Enable elliptical curve cryptography

Manual commit of 1bca962

diff --git a/raddb/modules/eap b/raddb/modules/eap
index 237d8be09575dddcb033f7687fae1e7c3571bc4f..239168ea5a3e35ed8f38f9922710f5fd859ce646 100644 (file)
--- a/raddb/modules/eap
+++ b/raddb/modules/eap
@@ -277,6 +277,13 @@
                        #
                        make_cert_command = "${certdir}/bootstrap"
 
+                       #
+                       #  Elliptical cryptography configuration
+                       #
+                       #  Only for OpenSSL >= 0.9.8.f
+                       #
+#                      ecdh_curve = "prime256v1"
+
                        #
                        #  Session resumption / fast reauthentication
                        #  cache.

diff --git a/src/include/tls.h b/src/include/tls.h
index d96a998f2011c141638d84d1a571a95c8b528ebf..519ae71487d75430decbf2b17d969fa46a857286 100644 (file)
--- a/src/include/tls.h
+++ b/src/include/tls.h
@@ -378,6 +378,11 @@ struct fr_tls_server_conf_t {
        X509_STORE      *ocsp_store;
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+       char            *ecdh_curve;
+#endif
+#endif
 };
 
 #ifdef __cplusplus

diff --git a/src/main/tls.c b/src/main/tls.c
index b544be4c31dbbdb08d0fc6248d35fe2f84b63098..857592737c3a0da4dfdff1019520536f7afe3549 100644 (file)
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -801,6 +801,13 @@ static CONF_PARSER tls_server_config[] = {
        { "require_client_cert", PW_TYPE_BOOLEAN,
          offsetof(fr_tls_server_conf_t, require_client_cert), NULL, NULL },
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+       { "ecdh_curve", PW_TYPE_STRING_PTR,
+         offsetof(fr_tls_server_conf_t, ecdh_curve), NULL, "prime256v1"},
+#endif
+#endif
+
        { "cache", PW_TYPE_SUBSECTION, 0, NULL, (const void *) cache_config },
 
        { "verify", PW_TYPE_SUBSECTION, 0, NULL, (const void *) verify_config },
@@ -853,6 +860,13 @@ static CONF_PARSER tls_client_config[] = {
        { "check_cert_issuer", PW_TYPE_STRING_PTR,
          offsetof(fr_tls_server_conf_t, check_cert_issuer), NULL, NULL},
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+       { "ecdh_curve", PW_TYPE_STRING_PTR,
+         offsetof(fr_tls_server_conf_t, ecdh_curve), NULL, "prime256v1"},
+#endif
+#endif
+
        { NULL, -1, 0, NULL, NULL }           /* end the list */
 };
 
@@ -1486,6 +1500,38 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
 }
 #endif /* HAVE_OPENSSL_OCSP_H */
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+static int set_ecdh_curve(SSL_CTX *ctx, const char *ecdh_curve)
+{
+       int      nid; 
+       EC_KEY  *ecdh; 
+
+       if (!ecdh_curve || !*ecdh_curve) return 0;
+
+       nid = OBJ_sn2nid(ecdh_curve); 
+       if (!nid) { 
+               radlog(L_ERR, "Unknown ecdh_curve \"%s\"", ecdh_curve);
+               return -1;
+       }
+
+       ecdh = EC_KEY_new_by_curve_name(nid); 
+       if (!ecdh) { 
+               radlog(L_ERR, "Unable to create new curve \"%s\"", ecdh_curve);
+               return -1;
+       } 
+
+       SSL_CTX_set_tmp_ecdh(ctx, ecdh); 
+
+       SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); 
+
+       EC_KEY_free(ecdh);
+
+       return 0;
+}
+#endif
+#endif
+
 /*
  *     Create Global context SSL and use it in every new session
  *
@@ -1679,6 +1725,17 @@ load_ca:
         *      SSL_CTX_set_msg_callback(ctx, cbtls_msg);
         */
 
+       /*
+        *      Set eliptical curve crypto configuration.
+        */
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+       if (set_ecdh_curve(ctx, conf->ecdh_curve) < 0) {
+               return NULL;
+       }
+#endif
+#endif
+
        /* Set Info callback */
        SSL_CTX_set_info_callback(ctx, cbtls_info);