Changeset 578:7c9a00bfd115 in freeDiameter
- Timestamp:
- Oct 27, 2010, 10:52:30 AM (14 years ago)
- Branch:
- default
- Phase:
- public
- Files:
-
- 5 edited
doc/freediameter.conf.sample
r513 r578 120 120 # Default : 1024 121 121 #TLS_DH_Bits = 1024; 122 123 # Alternatively, you can specify a file to load the PKCS#3 encoded 124 # DH parameters directly from. This accelerates the daemon start 125 # but is slightly less secure. If this file is provided, the 126 # TLS_DH_Bits parameters has no effect. 127 # Default : no default. 128 #TLS_DH_File = "<file.PEM>"; 122 129 123 130 -
freeDiameter/config.c
r542 r578 134 134 fd_log_debug(" - CRL .......... : %s\n", fd_g_config->cnf_sec_data.crl_file ?: "(none)"); 135 135 fd_log_debug(" - Priority ..... : %s\n", fd_g_config->cnf_sec_data.prio_string ?: "(default: '" GNUTLS_DEFAULT_PRIORITY "')"); 136 fd_log_debug(" - DH bits ...... : %d\n", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); 136 if (fd_g_config->cnf_sec_data.dh_file) 137 fd_log_debug(" - DH file ...... : %s\n", fd_g_config->cnf_sec_data.dh_file); 138 else 139 fd_log_debug(" - DH bits ...... : %d\n", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); 137 140 138 141 fd_log_debug(" Origin-State-Id ........ : %u\n", fd_g_config->cnf_orstateid); … … 261 264 { TRACE_DEBUG(INFO, "Error in priority string at position : %s", err_pos); return EINVAL; } ); 262 265 } 263 if (! fd_g_config->cnf_sec_data.dh_bits) {264 TRACE_DEBUG(INFO, "Generating Diffie-Hellman parameters of size %d (this takes a few seconds)... ", GNUTLS_DEFAULT_DHBITS);265 CHECK_GNUTLS_DO( gnutls_dh_params_generate2(266 fd_g_config->cnf_sec_data.dh_cache,267 GNUTLS_DEFAULT_DHBITS),268 { TRACE_DEBUG(INFO, "Error in DH bits value : %d", GNUTLS_DEFAULT_DHBITS); return EINVAL; } );269 }270 271 266 272 267 /* Verify that our certificate is valid -- otherwise remote peers will reject it */ … … 403 398 /* gnutls_certificate_set_verify_limits -- so far the default values are fine... 
*/ 404 399 400 /* DH */ 401 if (fd_g_config->cnf_sec_data.dh_file) { 402 gnutls_datum_t dhparams = { NULL, 0 }; 403 size_t alloc = 0; 404 FILE *stream = fopen (fd_g_config->cnf_sec_data.dh_file, "rb"); 405 if (!stream) { 406 int err = errno; 407 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s\n", fd_g_config->cnf_sec_data.dh_file, strerror(err)); 408 return err; 409 } 410 do { 411 uint8_t * realloced = NULL; 412 size_t read = 0; 413 414 if (alloc < dhparams.size + BUFSIZ + 1) { 415 alloc += alloc / 2 + BUFSIZ + 1; 416 CHECK_MALLOC_DO( realloced = realloc(dhparams.data, alloc), 417 { 418 free(dhparams.data); 419 return ENOMEM; 420 } ) 421 dhparams.data = realloced; 422 } 423 424 read = fread( dhparams.data + dhparams.size, 1, alloc - dhparams.size - 1, stream ); 425 dhparams.size += read; 426 427 if (ferror(stream)) { 428 int err = errno; 429 TRACE_DEBUG(INFO, "An error occurred while reading '%s': %s\n", fd_g_config->cnf_sec_data.dh_file, strerror(err)); 430 return err; 431 } 432 } while (!feof(stream)); 433 dhparams.data[dhparams.size] = '\0'; 434 fclose(stream); 435 CHECK_GNUTLS_DO( gnutls_dh_params_import_pkcs3( 436 fd_g_config->cnf_sec_data.dh_cache, 437 &dhparams, 438 GNUTLS_X509_FMT_PEM), 439 { TRACE_DEBUG(INFO, "Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); 440 free(dhparams.data); 441 442 } else { 443 TRACE_DEBUG(INFO, "Generating fresh Diffie-Hellman parameters of size %d (this takes some time)... 
", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); 444 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( 445 fd_g_config->cnf_sec_data.dh_cache, 446 fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS), 447 { TRACE_DEBUG(INFO, "Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); 448 } 449 405 450 return 0; 406 451 } … … 422 467 free(fd_g_config->cnf_sec_data.crl_file); fd_g_config->cnf_sec_data.crl_file = NULL; 423 468 free(fd_g_config->cnf_sec_data.prio_string); fd_g_config->cnf_sec_data.prio_string = NULL; 469 free(fd_g_config->cnf_sec_data.dh_file); fd_g_config->cnf_sec_data.dh_file = NULL; 424 470 425 471 /* Destroy dictionary */ -
freeDiameter/fdd.l
r258 r578 137 137 (?i:"TLS_Prio") { return TLS_PRIO; } 138 138 (?i:"TLS_DH_bits") { return TLS_DH_BITS; } 139 (?i:"TLS_DH_file") { return TLS_DH_FILE; } 139 140 140 141 -
freeDiameter/fdd.y
r308 r578 118 118 %token TLS_PRIO 119 119 %token TLS_DH_BITS 120 %token TLS_DH_FILE 120 121 121 122 … … 582 583 { 583 584 conf->cnf_sec_data.dh_bits = $3; 584 TRACE_DEBUG(FULL, "Generating DH parameters..."); 585 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( 586 conf->cnf_sec_data.dh_cache, 587 conf->cnf_sec_data.dh_bits), 588 { yyerror (&yylloc, conf, "Error setting DH Bits parameters."); 589 YYERROR; } ); 590 TRACE_DEBUG(FULL, "DH parameters generated."); 591 } 592 ; 585 } 586 | TLS_DH_FILE '=' QSTRING ';' 587 { 588 FILE * fd; 589 free(conf->cnf_sec_data.dh_file); 590 conf->cnf_sec_data.dh_file = $3; 591 fd = fopen($3, "r"); 592 if (fd == NULL) { 593 int ret = errno; 594 TRACE_DEBUG(INFO, "Unable to open DH file %s for reading: %s\n", $3, strerror(ret)); 595 yyerror (&yylloc, conf, "Error on file name"); 596 YYERROR; 597 } 598 fclose(fd); 599 } 600 ; -
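Review bot: The fopen() on the new TLS_DH_FILE rule (new line 591) only probes that the path can be opened at parse time; the content is not validated here, and the file is opened again and parsed later in config.c, so a file that is readable now but unparsable or replaced before that second open is only reported at that later stage. That is acceptable for a startup-time configuration check, but the rule should say so and use the same mode as the real reader: `fd = fopen($3, "rb");  /* existence/readability probe only; parsed later in config.c */`. Also note that `$3` is stored into `conf->cnf_sec_data.dh_file` before the probe, so on YYERROR the string stays owned by conf and is released by the added `free(...dh_file)` in config.c rather than here, which is worth a one-line comment on line 590.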
include/freeDiameter/freeDiameter.h
r542 r578 112 112 char * prio_string; 113 113 unsigned int dh_bits; 114 char * dh_file; 114 115 115 116 /* GNUTLS parameters */