int
ssl_setup(SSL_CTX **ctxp, struct pki *pki)
{
DH *dh;
SSL_CTX *ctx;
ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len);
if (!SSL_CTX_set_session_id_context(ctx,
(const unsigned char *)pki->pki_name,
strlen(pki->pki_name) + 1))
goto err;
if (pki->pki_dhparams_len == 0)
dh = get_dh1024();
else
dh = get_dh_from_memory(pki->pki_dhparams,
pki->pki_dhparams_len);
ssl_set_ephemeral_key_exchange(ctx, dh);
DH_free(dh);
ssl_set_ecdh_curve(ctx, SSL_ECDH_CURVE);
*ctxp = ctx;
return 1;
err:
SSL_CTX_free(ctx);
ssl_error("ssl_setup");
return 0;
}
int
ssl_setup(SSL_CTX **ctxp, struct pki *pki,
int (*sni_cb)(SSL *,int *,void *), const char *ciphers)
{
SSL_CTX *ctx;
uint8_t sid[SSL_MAX_SID_CTX_LENGTH];
ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len, ciphers);
/*
* Set session ID context to a random value. We don't support
* persistent caching of sessions so it is OK to set a temporary
* session ID context that is valid during run time.
*/
arc4random_buf(sid, sizeof(sid));
if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
goto err;
if (sni_cb)
SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
SSL_CTX_set_dh_auto(ctx, pki->pki_dhe);
SSL_CTX_set_ecdh_auto(ctx, 1);
*ctxp = ctx;
return 1;
err:
SSL_CTX_free(ctx);
ssl_error("ssl_setup");
return 0;
}
int
ssl_setup(SSL_CTX **ctxp, struct pki *pki, int (*sni_cb)(SSL *,int *,void *),
const char *ciphers, const char *curve)
{
DH *dh;
SSL_CTX *ctx;
u_int8_t sid[SSL_MAX_SID_CTX_LENGTH];
ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len, ciphers);
/*
* Set session ID context to a random value. We don't support
* persistent caching of sessions so it is OK to set a temporary
* session ID context that is valid during run time.
*/
arc4random_buf(sid, sizeof(sid));
if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
goto err;
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, dummy_verify);
if (sni_cb)
SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
if (pki->pki_dhparams_len == 0)
dh = get_dh();
else
dh = get_dh_from_memory(pki->pki_dhparams,
pki->pki_dhparams_len);
ssl_set_ephemeral_key_exchange(ctx, dh);
DH_free(dh);
ssl_set_ecdh_curve(ctx, curve);
*ctxp = ctx;
return 1;
err:
SSL_CTX_free(ctx);
ssl_error("ssl_setup");
return 0;
}
void *
ssl_mta_init(void *pkiname, char *cert, off_t cert_len, const char *ciphers)
{
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
ctx = ssl_ctx_create(pkiname, cert, cert_len, ciphers);
if ((ssl = SSL_new(ctx)) == NULL)
goto err;
if (!SSL_set_ssl_method(ssl, SSLv23_client_method()))
goto err;
SSL_CTX_free(ctx);
return (void *)(ssl);
err:
if (ssl != NULL)
SSL_free(ssl);
if (ctx != NULL)
SSL_CTX_free(ctx);
ssl_error("ssl_mta_init");
return (NULL);
}
