added support for ECDH, new Context ctor

2025-10-16 07:23:44 +02:00 · 2016-01-19 15:19:14 +01:00
parent b5572b3e59
commit 20c772d17b
4 changed files with 318 additions and 125 deletions
--- a/NetSSL_OpenSSL/include/Poco/Net/Context.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/Context.h
@@ -104,6 +104,58 @@ public:
 		PROTO_TLSV1_1 = 0x08,
 		PROTO_TLSV1_2 = 0x10
 	};
+	
+	struct Params
+	{
+		Params();
+			/// Initializes the struct with default values.
+
+		std::string privateKeyFile;
+			/// Path to the private key file used for encryption.
+			/// Can be empty if no private key file is used.
+
+		std::string certificateFile;
+			/// Path to the certificate file (in PEM format).
+			/// If the private key and the certificate are stored in the same file, this
+			/// can be empty if privateKeyFile is given.
+			
+		std::string caLocation;
+			/// Path to the file or directory containing the CA/root certificates. 
+			/// Can be empty if the OpenSSL builtin CA certificates
+			/// are used (see loadDefaultCAs).
+
+		VerificationMode verificationMode;
+			/// Specifies whether and how peer certificates are validated.
+			/// Defaults to VERIFY_RELAXED.
+			
+		int verificationDepth;
+			/// Sets the upper limit for verification chain sizes. Verification
+			/// will fail if a certificate chain larger than this is encountered.
+			/// Defaults to 9.
+
+		bool loadDefaultCAs;
+			/// Specifies whether the builtin CA certificates from OpenSSL are used.
+			/// Defaults to false.
+	
+		std::string cipherList;
+			/// Specifies the supported ciphers in OpenSSL notation.
+			/// Defaults to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
+			
+		std::string dhParamsFile;
+			/// Specifies a file containing Diffie-Hellman parameters.
+			/// If empty, the default parameters are used.
+
+		std::string ecdhCurve;
+			/// Specifies the name of the curve to use for ECDH, based
+			/// on the curve names specified in RFC 4492.
+			/// Defaults to "prime256v1".
+	};
+
+	Context(Usage usage, const Params& params);
+		/// Creates a Context using the given parameters.
+			/// 
+			///   * usage specifies whether the context is used by a client or server.
+			///   * params specifies the context parameters.

 	Context(
 		Usage usage,
@@ -281,9 +333,19 @@ public:
 		/// The protocols to be disabled are specified by OR-ing 
 		/// values from the Protocols enumeration, e.g.:
 		///
-		///   context.disableProtocols(PROTO_SSLV2 | PROTO_SSLV3)
+		///   context.disableProtocols(PROTO_SSLV2 | PROTO_SSLV3);

 private:
+	void init(const Params& params);
+		/// Initializes the Context with the given parameters.
+		
+	void initDH(const std::string& dhFile);
+		/// Initializes the Context with Diffie-Hellman parameters.
+		
+	void initECDH(const std::string& curve);
+		/// Initializes the Context with Elliptic-Curve Diffie-Hellman key
+		/// exchange curve parameters.
+
 	void createSSLContext();
 		/// Create a SSL_CTX object according to Context configuration.

--- a/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
@@ -95,6 +95,8 @@ class NetSSL_API SSLManager
 	///            <requireTLSv1_1>true|false</requireTLSv1_1>
 	///            <requireTLSv1_2>true|false</requireTLSv1_2>
 	///            <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2</disableProtocols>
+	///            <dhParamsFile>dh.pem</dhParamsFile>
+	///            <ecdhCurve>prime256v1</ecdhCurve>
 	///          </server|client>
 	///          <fips>false</fips>
 	///       </openSSL>
@@ -140,6 +142,10 @@ class NetSSL_API SSLManager
 	///    - requireTLSv1_2 (boolean): Require a TLSv1.2 connection.
 	///    - disableProtocols (string): A comma-separated list of protocols that should be
 	///      disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2.
+	///    - dhParamsFile (string): Specifies a file containing Diffie-Hellman parameters.
+	///      If not specified or empty, the default parameters are used.
+	///    - ecdhCurve (string): Specifies the name of the curve to use for ECDH, based
+	///      on the curve names specified in RFC 4492. Defaults to "prime256v1".
 	///    - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version 
 	///      that this library is built against supports FIPS mode.
 {
@@ -324,6 +330,8 @@ private:
 	static const std::string CFG_REQUIRE_TLSV1_1;
 	static const std::string CFG_REQUIRE_TLSV1_2;
 	static const std::string CFG_DISABLE_PROTOCOLS;
+	static const std::string CFG_DH_PARAMS_FILE;
+	static const std::string CFG_ECDH_CURVE;

 #ifdef OPENSSL_FIPS
 	static const std::string CFG_FIPS_MODE;