ITS#7506 tls_g.c: Properly support DHParamFile.

If a DHParamFile or olcDHParamFile is specified then it will be loaded. This
allows use of DHE/EDH cipher suites which was previously impossible with
GnuTLS.

libraries/libldap/tls_g.c

@@ -45,8 +45,6 @@
 #include <gnutls/x509.h>
 #include <gcrypt.h>
 
-#define DH_BITS	(1024)
-
 #if LIBGNUTLS_VERSION_NUMBER >= 0x020200
 #define	HAVE_CIPHERSUITES	1
 /* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x
@@ -277,6 +275,8 @@ tlsg_ctx_free ( tls_ctx *ctx )
 	LDAP_FREE( c->kx_list );
 #endif
 	gnutls_certificate_free_credentials( c->cred );
+	if ( c->dh_params )
+		gnutls_dh_params_deinit( c->dh_params );
 	ber_memfree ( c );
 }
 
@@ -397,12 +397,6 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 		return -1;
 	}
 
-	if ( lo->ldo_tls_dhfile ) {
-		Debug( LDAP_DEBUG_ANY, 
-		       "TLS: warning: ignoring dhfile\n", 
-		       NULL, NULL, NULL );
-	}
-
 	if ( lo->ldo_tls_crlfile ) {
 		rc = gnutls_certificate_set_x509_crl_file( 
 			ctx->cred,
@@ -418,9 +412,20 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 	gnutls_certificate_set_verify_flags( ctx->cred,
 		GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
 
-	if ( is_server ) {
-		gnutls_dh_params_init(&ctx->dh_params);
-		gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
+	if ( is_server && lo->ldo_tls_dhfile ) {
+		gnutls_datum_t buf;
+		rc = tlsg_getfile( lo->ldo_tls_dhfile, &buf );
+		if ( rc ) return -1;
+		rc = gnutls_dh_params_init(&ctx->dh_params);
+		if ( rc ) {
+			LDAP_FREE( buf.data );
+			return -1;
+		}
+		rc = gnutls_dh_params_import_pkcs3( ctx->dh_params, &buf,
+			GNUTLS_X509_FMT_PEM );
+		LDAP_FREE( buf.data );
+		if ( rc ) return -1;
+		gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params );
 	}
 	return 0;
 }