authorDr. Stephen Henson <steve@openssl.org>2012-03-28 15:05:04 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-03-28 15:05:04 +0000
commitd0595f170c225b918a980f49c5d16ec53545a6ad (patch)
tree113824b5df10b6a23f08061dbfaf9e268218bc10 /apps
parent751e26cb9b5ca46d0db4e7d9b71e215ece496223 (diff)
downloadopenssl-d0595f170c225b918a980f49c5d16ec53545a6ad.tar.gz
Initial revision of ECC extension handling.
Tidy some code up. Don't allocate a structure to handle ECC extensions when it is used for default values. Make supported curves configurable. Add ctrls to retrieve shared curves: not fully integrated with rest of ECC code yet.
Diffstat (limited to 'apps')
-rw-r--r--apps/s_cb.c23
-rw-r--r--apps/s_client.c12
-rw-r--r--apps/s_server.c24
3 files changed, 53 insertions, 6 deletions
diff --git a/apps/s_cb.c b/apps/s_cb.c
index eab0a08038..141c222895 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -316,18 +316,17 @@ int ssl_print_sigalgs(BIO *out, SSL *s)
int ssl_print_curves(BIO *out, SSL *s)
{
- int i, ncurves, *curves;
- ncurves = SSL_get1_curvelist(s, NULL);
+ int i, ncurves, *curves, nid;
+ const char *cname;
+ ncurves = SSL_get1_curves(s, NULL);
if (ncurves <= 0)
return 1;
curves = OPENSSL_malloc(ncurves * sizeof(int));
- SSL_get1_curvelist(s, curves);
+ SSL_get1_curves(s, curves);
BIO_puts(out, "Supported Elliptic Curves: ");
for (i = 0; i < ncurves; i++)
{
- int nid;
- const char *cname;
if (i)
BIO_puts(out, ":");
nid = curves[i];
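Review bot: The buffer returned by `OPENSSL_malloc(ncurves * sizeof(int))` is passed to the renamed `SSL_get1_curves(s, curves)` call and then indexed in the loop without a NULL check, so an allocation failure would be written through and read from. Since this hunk already touches the call, a guard such as `if (!curves) return 0;` directly after the allocation would close that gap. Which value to return on failure depends on how callers treat the result, which is not visible here. The loop body continues past the end of this hunk.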
@@ -343,8 +342,20 @@ int ssl_print_curves(BIO *out, SSL *s)
BIO_printf(out, "%s", cname);
}
}
- BIO_puts(out, "\n");
+ BIO_puts(out, "\nShared Elliptic curves: ");
OPENSSL_free(curves);
+ ncurves = SSL_get_shared_curve(s, -1);
+ for (i = 0; i < ncurves; i++)
+ {
+ if (i)
+ BIO_puts(out, ":");
+ nid = SSL_get_shared_curve(s, i);
+ cname = EC_curve_nid2nist(nid);
+ if (!cname)
+ cname = OBJ_nid2sn(nid);
+ BIO_printf(out, "%s", cname);
+ }
+ BIO_puts(out, "\n");
return 1;
}
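Review bot: In the new shared-curves loop, `cname` can still be NULL when neither `EC_curve_nid2nist(nid)` nor `OBJ_nid2sn(nid)` recognises the value returned by `SSL_get_shared_curve(s, i)`, and it is then passed straight to `BIO_printf(out, "%s", cname)`. The two closing braces at the top of this hunk suggest the first loop wraps its print in an extra branch that the new loop does not mirror. A fallback such as `if (!cname) cname = "UNKNOWN";` before the print would keep the output well defined. When `SSL_get_shared_curve(s, -1)` returns zero or a negative value, the label is printed with nothing after it, so an explicit `NONE` would be easier to read. The label also reads `Shared Elliptic curves` against `Supported Elliptic Curves` a few lines earlier.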
diff --git a/apps/s_client.c b/apps/s_client.c
index 6870368ff1..55facead51 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -601,6 +601,7 @@ int MAIN(int argc, char **argv)
#endif
#ifndef OPENSSL_NO_TLSEXT
char *servername = NULL;
+ char *curves=NULL;
tlsextctx tlsextcbp =
{NULL,0};
# ifndef OPENSSL_NO_NEXTPROTONEG
@@ -937,6 +938,11 @@ int MAIN(int argc, char **argv)
servername= *(++argv);
/* meth=TLSv1_client_method(); */
}
+ else if (strcmp(*argv,"-curves") == 0)
+ {
+ if (--argc < 1) goto bad;
+ curves= *(++argv);
+ }
#endif
#ifndef OPENSSL_NO_JPAKE
else if (strcmp(*argv,"-jpake") == 0)
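Review bot: The new `-curves` option takes an argument, but nothing in this commit documents it. The diffstat counts for s_client.c and s_server.c are fully accounted for by the hunks shown, and none of them adds help text. If these programs list their options in a usage routine (not visible here), it should gain an entry for `-curves` stating the expected format, presumably a colon-separated list of curve names to match the printed output. A short comment above the branch, e.g. `/* -curves arg: restrict the supported curves offered in the handshake */`, would also help. The same applies to the matching `-curves` branch added to s_server.c at `@@ -1174`. MAIN starts and ends outside this hunk.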
@@ -1176,6 +1182,12 @@ bad:
}
#ifndef OPENSSL_NO_TLSEXT
+ if (curves != NULL)
+ if(!SSL_CTX_set1_curves_list(ctx,curves)) {
+ BIO_printf(bio_err,"error setting curve list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
if (servername != NULL)
{
tlsextcbp.biodebug = bio_err;
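Review bot: The outer `if (curves != NULL)` has no braces around the nested `if`, and the inner block puts its brace on the same line, unlike the `if (servername != NULL)` block directly below. An unbraced outer `if` makes it easy for a later edit to attach a statement or an `else` to the wrong condition. Folding both tests into one braced condition, `if (curves != NULL && !SSL_CTX_set1_curves_list(ctx,curves))` followed by `{` on its own line, avoids that and matches the surrounding style. The message here is `error setting curve list`, while the s_server.c hunk prints `error setting curves list`; using one wording would make the error easier to search for. The enclosing function begins and ends outside this hunk.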
diff --git a/apps/s_server.c b/apps/s_server.c
index 608f3208dc..5f1bcffb91 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -273,6 +273,7 @@ static int s_server_session_id_context = 1; /* anything will do */
static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
#ifndef OPENSSL_NO_TLSEXT
static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
+static char *curves=NULL;
#endif
static char *s_dcert_file=NULL,*s_dkey_file=NULL;
#ifdef FIONBIO
@@ -437,6 +438,7 @@ static void s_server_init(void)
s_cert_file=TEST_CERT;
s_key_file=NULL;
#ifndef OPENSSL_NO_TLSEXT
+ curves=NULL;
s_cert_file2=TEST_CERT2;
s_key_file2=NULL;
ctx2=NULL;
@@ -1174,6 +1176,11 @@ int MAIN(int argc, char *argv[])
goto bad;
}
}
+ else if (strcmp(*argv,"-curves") == 0)
+ {
+ if (--argc < 1) goto bad;
+ curves= *(++argv);
+ }
#endif
else if (strcmp(*argv,"-msg") == 0)
{ s_msg=1; }
@@ -1849,6 +1856,23 @@ bad:
}
#endif
}
+#ifndef OPENSSL_NO_TLSEXT
+ if (curves)
+ {
+ if(!SSL_CTX_set1_curves_list(ctx,curves))
+ {
+ BIO_printf(bio_err,"error setting curves list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if(ctx2 && !SSL_CTX_set1_curves_list(ctx2,curves))
+ {
+ BIO_printf(bio_err,"error setting curves list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+#endif
SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
sizeof s_server_session_id_context);