Allow setting DH parameters.

src/config.c

@@ -151,6 +151,7 @@ unsigned j;
 	READ_STRING("ocsp-response", config->cert, 0);
 	READ_STRING("server-cert", config->cert, 1);
 	READ_STRING("server-key", config->key, 1);
+	READ_STRING("dh-params", config->dh_params_file, 0);
 	READ_STRING("pin-file", config->pin_file, 0);
 	READ_STRING("srk-pin-file", config->srk_pin_file, 0);
 #ifdef ANYCONNECT_CLIENT_COMPAT
@@ -333,6 +334,7 @@ unsigned i;
 #endif
 	DEL(config->ocsp_response);
 	DEL(config->banner);
+	DEL(config->dh_params_file);
 	DEL(config->name);
 	DEL(config->cert);
 	DEL(config->key);

src/ocserv-args.c

@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (ocserv-args.c)
  *  
- *  It has been AutoGen-ed  March  5, 2013 at 10:09:33 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  March  7, 2013 at 09:19:14 AM by AutoGen 5.16
  *  From the definitions    ocserv-args.def
  *  and the template file   options
  *

src/ocserv-args.def

@@ -118,6 +118,10 @@ try-mtu-discovery = false
 server-cert = /path/to/cert.pem
 server-key = /path/to/key.pem
 
+# Diffie-Hellman parameters. Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
 # If you have a certificate from a CA that provides an OCSP
 # service you may provide a fresh OCSP status response within
 # the TLS handshake. That will prevent the client from connecting

src/ocserv-args.h

@@ -2,7 +2,7 @@
  *  
  *  DO NOT EDIT THIS FILE   (ocserv-args.h)
  *  
- *  It has been AutoGen-ed  March  5, 2013 at 10:09:33 PM by AutoGen 5.16
+ *  It has been AutoGen-ed  March  7, 2013 at 09:19:14 AM by AutoGen 5.16
  *  From the definitions    ocserv-args.def
  *  and the template file   options
  *

src/tlslib.c

@@ -362,7 +362,8 @@ unsigned usage;
 #endif
 		/* no URL */
 		ret = gnutls_load_file(s->config->cert, &data);
-		GNUTLS_FATAL_ERR(ret);
+		if (ret < 0)
+			return;
 		
 		ret = gnutls_x509_crt_init(&crt);
 		GNUTLS_FATAL_ERR(ret);
@@ -377,7 +378,9 @@ unsigned usage;
 		ret = gnutls_x509_crt_get_key_usage(crt, &usage, NULL);
 		if (ret >= 0) {
 			if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
-				mslog(s, NULL, LOG_WARNING, "server certificate does not support key encipherment; it may cause issues to connecting clients\n");
+				mslog(s, NULL, LOG_WARNING, "server certificate key usage prevents key encipherment; unable to support the RSA ciphersuites\n");
+				if (s->config->dh_params_file != NULL)
+					mslog(s, NULL, LOG_WARNING, "no DH-params file specified; server will be limited to ECDHE ciphersuites\n");
 			}
 		}
 #if GNUTLS_VERSION_NUMBER > 0x030100
@@ -390,6 +393,27 @@ cleanup:
 	return;
 }
 
+static void set_dh_params(main_server_st* s, gnutls_certificate_credentials_t cred)
+{
+gnutls_datum_t data;
+int ret;
+
+	if (s->config->dh_params_file != NULL) {
+		ret = gnutls_dh_params_init (&s->creds.dh_params);
+		GNUTLS_FATAL_ERR(ret);
+
+		ret = gnutls_load_file(s->config->dh_params_file, &data);
+		GNUTLS_FATAL_ERR(ret);
+
+		ret = gnutls_dh_params_import_pkcs3(s->creds.dh_params, &data, GNUTLS_X509_FMT_PEM);
+		GNUTLS_FATAL_ERR(ret);
+
+		gnutls_free(data.data);
+
+		gnutls_certificate_set_dh_params(cred, s->creds.dh_params);
+	}
+}
+
 /* reload key files etc. */
 void tls_global_init_certs(main_server_st* s)
 {
@@ -411,6 +435,8 @@ const char* perr;
 	if (ret < 0) {
 		exit(1);
 	}
+	
+	set_dh_params(s, s->creds.xcred);
 
 	gnutls_certificate_set_pin_function (s->creds.xcred, pin_callback, &s->creds);
 	

src/tlslib.h

@@ -56,6 +56,7 @@ void tls_fatal_close(gnutls_session_t session,
 struct tls_st {
 	gnutls_certificate_credentials_t xcred;
 	gnutls_priority_t cprio;
+	gnutls_dh_params_t dh_params;
 	char pin[MAX_PIN_SIZE];
 	char srk_pin[MAX_PIN_SIZE];
 };

src/vpn.h

@@ -64,6 +64,7 @@ struct cfg_st {
 	char *key;
 	char *ca;
 	char *crl;
+	char *dh_params_file;
 	char *cert_user_oid;	/* The OID that will be used to extract the username */
 	char *cert_group_oid;	/* The OID that will be used to extract the groupname */
 	unsigned int auth_types;	/* or'ed sequence of AUTH_TYPE */