xfnw
/
solanum
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[openssl] support ECDHE on more than one curve when possible

This commit is contained in:
Aaron Jones 2016-04-27 16:17:33 +00:00
parent f590c59d5c
commit b1f0549361
No known key found for this signature in database
GPG Key ID: 6E854C0FAAD4CEA4
1 changed files with 27 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
librb/src/openssl.c
View File

@ -48,6 +48,18 @@
# endif
#endif
/*
* Use SSL_CTX_set_ecdh_auto() in OpenSSL 1.0.2 only
* Use SSL_CTX_set1_curves_list() in OpenSSL 1.0.2 and above
* TODO: Merge this into the block above if LibreSSL implements them
*/
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10002000L)
# define LRB_HAVE_TLS_SET_CURVES 1
# if (OPENSSL_VERSION_NUMBER < 0x10100000L)
# define LRB_HAVE_TLS_ECDH_AUTO 1
# endif
#endif
static SSL_CTX *ssl_server_ctx;
static SSL_CTX *ssl_client_ctx;
static int librb_index = -1;
@ -315,6 +327,9 @@ rb_init_ssl(void)
int ret = 1;
char librb_data[] = "librb data";
const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
#ifdef LRB_HAVE_TLS_SET_CURVES
const char librb_curves[] = "P-521:P-384:P-256";
#endif
SSL_load_error_strings();
SSL_library_init();
librb_index = SSL_get_ex_new_index(0, librb_data, NULL, NULL, NULL);
@ -358,7 +373,16 @@ rb_init_ssl(void)
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_cipher_list(ssl_server_ctx, librb_ciphers);
/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available
#ifdef LRB_HAVE_TLS_SET_CURVES
SSL_CTX_set1_curves_list(ssl_server_ctx, librb_curves);
#endif
#ifdef LRB_HAVE_TLS_ECDH_AUTO
SSL_CTX_set_ecdh_auto(ssl_server_ctx, 1);
#endif
#if !defined(LRB_HAVE_TLS_SET_CURVES) && !defined(LRB_HAVE_TLS_ECDH_AUTO)
/* Set ECDHE on OpenSSL 1.0.0 & 1.0.1, but make sure it's actually available
* (it's not by default on Solaris or Red Hat... fuck Red Hat and Oracle)
*/
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && !defined(OPENSSL_NO_ECDH)
@ -368,6 +392,7 @@ rb_init_ssl(void)
EC_KEY_free(key);
}
#endif
#endif
#ifndef LRB_HAVE_TLS_METHOD_API
ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
@ -815,4 +840,4 @@ rb_ssl_get_cipher(rb_fde_t *F)
return SSL_CIPHER_get_name(sslciph);
}
#endif /* HAVE_OPESSL */
#endif /* HAVE_OPENSSL */