>From 6f120920d359d3b880c5c56bde4c1b91c3bedb01 Mon Sep 17 00:00:00 2001 From: Ben Jencks Date: Sun, 27 Jan 2013 18:27:03 -0500 Subject: [PATCH] ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage. If a DHParamFile or olcDHParamFile is specified, then it will be used, otherwise a hardcoded 1024 bit parameter will be used. This allows the use of larger parameters; previously only 512 or 1024 bit parameters would ever be used. >From cfeb28412c28ce9feeea6e6c055286f201bd0a34 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Sat, 7 Sep 2013 06:39:53 -0700 Subject: [PATCH] ITS#7506 fix prev commit The patch unconditionally enabled DHparams, which is a significant change of behavior. Reverting to previous behavior, which only enables DH use if a DHparam file was configured. --- libraries/libldap/tls_o.c.orig 2015-07-15 18:14:17.000000000 +0200 +++ libraries/libldap/tls_o.c 2015-07-15 18:14:41.000000000 +0200 @@ -58,26 +58,15 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx ); static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx ); static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ); -static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ); - -typedef struct dhplist { - struct dhplist *next; - int keylength; - DH *param; -} dhplist; - -static dhplist *tlso_dhparams; - static int tlso_seed_PRNG( const char *randfile ); #ifdef LDAP_R_COMPILE /* * provide mutexes for the OpenSSL library. */ static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS]; -static ldap_pvt_thread_mutex_t tlso_dh_mutex; static void tlso_locking_cb( int mode, int type, const char *file, int line ) { if ( mode & CRYPTO_LOCK ) { @@ -106,9 +95,8 @@ for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) { ldap_pvt_thread_mutex_init( &tlso_mutexes[i] ); } - ldap_pvt_thread_mutex_init( &tlso_dh_mutex ); CRYPTO_set_locking_callback( tlso_locking_cb ); CRYPTO_set_id_callback( tlso_thread_self ); } #endif /* LDAP_R_COMPILE */ @@ -310,27 +298,27 @@ if ( lo->ldo_tls_dhfile ) { DH *dh = NULL; BIO *bio; - dhplist *p; + SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { Debug( LDAP_DEBUG_ANY, "TLS: could not use DH parameters file `%s'.\n", lo->ldo_tls_dhfile,0,0); tlso_report_error(); return -1; } - while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { - p = LDAP_MALLOC( sizeof(dhplist) ); - if ( p != NULL ) { - p->keylength = DH_size( dh ) * 8; - p->param = dh; - p->next = tlso_dhparams; - tlso_dhparams = p; - } + if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not read DH parameters file `%s'.\n", + lo->ldo_tls_dhfile,0,0); + tlso_report_error(); + BIO_free( bio ); + return -1; } BIO_free( bio ); + SSL_CTX_set_tmp_dh( ctx, dh ); } if ( tlso_opt_trace ) { SSL_CTX_set_info_callback( ctx, tlso_info_cb ); @@ -348,11 +336,8 @@ SSL_CTX_set_verify( ctx, i, lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ? tlso_verify_ok : tlso_verify_cb ); SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); - if ( lo->ldo_tls_dhfile ) { - SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb ); - } #ifdef HAVE_OPENSSL_CRL if ( lo->ldo_tls_crlcheck ) { X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) { @@ -1159,110 +1144,8 @@ return 0; } -struct dhinfo { - int keylength; - const char *pem; - size_t size; -}; - - -/* From the OpenSSL 0.9.7 distro */ -static const char tlso_dhpem512[] = -"-----BEGIN DH PARAMETERS-----\n\ -MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\ -a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\ ------END DH PARAMETERS-----\n"; - -static const char tlso_dhpem1024[] = -"-----BEGIN DH PARAMETERS-----\n\ -MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ -/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ -/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ ------END DH PARAMETERS-----\n"; - -static const char tlso_dhpem2048[] = -"-----BEGIN DH PARAMETERS-----\n\ -MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\ -AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\ -z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\ -pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\ -aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\ -Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\ ------END DH PARAMETERS-----\n"; - -static const char tlso_dhpem4096[] = -"-----BEGIN DH PARAMETERS-----\n\ -MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\ -vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\ -TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\ -bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\ -rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\ -EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\ -bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\ -W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\ -ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\ -NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\ -jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\ ------END DH PARAMETERS-----\n"; - -static const struct dhinfo tlso_dhpem[] = { - { 512, tlso_dhpem512, sizeof(tlso_dhpem512) }, - { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) }, - { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) }, - { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) }, - { 0, NULL, 0 } -}; - -static DH * -tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) -{ - struct dhplist *p = NULL; - BIO *b = NULL; - DH *dh = NULL; - int i; - - /* Do we have params of this length already? */ - LDAP_MUTEX_LOCK( &tlso_dh_mutex ); - for ( p = tlso_dhparams; p; p=p->next ) { - if ( p->keylength == key_length ) { - LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); - return p->param; - } - } - - /* No - check for hardcoded params */ - - for (i=0; tlso_dhpem[i].keylength; i++) { - if ( tlso_dhpem[i].keylength == key_length ) { - b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size ); - break; - } - } - - if ( b ) { - dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL ); - BIO_free( b ); - } - - /* Generating on the fly is expensive/slow... */ - if ( !dh ) { - dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL ); - } - if ( dh ) { - p = LDAP_MALLOC( sizeof(struct dhplist) ); - if ( p != NULL ) { - p->keylength = key_length; - p->param = dh; - p->next = tlso_dhparams; - tlso_dhparams = p; - } - } - - LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); - return dh; -} tls_impl ldap_int_tls_impl = { "OpenSSL",