Browse Source

[mod_openssl] enable DH and ECDH

personal/stbuehler/wip
Stefan Bühler 9 years ago
parent
commit
0b8365ca29
  1. 158
      src/modules/mod_openssl.c

158
src/modules/mod_openssl.c

@ -47,6 +47,19 @@
#include <openssl/err.h>
#include <openssl/rand.h>
# ifndef OPENSSL_NO_DH
# include <openssl/dh.h>
# define USE_OPENSSL_DH
static DH* load_dh_params_4096(void);
# endif
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
# ifndef OPENSSL_NO_ECDH
# include <openssl/ecdh.h>
# define USE_OPENSSL_ECDH
# endif
#endif
LI_API gboolean mod_openssl_init(liModules *mods, liModule *mod);
LI_API gboolean mod_openssl_free(liModules *mods, liModule *mod);
@ -458,13 +471,18 @@ static gboolean openssl_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
GString *ipstr = NULL;
const char
*ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM",
*pemfile = NULL, *ca_file = NULL, *client_ca_file = NULL;
*pemfile = NULL, *ca_file = NULL, *client_ca_file = NULL, *dh_params_file = NULL;
long
options = SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE
options = SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE
#ifdef SSL_OP_NO_COMPRESSION
| SSL_OP_NO_COMPRESSION
#endif
#ifdef USE_OPENSSL_ECDH
| SSL_OP_SINGLE_ECDH_USE
#endif
;
const char
*ecdh_curve = "prime256v1";
guint
verify_mode = 0, verify_depth = 1;
gboolean
@ -505,6 +523,24 @@ static gboolean openssl_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
return FALSE;
}
ciphers = htval->data.string->str;
} else if (g_str_equal(htkey->str, "dh-params")) {
#ifndef USE_OPENSSL_DH
WARNING(srv, "%s", "the openssl library in use doesn't support DH => dh-params has no effect");
#endif
if (htval->type != LI_VALUE_STRING) {
ERROR(srv, "%s", "openssl dh-params expects a string as parameter");
return FALSE;
}
dh_params_file = htval->data.string->str;
} else if (g_str_equal(htkey->str, "ecdh-curve")) {
#ifndef USE_OPENSSL_ECDH
WARNING(srv, "%s", "the openssl library in use doesn't support ECDH => ecdh-curve has no effect");
#endif
if (htval->type != LI_VALUE_STRING) {
ERROR(srv, "%s", "openssl ecdh-curve expects a string as parameter");
return FALSE;
}
ecdh_curve = htval->data.string->str;
} else if (g_str_equal(htkey->str, "options")) {
guint i;
@ -588,6 +624,58 @@ static gboolean openssl_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
}
}
#ifdef USE_OPENSSL_DH
{
DH *dh;
BIO *bio;
/* Support for Diffie-Hellman key exchange */
if (NULL != dh_params_file) {
/* DH parameters from file */
bio = BIO_new_file(dh_params_file, "r");
if (bio == NULL) {
ERROR(srv,"SSL: BIO_new_file('%s'): unable to open file", dh_params_file);
goto error_free_socket;
}
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if (NULL == dh) {
ERROR(srv, "SSL: PEM_read_bio_DHparams failed (for file '%s')", dh_params_file);
goto error_free_socket;
}
} else {
dh = load_dh_params_4096();
if (NULL == dh) {
ERROR(srv, "%s", "SSL: loading default DH parameters failed");
goto error_free_socket;
}
}
SSL_CTX_set_tmp_dh(ctx->ssl_ctx, dh);
DH_free(dh);
}
#endif
#ifdef USE_OPENSSL_ECDH
{
EC_KEY *ecdh;
int ecdh_nid;
ecdh_nid = OBJ_sn2nid(ecdh_curve);
if (NID_undef == ecdh_nid) {
ERROR(srv, "SSL: Unknown curve name '%s'", ecdh_curve);
goto error_free_socket;
}
ecdh = EC_KEY_new_by_curve_name(ecdh_nid);
if (NULL == ecdh) {
ERROR(srv, "SSL: Unable to create curve '%s'", ecdh_curve);
goto error_free_socket;
}
SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
if (ca_file) {
if (1 != SSL_CTX_load_verify_locations(ctx->ssl_ctx, ca_file, NULL)) {
ERROR(srv, "SSL_CTX_load_verify_locations('%s'): %s", ca_file, ERR_error_string(ERR_get_error(), NULL));
@ -743,3 +831,69 @@ gboolean mod_openssl_free(liModules *mods, liModule *mod) {
return TRUE;
}
#ifdef USE_OPENSSL_DH
static DH* load_dh_params_4096(void) {
static const unsigned char dh4096_p[]={
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
};
static const unsigned char dh4096_g[]={
0x05,
};
DH *dh = DH_new();
if (NULL == dh) return NULL;
dh->p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), NULL);
dh->g = BN_bin2bn(dh4096_g, sizeof(dh4096_g), NULL);
if (NULL == dh->p || NULL == dh->g) {
DH_free(dh);
return NULL;
}
return dh;
}
#endif

Loading…
Cancel
Save