/27 23:21:16 claudio Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: November 15 2017 $
+.Dd $Mdocdate: November 27 2017 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
To mitigate a potential DoS risk,
the default is
.Ic no client-renegotiation .
-.It Ic ecdh Op Ic curve Ar name
-Set a named curve to use when generating EC keys for ECDHE-based
-cipher suites with Perfect Forward Secrecy (PFS).
-If the curve
-.Ar name
-is not specified, the default curve
-.Cm prime256v1
-will be used.
-ECDHE is enabled by default,
-but can be disabled using
-.Ic no ecdh .
+.It Ic ecdhe Ar curves
+Specify a comma separated list of elliptic curves to use for ECDHE cipher
+suites, in order of preference.
+The special value of "default" will use the default curves; see
+.Xr tls_config_set_ecdhecurves 3
+for further details.
.It Ic edh Op Ic params Ar maximum
Enable EDH-based cipher suites with Perfect Forward Secrecy (PFS) for
older clients that do not support ECDHE.
-/* $OpenBSD: relayd.h,v 1.244 2017/11/27 21:06:26 claudio Exp $ */
+/* $OpenBSD: relayd.h,v 1.245 2017/11/27 23:21:16 claudio Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
"\06cipher-server-preference\07client-renegotiation"
#define TLSCIPHERS_DEFAULT "HIGH:!aNULL"
-#define TLSECDHCURVE_DEFAULT "auto"
+#define TLSECDHECURVES_DEFAULT "default"
#define TLSDHPARAM_DEFAULT "none"
struct relay_ticket_key {
u_int8_t tlsflags;
char tlsciphers[768];
char tlsdhparams[128];
- char tlsecdhcurve[128];
+ char tlsecdhecurves[128];
char tlsca[PATH_MAX];
char tlscacert[PATH_MAX];
char tlscakey[PATH_MAX];
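Review bot: `char tlsecdhecurves[128];` now holds a comma separated list rather than a single curve name, but the field carries no note of that or of the 128-byte limit; the parse.y hunk in this commit rejects values that do not fit with "tls ecdhe curves truncated", so an operator listing many curves hits that limit with no hint from the header. A comment on the field, `char tlsecdhecurves[128]; /* comma separated curve list, or "default"; parse.y rejects values that overflow */`, documents the contract, and the size is worth reconsidering if long lists are expected. The struct that holds these fields starts outside the hunk.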