1 files changed, 80 insertions, 0 deletions

diff --git a/src/ssl_params.c b/src/ssl_params.c
new file mode 100644
index 0000000..d3a49d0
--- /dev/null
+++ b/src/ssl_params.c
@@ -0,0 +1,80 @@
+/**
+  @file  ssl_params.c
+  @author web, bergmann
+  @brief setup RSA, DH, ECDH 
+*/
+#include "ucspissl.h"
+
+int ssl_params_rsa(SSL_CTX *ctx,int len)
+{
+  RSA *rsa;
+  long res;
+  BIGNUM *e;
+
+  /* check if ephemeral RSA key is actually needed */
+  if (!SSL_CTX_need_tmp_RSA(ctx)) return 1;
+
+  if (len) {
+    e = BN_new();
+    rsa = RSA_new();
+    BN_set_word(e,RSA_F4);
+
+    res = (long) RSA_generate_key_ex(rsa,len,e,NULL);
+    BN_free(e);
+
+    if (res == -1) return 0;
+    if (!rsa) return 0;
+    
+    /* seldom "needed": maybe deal with an export cipher */
+    res = SSL_CTX_set_tmp_rsa(ctx,rsa);
+    RSA_free(rsa);
+    if (!res) return 0;
+  }
+
+  return 1;
+}
+
+int ssl_params_dh(SSL_CTX *ctx,const char *dhfile)
+{
+  DH *dh;
+  BIO *bio;
+
+  if (dhfile) {
+    dh = 0;
+    bio = BIO_new_file(dhfile,"r");
+    if (!bio) return 0;
+    dh = PEM_read_bio_DHparams(bio,0,0,0);
+    BIO_free(bio);
+    if (!dh) return 0;
+    if (!SSL_CTX_set_tmp_dh(ctx,dh)) return 0;
+  }
+
+  return 1;
+}
+
+int ssl_params_ecdh(SSL_CTX *ctx,const char *ecdhfile)
+{
+  EC_KEY *ecdh;
+
+  SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+  SSL_CTX_set_ecdh_auto(ctx,1);
+#else
+  /* insecure and compatible curves, see http://safecurves.cr.yp.to/ */
+  ecdh = EC_KEY_new_by_curve_name(NID_secp521r1);
+  if (ecdh == NULL) {
+    /* NIST P-384 / AES-256 */
+    ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
+  }
+  if (ecdh == NULL) {
+    /* NIST P-256 / AES-128 */
+    ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+  }
+  if (ecdh != NULL) {
+    SSL_CTX_set_tmp_ecdh(ctx,ecdh);
+    EC_KEY_free(ecdh);
+    return 1;
+  }
+#endif
+  return 0;
+}