From 609e8131427686adca9b4ed2db44db4aaa920a01 Mon Sep 17 00:00:00 2001
From: Steffan Karger
Date: Thu, 24 Apr 2014 00:31:08 +0200
Subject: Add support for elliptic curve diffie-hellmann key exchange (ECDH)
This patch is based on Jan Just Keijser's patch from Feb 7, 2012. When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the heavy lifting. For OpenSSL builds, if a user specifies a curve using --ecdh-curve, it first tries to override automatic selection using that curve. For older OpenSSL, tries the following things (in order of preference):
* When supplied, use the ecdh curve specified by the user.
* Try to extract the curve from the private key, use the same curve.
* Fall back on secp384r1 curve. Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do *not* support TLSv1.1 or TLSv1.2, which means no that no EC-crypto can be used.
Signed-off-by: Steffan Karger
Acked-by: Arne Schwabe
Message-Id: <53597BEA.6080408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8625
Signed-off-by: Gert Doering
---
 src/openvpn/options.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 (limited to 'src/openvpn/options.c')
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 4af2974..40210e6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -854,6 +854,7 @@ init_options (struct options *o, const bool init_gc)
 o->renegotiate_seconds = 3600;
 o->handshake_window = 60;
 o->transition_window = 3600;
+ o->ecdh_curve = NULL;
 #ifdef ENABLE_X509ALTUSERNAME
 o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
 #endif
@@ -6516,6 +6517,16 @@ add_option (struct options *options,
 VERIFY_PERMISSION (OPT_P_GENERAL);
 options->show_tls_ciphers = true;
 }
+ else if (streq (p[0], "show-curves"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->show_curves = true;
+ }
+ else if (streq (p[0], "ecdh-curve") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_CRYPTO);
+ options->ecdh_curve= p[1];
+ }
 else if (streq (p[0], "tls-server"))
 {
 VERIFY_PERMISSION (OPT_P_GENERAL);
-- cgit
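Review bot: `options->ecdh_curve= p[1];` in the new ecdh-curve branch is missing the space before `=`, unlike every neighbouring assignment such as `options->show_curves = true;`; it should read `options->ecdh_curve = p[1];`. Nothing in this hunk checks that p[1] names a curve the configured crypto backend actually supports, so the parser accepts any string; if that lookup happens in the TLS initialization (not part of this diff), an unrecognised name should be a fatal configuration error rather than a quiet fallback to another curve, since a silent substitution would deliver weaker or different parameters than the operator asked for. add_option starts and ends outside this hunk.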