Update DH parameter configuration scripts.

* libs/tcpd/libcouriergnutls.c, libs/tcpd/libcouriertls.c: remove the TLS_DHCERTFILE setting, and use TLS_CERTFILE for all functionality. Read DH parameters from TLS_CERTFILE, or from the new TLS_DHPARAMS environment variable. * mkdhparams: New script that generates DH parameters into a standalone file. * Remove TLS_DHCERTFILE setting from imapd-ssl, pop3d-ssl, esmtpd and esmtpd-ssl. Add TLS_DHPARAMS. * Update imapd.cnf.openssl, pop3d.cnf.openssl, esmtpd.cnf.openssl, set default number of bits for RSA keys to 4096.
author: Sam Varshavchik 2013-11-10 20:07:18 -0500
committer: Sam Varshavchik 2013-11-10 21:55:21 -0500
commit: 4d91075b1b90f68527304b45bb26637a17e1454d (patch)
tree: dde479f63ba4470a3e9c4210b79cda13d0aab4c4
parent: 37a74ee0f736237b67330c620de7dc08232dec17 (diff)
download: courier-libs-4d91075b1b90f68527304b45bb26637a17e1454d.tar.bz2
14 files changed, 270 insertions, 122 deletions
diff --git a/imap/.gitignore b/imap/.gitignore
index 4b8bc07..3687d22 100644
--- a/imap/.gitignore
+++ b/imap/.gitignore
@@ -17,6 +17,11 @@
 /imapd.html.in
 /imapd.pam
 /imaplogin
+/mkdhparams
+/mkdhparams.8
+/mkdhparams.8.in
+/mkdhparams.html
+/mkdhparams.html.in
 /mkimapdcert
 /mkimapdcert.8
 /mkimapdcert.8.in
diff --git a/imap/ChangeLog b/imap/ChangeLog
index 297b0cc..a5eeb40 100644
--- a/imap/ChangeLog
+++ b/imap/ChangeLog
@@ -1,3 +1,19 @@
+2013-11-10  Sam Varshavchik  <mrsam@courier-mta.com>
+
+	* libs/tcpd/libcouriergnutls.c, libs/tcpd/libcouriertls.c: remove the
+	TLS_DHCERTFILE setting, and use TLS_CERTFILE for all functionality.
+	Read DH parameters from TLS_CERTFILE, or from the new TLS_DHPARAMS
+	environment variable.
+
+	* mkdhparams: New script that generates DH parameters into a standalone
+	file.
+
+	* Remove TLS_DHCERTFILE setting from imapd-ssl, pop3d-ssl, esmtpd and
+	esmtpd-ssl. Add TLS_DHPARAMS.
+
+	* Update imapd.cnf.openssl, pop3d.cnf.openssl, esmtpd.cnf.openssl,
+	set default number of bits for RSA keys to 4096.
+
 2013-10-14  Sam Varshavchik  <mrsam@courier-mta.com>
 
 	* libs/tcpd/libcouriertls.c (tls_create): Add TLSv1_1_method() and
diff --git a/imap/Makefile.am b/imap/Makefile.am
index 46a1e41..ef36662 100644
--- a/imap/Makefile.am
+++ b/imap/Makefile.am
@@ -8,22 +8,25 @@ BUILT_SOURCES=README.proxy
 
 DISTCLEANFILES=imapd.pam pop3d.pam imapd.cnf pop3d.cnf
 CLEANFILES=imapd.8 imapd.html mkimapdcert.html mkimapdcert.8 \
+	mkdhparams.html mkdhparams.8 \
 	courierpop3d.html courierpop3d.8 mkpop3dcert.html mkpop3dcert.8
 
 EXTRA_DIST=testsuite testsuite.txt smaptestsuite smaptestsuite.txt \
 	BUGS BUGS.html README README.html imapd.authpam \
 	pop3d.authpam system-auth.authpam system-auth2.authpam\
 	imapd.html.in imapd.8.in \
+	mkdhparams.html.in mkdhparams.8.in \
 	mkimapdcert.html.in mkimapdcert.8.in \
 	mkpop3dcert.html.in mkpop3dcert.8.in \
 	courierpop3d.html.in courierpop3d.8.in \
 	README.proxy README.proxy.html \
 	imapd.cnf.gnutls pop3d.cnf.gnutls
 
-noinst_SCRIPTS=mkimapdcert mkpop3dcert
+noinst_SCRIPTS=mkimapdcert mkpop3dcert mkdhparams
 noinst_PROGRAMS=imaplogin imapd pop3login pop3d
 
 noinst_DATA=imapd.8 imapd.html imapd.cnf pop3d.cnf \
+	mkdhparams.html mkdhparams.8 \
 	mkimapdcert.html mkimapdcert.8 \
 	mkpop3dcert.html mkpop3dcert.8 \
 	courierpop3d.html courierpop3d.8
@@ -102,6 +105,12 @@ imapd.html: imapd.html.in
 imapd.8: imapd.8.in
 	./config.status --file=imapd.8
 
+mkdhparams.html: mkdhparams.html.in
+	./config.status --file=mkdhparams.html
+
+mkdhparams.8: mkdhparams.8.in
+	./config.status --file=mkdhparams.8
+
 mkimapdcert.html: mkimapdcert.html.in
 	./config.status --file=mkimapdcert.html
 
@@ -128,6 +137,13 @@ imapd.8.in: imapd.sgml ../docbook/sgml2man
 	../docbook/sgml2man imapd.sgml imapd.8.in
 	mv imapd.8 imapd.8.in
 
+mkdhparams.html.in: mkdhparams.sgml ../docbook/sgml2html
+	../docbook/sgml2html mkdhparams.sgml mkdhparams.html.in
+
+mkdhparams.8.in: mkdhparams.sgml ../docbook/sgml2man
+	../docbook/sgml2man mkdhparams.sgml mkdhparams.8.in
+	mv mkdhparams.8 mkdhparams.8.in
+
 mkimapdcert.html.in: mkimapdcert.sgml ../docbook/sgml2html
 	../docbook/sgml2html mkimapdcert.sgml mkimapdcert.html.in
 
diff --git a/imap/configure.ac b/imap/configure.ac
index 7253d96..e60a5b5 100644
--- a/imap/configure.ac
+++ b/imap/configure.ac
@@ -367,5 +367,5 @@ int main()
 AC_SUBST(cacerts)
 
 AC_OUTPUT(Makefile imapd.dist imapd-ssl.dist pop3d.dist pop3d-ssl.dist
-	testsuitefix.pl mkimapdcert mkpop3dcert
+	testsuitefix.pl mkimapdcert mkpop3dcert mkdhparams
 	imapd.cnf.openssl pop3d.cnf.openssl)
diff --git a/imap/imapd-ssl.dist.in b/imap/imapd-ssl.dist.in
index ac2f468..609c5aa 100644
--- a/imap/imapd-ssl.dist.in
+++ b/imap/imapd-ssl.dist.in
@@ -194,16 +194,6 @@ COURIERTLS=@bindir@/couriertls
 # This is supposed to be an inactivity timeout, but its not yet implemented.
 #
 
-##NAME: TLS_DHCERTFILE:0
-#
-# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate.
-# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
-# you must generate a DH pair that will be used.  In most situations the
-# DH pair is to be treated as confidential, and the file specified by
-# TLS_DHCERTFILE must not be world-readable.
-#
-# TLS_DHCERTFILE=
-
 ##NAME: TLS_CERTFILE:0
 #
 # TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
@@ -238,6 +228,12 @@ COURIERTLS=@bindir@/couriertls
 
 TLS_CERTFILE=@certsdir@/imapd.pem
 
+##NAME: TLS_DHPARAMS:0
+#
+# TLS_DHPARAMS - DH parameter file.
+#
+TLS_DHPARAMS=@certsdir@/dhparams.pem
+
 ##NAME: TLS_TRUSTCERTS:0
 #
 # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
diff --git a/imap/imapd.cnf.openssl.in b/imap/imapd.cnf.openssl.in
index 0c66526..db9c732 100644
--- a/imap/imapd.cnf.openssl.in
+++ b/imap/imapd.cnf.openssl.in
@@ -2,7 +2,7 @@
 RANDFILE = @certsdir@/imapd.rand
 
 [ req ]
-default_bits = 1024
+default_bits = 4096
 encrypt_key = yes
 distinguished_name = req_dn
 x509_extensions = cert_type
diff --git a/imap/mkdhparams.in b/imap/mkdhparams.in
new file mode 100644
index 0000000..f5bddfa
--- /dev/null
+++ b/imap/mkdhparams.in
@@ -0,0 +1,44 @@
+#! @SHELL@
+#
+# Copyright 2013 Double Precision, Inc.  See COPYING for
+# distribution information.
+#
+# Run this script monthly to generate DH parameters.
+
+if test -f @certsdir@/dhparams.pem
+then
+    if test "`find @certsdir@/dhparams.pem -mtime +25 -print `" = ""
+    then
+	# Less than 25 days old
+	exit 0
+    fi
+fi
+
+set -e
+
+cp /dev/null @certsdir@/dhparams.pem.tmp
+chmod 600 @certsdir@/dhparams.pem.tmp
+chown @mailuser@ @certsdir@/dhparams.pem.tmp
+
+BITS="$DH_BITS"
+if test "@ssllib@" = "openssl"
+then
+    if test "$BITS" = ""
+    then
+	BITS=768
+    fi
+
+    dd if=@RANDOMV@ of=@certsdir@/dhparams.rand.tmp count=1 2>/dev/null
+    @OPENSSL@ dhparam -rand @certsdir@/dhparams.rand.tmp -outform PEM $BITS >@certsdir@/dhparams.pem.tmp
+    rm -f @certsdir@/dhparams.rand.tmp
+    mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem
+else
+    if test "$BITS" = ""
+    then
+	BITS=high
+    fi
+
+    @CERTTOOL@ --generate-dh-params --sec-param $BITS >@certsdir@/dhparams.pem.tmp
+    mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem
+fi
+
diff --git a/imap/mkdhparams.sgml b/imap/mkdhparams.sgml
new file mode 100644
index 0000000..086a530
--- /dev/null
+++ b/imap/mkdhparams.sgml
@@ -0,0 +1,81 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<!-- Copyright 2013 Double Precision, Inc.  See COPYING for -->
+<!-- distribution information. -->
+<refentry>
+  <info><author><firstname>Sam</firstname><surname>Varshavchik</surname><contrib>Author</contrib></author><productname>Courier Mail Server</productname></info>
+
+  <refmeta>
+    <refentrytitle>mkdhparams</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>Double Precision, Inc.</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname>mkdhparams</refname>
+    <refpurpose>create DH parameter file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>@sbindir@/mkdhparams</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+
+    <para>
+      This script creates new DH parameters and saves them in
+      <filename>@certsdir@/dhparams.pem</filename>. If this file already exists
+      and it's less than 25 days old, the script returns immediately.
+      If this file is over 25 days old, new DH parameters get generated and
+      the file gets replaced.
+    </para>
+
+    <para>
+      This script is intended to be execute when the system boots, or from
+      a monthly cron job.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <variablelist>
+      <varlistentry>
+	<term>@certsdir@/dhparams.pem</term>
+	<listitem>
+	  <simpara>
+	    DH Parameter file.
+	  </simpara>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>ENVIRONMENT VARIABLES</title>
+
+    <variablelist>
+      <varlistentry>
+	<term>BITS</term>
+	<listitem>
+	  <simpara>
+	    Customize the DH parameter bit size. The default value depends on
+	    whether this script uses OpenSSL or GnuTLS libraries. For OpenSSL
+	    the default number of bits is 768. GnuTLS uses a security level
+	    setting, rather than the number of bits, and the default
+	    security level is "high".
+	  </simpara>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+
+    <para>
+      <ulink url="courier.html"><citerefentry><refentrytitle>courier</refentrytitle><manvolnum>8</manvolnum></citerefentry></ulink></para>
+  </refsect1>
+</refentry>
diff --git a/imap/mkimapdcert.in b/imap/mkimapdcert.in
index 4156975..3bc1df1 100644
--- a/imap/mkimapdcert.in
+++ b/imap/mkimapdcert.in
@@ -24,6 +24,9 @@ then
 fi
 
 umask 077
+set -e
+
+BITS="$BITS"
 
 cleanup() {
 	rm -f @certsdir@/imapd.pem
@@ -44,20 +47,26 @@ then
 	dd if=@RANDOMV@ of=@certsdir@/imapd.rand count=1 2>/dev/null
 	@OPENSSL@ req -new -x509 -days 365 -nodes \
 		  -config @sysconfdir@/imapd.cnf -out @certsdir@/imapd.pem -keyout @certsdir@/imapd.pem || cleanup
-	@OPENSSL@ gendh -rand @certsdir@/imapd.rand 512 >>@certsdir@/imapd.pem || cleanup
 	@OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/imapd.pem || cleanup
 	rm -f @certsdir@/imapd.rand
 else
+	if test "$BITS" = ""
+	then
+		BITS="high"
+	fi
 	cp /dev/null @certsdir@/imapd.key
 	chmod 600 @certsdir@/imapd.key
 	cp /dev/null @certsdir@/imapd.cert
 	chmod 600 @certsdir@/imapd.cert
 	cp /dev/null @certsdir@/imapd.pem
 	chmod 600 @certsdir@/imapd.pem
+	chown @mailuser@ @certsdir@/imapd.pem
+	cp /dev/null @certsdir@/imapd.pem
+	cp /dev/null @certsdir@/imapd.cert
+	cp /dev/null @certsdir@/imapd.key
 
-	@CERTTOOL@ --generate-privkey --outfile imapd.key
+	@CERTTOOL@ --generate-privkey --sec-param=$BITS --outfile imapd.key
 	@CERTTOOL@ --generate-self-signed --load-privkey imapd.key --outfile imapd.cert --template @sysconfdir@/imapd.cnf
-	@CERTTOOL@ --generate-dh-params >>imapd.cert
 	cat imapd.key imapd.cert >imapd.pem
 	rm -f imapd.key imapd.cert
 fi
diff --git a/imap/mkpop3dcert.in b/imap/mkpop3dcert.in
index 9a4c530..5d48a1f 100644
--- a/imap/mkpop3dcert.in
+++ b/imap/mkpop3dcert.in
@@ -24,6 +24,7 @@ then
 fi
 
 umask 077
+set -e
 
 cleanup() {
 	rm -f @certsdir@/pop3d.pem
@@ -34,6 +35,9 @@ cleanup() {
 }
 
 cd @certsdir@
+umask 077
+BITS="$BITS"
+set -e
 
 if test "@ssllib@" = "openssl"
 then
@@ -44,20 +48,24 @@ then
 	dd if=@RANDOMV@ of=@certsdir@/pop3d.rand count=1 2>/dev/null
 	@OPENSSL@ req -new -x509 -days 365 -nodes \
 		  -config @sysconfdir@/pop3d.cnf -out @certsdir@/pop3d.pem -keyout @certsdir@/pop3d.pem || cleanup
-	@OPENSSL@ gendh -rand @certsdir@/pop3d.rand 512 >>@certsdir@/pop3d.pem || cleanup
 	@OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/pop3d.pem || cleanup
 	rm -f @certsdir@/pop3d.rand
 else
+	if test "$BITS" = ""
+	then
+		BITS="high"
+	fi
+
 	cp /dev/null @certsdir@/pop3d.key
 	chmod 600 @certsdir@/pop3d.key
 	cp /dev/null @certsdir@/pop3d.cert
 	chmod 600 @certsdir@/pop3d.cert
 	cp /dev/null @certsdir@/pop3d.pem
 	chmod 600 @certsdir@/pop3d.pem
+	chown @mailuser@ @certsdir@/pop3d.pem
 
-	@CERTTOOL@ --generate-privkey --outfile pop3d.key
+	@CERTTOOL@ --generate-privkey --sec-param=$BITS --outfile pop3d.key
 	@CERTTOOL@ --generate-self-signed --load-privkey pop3d.key --outfile pop3d.cert --template @sysconfdir@/pop3d.cnf
-	@CERTTOOL@ --generate-dh-params >>pop3d.cert
 	cat pop3d.key pop3d.cert >pop3d.pem
 	rm -f pop3d.key pop3d.cert
 fi
diff --git a/imap/pop3d-ssl.dist.in b/imap/pop3d-ssl.dist.in
index 81a395a..1164b77 100644
--- a/imap/pop3d-ssl.dist.in
+++ b/imap/pop3d-ssl.dist.in
@@ -158,16 +158,6 @@ COURIERTLS=@bindir@/couriertls
 # This is supposed to be an inactivity timeout, but its not yet implemented.
 #
 
-##NAME: TLS_DHCERTFILE:0
-#
-# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate.
-# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
-# you must generate a DH pair that will be used.  In most situations the
-# DH pair is to be treated as confidential, and the file specified by
-# TLS_DHCERTFILE must not be world-readable.
-#
-# TLS_DHCERTFILE=
-
 ##NAME: TLS_CERTFILE:0
 #
 # TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
@@ -202,6 +192,12 @@ COURIERTLS=@bindir@/couriertls
 
 TLS_CERTFILE=@certsdir@/pop3d.pem
 
+##NAME: TLS_DHPARAMS:0
+#
+# TLS_DHPARAMS - DH parameter file.
+#
+TLS_DHPARAMS=@certsdir@/dhparams.pem
+
 ##NAME: TLS_TRUSTCERTS:0
 #
 # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
diff --git a/imap/pop3d.cnf.openssl.in b/imap/pop3d.cnf.openssl.in
index 971965e..5ef1d47 100644
--- a/imap/pop3d.cnf.openssl.in
+++ b/imap/pop3d.cnf.openssl.in
@@ -2,7 +2,7 @@
 RANDFILE = @certsdir@/pop3d.rand
 
 [ req ]
-default_bits = 1024
+default_bits = 4096
 encrypt_key = yes
 distinguished_name = req_dn
 x509_extensions = cert_type
diff --git a/tcpd/libcouriergnutls.c b/tcpd/libcouriergnutls.c
index 9f6f49d..fbf5e8c 100644
--- a/tcpd/libcouriergnutls.c
+++ b/tcpd/libcouriergnutls.c
@@ -127,7 +127,7 @@ struct ssl_context_t {
 	const char *priority_list;
 
 	char *certfile;
-	int certfiledh;
+	char *dhfile;
 
 	char *trustcerts;
 
@@ -142,6 +142,7 @@ struct ssl_handle_t {
 	gnutls_anon_server_credentials_t anonservercred;
 	gnutls_certificate_credentials_t xcred;
 	gnutls_dh_params_t dhparams;
+	int dhparams_initialized;
 	gnutls_session_t session;
 
 	gnutls_x509_privkey_t x509_key;
@@ -185,7 +186,7 @@ ssl_context tls_create(int isserver, const struct tls_info *info)
 	static int first=1;
 
 	ssl_context p=malloc(sizeof(struct ssl_context_t));
-	char *certfile=NULL, *dhcertfile=NULL;
+	char *certfile=NULL;
 	char debug_flag;
 
 	if (!p)
@@ -241,36 +242,34 @@ ssl_context tls_create(int isserver, const struct tls_info *info)
 				     "NORMAL:-CTYPE-OPENPGP");
 
 	if ((certfile=strdup(safe_getenv(p, "TLS_CERTFILE", ""))) == NULL ||
-	    (dhcertfile=strdup(safe_getenv(p, "TLS_DHCERTFILE", "")))
-	    == NULL ||
 	    (p->trustcerts=strdup(safe_getenv(p, "TLS_TRUSTCERTS", "")))
 	    == NULL)
 	{
 		if (certfile)
 			free(certfile);
-		if (dhcertfile)
-			free(dhcertfile);
 		tls_destroy(p);
 		return NULL;
 	}
 
-	if (*dhcertfile)
-	{
-		p->certfile=dhcertfile;
-		p->certfiledh=1;
-		dhcertfile=NULL;
-	}
-	else if (*certfile)
+	if (*certfile)
 	{
 		p->certfile=certfile;
-		p->certfiledh=0;
 		certfile=NULL;
 	}
 
 	if (certfile)
 		free(certfile);
-	if (dhcertfile)
-		free(dhcertfile);
+
+	if ((certfile=strdup(safe_getenv(p, "TLS_DHPARAMS", ""))) != NULL &&
+	    *certfile)
+	{
+		p->dhfile=certfile;
+	}
+	else
+	{
+		if (certfile)
+			free(certfile);
+	}
 
 	switch (*safe_getenv(p, "TLS_VERIFYPEER", "P")) {
 	case 'n':
@@ -325,7 +324,8 @@ void tls_destroy(ssl_context p)
 {
 	if (p->certfile)
 		free(p->certfile);
-
+	if (p->dhfile)
+		free(p->dhfile);
 	if (p->trustcerts)
 		free(p->trustcerts);
 
@@ -1202,21 +1202,28 @@ static int get_client_cert(gnutls_session_t session,
 }
 
 static int read_dh_params(gnutls_dh_params_t dhparams,
-			  const char *filename)
+			  const char *filename,
+			  int *dhparams_initialized)
 {
 	int rc;
-
 	gnutls_datum_t filebuf;
 
+	if (*dhparams_initialized)
+		return 0;
+
+	if (!filename)
+		return 0;
+
 	rc=read_file(filename, &filebuf);
 
 	if (rc == 0)
 	{
-		rc=gnutls_dh_params_import_pkcs3(dhparams, &filebuf,
-						 GNUTLS_X509_FMT_PEM);
+		if (gnutls_dh_params_import_pkcs3(dhparams, &filebuf,
+						  GNUTLS_X509_FMT_PEM) == 0)
+			*dhparams_initialized=1;
 		release_file(&filebuf);
 	}
-	return rc;
+	return 0;
 }
 
 static int db_store_func(void *dummy, gnutls_datum_t key,
@@ -1444,16 +1451,15 @@ RT |
                                             0);
 
         gnutls_certificate_set_verify_limits(ssl->xcred, 16384, 10);
+	ssl->dhparams_initialized=0;
 
 	if (gnutls_priority_set_direct(ssl->session, ctx->priority_list,
 				       NULL) < 0 ||
-	    (ctx->certfiledh && read_dh_params(ssl->dhparams,
-					       ctx->certfile) < 0) ||
+	    read_dh_params(ssl->dhparams, ctx->dhfile,
+			   &ssl->dhparams_initialized) < 0 ||
+	    read_dh_params(ssl->dhparams, ctx->certfile,
+			   &ssl->dhparams_initialized) < 0 ||
 	    add_certificates(ssl->xcred, ctx->trustcerts) < 0 ||
-#if 0
-	    add_certificates(ssl->xcred, ctx->certfile) < 0 ||
-	    add_certificates(ssl->xcred, ctx->dhcertfile) < 0 ||
-#endif
 	    gnutls_credentials_set(ssl->session, GNUTLS_CRD_ANON,
 				   ctx->isserver
 				   ? (void *)ssl->anonservercred
@@ -1473,7 +1479,7 @@ RT |
 		return NULL;
 	}
 
-	if (ctx->certfiledh)
+	if (ssl->dhparams_initialized)
 	{
 		gnutls_certificate_set_dh_params(ssl->xcred, ssl->dhparams);
 
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index c44f318..50f0801 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -215,15 +215,6 @@ static int verifypeer(const struct tls_info *info, SSL *ssl)
 	return (0);
 }
 
-#ifndef NO_RSA
-
-static RSA *rsa_callback(SSL *s, int export, int keylength)
-{
-	return (RSA_generate_key(keylength,RSA_F4,NULL,NULL));
-}
-
-#endif
-
 static void nonsslerror(const struct tls_info *info, const char *pfix)
 {
 	char errmsg[256];
@@ -269,51 +260,23 @@ static void sslerror(const struct tls_info *info, const char *pfix, int rc)
 
 static void init_session_cache(struct tls_info *, SSL_CTX *);
 
-static int process_rsacertfile(SSL_CTX *ctx, const char *filename)
+static void load_dh_params(SSL_CTX *ctx, const char *filename,
+			   int *cert_file_flags)
 {
-#ifndef	NO_RSA
-
 	const struct tls_info *info=SSL_CTX_get_app_data(ctx);
 
-	SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
-
-	if(!SSL_CTX_use_certificate_chain_file(ctx, filename))
-	{
-		sslerror(info, filename, -1);
-		return (0);
-	}
-
-	if(!SSL_CTX_use_RSAPrivateKey_file(ctx, filename, SSL_FILETYPE_PEM))
-	{
-		sslerror(info, filename, -1);
-		return (0);
-	}
-#endif
-	return (1);
-}
-
-
-static int process_dhcertfile(SSL_CTX *ctx, const char *filename)
-{
-#ifndef	NO_DH
-
-	const struct tls_info *info=SSL_CTX_get_app_data(ctx);
 	BIO	*bio;
 	DH	*dh;
-	int	cert_done=0;
 
-	if(!SSL_CTX_use_certificate_chain_file(ctx, filename))
-	{
-		sslerror(info, filename, -1);
-		return (0);
-	}
+	if (*cert_file_flags)
+		return;
 
 	if ((bio=BIO_new_file(filename, "r")) != 0)
 	{
 		if ((dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) != 0)
 		{
 			SSL_CTX_set_tmp_dh(ctx, dh);
-			cert_done=1;
+			*cert_file_flags = 1;
 			DH_free(dh);
 		}
 		else
@@ -322,33 +285,40 @@ static int process_dhcertfile(SSL_CTX *ctx, const char *filename)
 	}
 	else
 		sslerror(info, filename, -1);
+}
 
-	if (!cert_done)
-	{
-		(*info->tls_err_msg)("couriertls: DH init failed!",
-				     info->app_data);
+static int read_certfile(SSL_CTX *ctx, const char *filename,
+			      int *cert_file_flags)
+{
+	const struct tls_info *info=SSL_CTX_get_app_data(ctx);
 
+	if(!SSL_CTX_use_certificate_chain_file(ctx, filename))
+	{
+		sslerror(info, filename, -1);
 		return (0);
 	}
 
+	load_dh_params(ctx, filename, cert_file_flags);
+
 	if(!SSL_CTX_use_PrivateKey_file(ctx, filename, SSL_FILETYPE_PEM))
 	{
 		sslerror(info, filename, -1);
 		return (0);
 	}
-#endif
 	return (1);
 }
 
 static int process_certfile(SSL_CTX *ctx, const char *certfile, const char *ip,
-			    int (*func)(SSL_CTX *, const char *))
+			    int (*func)(SSL_CTX *, const char *,
+					int *),
+			    int *cert_file_flags)
 {
 	if (ip && *ip)
 	{
 		char *test_file;
 
 		if (strncmp(ip, "::ffff:", 7) == 0 && strchr(ip, '.'))
-			return (process_certfile(ctx, certfile, ip+7, func));
+			return (process_certfile(ctx, certfile, ip+7, func, cert_file_flags));
 
 		test_file= malloc(strlen(certfile)+strlen(ip)+2);
 
@@ -358,7 +328,8 @@ static int process_certfile(SSL_CTX *ctx, const char *certfile, const char *ip,
 
 		if (access(test_file, R_OK) == 0)
 		{
-			int rc= (*func)(ctx, test_file);
+			int rc= (*func)(ctx, test_file,
+					cert_file_flags);
 
 			free(test_file);
 			return rc;
@@ -366,7 +337,7 @@ static int process_certfile(SSL_CTX *ctx, const char *certfile, const char *ip,
 		free(test_file);
 	}
 
-	return (*func)(ctx, certfile);
+	return (*func)(ctx, certfile, cert_file_flags);
 }
 
 static int client_cert_cb(ssl_handle ssl, X509 **x509, EVP_PKEY **pkey)
@@ -483,7 +454,7 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
 	const char *protocol=safe_getenv(info, "TLS_PROTOCOL");
 	const char *ssl_cipher_list=safe_getenv(info, "TLS_CIPHER_LIST");
 	int session_timeout=atoi(safe_getenv(info, "TLS_TIMEOUT"));
-	const char *dhcertfile=safe_getenv(info, "TLS_DHCERTFILE");
+	const char *dhparamsfile=safe_getenv(info, "TLS_DHPARAMS");
 	const char *certfile=safe_getenv(info, "TLS_CERTFILE");
 	const char *s;
 	struct stat stat_buf;
@@ -493,16 +464,17 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
 	struct tls_info *info_copy;
 	const SSL_METHOD *method=NULL;
 	long options;
+	int cert_file_flags;
 
 	if (!*ssl_cipher_list)
 		ssl_cipher_list=NULL;
 
-	if (!*dhcertfile)
-		dhcertfile=NULL;
-
 	if (!*certfile)
 		certfile=NULL;
 
+	if (!*dhparamsfile)
+		dhparamsfile=NULL;
+
 	s=safe_getenv(info, "TLS_TRUSTCERTS");
 	if (s && stat(s, &stat_buf) == 0)
 	{
@@ -599,15 +571,14 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
 
 	s = safe_getenv(info, "TCPLOCALIP");
 
-	if (certfile && !process_certfile(ctx, certfile, s,
-					  process_rsacertfile))
-	{
-		tls_destroy(ctx);
-		return (NULL);
-	}
+	cert_file_flags=0;
+
+	if (dhparamsfile)
+		load_dh_params(ctx, dhparamsfile, &cert_file_flags);
 
-	if (dhcertfile && !process_certfile(ctx, dhcertfile, s,
-					    process_dhcertfile))
+	if (certfile && !process_certfile(ctx, certfile, s,
+					  read_certfile,
+					  &cert_file_flags))
 	{
 		tls_destroy(ctx);
 		return (NULL);
author	Sam Varshavchik	2013-11-10 20:07:18 -0500
committer	Sam Varshavchik	2013-11-10 21:55:21 -0500
commit	4d91075b1b90f68527304b45bb26637a17e1454d (patch)
tree	dde479f63ba4470a3e9c4210b79cda13d0aab4c4
parent	37a74ee0f736237b67330c620de7dc08232dec17 (diff)
download	courier-libs-4d91075b1b90f68527304b45bb26637a17e1454d.tar.bz2