From 9dd52874d21025adc27fa6e0fedebbb805d8c398 Mon Sep 17 00:00:00 2001
From: Vladislav Grishenko
Date: Tue, 5 Jun 2018 21:48:55 +0500
Subject: sstp: add ssl-dhparam option for DHE ciphers

---
 accel-pppd/ctrl/sstp/sstp.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

(limited to 'accel-pppd/ctrl')

diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c
index 2fc26623..aadf746a 100644
--- a/accel-pppd/ctrl/sstp/sstp.c
+++ b/accel-pppd/ctrl/sstp/sstp.c
@@ -2367,6 +2367,9 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 	SSL_CTX_set_options(ssl_ctx,
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 			SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
+#endif
+#ifndef OPENSSL_NO_DH
+			SSL_OP_SINGLE_DH_USE |
 #endif
 			SSL_OP_NO_SSLv2 |
 			SSL_OP_NO_SSLv3 |
@@ -2376,6 +2379,27 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 			SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 	SSL_CTX_set_read_ahead(ssl_ctx, 1);
 
+#ifndef OPENSSL_NO_DH
+	opt = conf_get_opt("sstp", "ssl-dhparam");
+	if (opt) {
+		DH *dh;
+
+		if (BIO_read_filename(in, opt) <= 0) {
+			log_error("sstp: SSL dhparam error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+			goto error;
+		}
+
+		dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
+		if (dh == NULL) {
+			log_error("sstp: SSL dhparam error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+			goto error;
+		}
+
+		SSL_CTX_set_tmp_dh(ssl_ctx, dh);
+		DH_free(dh);
+	}
+#endif
+
 	opt = conf_get_opt("sstp", "ssl-ciphers");
 	if (opt && SSL_CTX_set_cipher_list(ssl_ctx, opt) != 1) {
 		log_error("sstp: SSL cipher list error: %s\n", ERR_error_string(ERR_get_error(), NULL));
-- 
cgit v1.2.3
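Review bot: The newly added `SSL_OP_SINGLE_DH_USE` flag has no comment saying why it is set, and its purpose is not obvious next to the protocol-disabling flags around it; a one-line `/* generate a fresh DH key per handshake; a no-op since OpenSSL 1.1.0, where this is always on */` above it would spare the next reader a lookup. The `SSL_CTX_set_options` call and ssl_load_config itself both start and end outside this hunk.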
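Review bot: The return value of `SSL_CTX_set_tmp_dh(ssl_ctx, dh)` is ignored, so parameters that OpenSSL rejects (for instance ones too short for the context's security level) are silently dropped and the server comes up without the DHE ciphers the operator configured, while the two earlier failures in the same block correctly log and `goto error`. The call should be `if (SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) { log_error("sstp: SSL dhparam error: %s\n", ERR_error_string(ERR_get_error(), NULL)); DH_free(dh); goto error; }` so the failure is reported consistently. `BIO_read_filename(in, opt)` reuses a BIO `in` that is created and, presumably, released on the `error` path outside this hunk, which is worth confirming since the hunk adds two new jumps to that label. The diffstat shows only sstp.c changing, so the new `ssl-dhparam` option most likely still lacks an entry in the sample config and documentation. ssl_load_config continues on both sides of the hunk.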