From d84c4b94a958b7cc79aad44439bed8029b3b549b Mon Sep 17 00:00:00 2001
From: Vladislav Grishenko
Date: Tue, 5 Jun 2018 22:08:55 +0500
Subject: sstp: add ECDSA certs support and ssl-ecdh-curve option for ECDHE ciphers
---
 accel-pppd/ctrl/sstp/sstp.c | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
(limited to 'accel-pppd/ctrl')
diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c
index aadf746..e60d2cb 100644
--- a/accel-pppd/ctrl/sstp/sstp.c
+++ b/accel-pppd/ctrl/sstp/sstp.c
@@ -2370,6 +2370,9 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 #endif
 #ifndef OPENSSL_NO_DH
 SSL_OP_SINGLE_DH_USE |
+#endif
+#ifndef OPENSSL_NO_ECDH
+ SSL_OP_SINGLE_ECDH_USE |
 #endif
 SSL_OP_NO_SSLv2 |
 SSL_OP_NO_SSLv3 |
@@ -2400,6 +2403,40 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 }
 #endif
+#ifndef OPENSSL_NO_ECDH
+ opt = conf_get_opt("sstp", "ssl-ecdh-curve");
+ {
+#if defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_CURVES_LIST)
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+ /* not needed in OpenSSL 1.1.0+ */
+ SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
+#endif
+ if (opt && SSL_CTX_set1_curves_list(ssl_ctx, opt) == 0) {
+ log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+#else
+ EC_KEY *ecdh;
+ int nid;
+ nid = OBJ_sn2nid(opt ? : "prime256v1");
+ if (nid == 0) {
+ log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (ecdh == NULL) {
+ log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+ SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
+ EC_KEY_free(ecdh);
+#endif
+ }
+#endif
+
 opt = conf_get_opt("sstp", "ssl-ciphers");
 if (opt && SSL_CTX_set_cipher_list(ssl_ctx, opt) != 1) {
 log_error("sstp: SSL cipher list error: %s\n", ERR_error_string(ERR_get_error(), NULL));
-- 
cgit v1.2.3
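Review bot: In the `#else` branch of the second hunk, an unrecognised `ssl-ecdh-curve` name makes `OBJ_sn2nid()` return 0 but, as far as I can tell, queues no OpenSSL error, so the `log_error` after `nid == 0` will most likely print an empty `ERR_error_string` and never tell the operator which name was rejected; log the configured value instead, `log_error("sstp: SSL ecdh-curve error: unknown curve '%s'\n", opt ? : "prime256v1");`. The two preprocessor branches also give the same config key different meanings: with `SSL_CTX_set1_curves_list` an unset option keeps OpenSSL's default group list and the value may be a colon-separated list, while the legacy branch pins exactly one curve and falls back to `prime256v1`. A comment above `opt = conf_get_opt("sstp", "ssl-ecdh-curve");` should state this so that the option's documentation does not promise list syntax on builds that take the legacy path. `ssl_load_config` begins and ends outside both hunks.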