DH *SSL_dh_get_tmp_param(int key_len)
{
DH *dh;
if (key_len == 512)
dh = get_dh(SSL_TMP_KEY_DH_512);
else if (key_len == 1024)
dh = get_dh(SSL_TMP_KEY_DH_1024);
else if (key_len == 2048)
dh = get_dh(SSL_TMP_KEY_DH_2048);
else if (key_len == 4096)
dh = get_dh(SSL_TMP_KEY_DH_4096);
else
dh = get_dh(SSL_TMP_KEY_DH_1024);
return dh;
}
int
ssl_setup(SSL_CTX **ctxp, struct pki *pki, int (*sni_cb)(SSL *,int *,void *),
const char *ciphers, const char *curve)
{
DH *dh;
SSL_CTX *ctx;
u_int8_t sid[SSL_MAX_SID_CTX_LENGTH];
ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len, ciphers);
/*
* Set session ID context to a random value. We don't support
* persistent caching of sessions so it is OK to set a temporary
* session ID context that is valid during run time.
*/
arc4random_buf(sid, sizeof(sid));
if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
goto err;
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, dummy_verify);
if (sni_cb)
SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
if (pki->pki_dhparams_len == 0)
dh = get_dh();
else
dh = get_dh_from_memory(pki->pki_dhparams,
pki->pki_dhparams_len);
ssl_set_ephemeral_key_exchange(ctx, dh);
DH_free(dh);
ssl_set_ecdh_curve(ctx, curve);
*ctxp = ctx;
return 1;
err:
SSL_CTX_free(ctx);
ssl_error("ssl_setup");
return 0;
}
