SSL (patch 3)

Bear Giles bear at coyotesong.com
Sun May 26 17:23:08 UTC 2002


This patch removes ephemeral RSA (ERSA) keys and adds ephemeral DH (EDH) keys.
ERSA is now deprecated: generating the keys is so expensive that they
end up being reused for long periods of time, whereas EDH keys can be
efficiently regenerated for each session.

Bear Giles



Index: inn/nnrpd/tls.c
diff -c inn/nnrpd/tls.c:1.1.1.1 inn/nnrpd/tls.c:1.2
*** inn/nnrpd/tls.c:1.1.1.1	Sun May 26 09:49:30 2002
--- inn/nnrpd/tls.c	Sun May 26 11:19:43 2002
***************
*** 142,147 ****
--- 142,153 ----
  
  /* taken from OpenSSL apps/s_cb.c */
  
+ /*
+  *	Generate empheral RSA key.  Because of the cost of generating
+  *	ERSA keys (and the consequent caching), it is deprecated in favor
+  *	of EDH keys.
+  */
+ /*
  static RSA *tmp_rsa_cb(SSL * s UNUSED, int export UNUSED, int keylength)
  {
      static RSA *rsa_tmp = NULL;
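Review bot: Disabling tmp_rsa_cb by wrapping it in `/* ... */` is fragile, because C comments do not nest: the opener added just above the function signature is closed by the first `*/` that follows, so any comment inside the function body (which lies outside this hunk) would end the block early and leave the remainder to be compiled. Since the commit message calls ephemeral RSA deprecated, deleting the function is cleaner; if it has to stay for reference, `#if 0` / `#endif` is the safe way to fence it off. The new header comment also misspells the word; it should read `Generate ephemeral RSA key.`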
***************
*** 151,156 ****
--- 157,282 ----
      }
      return (rsa_tmp);
  }
+ */
+ 
+ /*
+  *	Hardcoded DH parameter files, from OpenSSL.
+  *	For information on how these files were generated, see
+  *	"Assigned Number for SKIP Protocols" 
+  *	(http://www.skip-vpn.org/spec/numbers.html.
+  */
+ static const char file_dh512[] =
+ "-----BEGIN DH PARAMETERS-----\n\
+ MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak\n\
+ XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC\n\
+ -----END DH PARAMETERS-----\n";
+ 
+ static const char file_dh1024[] =
+ "-----BEGIN DH PARAMETERS-----\n\
+ MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY\n\
+ jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6\n\
+ ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC\n\
+ -----END DH PARAMETERS-----\n";
+ 
+ static const char file_dh2048[] =
+ "-----BEGIN DH PARAMETERS-----\n\
+ MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV\n\
+ 89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50\n\
+ T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb\n\
+ zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX\n\
+ Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT\n\
+ CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==\n\
+ -----END DH PARAMETERS-----\n";
+ 
+ static const char file_dh4096[] =
+ "-----BEGIN DH PARAMETERS-----\n\
+ MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ\n\
+ l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt\n\
+ Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS\n\
+ Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98\n\
+ VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc\n\
+ alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM\n\
+ sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9\n\
+ ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte\n\
+ OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH\n\
+ AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL\n\
+ KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=\n\
+ -----END DH PARAMETERS-----\n";
+ 
+ /*
+  *	Load hardcoded DH parameters.
+  */
+ static DH *
+ load_dh_buffer (const char *buffer, size_t len)
+ {
+ 	BIO *bio;
+ 	DH *dh = NULL;
+ 
+ 	bio = BIO_new_mem_buf((char *) buffer, len);
+ 	if (bio == NULL)
+ 		return NULL;
+ 	dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ /*	if (dh == NULL) log error */
+ 	BIO_free(bio);
+ 
+ 	return dh;
+ }
+ 
+ /*
+  *	Generate empheral DH key.  Because this can take a long
+  *	time to compute, we use precomputed parameters of the
+  *	common key sizes.
+  *
+  *	These values can be static (once loaded or computed) since
+  *	the OpenSSL library can effectively generate random keys
+  *	from the information provided.
+  *
+  *	EDH keying is slightly less efficient than static RSA keying,
+  *	but it offers Perfect Forward Secrecy (PFS).
+  *
+  *	FIXME: support user-specified files, to eliminate risk of
+  *	"small group" attacks.
+  */
+ static DH *tmp_dh_cb(SSL *s UNUSED, int export UNUSED, int keylength)
+ {
+ 	DH *r = NULL;
+ 	static DH *dh = NULL;
+ 	static DH *dh512 = NULL;
+ 	static DH *dh1024 = NULL;
+ 	static DH *dh2048 = NULL;
+ 	static DH *dh4096 = NULL;
+ 
+ 	switch (keylength)
+ 	{
+ 	case 512:
+ 		if (dh512 == NULL)
+ 			dh512 = load_dh_buffer(file_dh512, sizeof file_dh512);
+ 		r = dh512;
+ 		break;
+ 	case 1024:
+ 		if (dh1024 == NULL)
+ 			dh1024 = load_dh_buffer(file_dh1024, sizeof file_dh1024);
+ 		r = dh1024;
+ 		break;
+ 	case 2048:
+ 		if (dh2048 == NULL)
+ 			dh2048 = load_dh_buffer(file_dh2048, sizeof file_dh2048);
+ 		r = dh2048;
+ 		break;
+ 	case 4096:
+ 		if (dh4096 == NULL)
+ 			dh4096 = load_dh_buffer(file_dh4096, sizeof file_dh4096);
+ 		r = dh4096;
+ 		break;
+ 	default:
+ 		/* we should check current keylength vs. requested keylength* /
+ 		/* also, this is an extremely expensive operation! */
+ 		dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+ 		r = dh;
+ 	}
+ 
+ 	return r;
+ }
  
  /* taken from OpenSSL apps/s_cb.c */
  
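Review bot: The `default:` branch of tmp_dh_cb calls DH_generate_parameters() in the middle of a handshake for any size that is not built in, never checks the result for NULL, and overwrites the static `dh` on every call without freeing the previous value, so each such call leaks a DH structure and repeats work its own comment calls extremely expensive. Whether a peer can steer `keylength` into this branch depends on the OpenSSL code that invokes the callback, which is not visible here, but answering with a built-in group of at least the requested size removes the question, and the static `dh` local can then be dropped. The first comment in that branch ends in `* /` rather than `*/`, so it only closes at the end of the following comment line. load_dh_buffer() also fails silently; the commented-out `if (dh == NULL) log error` should become a real log call so a corrupted parameter block is noticed.

```c
	/* ... unchanged: case 512 / 1024 / 2048 / 4096 ... */
	default:
		/* Not a built-in size: serve a built-in group of at least the
		 * requested size (never below 1024, capped at 4096) instead of
		 * generating parameters during the handshake. */
		if (keylength < 1024) {
			if (dh1024 == NULL)
				dh1024 = load_dh_buffer(file_dh1024, sizeof file_dh1024);
			r = dh1024;
		} else if (keylength < 2048) {
			if (dh2048 == NULL)
				dh2048 = load_dh_buffer(file_dh2048, sizeof file_dh2048);
			r = dh2048;
		} else {
			if (dh4096 == NULL)
				dh4096 = load_dh_buffer(file_dh4096, sizeof file_dh4096);
			r = dh4096;
		}
		break;
```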
***************
*** 390,396 ****
  	Printf("TLS engine: cannot load cert/key data\n");
        return (-1);
      }
!     SSL_CTX_set_tmp_rsa_callback(CTX, tmp_rsa_cb);
  
      verify_depth = verifydepth;
      if (askcert!=0)
--- 516,524 ----
  	Printf("TLS engine: cannot load cert/key data\n");
        return (-1);
      }
! /*  SSL_CTX_set_tmp_rsa_callback(CTX, tmp_rsa_cb); */
!     SSL_CTX_set_tmp_dh_callback(CTX, tmp_dh_cb);
! 	SSL_CTX_set_options(CTX, SSL_OP_SINGLE_DH_USE);
  
      verify_depth = verifydepth;
      if (askcert!=0)
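Review bot: With tmp_dh_cb installed on CTX, a handshake that asks the callback for 512 bits is answered with `file_dh512`, and a 512-bit group gives little protection even with SSL_OP_SINGLE_DH_USE set. The cipher list configured on CTX is not visible in this hunk, and the enclosing function starts and ends outside it; if export-grade suites are not required, exclude them where the cipher list is set, or have the callback answer such requests with the 1024-bit group. The commented-out `SSL_CTX_set_tmp_rsa_callback` line can simply be deleted, and the `SSL_CTX_set_options` line is indented with a tab where its neighbours use spaces.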



