uhttpd: Use elliptic curve keys by default

Instead of generating a RSA key pair generate an elliptic curve key pair
by default. Elliptic curve signatures are much faster than RSA
signatures with mbedtls on MIPS BE hardware.

I measured these numbers with mbedtls 2.9.0 on a Lantiq xrx200 SoC with
a 500 MHz MIPS BE CPU:
 * RSA-2048                 :  143.700000  public/s
 * RSA-2048                 :  1.300000 private/s

 * ECDSA-secp384r1          :  7.600000 verify/s
 * ECDSA-secp384r1          :  27.900000 sign/s
 * ECDSA-secp256r1          :  12.300000 verify/s
 * ECDSA-secp256r1          :  41.000000 sign/s
 * ECDSA-secp256k1          :  11.400000 verify/s
 * ECDSA-secp256k1          :  39.000000 sign/s

The TLS server needs one signature or public key operation per
handshake.

ECDSA keys are support by all modern browsers starting with:
 * Internet Explorer 7
 * Firefox 2
 * Opera 8 (with TLS 1.1 enabled)
 * Google Chrome v5.0.342.0
 * Safari 2.1
 * Mobile Safari for iOS 4.0
 * Android 3.0 (Honeycomb) and later
 * Windows Phone 7
Source: https://support.cloudflare.com/hc/en-us/articles/203041594-What-browsers-work-with-Cloudflare-s-SSL-certificates-

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/package/network/services/uhttpd/files/uhttpd.init b/package/network/services/uhttpd/files/uhttpd.init
index dc496b3e28295e330969a4fa764673cfa3270eb1..0a4697f354d81a85fcd2a8338ccbda3fd1a783ba 100755 (executable)
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -35,7 +35,7 @@ generate_keys() {
        local cfg="$1"
        local key="$2"
        local crt="$3"
-       local days bits country state location commonname
+       local days bits country state location commonname type curve
 
        config_get days       "$cfg" days
        config_get bits       "$cfg" bits
@@ -43,6 +43,8 @@ generate_keys() {
        config_get state      "$cfg" state
        config_get location   "$cfg" location
        config_get commonname "$cfg" commonname
+       config_get type       "$cfg" type
+       config_get curve      "$cfg" curve
 
        # Prefer px5g for certificate generation (existence evaluated last)
        local GENKEY_CMD=""
@@ -50,8 +52,17 @@ generate_keys() {
        [ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256 -outform der -nodes"
        [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
        [ -n "$GENKEY_CMD" ] && {
+               case "$type" in
+                       rsa)
+                               GENKEY_CMD=$GENKEY_CMD"-newkey rsa:${bits:-2048} "
+                       ;;
+                       ecdsa|*)
+                               GENKEY_CMD=$GENKEY_CMD"-newkey ec:${curve:-secp256r1} "
+                       ;;
+               esac
+
                $GENKEY_CMD \
-                       -days ${days:-730} -newkey rsa:${bits:-2048} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
+                       -days ${days:-730} -keyout "${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
                        -subj /C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${commonname:-OpenWrt}$UNIQUEID"/CN="${commonname:-OpenWrt}"
                sync
                mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"