libmicrohttpd

Re: [libmicrohttpd] [PATCH] New option: MHD_OPTION_HTTPS_MEM_DHPARAMS


From: Hani Benhabiles
Subject: Re: [libmicrohttpd] [PATCH] New option: MHD_OPTION_HTTPS_MEM_DHPARAMS
Date: Thu, 3 Apr 2014 23:27:45 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Hi Christian,

(Please CC me on further replies, as I am not subscribed to this specific
mailing-list.)

> Dear Hani,
> 
> First of all, thanks for the patch.
> 
> In principle, this is of course a reasonable idea, but the (1) unchecked
> and (2) leaking 'malloc' in the patch will need to be fixed before I'll take
> it. I would suggest simply adding the dhparms / 'gnutls_dh_params_t' to
> 'struct MHD_Daemon' so that we don't need a separate allocation/deallocation.
> 

Oh, I missed the leak part. For some reason I thought
gnutls_certificate_free_credentials() took care of it while writing this patch.

> Also, the TexInfo documentation and ChangeLog need to be updated. Naturally,
> I can do those changes myself, but it'll likely take me a few more days to
> find the time, so I wanted to let you know what the status is.  If you fix
> those minor issues, I (or some other committer) might of course be able to
> commit the changes before then.
> 

Please find below an updated patch.

And by the way, any rough estimate about the next stable release's date?

---
 ChangeLog                 |  4 ++++
 doc/libmicrohttpd.texi    | 10 ++++++++++
 src/include/microhttpd.h  |  9 ++++++++-
 src/microhttpd/daemon.c   | 32 ++++++++++++++++++++++++++++++++
 src/microhttpd/internal.h |  5 +++++
 5 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 4b0049d..e934873 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Thu Apr 03 22:52:04 CET 2014
+       Added MHD_OPTION_HTTPS_MEM_DHPARAMS to allow users to set Diffie-Hellman
+       parameters to use in TLS handshakes. -Hani Benhabiles
+
 Tue Apr 01 07:10:23 CET 2014
        Added usage of native mutex on W32. -EG
 
diff --git a/doc/libmicrohttpd.texi b/doc/libmicrohttpd.texi
index f670a83..a618750 100644
--- a/doc/libmicrohttpd.texi
+++ b/doc/libmicrohttpd.texi
@@ -700,6 +700,16 @@ are acceptable for the application.  The string is passed
 unchanged to gnutls_priority_init.  If this option is not
 specified, ``NORMAL'' is used.
 
address@hidden MHD_OPTION_HTTPS_MEM_DHPARAMS
address@hidden SSL
address@hidden TLS
+Memory pointer to the Diffie-Hellman parameters to be used
+by the HTTPS daemon to support ciphersuites using (EC)DHE
+for key exchange.
+This option should be followed by an "const char*" argument.
+Without this, the presence of values like DHE-RSA in the
+priority string will be ignored by the GnuTLS library.
+
 @item MHD_OPTION_HTTPS_CERT_CALLBACK
 @cindex SSL
 @cindex TLS
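Review bot: The new @item overstates what these parameters do: PKCS#3 DH parameters are only consulted for DHE suites, while ECDHE suites negotiate a curve and never use them, so "ciphersuites using (EC)DHE" should read "ciphersuites using DHE" (the later sentence about DHE-RSA being ignored is the accurate one). Two wording fixes as well: "an "const char*" argument" should be "a", and because daemon.c measures the buffer with strlen, the text should say the PEM data must be a NUL-terminated string, in the same way the MEM_CERT/MEM_KEY options are described.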
diff --git a/src/include/microhttpd.h b/src/include/microhttpd.h
index c6e2505..bccfae2 100644
--- a/src/include/microhttpd.h
+++ b/src/include/microhttpd.h
@@ -837,7 +837,14 @@ enum MHD_OPTION
    * resources for the SYN packet along with its DATA.  This option should be
    * followed by an `unsigned int` argument.
    */
-  MHD_OPTION_TCP_FASTOPEN_QUEUE_SIZE = 23
+  MHD_OPTION_TCP_FASTOPEN_QUEUE_SIZE = 23,
+
+  /**
+   * Memory pointer for the Diffie-Hellman parameters (dh.pem) to be used by 
the
+   * HTTPS daemon for key exchange.
+   * This option should be followed by a `const char *` argument.
+   */
+  MHD_OPTION_HTTPS_MEM_DHPARAMS = 24,
 
 };
 
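Review bot: The comment "Diffie-Hellman parameters (dh.pem)" reads as if a file name were expected, but the argument is a pointer to the PEM text in memory (like MHD_OPTION_HTTPS_MEM_CERT) and daemon.c sizes it with strlen, so say "PKCS#3 PEM-encoded DH parameters held in memory as a NUL-terminated string". Minor: the `, 24` line leaves a trailing comma before `};` that the enum did not have before; drop it if the project keeps strict C89 compatibility.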
diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
index cd6a0bd..8ad01ab 100644
--- a/src/microhttpd/daemon.c
+++ b/src/microhttpd/daemon.c
@@ -520,6 +520,25 @@ MHD_init_daemon_certificate (struct MHD_Daemon *daemon)
        }
     }
 
+  if (NULL != daemon->https_mem_dhparams)
+    {
+      gnutls_dh_params_t dhparams;
+      if (NULL == (dhparams = malloc (sizeof (gnutls_dh_params_t))))
+        return -1;
+
+      cert.data = (unsigned char *) daemon->https_mem_dhparams;
+      cert.size = strlen (daemon->https_mem_dhparams);
+      if (gnutls_dh_params_import_pkcs3 (dhparams, &cert,
+                                        GNUTLS_X509_FMT_PEM) < 0)
+       {
+#if HAVE_MESSAGES
+         MHD_DLOG(daemon, "Bad Diffie-Hellman parameters format\n");
+#endif
+         return -1;
+       }
+      gnutls_certificate_set_dh_params (daemon->x509_cred, dhparams);
+      daemon->dh_params = dhparams;
+    }
   /* certificate & key loaded from memory */
   if ( (NULL != daemon->https_mem_cert) &&
        (NULL != daemon->https_mem_key) )
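Review bot: The allocation is now checked but is still the wrong operation: `gnutls_dh_params_t` is an opaque handle (a pointer to a GnuTLS-internal struct), so `malloc (sizeof (gnutls_dh_params_t))` reserves room for one pointer and `gnutls_dh_params_import_pkcs3` is then handed an uninitialized handle. Replace the malloc with `if (0 != gnutls_dh_params_init (&dhparams)) return -1;` and, on the failed-import path, call `gnutls_dh_params_deinit (dhparams)` before `return -1`, otherwise the leak the first review pointed out is still there. Reusing the `cert` datum for the DH blob works since it is a `gnutls_datum_t`, but a one-line comment saying so would help the next reader, and `cert.size = strlen (...)` is why the option must be documented as requiring a NUL-terminated string.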
@@ -2965,6 +2984,16 @@ parse_options_va (struct MHD_Daemon *daemon,
                      opt);
 #endif
           break;
+        case MHD_OPTION_HTTPS_MEM_DHPARAMS:
+         if (0 != (daemon->options & MHD_USE_SSL))
+           daemon->https_mem_dhparams = va_arg (ap, const char *);
+#if HAVE_MESSAGES
+         else
+           MHD_DLOG (daemon,
+                     "MHD HTTPS option %d passed to MHD but MHD_USE_SSL not 
set\n",
+                     opt);
+#endif
+          break;
        case MHD_OPTION_HTTPS_CRED_TYPE:
          daemon->cred_type = (gnutls_credentials_type_t) va_arg (ap, int);
          break;
@@ -3087,6 +3116,7 @@ parse_options_va (struct MHD_Daemon *daemon,
                case MHD_OPTION_HTTPS_MEM_CERT:
                case MHD_OPTION_HTTPS_MEM_TRUST:
                case MHD_OPTION_HTTPS_PRIORITIES:
+               case MHD_OPTION_HTTPS_MEM_DHPARAMS:
                case MHD_OPTION_ARRAY:
                 case MHD_OPTION_HTTPS_CERT_CALLBACK:
                  if (MHD_YES != parse_options (daemon,
@@ -4135,6 +4165,8 @@ MHD_stop_daemon (struct MHD_Daemon *daemon)
       gnutls_priority_deinit (daemon->priority_cache);
       if (daemon->x509_cred)
         gnutls_certificate_free_credentials (daemon->x509_cred);
+      if (daemon->dh_params)
+        gnutls_dh_params_deinit (daemon->dh_params);
     }
 #endif
 #if EPOLL_SUPPORT
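Review bot: The ordering here is right, since `gnutls_certificate_set_dh_params` keeps a reference to the parameters rather than copying them, so they must outlive `x509_cred` and be released after `gnutls_certificate_free_credentials`. However `gnutls_dh_params_deinit` expects a handle obtained from `gnutls_dh_params_init`; with the current init hunk `dh_params` holds a malloc'd block, so this call is undefined until that is fixed (and the malloc'd block itself would still leak).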
diff --git a/src/microhttpd/internal.h b/src/microhttpd/internal.h
index 57c1aeb..3cdb24f 100644
--- a/src/microhttpd/internal.h
+++ b/src/microhttpd/internal.h
@@ -1194,6 +1194,11 @@ struct MHD_Daemon
   const char *https_mem_trust;
 
   /**
+   * Pointer to our Diffie-Hellman parameters in memory.
+   */
+  const char *https_mem_dhparams;
+
+  /**
    * For how many connections do we have 'tls_read_ready' set to MHD_YES?
    * Used to avoid O(n) traversal over all connections when determining
    * event-loop timeout (as it needs to be zero if there is any connection
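Review bot: The daemon.c hunks assign `daemon->dh_params` and `MHD_stop_daemon` reads it, but this hunk only adds `https_mem_dhparams`; no `dh_params` member is declared anywhere in the patch, so it will not compile. Add a `gnutls_dh_params_t dh_params;` member to `struct MHD_Daemon`, next to `x509_cred` and under the same conditional that guards it, which is also what the earlier review asked for in place of a separate allocation.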
-- 
1.8.3.2
