LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3280 Commits
1 Branch
46 MiB
 
 
 
 
 
 
Tree: 95f5cf9c04
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '95f5cf9c04'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-tun...

98 lines
3.3 KiB
Raw Blame History

From 5d769ca828fdb055052b3dbc232864bdf2853c9f Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne@aquaray.fr>
Date: Thu, 28 May 2015 16:23:00 +0200
Subject: [PATCH 12/14] BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value
being overwritten
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Hervé Commowick reported that the logic used to avoid complaining about
ssl-default-dh-param not being set when static DH params are present
in the certificate file was clearly wrong when more than one sni_ctx
is used.
This patch stores whether static DH params are being used for each
SSL_CTX individually, and does not overwrite the value of
tune.ssl.default-dh-param.
(cherry picked from commit 4f902b88323927c9d25d391a809e3678ac31df41)
---
src/ssl_sock.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index a78fc6a..0f7819b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -47,6 +47,9 @@
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
#include <openssl/ocsp.h>
#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
#include <common/buffer.h>
#include <common/compat.h>
@@ -107,6 +110,7 @@ int sslconns = 0;
int totalsslconns = 0;
#ifndef OPENSSL_NO_DH
+static int ssl_dh_ptr_index = -1;
static DH *local_dh_1024 = NULL;
static DH *local_dh_2048 = NULL;
static DH *local_dh_4096 = NULL;
@@ -1076,10 +1080,12 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
if (dh) {
ret = 1;
SSL_CTX_set_tmp_dh(ctx, dh);
- /* Setting ssl default dh param to the size of the static DH params
- found in the file. This way we know that there is no use
- complaining later about ssl-default-dh-param not being set. */
- global.tune.ssl_default_dh_param = DH_size(dh) * 8;
+
+ if (ssl_dh_ptr_index >= 0) {
+ /* store a pointer to the DH params to avoid complaining about
+ ssl-default-dh-param not being set for this SSL_CTX */
+ SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, dh);
+ }
}
else {
/* Clear openssl global errors stack */
@@ -1274,6 +1280,12 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
* the tree, so it will be discovered and cleaned in time.
*/
#ifndef OPENSSL_NO_DH
+ /* store a NULL pointer to indicate we have not yet loaded
+ a custom DH param file */
+ if (ssl_dh_ptr_index >= 0) {
+ SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
+ }
+
ret = ssl_sock_load_dh_params(ctx, path);
if (ret < 0) {
if (err)
@@ -1593,7 +1605,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
/* If tune.ssl.default-dh-param has not been set and
no static DH params were in the certificate file. */
- if (global.tune.ssl_default_dh_param == 0) {
+ if (global.tune.ssl_default_dh_param == 0 &&
+ (ssl_dh_ptr_index == -1 ||
+ SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
ciphers = ctx->cipher_list;
if (ciphers) {
@@ -4715,6 +4729,10 @@ static void __ssl_sock_init(void)
bind_register_keywords(&bind_kws);
srv_register_keywords(&srv_kws);
cfg_register_keywords(&cfg_kws);
+
+#ifndef OPENSSL_NO_DH
+ ssl_dh_ptr_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+#endif
}
__attribute__((destructor))
--
2.0.5