From 13b2e3763541fc5045bbc09f14a5b0aae51558d0 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli
Date: Wed, 21 Mar 2018 11:12:21 +0100
Subject: [PATCH 1/2] DH parameters are not always required for example ECDHE ciphers doesn't require DH parameters. Closes #499
---
 src/bip.c | 6 ++----
 src/connection.c | 27 +++++++++++++++++++++------
 2 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/src/bip.c b/src/bip.c
index 40465d0..abb5afb 100644
--- a/src/bip.c
+++ b/src/bip.c
@@ -1332,11 +1332,9 @@ int main(int argc, char **argv)
 "readable / writable. Please fix the modes.",
 conf_ssl_certfile);
- if (!conf_client_dh_file) {
- conf_client_dh_file = default_path(conf_biphome, "dh.pem",
- "DH parameters");
+ if (conf_client_dh_file) {
+ assert_path_exists(conf_client_dh_file);
 }
- assert_path_exists(conf_client_dh_file);
 }
 #endif
diff --git a/src/connection.c b/src/connection.c
index 86377a9..a322ab4 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -15,6 +15,7 @@
 #include
 #include
 #include "connection.h"
+#include "path_util.h"
 extern int errno;
 #ifdef HAVE_LIBSSL
@@ -24,6 +25,7 @@ static int ssl_cx_idx;
 extern FILE *conf_global_log_file;
 static BIO *errbio = NULL;
 extern char *conf_ssl_certfile;
+extern char *conf_biphome;
 extern char *conf_client_ciphers;
 extern char *conf_client_dh_file;
 static int SSLize(connection_t *cn, int *nc);
@@ -1136,7 +1138,6 @@ static int ctx_set_dh(SSL_CTX *ctx)
 FILE *f;
 int ret;
- /* Should not fail: already checked in main function */
 if ((f = fopen(conf_client_dh_file, "r")) == NULL) {
 mylog(LOG_ERROR, "Unable to open DH parameters (%s): %s",
 conf_client_dh_file, strerror(errno));
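Review bot: The startup validation now covers only an explicitly configured path, so a dh.pem that exists in conf_biphome but is unreadable or not a regular file is no longer rejected by assert_path_exists here and instead fails inside ctx_set_dh at the first accepted connection (the default lookup moved into the accept_new hunk). Probing the default location at this point and assigning conf_client_dh_file only when the file exists, then keeping the new `if (conf_client_dh_file) { assert_path_exists(conf_client_dh_file); }`, would keep every filesystem check at startup and leave accept_new with a plain NULL test. main continues outside the hunk.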
@@ -1209,11 +1210,25 @@ connection_t *accept_new(connection_t *cn)
 return NULL;
 }
- if (!ctx_set_dh(sslctx)) {
- mylog(LOG_ERROR, "SSL Unable to load DH "
- "parameters");
- connection_free(conn);
- return NULL;
+ if (!conf_client_dh_file) {
+ // try with a default path but don't fail if it doesn't exist
+ conf_client_dh_file = default_path(conf_biphome, "dh.pem",
+ "DH parameters");
+
+ struct stat st_buf;
+ if (stat(conf_client_dh_file, &st_buf) != 0) {
+ free(conf_client_dh_file);
+ conf_client_dh_file = NULL;
+ }
+ }
+
+ if (conf_client_dh_file) {
+ if (!ctx_set_dh(sslctx)) {
+ mylog(LOG_ERROR, "SSL Unable to load DH "
+ "parameters");
+ connection_free(conn);
+ return NULL;
+ }
 }
 if (!SSL_CTX_use_certificate_chain_file(sslctx,
From 7834471f78c1af516df4bdbc193a805582e9f7fa Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli
Date: Wed, 21 Mar 2018 11:32:46 +0100
Subject: [PATCH 2/2] default value isn't used when path doesn't exist
---
 src/path_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/path_util.c b/src/path_util.c
index ea3bba1..2a7c4cb 100644
--- a/src/path_util.c
+++ b/src/path_util.c
@@ -23,7 +23,7 @@ char *default_path(const char *biphome, const char *filename, const char *desc)
 strcpy(conf_file, biphome);
 conf_file[strlen(biphome)] = '/';
 strcat(conf_file, filename);
- mylog(LOG_INFO, "Using default %s: %s", desc, conf_file);
+ mylog(LOG_INFO, "Default %s: %s", desc, conf_file);
 return conf_file;
 }
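Review bot: The stat() probe on the default path only checks that something exists there, so a directory or an unreadable dh.pem in conf_biphome passes it and then makes ctx_set_dh fail, which refuses the connection on every accept rather than at startup, because main no longer validates the default path. Testing the file type in the same condition narrows that: `if (stat(conf_client_dh_file, &st_buf) != 0 || !S_ISREG(st_buf.st_mode)) {`, and struct stat/S_ISREG need <sys/stat.h>, which the include hunk does not add, so the build depends on connection.c already including it outside the hunk. The probe also repeats on every accept while no dh.pem exists (default_path allocates, stat fails, free) and silently starts loading a dh.pem that appears in conf_biphome later; resolving the default once at startup would make this deterministic and keep accept_new free of filesystem access. When nothing is loaded, a line such as `mylog(LOG_INFO, "No DH parameters loaded, DHE key exchange disabled");` would tell operators why only ECDHE suites are negotiable, since pre-TLS-1.3 DHE suites need parameters unless OpenSSL's automatic DH is enabled elsewhere. accept_new starts and ends outside the hunk.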
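Review bot: The three context lines above the changed mylog build the path with strcpy, then overwrite the terminating NUL at conf_file[strlen(biphome)] with '/', and then call strcat, which has to find a NUL that is no longer there; this is only correct if the allocation outside the hunk zero-fills conf_file (calloc), otherwise strcat reads indeterminate bytes past the copied prefix. A single bounded format removes both that dependency and the unbounded copies: `snprintf(conf_file, <allocated size>, "%s/%s", biphome, filename);` where the size placeholder is whatever is computed at the allocation site. The changed message is still emitted whether or not the caller ends up using the file, so logging the outcome in the caller, or wording it as `"Default %s path: %s"`, would avoid implying the file was found. default_path's allocation and the rest of its body are outside the hunk.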