[sr-dev] git:4.1: tls: Add support for Elliptic-Curve Diffie-Hellman Ciphers (ECDH)

Carsten Bock carsten at ng-voice.com
Sat Mar 22 16:51:09 CET 2014


Module: sip-router
Branch: 4.1
Commit: f8430785ec9c46b2535b2d29898853ee50cc76e0
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f8430785ec9c46b2535b2d29898853ee50cc76e0

Author: Carsten Bock <carsten at ng-voice.com>
Committer: Carsten Bock <carsten at ng-voice.com>
Date:   Sat Mar 22 15:30:27 2014 +0100

tls: Add support for Elliptic-Curve Diffie-Hellman Ciphers (ECDH)

---

 modules/tls/tls_domain.c |   91 ++++++++++++++++++++++++++++++++++++++++++++++
 modules/tls/tls_mod.c    |    8 +++-
 2 files changed, 97 insertions(+), 2 deletions(-)

diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
index b832c63..a814818 100644
--- a/modules/tls/tls_domain.c
+++ b/modules/tls/tls_domain.c
@@ -42,6 +42,91 @@
 #include "tls_domain.h"
 #include "tls_cfg.h"
 
+/*
+ * ECDHE is enabled only on OpenSSL 1.0.0e and later.
+ * See http://www.openssl.org/news/secadv_20110906.txt
+ * for details.
+ */
+#ifndef OPENSSL_NO_ECDH
+static void setup_ecdh(SSL_CTX *ctx)
+{
+   EC_KEY *ecdh;
+
+   if (SSLeay() < 0x1000005fL) {
+      return;
+   }
+
+   ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+   SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+
+   EC_KEY_free(ecdh);
+}
+#endif
+
+#ifndef OPENSSL_NO_DH
+
+static unsigned char dh3072_p[] = {
+   0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+   0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+   0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+   0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+   0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+   0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+   0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+   0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+   0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+   0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+   0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+   0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+   0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+   0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+   0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+   0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+   0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
+   0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
+   0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
+   0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+   0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
+   0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
+   0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
+   0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+   0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
+   0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
+   0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
+   0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+   0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
+   0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
+   0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
+   0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+
+};
+
+static unsigned char dh3072_g[] = { 0x02 };
+
+static void setup_dh(SSL_CTX *ctx)
+{
+   DH *dh;
+
+   dh = DH_new();
+   if (dh == NULL) {
+      return;
+   }
+
+   dh->p = BN_bin2bn(dh3072_p, sizeof(dh3072_p), NULL);
+   dh->g = BN_bin2bn(dh3072_g, sizeof(dh3072_g), NULL);
+   if (dh->p == NULL || dh->g == NULL) {
+      DH_free(dh);
+      return;
+   }
+
+   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+   SSL_CTX_set_tmp_dh(ctx, dh);
+
+   DH_free(dh);
+}
+#endif
+
 
 /**
  * @brief Create a new TLS domain structure
@@ -543,6 +628,12 @@ static int set_cipher_list(tls_domain_t* d)
 					tls_domain_str(d), cipher_list);
 			return -1;
 		}
+#ifndef OPENSSL_NO_ECDH
+                setup_ecdh(d->ctx[i]);
+#endif
+#ifndef OPENSSL_NO_DH
+                setup_dh(d->ctx[i]);
+#endif
 	}
 	return 0;
 }
diff --git a/modules/tls/tls_mod.c b/modules/tls/tls_mod.c
index b206bf6..c81a8e9 100644
--- a/modules/tls/tls_mod.c
+++ b/modules/tls/tls_mod.c
@@ -57,8 +57,6 @@
 	#error "conflict: CORE_TLS must _not_ be defined"
 #endif
 
-
-
 /*
  * FIXME:
  * - How do we ask for secret key password ? Mod_init is called after
@@ -344,6 +342,12 @@ static int mod_init(void)
 	if (tls_check_sockets(*tls_domains_cfg) < 0)
 		goto error;
 
+#ifndef OPENSSL_NO_ECDH
+	LM_INFO("With ECDH-Support!\n");
+#endif
+#ifndef OPENSSL_NO_DH
+	LM_INFO("With Diffie Hellman\n");
+#endif
 	return 0;
 error:
 	destroy_tls_h();




More information about the sr-dev mailing list