void Context::initECDH(const std::string& curve) { #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef OPENSSL_NO_ECDH int nid = 0; if (!curve.empty()) { nid = OBJ_sn2nid(curve.c_str()); } else { nid = OBJ_sn2nid("prime256v1"); } if (nid == 0) { throw SSLContextException("Unknown ECDH curve name", curve); } EC_KEY* ecdh = EC_KEY_new_by_curve_name(nid); if (!ecdh) { throw SSLContextException("Cannot create ECDH curve"); } SSL_CTX_set_tmp_ecdh(_pSSLContext, ecdh); SSL_CTX_set_options(_pSSLContext, SSL_OP_SINGLE_ECDH_USE); EC_KEY_free(ecdh); #endif #endif }
void listen_sslctx_setup_2(void* ctxt) { #ifdef HAVE_SSL SSL_CTX* ctx = (SSL_CTX*)ctxt; (void)ctx; #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO if(!SSL_CTX_set_ecdh_auto(ctx,1)) { log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); } #elif defined(USE_ECDSA) if(1) { EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); if (!ecdh) { log_crypto_err("could not find p256, not enabling ECDHE"); } else { if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) { log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE"); } EC_KEY_free (ecdh); } } #endif #else (void)ctxt; #endif /* HAVE_SSL */ }
static int set_curve(lua_State *L) { long ret; SSL_CTX *ctx = lsec_checkcontext(L, 1); const char *str = luaL_checkstring(L, 2); EC_KEY *key = find_ec_key(str); if (!key) { lua_pushboolean(L, 0); lua_pushfstring(L, "elliptic curve %s not supported", str); return 2; } ret = SSL_CTX_set_tmp_ecdh(ctx, key); /* SSL_CTX_set_tmp_ecdh takes its own reference */ EC_KEY_free(key); if (!ret) { lua_pushboolean(L, 0); lua_pushfstring(L, "error setting elliptic curve (%s)", ERR_reason_error_string(ERR_get_error())); return 2; } lua_pushboolean(L, 1); return 1; }
/* ECDH temporary parameters */ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) { int rv = 1; EC_KEY *ecdh; int nid; /* Ignore values supported by 1.0.2 for the automatic selection */ if ((cctx->flags & SSL_CONF_FLAG_FILE) && strcasecmp(value, "+automatic") == 0) return 1; if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && strcmp(value, "auto") == 0) return 1; nid = EC_curve_nist2nid(value); if (nid == NID_undef) nid = OBJ_sn2nid(value); if (nid == 0) return 0; ecdh = EC_KEY_new_by_curve_name(nid); if (!ecdh) return 0; if (cctx->ctx) rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh); else if (cctx->ssl) rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh); EC_KEY_free(ecdh); return rv > 0; }
static int lws_context_ssl_init_ecdh_curve(struct lws_context_creation_info *info, struct lws_vhost *vhost) { #ifdef LWS_HAVE_OPENSSL_ECDH_H EC_KEY *ecdh; int ecdh_nid; const char *ecdh_curve = "prime256v1"; if (info->ecdh_curve) ecdh_curve = info->ecdh_curve; ecdh_nid = OBJ_sn2nid(ecdh_curve); if (NID_undef == ecdh_nid) { lwsl_err("SSL: Unknown curve name '%s'", ecdh_curve); return 1; } ecdh = EC_KEY_new_by_curve_name(ecdh_nid); if (NULL == ecdh) { lwsl_err("SSL: Unable to create curve '%s'", ecdh_curve); return 1; } SSL_CTX_set_tmp_ecdh(vhost->ssl_ctx, ecdh); EC_KEY_free(ecdh); SSL_CTX_set_options(vhost->ssl_ctx, SSL_OP_SINGLE_ECDH_USE); lwsl_notice(" SSL ECDH curve '%s'\n", ecdh_curve); #else lwsl_notice(" OpenSSL doesn't support ECDH\n"); #endif return 0; }
VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) { VALUE obj; SSL_CTX* ctx; SSL* ssl; ms_conn* conn = engine_alloc(self, &obj); ID sym_key = rb_intern("key"); VALUE key = rb_funcall(mini_ssl_ctx, sym_key, 0); ID sym_cert = rb_intern("cert"); VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0); ID sym_ca = rb_intern("ca"); VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0); ID sym_verify_mode = rb_intern("verify_mode"); VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0); ctx = SSL_CTX_new(SSLv23_server_method()); conn->ctx = ctx; SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(cert)); SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM); if (!NIL_P(ca)) { SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL); } SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH"); DH *dh = get_dh1024(); SSL_CTX_set_tmp_dh(ctx, dh); #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_secp521r1); if (ecdh) { SSL_CTX_set_tmp_ecdh(ctx, ecdh); EC_KEY_free(ecdh); } #endif ssl = SSL_new(ctx); conn->ssl = ssl; SSL_set_app_data(ssl, NULL); if (NIL_P(verify_mode)) { /* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */ } else { SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback); } SSL_set_bio(ssl, conn->read, conn->write); SSL_set_accept_state(ssl); return obj; }
/* * Set ECDH parameters for generating ephemeral Elliptic Curve DH * keys. This is much simpler than the DH parameters, as we just * need to provide the name of the curve to OpenSSL. */ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart) { #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh; int nid; nid = OBJ_sn2nid(SSLECDHCurve); if (!nid) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("ECDH: unrecognized curve name: %s", SSLECDHCurve))); return false; } ecdh = EC_KEY_new_by_curve_name(nid); if (!ecdh) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("ECDH: could not create key"))); return false; } SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_tmp_ecdh(context, ecdh); EC_KEY_free(ecdh); #endif return true; }
static int swSSL_set_ecdh_curve(SSL_CTX* ssl_context) { #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh; /* * Elliptic-Curve Diffie-Hellman parameters are either "named curves" * from RFC 4492 section 5.1.1, or explicitly described curves over * binary fields. OpenSSL only supports the "named curves", which provide * maximum interoperability. */ int nid = OBJ_sn2nid(SW_SSL_ECDH_CURVE); if (nid == 0) { swWarn("Unknown curve name \"%s\"", SW_SSL_ECDH_CURVE); return SW_ERR; } ecdh = EC_KEY_new_by_curve_name(nid); if (ecdh == NULL) { swWarn("Unable to create curve \"%s\"", SW_SSL_ECDH_CURVE); return SW_ERR; } SSL_CTX_set_options(ssl_context, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_tmp_ecdh(ssl_context, ecdh); EC_KEY_free(ecdh); #endif #endif return SW_OK; }
int ribs_ssl_set_options(SSL_CTX *ssl_ctx, char *cipher_list) { /* bugs */ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); /* almost all bugs */ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); /* disable SSLv2 per RFC 6176 */ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); /* disable SSLv3. goodbye IE6 */ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION); SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); /* ciphers */ if (!cipher_list) cipher_list = _HTTP_SERVER_SSL_CIPHERS; SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); if (0 == SSL_CTX_set_cipher_list(ssl_ctx, cipher_list)) return LOGGER_ERROR("failed to initialize SSL:cipher_list"), -1; /* DH 2048 bits */ SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE); DH *dh = DH_new(); dh->p = get_rfc3526_prime_2048(NULL); BN_dec2bn(&dh->g, "2"); if (0 == SSL_CTX_set_tmp_dh(ssl_ctx, dh)) return LOGGER_ERROR("failed to initialize SSL:dh"), -1; DH_free(dh); /* Ecliptic Curve DH */ SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_ECDH_USE); EC_KEY *ecdh = EC_KEY_new_by_curve_name(OBJ_sn2nid("prime256v1")); if (ecdh == NULL) return LOGGER_ERROR("failed to initialize SSL:edch"), -1; SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh); EC_KEY_free(ecdh); return 0; }
/** setup SSL context */ static SSL_CTX* setup_ctx(char* key, char* cert) { SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); if(!ctx) print_exit("out of memory"); (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) print_exit("cannot read cert"); if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) print_exit("cannot read key"); if(!SSL_CTX_check_private_key(ctx)) print_exit("private key is not correct"); #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO if (!SSL_CTX_set_ecdh_auto(ctx,1)) if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n"); #elif defined(USE_ECDSA) if(1) { EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); if (!ecdh) { if(verb>=1) printf("could not find p256, not enabling ECDHE\n"); } else { if (1 != SSL_CTX_set_tmp_ecdh (ctx, ecdh)) { if(verb>=1) printf("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE\n"); } EC_KEY_free(ecdh); } } #endif if(!SSL_CTX_load_verify_locations(ctx, cert, NULL)) print_exit("cannot load cert verify locations"); return ctx; }
void SSLContext::setServerECCurve(const std::string& curveName) { bool validCall = false; #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef OPENSSL_NO_ECDH validCall = true; #endif #endif if (!validCall) { throw std::runtime_error("Elliptic curve encryption not allowed"); } EC_KEY* ecdh = nullptr; int nid; /* * Elliptic-Curve Diffie-Hellman parameters are either "named curves" * from RFC 4492 section 5.1.1, or explicitly described curves over * binary fields. OpenSSL only supports the "named curves", which provide * maximum interoperability. */ nid = OBJ_sn2nid(curveName.c_str()); if (nid == 0) { LOG(FATAL) << "Unknown curve name:" << curveName.c_str(); return; } ecdh = EC_KEY_new_by_curve_name(nid); if (ecdh == nullptr) { LOG(FATAL) << "Unable to create curve:" << curveName.c_str(); return; } SSL_CTX_set_tmp_ecdh(ctx_, ecdh); EC_KEY_free(ecdh); }
static int tls_init_ecdh_curve(void) { #ifdef SSL_CTRL_SET_ECDH_AUTO SSL_CTX_ctrl(tls_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL); return 0; #else # ifndef SSL_OP_SINGLE_ECDH_USE errno = ENOTSUP; return -1; # else const char *curve_name; EC_KEY *curve; int nid; curve_name = TLS_DEFAULT_ECDH_CURVE; if ((nid = OBJ_sn2nid(curve_name)) == NID_undef) { logfile(LOG_INFO, "Curve [%s] not supported", curve_name); errno = ENOTSUP; return -1; } if ((curve = EC_KEY_new_by_curve_name(nid)) == NULL) { logfile(LOG_INFO, "Curve [%s] is not usable", curve_name); errno = ENOTSUP; return -1; } SSL_CTX_set_options(tls_ctx, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_tmp_ecdh(tls_ctx, curve); EC_KEY_free(curve); return 0; # endif #endif }
CAMLprim value ocaml_ssl_ctx_init_ec_from_named_curve(value context, value curve_name) { CAMLparam2(context, curve_name); EC_KEY *ecdh = NULL; int nid = 0; SSL_CTX *ctx = Ctx_val(context); char *ec_curve_name = String_val(curve_name); if(*ec_curve_name == 0) caml_raise_constant(*caml_named_value("ssl_exn_ec_curve_error")); nid = OBJ_sn2nid(ec_curve_name); if(nid == 0){ caml_raise_constant(*caml_named_value("ssl_exn_ec_curve_error")); } caml_enter_blocking_section(); ecdh = EC_KEY_new_by_curve_name(nid); if(ecdh != NULL){ if(SSL_CTX_set_tmp_ecdh(ctx,ecdh) != 1){ caml_leave_blocking_section(); caml_raise_constant(*caml_named_value("ssl_exn_ec_curve_error")); } SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); caml_leave_blocking_section(); EC_KEY_free(ecdh); } else{ caml_leave_blocking_section(); caml_raise_constant(*caml_named_value("ssl_exn_ec_curve_error")); } CAMLreturn(Val_unit); }
void ssl_set_ecdh_curve(SSL_CTX *ctx, const char *curve) { #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef OPENSSL_NO_ECDH int nid; EC_KEY *ecdh; if (curve == NULL) curve = SSL_ECDH_CURVE; if ((nid = OBJ_sn2nid(curve)) == 0) { ssl_error("ssl_set_ecdh_curve"); fatal("ssl_set_ecdh_curve: unknown curve name %s", curve); } if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) { ssl_error("ssl_set_ecdh_curve"); fatal("ssl_set_ecdh_curve: unable to create curve %s", curve); } SSL_CTX_set_tmp_ecdh(ctx, ecdh); SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); EC_KEY_free(ecdh); #endif #endif }
int init_ssl(void *ssl_context, void *user_data) { /* Add application specific SSL initialization */ struct ssl_ctx_st *ctx = (struct ssl_ctx_st *)ssl_context; #ifdef USE_SSL_DH /* example from https://github.com/civetweb/civetweb/issues/347 */ DH *dh = get_dh2236(); if (!dh) return -1; if (1 != SSL_CTX_set_tmp_dh(ctx, dh)) return -1; DH_free(dh); EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (!ecdh) return -1; if (1 != SSL_CTX_set_tmp_ecdh(ctx, ecdh)) return -1; EC_KEY_free(ecdh); printf("ECDH ciphers initialized\n"); #endif return 0; }
/* ECDH temporary parameters */ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) { int onoff = -1, rv = 1; if (!(cctx->flags & SSL_CONF_FLAG_SERVER)) return -2; if (cctx->flags & SSL_CONF_FLAG_FILE) { if (*value == '+') { onoff = 1; value++; } if (*value == '-') { onoff = 0; value++; } if (!strcasecmp(value, "automatic")) { if (onoff == -1) onoff = 1; } else if (onoff != -1) return 0; } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { if (!strcmp(value, "auto")) onoff = 1; } if (onoff != -1) { if (cctx->ctx) rv = SSL_CTX_set_ecdh_auto(cctx->ctx, onoff); else if (cctx->ssl) rv = SSL_set_ecdh_auto(cctx->ssl, onoff); } else { EC_KEY *ecdh; int nid; nid = EC_curve_nist2nid(value); if (nid == NID_undef) nid = OBJ_sn2nid(value); if (nid == 0) return 0; ecdh = EC_KEY_new_by_curve_name(nid); if (!ecdh) return 0; if (cctx->ctx) rv = SSL_CTX_set_tmp_ecdh(cctx->ctx, ecdh); else if (cctx->ssl) rv = SSL_set_tmp_ecdh(cctx->ssl, ecdh); EC_KEY_free(ecdh); } return rv > 0; }
bool OpenSSLServer::privateInit() { SSL_CTX_set_tmp_rsa_callback( m_ctx, tmp_rsa_callback ); SSL_CTX_set_tmp_dh_callback( m_ctx, tmp_dh_callback ); SSL_CTX_set_tmp_ecdh( m_ctx, EC_KEY_new_by_curve_name( NID_sect163r2 ) ); SSL_CTX_set_options( m_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE ); return true; }
SSL_CTX* SSLListener::initSSLContext() { SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); SSL_CTX_set_tmp_ecdh(ctx,ecdh); EC_KEY_free(ecdh); SSL_CTX_set_default_verify_paths(ctx); return ctx; };
/* init_ssl() * * inputs - nothing * output - nothing * side effects - setups SSL context. */ static void ssl_init(void) { #ifdef HAVE_LIBCRYPTO SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); if (!(ConfigServerInfo.server_ctx = SSL_CTX_new(SSLv23_server_method()))) { const char *s = ERR_lib_error_string(ERR_get_error()); fprintf(stderr, "ERROR: Could not initialize the SSL Server context -- %s\n", s); ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the SSL Server context -- %s", s); exit(EXIT_FAILURE); return; /* Not reached */ } SSL_CTX_set_options(ConfigServerInfo.server_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET); SSL_CTX_set_options(ConfigServerInfo.server_ctx, SSL_OP_SINGLE_DH_USE|SSL_OP_CIPHER_SERVER_PREFERENCE); SSL_CTX_set_verify(ConfigServerInfo.server_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, always_accept_verify_cb); SSL_CTX_set_session_cache_mode(ConfigServerInfo.server_ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_cipher_list(ConfigServerInfo.server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL"); #if OPENSSL_VERSION_NUMBER >= 0x009080FFL && !defined(OPENSSL_NO_ECDH) { EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (key) { SSL_CTX_set_tmp_ecdh(ConfigServerInfo.server_ctx, key); EC_KEY_free(key); } } SSL_CTX_set_options(ConfigServerInfo.server_ctx, SSL_OP_SINGLE_ECDH_USE); #endif if (!(ConfigServerInfo.client_ctx = SSL_CTX_new(SSLv23_client_method()))) { const char *s = ERR_lib_error_string(ERR_get_error()); fprintf(stderr, "ERROR: Could not initialize the SSL Client context -- %s\n", s); ilog(LOG_TYPE_IRCD, "ERROR: Could not initialize the SSL Client context -- %s", s); exit(EXIT_FAILURE); return; /* Not reached */ } SSL_CTX_set_options(ConfigServerInfo.client_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET); SSL_CTX_set_options(ConfigServerInfo.client_ctx, SSL_OP_SINGLE_DH_USE); SSL_CTX_set_verify(ConfigServerInfo.client_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, always_accept_verify_cb); SSL_CTX_set_session_cache_mode(ConfigServerInfo.client_ctx, SSL_SESS_CACHE_OFF); #endif /* HAVE_LIBCRYPTO */ }
static void setup_ecc_key(SSL_CTX *ssl_ctx) { int nid = NID_X9_62_prime256v1; EC_KEY *key = EC_KEY_new_by_curve_name(nid); if (key == NULL) { fprintf(stderr, "Failed to create curve \"%s\"\n", OBJ_nid2sn(nid)); return; } SSL_CTX_set_tmp_ecdh(ssl_ctx, key); EC_KEY_free(key); }
void OpenSSLSetupECDH(SSL_CTX *ctx) { EC_KEY* ecdh; ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); //ecdh = EC_KEY_new_by_curve_name( NID_secp384r1); { SSL_CTX_set_tmp_ecdh(ctx, ecdh); EC_KEY_free(ecdh); } }
static pthread_t start_server(const char *ciphersuite, const char *certificate) { SSL_CTX *ctx; start("Initializing server"); if ((ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) fail("Unable to initialize SSL context:\n%s", ERR_error_string(ERR_get_error(), NULL)); /* Cipher suite */ if (SSL_CTX_set_cipher_list(ctx, ciphersuite) != 1) fail("Unable to set cipher list to %s:\n%s", ciphersuite, ERR_error_string(ERR_get_error(), NULL)); /* Certificate */ if (SSL_CTX_use_certificate_chain_file(ctx, certificate) <= 0) fail("Unable to use given certificate:\n%s", ERR_error_string(ERR_get_error(), NULL)); if (SSL_CTX_use_PrivateKey_file(ctx, certificate, SSL_FILETYPE_PEM) <= 0) fail("Unable to use given key file:\n%s", ERR_error_string(ERR_get_error(), NULL)); /* DH */ DH *dh; BIO *bio; bio = BIO_new_file(certificate, "r"); if (!bio) fail("Unable to read certificate:\n%s", ERR_error_string(ERR_get_error(), NULL)); dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); if (dh) { SSL_CTX_set_tmp_dh(ctx, dh); DH_free(dh); } /* ECDH */ EC_KEY *ecdh = NULL; ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); SSL_CTX_set_tmp_ecdh(ctx,ecdh); EC_KEY_free(ecdh); pthread_t threadid; if (pthread_create(&threadid, NULL, &server_thread, ctx)) fail("Unable to create server thread"); return threadid; }
int tls_configure_server(struct tls *ctx) { EC_KEY *ecdh_key; unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH]; if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { tls_set_error(ctx, "ssl context failure"); goto err; } if (tls_configure_ssl(ctx) != 0) goto err; if (tls_configure_keypair(ctx) != 0) goto err; if (ctx->config->dheparams == -1) SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1); else if (ctx->config->dheparams == 1024) SSL_CTX_set_dh_auto(ctx->ssl_ctx, 2); if (ctx->config->ecdhecurve == -1) { SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1); } else if (ctx->config->ecdhecurve != NID_undef) { if ((ecdh_key = EC_KEY_new_by_curve_name( ctx->config->ecdhecurve)) == NULL) { tls_set_error(ctx, "failed to set ECDHE curve"); goto err; } SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key); EC_KEY_free(ecdh_key); } /* * Set session ID context to a random value. We don't support * persistent caching of sessions so it is OK to set a temporary * session ID context that is valid during run time. */ arc4random_buf(sid, sizeof(sid)); if (!SSL_CTX_set_session_id_context(ctx->ssl_ctx, sid, sizeof(sid))) { tls_set_error(ctx, "failed to set session id context"); goto err; } return (0); err: return (-1); }
static void setup_ecdh(SSL_CTX *ctx) { EC_KEY *ecdh; if (SSLeay() < 0x1000005fL) { return; } ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_tmp_ecdh(ctx, ecdh); EC_KEY_free(ecdh); }
static void bb_assign_ssl(struct bb_acceptor *acceptor, struct bb_virtualhost *vhost) { if (!acceptor->ctx) return; char *certificate = blastbeat.ssl_certificate; if (vhost->ssl_certificate) certificate = vhost->ssl_certificate; char *key = blastbeat.ssl_key; if (vhost->ssl_key) key = vhost->ssl_key; if (!certificate) { fprintf(stderr,"you have not specified a valid SSL certificate\n"); exit(1); } if (!key) { fprintf(stderr,"you have not specified a valid SSL key\n"); exit(1); } if (SSL_CTX_use_certificate_file(acceptor->ctx, certificate, SSL_FILETYPE_PEM) <= 0) { fprintf(stderr, "unable to assign ssl certificate %s\n", certificate); exit(1); } BIO *bio = BIO_new_file(certificate, "r"); if (bio) { DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); if (dh) { SSL_CTX_set_tmp_dh(acceptor->ctx, dh); DH_free(dh); #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef OPENSSL_NO_ECDH #ifdef NID_X9_62_prime256v1 EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); SSL_CTX_set_tmp_ecdh(acceptor->ctx, ecdh); EC_KEY_free(ecdh); #endif #endif #endif } } if (SSL_CTX_use_PrivateKey_file(acceptor->ctx, key, SSL_FILETYPE_PEM) <= 0) { fprintf(stderr, "unable to assign key file %s\n", key); exit(1); } }
int rb_init_ssl(void) { int ret = 1; char libratbox_data[] = "libratbox data"; SSL_load_error_strings(); SSL_library_init(); libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL); ssl_server_ctx = SSL_CTX_new(SSLv23_server_method()); if(ssl_server_ctx == NULL) { rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s", get_ssl_error(ERR_get_error())); ret = 0; } /* Disable SSLv2, make the client use our settings */ SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE #ifdef SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_DH_USE #endif ); SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb); SSL_CTX_set_session_id_context(ssl_server_ctx, (const unsigned char *)"libratbox", 9); SSL_CTX_set_cipher_list(ssl_server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL"); /* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks and bastardise their OpenSSL for stupid reasons... */ #if (OPENSSL_VERSION_NUMBER >= 0x10000000) && defined(NID_secp384r1) EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1); if (key) { SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key); EC_KEY_free(key); } #ifdef SSL_OP_SINGLE_ECDH_USE SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE); #endif #endif ssl_client_ctx = SSL_CTX_new(TLSv1_client_method()); if(ssl_client_ctx == NULL) { rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s", get_ssl_error(ERR_get_error())); ret = 0; } return ret; }
/* Openssl supports setting ecdh curves by default from version 1.1.0. For lower versions, this is the recommended approach. Returns 1 on success, 0 on failure. */ static long TrySetECDHNamedCurve(SSL_CTX* ctx) { long result = 0; #ifdef SSL_CTX_set_ecdh_auto result = SSL_CTX_set_ecdh_auto(ctx, 1); #else EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (ecdh != nullptr) { result = SSL_CTX_set_tmp_ecdh(ctx, ecdh); EC_KEY_free(ecdh); } #endif return result; }
int SslContext::initECDH() { #if OPENSSL_VERSION_NUMBER >= 0x10001000L #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh; ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (ecdh == NULL) return LS_FAIL; SSL_CTX_set_tmp_ecdh(m_pCtx, ecdh); EC_KEY_free(ecdh); SSL_CTX_set_options(m_pCtx, SSL_OP_SINGLE_ECDH_USE); #endif #endif return 0; }
NOEXPORT int init_ecdh(SERVICE_OPTIONS *section) { EC_KEY *ecdh; s_log(LOG_DEBUG, "ECDH initialization"); ecdh=EC_KEY_new_by_curve_name(section->curve); if(!ecdh) { sslerror("EC_KEY_new_by_curve_name"); s_log(LOG_ERR, "Cannot create curve %s", OBJ_nid2ln(section->curve)); return 1; /* FAILED */ } SSL_CTX_set_tmp_ecdh(section->ctx, ecdh); EC_KEY_free(ecdh); s_log(LOG_DEBUG, "ECDH initialized with curve %s", OBJ_nid2ln(section->curve)); return 0; /* OK */ }
static int lws_context_ssl_init_ecdh(struct lws_vhost *vhost) { #ifdef LWS_SSL_SERVER_WITH_ECDH_CERT EC_KEY *EC_key = NULL; EVP_PKEY *pkey; int KeyType; X509 *x; if (!lws_check_opt(vhost->context->options, LWS_SERVER_OPTION_SSL_ECDH)) return 0; lwsl_notice(" Using ECDH certificate support\n"); /* Get X509 certificate from ssl context */ x = sk_X509_value(vhost->ssl_ctx->extra_certs, 0); if (!x) { lwsl_err("%s: x is NULL\n", __func__); return 1; } /* Get the public key from certificate */ pkey = X509_get_pubkey(x); if (!pkey) { lwsl_err("%s: pkey is NULL\n", __func__); return 1; } /* Get the key type */ KeyType = EVP_PKEY_type(pkey->type); if (EVP_PKEY_EC != KeyType) { lwsl_notice("Key type is not EC\n"); return 0; } /* Get the key */ EC_key = EVP_PKEY_get1_EC_KEY(pkey); /* Set ECDH parameter */ if (!EC_key) { lwsl_err("%s: ECDH key is NULL \n", __func__); return 1; } SSL_CTX_set_tmp_ecdh(vhost->ssl_ctx, EC_key); EC_KEY_free(EC_key); #endif return 0; }