/*
 * Return a temporary DH parameter set for the requested modulus size.
 *
 * key_len: requested DH modulus size in bits.  512, 1024, 2048 and 4096
 *          select the matching built-in group; any other value falls
 *          back to the 1024-bit group.
 *
 * Returns whatever get_dh() yields for the selected group; the caller
 * owns the result (DH_free() when done, as the rest of this file does).
 *
 * NOTE(review): 512-bit groups (and, under current guidance, 1024-bit
 * ones) are below modern minimum strengths for ephemeral DH.  Whether
 * callers can ever request those sizes is not visible here — confirm
 * at the call sites.
 */
DH *
SSL_dh_get_tmp_param(int key_len)
{
	switch (key_len) {
	case 512:
		return get_dh(SSL_TMP_KEY_DH_512);
	case 1024:
		return get_dh(SSL_TMP_KEY_DH_1024);
	case 2048:
		return get_dh(SSL_TMP_KEY_DH_2048);
	case 4096:
		return get_dh(SSL_TMP_KEY_DH_4096);
	default:
		/* Unknown sizes use the 1024-bit group, as before. */
		return get_dh(SSL_TMP_KEY_DH_1024);
	}
}
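/*
 * Build a server-side SSL_CTX for the given PKI entry and hand it back
 * through *ctxp.
 *
 * ctxp:    receives the new context on success; left untouched on failure.
 * pki:     certificate material (pki_name, pki_cert, pki_cert_len) and
 *          optional DH parameters (pki_dhparams, pki_dhparams_len).
 * sni_cb:  optional servername (SNI) callback; installed only when non-NULL.
 * ciphers: cipher list passed through to ssl_ctx_create().
 * curve:   ECDH curve name passed through to ssl_set_ecdh_curve().
 *
 * Returns 1 on success.  Returns 0 on failure after freeing the context
 * and reporting through ssl_error().
 */
int
ssl_setup(SSL_CTX **ctxp, struct pki *pki, int (*sni_cb)(SSL *,int *,void *),
    const char *ciphers, const char *curve)
{
	DH *dh;
	SSL_CTX *ctx;
	u_int8_t sid[SSL_MAX_SID_CTX_LENGTH];

	ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len,
	    ciphers);
	/*
	 * Every call below dereferences ctx, so a NULL context must not
	 * reach them.  Whether ssl_ctx_create() can actually return NULL
	 * (rather than failing hard) is not visible here; the check is
	 * cheap and SSL_CTX_free(NULL) is a no-op, so the error path
	 * remains valid either way.
	 */
	if (ctx == NULL)
		goto err;

	/*
	 * Set session ID context to a random value. We don't support
	 * persistent caching of sessions so it is OK to set a temporary
	 * session ID context that is valid during run time.
	 */
	arc4random_buf(sid, sizeof(sid));
	if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
		goto err;

	/*
	 * Ask the peer for a certificate; dummy_verify decides what is
	 * done with the verification outcome.  NOTE(review): dummy_verify
	 * is not visible here — if it accepts unconditionally, the real
	 * verify result has to be examined by the connection code.
	 */
	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, dummy_verify);

	if (sni_cb)
		SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);

	/*
	 * Ephemeral DH: prefer the parameters shipped with this PKI entry,
	 * otherwise use the built-in group.  A NULL dh (parse failure or
	 * allocation failure) is left to ssl_set_ephemeral_key_exchange()
	 * to handle — its behaviour is not visible here; DH_free(NULL) is
	 * a no-op.
	 */
	if (pki->pki_dhparams_len == 0)
		dh = get_dh();
	else
		dh = get_dh_from_memory(pki->pki_dhparams, pki->pki_dhparams_len);
	ssl_set_ephemeral_key_exchange(ctx, dh);
	/* The context holds its own reference; drop ours. */
	DH_free(dh);

	ssl_set_ecdh_curve(ctx, curve);

	*ctxp = ctx;
	return 1;

err:
	SSL_CTX_free(ctx);
	ssl_error("ssl_setup");
	return 0;
}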