Enable elliptical curve cryptography
authorAlan T. DeKok <aland@freeradius.org>
Sun, 28 Aug 2011 14:57:23 +0000 (10:57 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Sun, 28 Aug 2011 14:57:23 +0000 (10:57 -0400)
raddb/eap.conf
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h

index 4c9a661db47119387541bf9bbd6216449a8d54c9..3332800e823a608f24b90d0022240695c79d901c 100644 (file)
                        #
                        make_cert_command = "${certdir}/bootstrap"
 
+                       #
+                       #  Elliptical cryptography configuration
+                       #
+                       #  Only for OpenSSL >= 0.9.8.f
+                       #
+#                      ecdh_curve = "prime256v1"
+
                        #
                        #  Session resumption / fast reauthentication
                        #  cache.
index f60930bdcdc0f1be5c20f4a49bf635779798e92a..c1fb1488c35e8dc5ee98bd4d7eef399e7a7b8de3 100644 (file)
@@ -123,6 +123,13 @@ static CONF_PARSER module_config[] = {
        { "make_cert_command", PW_TYPE_STRING_PTR,
          offsetof(EAP_TLS_CONF, make_cert_command), NULL, NULL},
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+       { "ecdh_curve", PW_TYPE_STRING_PTR,
+         offsetof(EAP_TLS_CONF, ecdh_curve), NULL, "prime256v1"},
+#endif
+#endif
+
        { "cache", PW_TYPE_SUBSECTION, 0, NULL, (const void *) cache_config },
 
        { "verify", PW_TYPE_SUBSECTION, 0, NULL, (const void *) verify_config },
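Review bot: The `"prime256v1"` default in the new module_config entry enables ECDHE on every build with OpenSSL >= 0.9.8f, while the eap.conf hunk only shows the option commented out, so an administrator reading the config cannot tell that the feature is on by default or how to turn it off. Since set_ecdh_curve treats an empty string as "do nothing" (the `if (!ecdh_curve || !*ecdh_curve) return 0;` check in the later hunk), the eap.conf comment should say that the default is prime256v1 and that `ecdh_curve = ""` disables ephemeral ECDH. A one-line comment next to the `ecdh_curve` entry here, e.g. `/* default enables ECDHE; "" disables it */`, would keep the two files in step. The module_config array starts and ends outside the hunk.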
@@ -760,6 +767,38 @@ static X509_STORE *init_revocation_store(EAP_TLS_CONF *conf)
 }
 #endif /* HAVE_OPENSSL_OCSP_H */
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+static int set_ecdh_curve(SSL_CTX *ctx, const char *ecdh_curve)
+{
+       int      nid; 
+       EC_KEY  *ecdh; 
+
+       if (!ecdh_curve || !*ecdh_curve) return 0;
+
+       nid = OBJ_sn2nid(ecdh_curve); 
+       if (!nid) { 
+               radlog(L_ERR, "Unknown ecdh_curve \"%s\"", ecdh_curve);
+               return -1;
+       }
+
+       ecdh = EC_KEY_new_by_curve_name(nid); 
+       if (!ecdh) { 
+               radlog(L_ERR, "Unable to create new curve \"%s\"", ecdh_curve);
+               return -1;
+       } 
+
+       SSL_CTX_set_tmp_ecdh(ctx, ecdh); 
+
+       SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); 
+
+       EC_KEY_free(ecdh);
+
+       return 0;
+}
+#endif
+#endif
+
 /*
  *     Create Global context SSL and use it in every new session
  *
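Review bot: The return value of `SSL_CTX_set_tmp_ecdh(ctx, ecdh)` is ignored, so if OpenSSL rejects the key the function still frees the EC_KEY and returns 0, the server starts without any ECDHE suites and nobody is told; the other two OpenSSL calls in this function are checked, so this one should be too. The call returns 1 on success (it is an SSL_CTX_ctrl wrapper), so the fix is to test for `!= 1`, log the curve name as the surrounding code does, free the key and return -1. Several lines in the hunk also carry trailing whitespace after the `;` (the `nid`/`ecdh` declarations, the `OBJ_sn2nid` line and the two `SSL_CTX_set_*` calls), which is worth stripping before merge.
```c
	/* … unchanged: argument check, OBJ_sn2nid(), EC_KEY_new_by_curve_name() … */

	if (SSL_CTX_set_tmp_ecdh(ctx, ecdh) != 1) {
		radlog(L_ERR, "Unable to set ecdh_curve \"%s\"", ecdh_curve);
		EC_KEY_free(ecdh);
		return -1;
	}

	/* … unchanged: SSL_OP_SINGLE_ECDH_USE, EC_KEY_free(), return 0 … */
```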
@@ -936,6 +975,17 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
         *      SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
         */
 
+       /*
+        *      Set eliptical curve crypto configuration.
+        */
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+       if (set_ecdh_curve(ctx, conf->ecdh_curve) < 0) {
+               return NULL;
+       }
+#endif
+#endif
+
        /*
         *      set the message callback to identify the type of
         *      message.  For every new session, there can be a
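Review bot: The new `return NULL;` after a failed set_ecdh_curve() leaves `ctx` allocated; if the other failure paths in init_tls_ctx release the context before returning (its creation is outside this hunk, so I cannot confirm), this one should match them with `SSL_CTX_free(ctx); return NULL;`, otherwise a bad `ecdh_curve` value leaks an SSL_CTX on every failed module load. The comment introducing the block also misspells the term; `Set elliptic curve crypto configuration.` would read correctly. init_tls_ctx starts and ends outside the hunk.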
index 3a994aaa185e0a5d3472a85813c4fac210845003..ed22712c0018589be4e9fc249ab9e626740c1a44 100644 (file)
@@ -80,6 +80,11 @@ typedef struct eap_tls_conf {
        char            *ocsp_url;
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+       char            *ecdh_curve;
+#endif
+#endif
 } EAP_TLS_CONF;
 
 /* This structure gets stored in arg */