BUG/MEDIUM: ssl: EDH ciphers are not usable if no DH parameters present in pem file.

author Emeric Brun <ebrun@exceliance.fr>

Fri, 26 Apr 2013 09:05:44 +0000 (11:05 +0200)

committer Willy Tarreau <w@1wt.eu>

Fri, 26 Apr 2013 09:19:48 +0000 (11:19 +0200)
author Emeric Brun <ebrun@exceliance.fr>
Fri, 26 Apr 2013 09:05:44 +0000 (11:05 +0200)
committer Willy Tarreau <w@1wt.eu>
Fri, 26 Apr 2013 09:19:48 +0000 (11:19 +0200)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c

index 36a0481b6417200f293241049642c6628dde3cb9..3ee699195f5bfac94327b228f938426c1f629a6c 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -243,6 +243,29 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
         int ret = -1;
         BIO *in;
         DH *dh = NULL;
+       /* If not present, use parameters generated using 'openssl dhparam 1024 -C':
+        * -----BEGIN DH PARAMETERS-----
+        * MIGHAoGBAJJAJDXDoS5E03MNjnjK36eOL1tRqVa/9NuOVlI+lpXmPjJQbP65EvKn
+        * fSLnG7VMhoCJO4KtG88zf393ltP7loGB2bofcDSr+x+XsxBM8yA/Zj6BmQt+CQ9s
+        * TF7hoOV+wXTT6ErZ5y5qx9pq6hLfKXwTGFT78hrE6HnCO7xgtPdTAgEC
+        * -----END DH PARAMETERS-----
+       */
+       static const unsigned char dh1024_p[] = {
+               0x92, 0x40, 0x24, 0x35, 0xC3, 0xA1, 0x2E, 0x44, 0xD3, 0x73, 0x0D, 0x8E,
+               0x78, 0xCA, 0xDF, 0xA7, 0x8E, 0x2F, 0x5B, 0x51, 0xA9, 0x56, 0xBF, 0xF4,
+               0xDB, 0x8E, 0x56, 0x52, 0x3E, 0x96, 0x95, 0xE6, 0x3E, 0x32, 0x50, 0x6C,
+               0xFE, 0xB9, 0x12, 0xF2, 0xA7, 0x7D, 0x22, 0xE7, 0x1B, 0xB5, 0x4C, 0x86,
+               0x80, 0x89, 0x3B, 0x82, 0xAD, 0x1B, 0xCF, 0x33, 0x7F, 0x7F, 0x77, 0x96,
+               0xD3, 0xFB, 0x96, 0x81, 0x81, 0xD9, 0xBA, 0x1F, 0x70, 0x34, 0xAB, 0xFB,
+               0x1F, 0x97, 0xB3, 0x10, 0x4C, 0xF3, 0x20, 0x3F, 0x66, 0x3E, 0x81, 0x99,
+               0x0B, 0x7E, 0x09, 0x0F, 0x6C, 0x4C, 0x5E, 0xE1, 0xA0, 0xE5, 0x7E, 0xC1,
+               0x74, 0xD3, 0xE8, 0x4A, 0xD9, 0xE7, 0x2E, 0x6A, 0xC7, 0xDA, 0x6A, 0xEA,
+               0x12, 0xDF, 0x29, 0x7C, 0x13, 0x18, 0x54, 0xFB, 0xF2, 0x1A, 0xC4, 0xE8,
+               0x79, 0xC2, 0x3B, 0xBC, 0x60, 0xB4, 0xF7, 0x53,
+       };
+       static const unsigned char dh1024_g[] = {
+               0x02,
+       };
  
         in = BIO_new(BIO_s_file());
         if (in == NULL)
@@ -252,22 +275,35 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
                 goto end;
  
         dh = PEM_read_bio_DHparams(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
-       if (dh) {
-               SSL_CTX_set_tmp_dh(ctx, dh);
-               ret = 1;
-               goto end;
+       if (!dh) {
+               /* Clear openssl global errors stack */
+               ERR_clear_error();
+
+               dh = DH_new();
+               if (dh == NULL)
+                       goto end;
+
+               dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+               if (dh->p == NULL)
+                       goto end;
+
+               dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+               if (dh->g == NULL)
+                       goto end;
+
+               ret = 0; /* DH params not found */
         }
+       else
+               ret = 1;
  
-       ret = 0; /* DH params not found */
+       SSL_CTX_set_tmp_dh(ctx, dh);
  
-       /* Clear openssl global errors stack */
-       ERR_clear_error();
  end:
         if (dh)
                 DH_free(dh);
  
         if (in)
-       BIO_free(in);
+               BIO_free(in);
  
         return ret;
  }
author	Emeric Brun <ebrun@exceliance.fr>
	Fri, 26 Apr 2013 09:05:44 +0000 (11:05 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Fri, 26 Apr 2013 09:19:48 +0000 (11:19 +0200)