From: Alan T. DeKok Date: Sun, 28 Aug 2011 20:08:25 +0000 (-0400) Subject: Enable elliptical curve cryptography X-Git-Tag: release_3_0_0_beta0~661 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f178f5d4527ef336c7fd90d05eb3467f3fb0d7b2;p=thirdparty%2Ffreeradius-server.git Enable elliptical curve cryptography Manual commit of 1bca962 --- diff --git a/raddb/modules/eap b/raddb/modules/eap index 237d8be0957..239168ea5a3 100644 --- a/raddb/modules/eap +++ b/raddb/modules/eap @@ -277,6 +277,13 @@ # make_cert_command = "${certdir}/bootstrap" + # + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # +# ecdh_curve = "prime256v1" + # # Session resumption / fast reauthentication # cache. diff --git a/src/include/tls.h b/src/include/tls.h index d96a998f201..519ae71487d 100644 --- a/src/include/tls.h +++ b/src/include/tls.h @@ -378,6 +378,11 @@ struct fr_tls_server_conf_t { X509_STORE *ocsp_store; #endif +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH + char *ecdh_curve; +#endif +#endif }; #ifdef __cplusplus diff --git a/src/main/tls.c b/src/main/tls.c index b544be4c31d..857592737c3 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -801,6 +801,13 @@ static CONF_PARSER tls_server_config[] = { { "require_client_cert", PW_TYPE_BOOLEAN, offsetof(fr_tls_server_conf_t, require_client_cert), NULL, NULL }, +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH + { "ecdh_curve", PW_TYPE_STRING_PTR, + offsetof(fr_tls_server_conf_t, ecdh_curve), NULL, "prime256v1"}, +#endif +#endif + { "cache", PW_TYPE_SUBSECTION, 0, NULL, (const void *) cache_config }, { "verify", PW_TYPE_SUBSECTION, 0, NULL, (const void *) verify_config }, @@ -853,6 +860,13 @@ static CONF_PARSER tls_client_config[] = { { "check_cert_issuer", PW_TYPE_STRING_PTR, offsetof(fr_tls_server_conf_t, check_cert_issuer), NULL, NULL}, +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH + { "ecdh_curve", PW_TYPE_STRING_PTR, + offsetof(fr_tls_server_conf_t, ecdh_curve), NULL, "prime256v1"}, +#endif +#endif + { NULL, -1, 0, NULL, NULL } /* end the list */ }; @@ -1486,6 +1500,38 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf) } #endif /* HAVE_OPENSSL_OCSP_H */ +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH +static int set_ecdh_curve(SSL_CTX *ctx, const char *ecdh_curve) +{ + int nid; + EC_KEY *ecdh; + + if (!ecdh_curve || !*ecdh_curve) return 0; + + nid = OBJ_sn2nid(ecdh_curve); + if (!nid) { + radlog(L_ERR, "Unknown ecdh_curve \"%s\"", ecdh_curve); + return -1; + } + + ecdh = EC_KEY_new_by_curve_name(nid); + if (!ecdh) { + radlog(L_ERR, "Unable to create new curve \"%s\"", ecdh_curve); + return -1; + } + + SSL_CTX_set_tmp_ecdh(ctx, ecdh); + + SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); + + EC_KEY_free(ecdh); + + return 0; +} +#endif +#endif + /* * Create Global context SSL and use it in every new session * @@ -1679,6 +1725,17 @@ load_ca: * SSL_CTX_set_msg_callback(ctx, cbtls_msg); */ + /* + * Set eliptical curve crypto configuration. + */ +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_ECDH + if (set_ecdh_curve(ctx, conf->ecdh_curve) < 0) { + return NULL; + } +#endif +#endif + /* Set Info callback */ SSL_CTX_set_info_callback(ctx, cbtls_info);