diff options
| author | David Timber <dxdt@dev.snart.me> | 2022-11-05 19:34:07 +0800 |
|---|---|---|
| committer | David Timber <dxdt@dev.snart.me> | 2022-11-05 19:34:07 +0800 |
| commit | 5fd13be001b654fda70a8f6d919a84fcd8f31d4d (patch) | |
| tree | 8a6d5eded194f2b8e5fa4a7929e2f81a46b0d7e9 | |
| parent | 1fb630b7df7d65c436f7486266671f9eb942067c (diff) | |
Do not load empty DH param data ...
- Let the library set up forward secrecy if not used
| -rw-r--r-- | src/proone-htbthost.c | 6 | ||||
| -rw-r--r-- | src/proone.c | 14 |
2 files changed, 12 insertions, 8 deletions
diff --git a/src/proone-htbthost.c b/src/proone-htbthost.c index 50604f0..e89acab 100644 --- a/src/proone-htbthost.c +++ b/src/proone-htbthost.c @@ -203,9 +203,11 @@ static void load_ssl_conf ( MBEDTLS_SSL_PRESET_DEFAULT) == 0 && mbedtls_x509_crt_parse(s_crt, S_CRT, sizeof(S_CRT)) == 0 && mbedtls_pk_parse_key(s_key, S_KEY, sizeof(S_KEY), NULL, 0) == 0 && - mbedtls_dhm_parse_dhm(dhm, DH, sizeof(DH)) == 0 && + (sizeof(DH) > 0 ? + mbedtls_dhm_parse_dhm(dhm, DH, sizeof(DH)) : 0) == 0 && mbedtls_ssl_conf_own_cert(s_conf, s_crt, s_key) == 0 && - mbedtls_ssl_conf_dh_param_ctx(s_conf, dhm) == 0); + (sizeof(DH) > 0 ? + mbedtls_ssl_conf_dh_param_ctx(s_conf, dhm) : 0) == 0); mbedtls_ssl_conf_ca_chain(s_conf, ca, NULL); mbedtls_ssl_conf_verify(s_conf, prne_mbedtls_x509_crt_verify_cb, NULL); mbedtls_ssl_conf_rng(s_conf, mbedtls_ctr_drbg_random, rnd); diff --git a/src/proone.c b/src/proone.c index 843d75a..6805e0b 100644 --- a/src/proone.c +++ b/src/proone.c @@ -876,17 +876,19 @@ static void load_ssl_conf (void) { 0); BREAKIF_ERR("mbedtls_pk_parse_key"); data = prne_dvault_get_bin(PRNE_DATA_KEY_X509_DH, &dvlen); - mret = mbedtls_dhm_parse_dhm(&prne_g.s_ssl.dhm, data, dvlen); - BREAKIF_ERR("mbedtls_dhm_parse_dhm"); + if (dvlen > 0) { + mret = mbedtls_dhm_parse_dhm(&prne_g.s_ssl.dhm, data, dvlen); + BREAKIF_ERR("mbedtls_dhm_parse_dhm"); + mret = mbedtls_ssl_conf_dh_param_ctx( + &prne_g.s_ssl.conf, + &prne_g.s_ssl.dhm); + BREAKIF_ERR("mbedtls_ssl_conf_dh_param_ctx"); + } mret = mbedtls_ssl_conf_own_cert( &prne_g.s_ssl.conf, &prne_g.s_ssl.crt, &prne_g.s_ssl.pk); BREAKIF_ERR("mbedtls_ssl_conf_own_cert"); - mret = mbedtls_ssl_conf_dh_param_ctx( - &prne_g.s_ssl.conf, - &prne_g.s_ssl.dhm); - BREAKIF_ERR("mbedtls_ssl_conf_dh_param_ctx"); mret = mbedtls_ssl_conf_alpn_protocols( &prne_g.s_ssl.conf, ALP_LIST); |