diff options
| author | Eric Faurot <eric@cvs.openbsd.org> | 2013-07-19 09:04:08 +0000 |
|---|---|---|
| committer | Eric Faurot <eric@cvs.openbsd.org> | 2013-07-19 09:04:08 +0000 |
| commit | 42dd402b7a6c585371482b73cff08c661bbd5973 (patch) | |
| tree | 75575f6b9da707909995e4f9921e30e6811f6fb9 /usr.sbin | |
| parent | f23dfa28ba8ed18d01ab4b3007c35ae297f021c9 (diff) | |
tls perfect forward secrecy with ecdhe
suggested by djm@ on hackers@, diff ok djm@
Diffstat (limited to 'usr.sbin')
| -rw-r--r-- | usr.sbin/smtpd/ssl.c | 27 | ||||
| -rw-r--r-- | usr.sbin/smtpd/ssl.h | 6 |
2 files changed, 30 insertions, 3 deletions
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c index b814f71b4a4..31a9970da8c 100644 --- a/usr.sbin/smtpd/ssl.c +++ b/usr.sbin/smtpd/ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.c,v 1.53 2013/05/24 17:03:14 eric Exp $ */ +/* $OpenBSD: ssl.c,v 1.54 2013/07/19 09:04:06 eric Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -91,6 +91,8 @@ ssl_setup(SSL_CTX **ctxp, struct ssl *ssl) ssl_set_ephemeral_key_exchange(ctx, dh); DH_free(dh); + ssl_set_ecdh_curve(ctx); + *ctxp = ctx; return 1; @@ -407,3 +409,26 @@ ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh) fatal("ssl_set_ephemeral_key_exchange: cannot set tmp dh"); } } + +void +ssl_set_ecdh_curve(SSL_CTX *ctx) +{ + int nid; + EC_KEY *ecdh; + + if ((nid = OBJ_sn2nid(SSL_ECDH_CURVE)) == 0) { + ssl_error("ssl_set_ecdh_curve"); + fatal("ssl_set_ecdh_curve: unknown curve name " + SSL_ECDH_CURVE); + } + + if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) { + ssl_error("ssl_set_ecdh_curve"); + fatal("ssl_set_ecdh_curve: unable to create curve " + SSL_ECDH_CURVE); + } + + SSL_CTX_set_tmp_ecdh(ctx, ecdh); + SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); + EC_KEY_free(ecdh); +} diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h index 640dc63f491..4cbec59458f 100644 --- a/usr.sbin/smtpd/ssl.h +++ b/usr.sbin/smtpd/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.1 2013/01/26 09:37:24 gilles Exp $ */ +/* $OpenBSD: ssl.h,v 1.2 2013/07/19 09:04:07 eric Exp $ */ /* * Copyright (c) 2013 Gilles Chehade <gilles@poolp.org> * @@ -15,7 +15,8 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#define SSL_CIPHERS "HIGH" +#define SSL_CIPHERS "HIGH:!aNULL:!MD5" +#define SSL_ECDH_CURVE "prime256v1" #define SSL_SESSION_TIMEOUT 300 struct ssl { @@ -42,6 +43,7 @@ int ssl_cmp(struct ssl *, struct ssl *); DH *get_dh1024(void); DH *get_dh_from_memory(char *, size_t); void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *); +void ssl_set_ecdh_curve(SSL_CTX *); extern int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t); char *ssl_load_file(const char *, off_t *, mode_t); char *ssl_load_key(const char *, off_t *, char *); |