small patch to enable openssl's elliptic curve Diffie-Hellman
Chris Panayis
chris at movency.com
Sun Jan 20 07:48:07 EST 2013
Hi - This patch enables ECDH in openssl v1.0.1c. It selects a default
curve of: secp224r1 which can be changed in imapd.conf with a new option
"tls_ec", e.g. tls_ec: secp521r1. Could someone who knows the Cyrus IMAPd
source code please check it and commit if all is OK?
Thanks
Chris
diff -rupN cyrus-imapd-2.4.17/imap/tls.c cyrus-imapd-2.4.17.f/imap/tls.c
--- cyrus-imapd-2.4.17/imap/tls.c 2012-12-01 19:57:54.000000000 +0000
+++ cyrus-imapd-2.4.17.f/imap/tls.c 2013-01-20 11:34:33.000000000 +0000
@@ -630,6 +630,7 @@ int tls_init_serverengine(const char
const char *CAfile;
const char *s_cert_file;
const char *s_key_file;
+ const char *ec;
int requirecert;
int timeout;
@@ -666,7 +667,13 @@ int tls_init_serverengine(const char
off |= SSL_OP_NO_SSLv2;
off |= SSL_OP_NO_SSLv3;
}
+
SSL_CTX_set_options(s_ctx, off);
+
+#ifdef SSL_OP_NO_COMPRESSION
+ SSL_CTX_set_options(s_ctx, SSL_OP_NO_COMPRESSION);
+#endif
+
SSL_CTX_set_info_callback(s_ctx, (void (*)()) apps_ssl_info_callback);
/* Don't use an internal session cache */
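Review bot: The new `SSL_OP_NO_COMPRESSION` block carries no comment and is not mentioned in the patch description, so a later reader of tls_init_serverengine cannot tell whether disabling compression was deliberate or an accident of the ECDH work. A one-line comment above the `#ifdef`, `/* Disable TLS-level compression: it leaks plaintext length and is not needed */`, would record the intent. The enclosing function starts before this hunk and continues after it.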
@@ -744,7 +751,22 @@ int tls_init_serverengine(const char
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
/* Load DH params for DHE-* key exchanges */
SSL_CTX_set_tmp_dh(s_ctx, load_dh_param(s_key_file, s_cert_file));
- /* FIXME: Load ECDH params for ECDHE suites when 0.9.9 is released */
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x1000103fL)
+
+ /* Setup an ec - default to 224 bit EC */
+
+ ec = config_getstring(IMAPOPT_TLS_EC);
+ int openssl_nid = OBJ_sn2nid(ec);
+ if (openssl_nid != 0) {
+ EC_KEY *ecdh;
+ ecdh = EC_KEY_new_by_curve_name(openssl_nid);
+ if (ecdh != NULL) {
+ SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
+ EC_KEY_free(ecdh);
+ }
+ }
#endif
verify_depth = verifydepth;
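Review bot: When `tls_ec` names a curve OpenSSL does not know, `OBJ_sn2nid(ec)` returns 0 and the new block silently skips the ECDH setup, so a typo in imapd.conf turns off the ECDHE suites with nothing in the log; an else branch such as `syslog(LOG_ERR, "TLS server engine: unknown EC curve '%s'", ec);` (matching how the rest of this file reports engine failures, if it uses syslog) would make that visible, and the `EC_KEY_new_by_curve_name` NULL case and the unchecked `SSL_CTX_set_tmp_ecdh` return deserve the same. With a single EC_KEY installed via `SSL_CTX_set_tmp_ecdh` and no `SSL_OP_SINGLE_ECDH_USE` among the option bits set earlier in this function, OpenSSL 1.0.x reuses that ephemeral key across handshakes, which undercuts the forward secrecy the patch is meant to add; `off |= SSL_OP_SINGLE_ECDH_USE;` next to the existing `off |=` lines fixes it. The `const char *ec` declared in the first hunk is only referenced under the `0x1000103fL` guard, so builds against older OpenSSL get an unused-variable warning; declare it under the same guard. tls_init_serverengine begins and ends outside this hunk.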
diff -rupN cyrus-imapd-2.4.17/lib/imapoptions
cyrus-imapd-2.4.17.f/lib/imapoptions
--- cyrus-imapd-2.4.17/lib/imapoptions 2012-12-01 19:57:54.000000000
+0000
+++ cyrus-imapd-2.4.17.f/lib/imapoptions 2013-01-20
11:35:31.000000000 +0000
@@ -1350,6 +1350,10 @@ product version in the capabilities */
for later reuse. The maximum value is 1440 (24 hours), the
default. A value of 0 will disable session caching. */
+{ "tls_ec", "secp224r1", STRING }
+/* The default elliptical curve parameter.
+ For list of curves see: openssl ecparam -list_curves */
+
{ "umask", "077", STRING }
/* The umask value used by various Cyrus IMAP programs. */
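Review bot: The description added for `tls_ec` calls it "The default elliptical curve parameter", but the option is the curve itself rather than a default, the usual term is "elliptic", and since tls.c feeds the value to `OBJ_sn2nid` it must be an OpenSSL short name. Suggest `/* The elliptic curve used for ECDHE key exchange, given as an OpenSSL short name (e.g. secp224r1). For a list of curves see: openssl ecparam -list_curves */`.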
diff -rupN cyrus-imapd-2.4.17/lib/imapopts.c
cyrus-imapd-2.4.17.f/lib/imapopts.c
--- cyrus-imapd-2.4.17/lib/imapopts.c 2012-12-01 19:59:51.000000000 +0000
+++ cyrus-imapd-2.4.17.f/lib/imapopts.c 2013-01-20 11:37:32.000000000
+0000
@@ -869,6 +869,9 @@ struct imapopt_s imapopts[] =
{ IMAPOPT_TLS_SESSION_TIMEOUT, "tls_session_timeout", 0, OPT_INT,
{(void*)1440},
{ { NULL, IMAP_ENUM_ZERO } } },
+ { IMAPOPT_TLS_EC, "tls_ec", 0, OPT_STRING,
+ {(void*)("secp224r1")},
+ { { NULL, IMAP_ENUM_ZERO } } },
{ IMAPOPT_UMASK, "umask", 0, OPT_STRING,
{(void *)("077")},
{ { NULL, IMAP_ENUM_ZERO } } },
diff -rupN cyrus-imapd-2.4.17/lib/imapopts.h
cyrus-imapd-2.4.17.f/lib/imapopts.h
--- cyrus-imapd-2.4.17/lib/imapopts.h 2012-12-01 19:59:51.000000000 +0000
+++ cyrus-imapd-2.4.17.f/lib/imapopts.h 2013-01-20 11:38:58.000000000
+0000
@@ -253,6 +253,7 @@ enum imapopt {
IMAPOPT_TLS_KEY_FILE,
IMAPOPT_TLS_REQUIRE_CERT,
IMAPOPT_TLS_SESSION_TIMEOUT,
+ IMAPOPT_TLS_EC,
IMAPOPT_UMASK,
IMAPOPT_USERDENY_DB,
IMAPOPT_USERDENY_DB_PATH,