22 Mar
2014
22 Mar
'14
4:33 p.m.
Module: sip-router
Branch: master
Commit: 49d318720cec2d46ae28edff4a0bddb564d32d44
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=49d3187…
Author: Carsten Bock <carsten(a)ng-voice.com>
Committer: Carsten Bock <carsten(a)ng-voice.com>
Date: Sat Mar 22 15:30:27 2014 +0100
tls: Add support for Elliptic-Curve Diffie-Hellman Ciphers (ECDH)
---
modules/tls/tls_domain.c | 91 ++++++++++++++++++++++++++++++++++++++++++++++
modules/tls/tls_mod.c | 8 +++-
2 files changed, 97 insertions(+), 2 deletions(-)
diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
index b832c63..a814818 100644
--- a/modules/tls/tls_domain.c
+++ b/modules/tls/tls_domain.c
@@ -42,6 +42,91 @@
#include "tls_domain.h"
#include "tls_cfg.h"
+/*
+ * ECDHE is enabled only on OpenSSL 1.0.0e and later.
+ * See http://www.openssl.org/news/secadv_20110906.txt
+ * for details.
+ */
+#ifndef OPENSSL_NO_ECDH
+static void setup_ecdh(SSL_CTX *ctx)
+{
+ EC_KEY *ecdh;
+
+ if (SSLeay() < 0x1000005fL) {
+ return;
+ }
+
+ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+
+ EC_KEY_free(ecdh);
+}
+#endif
+
+#ifndef OPENSSL_NO_DH
+
+static unsigned char dh3072_p[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+ 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+ 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+ 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+ 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+ 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+ 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+ 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+ 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+ 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+ 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+ 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+ 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+ 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+ 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+ 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
+ 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
+ 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
+ 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+ 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
+ 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
+ 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
+ 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+ 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
+ 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
+ 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
+ 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+ 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
+ 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
+ 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
+ 0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+
+};
+
+static unsigned char dh3072_g[] = { 0x02 };
+
+static void setup_dh(SSL_CTX *ctx)
+{
+ DH *dh;
+
+ dh = DH_new();
+ if (dh == NULL) {
+ return;
+ }
+
+ dh->p = BN_bin2bn(dh3072_p, sizeof(dh3072_p), NULL);
+ dh->g = BN_bin2bn(dh3072_g, sizeof(dh3072_g), NULL);
+ if (dh->p == NULL || dh->g == NULL) {
+ DH_free(dh);
+ return;
+ }
+
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+ SSL_CTX_set_tmp_dh(ctx, dh);
+
+ DH_free(dh);
+}
+#endif
+
/**
* @brief Create a new TLS domain structure
@@ -543,6 +628,12 @@ static int set_cipher_list(tls_domain_t* d)
tls_domain_str(d), cipher_list);
return -1;
}
+#ifndef OPENSSL_NO_ECDH
+ setup_ecdh(d->ctx[i]);
+#endif
+#ifndef OPENSSL_NO_DH
+ setup_dh(d->ctx[i]);
+#endif
}
return 0;
}
diff --git a/modules/tls/tls_mod.c b/modules/tls/tls_mod.c
index b206bf6..c81a8e9 100644
--- a/modules/tls/tls_mod.c
+++ b/modules/tls/tls_mod.c
@@ -57,8 +57,6 @@
#error "conflict: CORE_TLS must _not_ be defined"
#endif
-
-
/*
* FIXME:
* - How do we ask for secret key password ? Mod_init is called after
@@ -344,6 +342,12 @@ static int mod_init(void)
if (tls_check_sockets(*tls_domains_cfg) < 0)
goto error;
+#ifndef OPENSSL_NO_ECDH
+ LM_INFO("With ECDH-Support!\n");
+#endif
+#ifndef OPENSSL_NO_DH
+ LM_INFO("With Diffie Hellman\n");
+#endif
return 0;
error:
destroy_tls_h();
22 Mar
22 Mar
5:24 p.m.
New subject: git:master: tls: Add support for Elliptic-Curve Diffie-Hellman Ciphers ( ECDH)
On 22 Mar 2014, at 15:33, Carsten Bock <carsten(a)ng-voice.com> wrote:
tls: Add support for Elliptic-Curve Diffie-Hellman
Ciphers (ECDH)
Brilliant! Which OpenSSL version is required for this?
/O
5:24 p.m.
New subject: git:master: tls: Add support for Elliptic-Curve Diffie-Hellman Ciphers ( ECDH)
On 22 Mar 2014, at 15:33, Carsten Bock <carsten(a)ng-voice.com> wrote:
+ * ECDHE is enabled only on OpenSSL 1.0.0e and
later.
+ * See http://www.openssl.org/news/secadv_20110906.txt
+ * for details.
Found it. Maybe we should document this in the README?
/O
5:46 p.m.
New subject: git:master: tls: Add support for Elliptic-Curve Diffie-Hellman Ciphers ( ECDH)
On 22 Mar 2014, at 16:24, Olle E. Johansson <oej(a)edvina.net> wrote:
On 22 Mar 2014, at 15:33, Carsten Bock <carsten(a)ng-voice.com> wrote:
I also suggest that we backport this small patch to 4.0 and 4.1.
/O
+ * ECDHE is enabled only on OpenSSL 1.0.0e and
later.
+ * See http://www.openssl.org/news/secadv_20110906.txt
+ * for details.
Found it. Maybe we should document this in the README?
5:55 p.m.
Hi Olle,
just added note to the docs and cherry-picked it for 4.0 and 4.1.
Thanks,
Carsten
2014-03-22 16:46 GMT+01:00 Olle E. Johansson <oej(a)edvina.net>et>:
On 22 Mar 2014, at 16:24, Olle E. Johansson <oej(a)edvina.net> wrote:
--
Carsten Bock
CEO (Geschäftsführer)
ng-voice GmbH
Schomburgstr. 80
D-22767 Hamburg / Germany
http://www.ng-voice.com
mailto:carsten@ng-voice.com
Office +49 40 34927219
Fax +49 40 34927220
Sitz der Gesellschaft: Hamburg
Registergericht: Amtsgericht Hamburg, HRB 120189
Geschäftsführer: Carsten Bock
Ust-ID: DE279344284
Hier finden Sie unsere handelsrechtlichen Pflichtangaben:
http://www.ng-voice.com/imprint/
On 22 Mar 2014, at 15:33, Carsten Bock <carsten(a)ng-voice.com> wrote:
I also suggest that we backport this small patch to 4.0 and 4.1.
/O
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev + * ECDHE is enabled only on OpenSSL 1.0.0e and
later.
+ * See http://www.openssl.org/news/secadv_20110906.txt
+ * for details.
Found it. Maybe we should document this in the README?
5:58 p.m.
New subject: git:master: tls: Add support for Elliptic-Curve Diffie-Hellman Ciphers ( ECDH)
On 22 Mar 2014, at 16:55, Carsten Bock <carsten(a)ng-voice.com> wrote:
Hi Olle,
just added note to the docs and cherry-picked it for 4.0 and 4.1.
Thank you!
I used translate in Facebook to translate your german message and noticed that the
translation of "Kamailio" became "OpenSER". ;-)
/O
Thanks,
Carsten
2014-03-22 16:46 GMT+01:00 Olle E. Johansson <oej(a)edvina.net>et>:
On 22 Mar 2014, at 16:24, Olle E. Johansson <oej(a)edvina.net> wrote:
--
Carsten Bock
CEO (Geschäftsführer)
ng-voice GmbH
Schomburgstr. 80
D-22767 Hamburg / Germany
http://www.ng-voice.com
mailto:carsten@ng-voice.com
Office +49 40 34927219
Fax +49 40 34927220
Sitz der Gesellschaft: Hamburg
Registergericht: Amtsgericht Hamburg, HRB 120189
Geschäftsführer: Carsten Bock
Ust-ID: DE279344284
Hier finden Sie unsere handelsrechtlichen Pflichtangaben:
http://www.ng-voice.com/imprint/
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
On 22 Mar 2014, at 15:33, Carsten Bock <carsten(a)ng-voice.com> wrote:
I also suggest that we backport this small patch to 4.0 and 4.1.
/O
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev + * ECDHE is enabled only on OpenSSL 1.0.0e and
later.
+ * See http://www.openssl.org/news/secadv_20110906.txt
+ * for details.
Found it. Maybe we should document this in the README?
3898
days inactive
3898
days old
5 comments
2 participants
participants (2)
-
Carsten Bock -
Olle E. Johansson