[tor-commits] [tor/master] Configure SSL context to know about using P-256 for ECDHE.

nickm at torproject.org nickm at torproject.org
Wed Dec 26 03:13:09 UTC 2012


commit bbaf4d964377f2f43625b56517ae21a80c220e7f
Author: Nick Mathewson <nickm at torproject.org>
Date:   Mon Nov 26 23:19:02 2012 -0500

    Configure SSL context to know about using P-256 for ECDHE.
---
 src/common/tortls.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/src/common/tortls.c b/src/common/tortls.c
index af3059a..02d0951 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1224,6 +1224,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
   }
 
   SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+  SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_ECDH_USE);
 
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
   SSL_CTX_set_options(result->ctx,
@@ -1274,6 +1275,17 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
     SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
     crypto_dh_free(dh);
   }
+#if (!defined(OPENSSL_NO_EC) &&                         \
+     OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,0))
+  if (! is_client) {
+    EC_KEY *ec_key;
+    /* Use P-256 for ECDHE. */
+    ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+    if (ec_key != NULL) /*XXXX Handle errors? */
+      SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
+    EC_KEY_free(ec_key);
+  }
+#endif
   SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
                      always_accept_verify_cb);
   /* let us realloc bufs that we're writing from */
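Review bot: The `/*XXXX Handle errors? */` left on the `ec_key != NULL` test is the real gap in this hunk: when EC_KEY_new_by_curve_name() returns NULL, or when SSL_CTX_set_tmp_ecdh() returns 0, the context is silently built without an ephemeral ECDH key, so the forward-secrecy improvement this commit is meant to add is lost with no log line to show it. Since the DH branch just above this hunk already treats a missing ephemeral key as a configured case, the ECDH branch should at least warn on both failure paths, e.g. `if (ec_key == NULL || !SSL_CTX_set_tmp_ecdh(result->ctx, ec_key))` followed by `log_warn(LD_CRYPTO, "Unable to set up P-256 for ECDHE; continuing without it");`. EC_KEY_free(NULL) is a documented no-op, so the unconditional free on the next line is fine as written. tor_tls_context_new() starts before and continues after this hunk, so whether a failure here should propagate up to the caller's error path cannot be judged from the visible lines.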




