author | Eric Faurot <eric@cvs.openbsd.org> | 2013-07-19 09:04:08 +0000 |
---|---|---|
committer | Eric Faurot <eric@cvs.openbsd.org> | 2013-07-19 09:04:08 +0000 |
commit | 42dd402b7a6c585371482b73cff08c661bbd5973 (patch) | |
tree | 75575f6b9da707909995e4f9921e30e6811f6fb9 /usr.sbin/smtpd/ssl.c | |
parent | f23dfa28ba8ed18d01ab4b3007c35ae297f021c9 (diff) |
tls perfect forward secrecy with ecdhe
suggested by djm@ on hackers@, diff ok djm@
Diffstat (limited to 'usr.sbin/smtpd/ssl.c')
-rw-r--r-- | usr.sbin/smtpd/ssl.c | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index b814f71b4a4..31a9970da8c 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.53 2013/05/24 17:03:14 eric Exp $ */
+/* $OpenBSD: ssl.c,v 1.54 2013/07/19 09:04:06 eric Exp $ */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -91,6 +91,8 @@ ssl_setup(SSL_CTX **ctxp, struct ssl *ssl)
 ssl_set_ephemeral_key_exchange(ctx, dh);
 DH_free(dh);
 
+ ssl_set_ecdh_curve(ctx);
+
 *ctxp = ctx;
 return 1;
 
@@ -407,3 +409,26 @@ ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh)
 fatal("ssl_set_ephemeral_key_exchange: cannot set tmp dh");
 }
 }
+
+void
+ssl_set_ecdh_curve(SSL_CTX *ctx)
+{
+ int nid;
+ EC_KEY *ecdh;
+
+ if ((nid = OBJ_sn2nid(SSL_ECDH_CURVE)) == 0) {
+ ssl_error("ssl_set_ecdh_curve");
+ fatal("ssl_set_ecdh_curve: unknown curve name "
+ SSL_ECDH_CURVE);
+ }
+
+ if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {
+ ssl_error("ssl_set_ecdh_curve");
+ fatal("ssl_set_ecdh_curve: unable to create curve "
+ SSL_ECDH_CURVE);
+ }
+
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh);
+} |
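Review bot: In the new ssl_set_ecdh_curve() (last hunk) the return value of SSL_CTX_set_tmp_ecdh() is discarded, so a failure to install the curve would leave the context without ECDHE parameters while startup continues as if forward secrecy were configured. The sibling ssl_set_ephemeral_key_exchange(), whose tail is visible as context in the same hunk, treats the equivalent DH failure as fatal ("cannot set tmp dh"), and the new function should be consistent with it; the fix is to check the result and fail the same way, as below. SSL_ECDH_CURVE is not defined in this diff, so whether the chosen curve is actually enabled by the cipher list set elsewhere in ssl_setup() cannot be confirmed from here and is worth checking in the caller.
```c
 if (SSL_CTX_set_tmp_ecdh(ctx, ecdh) != 1) {
 ssl_error("ssl_set_ecdh_curve");
 fatal("ssl_set_ecdh_curve: cannot set tmp ecdh");
 }
 /* … unchanged: SSL_OP_SINGLE_ECDH_USE and EC_KEY_free … */
```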