generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add SSL_CONF command to set DH Parameters.

Browse Source
This commit is contained in:
Dr. Stephen Henson 2013-10-22 07:35:22 +01:00
parent abf840e4f7
commit c557f921dc
2 changed files with 49 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
doc/ssl/SSL_CONF_cmd.pod
View File

@ -103,6 +103,12 @@ context. This option is only supported if certificate operations
are permitted. Note: if no B<-key> option is set then a private key is are permitted. Note: if no B<-key> option is set then a private key is
not loaded: it does not currently use the B<-cert> file. not loaded: it does not currently use the B<-cert> file.
=item B<-dhparam>
Attempts to use the file B<value> as the set of temporary DH parameters for
the appropriate context. This option is only supported if certificate
operations are permitted.
=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> =item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
@ -185,6 +191,12 @@ context. This option is only supported if certificate operations
are permitted. Note: if no B<-key> option is set then a private key is are permitted. Note: if no B<-key> option is set then a private key is
not loaded: it does not currently use the B<Certificate> file. not loaded: it does not currently use the B<Certificate> file.
=item B<DHParameters>
Attempts to use the file B<value> as the set of temporary DH parameters for
the appropriate context. This option is only supported if certificate
operations are permitted.
=item B<SignatureAlgorithms> =item B<SignatureAlgorithms>
This sets the supported signature algorithms for TLS v1.2. For clients this This sets the supported signature algorithms for TLS v1.2. For clients this

39
ssl/ssl_conf.c
View File

@ -388,7 +388,39 @@ static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value)
rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM); rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM);
return rv > 0; return rv > 0;
} }
#ifndef OPENSSL_NO_DH
static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
{
int rv = 0;
DH *dh = NULL;
BIO *in = NULL;
if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
return -2;
if (cctx->ctx || cctx->ssl)
{
in = BIO_new(BIO_s_file_internal());
if (!in)
goto end;
if (BIO_read_filename(in, value) <= 0)
goto end;
dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
if (!dh)
goto end;
}
else
return 1;
if (cctx->ctx)
rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh);
if (cctx->ssl)
rv = SSL_set_tmp_dh(cctx->ssl, dh);
end:
if (dh)
DH_free(dh);
if (in)
BIO_free(in);
return rv > 0;
}
#endif
typedef struct typedef struct
{ {
int (*cmd)(SSL_CONF_CTX *cctx, const char *value); int (*cmd)(SSL_CONF_CTX *cctx, const char *value);
@ -416,7 +448,10 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD_STRING(Protocol, NULL), SSL_CONF_CMD_STRING(Protocol, NULL),
SSL_CONF_CMD_STRING(Options, NULL), SSL_CONF_CMD_STRING(Options, NULL),
SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE), SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE),
SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE) SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE),
#ifndef OPENSSL_NO_DH
SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_TYPE_FILE)
#endif
}; };
static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)