Hello,
Someone asked about selectable curves in the OpenSMTPD portable tracker,
and it turns out I had a diff for that among a few others.
The diff below adds support for the curves keyword in listener and relay
directives,
allowing to specify a curve string suitable for tls_config_set_ecdhecurves(3)
in the
same way ciphers were made selectable.
I also have a couple other diffs which I'll clean and send.
Index: mta.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/mta.c,v
retrieving revision 1.245
diff -u -p -u -p -r1.245 mta.c
--- mta.c 31 May 2023 16:51:46 -0000 1.245
+++ mta.c 12 Aug 2023 14:20:21 -0000
@@ -476,6 +476,7 @@ mta_setup_dispatcher(struct dispatcher *
struct pki *pki;
struct ca *ca;
const char *ciphers;
+ const char *curves;
uint32_t protos;
if (dispatcher->type != DISPATCHER_REMOTE)
@@ -490,6 +491,12 @@ mta_setup_dispatcher(struct dispatcher *
if (remote->tls_ciphers)
ciphers = remote->tls_ciphers;
if (ciphers && tls_config_set_ciphers(config, ciphers) == -1)
+ fatalx("%s", tls_config_error(config));
+
+ curves = env->sc_tls_curves;
+ if (remote->tls_curves)
+ curves = remote->tls_curves;
+ if (curves && tls_config_set_ecdhecurves(config, curves) == -1)
fatalx("%s", tls_config_error(config));
if (remote->tls_protocols) {
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.292
diff -u -p -u -p -r1.292 parse.y
--- parse.y 10 May 2023 07:19:49 -0000 1.292
+++ parse.y 12 Aug 2023 14:20:21 -0000
@@ -125,6 +125,7 @@ static struct listen_opts {
char *pki[PKI_MAX];
int pkicount;
char *tls_ciphers;
+ char *tls_curves;
char *tls_protocols;
char *ca;
uint16_t auth;
@@ -166,7 +167,7 @@ typedef struct {
%token ACTION ADMD ALIAS ANY ARROW AUTH AUTH_OPTIONAL
%token BACKUP BOUNCE BYPASS
-%token CA CERT CHAIN CHROOT CIPHERS COMMIT COMPRESSION CONNECT
+%token CA CERT CHAIN CHROOT CIPHERS COMMIT COMPRESSION CONNECT CURVES
%token DATA DATA_LINE DHE DISCONNECT DOMAIN
%token EHLO ENABLE ENCRYPTION ERROR EXPAND_ONLY
%token FCRDNS FILTER FOR FORWARD_ONLY FROM
@@ -527,6 +528,9 @@ SMTP LIMIT limits_smtp
| SMTP CIPHERS STRING {
conf->sc_tls_ciphers = $3;
}
+| SMTP CURVES STRING {
+ conf->sc_tls_curves = $3;
+}
| SMTP MAX_MESSAGE_SIZE size {
conf->sc_maxsize = $3;
}
@@ -765,6 +769,14 @@ HELO STRING {
dsp->u.remote.tls_ciphers = $2;
}
+| CURVES STRING {
+ if (dsp->u.remote.tls_curves) {
+ yyerror("curves already specified for this dispatcher");
+ YYERROR;
+ }
+
+ dsp->u.remote.tls_curves = $2;
+}
| PROTOCOLS STRING {
if (dsp->u.remote.tls_protocols) {
yyerror("protocols already specified for this dispatcher");
@@ -2329,6 +2341,13 @@ opt_if_listen : INET4 {
}
listen_opts.tls_ciphers = $2;
}
+ | CURVES STRING {
+ if (listen_opts.tls_curves) {
+ yyerror("curves already specified");
+ YYERROR;
+ }
+ listen_opts.tls_curves = $2;
+ }
| PROTOCOLS STRING {
if (listen_opts.tls_protocols) {
yyerror("protocols already specified");
@@ -2657,6 +2676,7 @@ lookup(char *s)
{ "commit", COMMIT },
{ "compression", COMPRESSION },
{ "connect", CONNECT },
+ { "curves", CURVES },
{ "data", DATA },
{ "data-line", DATA_LINE },
{ "dhe", DHE },
@@ -3251,6 +3271,11 @@ create_if_listener(struct listen_opts *l
if (lo->pkicount == 0 && lo->ssl)
fatalx("invalid listen option: pki required for tls/smtps");
+ if (lo->tls_ciphers && !lo->ssl)
+ fatalx("invalid listen option: ciphers requires tls/smtps");
+ if (lo->tls_curves && !lo->ssl)
+ fatalx("invalid listen option: curves requires tls/smtps");
+
flags = lo->flags;
if (lo->port) {
@@ -3324,6 +3349,11 @@ config_listener(struct listener *h, str
fatal("strdup");
}
+ if (lo->tls_curves != NULL &&
+ (h->tls_curves = strdup(lo->tls_curves)) == NULL) {
+ fatal("strdup");
+ }
+
if (lo->tls_protocols != NULL &&
(h->tls_protocols = strdup(lo->tls_protocols)) == NULL) {
fatal("strdup");
@@ -3356,7 +3386,7 @@ config_listener(struct listener *h, str
if (lo->ssl & F_STARTTLS_REQUIRE)
h->flags |= F_STARTTLS_REQUIRE;
-
+
if (h != conf->sc_sock_listener)
TAILQ_INSERT_TAIL(conf->sc_listeners, h, entry);
}
Index: smtp.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtp.c,v
retrieving revision 1.174
diff -u -p -u -p -r1.174 smtp.c
--- smtp.c 16 May 2023 17:48:52 -0000 1.174
+++ smtp.c 12 Aug 2023 14:20:21 -0000
@@ -154,6 +154,7 @@ smtp_setup_listener_tls(struct listener
static const char *dheparams[] = { "none", "auto", "legacy" };
struct tls_config *config;
const char *ciphers;
+ const char *curves;
uint32_t protos;
struct pki *pki;
struct ca *ca;
@@ -166,6 +167,12 @@ smtp_setup_listener_tls(struct listener
if (l->tls_ciphers)
ciphers = l->tls_ciphers;
if (ciphers && tls_config_set_ciphers(config, ciphers) == -1)
+ fatalx("%s", tls_config_error(config));
+
+ curves = env->sc_tls_curves;
+ if (l->tls_curves)
+ curves = l->tls_curves;
+ if (curves && tls_config_set_ecdhecurves(config, curves) == -1)
fatalx("%s", tls_config_error(config));
if (l->tls_protocols) {
Index: smtpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.265
diff -u -p -u -p -r1.265 smtpd.conf.5
--- smtpd.conf.5 19 May 2023 15:18:06 -0000 1.265
+++ smtpd.conf.5 12 Aug 2023 14:20:21 -0000
@@ -312,6 +312,12 @@ Refer to the
.Xr tls_config_set_ciphers 3
manpage for the format of
.Ar cipherstr .
+.It Cm curves Ar curvestr
+Define the list of curves that may be used for ECDHE key exchange.
+Refer to the
+.Xr tls_config_set_ecdhecurves 3
+manpage for the format of
+.Ar curvestr .
.It Cm auth Pf < Ar table Ns >
Use the mapping
.Ar table
@@ -545,6 +551,12 @@ Refer to the
.Xr tls_config_set_ciphers 3
manpage for the format of
.Ar cipherstr .
+.It Cm curves Ar curvestr
+Define the list of curves that may be used for ECDHE key exchange.
+Refer to the
+.Xr tls_config_set_ecdhecurves 3
+manpage for the format of
+.Ar curvestr .
.El
.It Ic listen on Cm socket Op Ar options
Listen for incoming SMTP connections on the Unix domain socket
Index: smtpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.h,v
retrieving revision 1.677
diff -u -p -u -p -r1.677 smtpd.h
--- smtpd.h 17 Jun 2023 08:32:48 -0000 1.677
+++ smtpd.h 12 Aug 2023 14:20:21 -0000
@@ -538,6 +538,7 @@ struct listener {
char *tls_protocols;
char *tls_ciphers;
+ char *tls_curves;
struct tls *tls;
struct pki **pki;
int pkicount;
@@ -617,6 +618,7 @@ struct smtpd {
struct dict *sc_limits_dict;
char *sc_tls_ciphers;
+ char *sc_tls_curves;
char *sc_subaddressing_delim;
@@ -1189,6 +1191,7 @@ struct dispatcher_remote {
int tls_verify;
char *tls_protocols;
char *tls_ciphers;
+ char *tls_curves;
int backup;
char *backupmx;
