Add support for ephemeral key exchange mechanisms, ssl_dhparam configuration option must be set (and point to a file containing a generated DH key).

2013-08-07 16:51:39 +02:00 · 2013-08-07 16:51:39 +02:00 · 04ee544982
parent bb9f37f029
commit 04ee544982
3 changed files with 39 additions and 0 deletions
--- a/includes/kore.h
+++ b/includes/kore.h
@ -24,6 +24,7 @@
 #include <arpa/inet.h>

 #include <openssl/err.h>
+#include <openssl/dh.h>
 #include <openssl/ssl.h>

 #include <errno.h>
@ -228,6 +229,7 @@ extern char	*kore_module_onload;
 extern char	*kore_pidfile;
 extern char	*config_file;
 extern char	*kore_ssl_cipher_list;
+extern DH	*ssl_dhparam;

 extern u_int8_t			nlisteners;
 extern u_int64_t		spdy_idle_time;
--- a/src/config.c
+++ b/src/config.c
@ -34,6 +34,7 @@ static int		configure_certfile(char **);
 static int		configure_certkey(char **);
 static int		configure_max_connections(char **);
 static int		configure_ssl_cipher(char **);
+static int		configure_ssl_dhparam(char **);
 static int		configure_spdy_idle_time(char **);
 static void		domain_sslstart(void);

@ -47,6 +48,7 @@ static struct {
 	{ "static",			configure_handler },
 	{ "dynamic",			configure_handler },
 	{ "ssl_cipher",			configure_ssl_cipher },
+	{ "ssl_dhparam",		configure_ssl_dhparam },
 	{ "spdy_idle_time",		configure_spdy_idle_time },
 	{ "domain",			configure_domain },
 	{ "chroot",			configure_chroot },
@ -172,6 +174,35 @@ configure_ssl_cipher(char **argv)
 	return (KORE_RESULT_OK);
 }

+static int
+configure_ssl_dhparam(char **argv)
+{
+	BIO		*bio;
+
+	if (argv[1] == NULL)
+		return (KORE_RESULT_ERROR);
+
+	if (ssl_dhparam != NULL) {
+		kore_debug("duplicate ssl_dhparam directive specified");
+		return (KORE_RESULT_ERROR);
+	}
+
+	if ((bio = BIO_new_file(argv[1], "r")) == NULL) {
+		kore_debug("%s did not exist", argv[1]);
+		return (KORE_RESULT_ERROR);
+	}
+
+	ssl_dhparam = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+	BIO_free(bio);
+
+	if (ssl_dhparam == NULL) {
+		kore_debug("PEM_read_bio_DHparams(): %s", ssl_errno_s);
+		return (KORE_RESULT_ERROR);
+	}
+
+	return (KORE_RESULT_OK);
+}
+
 static int
 configure_spdy_idle_time(char **argv)
 {
--- a/src/domain.c
+++ b/src/domain.c
@ -18,6 +18,7 @@

 struct kore_domain_h		domains;
 struct kore_domain		*primary_dom = NULL;
+DH				*ssl_dhparam = NULL;

 void
 kore_domain_init(void)
@ -72,6 +73,11 @@ kore_domain_sslstart(struct kore_domain *dom)
 	if (!SSL_CTX_check_private_key(dom->ssl_ctx))
 		fatal("Public/Private key for %s do not match", dom->domain);

+	if (ssl_dhparam != NULL) {
+		SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
+		SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
+	}
+
 	SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 	SSL_CTX_set_cipher_list(dom->ssl_ctx, kore_ssl_cipher_list);
 	SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);