From: Alan T. DeKok Date: Sun, 28 Aug 2011 14:57:23 +0000 (-0400) Subject: Enable elliptical curve cryptography X-Git-Tag: release_2_1_12~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1bca962eb6ff5e27518625b081947f20d34a145a;p=thirdparty%2Ffreeradius-server.git Enable elliptical curve cryptography --- diff --git a/raddb/eap.conf b/raddb/eap.conf index 4c9a661db47..3332800e823 100644 --- a/raddb/eap.conf +++ b/raddb/eap.conf @@ -283,6 +283,13 @@ # make_cert_command = "${certdir}/bootstrap" + # + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # +# ecdh_curve = "prime256v1" + # # Session resumption / fast reauthentication # cache. diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c index f60930bdcdc..c1fb1488c35 100644 --- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c +++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c @@ -123,6 +123,13 @@ static CONF_PARSER module_config[] = { { "make_cert_command", PW_TYPE_STRING_PTR, offsetof(EAP_TLS_CONF, make_cert_command), NULL, NULL}, +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH + { "ecdh_curve", PW_TYPE_STRING_PTR, + offsetof(EAP_TLS_CONF, ecdh_curve), NULL, "prime256v1"}, +#endif +#endif + { "cache", PW_TYPE_SUBSECTION, 0, NULL, (const void *) cache_config }, { "verify", PW_TYPE_SUBSECTION, 0, NULL, (const void *) verify_config }, 
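Review bot: The sample keeps `ecdh_curve` commented out, yet the module_config hunk in rlm_eap_tls.c registers the option with "prime256v1" in its default column, so the curve appears to be configured whenever the option is absent; the eap.conf comment should state that, and state how to turn it off, since set_ecdh_curve returns early on an empty string. Suggested line under the existing comment block: `# Defaults to "prime256v1" when not set; set to "" to disable ECDH.` The heading would also read better as `Elliptic curve cryptography configuration` ("Elliptical" appears in the config comment, the commit title and the comment added to init_tls_ctx).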
@@ -760,6 +767,38 @@ static X509_STORE *init_revocation_store(EAP_TLS_CONF *conf) } #endif /* HAVE_OPENSSL_OCSP_H */ +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH +static int set_ecdh_curve(SSL_CTX *ctx, const char *ecdh_curve) +{ + int nid; + EC_KEY *ecdh; + + if (!ecdh_curve || !*ecdh_curve) return 0; + + nid = OBJ_sn2nid(ecdh_curve); + if (!nid) { + radlog(L_ERR, "Unknown ecdh_curve \"%s\"", ecdh_curve); + return -1; + } + + ecdh = EC_KEY_new_by_curve_name(nid); + if (!ecdh) { + radlog(L_ERR, "Unable to create new curve \"%s\"", ecdh_curve); + return -1; + } + + SSL_CTX_set_tmp_ecdh(ctx, ecdh); + + SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); + + EC_KEY_free(ecdh); + + return 0; +} +#endif +#endif + /* * Create Global context SSL and use it in every new session * @@ -936,6 +975,17 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf) * SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh); */ + /* + * Set eliptical curve crypto configuration. + */ +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH + if (set_ecdh_curve(ctx, conf->ecdh_curve) < 0) { + return NULL; + } +#endif +#endif + /* * set the message callback to identify the type of * message. For every new session, there can be a diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h index 3a994aaa185..ed22712c001 100644 --- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h +++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h @@ -80,6 +80,11 @@ typedef struct eap_tls_conf { char *ocsp_url; #endif +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH + char *ecdh_curve; +#endif +#endif } EAP_TLS_CONF; /* This structure gets stored in arg */
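Review bot: The return value of `SSL_CTX_set_tmp_ecdh(ctx, ecdh)` is ignored, so a failure there leaves the context without ECDH parameters (ECDHE cipher suites then cannot be negotiated) and nothing is logged, while the two earlier failure modes in set_ecdh_curve are logged and abort initialisation. Checking it keeps the three failure paths consistent and gives an operator a reason when the expected key exchange is missing; the rewritten lines are below. The radlog calls could additionally append the OpenSSL error string so the cause is visible, but that is optional.
```c
	/* … unchanged: curve lookup and EC_KEY_new_by_curve_name() … */

	if (SSL_CTX_set_tmp_ecdh(ctx, ecdh) != 1) {
		radlog(L_ERR, "Unable to set ecdh_curve \"%s\"", ecdh_curve);
		EC_KEY_free(ecdh);
		return -1;
	}

	/* … unchanged: SSL_OP_SINGLE_ECDH_USE, EC_KEY_free(), return 0 … */
```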
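Review bot: The new `return NULL;` after the set_ecdh_curve failure leaves the already-created `ctx` unreleased; init_tls_ctx starts outside this hunk, so I cannot see how its other error paths behave, but if they call `SSL_CTX_free(ctx)` before returning NULL this path should do the same, `SSL_CTX_free(ctx); return NULL;`, and if they do not, the leak is pre-existing and worth a follow-up. The comment above the call should read `Set elliptic curve crypto configuration.`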
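Review bot: Wrapping the `ecdh_curve` member in `#if OPENSSL_VERSION_NUMBER >= 0x0090800fL` / `#ifndef OPENSSL_NO_ECDH` makes the size of `EAP_TLS_CONF` depend on whether the OpenSSL version header is visible in each translation unit that includes rlm_eap_tls.h; I cannot see the header's includes here, but any includer that does not see those macros gets a shorter struct. Declaring `char *ecdh_curve;` unconditionally removes that hazard, since only the CONF_PARSER entry and set_ecdh_curve need the guard. The same two-level guard is now repeated in four places across the header and rlm_eap_tls.c; defining one feature macro in the header once and testing it elsewhere would keep them from drifting apart.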