From: Ben Jencks Date: Sun, 27 Jan 2013 22:26:14 +0000 (-0500) Subject: ITS#7506 tls_g.c: Properly support DHParamFile. X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=622d13a32ec8d623c26a11b60b63e443dc86df99;p=openldap ITS#7506 tls_g.c: Properly support DHParamFile. If a DHParamFile or olcDHParamFile is specified then it will be loaded. This allows use of DHE/EDH cipher suites which was previously impossible with GnuTLS. --- diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c index dfdc35da43..969960e9c4 100644 --- a/libraries/libldap/tls_g.c +++ b/libraries/libldap/tls_g.c @@ -45,8 +45,6 @@ #include #include -#define DH_BITS (1024) - #if LIBGNUTLS_VERSION_NUMBER >= 0x020200 #define HAVE_CIPHERSUITES 1 /* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x @@ -277,6 +275,8 @@ tlsg_ctx_free ( tls_ctx *ctx ) LDAP_FREE( c->kx_list ); #endif gnutls_certificate_free_credentials( c->cred ); + if ( c->dh_params ) + gnutls_dh_params_deinit( c->dh_params ); ber_memfree ( c ); } @@ -397,12 +397,6 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) return -1; } - if ( lo->ldo_tls_dhfile ) { - Debug( LDAP_DEBUG_ANY, - "TLS: warning: ignoring dhfile\n", - NULL, NULL, NULL ); - } - if ( lo->ldo_tls_crlfile ) { rc = gnutls_certificate_set_x509_crl_file( ctx->cred, @@ -418,9 +412,20 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) gnutls_certificate_set_verify_flags( ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ); - if ( is_server ) { - gnutls_dh_params_init(&ctx->dh_params); - gnutls_dh_params_generate2(ctx->dh_params, DH_BITS); + if ( is_server && lo->ldo_tls_dhfile ) { + gnutls_datum_t buf; + rc = tlsg_getfile( lo->ldo_tls_dhfile, &buf ); + if ( rc ) return -1; + rc = gnutls_dh_params_init(&ctx->dh_params); + if ( rc ) { + LDAP_FREE( buf.data ); + return -1; + } + rc = gnutls_dh_params_import_pkcs3( ctx->dh_params, &buf, + GNUTLS_X509_FMT_PEM ); + LDAP_FREE( buf.data ); + if ( rc ) return -1; + gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params ); } return 0; }