upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Enable ECDHE for servers. Where available, use

Browse source 
SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
  enable ECDHE.  Otherwise, manually offer curve p256.
  Client connections should automatically use ECDHE when available.
  (thanks Daniel Kahn Gillmor)


git-svn-id: file:///svn/unbound/trunk@3452 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2015-07-20 06:56:01 +00:00
parent fa20564699
commit 78c8224655
7 changed files with 62 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
config.h.in
View file

@ -327,6 +327,9 @@
/* Define if you have the SSL libraries installed. */ /* Define if you have the SSL libraries installed. */
#undef HAVE_SSL #undef HAVE_SSL
/* Define to 1 if you have the `SSL_CTX_set_ecdh_auto' function. */
#undef HAVE_SSL_CTX_SET_ECDH_AUTO
/* Define to 1 if you have the <stdarg.h> header file. */ /* Define to 1 if you have the <stdarg.h> header file. */
#undef HAVE_STDARG_H #undef HAVE_STDARG_H

2
configure vendored
View file

@ -16773,7 +16773,7 @@ fi
done done
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode SSL_CTX_set_ecdh_auto
do : do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"

2
configure.ac
View file

@ -577,7 +577,7 @@ else
fi fi
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode]) AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode SSL_CTX_set_ecdh_auto])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [ AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
AC_INCLUDES_DEFAULT AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H #ifdef HAVE_OPENSSL_ERR_H

17
daemon/remote.c
View file

@ -258,6 +258,23 @@ daemon_remote_create(struct config_file* cfg)
log_crypto_err("Error in SSL_CTX check_private_key"); log_crypto_err("Error in SSL_CTX check_private_key");
goto setup_error; goto setup_error;
} }
#ifdef SSL_CTX_SET_ECDH_AUTO
if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
}
#elif defined(USE_ECDSA)
if(1) {
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
if (!ecdh) {
log_crypto_err("could not find p256, not enabling ECDHE");
} else {
if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
}
EC_KEY_free (ecdh);
}
}
#endif
if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) { if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
log_crypto_err("Error setting up SSL_CTX verify locations"); log_crypto_err("Error setting up SSL_CTX verify locations");
setup_error: setup_error:

7
doc/Changelog
View file

@ -1,3 +1,10 @@
20 July 2015: Wouter
- Enable ECDHE for servers. Where available, use
SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
enable ECDHE. Otherwise, manually offer curve p256.
Client connections should automatically use ECDHE when available.
(thanks Daniel Kahn Gillmor)
18 July 2015: Willem 18 July 2015: Willem
- Allow certificate chain files to allow for intermediate certificates. - Allow certificate chain files to allow for intermediate certificates.
(thanks Daniel Kahn Gillmor) (thanks Daniel Kahn Gillmor)

16
testcode/petal.c
View file

@ -242,6 +242,22 @@ setup_ctx(char* key, char* cert)
print_exit("cannot read key"); print_exit("cannot read key");
if(!SSL_CTX_check_private_key(ctx)) if(!SSL_CTX_check_private_key(ctx))
print_exit("private key is not correct"); print_exit("private key is not correct");
#ifdef SSL_CTX_SET_ECDH_AUTO
if (!SSL_CTX_set_ecdh_auto(ctx,1))
if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n");
#elif defined(USE_ECDSA)
if(1) {
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
if (!ecdh) {
if(verb>=1) printf("could not find p256, not enabling ECDHE\n");
} else {
if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
if(verb>=1) printf("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE\n");
}
EC_KEY_free(ecdh);
}
}
#endif
if(!SSL_CTX_load_verify_locations(ctx, cert, NULL)) if(!SSL_CTX_load_verify_locations(ctx, cert, NULL))
print_exit("cannot load cert verify locations"); print_exit("cannot load cert verify locations");
return ctx; return ctx;

17
util/net_help.c
View file

@ -647,6 +647,23 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
return NULL; return NULL;
} }
#ifdef SSL_CTX_SET_ECDH_AUTO
if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
}
#elif defined(USE_ECDSA)
if(1) {
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
if (!ecdh) {
log_crypto_err("could not find p256, not enabling ECDHE");
} else {
if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) {
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
}
EC_KEY_free (ecdh);
}
}
#endif
if(verifypem && verifypem[0]) { if(verifypem && verifypem[0]) {
if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {