From: jsing
Date: Wed, 21 Oct 2015 16:45:13 +0000 (+0000)
Subject: Use SSL_CTX_set_ecdh_auto() instead of rolling our own version.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=b2bdef47793cce8a656709b8b0dfb3ec9a9e6efb;p=openbsd

Use SSL_CTX_set_ecdh_auto() instead of rolling our own version.

ok gilles@
---
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index 96dfa66c580..e00f451f0a8 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.77 2015/10/16 21:13:33 sthen Exp $ */
+/* $OpenBSD: ssl.c,v 1.78 2015/10/21 16:45:13 jsing Exp $ */
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -90,7 +90,7 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki)
 ssl_set_ephemeral_key_exchange(ctx, dh);
 DH_free(dh);
- ssl_set_ecdh_curve(ctx, SSL_ECDH_CURVE);
+ SSL_CTX_set_ecdh_auto(ctx, 1);
 *ctxp = ctx;
 return 1;
@@ -444,31 +444,6 @@ ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh)
 }
 }
-void
-ssl_set_ecdh_curve(SSL_CTX *ctx, const char *curve)
-{
- int nid;
- EC_KEY *ecdh;
-
- if (curve == NULL)
- curve = SSL_ECDH_CURVE;
- if ((nid = OBJ_sn2nid(curve)) == 0) {
- ssl_error("ssl_set_ecdh_curve");
- fatal("ssl_set_ecdh_curve: unknown curve name "
- SSL_ECDH_CURVE);
- }
-
- if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {
- ssl_error("ssl_set_ecdh_curve");
- fatal("ssl_set_ecdh_curve: unable to create curve "
- SSL_ECDH_CURVE);
- }
-
- SSL_CTX_set_tmp_ecdh(ctx, ecdh);
- SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
- EC_KEY_free(ecdh);
-}
-
 int
 ssl_load_pkey(const void *data, size_t datalen, char *buf, off_t len,
 X509 **x509ptr, EVP_PKEY **pkeyptr)
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index 0bc82363f20..860eaca4b69 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.11 2015/01/22 09:26:05 reyk Exp $ */
+/* $OpenBSD: ssl.h,v 1.12 2015/10/21 16:45:13 jsing Exp $ */
 /*
  * Copyright (c) 2013 Gilles Chehade
 *
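Review bot: The new `SSL_CTX_set_ecdh_auto(ctx, 1)` line in ssl_setup silently drops the `SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE)` that the removed helper set next to the curve, and its return value goes unchecked where the old path called fatal() on any failure. In auto mode the library appears to select the curve and generate the ECDH key itself per handshake, so the option is most likely redundant, but that depends on the libssl this smtpd is linked against and is worth confirming rather than assuming; if a fresh key per handshake is not guaranteed there, keep the options line after the new call. Since SSL_CTX_set_ecdh_auto is a ctrl that can report failure, I would also preserve the old fail-hard behaviour: `if (SSL_CTX_set_ecdh_auto(ctx, 1) != 1) fatal("ssl_setup: SSL_CTX_set_ecdh_auto");`. ssl_setup begins and ends outside this hunk.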
@@ -16,7 +16,6 @@
 */
 #define SSL_CIPHERS "HIGH:!aNULL:!MD5"
-#define SSL_ECDH_CURVE "prime256v1"
 #define SSL_SESSION_TIMEOUT 300
 struct pki {
@@ -49,7 +48,6 @@ int ssl_cmp(struct pki *, struct pki *);
 DH *get_dh1024(void);
 DH *get_dh_from_memory(char *, size_t);
 void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *);
-void ssl_set_ecdh_curve(SSL_CTX *, const char *);
 char *ssl_load_file(const char *, off_t *, mode_t);
 char *ssl_load_key(const char *, off_t *, char *, mode_t, const char *);