Attachment 30804 Details for Bug 49559 – PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and 2.4.x)

[patch] PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and 2.4.x)

PR49559_PoC.diff (text/plain), 3.23 KB, created by Kaspar Brand on 2013-09-08 08:10:11 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Kaspar Brand

Created: 2013-09-08 08:10:11 UTC

Size: 3.23 KB

patch

obsolete

>Index: modules/ssl/ssl_private.h
>===================================================================
>--- modules/ssl/ssl_private.h	(revision 1520841)
>+++ modules/ssl/ssl_private.h	(working copy)
>@@ -930,8 +930,12 @@
> 
> /**  Diffie-Hellman Parameter Support  */
> DH           *ssl_dh_GetTmpParam(int);
>-DH           *ssl_dh_GetParamFromFile(char *);
>+DH           *ssl_dh_GetParamFromFile(const char *);
> 
>+#ifndef OPENSSL_NO_EC
>+EC_GROUP     *ssl_ec_GetParamFromFile(const char *);
>+#endif
>+
> unsigned char *ssl_asn1_table_set(apr_hash_t *table,
>                                   const char *key,
>                                   long int length);
>Index: modules/ssl/ssl_engine_dh.c
>===================================================================
>--- modules/ssl/ssl_engine_dh.c	(revision 1520841)
>+++ modules/ssl/ssl_engine_dh.c	(working copy)
>@@ -135,7 +135,7 @@
>     return dh;
> }
> 
>-DH *ssl_dh_GetParamFromFile(char *file)
>+DH *ssl_dh_GetParamFromFile(const char *file)
> {
>     DH *dh = NULL;
>     BIO *bio;
>Index: modules/ssl/ssl_engine_init.c
>===================================================================
>--- modules/ssl/ssl_engine_init.c	(revision 1520841)
>+++ modules/ssl/ssl_engine_init.c	(working copy)
>@@ -192,6 +192,18 @@
> #define MODSSL_TMP_KEY_INIT_EC(s, bits) \
>     ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits)
> 
>+EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
>+{
>+    EC_GROUP *ecg = NULL;
>+    BIO *bio;
>+
>+    if ((bio = BIO_new_file(file, "r")) == NULL)
>+        return NULL;
>+    ecg = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
>+    BIO_free(bio);
>+    return (ecg);
>+}
>+
> #endif
> 
> #define MODSSL_TMP_KEY_INIT_RSA(s, bits) \
>@@ -1184,10 +1196,14 @@
>     const char *rsa_id, *dsa_id;
> #ifndef OPENSSL_NO_EC
>     const char *ecc_id;
>+    EC_GROUP *ecparams;
>+    EC_KEY *eckey;
>+    int nid;
> #endif
>     const char *vhost_id = mctx->sc->vhost_id;
>     int i;
>     int have_rsa, have_dsa;
>+    DH *dhparams;
> #ifndef OPENSSL_NO_EC
>     int have_ecc;
> #endif
>@@ -1234,6 +1250,33 @@
>                 "Oops, no " KEYTYPES " server private key found?!");
>         ssl_die(s);
>     }
>+
>+    /*
>+     * Try to read DHE parameters from the (first) SSLCertificateFile
>+     */
>+    if ((mctx->pks->cert_files[0] != NULL) &&
>+        (dhparams = ssl_dh_GetParamFromFile(mctx->pks->cert_files[0]))) {
>+        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
>+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO()
>+                     "DHE parameters (%d bits) for %s configured from %s",
>+                     BN_num_bits(dhparams->p), vhost_id,
>+                     mctx->pks->cert_files[0]);
>+    }
>+
>+#ifndef OPENSSL_NO_EC
>+    /*
>+     * Similarly, try to read the ECDHE curve name from SSLCertificateFile
>+     */
>+    if ((mctx->pks->cert_files[0] != NULL) &&
>+        (ecparams = ssl_ec_GetParamFromFile(mctx->pks->cert_files[0])) &&
>+        (nid = EC_GROUP_get_curve_name(ecparams)) &&
>+        (eckey = EC_KEY_new_by_curve_name(nid))) {
>+        SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
>+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO()
>+                     "ECDHE curve (%s) for %s configured from %s",
>+                     OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]);
>+    }
>+#endif
> }
> 
> #ifdef HAVE_TLS_SESSION_TICKETS

Actions: View | Diff

Attachments on bug 49559: 25714 | 28699 | 30804