From 3eb7cc8fc384f98d85b9a9530d417018a6942a74 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 4 Aug 2014 16:18:42 +0000
Subject: A ressl server needs different configuration from a ressl client - provide a specific server configuration function and call this from ressl_configure.
---
src/lib/libressl/ressl.c | 3 +++
src/lib/libressl/ressl_internal.h | 1 +
src/lib/libressl/ressl_server.c | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 41 insertions(+)
(limited to 'src/lib')
diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c
index 44a8a19421..439b6d1edd 100644
--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -87,6 +87,9 @@ ressl_configure(struct ressl *ctx, struct ressl_config *config)
 ctx->config = config;
+ if ((ctx->flags & RESSL_SERVER) != 0)
+ return (ressl_configure_server(ctx));
+
 return (0);
 }
diff --git a/src/lib/libressl/ressl_internal.h b/src/lib/libressl/ressl_internal.h
index 75ca11dd02..44d098b4b3 100644
--- a/src/lib/libressl/ressl_internal.h
+++ b/src/lib/libressl/ressl_internal.h
@@ -56,6 +56,7 @@ struct ressl *ressl_server_conn(struct ressl *ctx);
 int ressl_check_hostname(X509 *cert, const char *host);
 int ressl_configure_keypair(struct ressl *ctx);
+int ressl_configure_server(struct ressl *ctx);
 int ressl_host_port(const char *hostport, char **host, char **port);
 int ressl_set_error(struct ressl *ctx, char *fmt, ...);
diff --git a/src/lib/libressl/ressl_server.c b/src/lib/libressl/ressl_server.c
index 4aadda2f6b..3fbff91be2 100644
--- a/src/lib/libressl/ressl_server.c
+++ b/src/lib/libressl/ressl_server.c
@@ -14,6 +14,9 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include
+#include
+
 #include "ressl_internal.h"
 struct ressl *
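Review bot: The new server branch in ressl_configure() hands ctx to ressl_configure_server(), which dereferences ctx->config->ciphers, so a server ctx configured with a NULL config now crashes where a client ctx still returns 0; unless the part of ressl_configure() above this hunk already rejects a NULL config, a guard such as `if (config == NULL) return (-1);` before the assignment is warranted. Note also that ctx->config is stored before the server setup runs, so on a -1 return the ctx keeps pointing at a config that was only partially applied; the caller contract for a failed configure (ctx unusable, or config reset) should be stated in a comment on the function. ressl_configure() starts outside this hunk.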
@@ -42,6 +45,40 @@ ressl_server_conn(struct ressl *ctx)
 return (conn_ctx);
 }
+int
+ressl_configure_server(struct ressl *ctx)
+{
+ EC_KEY *ecdh_key;
+
+ /* XXX - add a configuration option to control versions. */
+ if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
+ ressl_set_error(ctx, "ssl context failure");
+ goto err;
+ }
+
+ if (ressl_configure_keypair(ctx) != 0)
+ goto err;
+
+ if (ctx->config->ciphers != NULL) {
+ if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
+ ctx->config->ciphers) != 1) {
+ ressl_set_error(ctx, "failed to set ciphers");
+ goto err;
+ }
+ }
+
+ if ((ecdh_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) == NULL)
+ goto err;
+ SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key);
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh_key);
+
+ return (0);
+
+err:
+ return (-1);
+}
+
 int
 ressl_listen(struct ressl *ctx, const char *host, const char *port, int af)
 {
-- cgit v1.2.3-55-g6feb
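Review bot: The `err:` label at the end of ressl_configure_server() returns -1 without releasing the SSL_CTX created at the top of the function, so every failure after a successful SSL_CTX_new() — keypair, cipher list or ECDH key — leaks it and leaves ctx->ssl_ctx pointing at a half-configured context; the label should read `err:` / `SSL_CTX_free(ctx->ssl_ctx);` / `ctx->ssl_ctx = NULL;` before `return (-1);`. The ECDH branch also jumps to err with no message, so the caller receives -1 and a stale or empty error string; add `ressl_set_error(ctx, "failed to create ECDH key");` before that `goto err`, and check the return of SSL_CTX_set_tmp_ecdh() the way the cipher-list call is checked. As the XXX comment concedes, SSLv23_server_method() is version-agnostic, which on a library build that still ships SSLv3 means this server will negotiate it; until the version option exists, `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` could be folded into the existing SSL_CTX_set_options() call. Since ressl_configure() calls this on every invocation, a second configure of the same ctx would also overwrite the previous ssl_ctx without freeing it.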