Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
Robert Dubner
OpenLDAP
Commits
aacec4c8
Commit
aacec4c8
authored
Aug 20, 2020
by
Howard Chu
Committed by
Quanah Gibson-Mount
Aug 21, 2020
Browse files
ITS#9054 Add support for multiple EECDH curves
Requires OpenSSL 1.0.2 or newer
parent
2d8d526a
Changes
7
Hide whitespace changes
Inline
Side-by-side
doc/man/man3/ldap_get_option.3
View file @
aacec4c8
...
...
@@ -711,7 +711,7 @@ and its contents need to be freed by the caller using
Ignored by GnuTLS and Mozilla NSS.
.TP
.B LDAP_OPT_X_TLS_ECNAME
Gets/sets the name of the curve used for
Gets/sets the name of the curve
(s)
used for
elliptic curve key exchanges.
.BR invalue
must be
...
...
doc/man/man5/ldap.conf.5
View file @
aacec4c8
...
...
@@ -345,6 +345,12 @@ Use certutil \-L to list the certificates by name:
certutil \-d /path/to/certdbdir \-L
.fi
.TP
.B TLS_ECNAME <name>
Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This option is only used for OpenSSL.
This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification.
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
stored in the
...
...
doc/man/man5/slapd-config.5
View file @
aacec4c8
...
...
@@ -923,9 +923,9 @@ When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B olcTLSECName: <name>
Specify the name of
a
curve to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This
is required to enable ECDHE algorithms in
OpenSSL.
This option is not used with GnuTLS; the curves may be
Specify the name of
the
curve
(s)
to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This
option is only used for OpenSSL.
This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification. This option is also
ignored for Mozilla NSS.
.TP
...
...
doc/man/man5/slapd.conf.5
View file @
aacec4c8
...
...
@@ -1154,9 +1154,9 @@ When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
.B TLSECName <name>
Specify the name of
a
curve to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This
is required to enable ECDHE algorithms in
OpenSSL.
This option is not used with GnuTLS; the curves may be
Specify the name of
the
curve
(s)
to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This
option is only used for OpenSSL.
This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification. This option is also
ignored for Mozilla NSS.
.TP
...
...
libraries/libldap/init.c
View file @
aacec4c8
...
...
@@ -130,6 +130,7 @@ static const struct ol_attribute {
{
0
,
ATTR_TLS
,
"TLS_RANDFILE"
,
NULL
,
LDAP_OPT_X_TLS_RANDOM_FILE
},
{
0
,
ATTR_TLS
,
"TLS_CIPHER_SUITE"
,
NULL
,
LDAP_OPT_X_TLS_CIPHER_SUITE
},
{
0
,
ATTR_TLS
,
"TLS_PROTOCOL_MIN"
,
NULL
,
LDAP_OPT_X_TLS_PROTOCOL_MIN
},
{
0
,
ATTR_TLS
,
"TLS_ECNAME"
,
NULL
,
LDAP_OPT_X_TLS_ECNAME
},
#ifdef HAVE_OPENSSL_CRL
{
0
,
ATTR_TLS
,
"TLS_CRLCHECK"
,
NULL
,
LDAP_OPT_X_TLS_CRLCHECK
},
...
...
libraries/libldap/tls2.c
View file @
aacec4c8
...
...
@@ -532,6 +532,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
case
LDAP_OPT_X_TLS_RANDOM_FILE
:
case
LDAP_OPT_X_TLS_CIPHER_SUITE
:
case
LDAP_OPT_X_TLS_DHFILE
:
case
LDAP_OPT_X_TLS_ECNAME
:
case
LDAP_OPT_X_TLS_CRLFILE
:
/* GnuTLS only */
return
ldap_pvt_tls_set_option
(
ld
,
option
,
(
void
*
)
arg
);
...
...
libraries/libldap/tls_o.c
View file @
aacec4c8
...
...
@@ -407,34 +407,30 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
DH_free
(
dh
);
}
if
(
is_server
&&
lo
->
ldo_tls_ecname
)
{
if
(
lo
->
ldo_tls_ecname
)
{
#ifdef OPENSSL_NO_EC
Debug
(
LDAP_DEBUG_ANY
,
"TLS: Elliptic Curves not supported.
\n
"
,
0
,
0
,
0
);
return
-
1
;
#else
EC_KEY
*
ecdh
;
int
nid
=
OBJ_sn2nid
(
lt
->
lt_ecname
);
if
(
nid
==
NID_undef
)
{
if
(
SSL_CTX_set1_curves_list
(
ctx
,
lt
->
lt_ecname
))
{
Debug
(
LDAP_DEBUG_ANY
,
"TLS: could not
u
se EC name `%s'.
\n
"
,
"TLS: could not se
t
EC name `%s'.
\n
"
,
lo
->
ldo_tls_ecname
,
0
,
0
);
tlso_report_error
();
return
-
1
;
}
ecdh
=
EC_KEY_new_by_curve_name
(
nid
);
if
(
ecdh
==
NULL
)
{
/*
* This is a NOP in OpenSSL 1.1.0 and later, where curves are always
* auto-negotiated.
*/
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
if
(
SSL_CTX_set_ecdh_auto
(
ctx
,
1
)
<=
0
)
{
Debug
(
LDAP_DEBUG_ANY
,
"TLS: could not generate key for EC name `%s'.
\n
"
,
lo
->
ldo_tls_ecname
,
0
,
0
);
tlso_report_error
();
return
-
1
;
"TLS: could not enable automatic EC negotiation.
\n
"
,
0
,
0
,
0
);
}
SSL_CTX_set_tmp_ecdh
(
ctx
,
ecdh
);
SSL_CTX_set_options
(
ctx
,
SSL_OP_SINGLE_ECDH_USE
);
EC_KEY_free
(
ecdh
);
#endif
#endif
/* OPENSSL_NO_EC */
}
if
(
tlso_opt_trace
)
{
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment