MINOR: ssl: try to load Diffie-Hellman parameters from cert file

The feature is disabled if OpenSSL is compiled with OPENSSL_NO_DH.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 4862a9a..5a7f01d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -128,6 +128,41 @@
 }
 #endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
 
+#ifndef OPENSSL_NO_DH
+/* Loads Diffie-Hellman parameter from a file. Returns 1 if loaded, else -1
+   if an error occured, and 0 if parameter not found. */
+int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
+{
+	int ret = -1;
+	BIO *in;
+	DH *dh = NULL;
+
+	in = BIO_new(BIO_s_file());
+	if (in == NULL)
+		goto end;
+
+	if (BIO_read_filename(in, file) <= 0)
+		goto end;
+
+	dh = PEM_read_bio_DHparams(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
+	if (dh) {
+		SSL_CTX_set_tmp_dh(ctx, dh);
+		ret = 1;
+		goto end;
+	}
+
+	ret = 0; /* DH params not found */
+end:
+	if (dh)
+		DH_free(dh);
+
+	if (in)
+	BIO_free(in);
+
+	return ret;
+}
+#endif
+
 /* Loads a certificate key and CA chain from a file. Returns 0 on error, -1 if
  * an early error happens and the caller must call SSL_CTX_free() by itelf.
  */
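Review bot: The return value of `SSL_CTX_set_tmp_dh()` in the `if (dh)` branch is ignored, so a DH block that parses but is rejected by the library (the call returns 0 on failure) is still reported as loaded with `ret = 1`; `ret = SSL_CTX_set_tmp_dh(ctx, dh) ? 1 : -1;` would let the caller's error path handle it. The `ret = 0` path also cannot tell a file with no DH block apart from a malformed one, since both make `PEM_read_bio_DHparams()` return NULL; checking `ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE` before returning 0 separates the two, and an `ERR_clear_error()` on the not-found path keeps the stale entry off the error queue where it could be picked up by a later error report. Reading `ctx->default_passwd_callback` and `ctx->default_passwd_callback_userdata` directly ties the function to the SSL_CTX struct layout rather than the library API, which is worth a comment if no accessor is available in the supported versions. Minor: `BIO_free(in);` under `if (in)` is missing its indent, and "occured" in the header comment should read "occurred".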
@@ -287,6 +322,16 @@
 	/* we must not free the SSL_CTX anymore below, since it's already in
 	 * the tree, so it will be discovered and cleaned in time.
 	 */
+#ifndef OPENSSL_NO_DH
+	ret = ssl_sock_load_dh_params(ctx, path);
+	if (ret < 0) {
+		if (err)
+			memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
+				  *err ? *err : "", path);
+		return 1;
+	}
+#endif
+
 #ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
 	if (bind_conf->default_ctx) {
 		memprintf(err, "%sthis version of openssl cannot load multiple SSL certificates.\n",
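Review bot: The new `memprintf()` call is guarded by `if (err)` while the existing call a few lines below in the same function passes `err` unguarded, so either the guard is unnecessary here or the existing call needs the same one; the two should agree. The `ret == 0` case (no DH block found in the file) falls through silently, which reads as intentional but is not stated; a comment such as `/* ret == 0: no DH params in the file, nothing to set */` after the `if (ret < 0)` block would make that explicit, since in that case the context is presumably left without ephemeral DH parameters from this file. The enclosing function starts and ends outside the hunk.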
@@ -347,6 +392,9 @@
 #ifndef SSL_OP_NO_COMPRESSION                           /* needs OpenSSL >= 0.9.9 */
 #define SSL_OP_NO_COMPRESSION 0
 #endif
+#ifndef SSL_OP_SINGLE_DH_USE                            /* needs OpenSSL >= 0.9.6 */
+#define SSL_OP_SINGLE_DH_USE 0
+#endif
 #ifndef SSL_MODE_RELEASE_BUFFERS                        /* needs OpenSSL >= 1.0.0 */
 #define SSL_MODE_RELEASE_BUFFERS 0
 #endif
@@ -357,6 +405,7 @@
 		SSL_OP_ALL | /* all known workarounds for bugs */
 		SSL_OP_NO_SSLv2 |
 		SSL_OP_NO_COMPRESSION |
+		SSL_OP_SINGLE_DH_USE |
 		SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
 	int sslmode =
 		SSL_MODE_ENABLE_PARTIAL_WRITE |