authorVladislav Grishenko <themiron@mail.ru>2018-06-05 22:08:55 +0500
committerVladislav Grishenko <themiron@mail.ru>2018-06-05 22:51:43 +0500
commitd84c4b94a958b7cc79aad44439bed8029b3b549b (patch)
tree3516de26b8afa0e4982a6b0d7c2240a80038836d /accel-pppd/ctrl/sstp
parent9dd52874d21025adc27fa6e0fedebbb805d8c398 (diff)
sstp: add ECDSA certs support and ssl-ecdh-curve option for ECDHE ciphers
Diffstat (limited to 'accel-pppd/ctrl/sstp')
-rw-r--r--accel-pppd/ctrl/sstp/sstp.c37
1 files changed, 37 insertions, 0 deletions
diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c
index aadf746a..e60d2cb0 100644
--- a/accel-pppd/ctrl/sstp/sstp.c
+++ b/accel-pppd/ctrl/sstp/sstp.c
@@ -2371,6 +2371,9 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
#ifndef OPENSSL_NO_DH
SSL_OP_SINGLE_DH_USE |
#endif
+#ifndef OPENSSL_NO_ECDH
+ SSL_OP_SINGLE_ECDH_USE |
+#endif
SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION);
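Review bot: The added SSL_OP_SINGLE_ECDH_USE flag only changes behaviour on OpenSSL builds before 1.1.0, where, as far as I recall the docs, a key installed with SSL_CTX_set_tmp_ecdh() would otherwise be reused across handshakes; from 1.1.0 on the option is accepted but has no effect, exactly like the SSL_OP_SINGLE_DH_USE two lines above it. A one-line comment would stop a reader from taking this `#ifndef OPENSSL_NO_ECDH` block for the thing that enables ECDHE at all, e.g. `/* fresh ECDH key per handshake on OpenSSL < 1.1.0; no-op (always on) from 1.1.0 */`. The SSL_CTX_set_options() call these flags belong to starts and ends outside the hunk.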
@@ -2400,6 +2403,40 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
}
#endif
+#ifndef OPENSSL_NO_ECDH
+ opt = conf_get_opt("sstp", "ssl-ecdh-curve");
+ {
+#if defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_CURVES_LIST)
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+ /* not needed in OpenSSL 1.1.0+ */
+ SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
+#endif
+ if (opt && SSL_CTX_set1_curves_list(ssl_ctx, opt) == 0) {
+ log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+#else
+ EC_KEY *ecdh;
+ int nid;
+
+ nid = OBJ_sn2nid(opt ? : "prime256v1");
+ if (nid == 0) {
+ log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (ecdh == NULL) {
+ log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+
+ SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
+ EC_KEY_free(ecdh);
+#endif
+ }
+#endif
+
opt = conf_get_opt("sstp", "ssl-ciphers");
if (opt && SSL_CTX_set_cipher_list(ssl_ctx, opt) != 1) {
log_error("sstp: SSL cipher list error: %s\n", ERR_error_string(ERR_get_error(), NULL));