From 8caab744f5698ed2b55eca20f032540f713327fd Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 15 Dec 2015 10:43:44 +0000 Subject: Fix s_server problem with no-ec s_server was trying to set the ECDH curve when no-ec was defined. This also highlighted the fact that the -no_ecdhe option to s_server is broken, and doesn't make any sense any more (ECDHE is on by default and the only way it can be disabled is through the cipherstring). Therefore this commit removes the option. Reviewed-by: Kurt Roeckx --- apps/s_apps.h | 2 +- apps/s_cb.c | 17 +---------------- apps/s_client.c | 2 +- apps/s_server.c | 14 ++++---------- 4 files changed, 7 insertions(+), 28 deletions(-) (limited to 'apps') diff --git a/apps/s_apps.h b/apps/s_apps.h index 55dc9f1ffc..91faf4fe12 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -207,7 +207,7 @@ int load_excert(SSL_EXCERT **pexc); void print_ssl_summary(SSL *s); #ifdef HEADER_SSL_H int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, - SSL_CTX *ctx, int no_ecdhe, int no_jpake); + SSL_CTX *ctx, int no_jpake); int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download); int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, diff --git a/apps/s_cb.c b/apps/s_cb.c index 7a4bf297cc..0a9616655f 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1195,7 +1195,7 @@ void print_ssl_summary(SSL *s) } int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, - SSL_CTX *ctx, int no_ecdhe, int no_jpake) + SSL_CTX *ctx, int no_jpake) { int i; @@ -1203,9 +1203,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) { const char *flag = sk_OPENSSL_STRING_value(str, i); const char *arg = sk_OPENSSL_STRING_value(str, i + 1); - /* If no_ecdhe or named curve already specified don't need a default. */ - if (!no_ecdhe && strcmp(flag, "-named_curve") == 0) - no_ecdhe = 1; #ifndef OPENSSL_NO_JPAKE if (!no_jpake && (strcmp(flag, "-cipher") == 0)) { BIO_puts(bio_err, "JPAKE sets cipher to PSK\n"); @@ -1222,18 +1219,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, return 0; } } - /* - * This is a special case to keep existing s_server functionality: if we - * don't have any curve specified *and* we haven't disabled ECDHE then - * use P-256. - */ - if (!no_ecdhe) { - if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) { - BIO_puts(bio_err, "Error setting EC curve\n"); - ERR_print_errors(bio_err); - return 0; - } - } #ifndef OPENSSL_NO_JPAKE if (!no_jpake) { if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) { diff --git a/apps/s_client.c b/apps/s_client.c index 5aa1adc51e..dbeb770f59 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1211,7 +1211,7 @@ int s_client_main(int argc, char **argv) ASYNC_init(1, 0, 0); } - if (!config_ctx(cctx, ssl_args, ctx, 1, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, diff --git a/apps/s_server.c b/apps/s_server.c index ba88bd702a..698dd1c73b 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -804,7 +804,7 @@ typedef enum OPTION_choice { OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, - OPT_QUIET, OPT_BRIEF, OPT_NO_DHE, OPT_NO_ECDHE, + OPT_QUIET, OPT_BRIEF, OPT_NO_DHE, OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE, OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL3, @@ -949,9 +949,6 @@ OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_DH {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"}, #endif -#ifndef OPENSSL_NO_EC - {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"}, -#endif #ifndef OPENSSL_NO_NEXTPROTONEG {"nextprotoneg", OPT_NEXTPROTONEG, 's', "Set the advertised protocols for the NPN extension (comma-separated list)"}, @@ -1000,7 +997,7 @@ int s_server_main(int argc, char *argv[]) #ifndef OPENSSL_NO_DH int no_dhe = 0; #endif - int no_ecdhe = 0, nocert = 0, ret = 1; + int nocert = 0, ret = 1; int noCApath = 0, noCAfile = 0; int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; @@ -1297,9 +1294,6 @@ int s_server_main(int argc, char *argv[]) no_dhe = 1; #endif break; - case OPT_NO_ECDHE: - no_ecdhe = 1; - break; case OPT_NO_RESUME_EPHEMERAL: no_resume_ephemeral = 1; break; @@ -1670,7 +1664,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx, no_ecdhe, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, @@ -1733,7 +1727,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx2, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx2, jpake_secret == NULL)) goto end; } #ifndef OPENSSL_NO_NEXTPROTONEG -- cgit v1.2.3