From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Mon, 20 Jul 2015 06:56:01 +0000 (+0000)
Subject: - Enable ECDHE for servers.  Where available, use
X-Git-Tag: release-1.5.5rc1~40
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78c82246555c143ec2aeccf0d2ed02cfe76f7dce;p=thirdparty%2Funbound.git

- Enable ECDHE for servers.  Where available, use
  SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
  enable ECDHE.  Otherwise, manually offer curve p256.
  Client connections should automatically use ECDHE when available.
  (thanks Daniel Kahn Gillmor)


git-svn-id: file:///svn/unbound/trunk@3452 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/config.h.in b/config.h.in
index 723b3ad02..8e2312964 100644
--- a/config.h.in
+++ b/config.h.in
@@ -327,6 +327,9 @@
 /* Define if you have the SSL libraries installed. */
 #undef HAVE_SSL
 
+/* Define to 1 if you have the `SSL_CTX_set_ecdh_auto' function. */
+#undef HAVE_SSL_CTX_SET_ECDH_AUTO
+
 /* Define to 1 if you have the <stdarg.h> header file. */
 #undef HAVE_STDARG_H
 
diff --git a/configure b/configure
index b5539cfde..398fa1068 100755
--- a/configure
+++ b/configure
@@ -16773,7 +16773,7 @@ fi
 
 done
 
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode SSL_CTX_set_ecdh_auto
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.ac b/configure.ac
index 217d43276..9c71ac4ea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -577,7 +577,7 @@ else
 fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode SSL_CTX_set_ecdh_auto])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
diff --git a/daemon/remote.c b/daemon/remote.c
index 300b9922c..6f7888803 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -258,6 +258,23 @@ daemon_remote_create(struct config_file* cfg)
 		log_crypto_err("Error in SSL_CTX check_private_key");
 		goto setup_error;
 	}
+#ifdef SSL_CTX_SET_ECDH_AUTO
+	if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
+		log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
+	}
+#elif defined(USE_ECDSA)
+	if(1) {
+		EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+		if (!ecdh) {
+			log_crypto_err("could not find p256, not enabling ECDHE");
+		} else {
+			if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
+				log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
+			}
+			EC_KEY_free (ecdh);
+		}
+	}
+#endif
 	if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
 		log_crypto_err("Error setting up SSL_CTX verify locations");
 	setup_error:
diff --git a/doc/Changelog b/doc/Changelog
index 0b130e4a0..651d73644 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+20 July 2015: Wouter
+	- Enable ECDHE for servers.  Where available, use
+	  SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
+	  enable ECDHE.  Otherwise, manually offer curve p256.
+	  Client connections should automatically use ECDHE when available.
+	  (thanks Daniel Kahn Gillmor)
+
 18 July 2015: Willem
 	- Allow certificate chain files to allow for intermediate certificates.
 	  (thanks Daniel Kahn Gillmor)
diff --git a/testcode/petal.c b/testcode/petal.c
index e680005a7..2661c3e4d 100644
--- a/testcode/petal.c
+++ b/testcode/petal.c
@@ -242,6 +242,22 @@ setup_ctx(char* key, char* cert)
 		print_exit("cannot read key");
 	if(!SSL_CTX_check_private_key(ctx))
 		print_exit("private key is not correct");
+#ifdef SSL_CTX_SET_ECDH_AUTO
+	if (!SSL_CTX_set_ecdh_auto(ctx,1))
+		if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n");
+#elif defined(USE_ECDSA)
+	if(1) {
+		EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+		if (!ecdh) {
+			if(verb>=1) printf("could not find p256, not enabling ECDHE\n");
+		} else {
+			if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
+				if(verb>=1) printf("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE\n");
+			}
+			EC_KEY_free(ecdh);
+		}
+	}
+#endif
 	if(!SSL_CTX_load_verify_locations(ctx, cert, NULL))
 		print_exit("cannot load cert verify locations");
 	return ctx;
diff --git a/util/net_help.c b/util/net_help.c
index 5ad765844..59b3f91d5 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -647,6 +647,23 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
+#ifdef SSL_CTX_SET_ECDH_AUTO
+	if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
+		log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
+	}
+#elif defined(USE_ECDSA)
+	if(1) {
+		EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+		if (!ecdh) {
+			log_crypto_err("could not find p256, not enabling ECDHE");
+		} else {
+			if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
+				log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
+			}
+			EC_KEY_free (ecdh);
+		}
+	}
+#endif
 
 	if(verifypem && verifypem[0]) {
 		if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {