
commit 04ee5449823a0c326d8a6f91b8b3ccdf97ed0870
parent bb9f37f029c3d6572aba5dda4848a79daed5a7d6
Author: Joris Vink <joris@coders.se>
Date:   Wed,  7 Aug 2013 16:51:39 +0200

Add support for ephemeral key exchange mechanisms; the ssl_dhparam configuration option must be set (and point to a PEM file containing generated DH parameters).

Diffstat:
includes/kore.h | 2++
src/config.c | 31+++++++++++++++++++++++++++++++
src/domain.c | 6++++++
3 files changed, 39 insertions(+), 0 deletions(-)

diff --git a/includes/kore.h b/includes/kore.h
@@ -24,6 +24,7 @@
 #include <arpa/inet.h>
 #include <openssl/err.h>
+#include <openssl/dh.h>
 #include <openssl/ssl.h>
 #include <errno.h>
@@ -228,6 +229,7 @@ extern char *kore_module_onload;
 extern char *kore_pidfile;
 extern char *config_file;
 extern char *kore_ssl_cipher_list;
+extern DH *ssl_dhparam;
 extern u_int8_t nlisteners;
 extern u_int64_t spdy_idle_time;
diff --git a/src/config.c b/src/config.c
@@ -34,6 +34,7 @@ static int configure_certfile(char **);
 static int configure_certkey(char **);
 static int configure_max_connections(char **);
 static int configure_ssl_cipher(char **);
+static int configure_ssl_dhparam(char **);
 static int configure_spdy_idle_time(char **);
 static void domain_sslstart(void);
@@ -47,6 +48,7 @@ static struct {
 { "static", configure_handler },
 { "dynamic", configure_handler },
 { "ssl_cipher", configure_ssl_cipher },
+ { "ssl_dhparam", configure_ssl_dhparam },
 { "spdy_idle_time", configure_spdy_idle_time },
 { "domain", configure_domain },
 { "chroot", configure_chroot },
@@ -173,6 +175,35 @@ configure_ssl_cipher(char **argv)
 }
 static int
+configure_ssl_dhparam(char **argv)
+{
+ BIO *bio;
+
+ if (argv[1] == NULL)
+ return (KORE_RESULT_ERROR);
+
+ if (ssl_dhparam != NULL) {
+ kore_debug("duplicate ssl_dhparam directive specified");
+ return (KORE_RESULT_ERROR);
+ }
+
+ if ((bio = BIO_new_file(argv[1], "r")) == NULL) {
+ kore_debug("%s did not exist", argv[1]);
+ return (KORE_RESULT_ERROR);
+ }
+
+ ssl_dhparam = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+
+ if (ssl_dhparam == NULL) {
+ kore_debug("PEM_read_bio_DHparams(): %s", ssl_errno_s);
+ return (KORE_RESULT_ERROR);
+ }
+
+ return (KORE_RESULT_OK);
+}
+
+static int
 configure_spdy_idle_time(char **argv)
 {
 int err;
diff --git a/src/domain.c b/src/domain.c
@@ -18,6 +18,7 @@ struct kore_domain_h domains;
 struct kore_domain *primary_dom = NULL;
+DH *ssl_dhparam = NULL;
 void
 kore_domain_init(void)
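Review bot: The parameters returned by PEM_read_bio_DHparams() in configure_ssl_dhparam are accepted without any validation, so a file holding a non-prime, tiny or otherwise unsafe group is loaded and later installed into every SSL_CTX; only a parse failure is rejected. A DH_check() plus a minimum DH_size() floor at config time closes that, and the rejecting branch must free and reset ssl_dhparam because the duplicate-directive check above keys off it being non-NULL. The "%s did not exist" message is also misleading, since BIO_new_file() fails for permission and other open errors as well; `kore_debug("BIO_new_file(%s): %s", argv[1], ssl_errno_s);` would report the actual cause. The 2048-bit (256-byte) floor below is only a suggestion; pick whatever the project is willing to require of deployments.
```c
	BIO		*bio;
	int		codes;

	/* … unchanged: argument, duplicate and BIO_new_file() checks … */

	ssl_dhparam = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
	BIO_free(bio);

	/* … unchanged: NULL check on ssl_dhparam … */

	/*
	 * Refuse parameters that fail OpenSSL's sanity checks or are
	 * too small to provide meaningful forward secrecy.
	 */
	if (!DH_check(ssl_dhparam, &codes) || codes != 0 ||
	    DH_size(ssl_dhparam) < 256) {
		kore_debug("%s: unsafe or too small DH parameters", argv[1]);
		DH_free(ssl_dhparam);
		ssl_dhparam = NULL;
		return (KORE_RESULT_ERROR);
	}

	return (KORE_RESULT_OK);
```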
@@ -72,6 +73,11 @@ kore_domain_sslstart(struct kore_domain *dom)
 if (!SSL_CTX_check_private_key(dom->ssl_ctx))
 fatal("Public/Private key for %s do not match", dom->domain);
+ if (ssl_dhparam != NULL) {
+ SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
+ SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
+ }
+
 SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 SSL_CTX_set_cipher_list(dom->ssl_ctx, kore_ssl_cipher_list);
 SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
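Review bot: The return value of SSL_CTX_set_tmp_dh() in kore_domain_sslstart is ignored, unlike SSL_CTX_check_private_key() two lines above which is fatal() on failure; the call returns 0 when the parameters cannot be installed into the context, after which the domain silently comes up without ephemeral DH. Check it the same way: `if (!SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam))` / `fatal("SSL_CTX_set_tmp_dh() for %s: %s", dom->domain, ssl_errno_s);` (ssl_errno_s as used in the config.c hunk). Note also that when ssl_dhparam is NULL the function proceeds without comment, so any DHE suites in kore_ssl_cipher_list are simply never negotiable and the server falls back to non-forward-secret key exchange; given the commit message says the option must be set, a fatal() or at least a startup warning in an else branch would make that visible. kore_domain_sslstart begins and ends outside this hunk.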