add support for DHE ciphers via compiled in dhparam

make it possible to use regular (non EC) EDH ciphers. To make this possible a Diffie-Hellman parameter must be passed to the openssl library. There are a few options possible as described in the manuals at [1] and [2]. Simplest approach is to generate a DH parameter using openssl dhparam -C <lenght> and include the code into the application. The lenght used for this commit is 2236 bits long, which is the longest possible without risking backward incompatibilities with old systems as stated in [1]. Newer systems should use ECDH anyway, so it makes sense to keep this method as compatible with older system as possible. Paramters longer than 2048 should still be secure enough at the time of writing. [1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters [2] https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3)
author: Enrico Tagliavini <enrico.tagliavini@fmi.ch> 2018-02-07 13:44:06 +0100
committer: metalefty <meta@vmeta.jp> 2018-03-01 09:57:35 +0900
commit: 70b5adb3960a96db100a5a7812ea7404e1561d29 (patch)
tree: 48eb84286acbc76e9463ddce19f4d17e22f2f3e4
parent: 6cdc0f31b0be94b60fc35e8cfb6acc8d727f855b (diff)
download: xrdp-proprietary-70b5adb3960a96db100a5a7812ea7404e1561d29.tar.gz
xrdp-proprietary-70b5adb3960a96db100a5a7812ea7404e1561d29.zip
1 files changed, 61 insertions, 0 deletions
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index bd2181c0..de447e46 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -32,6 +32,7 @@
 #include <openssl/hmac.h>
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+# include <openssl/dh.h>
 
 #include "os_calls.h"
 #include "arch.h"
@@ -486,6 +487,60 @@ ssl_gen_key_xrdp1(int key_size_in_bits, const char *exp, int exp_len,
 }
 
 /*****************************************************************************/
+/** static DH parameter, can be used if no custom parameter is specified
+see also 
+ * https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
+ * https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3)
+*/
+DH *get_dh2236()
+{
+    static unsigned char dhp_2236[] = {
+        0x0A, 0x32, 0x29, 0xCA, 0x5A, 0x84, 0x4C, 0xD2, 0x66, 0x61,
+        0x29, 0xAD, 0x46, 0xD7, 0xFB, 0x3A, 0x1E, 0x92, 0x8D, 0x3F,
+        0xC8, 0x16, 0x41, 0x83, 0x0C, 0xA1, 0x96, 0x29, 0xD9, 0x0B,
+        0x28, 0x3F, 0x9A, 0x1F, 0xDA, 0x81, 0x9F, 0xD2, 0x3E, 0xE4,
+        0xFA, 0x94, 0xDF, 0x35, 0x7F, 0x7F, 0xBB, 0x23, 0xA4, 0xB2,
+        0x66, 0x50, 0x64, 0x3E, 0xCD, 0x50, 0xAE, 0xEC, 0x51, 0xE1,
+        0x12, 0x41, 0xB7, 0xC4, 0xF9, 0x79, 0xC7, 0x3D, 0x80, 0x16,
+        0xE2, 0xA8, 0x4B, 0xCA, 0x0B, 0x2A, 0xA3, 0xC1, 0x93, 0xCD,
+        0x15, 0x2C, 0xE3, 0x81, 0x92, 0x0A, 0x4C, 0x59, 0x88, 0x07,
+        0xC3, 0x18, 0xCC, 0x9B, 0xCE, 0x74, 0x7A, 0x80, 0x3A, 0x85,
+        0x6E, 0xF3, 0x81, 0x2B, 0xD3, 0x84, 0x6C, 0xBC, 0xB6, 0xE2,
+        0x51, 0xCD, 0x20, 0x4B, 0x3C, 0x45, 0x03, 0xDB, 0xA9, 0xB4,
+        0xFB, 0x95, 0x54, 0x16, 0x46, 0xA7, 0x7F, 0x03, 0xFC, 0xBB,
+        0xA1, 0xF7, 0x71, 0x10, 0xCB, 0x58, 0x21, 0x5C, 0xF4, 0x89,
+        0x52, 0x91, 0xAC, 0x69, 0x84, 0xA0, 0x6D, 0x88, 0xC8, 0x05,
+        0x2B, 0x23, 0x0B, 0x88, 0xB2, 0xE7, 0xE8, 0x28, 0x7E, 0x0D,
+        0x01, 0xBF, 0xBF, 0xCD, 0xC8, 0xD7, 0xE8, 0x2C, 0x6C, 0xE3,
+        0x58, 0xFD, 0x37, 0x9D, 0x31, 0x98, 0xAC, 0xC3, 0x49, 0x8E,
+        0x0B, 0x66, 0x86, 0xE7, 0xD2, 0xE5, 0xD6, 0x1D, 0x95, 0x1F,
+        0xD2, 0x84, 0xE5, 0x68, 0x76, 0x5C, 0x40, 0xB9, 0xF1, 0x58,
+        0xD2, 0x33, 0x2D, 0x92, 0x1F, 0xA1, 0x8A, 0xD1, 0xE6, 0x35,
+        0xC2, 0xBF, 0xBF, 0xD8, 0x63, 0xB5, 0x8E, 0x3D, 0x50, 0xD2,
+        0x80, 0x67, 0x5B, 0x04, 0x4F, 0x33, 0x20, 0xAF, 0xA1, 0xE9,
+        0xB5, 0xA6, 0x7A, 0x17, 0x8E, 0xC2, 0x3D, 0xFF, 0xB6, 0x81,
+        0x2A, 0xA8, 0x13, 0x32, 0x78, 0x8B, 0x38, 0x09, 0x8F, 0x54,
+        0x5D, 0x6F, 0x3E, 0x84, 0x93, 0x49, 0x96, 0x26, 0x4E, 0x68,
+        0x82, 0x42, 0x40, 0xD9, 0x30, 0xA3, 0x90, 0x6B, 0x99, 0x1B,
+        0x11, 0x3A, 0x36, 0xE9, 0xD8, 0x52, 0x8A, 0x85, 0xDD, 0xB3
+    };
+    static unsigned char dhg_2236[] = {
+        0x02
+    };
+    DH *dh = DH_new();
+
+    if (dh == NULL)
+        return NULL;
+    dh->p=BN_bin2bn(dhp_2236,sizeof(dhp_2236),NULL);
+    dh->g=BN_bin2bn(dhg_2236,sizeof(dhg_2236),NULL);
+    if (dh->p == NULL || dh->g == NULL) {
+        DH_free(dh);
+        return NULL;
+    }
+    return dh;
+}
+
+/*****************************************************************************/
 struct ssl_tls *
 ssl_tls_create(struct trans *trans, const char *key, const char *cert)
 {
@@ -592,6 +647,12 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
                      SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
                      SSL_MODE_ENABLE_PARTIAL_WRITE);
     SSL_CTX_set_options(self->ctx, options);
+    DH *dh = get_dh2236 ();
+    if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1) {
+        g_writeln("SSL_CTX_set_tmp_dh failed");
+        return 1;
+    }
+    DH_free (dh);
 #if defined(SSL_CTX_set_ecdh_auto)
     SSL_CTX_set_ecdh_auto(self->ctx, 1);
 #endif
author	Enrico Tagliavini <enrico.tagliavini@fmi.ch>	2018-02-07 13:44:06 +0100
committer	metalefty <meta@vmeta.jp>	2018-03-01 09:57:35 +0900
commit	70b5adb3960a96db100a5a7812ea7404e1561d29 (patch)
tree	48eb84286acbc76e9463ddce19f4d17e22f2f3e4
parent	6cdc0f31b0be94b60fc35e8cfb6acc8d727f855b (diff)
download	xrdp-proprietary-70b5adb3960a96db100a5a7812ea7404e1561d29.tar.gz xrdp-proprietary-70b5adb3960a96db100a5a7812ea7404e1561d29.zip