  • 2 commits
  • 3 files changed
  • 1 commit comment
  • 2 contributors
Showing with 35 additions and 0 deletions.
  1. +14 −0 configuration.cc
  2. +1 −0  configuration.h
  3. +20 −0 stud.cc
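--- a/configuration.cc
+++ b/configuration.cc
@@ -54,6 +54,7 @@
 #define CFG_CIPHERS "ciphers"
 #define CFG_SSL_ENGINE "ssl-engine"
 #define CFG_PREFER_SERVER_CIPHERS "prefer-server-ciphers"
+#define CFG_EC_CURVE "ec-curve"
 #define CFG_BACKEND "backend"
 #define CFG_FRONTEND "frontend"
 #define CFG_WORKERS "workers"
@@ -151,6 +152,7 @@ stud_config * config_new (void) {
 r->CERT_FILES = NULL;
 r->CIPHER_SUITE = NULL;
 r->ENGINE = NULL;
+ r->EC_CURVE = NULL;
 r->BACKLOG = 100;
 #ifdef USE_SHARED_CACHE
@@ -195,6 +197,7 @@ void config_destroy (stud_config *cfg) {
 }
 if (cfg->CIPHER_SUITE != NULL) free(cfg->CIPHER_SUITE);
 if (cfg->ENGINE != NULL) free(cfg->ENGINE);
+ if (cfg->EC_CURVE != NULL) free(cfg->EC_CURVE);
 #ifdef USE_SHARED_CACHE
 if (cfg->SHCUPD_IP != NULL) free(cfg->SHCUPD_IP);
@@ -577,6 +580,11 @@ void config_param_validate (const char *k, char *v, stud_config *cfg, char *file
 config_assign_str(&cfg->ENGINE, v);
 }
 }
+ else if (strcmp(k, CFG_EC_CURVE) == 0) {
+ if (v != NULL && strlen(v) > 0) {
+ config_assign_str(&cfg->EC_CURVE, v);
+ }
+ }
 else if (strcmp(k, CFG_PREFER_SERVER_CIPHERS) == 0) {
 r = config_param_val_bool(v, &cfg->PREFER_SERVER_CIPHERS);
 }
@@ -1001,6 +1009,12 @@ void config_print_default (FILE *fd, stud_config *cfg) {
 fprintf(fd, FMT_QSTR, CFG_CIPHERS, config_disp_str(cfg->CIPHER_SUITE));
 fprintf(fd, "\n");
+ fprintf(fd, "# EC curve to use in ECDH and other ciphers.\n");
+ fprintf(fd, "#\n");
+ fprintf(fd, "# type: string\n");
+ fprintf(fd, FMT_QSTR, CFG_EC_CURVE, config_disp_str(cfg->EC_CURVE));
+ fprintf(fd, "\n");
+
 fprintf(fd, "# Enforce server cipher list order\n");
 fprintf(fd, "#\n");
 fprintf(fd, "# type: boolean\n");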
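Review bot: The default-config text written by the new fprintf lines in config_print_default says only "EC curve to use in ECDH and other ciphers", which leaves the accepted format unstated; the value is resolved with OBJ_sn2nid in make_ctx, so the comment should say it is an OpenSSL curve short name and that leaving it unset configures no ECDH curve, e.g. `fprintf(fd, "# OpenSSL short name of the EC curve used for ECDH (resolved with OBJ_sn2nid). Unset: no ECDH curve is configured.\n");`. Note also that the config_param_validate branch only checks the string is non-empty, so a misspelled curve name is not reported with the file and line context that function receives but only later, when the SSL context is built; if that stays as is, the generated comment is the place to say so. config_param_validate and config_print_default both continue outside their hunks.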
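--- a/configuration.h
+++ b/configuration.h
@@ -54,6 +54,7 @@ struct __stud_config {
 struct cert_files *CERT_FILES;
 char *CIPHER_SUITE;
 char *ENGINE;
+ char *EC_CURVE;
 int BACKLOG;
 #ifdef USE_SHARED_CACHE
 int SHARED_CACHE;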
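Review bot: The new EC_CURVE member carries no comment, although the rest of the change fixes its contract: it is a heap string owned by the config (assigned through config_assign_str in config_param_validate and freed in config_destroy), and NULL means no curve was configured. A trailing comment would record that at the declaration, e.g. `char *EC_CURVE; /* OpenSSL short name of the ECDH curve; NULL = none; owned, freed in config_destroy */`. The enclosing struct continues outside the hunk.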
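--- a/stud.cc
+++ b/stud.cc
@@ -668,6 +668,26 @@ SSL_CTX *make_ctx(const char *pemfile) {
 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }
+ if (CONFIG->EC_CURVE != NULL) {
+ int ecdh_nid;
+
+ ecdh_nid = OBJ_sn2nid(CONFIG->EC_CURVE);
+ if (ecdh_nid == NID_undef) {
+ fprintf(stderr, "EC curve id '%s' not found\n", CONFIG->EC_CURVE);
+ } else {
+ EC_KEY* ecdh;
+
+ ecdh = EC_KEY_new_by_curve_name(ecdh_nid);
+ if (ecdh == NULL) {
+ fprintf(stderr, "EC curve '%s' not found\n", CONFIG->EC_CURVE);
+ } else {
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ EC_KEY_free(ecdh);
+ }
+ }
+ }
+
 if (CONFIG->PMODE == SSL_CLIENT) {
 return ctx;
 }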
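Review bot: A curve name rejected by OBJ_sn2nid or by EC_KEY_new_by_curve_name only produces a line on stderr and make_ctx carries on, so an operator who explicitly set ec-curve ends up with a context that has no ECDH curve at all and whose behaviour silently differs from the configuration file; since the setting is opt-in, treating the failure as fatal is the safer choice, e.g. `exit(1);` after each of the two fprintf calls (whether make_ctx's other setup failures already exit cannot be seen from the hunk, but matching them would be the consistent choice). The return value of SSL_CTX_set_tmp_ecdh is also discarded even though it reports failure; `if (SSL_CTX_set_tmp_ecdh(ctx, ecdh) != 1) { /* report and fail */ }` should get the same handling before the EC_KEY_free. The two messages differ only in the word "id", which makes a log line ambiguous about which lookup failed; `"EC curve '%s': EC_KEY_new_by_curve_name failed\n"` for the second would distinguish them. make_ctx continues outside the hunk.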


@georgekola
Owner

Looks Good!
