Commit 74151247 authored by Guillaume Roguez's avatar Guillaume Roguez Committed by Alexandre Lision

security: fix crashes during DH generation

When DH parameters are generated an error can occures
and an empty (default constructed) DH params instance
is returned.
This causes a crashes into ring account code that not
handles such case.

This patch fixes this issue by adding operator bool()
method to DH params and checking if not false when
trying to save them.

Note: If no DH params are generated, the empty instance
is given up to the TlsSession object.
Check if your cipher suite could handle empty DH params!

Change-Id: I98c9c0317f4b8cb107ea0bca5f94b69321cbba76
Tuleap: #792
parent 90eea3b4
......@@ -1241,14 +1241,16 @@ RingAccount::loadDhParams(const std::string path)
return {fileutils::loadFile(path)};
} catch (const std::exception& e) {
RING_WARN("Failed to load DhParams file '%s': %s", path.c_str(), e.what());
auto params = tls::DhParams::generate();
try {
fileutils::saveFile(path, params.serialize(), 0600);
RING_DBG("Saved DhParams to file '%s'", path.c_str());
} catch (const std::exception& ex) {
RING_WARN("Failed to save DhParams in file '%s': %s", path.c_str(), ex.what());
if (auto params = tls::DhParams::generate()) {
try {
fileutils::saveFile(path, params.serialize(), 0600);
RING_DBG("Saved DhParams to file '%s'", path.c_str());
} catch (const std::exception& ex) {
RING_WARN("Failed to save DhParams in file '%s': %s", path.c_str(), ex.what());
}
return params;
}
return params;
return {};
}
}
......
......@@ -71,6 +71,10 @@ DhParams::DhParams(const std::vector<uint8_t>& data)
std::vector<uint8_t>
DhParams::serialize() const
{
if (!params_) {
RING_WARN("serialize() called on an empty DhParams");
return {};
}
gnutls_datum_t out;
if (gnutls_dh_params_export2_pkcs3(params_.get(), GNUTLS_X509_FMT_PEM, &out))
return {};
......@@ -779,6 +783,7 @@ DhParams
DhParams::generate()
{
using clock = std::chrono::high_resolution_clock;
return {};
auto bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, /* GNUTLS_SEC_PARAM_HIGH */ GNUTLS_SEC_PARAM_HIGH);
RING_DBG("Generating DH params with %u bits", bits);
......
......@@ -78,6 +78,10 @@ public:
return params_.get();
}
explicit inline operator bool() const {
return bool(params_);
}
/** Serialize data in PEM format */
std::vector<uint8_t> serialize() const;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment