authorGilles Chehade <gilles@cvs.openbsd.org>2015-12-12 17:14:41 +0000
committerGilles Chehade <gilles@cvs.openbsd.org>2015-12-12 17:14:41 +0000
commitaf1a86cc50219e7aa1749890716a412204c3ca23 (patch)
treee499d4cf53c4a8ddb6ceb226592f77069ae633b0
parentc19125882b283c2abfa09443422fff2e790339e2 (diff)
bump DH params to 2048, it's been part of smtpd releases for a long time
and I've been running with it since June with no side-effect ok sunil@, jung@, millert@
-rw-r--r--usr.sbin/smtpd/ssl.c59
-rw-r--r--usr.sbin/smtpd/ssl.h4
2 files changed, 35 insertions, 28 deletions
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index d9f42ebebb1..e9affe0c6a1 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.80 2015/12/05 21:27:42 mmcc Exp $ */
+/* $OpenBSD: ssl.c,v 1.81 2015/12/12 17:14:40 gilles Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -45,6 +45,9 @@
#include "log.h"
#include "ssl.h"
+static DH *get_dh2048(void);
+static DH *get_dh_from_memory(char *, size_t);
+
void
ssl_init(void)
{
@@ -83,7 +86,7 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki)
goto err;
if (pki->pki_dhparams_len == 0)
- dh = get_dh1024();
+ dh = get_dh2048();
else
dh = get_dh_from_memory(pki->pki_dhparams,
pki->pki_dhparams_len);
@@ -370,37 +373,43 @@ ssl_error(const char *where)
*
* -- gilles@
*/
-DH *
-get_dh1024(void)
+static DH *
+get_dh2048(void)
{
DH *dh;
- unsigned char dh1024_p[] = {
- 0xAD,0x37,0xBB,0x26,0x75,0x01,0x27,0x75,
- 0x06,0xB5,0xE7,0x1E,0x1F,0x2B,0xBC,0x51,
- 0xC0,0xF4,0xEB,0x42,0x7A,0x2A,0x83,0x1E,
- 0xE8,0xD1,0xD8,0xCC,0x9E,0xE6,0x15,0x1D,
- 0x06,0x46,0x50,0x94,0xB9,0xEE,0xB6,0x89,
- 0xB7,0x3C,0xAC,0x07,0x5E,0x29,0x37,0xCC,
- 0x8F,0xDF,0x48,0x56,0x85,0x83,0x26,0x02,
- 0xB8,0xB6,0x63,0xAF,0x2D,0x4A,0x57,0x93,
- 0x6B,0x54,0xE1,0x8F,0x28,0x76,0x9C,0x5D,
- 0x90,0x65,0xD1,0x07,0xFE,0x5B,0x05,0x65,
- 0xDA,0xD2,0xE2,0xAF,0x23,0xCA,0x2F,0xD6,
- 0x4B,0xD2,0x04,0xFE,0xDF,0x21,0x2A,0xE1,
- 0xCD,0x1B,0x70,0x76,0xB3,0x51,0xA4,0xC9,
- 0x2B,0x68,0xE3,0xDD,0xCB,0x97,0xDA,0x59,
- 0x50,0x93,0xEE,0xDB,0xBF,0xC7,0xFA,0xA7,
- 0x47,0xC4,0x4D,0xF0,0xC6,0x09,0x4A,0x4B
+ unsigned char dh2048_p[] = {
+ 0xB2,0xE2,0x07,0x34,0x16,0xEB,0x18,0xB5,0xED,0x0F,0xD4,0xC3,
+ 0xB6,0x6B,0x79,0xDF,0xA1,0x98,0x1C,0x8D,0x68,0x97,0x6C,0xDF,
+ 0xFF,0x38,0x60,0xEC,0x93,0x40,0xEF,0x26,0x12,0xB8,0x1B,0x79,
+ 0x68,0x72,0x47,0x8F,0x53,0x4C,0xBF,0x90,0xFF,0xE0,0x3E,0xE7,
+ 0x43,0x95,0x0B,0x97,0x43,0xDA,0xB4,0xE1,0x85,0x69,0xA5,0x67,
+ 0xFB,0x10,0x97,0x5A,0x0D,0x11,0xEB,0xED,0x78,0x82,0xCC,0xF5,
+ 0x7A,0xCC,0x27,0x27,0x5E,0xE5,0x3D,0xBA,0x47,0x38,0xBE,0x18,
+ 0xCA,0xC7,0x16,0xC7,0x7B,0x9E,0xA7,0xB0,0x80,0xAC,0x92,0x25,
+ 0x36,0x16,0x8F,0x29,0xA5,0x32,0x01,0x60,0x33,0x7C,0x2C,0x2F,
+ 0x49,0x7C,0x1D,0x4B,0xDA,0xBD,0xE4,0xF9,0x82,0x2B,0x71,0xCB,
+ 0x07,0xE3,0xCC,0x65,0x8A,0x1A,0xAB,0x81,0x0F,0xA9,0x96,0x35,
+ 0x4C,0xFD,0x42,0xFC,0xD6,0xE3,0xE8,0x2E,0x0E,0xAA,0x4D,0x75,
+ 0x54,0x02,0x49,0xDD,0xC5,0x5F,0x38,0x93,0xFA,0xEF,0x7D,0xBA,
+ 0x0C,0x75,0x93,0x09,0x8C,0x24,0x65,0xC6,0xF4,0xBF,0x59,0xF0,
+ 0x5D,0x0A,0xA4,0x26,0x7F,0xDA,0x0F,0x41,0x3A,0x43,0x61,0xDF,
+ 0x09,0x26,0xA1,0xB0,0xFE,0x8D,0xA6,0x21,0xC1,0xFD,0x41,0x65,
+ 0x30,0xE7,0xE4,0xD0,0x8E,0x78,0x93,0x3C,0x3E,0x3E,0xCA,0x30,
+ 0xA7,0x25,0x35,0x24,0x26,0x29,0xAC,0xCE,0x21,0x78,0x3B,0x9D,
+ 0xDD,0x0B,0x44,0xD0,0x7C,0xEB,0x2F,0xDD,0xE7,0x64,0xBC,0xF7,
+ 0x40,0x12,0xC8,0x35,0xFA,0x81,0xD6,0x80,0x39,0x1C,0x77,0x72,
+ 0x86,0x5B,0x19,0xDC,0xCB,0xDC,0xCB,0xF6,0x54,0x6F,0xB1,0xCB,
+ 0xE4,0xC3,0x05,0xD3
};
- unsigned char dh1024_g[] = {
+ unsigned char dh2048_g[] = {
0x02
};
if ((dh = DH_new()) == NULL)
return NULL;
- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+ dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+ dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
if (dh->p == NULL || dh->g == NULL) {
DH_free(dh);
return NULL;
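Review bot: The new `dh2048_p` and `dh2048_g` tables are plain automatic arrays, so every call copies the 256-byte group onto the stack before BN_bin2bn reads it; declaring them `static const unsigned char dh2048_p[] = {` and `static const unsigned char dh2048_g[] = {` keeps the constants in read-only storage and states that they are never written (BN_bin2bn takes a const pointer, so no cast is needed). The group itself carries no comment recording its provenance; a one-line note above the array saying how the parameters were generated would let a later reviewer confirm it is a safe prime rather than an unverifiable constant. The direct `dh->p`/`dh->g` stores assume a non-opaque DH, which holds for the TLS library this tree builds against; they are the main thing to revisit if the code is ever built against a library that hides the struct. get_dh2048 continues past the end of the hunk.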
@@ -409,7 +418,7 @@ get_dh1024(void)
return dh;
}
-DH *
+static DH *
get_dh_from_memory(char *params, size_t len)
{
BIO *mem;
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index 228ed6abc45..48cc1645b34 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.15 2015/12/12 14:40:20 gilles Exp $ */
+/* $OpenBSD: ssl.h,v 1.16 2015/12/12 17:14:40 gilles Exp $ */
/*
* Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
*
@@ -54,8 +54,6 @@ void ssl_init(void);
int ssl_setup(SSL_CTX **, struct pki *);
SSL_CTX *ssl_ctx_create(const char *, char *, off_t);
int ssl_cmp(struct pki *, struct pki *);
-DH *get_dh1024(void);
-DH *get_dh_from_memory(char *, size_t);
void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *);
char *ssl_load_file(const char *, off_t *, mode_t);
char *ssl_load_key(const char *, off_t *, char *, mode_t, const char *);