author | Gilles Chehade <gilles@cvs.openbsd.org> | 2015-12-12 17:14:41 +0000 |
---|---|---|
committer | Gilles Chehade <gilles@cvs.openbsd.org> | 2015-12-12 17:14:41 +0000 |
commit | af1a86cc50219e7aa1749890716a412204c3ca23 (patch) | |
tree | e499d4cf53c4a8ddb6ceb226592f77069ae633b0 | |
parent | c19125882b283c2abfa09443422fff2e790339e2 (diff) |
bump DH params to 2048, it's been part of smtpd releases for a long time
and I've been running with it since June with no side-effect
ok sunil@, jung@, millert@
-rw-r--r-- | usr.sbin/smtpd/ssl.c | 59 | ||||
-rw-r--r-- | usr.sbin/smtpd/ssl.h | 4 |
2 files changed, 35 insertions, 28 deletions
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index d9f42ebebb1..e9affe0c6a1 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.80 2015/12/05 21:27:42 mmcc Exp $ */
+/* $OpenBSD: ssl.c,v 1.81 2015/12/12 17:14:40 gilles Exp $ */
 
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -45,6 +45,9 @@
 #include "log.h"
 #include "ssl.h"
 
+static DH *get_dh2048(void);
+static DH *get_dh_from_memory(char *, size_t);
+
 void
 ssl_init(void)
 {
@@ -83,7 +86,7 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki)
 goto err;
 if (pki->pki_dhparams_len == 0)
- dh = get_dh1024();
+ dh = get_dh2048();
 else
 dh = get_dh_from_memory(pki->pki_dhparams, pki->pki_dhparams_len);
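Review bot: `dh` can still be NULL after the new `dh = get_dh2048();`, because get_dh2048() (hunk at @@ -370) returns NULL when DH_new() or BN_bin2bn() fails, and nothing in this hunk checks the result before ssl_setup() goes on to use it; ssl_setup() continues past the hunk, so if that check is not already present downstream, add `if (dh == NULL) goto err;` after the if/else (the `err` label is already the hunk's error path). The same applies to the get_dh_from_memory() branch, which parses operator-supplied pki_dhparams and is the more likely one to fail. What a NULL group does afterwards presumably depends on how ssl_set_ephemeral_key_exchange() treats a NULL DH — either a context with no ephemeral key or a crash in the callee — which is worth confirming.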
@@ -370,37 +373,43 @@ ssl_error(const char *where)
 *
 * -- gilles@
 */
-DH *
-get_dh1024(void)
+static DH *
+get_dh2048(void)
 {
 DH *dh;
- unsigned char dh1024_p[] = {
- 0xAD,0x37,0xBB,0x26,0x75,0x01,0x27,0x75,
- 0x06,0xB5,0xE7,0x1E,0x1F,0x2B,0xBC,0x51,
- 0xC0,0xF4,0xEB,0x42,0x7A,0x2A,0x83,0x1E,
- 0xE8,0xD1,0xD8,0xCC,0x9E,0xE6,0x15,0x1D,
- 0x06,0x46,0x50,0x94,0xB9,0xEE,0xB6,0x89,
- 0xB7,0x3C,0xAC,0x07,0x5E,0x29,0x37,0xCC,
- 0x8F,0xDF,0x48,0x56,0x85,0x83,0x26,0x02,
- 0xB8,0xB6,0x63,0xAF,0x2D,0x4A,0x57,0x93,
- 0x6B,0x54,0xE1,0x8F,0x28,0x76,0x9C,0x5D,
- 0x90,0x65,0xD1,0x07,0xFE,0x5B,0x05,0x65,
- 0xDA,0xD2,0xE2,0xAF,0x23,0xCA,0x2F,0xD6,
- 0x4B,0xD2,0x04,0xFE,0xDF,0x21,0x2A,0xE1,
- 0xCD,0x1B,0x70,0x76,0xB3,0x51,0xA4,0xC9,
- 0x2B,0x68,0xE3,0xDD,0xCB,0x97,0xDA,0x59,
- 0x50,0x93,0xEE,0xDB,0xBF,0xC7,0xFA,0xA7,
- 0x47,0xC4,0x4D,0xF0,0xC6,0x09,0x4A,0x4B
+ unsigned char dh2048_p[] = {
+ 0xB2,0xE2,0x07,0x34,0x16,0xEB,0x18,0xB5,0xED,0x0F,0xD4,0xC3,
+ 0xB6,0x6B,0x79,0xDF,0xA1,0x98,0x1C,0x8D,0x68,0x97,0x6C,0xDF,
+ 0xFF,0x38,0x60,0xEC,0x93,0x40,0xEF,0x26,0x12,0xB8,0x1B,0x79,
+ 0x68,0x72,0x47,0x8F,0x53,0x4C,0xBF,0x90,0xFF,0xE0,0x3E,0xE7,
+ 0x43,0x95,0x0B,0x97,0x43,0xDA,0xB4,0xE1,0x85,0x69,0xA5,0x67,
+ 0xFB,0x10,0x97,0x5A,0x0D,0x11,0xEB,0xED,0x78,0x82,0xCC,0xF5,
+ 0x7A,0xCC,0x27,0x27,0x5E,0xE5,0x3D,0xBA,0x47,0x38,0xBE,0x18,
+ 0xCA,0xC7,0x16,0xC7,0x7B,0x9E,0xA7,0xB0,0x80,0xAC,0x92,0x25,
+ 0x36,0x16,0x8F,0x29,0xA5,0x32,0x01,0x60,0x33,0x7C,0x2C,0x2F,
+ 0x49,0x7C,0x1D,0x4B,0xDA,0xBD,0xE4,0xF9,0x82,0x2B,0x71,0xCB,
+ 0x07,0xE3,0xCC,0x65,0x8A,0x1A,0xAB,0x81,0x0F,0xA9,0x96,0x35,
+ 0x4C,0xFD,0x42,0xFC,0xD6,0xE3,0xE8,0x2E,0x0E,0xAA,0x4D,0x75,
+ 0x54,0x02,0x49,0xDD,0xC5,0x5F,0x38,0x93,0xFA,0xEF,0x7D,0xBA,
+ 0x0C,0x75,0x93,0x09,0x8C,0x24,0x65,0xC6,0xF4,0xBF,0x59,0xF0,
+ 0x5D,0x0A,0xA4,0x26,0x7F,0xDA,0x0F,0x41,0x3A,0x43,0x61,0xDF,
+ 0x09,0x26,0xA1,0xB0,0xFE,0x8D,0xA6,0x21,0xC1,0xFD,0x41,0x65,
+ 0x30,0xE7,0xE4,0xD0,0x8E,0x78,0x93,0x3C,0x3E,0x3E,0xCA,0x30,
+ 0xA7,0x25,0x35,0x24,0x26,0x29,0xAC,0xCE,0x21,0x78,0x3B,0x9D,
+ 0xDD,0x0B,0x44,0xD0,0x7C,0xEB,0x2F,0xDD,0xE7,0x64,0xBC,0xF7,
+ 0x40,0x12,0xC8,0x35,0xFA,0x81,0xD6,0x80,0x39,0x1C,0x77,0x72,
+ 0x86,0x5B,0x19,0xDC,0xCB,0xDC,0xCB,0xF6,0x54,0x6F,0xB1,0xCB,
+ 0xE4,0xC3,0x05,0xD3
 };
- unsigned char dh1024_g[] = {
+ unsigned char dh2048_g[] = {
 0x02
 };
 if ((dh = DH_new()) == NULL)
 return NULL;
- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+ dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+ dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
 if (dh->p == NULL || dh->g == NULL) {
 DH_free(dh);
 return NULL;
@@ -409,7 +418,7 @@ get_dh1024(void)
 return dh;
 }
 
-DH *
+static DH *
 get_dh_from_memory(char *params, size_t len)
 {
 BIO *mem;
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index 228ed6abc45..48cc1645b34 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.15 2015/12/12 14:40:20 gilles Exp $ */
+/* $OpenBSD: ssl.h,v 1.16 2015/12/12 17:14:40 gilles Exp $ */
 /*
 * Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
 *
@@ -54,8 +54,6 @@ void ssl_init(void);
 int ssl_setup(SSL_CTX **, struct pki *);
 SSL_CTX *ssl_ctx_create(const char *, char *, off_t);
 int ssl_cmp(struct pki *, struct pki *);
-DH *get_dh1024(void);
-DH *get_dh_from_memory(char *, size_t);
 void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *);
 char *ssl_load_file(const char *, off_t *, mode_t);
 char *ssl_load_key(const char *, off_t *, char *, mode_t, const char *);
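Review bot: The group constants in get_dh2048() are mutable automatic arrays (`+ unsigned char dh2048_p[] = {` and `+ unsigned char dh2048_g[] = {`), so the 256-byte prime is re-initialised on the stack on every call and nothing protects the values from accidental modification; since BN_bin2bn() takes a const pointer, declaring them `static const unsigned char dh2048_p[] = {` and `static const unsigned char dh2048_g[] = {` removes both issues without touching the rest of the function. The comment block that ends at ` * -- gilles@ */` starts above the hunk and should record how the 2048-bit parameters were produced (tool, options, date), because every server without a configured pki_dhparams (the `pki_dhparams_len == 0` branch in the hunk at @@ -83) shares this one fixed group and an auditor needs enough to re-check its properties. get_dh2048()'s body continues past this hunk; its `return dh;` appears in the hunk at @@ -409.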