[mod_openssl] enable DH and ECDH

10 years ago · 0b8365ca29
parent c15b37260a
commit 0b8365ca29
1 changed files with 156 additions and 2 deletions
--- a/src/modules/mod_openssl.c
+++ b/src/modules/mod_openssl.c
@ -47,6 +47,19 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>

+# ifndef OPENSSL_NO_DH
+#  include <openssl/dh.h>
+#  define USE_OPENSSL_DH
+static DH* load_dh_params_4096(void);
+# endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+# ifndef OPENSSL_NO_ECDH
+#  include <openssl/ecdh.h>
+#  define USE_OPENSSL_ECDH
+# endif
+#endif
+

 LI_API gboolean mod_openssl_init(liModules *mods, liModule *mod);
 LI_API gboolean mod_openssl_free(liModules *mods, liModule *mod);
@ -458,13 +471,18 @@ static gboolean openssl_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
 	GString *ipstr = NULL;
 	const char
 		*ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM",
-		*pemfile = NULL, *ca_file = NULL, *client_ca_file = NULL;
+		*pemfile = NULL, *ca_file = NULL, *client_ca_file = NULL, *dh_params_file = NULL;
 	long
-		options = SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE
+		options = SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE
 #ifdef SSL_OP_NO_COMPRESSION
 			| SSL_OP_NO_COMPRESSION
+#endif
+#ifdef USE_OPENSSL_ECDH
+			| SSL_OP_SINGLE_ECDH_USE
 #endif
 		;
+	const char
+		*ecdh_curve = "prime256v1";
 	guint
 		verify_mode = 0, verify_depth = 1;
 	gboolean
@ -505,6 +523,24 @@ static gboolean openssl_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
 				return FALSE;
 			}
 			ciphers = htval->data.string->str;
+		} else if (g_str_equal(htkey->str, "dh-params")) {
+#ifndef USE_OPENSSL_DH
+			WARNING(srv, "%s", "the openssl library in use doesn't support DH => dh-params has no effect");
+#endif
+			if (htval->type != LI_VALUE_STRING) {
+				ERROR(srv, "%s", "openssl dh-params expects a string as parameter");
+				return FALSE;
+			}
+			dh_params_file = htval->data.string->str;
+		} else if (g_str_equal(htkey->str, "ecdh-curve")) {
+#ifndef USE_OPENSSL_ECDH
+			WARNING(srv, "%s", "the openssl library in use doesn't support ECDH => ecdh-curve has no effect");
+#endif
+			if (htval->type != LI_VALUE_STRING) {
+				ERROR(srv, "%s", "openssl ecdh-curve expects a string as parameter");
+				return FALSE;
+			}
+			ecdh_curve = htval->data.string->str;
 		} else if (g_str_equal(htkey->str, "options")) {
 			guint i;

@ -588,6 +624,58 @@ static gboolean openssl_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
 		}
 	}

+#ifdef USE_OPENSSL_DH
+	{
+		DH *dh;
+		BIO *bio;
+
+		/* Support for Diffie-Hellman key exchange */
+		if (NULL != dh_params_file) {
+			/* DH parameters from file */
+			bio = BIO_new_file(dh_params_file, "r");
+			if (bio == NULL) {
+				ERROR(srv,"SSL: BIO_new_file('%s'): unable to open file", dh_params_file);
+				goto error_free_socket;
+			}
+			dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+			BIO_free(bio);
+			if (NULL == dh) {
+				ERROR(srv, "SSL: PEM_read_bio_DHparams failed (for file '%s')", dh_params_file);
+				goto error_free_socket;
+			}
+		} else {
+			dh = load_dh_params_4096();
+			if (NULL == dh) {
+				ERROR(srv, "%s", "SSL: loading default DH parameters failed");
+				goto error_free_socket;
+			}
+		}
+		SSL_CTX_set_tmp_dh(ctx->ssl_ctx, dh);
+		DH_free(dh);
+	}
+#endif
+
+#ifdef USE_OPENSSL_ECDH
+	{
+		EC_KEY *ecdh;
+		int ecdh_nid;
+
+		ecdh_nid = OBJ_sn2nid(ecdh_curve);
+		if (NID_undef == ecdh_nid) {
+			ERROR(srv, "SSL: Unknown curve name '%s'", ecdh_curve);
+			goto error_free_socket;
+		}
+
+		ecdh = EC_KEY_new_by_curve_name(ecdh_nid);
+		if (NULL == ecdh) {
+			ERROR(srv, "SSL: Unable to create curve '%s'", ecdh_curve);
+			goto error_free_socket;
+		}
+		SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh);
+		EC_KEY_free(ecdh);
+	}
+#endif
+
 	if (ca_file) {
 		if (1 != SSL_CTX_load_verify_locations(ctx->ssl_ctx, ca_file, NULL)) {
 			ERROR(srv, "SSL_CTX_load_verify_locations('%s'): %s", ca_file, ERR_error_string(ERR_get_error(), NULL));
@ -743,3 +831,69 @@ gboolean mod_openssl_free(liModules *mods, liModule *mod) {

 	return TRUE;
 }
+
+#ifdef USE_OPENSSL_DH
+static DH* load_dh_params_4096(void) {
+	static const unsigned char dh4096_p[]={
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
+		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
+		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
+		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
+		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
+		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
+		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
+		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
+		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
+		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
+		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
+		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
+		0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+		0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
+		0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
+		0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
+		0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+		0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
+		0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
+		0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
+		0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+		0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
+		0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
+		0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
+		0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+		0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
+		0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
+		0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
+		0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+		0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
+		0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
+		0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
+		0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+		0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
+		0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
+		0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
+		0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+		0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
+		0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,
+		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+		};
+	static const unsigned char dh4096_g[]={
+		0x05,
+		};
+
+	DH *dh = DH_new();
+	if (NULL == dh) return NULL;
+
+	dh->p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), NULL);
+	dh->g = BN_bin2bn(dh4096_g, sizeof(dh4096_g), NULL);
+
+	if (NULL == dh->p || NULL == dh->g) {
+		DH_free(dh);
+		return NULL;
+	}
+
+	return dh;
+}
+#endif