ITS#7506 tls_g.c: Properly support DHParamFile.

If a DHParamFile or olcDHParamFile is specified then it will be loaded. This
allows use of DHE/EDH cipher suites which was previously impossible with
GnuTLS.

diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index dfdc35da43a3d80a2c322c87af70eefa93f5b1b0..969960e9c485975e3c73b045fb416a81f54fe3f1 100644 (file)
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -45,8 +45,6 @@
 #include <gnutls/x509.h>
 #include <gcrypt.h>
 
-#define DH_BITS        (1024)
-
 #if LIBGNUTLS_VERSION_NUMBER >= 0x020200
 #define        HAVE_CIPHERSUITES       1
 /* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x
@@ -277,6 +275,8 @@ tlsg_ctx_free ( tls_ctx *ctx )
        LDAP_FREE( c->kx_list );
 #endif
        gnutls_certificate_free_credentials( c->cred );
+       if ( c->dh_params )
+               gnutls_dh_params_deinit( c->dh_params );
        ber_memfree ( c );
 }
 
@@ -397,12 +397,6 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                return -1;
        }
 
-       if ( lo->ldo_tls_dhfile ) {
-               Debug( LDAP_DEBUG_ANY, 
-                      "TLS: warning: ignoring dhfile\n", 
-                      NULL, NULL, NULL );
-       }
-
        if ( lo->ldo_tls_crlfile ) {
                rc = gnutls_certificate_set_x509_crl_file( 
                        ctx->cred,
@@ -418,9 +412,20 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
        gnutls_certificate_set_verify_flags( ctx->cred,
                GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
 
-       if ( is_server ) {
-               gnutls_dh_params_init(&ctx->dh_params);
-               gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
+       if ( is_server && lo->ldo_tls_dhfile ) {
+               gnutls_datum_t buf;
+               rc = tlsg_getfile( lo->ldo_tls_dhfile, &buf );
+               if ( rc ) return -1;
+               rc = gnutls_dh_params_init(&ctx->dh_params);
+               if ( rc ) {
+                       LDAP_FREE( buf.data );
+                       return -1;
+               }
+               rc = gnutls_dh_params_import_pkcs3( ctx->dh_params, &buf,
+                       GNUTLS_X509_FMT_PEM );
+               LDAP_FREE( buf.data );
+               if ( rc ) return -1;
+               gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params );
        }
        return 0;
 }