diff options
| -rw-r--r-- | imap/.gitignore | 5 | ||||
| -rw-r--r-- | imap/ChangeLog | 16 | ||||
| -rw-r--r-- | imap/Makefile.am | 18 | ||||
| -rw-r--r-- | imap/configure.ac | 2 | ||||
| -rw-r--r-- | imap/imapd-ssl.dist.in | 16 | ||||
| -rw-r--r-- | imap/imapd.cnf.openssl.in | 2 | ||||
| -rw-r--r-- | imap/mkdhparams.in | 44 | ||||
| -rw-r--r-- | imap/mkdhparams.sgml | 81 | ||||
| -rw-r--r-- | imap/mkimapdcert.in | 15 | ||||
| -rw-r--r-- | imap/mkpop3dcert.in | 14 | ||||
| -rw-r--r-- | imap/pop3d-ssl.dist.in | 16 | ||||
| -rw-r--r-- | imap/pop3d.cnf.openssl.in | 2 | ||||
| -rw-r--r-- | tcpd/libcouriergnutls.c | 64 | ||||
| -rw-r--r-- | tcpd/libcouriertls.c | 97 |
14 files changed, 270 insertions, 122 deletions
diff --git a/imap/.gitignore b/imap/.gitignore index 4b8bc07..3687d22 100644 --- a/imap/.gitignore +++ b/imap/.gitignore @@ -17,6 +17,11 @@ /imapd.html.in /imapd.pam /imaplogin +/mkdhparams +/mkdhparams.8 +/mkdhparams.8.in +/mkdhparams.html +/mkdhparams.html.in /mkimapdcert /mkimapdcert.8 /mkimapdcert.8.in diff --git a/imap/ChangeLog b/imap/ChangeLog index 297b0cc..a5eeb40 100644 --- a/imap/ChangeLog +++ b/imap/ChangeLog @@ -1,3 +1,19 @@ +2013-11-10 Sam Varshavchik <mrsam@courier-mta.com> + + * libs/tcpd/libcouriergnutls.c, libs/tcpd/libcouriertls.c: remove the + TLS_DHCERTFILE setting, and use TLS_CERTFILE for all functionality. + Read DH parameters from TLS_CERTFILE, or from the new TLS_DHPARAMS + environment variable. + + * mkdhparams: New script that generates DH parameters into a standalone + file. + + * Remove TLS_DHCERTFILE setting from imapd-ssl, pop3d-ssl, esmtpd and + esmtpd-ssl. Add TLS_DHPARAMS. + + * Update imapd.cnf.openssl, pop3d.cnf.openssl, esmtpd.cnf.openssl, + set default number of bits for RSA keys to 4096. + 2013-10-14 Sam Varshavchik <mrsam@courier-mta.com> * libs/tcpd/libcouriertls.c (tls_create): Add TLSv1_1_method() and diff --git a/imap/Makefile.am b/imap/Makefile.am index 46a1e41..ef36662 100644 --- a/imap/Makefile.am +++ b/imap/Makefile.am @@ -8,22 +8,25 @@ BUILT_SOURCES=README.proxy DISTCLEANFILES=imapd.pam pop3d.pam imapd.cnf pop3d.cnf CLEANFILES=imapd.8 imapd.html mkimapdcert.html mkimapdcert.8 \ + mkdhparams.html mkdhparams.8 \ courierpop3d.html courierpop3d.8 mkpop3dcert.html mkpop3dcert.8 EXTRA_DIST=testsuite testsuite.txt smaptestsuite smaptestsuite.txt \ BUGS BUGS.html README README.html imapd.authpam \ pop3d.authpam system-auth.authpam system-auth2.authpam\ imapd.html.in imapd.8.in \ + mkdhparams.html.in mkdhparams.8.in \ mkimapdcert.html.in mkimapdcert.8.in \ mkpop3dcert.html.in mkpop3dcert.8.in \ courierpop3d.html.in courierpop3d.8.in \ README.proxy README.proxy.html \ imapd.cnf.gnutls pop3d.cnf.gnutls -noinst_SCRIPTS=mkimapdcert mkpop3dcert +noinst_SCRIPTS=mkimapdcert mkpop3dcert mkdhparams noinst_PROGRAMS=imaplogin imapd pop3login pop3d noinst_DATA=imapd.8 imapd.html imapd.cnf pop3d.cnf \ + mkdhparams.html mkdhparams.8 \ mkimapdcert.html mkimapdcert.8 \ mkpop3dcert.html mkpop3dcert.8 \ courierpop3d.html courierpop3d.8 @@ -102,6 +105,12 @@ imapd.html: imapd.html.in imapd.8: imapd.8.in ./config.status --file=imapd.8 +mkdhparams.html: mkdhparams.html.in + ./config.status --file=mkdhparams.html + +mkdhparams.8: mkdhparams.8.in + ./config.status --file=mkdhparams.8 + mkimapdcert.html: mkimapdcert.html.in ./config.status --file=mkimapdcert.html @@ -128,6 +137,13 @@ imapd.8.in: imapd.sgml ../docbook/sgml2man ../docbook/sgml2man imapd.sgml imapd.8.in mv imapd.8 imapd.8.in +mkdhparams.html.in: mkdhparams.sgml ../docbook/sgml2html + ../docbook/sgml2html mkdhparams.sgml mkdhparams.html.in + +mkdhparams.8.in: mkdhparams.sgml ../docbook/sgml2man + ../docbook/sgml2man mkdhparams.sgml mkdhparams.8.in + mv mkdhparams.8 mkdhparams.8.in + mkimapdcert.html.in: mkimapdcert.sgml ../docbook/sgml2html ../docbook/sgml2html mkimapdcert.sgml mkimapdcert.html.in diff --git a/imap/configure.ac b/imap/configure.ac index 7253d96..e60a5b5 100644 --- a/imap/configure.ac +++ b/imap/configure.ac @@ -367,5 +367,5 @@ int main() AC_SUBST(cacerts) AC_OUTPUT(Makefile imapd.dist imapd-ssl.dist pop3d.dist pop3d-ssl.dist - testsuitefix.pl mkimapdcert mkpop3dcert + testsuitefix.pl mkimapdcert mkpop3dcert mkdhparams imapd.cnf.openssl pop3d.cnf.openssl) diff --git a/imap/imapd-ssl.dist.in b/imap/imapd-ssl.dist.in index ac2f468..609c5aa 100644 --- a/imap/imapd-ssl.dist.in +++ b/imap/imapd-ssl.dist.in @@ -194,16 +194,6 @@ COURIERTLS=@bindir@/couriertls # This is supposed to be an inactivity timeout, but its not yet implemented. # -##NAME: TLS_DHCERTFILE:0 -# -# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate. -# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA -# you must generate a DH pair that will be used. In most situations the -# DH pair is to be treated as confidential, and the file specified by -# TLS_DHCERTFILE must not be world-readable. -# -# TLS_DHCERTFILE= - ##NAME: TLS_CERTFILE:0 # # TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS @@ -238,6 +228,12 @@ COURIERTLS=@bindir@/couriertls TLS_CERTFILE=@certsdir@/imapd.pem +##NAME: TLS_DHPARAMS:0 +# +# TLS_DHPARAMS - DH parameter file. +# +TLS_DHPARAMS=@certsdir@/dhparams.pem + ##NAME: TLS_TRUSTCERTS:0 # # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. diff --git a/imap/imapd.cnf.openssl.in b/imap/imapd.cnf.openssl.in index 0c66526..db9c732 100644 --- a/imap/imapd.cnf.openssl.in +++ b/imap/imapd.cnf.openssl.in @@ -2,7 +2,7 @@ RANDFILE = @certsdir@/imapd.rand [ req ] -default_bits = 1024 +default_bits = 4096 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type diff --git a/imap/mkdhparams.in b/imap/mkdhparams.in new file mode 100644 index 0000000..f5bddfa --- /dev/null +++ b/imap/mkdhparams.in @@ -0,0 +1,44 @@ +#! @SHELL@ +# +# Copyright 2013 Double Precision, Inc. See COPYING for +# distribution information. +# +# Run this script monthly to generate DH parameters. + +if test -f @certsdir@/dhparams.pem +then + if test "`find @certsdir@/dhparams.pem -mtime +25 -print `" = "" + then + # Less than 25 days old + exit 0 + fi +fi + +set -e + +cp /dev/null @certsdir@/dhparams.pem.tmp +chmod 600 @certsdir@/dhparams.pem.tmp +chown @mailuser@ @certsdir@/dhparams.pem.tmp + +BITS="$DH_BITS" +if test "@ssllib@" = "openssl" +then + if test "$BITS" = "" + then + BITS=768 + fi + + dd if=@RANDOMV@ of=@certsdir@/dhparams.rand.tmp count=1 2>/dev/null + @OPENSSL@ dhparam -rand @certsdir@/dhparams.rand.tmp -outform PEM $BITS >@certsdir@/dhparams.pem.tmp + rm -f @certsdir@/dhparams.rand.tmp + mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem +else + if test "$BITS" = "" + then + BITS=high + fi + + @CERTTOOL@ --generate-dh-params --sec-param $BITS >@certsdir@/dhparams.pem.tmp + mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem +fi + diff --git a/imap/mkdhparams.sgml b/imap/mkdhparams.sgml new file mode 100644 index 0000000..086a530 --- /dev/null +++ b/imap/mkdhparams.sgml @@ -0,0 +1,81 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<!-- Copyright 2013 Double Precision, Inc. See COPYING for --> +<!-- distribution information. --> +<refentry> + <info><author><firstname>Sam</firstname><surname>Varshavchik</surname><contrib>Author</contrib></author><productname>Courier Mail Server</productname></info> + + <refmeta> + <refentrytitle>mkdhparams</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>Double Precision, Inc.</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>mkdhparams</refname> + <refpurpose>create DH parameter file</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis sepchar=" "> + <command>@sbindir@/mkdhparams</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + + <para> + This script creates new DH parameters and saves them in + <filename>@certsdir@/dhparams.pem</filename>. If this file already exists + and it's less than 25 days old, the script returns immediately. + If this file is over 25 days old, new DH parameters get generated and + the file gets replaced. + </para> + + <para> + This script is intended to be execute when the system boots, or from + a monthly cron job. + </para> + </refsect1> + + <refsect1> + <title>FILES</title> + + <variablelist> + <varlistentry> + <term>@certsdir@/dhparams.pem</term> + <listitem> + <simpara> + DH Parameter file. + </simpara> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>ENVIRONMENT VARIABLES</title> + + <variablelist> + <varlistentry> + <term>BITS</term> + <listitem> + <simpara> + Customize the DH parameter bit size. The default value depends on + whether this script uses OpenSSL or GnuTLS libraries. For OpenSSL + the default number of bits is 768. GnuTLS uses a security level + setting, rather than the number of bits, and the default + security level is "high". + </simpara> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + + <para> + <ulink url="courier.html"><citerefentry><refentrytitle>courier</refentrytitle><manvolnum>8</manvolnum></citerefentry></ulink></para> + </refsect1> +</refentry> diff --git a/imap/mkimapdcert.in b/imap/mkimapdcert.in index 4156975..3bc1df1 100644 --- a/imap/mkimapdcert.in +++ b/imap/mkimapdcert.in @@ -24,6 +24,9 @@ then fi umask 077 +set -e + +BITS="$BITS" cleanup() { rm -f @certsdir@/imapd.pem @@ -44,20 +47,26 @@ then dd if=@RANDOMV@ of=@certsdir@/imapd.rand count=1 2>/dev/null @OPENSSL@ req -new -x509 -days 365 -nodes \ -config @sysconfdir@/imapd.cnf -out @certsdir@/imapd.pem -keyout @certsdir@/imapd.pem || cleanup - @OPENSSL@ gendh -rand @certsdir@/imapd.rand 512 >>@certsdir@/imapd.pem || cleanup @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/imapd.pem || cleanup rm -f @certsdir@/imapd.rand else + if test "$BITS" = "" + then + BITS="high" + fi cp /dev/null @certsdir@/imapd.key chmod 600 @certsdir@/imapd.key cp /dev/null @certsdir@/imapd.cert chmod 600 @certsdir@/imapd.cert cp /dev/null @certsdir@/imapd.pem chmod 600 @certsdir@/imapd.pem + chown @mailuser@ @certsdir@/imapd.pem + cp /dev/null @certsdir@/imapd.pem + cp /dev/null @certsdir@/imapd.cert + cp /dev/null @certsdir@/imapd.key - @CERTTOOL@ --generate-privkey --outfile imapd.key + @CERTTOOL@ --generate-privkey --sec-param=$BITS --outfile imapd.key @CERTTOOL@ --generate-self-signed --load-privkey imapd.key --outfile imapd.cert --template @sysconfdir@/imapd.cnf - @CERTTOOL@ --generate-dh-params >>imapd.cert cat imapd.key imapd.cert >imapd.pem rm -f imapd.key imapd.cert fi diff --git a/imap/mkpop3dcert.in b/imap/mkpop3dcert.in index 9a4c530..5d48a1f 100644 --- a/imap/mkpop3dcert.in +++ b/imap/mkpop3dcert.in @@ -24,6 +24,7 @@ then fi umask 077 +set -e cleanup() { rm -f @certsdir@/pop3d.pem @@ -34,6 +35,9 @@ cleanup() { } cd @certsdir@ +umask 077 +BITS="$BITS" +set -e if test "@ssllib@" = "openssl" then @@ -44,20 +48,24 @@ then dd if=@RANDOMV@ of=@certsdir@/pop3d.rand count=1 2>/dev/null @OPENSSL@ req -new -x509 -days 365 -nodes \ -config @sysconfdir@/pop3d.cnf -out @certsdir@/pop3d.pem -keyout @certsdir@/pop3d.pem || cleanup - @OPENSSL@ gendh -rand @certsdir@/pop3d.rand 512 >>@certsdir@/pop3d.pem || cleanup @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/pop3d.pem || cleanup rm -f @certsdir@/pop3d.rand else + if test "$BITS" = "" + then + BITS="high" + fi + cp /dev/null @certsdir@/pop3d.key chmod 600 @certsdir@/pop3d.key cp /dev/null @certsdir@/pop3d.cert chmod 600 @certsdir@/pop3d.cert cp /dev/null @certsdir@/pop3d.pem chmod 600 @certsdir@/pop3d.pem + chown @mailuser@ @certsdir@/pop3d.pem - @CERTTOOL@ --generate-privkey --outfile pop3d.key + @CERTTOOL@ --generate-privkey --sec-param=$BITS --outfile pop3d.key @CERTTOOL@ --generate-self-signed --load-privkey pop3d.key --outfile pop3d.cert --template @sysconfdir@/pop3d.cnf - @CERTTOOL@ --generate-dh-params >>pop3d.cert cat pop3d.key pop3d.cert >pop3d.pem rm -f pop3d.key pop3d.cert fi diff --git a/imap/pop3d-ssl.dist.in b/imap/pop3d-ssl.dist.in index 81a395a..1164b77 100644 --- a/imap/pop3d-ssl.dist.in +++ b/imap/pop3d-ssl.dist.in @@ -158,16 +158,6 @@ COURIERTLS=@bindir@/couriertls # This is supposed to be an inactivity timeout, but its not yet implemented. # -##NAME: TLS_DHCERTFILE:0 -# -# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate. -# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA -# you must generate a DH pair that will be used. In most situations the -# DH pair is to be treated as confidential, and the file specified by -# TLS_DHCERTFILE must not be world-readable. -# -# TLS_DHCERTFILE= - ##NAME: TLS_CERTFILE:0 # # TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS @@ -202,6 +192,12 @@ COURIERTLS=@bindir@/couriertls TLS_CERTFILE=@certsdir@/pop3d.pem +##NAME: TLS_DHPARAMS:0 +# +# TLS_DHPARAMS - DH parameter file. +# +TLS_DHPARAMS=@certsdir@/dhparams.pem + ##NAME: TLS_TRUSTCERTS:0 # # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. diff --git a/imap/pop3d.cnf.openssl.in b/imap/pop3d.cnf.openssl.in index 971965e..5ef1d47 100644 --- a/imap/pop3d.cnf.openssl.in +++ b/imap/pop3d.cnf.openssl.in @@ -2,7 +2,7 @@ RANDFILE = @certsdir@/pop3d.rand [ req ] -default_bits = 1024 +default_bits = 4096 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type diff --git a/tcpd/libcouriergnutls.c b/tcpd/libcouriergnutls.c index 9f6f49d..fbf5e8c 100644 --- a/tcpd/libcouriergnutls.c +++ b/tcpd/libcouriergnutls.c @@ -127,7 +127,7 @@ struct ssl_context_t { const char *priority_list; char *certfile; - int certfiledh; + char *dhfile; char *trustcerts; @@ -142,6 +142,7 @@ struct ssl_handle_t { gnutls_anon_server_credentials_t anonservercred; gnutls_certificate_credentials_t xcred; gnutls_dh_params_t dhparams; + int dhparams_initialized; gnutls_session_t session; gnutls_x509_privkey_t x509_key; @@ -185,7 +186,7 @@ ssl_context tls_create(int isserver, const struct tls_info *info) static int first=1; ssl_context p=malloc(sizeof(struct ssl_context_t)); - char *certfile=NULL, *dhcertfile=NULL; + char *certfile=NULL; char debug_flag; if (!p) @@ -241,36 +242,34 @@ ssl_context tls_create(int isserver, const struct tls_info *info) "NORMAL:-CTYPE-OPENPGP"); if ((certfile=strdup(safe_getenv(p, "TLS_CERTFILE", ""))) == NULL || - (dhcertfile=strdup(safe_getenv(p, "TLS_DHCERTFILE", ""))) - == NULL || (p->trustcerts=strdup(safe_getenv(p, "TLS_TRUSTCERTS", ""))) == NULL) { if (certfile) free(certfile); - if (dhcertfile) - free(dhcertfile); tls_destroy(p); return NULL; } - if (*dhcertfile) - { - p->certfile=dhcertfile; - p->certfiledh=1; - dhcertfile=NULL; - } - else if (*certfile) + if (*certfile) { p->certfile=certfile; - p->certfiledh=0; certfile=NULL; } if (certfile) free(certfile); - if (dhcertfile) - free(dhcertfile); + + if ((certfile=strdup(safe_getenv(p, "TLS_DHPARAMS", ""))) != NULL && + *certfile) + { + p->dhfile=certfile; + } + else + { + if (certfile) + free(certfile); + } switch (*safe_getenv(p, "TLS_VERIFYPEER", "P")) { case 'n': @@ -325,7 +324,8 @@ void tls_destroy(ssl_context p) { if (p->certfile) free(p->certfile); - + if (p->dhfile) + free(p->dhfile); if (p->trustcerts) free(p->trustcerts); @@ -1202,21 +1202,28 @@ static int get_client_cert(gnutls_session_t session, } static int read_dh_params(gnutls_dh_params_t dhparams, - const char *filename) + const char *filename, + int *dhparams_initialized) { int rc; - gnutls_datum_t filebuf; + if (*dhparams_initialized) + return 0; + + if (!filename) + return 0; + rc=read_file(filename, &filebuf); if (rc == 0) { - rc=gnutls_dh_params_import_pkcs3(dhparams, &filebuf, - GNUTLS_X509_FMT_PEM); + if (gnutls_dh_params_import_pkcs3(dhparams, &filebuf, + GNUTLS_X509_FMT_PEM) == 0) + *dhparams_initialized=1; release_file(&filebuf); } - return rc; + return 0; } static int db_store_func(void *dummy, gnutls_datum_t key, @@ -1444,16 +1451,15 @@ RT | 0); gnutls_certificate_set_verify_limits(ssl->xcred, 16384, 10); + ssl->dhparams_initialized=0; if (gnutls_priority_set_direct(ssl->session, ctx->priority_list, NULL) < 0 || - (ctx->certfiledh && read_dh_params(ssl->dhparams, - ctx->certfile) < 0) || + read_dh_params(ssl->dhparams, ctx->dhfile, + &ssl->dhparams_initialized) < 0 || + read_dh_params(ssl->dhparams, ctx->certfile, + &ssl->dhparams_initialized) < 0 || add_certificates(ssl->xcred, ctx->trustcerts) < 0 || -#if 0 - add_certificates(ssl->xcred, ctx->certfile) < 0 || - add_certificates(ssl->xcred, ctx->dhcertfile) < 0 || -#endif gnutls_credentials_set(ssl->session, GNUTLS_CRD_ANON, ctx->isserver ? (void *)ssl->anonservercred @@ -1473,7 +1479,7 @@ RT | return NULL; } - if (ctx->certfiledh) + if (ssl->dhparams_initialized) { gnutls_certificate_set_dh_params(ssl->xcred, ssl->dhparams); diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c index c44f318..50f0801 100644 --- a/tcpd/libcouriertls.c +++ b/tcpd/libcouriertls.c @@ -215,15 +215,6 @@ static int verifypeer(const struct tls_info *info, SSL *ssl) return (0); } -#ifndef NO_RSA - -static RSA *rsa_callback(SSL *s, int export, int keylength) -{ - return (RSA_generate_key(keylength,RSA_F4,NULL,NULL)); -} - -#endif - static void nonsslerror(const struct tls_info *info, const char *pfix) { char errmsg[256]; @@ -269,51 +260,23 @@ static void sslerror(const struct tls_info *info, const char *pfix, int rc) static void init_session_cache(struct tls_info *, SSL_CTX *); -static int process_rsacertfile(SSL_CTX *ctx, const char *filename) +static void load_dh_params(SSL_CTX *ctx, const char *filename, + int *cert_file_flags) { -#ifndef NO_RSA - const struct tls_info *info=SSL_CTX_get_app_data(ctx); - SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback); - - if(!SSL_CTX_use_certificate_chain_file(ctx, filename)) - { - sslerror(info, filename, -1); - return (0); - } - - if(!SSL_CTX_use_RSAPrivateKey_file(ctx, filename, SSL_FILETYPE_PEM)) - { - sslerror(info, filename, -1); - return (0); - } -#endif - return (1); -} - - -static int process_dhcertfile(SSL_CTX *ctx, const char *filename) -{ -#ifndef NO_DH - - const struct tls_info *info=SSL_CTX_get_app_data(ctx); BIO *bio; DH *dh; - int cert_done=0; - if(!SSL_CTX_use_certificate_chain_file(ctx, filename)) - { - sslerror(info, filename, -1); - return (0); - } + if (*cert_file_flags) + return; if ((bio=BIO_new_file(filename, "r")) != 0) { if ((dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) != 0) { SSL_CTX_set_tmp_dh(ctx, dh); - cert_done=1; + *cert_file_flags = 1; DH_free(dh); } else @@ -322,33 +285,40 @@ static int process_dhcertfile(SSL_CTX *ctx, const char *filename) } else sslerror(info, filename, -1); +} - if (!cert_done) - { - (*info->tls_err_msg)("couriertls: DH init failed!", - info->app_data); +static int read_certfile(SSL_CTX *ctx, const char *filename, + int *cert_file_flags) +{ + const struct tls_info *info=SSL_CTX_get_app_data(ctx); + if(!SSL_CTX_use_certificate_chain_file(ctx, filename)) + { + sslerror(info, filename, -1); return (0); } + load_dh_params(ctx, filename, cert_file_flags); + if(!SSL_CTX_use_PrivateKey_file(ctx, filename, SSL_FILETYPE_PEM)) { sslerror(info, filename, -1); return (0); } -#endif return (1); } static int process_certfile(SSL_CTX *ctx, const char *certfile, const char *ip, - int (*func)(SSL_CTX *, const char *)) + int (*func)(SSL_CTX *, const char *, + int *), + int *cert_file_flags) { if (ip && *ip) { char *test_file; if (strncmp(ip, "::ffff:", 7) == 0 && strchr(ip, '.')) - return (process_certfile(ctx, certfile, ip+7, func)); + return (process_certfile(ctx, certfile, ip+7, func, cert_file_flags)); test_file= malloc(strlen(certfile)+strlen(ip)+2); @@ -358,7 +328,8 @@ static int process_certfile(SSL_CTX *ctx, const char *certfile, const char *ip, if (access(test_file, R_OK) == 0) { - int rc= (*func)(ctx, test_file); + int rc= (*func)(ctx, test_file, + cert_file_flags); free(test_file); return rc; @@ -366,7 +337,7 @@ static int process_certfile(SSL_CTX *ctx, const char *certfile, const char *ip, free(test_file); } - return (*func)(ctx, certfile); + return (*func)(ctx, certfile, cert_file_flags); } static int client_cert_cb(ssl_handle ssl, X509 **x509, EVP_PKEY **pkey) @@ -483,7 +454,7 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info) const char *protocol=safe_getenv(info, "TLS_PROTOCOL"); const char *ssl_cipher_list=safe_getenv(info, "TLS_CIPHER_LIST"); int session_timeout=atoi(safe_getenv(info, "TLS_TIMEOUT")); - const char *dhcertfile=safe_getenv(info, "TLS_DHCERTFILE"); + const char *dhparamsfile=safe_getenv(info, "TLS_DHPARAMS"); const char *certfile=safe_getenv(info, "TLS_CERTFILE"); const char *s; struct stat stat_buf; @@ -493,16 +464,17 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info) struct tls_info *info_copy; const SSL_METHOD *method=NULL; long options; + int cert_file_flags; if (!*ssl_cipher_list) ssl_cipher_list=NULL; - if (!*dhcertfile) - dhcertfile=NULL; - if (!*certfile) certfile=NULL; + if (!*dhparamsfile) + dhparamsfile=NULL; + s=safe_getenv(info, "TLS_TRUSTCERTS"); if (s && stat(s, &stat_buf) == 0) { @@ -599,15 +571,14 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info) s = safe_getenv(info, "TCPLOCALIP"); - if (certfile && !process_certfile(ctx, certfile, s, - process_rsacertfile)) - { - tls_destroy(ctx); - return (NULL); - } + cert_file_flags=0; + + if (dhparamsfile) + load_dh_params(ctx, dhparamsfile, &cert_file_flags); - if (dhcertfile && !process_certfile(ctx, dhcertfile, s, - process_dhcertfile)) + if (certfile && !process_certfile(ctx, certfile, s, + read_certfile, + &cert_file_flags)) { tls_destroy(ctx); return (NULL); |