Adapt the changes Joel Sing did to httpd a while ago to move to
tls_config_set_ecdhecurves() to relayd.
This removes and changes the ecdhe config in relayd.conf but I assume not
many people are setting non default values there anyway. With this diff
multiple curves can be selected instead of just one.

-- 
:wq Claudio

Index: config.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/config.c,v
retrieving revision 1.33
diff -u -p -r1.33 config.c
--- config.c    14 Sep 2017 08:59:54 -0000      1.33
+++ config.c    27 Nov 2017 21:42:10 -0000
@@ -100,9 +100,9 @@ config_init(struct relayd *env)
                (void)strlcpy(env->sc_proto_default.tlsciphers,
                    TLSCIPHERS_DEFAULT,
                    sizeof(env->sc_proto_default.tlsciphers));
-               (void)strlcpy(env->sc_proto_default.tlsecdhcurve,
-                   TLSECDHCURVE_DEFAULT,
-                   sizeof(env->sc_proto_default.tlsecdhcurve));
+               (void)strlcpy(env->sc_proto_default.tlsecdhecurves,
+                   TLSECDHECURVES_DEFAULT,
+                   sizeof(env->sc_proto_default.tlsecdhecurves));
                (void)strlcpy(env->sc_proto_default.tlsdhparams,
                    TLSDHPARAM_DEFAULT,
                    sizeof(env->sc_proto_default.tlsdhparams));
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.218
diff -u -p -r1.218 parse.y
--- parse.y     16 Nov 2017 14:24:34 -0000      1.218
+++ parse.y     27 Nov 2017 21:43:18 -0000
@@ -171,8 +171,8 @@ typedef struct {
 %token RESPONSE RETRY QUICK RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND SESSION
 %token SNMP SOCKET SPLICE SSL STICKYADDR STYLE TABLE TAG TAGGED TCP TIMEOUT TLS
 %token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE
-%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDH
-%token EDH CURVE TICKETS
+%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
+%token EDH TICKETS
 %token <v.string>      STRING
 %token  <v.number>     NUMBER
 %type  <v.string>      hostname interface table value optstring
@@ -1006,8 +1006,8 @@ proto             : relay_proto PROTO STRING      {
                        TAILQ_INIT(&p->rules);
                        (void)strlcpy(p->tlsciphers, TLSCIPHERS_DEFAULT,
                            sizeof(p->tlsciphers));
-                       (void)strlcpy(p->tlsecdhcurve, TLSECDHCURVE_DEFAULT,
-                           sizeof(p->tlsecdhcurve));
+                       (void)strlcpy(p->tlsecdhecurves, TLSECDHECURVES_DEFAULT,
+                           sizeof(p->tlsecdhecurves));
                        (void)strlcpy(p->tlsdhparams, TLSDHPARAM_DEFAULT,
                            sizeof(p->tlsdhparams));
                        if (last_proto_id == INT_MAX) {
@@ -1161,37 +1161,29 @@ tlsflags        : SESSION TICKETS { proto->tick
                        }
                        free($3);
                }
-               | NO ECDH                       {
-                       (void)strlcpy(proto->tlsecdhcurve, "none",
-                           sizeof(proto->tlsecdhcurve));
-               }
-               | ECDH                  {
-                       (void)strlcpy(proto->tlsecdhcurve, "auto",
-                           sizeof(proto->tlsecdhcurve));
-               }
-               | ECDH CURVE STRING                     {
+               | ECDHE STRING                  {
                        struct tls_config       *tls_cfg;
                        if ((tls_cfg = tls_config_new()) == NULL) {
                                yyerror("tls_config_new failed");
-                               free($3);
+                               free($2);
                                YYERROR;
                        }
-                       if (tls_config_set_ecdhecurve(tls_cfg, $3) != 0) {
-                               yyerror("tls ecdh curve %s: %s", $3,
+                       if (tls_config_set_ecdhecurves(tls_cfg, $2) != 0) {
+                               yyerror("tls ecdhe %s: %s", $2,
                                    tls_config_error(tls_cfg));
                                tls_config_free(tls_cfg);
-                               free($3);
+                               free($2);
                                YYERROR;
                        }
                        tls_config_free(tls_cfg);
-                       if (strlcpy(proto->tlsecdhcurve, $3,
-                           sizeof(proto->tlsecdhcurve)) >=
-                           sizeof(proto->tlsecdhcurve)) {
-                               yyerror("tls ecdh truncated");
-                               free($3);
+                       if (strlcpy(proto->tlsecdhecurves, $2,
+                           sizeof(proto->tlsecdhecurves)) >=
+                           sizeof(proto->tlsecdhecurves)) {
+                               yyerror("tls ecdhe curves truncated");
+                               free($2);
                                YYERROR;
                        }
-                       free($3);
+                       free($2);
                }
                | CA FILENAME STRING            {
                        if (strlcpy(proto->tlsca, $3,
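Review bot: The rewritten alternative drops the `NO ECDH` and bare `ECDH` forms without a replacement, so a relayd.conf that still contains `no ecdh`, `ecdh` or `ecdh curve NAME` now fails with a generic syntax error rather than a hint, and there is no longer any way to turn ECDHE off; the man page hunk in this diff documents `default` as the only special value. If that is the intent, a short comment above the rule such as `/* replaces ecdh / no ecdh / ecdh curve NAME; "default" is the only special value */` would help anyone hitting the parse error. Validating `$2` at parse time through a scratch tls_config before copying it into `proto->tlsecdhecurves` is a good choice, since a bad list is reported before the relay processes start. The enclosing `tlsflags` rule starts and continues outside this hunk.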
@@ -2223,12 +2215,11 @@ lookup(char *s)
                { "ciphers",            CIPHERS },
                { "code",               CODE },
                { "cookie",             COOKIE },
-               { "curve",              CURVE },
                { "demote",             DEMOTE },
                { "destination",        DESTINATION },
                { "digest",             DIGEST },
                { "disable",            DISABLE },
-               { "ecdh",               ECDH },
+               { "ecdhe",              ECDHE },
                { "edh",                EDH },
                { "error",              ERROR },
                { "expect",             EXPECT },
Index: relay.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.229
diff -u -p -r1.229 relay.c
--- relay.c     27 Nov 2017 17:35:49 -0000      1.229
+++ relay.c     27 Nov 2017 21:43:46 -0000
@@ -2009,9 +2009,9 @@ relay_tls_ctx_create_proto(struct protoc
                    sizeof(env->sc_ticket.tt_key));
        }
 
-       if (tls_config_set_ecdhecurve(tls_cfg, proto->tlsecdhcurve) != 0) {
-               log_warnx("failed to set ecdh curve %s: %s",
-                   proto->tlsecdhcurve, tls_config_error(tls_cfg));
+       if (tls_config_set_ecdhecurves(tls_cfg, proto->tlsecdhecurves) != 0) {
+               log_warnx("failed to set ecdhe curves %s: %s",
+                   proto->tlsecdhecurves, tls_config_error(tls_cfg));
                return (-1);
        }
 
Index: relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.179
diff -u -p -r1.179 relayd.conf.5
--- relayd.conf.5       15 Nov 2017 19:03:26 -0000      1.179
+++ relayd.conf.5       27 Nov 2017 21:45:51 -0000
@@ -932,17 +932,12 @@ Allow client-initiated renegotiation.
 To mitigate a potential DoS risk,
 the default is
 .Ic no client-renegotiation .
-.It Ic ecdh Op Ic curve Ar name
-Set a named curve to use when generating EC keys for ECDHE-based
-cipher suites with Perfect Forward Secrecy (PFS).
-If the curve
-.Ar name
-is not specified, the default curve
-.Cm prime256v1
-will be used.
-ECDHE is enabled by default,
-but can be disabled using
-.Ic no ecdh .
+.It Ic ecdhe Ar curves
+Specify a comma separated list of elliptic curves to use for ECDHE cipher
+suites, in order of preference.
+The special value of "default" will use the default curves; see
+.Xr tls_config_set_ecdhecurves 3
+for further details.
 .It Ic edh Op Ic params Ar maximum
 Enable EDH-based cipher suites with Perfect Forward Secrecy (PFS) for
 older clients that do not support ECDHE.
Index: relayd.h
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v
retrieving revision 1.243
diff -u -p -r1.243 relayd.h
--- relayd.h    15 Nov 2017 19:03:26 -0000      1.243
+++ relayd.h    27 Nov 2017 21:42:31 -0000
@@ -682,7 +682,7 @@ TAILQ_HEAD(relay_rules, relay_rule);
        "\06cipher-server-preference\07client-renegotiation"
 
 #define TLSCIPHERS_DEFAULT     "HIGH:!aNULL"
-#define TLSECDHCURVE_DEFAULT   "auto"
+#define TLSECDHECURVES_DEFAULT "default"
 #define TLSDHPARAM_DEFAULT     "none"
 
 struct relay_ticket_key {
@@ -703,7 +703,7 @@ struct protocol {
        u_int8_t                 tlsflags;
        char                     tlsciphers[768];
        char                     tlsdhparams[128];
-       char                     tlsecdhcurve[128];
+       char                     tlsecdhecurves[128];
        char                     tlsca[PATH_MAX];
        char                     tlscacert[PATH_MAX];
        char                     tlscakey[PATH_MAX];
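Review bot: `tlsecdhecurves[128]` keeps the buffer size of the old single-curve field although it now holds a comma-separated list; the strlcpy length check added in parse.y rejects longer lists with a clear error, so this is a documented limit rather than a defect, but the field should say so, e.g. `char tlsecdhecurves[128]; /* comma-separated curve list, see ecdhe in relayd.conf.5 */`. The `struct protocol` definition starts outside this hunk.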
