Fix/update for post-quantum cryptography in TLS

etc/openwsman.conf

@@ -32,8 +32,12 @@ ipv6 = yes
 
 # the openwsman server certificate file, in .pem format
 ssl_cert_file = /etc/openwsman/servercert.pem
+# the openwsman server certificate fallback file, in .pem format
+#ssl_cert_fallback_file = /etc/openwsman/servercert-fallback.pem
 # the openwsman server private key, in .pem format
 ssl_key_file = /etc/openwsman/serverkey.pem
+# the openwsman server private key fallback, in .pem format
+#ssl_key_fallback_file = /etc/openwsman/serverkey-fallback.pem
 
 # space-separated list of SSL protocols to *dis*able
 # possible values: SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv1_2

src/server/shttpd/shttpd.c

@@ -1508,7 +1508,6 @@ set_ssl(struct shttpd_ctx *ctx, const char *pem)
 	char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols();
 	char *ssl_cipher_list = wsmand_options_get_ssl_cipher_list();
 	int		retval = FALSE;
-	EC_KEY*		key;
 
 	/* Load SSL library dynamically */
 	if ((lib = dlopen(SSL_LIB, RTLD_LAZY)) == NULL) {
@@ -1539,11 +1538,15 @@ set_ssl(struct shttpd_ctx *ctx, const char *pem)
 	else
 		retval = TRUE;
 
-	/* This enables ECDH Perfect Forward secrecy. Currently with just the most generic p256 prime curve */
-	key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-	if (key != NULL) {
-		SSL_CTX_set_tmp_ecdh(CTX, key);
-		EC_KEY_free(key);
+	/* Add fall back certificate/key pair */
+	if (wsmand_options_get_ssl_cert_fallback_file() &&
+                    wsmand_options_get_ssl_key_fallback_file()) {
+		if (SSL_CTX_use_certificate_file(CTX, wsmand_options_get_ssl_cert_fallback_file(), SSL_FILETYPE_PEM) != 1)
+			_shttpd_report_ssl_error("cannot open certificate fallback file", wsmand_options_get_ssl_cert_fallback_file());
+		else if (SSL_CTX_use_PrivateKey_file(CTX, wsmand_options_get_ssl_key_fallback_file(), SSL_FILETYPE_PEM) != 1)
+			_shttpd_report_ssl_error("cannot open fallback PrivateKey", wsmand_options_get_ssl_key_fallback_file());
+		else
+			retval = TRUE;
 	}
 
 	while (ssl_disabled_protocols) {

src/server/wsmand-daemon.c

@@ -76,8 +76,10 @@ static int use_ipv6 = 0;
 #endif
 static int use_digest = 0;
 static char *ssl_key_file = NULL;
+static char *ssl_key_fallback_file = NULL;
 static char *service_path = DEFAULT_SERVICE_PATH;
 static char *ssl_cert_file = NULL;
+static char *ssl_cert_fallback_file = NULL;
 static char *ssl_disabled_protocols = NULL;
 static char *ssl_cipher_list = NULL;
 static char *pid_file = DEFAULT_PID_PATH;
@@ -186,7 +188,9 @@ int wsmand_read_config(dictionary * ini)
 	service_path =
 	    iniparser_getstring(ini, "server:service_path", "/wsman");
 	ssl_key_file = iniparser_getstr(ini, "server:ssl_key_file");
+	ssl_key_fallback_file = iniparser_getstr(ini, "server:ssl_key_fallback_file");
 	ssl_cert_file = iniparser_getstr(ini, "server:ssl_cert_file");
+	ssl_cert_fallback_file = iniparser_getstr(ini, "server:ssl_cert_fallback_file");
         ssl_disabled_protocols = iniparser_getstr(ini, "server:ssl_disabled_protocols");
         ssl_cipher_list = iniparser_getstr(ini, "server:ssl_cipher_list");
 	use_ipv4 = iniparser_getboolean(ini, "server:ipv4", 1);
@@ -364,6 +368,16 @@ char *wsmand_options_get_ssl_cert_file(void)
 	return ssl_cert_file;
 }
 
+char *wsmand_options_get_ssl_key_fallback_file(void)
+{
+	return ssl_key_fallback_file;
+}
+
+char *wsmand_options_get_ssl_cert_fallback_file(void)
+{
+	return ssl_cert_fallback_file;
+}
+
 char *wsmand_options_get_ssl_disabled_protocols(void)
 {
 	return ssl_disabled_protocols;

src/server/wsmand-daemon.h

@@ -76,6 +76,8 @@ int wsmand_options_get_server_port(void);
 int wsmand_options_get_server_ssl_port(void);
 char *wsmand_options_get_ssl_key_file(void);
 char *wsmand_options_get_ssl_cert_file(void);
+char *wsmand_options_get_ssl_key_fallback_file(void);
+char *wsmand_options_get_ssl_cert_fallback_file(void);
 char *wsmand_options_get_ssl_disabled_protocols(void);
 char *wsmand_options_get_ssl_cipher_list(void);
 int wsmand_options_get_digest(void);