git.ipfire.org Git - thirdparty/openvpn.git/commit
author: Steffan Karger <steffan@karger.me>
Wed, 23 Apr 2014 22:31:08 +0000 (00:31 +0200)
committer: Gert Doering <gert@greenie.muc.de>
Fri, 25 Apr 2014 17:36:52 +0000 (19:36 +0200)
commit: 609e8131427686adca9b4ed2db44db4aaa920a01
tree: 4193d4fb98b7017ba2e66c0d330fac6514bf7124
parent: 1e3a1786a80e4afac37133ce5d6a1dcff779a4ce
Add support for elliptic curve Diffie-Hellman key exchange (ECDH)

This patch is based on Jan Just Keijser's patch from Feb 7, 2012.

When OpenSSL 1.0.2+ or PolarSSL is used, let the crypto library do the
heavy lifting. For OpenSSL builds, if a user specifies a curve using
--ecdh-curve, it first tries to override automatic selection using that
curve.

For older OpenSSL, tries the following things (in order of preference):
 * When supplied, use the ecdh curve specified by the user.
 * Try to extract the curve from the private key and use the same curve.
 * Fall back on secp384r1 curve.

Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do
*not* support TLSv1.1 or TLSv1.2, which means that no EC crypto can be
used.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53597BEA.6080408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8625
Signed-off-by: Gert Doering <gert@greenie.muc.de>
README.ec [new file with mode: 0644]
doc/openvpn.8
src/openvpn/init.c
src/openvpn/options.c
src/openvpn/options.h
src/openvpn/ssl.c
src/openvpn/ssl_backend.h
src/openvpn/ssl_openssl.c
src/openvpn/ssl_polarssl.c