Log In
Log In
Places
All Projects
Status Monitor
Collapse sidebar
zimbra:collaboration:8.7
zimbra-openldap
ITS7506.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ITS7506.patch of Package zimbra-openldap
diff --git a/doc/guide/admin/tls.sdf b/doc/guide/admin/tls.sdf index 00bf83c..cd8343d 100644 --- a/doc/guide/admin/tls.sdf +++ b/doc/guide/admin/tls.sdf @@ -188,18 +188,20 @@ and it doesn't need very much data to work. This directive is ignored with GnuTLS and Mozilla NSS. -H4: TLSEphemeralDHParamFile <filename> +H4: TLSDHParamFile <filename> This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order -to use a DSA certificate on the server side (i.e. -{{EX:TLSCertificateKeyFile}} points to a DSA key). Multiple sets -of parameters can be included in the file; all of them will be -processed. Parameters can be generated using the following command +to use DHE-based cipher suites, including all DSA-based suites (i.e. +{{EX:TLSCertificateKeyFile}} points to a DSA key), and RSA when the 'key +encipherment' key usage is not specified in the certificate. Parameters can be +generated using the following command > openssl dhparam [-dsaparam] -out <filename> <numbits> +or +> certtool --generate-dh-params --bits <numbits> --outfile <filename> -This directive is ignored with GnuTLS and Mozilla NSS. +This directive is ignored with Mozilla NSS. H4: TLSVerifyClient { never | allow | try | demand } diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index 2f8e656..95621a1 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -920,12 +920,15 @@ browser. Press 'Enter' for the new password. .B olcTLSDHParamFile: <filename> This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP .B olcTLSProtocolMin: <major>[.<minor>] diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 8840e3a..1a895c9 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1151,13 +1151,16 @@ browser. Press 'Enter' for the new password. .B TLSDHParamFile <filename> This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on -the server. If multiple sets of parameters are present in the file, all of -them will be processed. Note that setting this option may also enable +the server, or an RSA certificate missing the "key encipherment" key usage. +Note that setting this option may also enable Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. -You should append "!ADH" to your cipher suites if you have changed them -from the default, otherwise no certificate exchanges or verification will -be done. When using GnuTLS these parameters are always generated randomly so -this directive is ignored. This directive is ignored when using Mozilla NSS. +Anonymous key exchanges should generally be avoided since they provide no +actual client or server authentication and provide no protection against +man-in-the-middle attacks. +You should append "!ADH" to your cipher suites to ensure that these suites +are not used. +When using Mozilla NSS these parameters are always generated randomly +so this directive is ignored. .TP .B TLSProtocolMin <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c index 2ecee46..3b274c4 100644 --- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c @@ -59,16 +59,6 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx ); static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx ); static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ); -static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ); - -typedef struct dhplist { - struct dhplist *next; - int keylength; - DH *param; -} dhplist; - -static dhplist *tlso_dhparams; - static int tlso_seed_PRNG( const char *randfile ); #ifdef LDAP_R_COMPILE @@ -76,7 +66,6 @@ static int tlso_seed_PRNG( const char *randfile ); * provide mutexes for the OpenSSL library. */ static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS]; -static ldap_pvt_thread_mutex_t tlso_dh_mutex; static void tlso_locking_cb( int mode, int type, const char *file, int line ) { @@ -107,7 +96,6 @@ static void tlso_thr_init( void ) for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) { ldap_pvt_thread_mutex_init( &tlso_mutexes[i] ); } - ldap_pvt_thread_mutex_init( &tlso_dh_mutex ); CRYPTO_set_locking_callback( tlso_locking_cb ); CRYPTO_set_id_callback( tlso_thread_self ); } @@ -311,7 +299,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) if ( lo->ldo_tls_dhfile ) { DH *dh = NULL; BIO *bio; - dhplist *p; + SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { Debug( LDAP_DEBUG_ANY, @@ -320,16 +308,16 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) tlso_report_error(); return -1; } - while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { - p = LDAP_MALLOC( sizeof(dhplist) ); - if ( p != NULL ) { - p->keylength = DH_size( dh ) * 8; - p->param = dh; - p->next = tlso_dhparams; - tlso_dhparams = p; - } + if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not read DH parameters file `%s'.\n", + lo->ldo_tls_dhfile,0,0); + tlso_report_error(); + BIO_free( bio ); + return -1; } BIO_free( bio ); + SSL_CTX_set_tmp_dh( ctx, dh ); } if ( tlso_opt_trace ) { @@ -349,9 +337,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ? tlso_verify_ok : tlso_verify_cb ); SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); - if ( lo->ldo_tls_dhfile ) { - SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb ); - } #ifdef HAVE_OPENSSL_CRL if ( lo->ldo_tls_crlcheck ) { X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); @@ -1175,108 +1160,6 @@ tlso_seed_PRNG( const char *randfile ) return 0; } -struct dhinfo { - int keylength; - const char *pem; - size_t size; -}; - - -/* From the OpenSSL 0.9.7 distro */ -static const char tlso_dhpem512[] = -"-----BEGIN DH PARAMETERS-----\n\ -MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\ -a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\ ------END DH PARAMETERS-----\n"; - -static const char tlso_dhpem1024[] = -"-----BEGIN DH PARAMETERS-----\n\ -MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ -/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ -/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ ------END DH PARAMETERS-----\n"; - -static const char tlso_dhpem2048[] = -"-----BEGIN DH PARAMETERS-----\n\ -MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\ -AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\ -z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\ -pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\ -aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\ -Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\ ------END DH PARAMETERS-----\n"; - -static const char tlso_dhpem4096[] = -"-----BEGIN DH PARAMETERS-----\n\ -MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\ -vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\ -TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\ -bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\ -rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\ -EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\ -bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\ -W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\ -ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\ -NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\ -jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\ ------END DH PARAMETERS-----\n"; - -static const struct dhinfo tlso_dhpem[] = { - { 512, tlso_dhpem512, sizeof(tlso_dhpem512) }, - { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) }, - { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) }, - { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) }, - { 0, NULL, 0 } -}; - -static DH * -tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) -{ - struct dhplist *p = NULL; - BIO *b = NULL; - DH *dh = NULL; - int i; - - /* Do we have params of this length already? */ - LDAP_MUTEX_LOCK( &tlso_dh_mutex ); - for ( p = tlso_dhparams; p; p=p->next ) { - if ( p->keylength == key_length ) { - LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); - return p->param; - } - } - - /* No - check for hardcoded params */ - - for (i=0; tlso_dhpem[i].keylength; i++) { - if ( tlso_dhpem[i].keylength == key_length ) { - b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size ); - break; - } - } - - if ( b ) { - dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL ); - BIO_free( b ); - } - - /* Generating on the fly is expensive/slow... */ - if ( !dh ) { - dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL ); - } - if ( dh ) { - p = LDAP_MALLOC( sizeof(struct dhplist) ); - if ( p != NULL ) { - p->keylength = key_length; - p->param = dh; - p->next = tlso_dhparams; - tlso_dhparams = p; - } - } - - LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); - return dh; -} tls_impl ldap_int_tls_impl = { "OpenSSL", --- openldap-2.4.44/libraries/libldap/tls_g.c.orig 2016-02-05 17:57:45.000000000 -0600 +++ openldap-2.4.44/libraries/libldap/tls_g.c 2016-02-10 13:51:02.955752150 -0600 @@ -44,8 +44,6 @@ #include <gnutls/gnutls.h> #include <gnutls/x509.h> -#define DH_BITS (1024) - typedef struct tlsg_ctx { struct ldapoptions *lo; gnutls_certificate_credentials_t cred; @@ -181,6 +179,8 @@ return; gnutls_priority_deinit( c->prios ); gnutls_certificate_free_credentials( c->cred ); + if ( c->dh_params ) + gnutls_dh_params_deinit( c->dh_params ); ber_memfree ( c ); } @@ -291,12 +291,6 @@ return -1; } - if ( lo->ldo_tls_dhfile ) { - Debug( LDAP_DEBUG_ANY, - "TLS: warning: ignoring dhfile\n", - NULL, NULL, NULL ); - } - if ( lo->ldo_tls_crlfile ) { rc = gnutls_certificate_set_x509_crl_file( ctx->cred, @@ -306,15 +300,23 @@ rc = 0; } - /* FIXME: ITS#5992 - this should go be configurable, + /* FIXME: ITS#5992 - this should be configurable, * and V1 CA certs should be phased out ASAP. */ gnutls_certificate_set_verify_flags( ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ); - if ( is_server ) { - gnutls_dh_params_init(&ctx->dh_params); - gnutls_dh_params_generate2(ctx->dh_params, DH_BITS); + if ( is_server && lo->ldo_tls_dhfile ) { + gnutls_datum_t buf; + rc = tlsg_getfile( lo->ldo_tls_dhfile, &buf ); + if ( rc ) return -1; + rc = gnutls_dh_params_init( &ctx->dh_params ); + if ( rc == 0 ) + rc = gnutls_dh_params_import_pkcs3( ctx->dh_params, &buf, + GNUTLS_X509_FMT_PEM ); + LDAP_FREE( buf.data ); + if ( rc ) return -1; + gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params ); } return 0; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Contact
Support
@OBShq
The Open Build Service is an
openSUSE project
.
Log In
Places
Places
All Projects
Status Monitor