Changeset a2b4ab6 in mod_gnutls for src/gnutls_config.c


Ignore:
Timestamp:
Jul 5, 2017, 1:47:32 AM (2 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
bd6591f
Parents:
92ac36e
Message:

Use GnuTLS known DH parameters

If the user does not configure the DH parameters to use, mod_gnutls
now estimates the GnuTLS security parameter based on the private key
and uses the matching DH group built into GnuTLS. Using one of the
known DH groups is recommended by the GnuTLS developers.

Using built-in DH groups requires compiling against GnuTLS version
3.5.6 or newer. Otherwise the ffdhe2048 DH group as defined in RFC
7919, Appendix A.1 is the new default, which is the built-in for
security parameter "medium" in current GnuTLS versions.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • src/gnutls_config.c

    r92ac36e ra2b4ab6  
    8484}
    8585
    86 /* 2048-bit group parameters from SRP specification */
    87 const char static_dh_params[] = "-----BEGIN DH PARAMETERS-----\n"
    88         "MIIBBwKCAQCsa9tBMkqam/Fm3l4TiVgvr3K2ZRmH7gf8MZKUPbVgUKNzKcu0oJnt\n"
    89         "gZPgdXdnoT3VIxKrSwMxDc1/SKnaBP1Q6Ag5ae23Z7DPYJUXmhY6s2YaBfvV+qro\n"
    90         "KRipli8Lk7hV+XmT7Jde6qgNdArb9P90c1nQQdXDPqcdKB5EaxR3O8qXtDoj+4AW\n"
    91         "dr0gekNsZIHx0rkHhxdGGludMuaI+HdIVEUjtSSw1X1ep3onddLs+gMs+9v1L7N4\n"
    92         "YWAnkATleuavh05zA85TKZzMBBx7wwjYKlaY86jQw4JxrjX46dv7tpS1yAPYn3rk\n"
    93         "Nd4jbVJfVHWbZeNy/NaO8g+nER+eSv9zAgEC\n"
    94         "-----END DH PARAMETERS-----\n";
    95 
    96 /*
    97  * Clean up the various GnuTLS data structures allocated from
     86
     87
     88/**
     89 * Clean up the various GnuTLS data structures allocated by
    9890 * mgs_load_files()
    9991 */
     
    254246#endif
    255247
    256     if (sc->dh_params == NULL)
    257     {
    258         ret = gnutls_dh_params_init(&sc->dh_params);
    259         if (ret < 0) {
    260             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    261                          "GnuTLS: Failed to initialize"
    262                          ": (%d) %s", ret, gnutls_strerror(ret));
    263             ret = -1;
    264             goto cleanup;
    265         }
    266 
    267         /* Load DH parameters */
    268         if (sc->dh_file)
     248    /* Load user provided DH parameters, if any */
     249    if (sc->dh_file)
     250    {
     251        if (sc->dh_params == NULL)
    269252        {
    270             if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
     253            ret = gnutls_dh_params_init(&sc->dh_params);
     254            if (ret < 0) {
    271255                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    272                              "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
     256                             "GnuTLS: Failed to initialize"
     257                             ": (%d) %s", ret, gnutls_strerror(ret));
    273258                ret = -1;
    274259                goto cleanup;
    275260            }
    276 
    277             ret =
    278                 gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
    279                                               GNUTLS_X509_FMT_PEM);
    280             if (ret < 0) {
    281                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    282                              "GnuTLS: Failed to Import "
    283                              "DH params '%s': (%d) %s", sc->dh_file, ret,
    284                              gnutls_strerror(ret));
    285                 ret = -1;
    286                 goto cleanup;
    287             }
    288         } else {
    289             gnutls_datum_t pdata = {
    290                 (void *) static_dh_params,
    291                 sizeof(static_dh_params)
    292             };
    293 
    294             ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &pdata, GNUTLS_X509_FMT_PEM);
    295             if (ret < 0) {
    296                 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
    297                              "GnuTLS: Unable to generate or load DH Params: (%d) %s",
    298                              ret, gnutls_strerror(ret));
    299                 ret = -1;
    300                 goto cleanup;
    301             }
     261        }
     262
     263        if (load_datum_from_file(spool, sc->dh_file, &data) != 0) {
     264            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
     265                         "GnuTLS: Error Reading " "DH params '%s'", sc->dh_file);
     266            ret = -1;
     267            goto cleanup;
     268        }
     269
     270        ret =
     271            gnutls_dh_params_import_pkcs3(sc->dh_params, &data,
     272                                          GNUTLS_X509_FMT_PEM);
     273        if (ret < 0) {
     274            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
     275                         "GnuTLS: Failed to Import "
     276                         "DH params '%s': (%d) %s", sc->dh_file, ret,
     277                         gnutls_strerror(ret));
     278            ret = -1;
     279            goto cleanup;
    302280        }
    303281    }
     
    11091087    sc->priorities = NULL;
    11101088    sc->dh_params = NULL;
     1089    sc->dh_file = NULL;
    11111090    sc->ca_list = NULL;
    11121091    sc->ca_list_size = 0;
Note: See TracChangeset for help on using the changeset viewer.