libopenflow_la_SOURCES += \
vconn-ssl.c \
dhparams.c
-dhparams.c: dh2048.pem dh4096.pem
+dhparams.c: dh1024.pem dh2048.pem dh4096.pem
(echo '#include "dhparams.h"' && \
+ openssl dhparam -C -in $(srcdir)/dh1024.pem -noout && \
openssl dhparam -C -in $(srcdir)/dh2048.pem -noout && \
openssl dhparam -C -in $(srcdir)/dh4096.pem -noout) \
| sed 's/\(get_dh[0-9]*\)()/\1(void)/' > dhparams.c.tmp
mv dhparams.c.tmp dhparams.c
endif
-EXTRA_DIST = dh2048.pem dh4096.pem dhparams.h
+EXTRA_DIST = dh1024.pem dh2048.pem dh4096.pem dhparams.h
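Review bot: A failing `openssl dhparam` step in the dhparams.c recipe would go unnoticed, because the `&&` chain runs inside a subshell whose output is piped to `sed`, and the recipe line's exit status is that of `sed`. The added dh1024.pem step lengthens that chain: if `openssl` is missing or rejects an input, `mv` would still install a truncated dhparams.c, and the problem would only show up later as an undefined `get_dh*` symbol. Writing the subshell output to the temporary file on one recipe line and running `sed` on that file on the next would let make stop at the first failure.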
--- /dev/null
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
+jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
+ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC
+-----END DH PARAMETERS-----
+
+These are the 1024 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.
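Review bot: The only provenance given for these parameters is an external `http://` page, so a later reader has no in-tree way to confirm that the base64 block really is the SKIP prime the trailing text describes. I would add a sentence to that text saying how the value was cross-checked, for example that the prime printed by `openssl dhparam -in dh1024.pem -text -noout` was compared with the published one. The closing remark about g could also name the property it relies on: if p is a safe prime and g = 2 is not a generator of the full group, as the text says, then g generates the subgroup of prime order (p-1)/2.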
#include <openssl/dh.h>
+DH *get_dh1024(void);
DH *get_dh2048(void);
DH *get_dh4096(void);
};
static struct dh dh_table[] = {
+ {1024, NULL, get_dh1024},
{2048, NULL, get_dh2048},
{4096, NULL, get_dh4096},
};
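Review bot: The new `{1024, NULL, get_dh1024}` entry offers a fixed, publicly known 1024-bit group to every DHE handshake that asks for that length. 1024-bit finite-field DH is below the 2048 bits or more generally recommended today, and widely shared groups are the ones most exposed to precomputation. The lookup in the later hunk matches on the `keylength` value OpenSSL passes to the callback, which historically reflects export versus non-export cipher suites rather than a desired strength, so this entry is likely to be the one used in practice. OpenSSL's documentation advises ignoring `keylength` and returning parameters of at least 2048 bits; if 1024 has to stay for compatibility, a comment on the entry such as `/* 1024-bit: interoperability only, weaker than the 2048/4096 entries */` would record that. The struct definition that this table instantiates begins outside the hunk.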
struct dh *dh;
- for (dh = dh_table; dh < &dh[ARRAY_SIZE(dh_table)]; dh++) {
+ for (dh = dh_table; dh < &dh_table[ARRAY_SIZE(dh_table)]; dh++) {
if (dh->keylength == keylength) {
if (!dh->dh) {
dh->dh = dh->constructor();