===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/s_server.c,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- src/usr.bin/openssl/s_server.c	2019/10/04 09:47:34	1.32
+++ src/usr.bin/openssl/s_server.c	2020/04/19 17:05:55	1.33
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.32 2019/10/04 09:47:34 bcook Exp $ */
+/* $OpenBSD: s_server.c,v 1.33 2020/04/19 17:05:55 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -288,9 +288,6 @@
 	BIO_printf(bio_err, " -dpass arg    - second private key file pass phrase source\n");
 	BIO_printf(bio_err, " -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
 	BIO_printf(bio_err, "                 or a default set of parameters is used\n");
-	BIO_printf(bio_err, " -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \
-	    "                 Use \"openssl ecparam -list_curves\" for all names\n" \
-	    "                 (default is nistp256).\n");
 	BIO_printf(bio_err, " -nbio         - Run with non-blocking IO\n");
 	BIO_printf(bio_err, " -nbio_test    - test with the non-blocking test bio\n");
 	BIO_printf(bio_err, " -crlf         - convert LF from terminal into CRLF\n");
@@ -333,7 +330,8 @@
 	BIO_printf(bio_err, "                 not specified (default is %s)\n", TEST_CERT2);
 	BIO_printf(bio_err, " -tlsextdebug  - hex dump of all TLS extensions received\n");
 	BIO_printf(bio_err, " -no_ticket    - disable use of RFC4507bis session tickets\n");
-	BIO_printf(bio_err," -alpn arg  - set the advertised protocols for the ALPN extension (comma-separated list)\n");
+	BIO_printf(bio_err, " -alpn arg     - set the advertised protocols for the ALPN extension (comma-separated list)\n");
+	BIO_printf(bio_err, " -groups arg   - specify EC groups (colon-separated list)\n");
 #ifndef OPENSSL_NO_SRTP
 	BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
 #endif
@@ -581,6 +579,7 @@
 	X509 *s_cert2 = NULL;
 	tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
 	const char *alpn_in = NULL;
+	const char *groups_in = NULL;
 	tlsextalpnctx alpn_ctx = { NULL, 0 };
 
 	if (single_execution) {
@@ -656,13 +655,11 @@
 			if (--argc < 1)
 				goto bad;
 			dhfile = *(++argv);
-		}
-		else if (strcmp(*argv, "-named_curve") == 0) {
+		} else if (strcmp(*argv, "-named_curve") == 0) {
 			if (--argc < 1)
 				goto bad;
 			named_curve = *(++argv);
-		}
-		else if (strcmp(*argv, "-dcertform") == 0) {
+		} else if (strcmp(*argv, "-dcertform") == 0) {
 			if (--argc < 1)
 				goto bad;
 			s_dcert_format = str2fmt(*(++argv));
@@ -831,6 +828,10 @@
 			if (--argc < 1)
 				goto bad;
 			alpn_in = *(++argv);
+		} else if (strcmp(*argv, "-groups") == 0) {
+			if (--argc < 1)
+				goto bad;
+			groups_in = *(++argv);
 		}
 #ifndef OPENSSL_NO_SRTP
 		else if (strcmp(*argv, "-use_srtp") == 0) {
@@ -1055,6 +1056,14 @@
 	if (alpn_ctx.data)
 		SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
 
+	if (groups_in != NULL) {
+		if (SSL_CTX_set1_groups_list(ctx, groups_in) != 1) {
+			BIO_printf(bio_err, "Failed to set groups '%s'\n",
+			    groups_in);
+			goto end;
+		}
+	}
+
 #ifndef OPENSSL_NO_DH
 	if (!no_dhe) {
 		DH *dh = NULL;
@@ -1108,34 +1117,21 @@
 	}
 #endif
 
-	if (!no_ecdhe) {
+	if (!no_ecdhe && named_curve != NULL) {
 		EC_KEY *ecdh = NULL;
+		int nid;
 
-		if (named_curve) {
-			int nid = OBJ_sn2nid(named_curve);
-
-			if (nid == 0) {
-				BIO_printf(bio_err, "unknown curve name (%s)\n",
-				    named_curve);
-				goto end;
-			}
-			ecdh = EC_KEY_new_by_curve_name(nid);
-			if (ecdh == NULL) {
-				BIO_printf(bio_err, "unable to create curve (%s)\n",
-				    named_curve);
-				goto end;
-			}
+		if ((nid = OBJ_sn2nid(named_curve)) == 0) {
+			BIO_printf(bio_err, "unknown curve name (%s)\n",
+			    named_curve);
+			goto end;
 		}
-		if (ecdh != NULL) {
-			BIO_printf(bio_s_out, "Setting temp ECDH parameters\n");
-		} else {
-			BIO_printf(bio_s_out, "Using default temp ECDH parameters\n");
-			ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-			if (ecdh == NULL) {
-				BIO_printf(bio_err, "unable to create curve (nistp256)\n");
-				goto end;
-			}
+		if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {
+			BIO_printf(bio_err, "unable to create curve (%s)\n",
+			    named_curve);
+			goto end;
 		}
+		BIO_printf(bio_s_out, "Setting temp ECDH parameters\n");
 		(void) BIO_flush(bio_s_out);
 
 		SSL_CTX_set_tmp_ecdh(ctx, ecdh);