Add support for ephemeral key exchange mechanisms, ssl_dhparam configuration option must be set (and point to a file containing a generated DH key). - kore - Kore is a web application platform for writing scalable, concurrent web based processes in C or Python.

commit 04ee5449823a0c326d8a6f91b8b3ccdf97ed0870
parent bb9f37f029c3d6572aba5dda4848a79daed5a7d6
Author: Joris Vink <joris@coders.se>
Date:   Wed,  7 Aug 2013 16:51:39 +0200

Add support for ephemeral key exchange mechanisms, ssl_dhparam configuration option must be set (and point to a file containing a generated DH key).

Diffstat:
includes/kore.h  | 2 ++
src/config.c  | 31 +++++++++++++++++++++++++++++++
src/domain.c  | 6 ++++++

3 files changed, 39 insertions(+), 0 deletions(-)
diff --git a/includes/kore.h b/includes/kore.h
@@ -24,6 +24,7 @@
 #include <arpa/inet.h>
 
 #include <openssl/err.h>
+#include <openssl/dh.h>
 #include <openssl/ssl.h>
 
 #include <errno.h>
@@ -228,6 +229,7 @@ extern char	*kore_module_onload;
 extern char	*kore_pidfile;
 extern char	*config_file;
 extern char	*kore_ssl_cipher_list;
+extern DH	*ssl_dhparam;
 
 extern u_int8_t			nlisteners;
 extern u_int64_t		spdy_idle_time;
diff --git a/src/config.c b/src/config.c
@@ -34,6 +34,7 @@ static int		configure_certfile(char **);
 static int		configure_certkey(char **);
 static int		configure_max_connections(char **);
 static int		configure_ssl_cipher(char **);
+static int		configure_ssl_dhparam(char **);
 static int		configure_spdy_idle_time(char **);
 static void		domain_sslstart(void);
 
@@ -47,6 +48,7 @@ static struct {
 	{ "static",			configure_handler },
 	{ "dynamic",			configure_handler },
 	{ "ssl_cipher",			configure_ssl_cipher },
+	{ "ssl_dhparam",		configure_ssl_dhparam },
 	{ "spdy_idle_time",		configure_spdy_idle_time },
 	{ "domain",			configure_domain },
 	{ "chroot",			configure_chroot },
@@ -173,6 +175,35 @@ configure_ssl_cipher(char **argv)
 }
 
 static int
+configure_ssl_dhparam(char **argv)
+{
+	BIO		*bio;
+
+	if (argv[1] == NULL)
+		return (KORE_RESULT_ERROR);
+
+	if (ssl_dhparam != NULL) {
+		kore_debug("duplicate ssl_dhparam directive specified");
+		return (KORE_RESULT_ERROR);
+	}
+
+	if ((bio = BIO_new_file(argv[1], "r")) == NULL) {
+		kore_debug("%s did not exist", argv[1]);
+		return (KORE_RESULT_ERROR);
+	}
+
+	ssl_dhparam = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+	BIO_free(bio);
+
+	if (ssl_dhparam == NULL) {
+		kore_debug("PEM_read_bio_DHparams(): %s", ssl_errno_s);
+		return (KORE_RESULT_ERROR);
+	}
+
+	return (KORE_RESULT_OK);
+}
+
+static int
 configure_spdy_idle_time(char **argv)
 {
 	int		err;
diff --git a/src/domain.c b/src/domain.c
@@ -18,6 +18,7 @@
 
 struct kore_domain_h		domains;
 struct kore_domain		*primary_dom = NULL;
+DH				*ssl_dhparam = NULL;
 
 void
 kore_domain_init(void)
@@ -72,6 +73,11 @@ kore_domain_sslstart(struct kore_domain *dom)
 	if (!SSL_CTX_check_private_key(dom->ssl_ctx))
 		fatal("Public/Private key for %s do not match", dom->domain);
 
+	if (ssl_dhparam != NULL) {
+		SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
+		SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
+	}
+
 	SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 	SSL_CTX_set_cipher_list(dom->ssl_ctx, kore_ssl_cipher_list);
 	SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);

	kore Kore is a web application platform for writing scalable, concurrent web based processes in C or Python.
	Commits \| Files \| Refs \| README \| LICENSE \| git clone https://git.kore.io/kore.git

includes/kore.h	\|	2	++
src/config.c	\|	31	+++++++++++++++++++++++++++++++
src/domain.c	\|	6	++++++