/* Define if you have the SSL libraries installed. */
#undef HAVE_SSL
+/* Define to 1 if you have the `SSL_CTX_set_ecdh_auto' function. */
+#undef HAVE_SSL_CTX_SET_ECDH_AUTO
+
/* Define to 1 if you have the <stdarg.h> header file. */
#undef HAVE_STDARG_H
done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode SSL_CTX_set_ecdh_auto
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
fi
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode SSL_CTX_set_ecdh_auto])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H
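Review bot: The new `AC_CHECK_FUNCS` entry for `SSL_CTX_set_ecdh_auto` is a link-only probe, and in OpenSSL releases where that name is provided as a macro around `SSL_CTX_ctrl` rather than an exported symbol the probe fails and `HAVE_SSL_CTX_SET_ECDH_AUTO` stays undefined even though the feature is usable; whether that applies to the versions targeted here cannot be confirmed from this page. If it does, a compile/link test that includes `<openssl/ssl.h>` — for instance an `AC_CHECK_DECLS([SSL_CTX_set_ecdh_auto], [], [], [AC_INCLUDES_DEFAULT ... #include <openssl/ssl.h>])` alongside the existing `AC_CHECK_DECLS` for the `SSL_COMP` symbols on the next line — would detect it. The practical effect of a silent miss is that builds quietly take the fallback path and the intended ECDHE setup is never compiled in.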
log_crypto_err("Error in SSL_CTX check_private_key");
goto setup_error;
}
+#ifdef SSL_CTX_SET_ECDH_AUTO
+ if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
+ log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
+ }
+#elif defined(USE_ECDSA)
+ if(1) {
+ EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+ if (!ecdh) {
+ log_crypto_err("could not find p256, not enabling ECDHE");
+ } else {
+ if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
+ log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
+ }
+ EC_KEY_free (ecdh);
+ }
+ }
+#endif
if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
log_crypto_err("Error setting up SSL_CTX verify locations");
setup_error:
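Review bot: The guard `#ifdef SSL_CTX_SET_ECDH_AUTO` does not match the macro the configure check emits, `HAVE_SSL_CTX_SET_ECDH_AUTO` (see the config.h.in hunk), and nothing on this page defines `SSL_CTX_SET_ECDH_AUTO`, so the `SSL_CTX_set_ecdh_auto()` branch is never compiled from the configure result and every build falls through to the `USE_ECDSA` p256 path or to no ECDHE at all, without any log line saying so. The guard should read `#ifdef HAVE_SSL_CTX_SET_ECDH_AUTO`; the same mismatch is in the two later hunks that use `ctx` (the `print_exit` one and the one following `SSL_CTX_free(ctx);`). As a point of style, the `if(1) {` wrapper in the `#elif` branch can be a plain block `{` with a short comment such as `/* no ecdh_auto: offer p256 manually so ECDHE is still available */`. The enclosing function starts and ends outside this hunk.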
+20 July 2015: Wouter
+ - Enable ECDHE for servers. Where available, use
+ SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
+ enable ECDHE. Otherwise, manually offer curve p256.
+ Client connections should automatically use ECDHE when available.
+ (thanks Daniel Kahn Gillmor)
+
18 July 2015: Willem
- Allow certificate chain files to allow for intermediate certificates.
(thanks Daniel Kahn Gillmor)
print_exit("cannot read key");
if(!SSL_CTX_check_private_key(ctx))
print_exit("private key is not correct");
+#ifdef SSL_CTX_SET_ECDH_AUTO
+ if (!SSL_CTX_set_ecdh_auto(ctx,1))
+ if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n");
+#elif defined(USE_ECDSA)
+ if(1) {
+ EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+ if (!ecdh) {
+ if(verb>=1) printf("could not find p256, not enabling ECDHE\n");
+ } else {
+ if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
+ if(verb>=1) printf("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE\n");
+ }
+ EC_KEY_free(ecdh);
+ }
+ }
+#endif
if(!SSL_CTX_load_verify_locations(ctx, cert, NULL))
print_exit("cannot load cert verify locations");
return ctx;
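Review bot: The two unbraced nested `if` statements after `SSL_CTX_check_private_key` (`if (!SSL_CTX_set_ecdh_auto(ctx,1))` followed by `if(verb>=1) printf(...)`) read as a dangling-if and will trip the next edit that adds an `else`; brace the outer one: `if (!SSL_CTX_set_ecdh_auto(ctx,1)) { if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n"); }`. This is also the only one of the three ECDHE blocks whose failure message is gated on `verb>=1`, so at the default verbosity a failed ECDHE setup here is invisible to the operator; a comment noting that the call is best-effort and the connection proceeds without ECDHE would help the reader. The enclosing function starts outside this hunk.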
SSL_CTX_free(ctx);
return NULL;
}
+#ifdef SSL_CTX_SET_ECDH_AUTO
+ if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
+ log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
+ }
+#elif defined(USE_ECDSA)
+ if(1) {
+ EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+ if (!ecdh) {
+ log_crypto_err("could not find p256, not enabling ECDHE");
+ } else {
+ if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
+ log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
+ }
+ EC_KEY_free (ecdh);
+ }
+ }
+#endif
if(verifypem && verifypem[0]) {
if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {