dovecot-2.2: ssl-params: Don't fail completely if 512 bit DH par...
dovecot at dovecot.org
dovecot at dovecot.org
Sat Nov 2 15:30:55 EET 2013
details: http://hg.dovecot.org/dovecot-2.2/rev/c472e0454ee3
changeset: 16913:c472e0454ee3
user: Timo Sirainen <tss at iki.fi>
date: Sat Nov 02 15:30:47 2013 +0200
description:
ssl-params: Don't fail completely if 512 bit DH parameters generation fails.
diffstat:
src/ssl-params/ssl-params-openssl.c | 17 ++++++++++-------
1 files changed, 10 insertions(+), 7 deletions(-)
diffs (45 lines):
diff -r 43ab5abeb8f0 -r c472e0454ee3 src/ssl-params/ssl-params-openssl.c
--- a/src/ssl-params/ssl-params-openssl.c Sat Nov 02 15:27:28 2013 +0200
+++ b/src/ssl-params/ssl-params-openssl.c Sat Nov 02 15:30:47 2013 +0200
@@ -29,16 +29,14 @@
return buf;
}
-static void generate_dh_parameters(int bitsize, int fd, const char *fname)
+static bool generate_dh_parameters(int bitsize, int fd, const char *fname)
{
DH *dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
unsigned char *buf, *p;
int len;
- if (dh == NULL) {
- i_fatal("DH_generate_parameters(bits=%d, gen=%d) failed: %s",
- bitsize, DH_GENERATOR, ssl_last_error());
- }
+ if (dh == NULL)
+ return FALSE;
len = i2d_DHparams(dh, NULL);
if (len < 0)
@@ -52,14 +50,19 @@
write_full(fd, buf, len) < 0)
i_fatal("write_full() failed for file %s: %m", fname);
i_free(buf);
+ return TRUE;
}
void ssl_generate_parameters(int fd, unsigned int dh_length, const char *fname)
{
int bits;
- generate_dh_parameters(512, fd, fname);
- generate_dh_parameters(dh_length, fd, fname);
+ /* this fails in FIPS mode */
+ (void)generate_dh_parameters(512, fd, fname);
+ if (!generate_dh_parameters(dh_length, fd, fname)) {
+ i_fatal("DH_generate_parameters(bits=%d, gen=%d) failed: %s",
+ dh_length, DH_GENERATOR, ssl_last_error());
+ }
bits = 0;
if (write_full(fd, &bits, sizeof(bits)) < 0)
i_fatal("write_full() failed for file %s: %m", fname);
More information about the dovecot-cvs
mailing list