From 3a6c8b82e411c7114dde12df7b8110da5b0d280a Mon Sep 17 00:00:00 2001 From: Joel Sing Date: Tue, 16 Jul 2013 13:02:17 +0000 Subject: Enable ECDHE support in httpd via a SSLECDHCurve option. This specifies the named curve to use when generating ephemeral EC keys for an ECDHE-based cipher suite, or can be set to `none' to disable. The default is to use a prime256v1 curve. yay^Wok djm@ --- usr.sbin/httpd/conf/httpd.conf | 7 ++++++- usr.sbin/httpd/conf/httpd.conf-dist | 5 +++++ usr.sbin/httpd/src/modules/ssl/mod_ssl.c | 5 ++++- usr.sbin/httpd/src/modules/ssl/mod_ssl.h | 4 +++- usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c | 23 +++++++++++++++++++++- usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c | 19 +++++++++++++++++- 6 files changed, 58 insertions(+), 5 deletions(-) diff --git a/usr.sbin/httpd/conf/httpd.conf b/usr.sbin/httpd/conf/httpd.conf index 2a9715c582b..6fa0cbc6cbf 100644 --- a/usr.sbin/httpd/conf/httpd.conf +++ b/usr.sbin/httpd/conf/httpd.conf @@ -1,4 +1,4 @@ -# $OpenBSD: httpd.conf,v 1.27 2013/07/12 16:30:41 otto Exp $ +# $OpenBSD: httpd.conf,v 1.28 2013/07/16 13:02:16 jsing Exp $ # # Based upon the NCSA server configuration files originally by Rob McCool. # @@ -1035,6 +1035,11 @@ SSLEngine on # See the mod_ssl documentation for a complete list. #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP +# SSL ECDH Curve: +# Named curve to use when generating ephemeral EC keys for an +# ECDHE-based cipher suite, or `none' to disable. +SSLECDHCurve prime256v1 + # SSL Honor Cipher Order: # If on, use server's order of preference for ciphers. #SSLHonorCipherOrder on diff --git a/usr.sbin/httpd/conf/httpd.conf-dist b/usr.sbin/httpd/conf/httpd.conf-dist index e71f6169c74..b5a4c2e0aaa 100644 --- a/usr.sbin/httpd/conf/httpd.conf-dist +++ b/usr.sbin/httpd/conf/httpd.conf-dist @@ -1045,6 +1045,11 @@ SSLEngine on # See the mod_ssl documentation for a complete list. SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL +# SSL ECDH Curve: +# Named curve to use when generating ephemeral EC keys for an +# ECDHE-based cipher suite, or `none' to disable. +SSLECDHCurve prime256v1 + # SSL Honor Cipher Order: # If on, use server's order of preference for ciphers. #SSLHonorCipherOrder on diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c index 3a50bda9b8d..01133e25485 100644 --- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c +++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c @@ -74,7 +74,7 @@ * identify the module to SCCS `what' and RCS `ident' commands */ static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >"; -static char const rcsid[] = "$Id: mod_ssl.c,v 1.12 2013/07/16 11:32:05 jsing Exp $"; +static char const rcsid[] = "$Id: mod_ssl.c,v 1.13 2013/07/16 13:02:16 jsing Exp $"; /* * the table of configuration directives we provide @@ -113,6 +113,9 @@ static command_rec ssl_config_cmds[] = { AP_ALL_CMD(CipherSuite, TAKE1, "Colon-delimited list of permitted SSL Ciphers " "(`XXX:...:XXX' - see manual)") + AP_SRV_CMD(ECDHCurve, TAKE1, + "Name of ECDH curve to use for ephemeral EC keys " + "(`curve' - see manual)") AP_SRV_CMD(CertificateFile, TAKE1, "SSL Server Certificate file " "(`/path/to/file' - PEM or DER encoded)") diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h index 22c982b1401..4d88024b999 100644 --- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h +++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h @@ -514,9 +514,10 @@ typedef struct { char *szCACertificateFile; char *szLogFile; char *szCipherSuite; + int nECDHCurve; + BOOL bHonorCipherOrder; FILE *fileLogFile; int nLogLevel; - BOOL bHonorCipherOrder; int nVerifyDepth; ssl_verify_t nVerifyClient; X509 *pPublicCert[SSL_AIDX_MAX]; @@ -591,6 +592,7 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *); const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *); const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *); +const char *ssl_cmd_SSLECDHCurve(cmd_parms *, char *, char *); const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c index f7455783b6a..775837a1e89 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c @@ -196,8 +196,9 @@ void *ssl_config_server_create(pool *p, server_rec *s) sc->szCertificateChain = NULL; sc->szLogFile = NULL; sc->szCipherSuite = NULL; - sc->nLogLevel = SSL_LOG_NONE; + sc->nECDHCurve = NID_X9_62_prime256v1; sc->bHonorCipherOrder = UNSET; + sc->nLogLevel = SSL_LOG_NONE; sc->nVerifyDepth = UNSET; sc->nVerifyClient = SSL_CVERIFY_UNSET; sc->nSessionCacheTimeout = UNSET; @@ -253,6 +254,7 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv) cfgMergeString(szCertificateChain); cfgMergeString(szLogFile); cfgMergeString(szCipherSuite); + cfgMerge(nECDHCurve, NID_X9_62_prime256v1); cfgMergeBool(bHonorCipherOrder); cfgMerge(nLogLevel, SSL_LOG_NONE); cfgMergeInt(nVerifyDepth); @@ -544,6 +546,25 @@ const char *ssl_cmd_SSLCipherSuite( return NULL; } +const char *ssl_cmd_SSLECDHCurve( + cmd_parms *cmd, char *struct_ptr, char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + if (strcEQ(arg, "none")) { + sc->nECDHCurve = 0; + return NULL; + } + + sc->nECDHCurve = OBJ_sn2nid((const char *)arg); + if (sc->nECDHCurve == 0) { + return ap_pstrcat(cmd->pool, "SSLECDHCurve: unknown named curve '", + arg, "'", NULL); + } + + return NULL; +} + const char *ssl_cmd_SSLHonorCipherOrder( cmd_parms *cmd, char *struct_ptr, int flag) { diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c index eb95d778f79..67930cf4f1b 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_engine_init.c,v 1.30 2013/07/16 11:32:05 jsing Exp $ */ +/* $OpenBSD: ssl_engine_init.c,v 1.31 2013/07/16 13:02:16 jsing Exp $ */ /* _ _ ** _ __ ___ ___ __| | ___ ___| | mod_ssl @@ -530,6 +530,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) char *cpVHostID; EVP_PKEY *pKey; SSL_CTX *ctx; + EC_KEY *ecdhKey; STACK_OF(X509_NAME) *skCAList; ssl_asn1_t *asn1; unsigned char *ucp; @@ -641,6 +642,22 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) } } + /* + * Configure ECDH Curve + */ + if (sc->nECDHCurve > 0) { + ecdhKey = EC_KEY_new_by_curve_name(sc->nECDHCurve); + if (ecdhKey == NULL) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, + "Init: (%s) Failed to create new EC key using named curve", + cpVHostID); + ssl_die(); + } + SSL_CTX_set_tmp_ecdh(ctx, ecdhKey); + SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); + EC_KEY_free(ecdhKey); + } + /* * Configure Client Authentication details */ -- cgit v1.2.3