From: Ben Pfaff
Date: Thu, 27 Mar 2008 21:30:21 +0000 (-0700)
Subject: Add 1024-bit Diffie-Hellman parameters to vconn-ssl.
X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=5f9a684de51d748362b7685c3da9a4c961612103;p=sliver-openvswitch.git

Add 1024-bit Diffie-Hellman parameters to vconn-ssl.

1024-bit Diffie-Hellman is somewhat weak, but I haven't been able to figure out how to make OpenSSL use longer Diffie-Hellman keys than that. If this isn't available, OpenSSL doesn't let connections proceed. This change should be reverted when we figure out how to make OpenSSL use longer Diffie-Hellman keys.
---
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 9e90f9528..f0c1ac6ec 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -30,12 +30,13 @@ if HAVE_OPENSSL
 libopenflow_la_SOURCES += \
 vconn-ssl.c \
 dhparams.c
-dhparams.c: dh2048.pem dh4096.pem
+dhparams.c: dh1024.pem dh2048.pem dh4096.pem
 (echo '#include "dhparams.h"' && \
+ openssl dhparam -C -in $(srcdir)/dh1024.pem -noout && \
 openssl dhparam -C -in $(srcdir)/dh2048.pem -noout && \
 openssl dhparam -C -in $(srcdir)/dh4096.pem -noout) \
 | sed 's/\(get_dh[0-9]*\)()/\1(void)/' > dhparams.c.tmp
 mv dhparams.c.tmp dhparams.c
 endif
-EXTRA_DIST = dh2048.pem dh4096.pem dhparams.h
+EXTRA_DIST = dh1024.pem dh2048.pem dh4096.pem dhparams.h
diff --git a/lib/dh1024.pem b/lib/dh1024.pem
new file mode 100644
index 000000000..6eaeca9b8
--- /dev/null
+++ b/lib/dh1024.pem
@@ -0,0 +1,10 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
+jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
+ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC
+-----END DH PARAMETERS-----
+
+These are the 1024 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.
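Review bot: The new `openssl dhparam -C -in $(srcdir)/dh1024.pem` step in the `dhparams.c` recipe can fail without stopping the build, because the subshell's `&&` chain is piped into `sed` and a POSIX sh pipeline reports only the exit status of its last command; `mv` then installs a `dhparams.c` holding just the `#include` line (or only some of the generators), and since that file is now newer than the `.pem` inputs a later `make` treats it as up to date. The link will still fail on the undefined `get_dh1024`, so this is not silent, but the stale generated file is confusing to diagnose and the failure is attributed to the wrong place. I would write the generator output to an intermediate file first, so that its exit status is what make checks, and only then post-process and install it.
```makefile
dhparams.c: dh1024.pem dh2048.pem dh4096.pem
	(echo '#include "dhparams.h"' && \
	openssl dhparam -C -in $(srcdir)/dh1024.pem -noout && \
	openssl dhparam -C -in $(srcdir)/dh2048.pem -noout && \
	openssl dhparam -C -in $(srcdir)/dh4096.pem -noout) > dhparams.c.raw
	sed 's/\(get_dh[0-9]*\)()/\1(void)/' dhparams.c.raw > dhparams.c.tmp
	rm -f dhparams.c.raw
	mv dhparams.c.tmp dhparams.c
```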
diff --git a/lib/dhparams.h b/lib/dhparams.h
index 0daeb55fc..0377bb940 100644
--- a/lib/dhparams.h
+++ b/lib/dhparams.h
@@ -3,6 +3,7 @@
 #include
+DH *get_dh1024(void);
 DH *get_dh2048(void);
 DH *get_dh4096(void);
diff --git a/lib/vconn-ssl.c b/lib/vconn-ssl.c
index 94055922a..199c987ba 100644
--- a/lib/vconn-ssl.c
+++ b/lib/vconn-ssl.c
@@ -674,13 +674,14 @@ tmp_dh_callback(SSL *ssl, int is_export UNUSED, int keylength)
 };
 static struct dh dh_table[] = {
+ {1024, NULL, get_dh1024},
 {2048, NULL, get_dh2048},
 {4096, NULL, get_dh4096},
 };
 struct dh *dh;
- for (dh = dh_table; dh < &dh[ARRAY_SIZE(dh_table)]; dh++) {
+ for (dh = dh_table; dh < &dh_table[ARRAY_SIZE(dh_table)]; dh++) {
 if (dh->keylength == keylength) {
 if (!dh->dh) {
 dh->dh = dh->constructor();
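Review bot: Adding a `{1024, NULL, get_dh1024}` row to `dh_table` works around the real problem in the lookup just below it: the loop hands back a parameter set only when `dh->keylength == keylength` matches exactly, so any size OpenSSL asks for that is not literally in the table still takes the fall-through path after the hunk (presumably returning NULL, which is what the commit message describes as the handshake not proceeding). As far as I recall, OpenSSL's temporary-DH callback treats `keylength` as a minimum hint and accepts larger parameters, so changing the test to `if (dh->keylength >= keylength) {` and deleting the 1024-bit row would serve 1024-bit requests with the 2048-bit group, keeping the table sorted ascending as it already is, and would remove the need for the revert the commit message promises. The 1024-bit parameters being added are also a fixed, published group, which makes them a more attractive precomputation target than locally generated ones; if the row must stay for now, a comment on it such as `/* XXX weak; remove once larger groups are negotiated (see commit message) */` would keep the intent visible. The remainder of `tmp_dh_callback`, including what happens when no entry matches, lies outside the hunk.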