authorxebd <xeb@mail.ru>2018-06-06 21:42:18 +0300
committerGitHub <noreply@github.com>2018-06-06 21:42:18 +0300
commit384d6a8a17d876dc4639e29d2baf4b223a8eaadf (patch)
tree3516de26b8afa0e4982a6b0d7c2240a80038836d
parentcd576ac7a628c5e5036b504f53435f1013a9f824 (diff)
parentd84c4b94a958b7cc79aad44439bed8029b3b549b (diff)
Merge pull request #52 from themiron/sstp
sstp: add ECDSA certs support and DH/ECDH config options
-rw-r--r--accel-pppd/accel-ppp.conf2
-rw-r--r--accel-pppd/accel-ppp.conf.56
-rw-r--r--accel-pppd/ctrl/sstp/sstp.c61
3 files changed, 69 insertions, 0 deletions
diff --git a/accel-pppd/accel-ppp.conf b/accel-pppd/accel-ppp.conf
index 1d38ea15..f28a3aa7 100644
--- a/accel-pppd/accel-ppp.conf
+++ b/accel-pppd/accel-ppp.conf
@@ -112,6 +112,8 @@ verbose=1
#cert-hash-sha1=
#cert-hash-sha256=
#accept=ssl,proxy
+#ssl-dhparam=/etc/ssl/dhparam.pem
+#ssl-ecdh-curve=prime256v1
#ssl-ciphers=DEFAULT
#ssl-prefer-server-ciphers=0
#ssl-ca-file=/etc/ssl/sstp-ca.crt
diff --git a/accel-pppd/accel-ppp.conf.5 b/accel-pppd/accel-ppp.conf.5
index 4c1bee76..9ccac7d5 100644
--- a/accel-pppd/accel-ppp.conf.5
+++ b/accel-pppd/accel-ppp.conf.5
@@ -681,6 +681,12 @@ Specifies incoming connection acceptance mode.
.B proxy
- enable PROXY protocol 1 & 2 support.
.TP
+.BI "ssl-dhparam=" pemfile
+Specifies a file with DH parameters for DHE ciphers.
+.TP
+.BI "ssl-ecdh-curve=" string
+Specifies a curves for ECDHE ciphers. Value is specified in the format understood by the OpenSSL library.
+.TP
.BI "ssl-ciphers=" string
Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library.
.TP
diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c
index 2fc26623..e60d2cb0 100644
--- a/accel-pppd/ctrl/sstp/sstp.c
+++ b/accel-pppd/ctrl/sstp/sstp.c
@@ -2368,6 +2368,12 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
#endif
+#ifndef OPENSSL_NO_DH
+ SSL_OP_SINGLE_DH_USE |
+#endif
+#ifndef OPENSSL_NO_ECDH
+ SSL_OP_SINGLE_ECDH_USE |
+#endif
SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION);
@@ -2376,6 +2382,61 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_read_ahead(ssl_ctx, 1);
+#ifndef OPENSSL_NO_DH
+ opt = conf_get_opt("sstp", "ssl-dhparam");
+ if (opt) {
+ DH *dh;
+
+ if (BIO_read_filename(in, opt) <= 0) {
+ log_error("sstp: SSL dhparam error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+
+ dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
+ if (dh == NULL) {
+ log_error("sstp: SSL dhparam error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+
+ SSL_CTX_set_tmp_dh(ssl_ctx, dh);
+ DH_free(dh);
+ }
+#endif
+
+#ifndef OPENSSL_NO_ECDH
+ opt = conf_get_opt("sstp", "ssl-ecdh-curve");
+ {
+#if defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_CURVES_LIST)
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+ /* not needed in OpenSSL 1.1.0+ */
+ SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
+#endif
+ if (opt && SSL_CTX_set1_curves_list(ssl_ctx, opt) == 0) {
+ log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+#else
+ EC_KEY *ecdh;
+ int nid;
+
+ nid = OBJ_sn2nid(opt ? : "prime256v1");
+ if (nid == 0) {
+ log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (ecdh == NULL) {
+ log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+
+ SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
+ EC_KEY_free(ecdh);
+#endif
+ }
+#endif
+
opt = conf_get_opt("sstp", "ssl-ciphers");
if (opt && SSL_CTX_set_cipher_list(ssl_ctx, opt) != 1) {
log_error("sstp: SSL cipher list error: %s\n", ERR_error_string(ERR_get_error(), NULL));
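Review bot: The return value of `SSL_CTX_set_tmp_dh()` in the new `ssl-dhparam` branch is discarded, so parameters that OpenSSL refuses (1.1.0+ applies its security level in that call and rejects too-small groups) are silently dropped: the server then never offers DHE suites while the operator believes the configured file is in use, and every other OpenSSL call in this hunk is otherwise checked. Treat a failure there like a failed PEM read, freeing the DH object on both paths, as in the fence below; the same applies to `SSL_CTX_set_tmp_ecdh()` in the legacy `#else` branch. In that legacy branch the `OBJ_sn2nid()` failure path prints `ERR_get_error()`, but that lookup does not appear to queue an error, so the log line will be empty of detail; naming the curve, `log_error("sstp: SSL ecdh-curve error: unknown curve %s\n", opt ? opt : "prime256v1");`, is more useful. `ssl_load_config()` starts before this hunk, and both the `in` BIO it reuses and the `error:` label it jumps to are outside it.
```c
		dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
		/* … unchanged: NULL check and log … */
		if (SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) {
			DH_free(dh);
			log_error("sstp: SSL dhparam error: %s\n", ERR_error_string(ERR_get_error(), NULL));
			goto error;
		}
		DH_free(dh);
```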