From 4dfa8248a12957f92b28d1eb2893294e84770ed2 Mon Sep 17 00:00:00 2001
From: mom040267
Date: Sun, 14 Dec 2014 07:26:38 +0000
Subject: [PATCH] iauto ecdh curve parameters; docs.
---
 ChangeLog | 1 +
 README.turnserver | 7 +++++--
 examples/etc/turnserver.conf | 7 +++++--
 man/man1/turnadmin.1 | 2 +-
 man/man1/turnserver.1 | 9 ++++++---
 man/man1/turnutils.1 | 2 +-
 src/apps/common/apputils.h | 6 ++++++
 src/apps/relay/mainrelay.c | 31 +++++++++++++++++++++++--------
 8 files changed, 48 insertions(+), 17 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 87f6fcba..791b8e6b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ Version 4.3.2.1 'Tolomei':
 - STUN/TURN ALPN supported (when compiled with OpenSSL 1.0.2+ );
 - DTLS v1.2 supported (when compiled with OpenSSL 1.0.2+ );
+ - Auto optimal ECDH parameters (when compiled with OpenSSL 1.0.2+ );
 - TLS/DTLS code cleaning.
 11/29/2014 Oleg Moskalenko
diff --git a/README.turnserver b/README.turnserver
index 06fe32d0..79de0d56 100644
--- a/README.turnserver
+++ b/README.turnserver
@@ -444,8 +444,11 @@ Options with required values:
 Forces TURN server to verify the client SSL certificates.
 By default, no CA is set and no client certificate check is performed.
---ec-curve-name Curve name for EC ciphers, if supported by OpenSSL library (TLS and DTLS).
- The default value is prime256v1.
+--ec-curve-name Curve name for EC ciphers, if supported by OpenSSL
+ library (TLS and DTLS). The default value is prime256v1,
+ if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+ an optimal curve will be automatically calculated, if not defined
+ by this option.
 --dh-file Use custom DH TLS key, stored in PEM format in the file.
 Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf
index efd96225..6e3c2f95 100644
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@@ -418,8 +418,11 @@
 # Example:
 #CA-file=/etc/ssh/id_rsa.cert
-# Curve name for EC ciphers, if supported by OpenSSL library (TLS and DTLS).
-# The default value is prime256v1.
+# Curve name for EC ciphers, if supported by OpenSSL
+# library (TLS and DTLS). The default value is prime256v1,
+# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+# an optimal curve will be automatically calculated, if not defined
+# by this option.
 #
 #ec-curve-name=prime256v1
diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1
index 6b1d34f0..36e92cfb 100644
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "10 December 2014" "" ""
+.TH TURN 1 "13 December 2014" "" ""
 .SH GENERAL INFORMATION
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1
index 5882842a..e60e14d8 100644
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "10 December 2014" "" ""
+.TH TURN 1 "13 December 2014" "" ""
 .SH GENERAL INFORMATION
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@@ -649,8 +649,11 @@ By default, no CA is set and no client certificate check is performed.
 .TP
 .B \fB\-\-ec\-curve\-name\fP
-Curve name for EC ciphers, if supported by OpenSSL library (TLS and DTLS).
-The default value is prime256v1.
+Curve name for EC ciphers, if supported by OpenSSL
+library (TLS and DTLS). The default value is prime256v1,
+if pre\-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+an optimal curve will be automatically calculated, if not defined
+by this option.
 .TP
 .B \fB\-\-dh\-file\fP
diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1
index 61851d7c..b75d33d3 100644
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "10 December 2014" "" ""
+.TH TURN 1 "13 December 2014" "" ""
 .SH GENERAL INFORMATION
 A set of turnutils_* programs provides some utility functionality to be used
diff --git a/src/apps/common/apputils.h b/src/apps/common/apputils.h
index c61c77a9..adb38b69 100644
--- a/src/apps/common/apputils.h
+++ b/src/apps/common/apputils.h
@@ -110,6 +110,12 @@ extern int IS_TURN_SERVER;
 #endif
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_FIRST_ALPN_VERSION
+#define SSL_SESSION_ECDH_AUTO_SUPPORTED 1
+#else
+#define SSL_SESSION_ECDH_AUTO_SUPPORTED 0
+#endif
+
 /////////// SSL //////////////////////////
 enum _TURN_TLS_TYPE {
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index 84f53bb4..a4090e33 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -509,8 +509,11 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --CA-file CA file in OpenSSL format.\n"
 " Forces TURN server to verify the client SSL certificates.\n"
 " By default, no CA is set and no client certificate check is performed.\n"
-" --ec-curve-name Curve name for EC ciphers, if supported by OpenSSL library\n"
-" (TLS and DTLS). The default value is prime256v1.\n"
+" --ec-curve-name Curve name for EC ciphers, if supported by OpenSSL\n"
+" library (TLS and DTLS). The default value is prime256v1,\n"
+" if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,\n"
+" an optimal curve will be automatically calculated, if not defined\n"
+" by this option.\n"
 " --dh566 Use 566 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
 " --dh2066 Use 2066 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
 " --dh-file Use custom DH TLS key, stored in PEM format in the file.\n"
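Review bot: `SSL_SESSION_ECDH_AUTO_SUPPORTED` is gated on `OPENSSL_FIRST_ALPN_VERSION`, a constant named for an unrelated feature whose definition is not in this hunk; a reader cannot tell from here why an ALPN threshold decides whether `SSL_CTX_set_ecdh_auto` exists. If that macro were ever not defined at this point, `#if` would evaluate it as 0 and the auto path would be enabled on every OpenSSL build, including ones without the call. Consider a comment above the new block, `/* SSL_CTX_set_ecdh_auto() and ALPN arrived in the same OpenSSL release (1.0.2), so the ALPN version threshold is reused here */`, and a guard ahead of it: `#ifndef OPENSSL_FIRST_ALPN_VERSION` / `#error OPENSSL_FIRST_ALPN_VERSION must be defined before this point` / `#endif`.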
@@ -2435,23 +2438,35 @@ static void set_ctx(SSL_CTX* ctx, const char *protocol)
 #if !defined(OPENSSL_NO_EC) && defined(OPENSSL_EC_NAMED_CURVE)
 { //Elliptic curve algorithms:
 int nid = NID_X9_62_prime256v1;
+ int set_tmp_curve = !SSL_SESSION_ECDH_AUTO_SUPPORTED;
 if (turn_params.ec_curve_name[0]) {
 nid = OBJ_sn2nid(turn_params.ec_curve_name);
 if (nid == 0) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,"unknown curve name (%s), using NID_X9_62_prime256v1\n",turn_params.ec_curve_name);
 nid = NID_X9_62_prime256v1;
+ } else {
+ set_tmp_curve = 1;
 }
 }
- EC_KEY *ecdh = EC_KEY_new_by_curve_name(nid);
- if (!ecdh) {
- TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
+ if(set_tmp_curve) {
+ EC_KEY *ecdh = EC_KEY_new_by_curve_name(nid);
+ if (!ecdh) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
 "%s: ERROR: allocate EC suite\n",__FUNCTION__);
- } else {
- SSL_CTX_set_tmp_ecdh(ctx, ecdh);
- EC_KEY_free(ecdh);
+ set_tmp_curve = 0;
+ } else {
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ EC_KEY_free(ecdh);
+ }
 }
+
+#if SSL_SESSION_ECDH_AUTO_SUPPORTED
+ if(!set_tmp_curve) {
+ SSL_CTX_set_ecdh_auto(ctx,1);
+ }
+#endif
 }
 #endif
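Review bot: The result of `SSL_CTX_set_tmp_ecdh(ctx, ecdh)` inside the new `if(set_tmp_curve)` branch is not checked, so if it fails `set_tmp_curve` stays 1 and the `SSL_CTX_set_ecdh_auto` fallback below is skipped, leaving the context with no ECDH parameters at all and, presumably, no negotiable ECDHE suites; the allocation-failure branch already clears the flag and this path should do the same, e.g. `if (SSL_CTX_set_tmp_ecdh(ctx, ecdh) != 1) { set_tmp_curve = 0; }` with an error log before `EC_KEY_free(ecdh)`. Separately, when the configured name is unknown the unchanged log line still says "using NID_X9_62_prime256v1", but on builds where `SSL_SESSION_ECDH_AUTO_SUPPORTED` is 1 the flag is left at 0 and automatic selection is used instead, so the message no longer matches what happens. A one-line comment on the `int set_tmp_curve = !SSL_SESSION_ECDH_AUTO_SUPPORTED;` line, `/* explicit curve only when configured, or when auto selection is unavailable */`, would make the three-way decision readable. set_ctx begins and ends outside this hunk.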