sstp: add ECDSA certs support and ssl-ecdh-curve option for ECDHE cip…

…hers
henriqueof · Jun 5, 2018 · d84c4b9 · d84c4b9
1 parent 9dd5287
commit d84c4b9
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/accel-pppd/accel-ppp.conf b/accel-pppd/accel-ppp.conf
@@ -113,6 +113,7 @@ verbose=1
 #cert-hash-sha256=
 #accept=ssl,proxy
 #ssl-dhparam=/etc/ssl/dhparam.pem
+#ssl-ecdh-curve=prime256v1
 #ssl-ciphers=DEFAULT
 #ssl-prefer-server-ciphers=0
 #ssl-ca-file=/etc/ssl/sstp-ca.crt

diff --git a/accel-pppd/accel-ppp.conf.5 b/accel-pppd/accel-ppp.conf.5
@@ -684,6 +684,9 @@ Specifies incoming connection acceptance mode.
 .BI "ssl-dhparam=" pemfile
 Specifies a file with DH parameters for DHE ciphers.
 .TP
+.BI "ssl-ecdh-curve=" string
+Specifies a curves for ECDHE ciphers. Value is specified in the format understood by the OpenSSL library.
+.TP
 .BI "ssl-ciphers=" string
 Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library.
 .TP

diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c
@@ -2370,6 +2370,9 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 #endif
 #ifndef OPENSSL_NO_DH
 				SSL_OP_SINGLE_DH_USE |
+#endif
+#ifndef OPENSSL_NO_ECDH
+			        SSL_OP_SINGLE_ECDH_USE |
 #endif
 				SSL_OP_NO_SSLv2 |
 				SSL_OP_NO_SSLv3 |
@@ -2400,6 +2403,40 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 		}
 #endif
 
+#ifndef OPENSSL_NO_ECDH
+		opt = conf_get_opt("sstp", "ssl-ecdh-curve");
+		{
+#if defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_CURVES_LIST)
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+			/* not needed in OpenSSL 1.1.0+ */
+			SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
+#endif
+			if (opt && SSL_CTX_set1_curves_list(ssl_ctx, opt) == 0) {
+				log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+				goto error;
+			}
+#else
+			EC_KEY *ecdh;
+			int nid;
+
+			nid = OBJ_sn2nid(opt ? : "prime256v1");
+			if (nid == 0) {
+				log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+				goto error;
+			}
+
+			ecdh = EC_KEY_new_by_curve_name(nid);
+			if (ecdh == NULL) {
+				log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL));
+				goto error;
+			}
+
+			SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
+			EC_KEY_free(ecdh);
+#endif
+		}
+#endif
+
 		opt = conf_get_opt("sstp", "ssl-ciphers");
 		if (opt && SSL_CTX_set_cipher_list(ssl_ctx, opt) != 1) {
 			log_error("sstp: SSL cipher list error: %s\n", ERR_error_string(ERR_get_error(), NULL));