File cyrus-imapd-enable-ec.patch of Package cyrus-imapd.2645

Overview Repositories Revisions Requests Users Attributes Meta

File cyrus-imapd-enable-ec.patch of Package cyrus-imapd.2645

Index: cyrus-imapd-2.3.18/imap/tls.c
===================================================================
--- cyrus-imapd-2.3.18.orig/imap/tls.c
+++ cyrus-imapd-2.3.18/imap/tls.c
@@ -631,6 +631,7 @@ int     tls_init_serverengine(const char
     const char   *CAfile;
     const char   *s_cert_file;
     const char   *s_key_file;
+    const char   *ec;
     int    requirecert;
     int    timeout;
 
@@ -667,7 +668,13 @@ int     tls_init_serverengine(const char
 	off |= SSL_OP_NO_SSLv2;
 	off |= SSL_OP_NO_SSLv3;
     }
+
     SSL_CTX_set_options(s_ctx, off);
+
+#ifdef SSL_OP_NO_COMPRESSION
+    SSL_CTX_set_options(s_ctx, SSL_OP_NO_COMPRESSION);
+#endif
+
     SSL_CTX_set_info_callback(s_ctx, (void (*)()) apps_ssl_info_callback);
 
     /* Don't use an internal session cache */
@@ -746,8 +753,19 @@ int     tls_init_serverengine(const char
 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
     /* Load DH params for DHE-* key exchanges */
     SSL_CTX_set_tmp_dh(s_ctx, load_dh_param(s_key_file, s_cert_file));
-    /* FIXME: Load ECDH params for ECDHE suites when 0.9.9 is released */
 #endif
+    /* Setup an ec - default to 224 bit EC */
+
+    ec = config_getstring(IMAPOPT_TLS_EC);
+    int openssl_nid = OBJ_sn2nid(ec);
+    if (openssl_nid != 0) {
+        EC_KEY *ecdh;
+        ecdh = EC_KEY_new_by_curve_name(openssl_nid);
+        if (ecdh != NULL) {
+           SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
+           EC_KEY_free(ecdh);
+        }
+    }
 
     verify_depth = verifydepth;
     if (askcert!=0)
Index: cyrus-imapd-2.3.18/lib/imapoptions
===================================================================
--- cyrus-imapd-2.3.18.orig/lib/imapoptions
+++ cyrus-imapd-2.3.18/lib/imapoptions
@@ -1234,6 +1234,10 @@ product version in the capabilities */
    for later reuse.  The maximum value is 1440 (24 hours), the
    default.  A value of 0 will disable session caching. */
 
+{ "tls_ec", "secp224r1", STRING }
+/* The default elliptical curve parameter.
+   For list of curves see: openssl ecparam -list_curves */
+
 { "umask", "077", STRING }
 /* The umask value used by various Cyrus IMAP programs. */
 
Index: cyrus-imapd-2.3.18/lib/imapopts.c
===================================================================
--- cyrus-imapd-2.3.18.orig/lib/imapopts.c
+++ cyrus-imapd-2.3.18/lib/imapopts.c
@@ -760,6 +760,9 @@ struct imapopt_s imapopts[] =
   { IMAPOPT_TLS_SESSION_TIMEOUT, "tls_session_timeout", 0, OPT_INT,
     {(void*)1440},
     { { NULL, IMAP_ENUM_ZERO } } },
+  { IMAPOPT_TLS_EC, "tls_ec", 0,  OPT_STRING,
+    {(void*)("secp224r1")},
+    { { NULL, IMAP_ENUM_ZERO } } },
   { IMAPOPT_UMASK, "umask", 0, OPT_STRING,
     {(void *)("077")},
     { { NULL, IMAP_ENUM_ZERO } } },
Index: cyrus-imapd-2.3.18/lib/imapopts.h
===================================================================
--- cyrus-imapd-2.3.18.orig/lib/imapopts.h
+++ cyrus-imapd-2.3.18/lib/imapopts.h
@@ -225,6 +225,7 @@ enum imapopt {
   IMAPOPT_TLS_KEY_FILE,
   IMAPOPT_TLS_REQUIRE_CERT,
   IMAPOPT_TLS_SESSION_TIMEOUT,
+  IMAPOPT_TLS_EC,
   IMAPOPT_UMASK,
   IMAPOPT_USERDENY_DB,
   IMAPOPT_USER_FOLDER_LIMIT,

Places

File cyrus-imapd-enable-ec.patch of Package cyrus-imapd.2645

Places