[AOLSERVER-COMMITS] nsopenssl dh1024.h, NONE, 1.1 ChangeLog, 1.117, 1.118 sslcontext.c, 1.11, 1.12

[Scott S. G. <sc...@us...>]

Update of /cvsroot/aolserver/nsopenssl
In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv29122

Modified Files:
	ChangeLog sslcontext.c 
Added Files:
	dh1024.h 
Log Message:
sslcontext.c, dh1024.h:

Added 1024 bit DH parameters so that ciphers that utilize DH parameters can be
configured. If DH parameters are not available, any ciphers that require them
are silently ignored by OpenSSL even if you've explicitly specified them in the
CipherSuite configuration string. Some of these ciphers provide for forward
secrecy. The parameters come from the OpenSSL distribution in apps/dh1024.pem.


Index: sslcontext.c
===================================================================
RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -C2 -d -r1.11 -r1.12
*** sslcontext.c	28 Mar 2006 17:56:30 -0000	1.11
--- sslcontext.c	16 Dec 2016 16:45:41 -0000	1.12
***************
*** 38,41 ****
--- 38,42 ----
  
  #include "nsopenssl.h"
+ #include "dh1024.h"
  
  Tcl_HashTable NsOpenSSLServers;
***************
*** 247,257 ****
      SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_ALL);
  
-     /* This apparently prevents some sort of DH attack */
-     SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_SINGLE_DH_USE);
- 
      /* Temporary key callback required for 40-bit export browsers */
      SSL_CTX_set_tmp_rsa_callback(sslcontext->sslctx, IssueTmpRSAKey);
  
      /*
       * Failure in one of these will cause SSL context to be left uninitialized.
       */
--- 248,283 ----
      SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_ALL);
  
      /* Temporary key callback required for 40-bit export browsers */
      SSL_CTX_set_tmp_rsa_callback(sslcontext->sslctx, IssueTmpRSAKey);
  
      /*
+      * Set up DH parameters to enable use of some forward secrecy ciphers.
+      * For now we will only use 1024 bit DH params generated by the latest
+      * OpenSSL release. We create the .h file this way:
+      *
+      * $OPENSSL dhparam -inform PEM -in $DH_PEM_FILE -C -noout >> $DH_C_FILE
+      *
+      * DH_PEM_FILE -> OpenSSL source dist apps/dh1024.pem file
+      * DH_C_FILE -> dh1024.h in the nsopenssl distribution directory
+      *
+      * The source dh1024.pem file might be regenerated and a new one supplied
+      * with each release of OpenSSL.
+      *
+      * See: https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
+      */
+ 
+     DH *dh = get_dh1024 ();
+     if (SSL_CTX_set_tmp_dh(sslcontext->sslctx, dh) == 1) {
+         Ns_Log(Notice, "%s (%s): DH parameters (1024 bit) set", 
+             MODULE, server);
+         /* This apparently prevents some sort of DH attack */
+         SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_SINGLE_DH_USE);
+     } else {
+         Ns_Log(Error, "%s (%s): failed to set DH parameters - some ciphers will not be available", 
+             MODULE, server);
+     }
+     DH_free (dh);
+ 
+     /*
       * Failure in one of these will cause SSL context to be left uninitialized.
       */

Index: ChangeLog
===================================================================
RCS file: /cvsroot/aolserver/nsopenssl/ChangeLog,v
retrieving revision 1.117
retrieving revision 1.118
diff -C2 -d -r1.117 -r1.118
*** ChangeLog	20 Nov 2004 06:43:51 -0000	1.117
--- ChangeLog	16 Dec 2016 16:45:41 -0000	1.118
***************
*** 1,2 ****
--- 1,12 ----
+ 2016-12-16  Scott S. Goodwin <sc...@sc...>
+ 
+ 	* sslcontext.c, dh1024.h: Added 1024 bit DH parameters so that 
+ 	  ciphers that utilize DH parameters can be configured. If DH
+ 	  parameters are not available, any ciphers that require them are
+ 	  silently ignored by OpenSSL even if you've explicitly specified them
+ 	  in the CipherSuite configuration string. Some of these ciphers
+ 	  provide for forward secrecy. The parameters come from the OpenSSL
+ 	  distribution in apps/dh1024.pem.
+ 
  2004-11-20  tag v3_0beta26
  

--- NEW FILE: dh1024.h ---
/* 1024-bit DH params from OpenSSL 1.0.1j apps/dh1024.pem */
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
DH *get_dh1024()
	{
	static unsigned char dh1024_p[]={
		0xF4,0x88,0xFD,0x58,0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,
		0x91,0x07,0x36,0x6B,0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,
		0x88,0xB3,0x1C,0x7C,0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,
		0x43,0xF0,0xA5,0x5B,0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,
		0x38,0xD3,0x34,0xFD,0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,
		0xDE,0x33,0x21,0x2C,0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,
		0x18,0x11,0x8D,0x7C,0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,
		0x19,0xC8,0x07,0x29,0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,
		0xD0,0x0A,0x50,0x9B,0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,
		0x41,0x9F,0x9C,0x7C,0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,
		0xA2,0x5E,0xC3,0x55,0xE9,0x2F,0x78,0xC7,
		};
	static unsigned char dh1024_g[]={
		0x02,
		};
	DH *dh;

	if ((dh=DH_new()) == NULL) return(NULL);
	dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
	dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
	if ((dh->p == NULL) || (dh->g == NULL))
		{ DH_free(dh); return(NULL); }
	return(dh);
	}