From: jsing Date: Mon, 4 Aug 2014 16:18:42 +0000 (+0000) Subject: A ressl server needs different configuration from a ressl client - provide X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=324b29ae707916c13234efa97964fdc76c92d9de;p=openbsd A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
---
diff --git a/lib/libressl/ressl.c b/lib/libressl/ressl.c
index 44a8a194210..439b6d1edda 100644
--- a/lib/libressl/ressl.c
+++ b/lib/libressl/ressl.c
@@ -87,6 +87,9 @@ ressl_configure(struct ressl *ctx, struct ressl_config *config)
 ctx->config = config;
+ if ((ctx->flags & RESSL_SERVER) != 0)
+ return (ressl_configure_server(ctx));
+
 return (0);
 }
diff --git a/lib/libressl/ressl_internal.h b/lib/libressl/ressl_internal.h
index 75ca11dd02b..44d098b4b35 100644
--- a/lib/libressl/ressl_internal.h
+++ b/lib/libressl/ressl_internal.h
@@ -56,6 +56,7 @@ struct ressl *ressl_server_conn(struct ressl *ctx);
 int ressl_check_hostname(X509 *cert, const char *host);
 int ressl_configure_keypair(struct ressl *ctx);
+int ressl_configure_server(struct ressl *ctx);
 int ressl_host_port(const char *hostport, char **host, char **port);
 int ressl_set_error(struct ressl *ctx, char *fmt, ...);
diff --git a/lib/libressl/ressl_server.c b/lib/libressl/ressl_server.c
index 4aadda2f6b0..3fbff91be2c 100644
--- a/lib/libressl/ressl_server.c
+++ b/lib/libressl/ressl_server.c
@@ -14,6 +14,9 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include
+#include
+
 #include "ressl_internal.h"
 struct ressl *
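Review bot: The new server branch in ressl_configure() returns ressl_configure_server()'s result, but ctx->config has already been stored on the line above it, so on -1 the ctx is left holding the config pointer plus whatever ressl_configure_server() left in ctx->ssl_ctx; the function's contract should state what a caller may do with the ctx after a failure. The client path still returns 0 without touching ctx->ssl_ctx, presumably because the client's SSL_CTX is built later on the connect path, which deserves a comment such as `/* Only server contexts build their SSL_CTX here; clients are set up when they connect. */` once confirmed against the client code. The body of ressl_configure() starts before this hunk.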
@@ -42,6 +45,40 @@ ressl_server_conn(struct ressl *ctx)
 return (conn_ctx);
 }
+int
+ressl_configure_server(struct ressl *ctx)
+{
+ EC_KEY *ecdh_key;
+
+ /* XXX - add a configuration option to control versions. */
+ if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
+ ressl_set_error(ctx, "ssl context failure");
+ goto err;
+ }
+
+ if (ressl_configure_keypair(ctx) != 0)
+ goto err;
+
+ if (ctx->config->ciphers != NULL) {
+ if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
+ ctx->config->ciphers) != 1) {
+ ressl_set_error(ctx, "failed to set ciphers");
+ goto err;
+ }
+ }
+
+ if ((ecdh_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) == NULL)
+ goto err;
+ SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key);
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh_key);
+
+ return (0);
+
+err:
+ return (-1);
+}
+
 int
 ressl_listen(struct ressl *ctx, const char *host, const char *port, int af)
 {
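Review bot: The EC_KEY_new_by_curve_name() failure branch in ressl_configure_server() jumps to err without recording a reason, unlike the SSL_CTX_new() and cipher-list failures above it, so add `ressl_set_error(ctx, "failed to create ecdh key");` before that goto. SSL_CTX_set_tmp_ecdh() also returns a status that the next line discards, so a failed ECDH setup would silently leave the server without the ephemeral key it was meant to have; `if (SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key) != 1) { EC_KEY_free(ecdh_key); goto err; }` with a matching error message covers it. Every err path leaves the SSL_CTX allocated by the first check in ctx->ssl_ctx, and a second ressl_configure() call on the same ctx overwrites that pointer, so unless the ctx teardown releases it the context leaks; freeing and NULLing ctx->ssl_ctx under err would make the failure state explicit. Until the version option named in the XXX comment exists, the existing SSL_CTX_set_options() call could also carry SSL_OP_NO_SSLv3 so the SSLv23 method does not negotiate SSLv3 by default.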