authorSam Varshavchik2013-11-10 20:07:18 -0500
committerSam Varshavchik2013-11-10 21:55:21 -0500
commit4d91075b1b90f68527304b45bb26637a17e1454d (patch)
treedde479f63ba4470a3e9c4210b79cda13d0aab4c4 /tcpd
parent37a74ee0f736237b67330c620de7dc08232dec17 (diff)
downloadcourier-libs-4d91075b1b90f68527304b45bb26637a17e1454d.tar.bz2
Update DH parameter configuration scripts.
* libs/tcpd/libcouriergnutls.c, libs/tcpd/libcouriertls.c: remove the TLS_DHCERTFILE setting, and use TLS_CERTFILE for all functionality. Read DH parameters from TLS_CERTFILE, or from the new TLS_DHPARAMS environment variable. * mkdhparams: New script that generates DH parameters into a standalone file. * Remove TLS_DHCERTFILE setting from imapd-ssl, pop3d-ssl, esmtpd and esmtpd-ssl. Add TLS_DHPARAMS. * Update imapd.cnf.openssl, pop3d.cnf.openssl, esmtpd.cnf.openssl, set default number of bits for RSA keys to 4096.
Diffstat (limited to 'tcpd')
-rw-r--r--tcpd/libcouriergnutls.c64
-rw-r--r--tcpd/libcouriertls.c97
2 files changed, 69 insertions, 92 deletions
diff --git a/tcpd/libcouriergnutls.c b/tcpd/libcouriergnutls.c
index 9f6f49d..fbf5e8c 100644
--- a/tcpd/libcouriergnutls.c
+++ b/tcpd/libcouriergnutls.c
@@ -127,7 +127,7 @@ struct ssl_context_t {
const char *priority_list;
char *certfile;
- int certfiledh;
+ char *dhfile;
char *trustcerts;
@@ -142,6 +142,7 @@ struct ssl_handle_t {
gnutls_anon_server_credentials_t anonservercred;
gnutls_certificate_credentials_t xcred;
gnutls_dh_params_t dhparams;
+ int dhparams_initialized;
gnutls_session_t session;
gnutls_x509_privkey_t x509_key;
@@ -185,7 +186,7 @@ ssl_context tls_create(int isserver, const struct tls_info *info)
static int first=1;
ssl_context p=malloc(sizeof(struct ssl_context_t));
- char *certfile=NULL, *dhcertfile=NULL;
+ char *certfile=NULL;
char debug_flag;
if (!p)
@@ -241,36 +242,34 @@ ssl_context tls_create(int isserver, const struct tls_info *info)
"NORMAL:-CTYPE-OPENPGP");
if ((certfile=strdup(safe_getenv(p, "TLS_CERTFILE", ""))) == NULL ||
- (dhcertfile=strdup(safe_getenv(p, "TLS_DHCERTFILE", "")))
- == NULL ||
(p->trustcerts=strdup(safe_getenv(p, "TLS_TRUSTCERTS", "")))
== NULL)
{
if (certfile)
free(certfile);
- if (dhcertfile)
- free(dhcertfile);
tls_destroy(p);
return NULL;
}
- if (*dhcertfile)
- {
- p->certfile=dhcertfile;
- p->certfiledh=1;
- dhcertfile=NULL;
- }
- else if (*certfile)
+ if (*certfile)
{
p->certfile=certfile;
- p->certfiledh=0;
certfile=NULL;
}
if (certfile)
free(certfile);
- if (dhcertfile)
- free(dhcertfile);
+
+ if ((certfile=strdup(safe_getenv(p, "TLS_DHPARAMS", ""))) != NULL &&
+ *certfile)
+ {
+ p->dhfile=certfile;
+ }
+ else
+ {
+ if (certfile)
+ free(certfile);
+ }
switch (*safe_getenv(p, "TLS_VERIFYPEER", "P")) {
case 'n':
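Review bot: The TLS_DHPARAMS strdup on the `if ((certfile=strdup(...)) != NULL && *certfile)` line treats an allocation failure exactly like an unset variable, whereas the TLS_CERTFILE and TLS_TRUSTCERTS strdups a few lines above tear the context down and return NULL; a server that was explicitly configured with DH parameters would, in that rare case, come up without them and without any report. Keep the existing convention: `if ((certfile=strdup(safe_getenv(p, "TLS_DHPARAMS", ""))) == NULL) { tls_destroy(p); return NULL; }` followed by `if (*certfile) p->dhfile=certfile; else free(certfile);`. Reusing `certfile` for a second, unrelated setting also reads oddly; a dedicated local such as `dhfile` would make the two ownership hand-offs easier to follow. Since tls_destroy now frees p->dhfile (later hunk) and can run on the strdup-failure path above before dhfile is assigned, this relies on the context being zeroed after the malloc at the top of tls_create — presumably it is, as p->certfile and p->trustcerts already depend on that, but worth confirming.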
@@ -325,7 +324,8 @@ void tls_destroy(ssl_context p)
{
if (p->certfile)
free(p->certfile);
-
+ if (p->dhfile)
+ free(p->dhfile);
if (p->trustcerts)
free(p->trustcerts);
@@ -1202,21 +1202,28 @@ static int get_client_cert(gnutls_session_t session,
}
static int read_dh_params(gnutls_dh_params_t dhparams,
- const char *filename)
+ const char *filename,
+ int *dhparams_initialized)
{
int rc;
-
gnutls_datum_t filebuf;
+ if (*dhparams_initialized)
+ return 0;
+
+ if (!filename)
+ return 0;
+
rc=read_file(filename, &filebuf);
if (rc == 0)
{
- rc=gnutls_dh_params_import_pkcs3(dhparams, &filebuf,
- GNUTLS_X509_FMT_PEM);
+ if (gnutls_dh_params_import_pkcs3(dhparams, &filebuf,
+ GNUTLS_X509_FMT_PEM) == 0)
+ *dhparams_initialized=1;
release_file(&filebuf);
}
- return rc;
+ return 0;
}
static int db_store_func(void *dummy, gnutls_datum_t key,
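Review bot: read_dh_params now returns 0 on every path — `rc` from read_file only decides whether release_file runs, and the result of gnutls_dh_params_import_pkcs3 is dropped — so an unreadable or malformed TLS_DHPARAMS file is indistinguishable from no DH file at all, and the two `read_dh_params(...) < 0` tests in the later hunk of this file (where `ssl->dhparams_initialized=0;` is added) can never be true. Staying quiet for TLS_CERTFILE is reasonable, since that file need not carry DH parameters, but a failure on the explicit TLS_DHPARAMS path deserves a diagnostic if this file has a logging hook available; if it does not, a comment should say the silence is deliberate: `/* Failure is ignored on purpose: TLS_CERTFILE need not contain DH parameters, and TLS_DHPARAMS is tried first. */`. With the return value pinned at 0, `rc` could also be folded into `if (read_file(filename, &filebuf) == 0)`.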
@@ -1444,16 +1451,15 @@ RT |
0);
gnutls_certificate_set_verify_limits(ssl->xcred, 16384, 10);
+ ssl->dhparams_initialized=0;
if (gnutls_priority_set_direct(ssl->session, ctx->priority_list,
NULL) < 0 ||
- (ctx->certfiledh && read_dh_params(ssl->dhparams,
- ctx->certfile) < 0) ||
+ read_dh_params(ssl->dhparams, ctx->dhfile,
+ &ssl->dhparams_initialized) < 0 ||
+ read_dh_params(ssl->dhparams, ctx->certfile,
+ &ssl->dhparams_initialized) < 0 ||
add_certificates(ssl->xcred, ctx->trustcerts) < 0 ||
-#if 0
- add_certificates(ssl->xcred, ctx->certfile) < 0 ||
- add_certificates(ssl->xcred, ctx->dhcertfile) < 0 ||
-#endif
gnutls_credentials_set(ssl->session, GNUTLS_CRD_ANON,
ctx->isserver
? (void *)ssl->anonservercred
@@ -1473,7 +1479,7 @@ RT |
return NULL;
}
- if (ctx->certfiledh)
+ if (ssl->dhparams_initialized)
{
gnutls_certificate_set_dh_params(ssl->xcred, ssl->dhparams);
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index c44f318..50f0801 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -215,15 +215,6 @@ static int verifypeer(const struct tls_info *info, SSL *ssl)
return (0);
}
-#ifndef NO_RSA
-
-static RSA *rsa_callback(SSL *s, int export, int keylength)
-{
- return (RSA_generate_key(keylength,RSA_F4,NULL,NULL));
-}
-
-#endif
-
static void nonsslerror(const struct tls_info *info, const char *pfix)
{
char errmsg[256];
@@ -269,51 +260,23 @@ static void sslerror(const struct tls_info *info, const char *pfix, int rc)
static void init_session_cache(struct tls_info *, SSL_CTX *);
-static int process_rsacertfile(SSL_CTX *ctx, const char *filename)
+static void load_dh_params(SSL_CTX *ctx, const char *filename,
+ int *cert_file_flags)
{
-#ifndef NO_RSA
-
const struct tls_info *info=SSL_CTX_get_app_data(ctx);
- SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
-
- if(!SSL_CTX_use_certificate_chain_file(ctx, filename))
- {
- sslerror(info, filename, -1);
- return (0);
- }
-
- if(!SSL_CTX_use_RSAPrivateKey_file(ctx, filename, SSL_FILETYPE_PEM))
- {
- sslerror(info, filename, -1);
- return (0);
- }
-#endif
- return (1);
-}
-
-
-static int process_dhcertfile(SSL_CTX *ctx, const char *filename)
-{
-#ifndef NO_DH
-
- const struct tls_info *info=SSL_CTX_get_app_data(ctx);
BIO *bio;
DH *dh;
- int cert_done=0;
- if(!SSL_CTX_use_certificate_chain_file(ctx, filename))
- {
- sslerror(info, filename, -1);
- return (0);
- }
+ if (*cert_file_flags)
+ return;
if ((bio=BIO_new_file(filename, "r")) != 0)
{
if ((dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) != 0)
{
SSL_CTX_set_tmp_dh(ctx, dh);
- cert_done=1;
+ *cert_file_flags = 1;
DH_free(dh);
}
else
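Review bot: `cert_file_flags` is only ever tested and set as a single "DH parameters already loaded" boolean — here, in read_certfile, process_certfile and tls_create — so a name such as `dh_params_loaded` would say what the early `if (*cert_file_flags) return;` actually guards. load_dh_params is now also run against TLS_CERTFILE from read_certfile, so a certificate file that carries no DH parameters (the expected case once mkdhparams produces a standalone file) goes through the PEM_read_bio_DHparams failure branch; that branch continues past the end of the hunk, and if it still reports through sslerror as the BIO_new_file branch does, a valid configuration with no TLS_DHPARAMS set will log an error about the certificate file at every start-up. A message that names the real condition, e.g. `no DH parameters in <file>`, would be less misleading than an OpenSSL error for the certificate.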
@@ -322,33 +285,40 @@ static int process_dhcertfile(SSL_CTX *ctx, const char *filename)
}
else
sslerror(info, filename, -1);
+}
- if (!cert_done)
- {
- (*info->tls_err_msg)("couriertls: DH init failed!",
- info->app_data);
+static int read_certfile(SSL_CTX *ctx, const char *filename,
+ int *cert_file_flags)
+{
+ const struct tls_info *info=SSL_CTX_get_app_data(ctx);
+ if(!SSL_CTX_use_certificate_chain_file(ctx, filename))
+ {
+ sslerror(info, filename, -1);
return (0);
}
+ load_dh_params(ctx, filename, cert_file_flags);
+
if(!SSL_CTX_use_PrivateKey_file(ctx, filename, SSL_FILETYPE_PEM))
{
sslerror(info, filename, -1);
return (0);
}
-#endif
return (1);
}
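Review bot: Nothing inspects `*cert_file_flags` once read_certfile returns: the removed `couriertls: DH init failed!` report was the only place that noticed when no DH parameters had been loaded, and the new code has no replacement, so a server with neither TLS_DHPARAMS nor DH parameters inside TLS_CERTFILE starts quietly without a tmp DH and, presumably, simply loses its DHE cipher suites. The old non-DH configuration was also silent, so a hard failure may be too strong, but a warning at the call site in tls_create (its hunk runs past the end of this page) would make the downgrade visible: `if (isserver && !cert_file_flags) (*info->tls_err_msg)("couriertls: no DH parameters loaded, DHE cipher suites unavailable", info->app_data);`. A one-line comment on read_certfile stating that `cert_file_flags` is set only when DH parameters were found would also help the next reader.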
static int process_certfile(SSL_CTX *ctx, const char *certfile, const char *ip,
- int (*func)(SSL_CTX *, const char *))
+ int (*func)(SSL_CTX *, const char *,
+ int *),
+ int *cert_file_flags)
{
if (ip && *ip)
{
char *test_file;
if (strncmp(ip, "::ffff:", 7) == 0 && strchr(ip, '.'))
- return (process_certfile(ctx, certfile, ip+7, func));
+ return (process_certfile(ctx, certfile, ip+7, func, cert_file_flags));
test_file= malloc(strlen(certfile)+strlen(ip)+2);
@@ -358,7 +328,8 @@ static int process_certfile(SSL_CTX *ctx, const char *certfile, const char *ip,
if (access(test_file, R_OK) == 0)
{
- int rc= (*func)(ctx, test_file);
+ int rc= (*func)(ctx, test_file,
+ cert_file_flags);
free(test_file);
return rc;
@@ -366,7 +337,7 @@ static int process_certfile(SSL_CTX *ctx, const char *certfile, const char *ip,
free(test_file);
}
- return (*func)(ctx, certfile);
+ return (*func)(ctx, certfile, cert_file_flags);
}
static int client_cert_cb(ssl_handle ssl, X509 **x509, EVP_PKEY **pkey)
@@ -483,7 +454,7 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
const char *protocol=safe_getenv(info, "TLS_PROTOCOL");
const char *ssl_cipher_list=safe_getenv(info, "TLS_CIPHER_LIST");
int session_timeout=atoi(safe_getenv(info, "TLS_TIMEOUT"));
- const char *dhcertfile=safe_getenv(info, "TLS_DHCERTFILE");
+ const char *dhparamsfile=safe_getenv(info, "TLS_DHPARAMS");
const char *certfile=safe_getenv(info, "TLS_CERTFILE");
const char *s;
struct stat stat_buf;
@@ -493,16 +464,17 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
struct tls_info *info_copy;
const SSL_METHOD *method=NULL;
long options;
+ int cert_file_flags;
if (!*ssl_cipher_list)
ssl_cipher_list=NULL;
- if (!*dhcertfile)
- dhcertfile=NULL;
-
if (!*certfile)
certfile=NULL;
+ if (!*dhparamsfile)
+ dhparamsfile=NULL;
+
s=safe_getenv(info, "TLS_TRUSTCERTS");
if (s && stat(s, &stat_buf) == 0)
{
@@ -599,15 +571,14 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
s = safe_getenv(info, "TCPLOCALIP");
- if (certfile && !process_certfile(ctx, certfile, s,
- process_rsacertfile))
- {
- tls_destroy(ctx);
- return (NULL);
- }
+ cert_file_flags=0;
+
+ if (dhparamsfile)
+ load_dh_params(ctx, dhparamsfile, &cert_file_flags);
- if (dhcertfile && !process_certfile(ctx, dhcertfile, s,
- process_dhcertfile))
+ if (certfile && !process_certfile(ctx, certfile, s,
+ read_certfile,
+ &cert_file_flags))
{
tls_destroy(ctx);
return (NULL);