ECDHE key exchange with TLSv1

Adrian Kotelba adrian.kotelba at barbasyn.org
Thu Jan 6 00:29:37 MSK 2011


Hello,

Thanks Maxim for encouragment. Indeed, the patch was really terrible. I did
some code clean-up. Hope, it should be fine right now. The ECDH was
introduced in OpenSSL starting from version 0.9.8. There is a preprocessor
check now. Default EC curve is prime256v1.

Just to be sure, I paste the patch also here:

diff -rupN nginx-0.9.3/src/event/ngx_event_openssl.c
nginx-0.9.3p/src/event/ngx_event_openssl.c
--- nginx-0.9.3/src/event/ngx_event_openssl.c    2011-01-05
20:38:18.000000000 +0200
+++ nginx-0.9.3p/src/event/ngx_event_openssl.c    2011-01-05
20:33:55.000000000 +0200
@@ -478,6 +478,42 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_
     return NGX_OK;
 }

+ngx_int_t
+ngx_ssl_eccurve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+    EC_KEY *ecdh;
+    int  nid;
+
+    /*
+     * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
+     * from RFC 4492 section 5.1.1, or explicitely described curves over
+     * binary fields. OpenSSL only supports the "named curves", which
provide
+     * maximum interoperability.
+     */
+
+    nid = OBJ_sn2nid((const char *)name->data);
+    if (nid == 0) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "Unknown curve name (%s)", name->data);
+        return NGX_ERROR;
+    }
+
+    ecdh = EC_KEY_new_by_curve_name(nid);
+    if (ecdh == NULL) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "Unable to create curve (%s)", name->data);
+        return NGX_ERROR;
+    }
+
+    SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
+
+    EC_KEY_free(ecdh);
+#endif
+#endif
+    return NGX_OK;
+}

 ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t
flags)
diff -rupN nginx-0.9.3/src/event/ngx_event_openssl.h
nginx-0.9.3p/src/event/ngx_event_openssl.h
--- nginx-0.9.3/src/event/ngx_event_openssl.h    2011-01-05
20:38:16.000000000 +0200
+++ nginx-0.9.3p/src/event/ngx_event_openssl.h    2011-01-05
20:33:53.000000000 +0200
@@ -101,6 +101,7 @@ ngx_int_t ngx_ssl_client_certificate(ngx
 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
 ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
+ngx_int_t ngx_ssl_eccurve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
     ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t
timeout);
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
diff -rupN nginx-0.9.3/src/http/modules/ngx_http_ssl_module.c
nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.c
--- nginx-0.9.3/src/http/modules/ngx_http_ssl_module.c    2011-01-05
20:38:28.000000000 +0200
+++ nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.c    2011-01-05
21:15:29.000000000 +0200
@@ -14,7 +14,7 @@ typedef ngx_int_t (*ngx_ssl_variable_han


 #define NGX_DEFAULT_CIPHERS  "HIGH:!ADH:!MD5"
-
+#define NGX_DEFAULT_ECCURVE  "prime256v1"

 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
@@ -78,6 +78,13 @@ static ngx_command_t  ngx_http_ssl_comma
       offsetof(ngx_http_ssl_srv_conf_t, dhparam),
       NULL },

+    { ngx_string("ssl_eccurve"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, eccurve),
+      NULL },
+
     { ngx_string("ssl_protocols"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
       ngx_conf_set_bitmask_slot,
@@ -312,6 +319,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t
      *     sscf->certificate = { 0, NULL };
      *     sscf->certificate_key = { 0, NULL };
      *     sscf->dhparam = { 0, NULL };
+     *     sscf->eccurve = { 0, NULL };
      *     sscf->client_certificate = { 0, NULL };
      *     sscf->crl = { 0, NULL };
      *     sscf->ciphers = { 0, NULL };
@@ -360,6 +368,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
                          "");
     ngx_conf_merge_str_value(conf->crl, prev->crl, "");

+    ngx_conf_merge_str_value(conf->eccurve, prev->eccurve,
NGX_DEFAULT_ECCURVE);
+
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers,
NGX_DEFAULT_CIPHERS);


@@ -473,6 +483,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
         return NGX_CONF_ERROR;
     }

+    if (ngx_ssl_eccurve(cf, &conf->ssl, &conf->eccurve) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
     ngx_conf_merge_value(conf->builtin_session_cache,
                          prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

diff -rupN nginx-0.9.3/src/http/modules/ngx_http_ssl_module.h
nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.h
--- nginx-0.9.3/src/http/modules/ngx_http_ssl_module.h    2011-01-05
20:38:37.000000000 +0200
+++ nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.h    2011-01-05
20:34:16.000000000 +0200
@@ -32,6 +32,7 @@ typedef struct {
     ngx_str_t                       certificate;
     ngx_str_t                       certificate_key;
     ngx_str_t                       dhparam;
+    ngx_str_t                       eccurve;
     ngx_str_t                       client_certificate;
     ngx_str_t                       crl;

diff -rupN nginx-0.9.3/src/mail/ngx_mail_ssl_module.c
nginx-0.9.3p/src/mail/ngx_mail_ssl_module.c
--- nginx-0.9.3/src/mail/ngx_mail_ssl_module.c    2011-01-05
20:37:52.000000000 +0200
+++ nginx-0.9.3p/src/mail/ngx_mail_ssl_module.c    2011-01-05
20:33:43.000000000 +0200
@@ -10,7 +10,7 @@


 #define NGX_DEFAULT_CIPHERS  "HIGH:!ADH:!MD5"
-
+#define NGX_DEFAULT_ECCURVE  "prime256v1"

 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void
*child);
@@ -77,6 +77,13 @@ static ngx_command_t  ngx_mail_ssl_comma
       offsetof(ngx_mail_ssl_conf_t, dhparam),
       NULL },

+    { ngx_string("ssl_eccurve"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_ssl_conf_t, eccurve),
+      NULL },
+
     { ngx_string("ssl_protocols"),
       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
       ngx_conf_set_bitmask_slot,
@@ -163,6 +170,7 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
      *     scf->certificate = { 0, NULL };
      *     scf->certificate_key = { 0, NULL };
      *     scf->dhparam = { 0, NULL };
+     *     scf->eccurve = { 0, NULL };
      *     scf->ciphers = { 0, NULL };
      *     scf->shm_zone = NULL;
      */
@@ -204,6 +212,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,

     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

+    ngx_conf_merge_str_value(conf->eccurve, prev->eccurve,
NGX_DEFAULT_ECCURVE);
+
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers,
NGX_DEFAULT_CIPHERS);


diff -rupN nginx-0.9.3/src/mail/ngx_mail_ssl_module.h
nginx-0.9.3p/src/mail/ngx_mail_ssl_module.h
--- nginx-0.9.3/src/mail/ngx_mail_ssl_module.h    2011-01-05
20:37:52.000000000 +0200
+++ nginx-0.9.3p/src/mail/ngx_mail_ssl_module.h    2011-01-05
20:33:43.000000000 +0200
@@ -34,6 +34,7 @@ typedef struct {
     ngx_str_t        certificate;
     ngx_str_t        certificate_key;
     ngx_str_t        dhparam;
+    ngx_str_t        eccurve;

     ngx_str_t        ciphers;
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx-devel/attachments/20110105/e2c10816/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch.eccurve
Type: application/octet-stream
Size: 7089 bytes
Desc: not available
URL: <http://nginx.org/pipermail/nginx-devel/attachments/20110105/e2c10816/attachment-0001.obj>


More information about the nginx-devel mailing list