Add SSL_CONF command to set DH Parameters.

diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index c57bf80109b60ee94937cb67d58f19f74fe21370..c55f63128be9ff0be62c7bc3423e980c9ce9bbe3 100644 (file)
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -103,6 +103,12 @@ context. This option is only supported if certificate operations
 are permitted. Note: if no B<-key> option is set then a private key is
 not loaded: it does not currently use the B<-cert> file.
 
+=item B<-dhparam>
+
+Attempts to use the file B<value> as the set of temporary DH parameters for
+the appropriate context. This option is only supported if certificate
+operations are permitted.
+
 =item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
 
 Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 
@@ -185,6 +191,12 @@ context. This option is only supported if certificate operations
 are permitted. Note: if no B<-key> option is set then a private key is
 not loaded: it does not currently use the B<Certificate> file.
 
+=item B<DHParameters>
+
+Attempts to use the file B<value> as the set of temporary DH parameters for
+the appropriate context. This option is only supported if certificate
+operations are permitted.
+
 =item B<SignatureAlgorithms>
 
 This sets the supported signature algorithms for TLS v1.2. For clients this

diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 90d77fa0344049f5908583187ff9110955f6071a..a6c79e45bbd2964330e3a1c1baf4ddb2a149dc3a 100644 (file)
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -388,7 +388,39 @@ static int cmd_PrivateKey(SSL_CONF_CTX *cctx, const char *value)
                rv = SSL_use_PrivateKey_file(cctx->ssl, value, SSL_FILETYPE_PEM);
        return rv > 0;
        }
-
+#ifndef OPENSSL_NO_DH
+static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
+       {
+       int rv = 0;
+       DH *dh = NULL;
+       BIO *in = NULL;
+       if (!(cctx->flags & SSL_CONF_FLAG_CERTIFICATE))
+               return -2;
+       if (cctx->ctx || cctx->ssl)
+               {
+               in = BIO_new(BIO_s_file_internal());
+               if (!in)
+                       goto end;
+               if (BIO_read_filename(in, value) <= 0)
+                       goto end;
+               dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
+               if (!dh)
+                       goto end;
+               }
+       else
+               return 1;
+       if (cctx->ctx)
+               rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh);
+       if (cctx->ssl)
+               rv = SSL_set_tmp_dh(cctx->ssl, dh);
+       end:
+       if (dh)
+               DH_free(dh);
+       if (in)
+               BIO_free(in);
+       return rv > 0;
+       }
+#endif
 typedef struct
        {
        int (*cmd)(SSL_CONF_CTX *cctx, const char *value);
@@ -416,7 +448,10 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
        SSL_CONF_CMD_STRING(Protocol, NULL),
        SSL_CONF_CMD_STRING(Options, NULL),
        SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE),
-       SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE)
+       SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE),
+#ifndef OPENSSL_NO_DH
+       SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_TYPE_FILE)
+#endif
 };
 
 static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)