src - OpenBSD base system

diff options


context:
space:
mode:

author	Gilles Chehade <gilles@cvs.openbsd.org>	2013-01-28 13:42:15 +0000
committer	Gilles Chehade <gilles@cvs.openbsd.org>	2013-01-28 13:42:15 +0000
commit	8a6b4ec33f6c5bd0015d3ad2cf67b0eba1324a55 (patch)
tree	721048a0f36a216dc96d1c16f17ab3f75411ab7b /usr.sbin/ldapd
parent	dc9f829328a1ee8160ad51fd823041a136c6cb62 (diff)

ssl.c is a very old copy of smtpd's and didn't catch up the bump of the

DH prime parameter. bring the update from smtpd... openldap client now accepts to connect to a ssl-enabled ldapd server, issue reported by Joel Carnat and Vadim Agarkov diff ok mikeb@ and martinh@

Diffstat (limited to 'usr.sbin/ldapd')

-rw-r--r--

usr.sbin/ldapd/ssl.c

1 files changed, 47 insertions, 45 deletions

diff --git a/usr.sbin/ldapd/ssl.c b/usr.sbin/ldapd/ssl.c
index 89e3ba65096..2bf992ba330 100644
--- a/usr.sbin/ldapd/ssl.c
+++ b/usr.sbin/ldapd/ssl.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl.c,v 1.4 2010/07/01 02:19:11 martinh Exp $ */

+/* $OpenBSD: ssl.c,v 1.5 2013/01/28 13:42:14 gilles Exp $ */

@@ -50,37 +50,12 @@ void ssl_read(int, short, void *);

void ssl_write(int, short, void *);

int ssl_bufferevent_add(struct event *, int);

-DH *get_dh512(void);

-void ssl_set_ephemeral_key_exchange(SSL_CTX *);

+DH *get_dh1024(void);

+void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *);

extern void bufferevent_read_pressure_cb(struct evbuffer *, size_t,

size_t, void *);

-/* From OpenSSL's documentation:

- *

- * If "strong" primes were used to generate the DH parameters, it is

- * not strictly necessary to generate a new key for each handshake

- * but it does improve forward secrecy.

- *

- * These are the parameters used by both sendmail and openssl's

- * s_server.

- *

- * -- gilles@

- */

-unsigned char dh512_p[] = {

- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,

- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,

- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,

- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,

- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,

- 0x47,0x74,0xE8,0x33,

-};

-unsigned char dh512_g[] = {

- 0x02,

-};

void

ssl_read(int fd, short event, void *p)

{

@@ -409,7 +384,7 @@ ssl_setup(struct ldapd_config *env, struct listener *l)

(const unsigned char *)l->ssl_cert_name, strlen(l->ssl_cert_name) + 1))

goto err;

- ssl_set_ephemeral_key_exchange(l->ssl_ctx);

+ ssl_set_ephemeral_key_exchange(l->ssl_ctx, get_dh1024());

log_debug("ssl_setup: ssl setup finished for listener: %p", l);

return;

@@ -535,29 +510,56 @@ ssl_session_destroy(struct conn *s)

SSL_free(s->s_ssl);

}

+/* From OpenSSL's documentation:

+ *

+ * If "strong" primes were used to generate the DH parameters, it is

+ * not strictly necessary to generate a new key for each handshake

+ * but it does improve forward secrecy.

+ *

+ * -- gilles@

+ */

DH *

-get_dh512(void)

+get_dh1024(void)

{

- DH *dh;

- if ((dh = DH_new()) == NULL)

+ DH *dh;

+ unsigned char dh1024_p[] = {

+ 0xAD,0x37,0xBB,0x26,0x75,0x01,0x27,0x75,

+ 0x06,0xB5,0xE7,0x1E,0x1F,0x2B,0xBC,0x51,

+ 0xC0,0xF4,0xEB,0x42,0x7A,0x2A,0x83,0x1E,

+ 0xE8,0xD1,0xD8,0xCC,0x9E,0xE6,0x15,0x1D,

+ 0x06,0x46,0x50,0x94,0xB9,0xEE,0xB6,0x89,

+ 0xB7,0x3C,0xAC,0x07,0x5E,0x29,0x37,0xCC,

+ 0x8F,0xDF,0x48,0x56,0x85,0x83,0x26,0x02,

+ 0xB8,0xB6,0x63,0xAF,0x2D,0x4A,0x57,0x93,

+ 0x6B,0x54,0xE1,0x8F,0x28,0x76,0x9C,0x5D,

+ 0x90,0x65,0xD1,0x07,0xFE,0x5B,0x05,0x65,

+ 0xDA,0xD2,0xE2,0xAF,0x23,0xCA,0x2F,0xD6,

+ 0x4B,0xD2,0x04,0xFE,0xDF,0x21,0x2A,0xE1,

+ 0xCD,0x1B,0x70,0x76,0xB3,0x51,0xA4,0xC9,

+ 0x2B,0x68,0xE3,0xDD,0xCB,0x97,0xDA,0x59,

+ 0x50,0x93,0xEE,0xDB,0xBF,0xC7,0xFA,0xA7,

+ 0x47,0xC4,0x4D,0xF0,0xC6,0x09,0x4A,0x4B

+ };

+ unsigned char dh1024_g[] = {

+ 0x02

+ };

+ if ((dh = DH_new()) == NULL)

return NULL;

- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);

- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);

- if (dh->p == NULL || dh->g == NULL)

- return NULL;

+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);

+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);

+ if (dh->p == NULL || dh->g == NULL) {

+ DH_free(dh);

+ return NULL;

+ }

- return dh;

+ return dh;

}

void

-ssl_set_ephemeral_key_exchange(SSL_CTX *ctx)

+ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh)

{

- DH *dh;

- dh = get_dh512();

- if (dh != NULL)

- SSL_CTX_set_tmp_dh(ctx, dh);

+ if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh))

+ fatal("ssl_set_ephemeral_key_exchange: cannot set tmp dh");

}