OpenSSL: Add openssl_ecdh_curves parameter

Some versions of OpenSSL need server support for ECDH to be explicitly
enabled, so provide a new parameter for doing so and call
SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic
selection.

Signed-off-by: Hristo Venev <hristo@venev.name>
Hristo Venev 2017-04-20 14:40:35 +01:00 committed by Jouni Malinen
parent b98933eafc
commit 0521c6ebb3
5 changed files with 90 additions and 0 deletions


@ -144,6 +144,8 @@ struct tls_config {
* @cert_id: the certificate's id when using engine
* @ca_cert_id: the CA certificate's id when using engine
* @openssl_ciphers: OpenSSL cipher configuration
* @openssl_ecdh_curves: OpenSSL ECDH curve configuration. %NULL for auto if
* supported, empty string to disable, or a colon-separated curve list.
* @flags: Parameter options (TLS_CONN_*)
* @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
* or %NULL if OCSP is not enabled
@ -187,6 +189,7 @@ struct tls_connection_params {
const char *cert_id;
const char *ca_cert_id;
const char *openssl_ciphers;
const char *openssl_ecdh_curves;
unsigned int flags;
const char *ocsp_stapling_response;


@ -461,6 +461,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
}
}
if (params->openssl_ecdh_curves) {
wpa_printf(MSG_INFO,
"GnuTLS: openssl_ecdh_curves not supported");
return -1;
}
/* TODO: gnutls_certificate_set_verify_flags(xcred, flags);
* to force peer validation(?) */
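Review bot: The rejection of openssl_ecdh_curves is added here only in tls_connection_set_params, while the OpenSSL backend also consumes the field in tls_global_set_params (the @ -4571 hunk), which takes the same struct; unless the GnuTLS tls_global_set_params is covered by a hunk outside this page, a curve list supplied through the global parameters is silently accepted and ignored, leaving the caller believing the restriction is in effect. The internal TLS section (@ -248) has the same gap, and the wolfSSL section (@ -1524) the mirror image, rejecting in tls_global_set_params only. The same `if (params->openssl_ecdh_curves) { wpa_printf(...); return -1; }` block should appear in both entry points of each backend. tls_connection_set_params starts outside this hunk.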


@ -248,6 +248,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
}
if (params->openssl_ecdh_curves) {
wpa_printf(MSG_INFO, "TLS: openssl_ecdh_curves not supported");
tlsv1_cred_free(cred);
return -1;
}
if (tlsv1_set_ca_cert(cred, params->ca_cert,
params->ca_cert_blob, params->ca_cert_blob_len,
params->ca_path)) {


@ -4505,6 +4505,40 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
}
if (!params->openssl_ecdh_curves) {
#ifndef OPENSSL_IS_BORINGSSL
#ifndef OPENSSL_NO_EC
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
(OPENSSL_VERSION_NUMBER < 0x10100000L)
if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set ECDH curves to auto");
return -1;
}
#endif /* >= 1.0.2 && < 1.1.0 */
#endif /* OPENSSL_NO_EC */
#endif /* OPENSSL_IS_BORINGSSL */
} else if (params->openssl_ecdh_curves[0]) {
#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
wpa_printf(MSG_INFO,
"OpenSSL: ECDH configuration nnot supported");
return -1;
#else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
#ifndef OPENSSL_NO_EC
if (SSL_set1_curves_list(conn->ssl,
params->openssl_ecdh_curves) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set ECDH curves '%s'",
params->openssl_ecdh_curves);
return -1;
}
#else /* OPENSSL_NO_EC */
wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
return -1;
#endif /* OPENSSL_NO_EC */
#endif /* OPENSSL_IS_BORINGSSL */
}
if (tls_set_conn_flags(conn, params->flags,
params->openssl_ciphers) < 0)
return -1;
@ -4571,6 +4605,41 @@ int tls_global_set_params(void *tls_ctx,
return -1;
}
if (!params->openssl_ecdh_curves) {
#ifndef OPENSSL_IS_BORINGSSL
#ifndef OPENSSL_NO_EC
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
(OPENSSL_VERSION_NUMBER < 0x10100000L)
if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set ECDH curves to auto");
return -1;
}
#endif /* >= 1.0.2 && < 1.1.0 */
#endif /* OPENSSL_NO_EC */
#endif /* OPENSSL_IS_BORINGSSL */
} else if (params->openssl_ecdh_curves[0]) {
#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
wpa_printf(MSG_INFO,
"OpenSSL: ECDH configuration nnot supported");
return -1;
#else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
#ifndef OPENSSL_NO_EC
if (SSL_CTX_set1_curves_list(ssl_ctx,
params->openssl_ecdh_curves) !=
1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set ECDH curves '%s'",
params->openssl_ecdh_curves);
return -1;
}
#else /* OPENSSL_NO_EC */
wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
return -1;
#endif /* OPENSSL_NO_EC */
#endif /* OPENSSL_IS_BORINGSSL */
}
#ifdef SSL_OP_NO_TICKET
if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
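Review bot: An empty openssl_ecdh_curves string falls through both `if (!params->openssl_ecdh_curves)` and `else if (params->openssl_ecdh_curves[0])`, so nothing is configured, yet the tls.h comment added in this commit promises "empty string to disable"; the version guard on SSL_set_ecdh_auto already implies that 1.1.0 and later select curves automatically without it, so on those builds ECDH stays enabled, and either the header should say `empty string to leave the library default` or the empty-string case needs its own branch that logs what it does. The error message in both hunks reads `"OpenSSL: ECDH configuration nnot supported"` and should be `"OpenSSL: ECDH configuration not supported"`. The two preprocessor blocks in tls_connection_set_params and tls_global_set_params differ only in the SSL_ versus SSL_CTX_ call, which invites them to drift apart (the typo already appears twice); a small static helper taking the curve string and the object to configure would keep them in step. Both enclosing functions start outside their hunks.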


@ -1524,6 +1524,12 @@ int tls_global_set_params(void *tls_ctx,
return -1;
}
if (params->openssl_ecdh_curves) {
wpa_printf(MSG_INFO,
"wolfSSL: openssl_ecdh_curves not supported");
return -1;
}
#ifdef HAVE_SESSION_TICKET
/* Session ticket is off by default - can't disable once on. */
if (!(params->flags & TLS_CONN_DISABLE_SESSION_TICKET))