Module: sip-router
Branch: 4.0
Commit: 70908767953fd7482737aa79c8a3a9fa8b53a17e
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=7090876…
Author: Carsten Bock <carsten(a)ng-voice.com>
Committer: Carsten Bock <carsten(a)ng-voice.com>
Date: Sat Mar 22 15:30:27 2014 +0100
tls: Add support for Elliptic-Curve Diffie-Hellman Ciphers (ECDH)
---
modules/tls/tls_domain.c | 91 ++++++++++++++++++++++++++++++++++++++++++++++
modules/tls/tls_mod.c | 8 +++-
2 files changed, 97 insertions(+), 2 deletions(-)
diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
index c06892c..ec89829 100644
--- a/modules/tls/tls_domain.c
+++ b/modules/tls/tls_domain.c
@@ -41,6 +41,91 @@
#include "tls_domain.h"
#include "tls_cfg.h"
+/*
+ * ECDHE is enabled only on OpenSSL 1.0.0e and later.
+ * See
http://www.openssl.org/news/secadv_20110906.txt
+ * for details.
+ */
+#ifndef OPENSSL_NO_ECDH
+static void setup_ecdh(SSL_CTX *ctx)
+{
+ EC_KEY *ecdh;
+
+ if (SSLeay() < 0x1000005fL) {
+ return;
+ }
+
+ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+
+ EC_KEY_free(ecdh);
+}
+#endif
+
+#ifndef OPENSSL_NO_DH
+
+static unsigned char dh3072_p[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+ 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+ 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+ 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+ 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+ 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+ 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+ 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+ 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+ 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+ 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+ 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+ 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+ 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+ 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+ 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
+ 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
+ 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
+ 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+ 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
+ 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
+ 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
+ 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+ 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
+ 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
+ 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
+ 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+ 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
+ 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
+ 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
+ 0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+
+};
+
+static unsigned char dh3072_g[] = { 0x02 };
+
+static void setup_dh(SSL_CTX *ctx)
+{
+ DH *dh;
+
+ dh = DH_new();
+ if (dh == NULL) {
+ return;
+ }
+
+ dh->p = BN_bin2bn(dh3072_p, sizeof(dh3072_p), NULL);
+ dh->g = BN_bin2bn(dh3072_g, sizeof(dh3072_g), NULL);
+ if (dh->p == NULL || dh->g == NULL) {
+ DH_free(dh);
+ return;
+ }
+
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+ SSL_CTX_set_tmp_dh(ctx, dh);
+
+ DH_free(dh);
+}
+#endif
+
/**
* @brief Create a new TLS domain structure
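Review bot: setup_ecdh() and setup_dh() return void and ignore every OpenSSL result, so a failure leaves the context without ephemeral parameters and nothing is logged; handshakes would then presumably settle on suites without forward secrecy. In setup_ecdh() the result of EC_KEY_new_by_curve_name() is passed to SSL_CTX_set_tmp_ecdh() without a NULL check, and setup_dh() likewise drops the result of SSL_CTX_set_tmp_dh(). I would have both helpers return an int and log on failure, as sketched below for setup_ecdh(), and check that value at the call site in the set_cipher_list hunk, which currently cannot tell success from failure. The dh3072_p table also has no provenance comment: it appears to be the 3072-bit MODP prime from RFC 3526, so something like `/* 3072-bit MODP group prime (RFC 3526) - verify against the RFC */` would help. Both tables can be `static const unsigned char`.

```c
static int setup_ecdh(SSL_CTX *ctx)
{
	EC_KEY *ecdh;

	if (SSLeay() < 0x1000005fL) {
		/* library too old for safe ECDHE: not an error, just skipped */
		return 0;
	}

	ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
	if (ecdh == NULL) {
		LM_ERR("unable to create EC key for curve prime256v1\n");
		return -1;
	}
	SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
	if (SSL_CTX_set_tmp_ecdh(ctx, ecdh) != 1) {
		LM_ERR("unable to install temporary ECDH key\n");
		EC_KEY_free(ecdh);
		return -1;
	}

	EC_KEY_free(ecdh);
	return 0;
}
/* ... unchanged: dh3072_p / dh3072_g tables; setup_dh() gets the same int return and result check ... */
```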
@@ -542,6 +627,12 @@ static int set_cipher_list(tls_domain_t* d)
tls_domain_str(d), cipher_list);
return -1;
}
+#ifndef OPENSSL_NO_ECDH
+ setup_ecdh(d->ctx[i]);
+#endif
+#ifndef OPENSSL_NO_DH
+ setup_dh(d->ctx[i]);
+#endif
}
return 0;
}
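Review bot: Installing the DH/ECDH parameters from inside set_cipher_list ties forward secrecy to a function whose name and visible error path are only about the cipher string. The enclosing function starts outside the hunk, so I cannot see whether the loop is guarded by a configured cipher list; if it is, domains that rely on the default list would never receive the ephemeral parameters. At minimum add a comment above the calls such as `/* install ephemeral DH/ECDH parameters so forward-secret suites can be negotiated */`, and consider calling the helpers from the per-domain context set-up instead.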
diff --git a/modules/tls/tls_mod.c b/modules/tls/tls_mod.c
index bb5d3ad..45369ec 100644
--- a/modules/tls/tls_mod.c
+++ b/modules/tls/tls_mod.c
@@ -78,8 +78,6 @@
#error "conflict: CORE_TLS must _not_ be defined"
#endif
-
-
/*
* FIXME:
* - How do we ask for secret key password ? Mod_init is called after
@@ -365,6 +363,12 @@ static int mod_init(void)
if (tls_check_sockets(*tls_domains_cfg) < 0)
goto error;
+#ifndef OPENSSL_NO_ECDH
+ LM_INFO("With ECDH-Support!\n");
+#endif
+#ifndef OPENSSL_NO_DH
+ LM_INFO("With Diffie Hellman\n");
+#endif
return 0;
error:
destroy_tls_h();
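Review bot: The two LM_INFO lines in mod_init report compile-time macros, not the outcome of the set-up, so "With ECDH-Support!" is logged even when setup_ecdh() in tls_domain.c returns early because SSLeay() reports a library older than 1.0.0e. An operator reading the log would assume ECDHE suites are available when they are not. Wording such as `LM_INFO("built with ECDH support\n");` would say what is actually known at this point, with a separate message from the set-up path once it can report success or failure. mod_init's body starts outside the hunk.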