[openssl.org #3179] Feature Request: Set Preference List for EC Curves in Client

2014-06-27 Thread Stephen Henson via RT 
As indicate feature already present in OpenSSL 1.0.2, ticket resolved.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #3179] Feature Request: Set Preference List for EC Curves in Client

2013-11-24 Thread noloa...@gmail.com via RT 
ssl_prepare_clienthello_tlsext has the following in t1_lib.c around line 1690.

pref_list[] is hard coded and includes some weaker curves. For
example, pref_list[] include NID_secp160r2, which offers 80-bits of
security.

It would be nice to be able to replace the hard coded list with a list
that includes curves with 112-bits or 128-bits of security or higher.
For example, a user may want to use NID_secp224r1 or NID_secp256r1
(and above).

It looks like it would be fairly easy ot create the list by
copy/pasting and trimming exiting code:

static int my_pref_list[] =
{
NID_sect571r1, /* sect571r1 (14) */
NID_sect571k1, /* sect571k1 (13) */
NID_secp521r1, /* secp521r1 (25) */
NID_sect409k1, /* sect409k1 (11) */
NID_sect409r1, /* sect409r1 (12) */
NID_secp384r1, /* secp384r1 (24) */
NID_sect283k1, /* sect283k1 (9) */
NID_sect283r1, /* sect283r1 (10) */
NID_secp256k1, /* secp256k1 (22) */
NID_X9_62_prime256v1, /* secp256r1 (23) */
NID_sect239k1, /* sect239k1 (8) */
NID_sect233k1, /* sect233k1 (6) */
NID_sect233r1, /* sect233r1 (7) */
NID_secp224k1, /* secp224k1 (20) */
NID_secp224r1, /* secp224r1 (21) */
};

Users would need a way to wire the modified list into
ssl_prepare_clienthello_tlsext, but OpenSSL appears to lack the the
ability.

**

int ssl_prepare_clienthello_tlsext(SSL* ssl)
{
  ...
  /* Line 1690 */
  /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
  if (s-tlsext_ellipticcurvelist != NULL)
OPENSSL_free(s-tlsext_ellipticcurvelist);
  s-tlsext_ellipticcurvelist_length =
sizeof(pref_list)/sizeof(pref_list[0]) * 2;
  if ((s-tlsext_ellipticcurvelist =
   OPENSSL_malloc(s-tlsext_ellipticcurvelist_length)) == NULL)
{
  s-tlsext_ellipticcurvelist_length = 0;
  SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
  return -1;
}
  for (i = 0, j = s-tlsext_ellipticcurvelist; (unsigned int)i 
   sizeof(pref_list)/sizeof(pref_list[0]); i++)
{
  int id = tls1_ec_nid2curve_id(pref_list[i]);
  s2n(id,j);
}
...

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #3179] Feature Request: Set Preference List for EC Curves in Client

2013-11-24 Thread Stephen Henson via RT 
On Sun Nov 24 22:00:30 2013, noloa...@gmail.com wrote:
 ssl_prepare_clienthello_tlsext has the following in t1_lib.c around
 line 1690.

 pref_list[] is hard coded and includes some weaker curves. For
 example, pref_list[] include NID_secp160r2, which offers 80-bits of
 security.

 It would be nice to be able to replace the hard coded list with a list
 that includes curves with 112-bits or 128-bits of security or higher.
 For example, a user may want to use NID_secp224r1 or NID_secp256r1
 (and above).


Support for this is already in OpenSSL 1.0.2. See:

http://www.openssl.org/docs/ssl/SSL_CTX_set1_curves.html

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org