summaryrefslogtreecommitdiff
path: root/usr.sbin/smtpd/ssl.c
diff options
context:
space:
mode:
authorEric Faurot <eric@cvs.openbsd.org>2013-07-19 09:04:08 +0000
committerEric Faurot <eric@cvs.openbsd.org>2013-07-19 09:04:08 +0000
commit42dd402b7a6c585371482b73cff08c661bbd5973 (patch)
tree75575f6b9da707909995e4f9921e30e6811f6fb9 /usr.sbin/smtpd/ssl.c
parentf23dfa28ba8ed18d01ab4b3007c35ae297f021c9 (diff)
tls perfect forward secrecy with ecdhe
suggested by djm@ on hackers@, diff ok djm@
Diffstat (limited to 'usr.sbin/smtpd/ssl.c')
-rw-r--r--usr.sbin/smtpd/ssl.c27
1 files changed, 26 insertions, 1 deletions
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index b814f71b4a4..31a9970da8c 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.53 2013/05/24 17:03:14 eric Exp $ */
+/* $OpenBSD: ssl.c,v 1.54 2013/07/19 09:04:06 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -91,6 +91,8 @@ ssl_setup(SSL_CTX **ctxp, struct ssl *ssl)
ssl_set_ephemeral_key_exchange(ctx, dh);
DH_free(dh);
+ ssl_set_ecdh_curve(ctx);
+
*ctxp = ctx;
return 1;
@@ -407,3 +409,26 @@ ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh)
fatal("ssl_set_ephemeral_key_exchange: cannot set tmp dh");
}
}
+
+void
+ssl_set_ecdh_curve(SSL_CTX *ctx)
+{
+ int nid;
+ EC_KEY *ecdh;
+
+ if ((nid = OBJ_sn2nid(SSL_ECDH_CURVE)) == 0) {
+ ssl_error("ssl_set_ecdh_curve");
+ fatal("ssl_set_ecdh_curve: unknown curve name "
+ SSL_ECDH_CURVE);
+ }
+
+ if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {
+ ssl_error("ssl_set_ecdh_curve");
+ fatal("ssl_set_ecdh_curve: unable to create curve "
+ SSL_ECDH_CURVE);
+ }
+
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh);
+}