From 0b33466b3f093db22ffefd5a1bcd81d5b5fa4991 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 22 Oct 2013 07:35:22 +0100 Subject: [PATCH] Add SSL_CONF command to set DH Parameters. (cherry picked from commit c557f921dcb20a1bf2ce75e9dc7dd164e59ec3ea) --- doc/ssl/SSL_CONF_cmd.pod | 12 ++++++++++++ ssl/ssl_conf.c | 39 +++++++++++++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 2 deletions(-) diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index c57bf80109..c55f63128b 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -103,6 +103,12 @@ context. This option is only supported if certificate operations are permitted. Note: if no B<-key> option is set then a private key is not loaded: it does not currently use the B<-cert> file. +=item B<-dhparam> + +Attempts to use the file B as the set of temporary DH parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. + =item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 @@ -185,6 +191,12 @@ context. This option is only supported if certificate operations are permitted. Note: if no B<-key> option is set then a private key is not loaded: it does not currently use the B file. +=item B + +Attempts to use the file B as the set of temporary DH parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. + =item B This sets the supported signature algorithms for TLS v1.2. For clients this diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index c7dd530649..e617452af2 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -389,7 +389,39 @@ static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value) rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); return rv > 0; } - +#ifndef OPENSSL_NO_DH +static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) + { + int rv = 0; + DH *dh = NULL; + BIO *in = NULL; + if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE)) + return -2; + if (cctx->ctx || cctx->ssl) + { + in = BIO_new(BIO_s_file_internal()); + if (!in) + goto end; + if (BIO_read_filename(in, value) <= 0) + goto end; + dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); + if (!dh) + goto end; + } + else + return 1; + if (cctx->ctx) + rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh); + if (cctx->ssl) + rv = SSL_set_tmp_dh(cctx->ssl, dh); + end: + if (dh) + DH_free(dh); + if (in) + BIO_free(in); + return rv > 0; + } +#endif typedef struct { int (*cmd)(SSL_CONF_CTX *cctx, const char *value); @@ -417,7 +449,10 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_STRING(Protocol, NULL), SSL_CONF_CMD_STRING(Options, NULL), SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE), - SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE) + SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE), +#ifndef OPENSSL_NO_DH + SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_TYPE_FILE) +#endif }; static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) -- 2.40.0