From 4e81a34146923dcd7fff5026bf08a8f05497fd90 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 28 Jun 2014 15:43:06 +0900
Subject: [PATCH] nghttpd: Add --dh-param-file option to support DHE ciphers

---
 src/HttpServer.cc | 22 ++++++++++++++++++++++
 src/HttpServer.h | 1 +
 src/nghttpd.cc | 9 +++++++++
 3 files changed, 32 insertions(+)

diff --git a/src/HttpServer.cc b/src/HttpServer.cc
index 8880166b..9f660cd8 100644
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -1694,6 +1694,28 @@ int HttpServer::run()
 #endif // OPENSSL_NO_EC
+ if(!config_->dh_param_file.empty()) {
+ // Read DH parameters from file
+ auto bio = BIO_new_file(config_->dh_param_file.c_str(), "r");
+ if(bio == nullptr) {
+ std::cerr << "BIO_new_file() failed: " << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+ return -1;
+ }
+
+ auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
+
+ if(dh == nullptr) {
+ std::cerr << "PEM_read_bio_DHparams() failed: " << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+ return -1;
+ }
+
+ SSL_CTX_set_tmp_dh(ssl_ctx, dh);
+ DH_free(dh);
+ BIO_free(bio);
+ }
+
 if(SSL_CTX_use_PrivateKey_file(ssl_ctx, config_->private_key_file.c_str(), SSL_FILETYPE_PEM) != 1) {
diff --git a/src/HttpServer.h b/src/HttpServer.h
index efba5434..91cba297 100644
--- a/src/HttpServer.h
+++ b/src/HttpServer.h
@@ -63,6 +63,7 @@ struct Config {
 std::string host;
 std::string private_key_file;
 std::string cert_file;
+ std::string dh_param_file;
 timeval stream_read_timeout;
 timeval stream_write_timeout;
 void *data_ptr;
diff --git a/src/nghttpd.cc b/src/nghttpd.cc
index b6ef4ff2..1a29d3c0 100644
--- a/src/nghttpd.cc
+++ b/src/nghttpd.cc
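Review bot: The return value of `SSL_CTX_set_tmp_dh(ssl_ctx, dh)` in the new HttpServer.cc block is ignored, so if OpenSSL rejects the parameters (it can, and newer releases do for groups below the configured security level) the server comes up without DHE and without any diagnostic while the operator believes the file took effect; check it and fail like the neighbouring `BIO_new_file()`/`PEM_read_bio_DHparams()` calls do. On the `dh == nullptr` path `bio` is also leaked, because `BIO_free(bio)` runs only on the success path; freeing the BIO right after the read removes that path entirely. Nothing bounds the group size, so a 512- or 1024-bit file is accepted silently and weakens every DHE handshake below what the server would have offered with ECDHE alone; rejecting `DH_size(dh) < 256` (2048 bits) is the usual floor, though whether to hard-fail rather than warn is a policy choice. `HttpServer::run` starts and ends outside the hunk.
```cpp
      // … unchanged: BIO_new_file() and its error check …
      auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
      BIO_free(bio); // DH object is independent of the BIO once read

      if(dh == nullptr) {
        std::cerr << "PEM_read_bio_DHparams() failed: "
                  << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
        return -1;
      }

      // DH_size() is in bytes; anything below 2048 bits offers no real
      // security over simply not enabling DHE.
      if(DH_size(dh) < 256) {
        std::cerr << "DH parameters too small: " << DH_size(dh) * 8
                  << " bits, expected at least 2048" << std::endl;
        DH_free(dh);
        return -1;
      }

      if(SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) {
        std::cerr << "SSL_CTX_set_tmp_dh() failed: "
                  << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
        DH_free(dh);
        return -1;
      }
      DH_free(dh);
```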
@@ -133,6 +133,10 @@ Options:
 Set the number of worker threads. Default: 1
 -e, --error-gzip Make error response gzipped.
+ --dh-param-file=
+ Path to file that contains DH parameters in PEM
+ format. Without this option, DHE cipher suites
+ are not available.
 --version Display version information and exit.
 -h, --help Display this help and exit.)" << std::endl;
@@ -159,6 +163,7 @@ int main(int argc, char **argv)
 {"no-tls", no_argument, &flag, 1},
 {"color", no_argument, &flag, 2},
 {"version", no_argument, &flag, 3},
+ {"dh-param-file", required_argument, &flag, 4},
 {nullptr, 0, nullptr, 0}
 };
 int option_index = 0;
@@ -233,6 +238,10 @@ int main(int argc, char **argv)
 // version
 print_version(std::cout);
 exit(EXIT_SUCCESS);
+ case 4:
+ // dh-param-file
+ config.dh_param_file = optarg;
+ break;
 }
 break;
 default: