mirror of
https://github.com/NLnetLabs/unbound.git
synced 2025-12-20 23:00:56 -05:00
- Fix#663: ssl handshake fails when using unix socket because dh size
is too small. git-svn-id: file:///svn/unbound/trunk@3396 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards
parent
55412b2645
commit
69d2fd7818
2 changed files with 35 additions and 22 deletions
|
|
@ -140,32 +140,43 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The following function was generated using the openssl utility, using
|
* The following function was generated using the openssl utility, using
|
||||||
* the command : "openssl dhparam -dsaparam -C 512"
|
* the command : "openssl dhparam -dsaparam -C 1024"
|
||||||
|
* (some openssl versions reject DH that is 'too small', eg. 512).
|
||||||
*/
|
*/
|
||||||
#ifndef S_SPLINT_S
|
#ifndef S_SPLINT_S
|
||||||
DH *get_dh512()
|
DH *get_dh1024()
|
||||||
{
|
{
|
||||||
static unsigned char dh512_p[]={
|
static unsigned char dh1024_p[]={
|
||||||
0xC9,0xD7,0x05,0xDA,0x5F,0xAB,0x14,0xE8,0x11,0x56,0x77,0x85,
|
0xB3,0x67,0x2E,0x3B,0x68,0xC5,0xDA,0x58,0x46,0xD6,0x2B,0xD3,
|
||||||
0xB1,0x24,0x2C,0x95,0x60,0xEA,0xE2,0x10,0x6F,0x0F,0x84,0xEC,
|
0x41,0x78,0x97,0xE4,0xE1,0x61,0x71,0x68,0xE6,0x0F,0x1D,0x78,
|
||||||
0xF4,0x45,0xE8,0x90,0x7A,0xA7,0x03,0xFF,0x5B,0x88,0x53,0xDE,
|
0x05,0xAA,0xF0,0xFF,0x30,0xDF,0xAC,0x49,0x7F,0xE0,0x90,0xFE,
|
||||||
0xC4,0xDE,0xBC,0x42,0x78,0x71,0x23,0x7E,0x24,0xA5,0x5E,0x4E,
|
0xB9,0x56,0x4E,0x3F,0xE2,0x98,0x8A,0xED,0xF5,0x28,0x39,0xEF,
|
||||||
0xEF,0x6F,0xFF,0x5F,0xAF,0xBE,0x8A,0x77,0x62,0xB4,0x65,0x82,
|
0x2E,0xA6,0xB7,0x67,0xB2,0x43,0xE4,0x53,0xF8,0xEB,0x2C,0x1F,
|
||||||
0x7E,0xC9,0xED,0x2F,
|
0x06,0x77,0x3A,0x6F,0x62,0x98,0xC1,0x3B,0xF7,0xBA,0x4D,0x93,
|
||||||
|
0xF7,0xEB,0x5A,0xAD,0xC5,0x5F,0xF0,0xB7,0x24,0x35,0x81,0xF7,
|
||||||
|
0x7F,0x1F,0x24,0xC0,0xDF,0xD3,0xD8,0x40,0x72,0x7E,0xF3,0x19,
|
||||||
|
0x2B,0x26,0x27,0xF4,0xB6,0xB3,0xD4,0x7D,0x08,0x23,0xBE,0x68,
|
||||||
|
0x2B,0xCA,0xB4,0x46,0xA8,0x9E,0xDD,0x6C,0x3D,0x75,0xA6,0x48,
|
||||||
|
0xF7,0x44,0x43,0xBF,0x91,0xC2,0xB4,0x49,
|
||||||
};
|
};
|
||||||
static unsigned char dh512_g[]={
|
static unsigned char dh1024_g[]={
|
||||||
0x8D,0x3A,0x52,0xBC,0x8A,0x71,0x94,0x33,0x2F,0xE1,0xE8,0x4C,
|
0x5F,0x37,0xB5,0x80,0x4D,0xB4,0xC4,0xB2,0x37,0x12,0xD5,0x2F,
|
||||||
0x73,0x47,0x03,0x4E,0x7D,0x40,0xE5,0x84,0xA0,0xB5,0x6D,0x10,
|
0x56,0x81,0xB0,0xDF,0x3D,0x27,0xA2,0x54,0xE7,0x14,0x65,0x2D,
|
||||||
0x6F,0x90,0x43,0x05,0x1A,0xF9,0x0B,0x6A,0xD1,0x2A,0x9C,0x25,
|
0x72,0xA8,0x97,0xE0,0xA9,0x4A,0x09,0x5E,0x89,0xBE,0x34,0x9A,
|
||||||
0x0A,0xB9,0xD1,0x14,0xDC,0x35,0x1C,0x48,0x7C,0xC6,0x0C,0x6D,
|
0x90,0x98,0xC1,0xE8,0xBB,0x01,0x2B,0xC2,0x74,0x74,0x90,0x59,
|
||||||
0x32,0x1D,0xD3,0xC8,0x10,0xA8,0x82,0x14,0xA2,0x1C,0xF4,0x53,
|
0x0B,0x72,0x62,0x5C,0xFD,0x49,0x63,0x4B,0x38,0x91,0xF1,0x7F,
|
||||||
0x23,0x3B,0x1C,0xB9,
|
0x13,0x25,0xEB,0x52,0x50,0x47,0xA2,0x8C,0x32,0x28,0x42,0xAC,
|
||||||
|
0xBD,0x7A,0xCC,0x58,0xBE,0x36,0xDA,0x6A,0x24,0x06,0xC7,0xF1,
|
||||||
|
0xDA,0x8D,0x8A,0x3B,0x03,0xFA,0x6F,0x25,0xE5,0x20,0xA7,0xD6,
|
||||||
|
0x6F,0x74,0x61,0x53,0x14,0x81,0x29,0x04,0xB5,0x61,0x12,0x53,
|
||||||
|
0xA3,0xD6,0x09,0x98,0x0C,0x8F,0x1C,0xBB,0xD7,0x1C,0x2C,0xEE,
|
||||||
|
0x56,0x4B,0x74,0x8F,0x4A,0xF8,0xA9,0xD5,
|
||||||
};
|
};
|
||||||
DH *dh;
|
DH *dh;
|
||||||
|
|
||||||
if ((dh=DH_new()) == NULL) return(NULL);
|
if ((dh=DH_new()) == NULL) return(NULL);
|
||||||
dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
|
dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
|
||||||
dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
|
dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
|
||||||
if ((dh->p == NULL) || (dh->g == NULL))
|
if ((dh->p == NULL) || (dh->g == NULL))
|
||||||
{ DH_free(dh); return(NULL); }
|
{ DH_free(dh); return(NULL); }
|
||||||
dh->length = 160;
|
dh->length = 160;
|
||||||
|
|
@ -218,7 +229,7 @@ daemon_remote_create(struct config_file* cfg)
|
||||||
/* Since we have no certificates and hence no source of
|
/* Since we have no certificates and hence no source of
|
||||||
* DH params, let's generate and set them
|
* DH params, let's generate and set them
|
||||||
*/
|
*/
|
||||||
if(!SSL_CTX_set_tmp_dh(rc->ctx,get_dh512())) {
|
if(!SSL_CTX_set_tmp_dh(rc->ctx,get_dh1024())) {
|
||||||
log_crypto_err("Wanted to set DH param, but failed");
|
log_crypto_err("Wanted to set DH param, but failed");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,8 @@
|
||||||
used to turn it on. It ratelimits recursion effort per zone.
|
used to turn it on. It ratelimits recursion effort per zone.
|
||||||
For particular names you can configure exceptions in unbound.conf.
|
For particular names you can configure exceptions in unbound.conf.
|
||||||
- Fix that get_option for cache-sizes does not print double newline.
|
- Fix that get_option for cache-sizes does not print double newline.
|
||||||
|
- Fix#663: ssl handshake fails when using unix socket because dh size
|
||||||
|
is too small.
|
||||||
|
|
||||||
8 April 2015: Wouter
|
8 April 2015: Wouter
|
||||||
- Fix crash in dnstap: Do not try to log TCP responses after timeout.
|
- Fix crash in dnstap: Do not try to log TCP responses after timeout.
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue