Create DH parameters from OpenSSL at module init, avoiding (very

minor) race and leaks: * modules/ssl/ssl_engine_init.c (make_dh_params): Moved/rejigged variant of make_get_dh() macro. (init_dh_params, free_dh_params): New functions. (modssl_get_dh_params): Split out from ssl_callback_TmpDH. (ssl_init_Module, ssl_init_ModuleKill): Use new init_/free_. * modules/ssl/ssl_engine_kernel.c: Moved out DH parameter handling. (ssl_callback_TmpDH): Use modssl_get_dh_params. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1598107 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2014-05-28 19:14:28 +00:00
parent 6bf7e3d223
commit d3eac27e32
3 changed files with 76 additions and 49 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1310,47 +1310,6 @@ const authz_provider ssl_authz_provider_verify_client =
 **  _________________________________________________________________
 */

-/*
- * Grab well-defined DH parameters from OpenSSL, see <openssl/bn.h>
- * (get_rfc*) for all available primes.
- * Hand out the same DH structure though once generated as we leak
- * memory otherwise and freeing the structure up after use would be
- * hard to track and in fact is not needed at all as it is safe to
- * use the same parameters over and over again security wise (in
- * contrast to the keys itself) and code safe as the returned structure
- * is duplicated by OpenSSL anyway. Hence no modification happens
- * to our copy.
- */
-#define make_get_dh(rfc,size,gen) \
-static DH *get_dh##size(void) \
-{ \
-    static DH *dh = NULL; \
-    DH *dh_tmp; \
-\
-    if (dh) { \
-        return dh; \
-    } \
-    if (!(dh_tmp = DH_new())) { \
-        return NULL; \
-    } \
-    dh_tmp->p = get_##rfc##_prime_##size(NULL); \
-    BN_dec2bn(&dh_tmp->g, #gen); \
-    if (!dh_tmp->p || !dh_tmp->g) { \
-        DH_free(dh_tmp); \
-        return NULL; \
-    } \
-    dh = dh_tmp; \
-    return dh; \
-}
-
-/*
- * Prepare DH parameters from 1024 to 4096 bits, in 1024-bit increments
- */
-make_get_dh(rfc2409, 1024, 2)
-make_get_dh(rfc3526, 2048, 2)
-make_get_dh(rfc3526, 3072, 2)
-make_get_dh(rfc3526, 4096, 2)
-
 /*
 * Hand out standard DH parameters, based on the authentication strength
 */
@@ -1390,14 +1349,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
    ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
                  "handing out built-in DH parameters for %d-bit authenticated connection", keylen);

-    if (keylen >= 4096)
-        return get_dh4096();
-    else if (keylen >= 3072)
-        return get_dh3072();
-    else if (keylen >= 2048)
-        return get_dh2048();
-    else
-        return get_dh1024();
+    return modssl_get_dh_params(keylen);
 }

 /*