mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-11-24 04:11:02 +01:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: Use DH parameters defined in RFC7919 instead of hard coded ones

Browse Source 
RFC7919 defined sets of DH parameters supposedly strong enough to be
used safely. We will then use them when we can instead of our hard coded
ones (namely the ffdhe2048 and ffdhe4096 named groups).
The ffdhe2048 and ffdhe4096 named groups were integrated in OpenSSL
starting with version 1.1.1. Instead of duplicating those parameters in
haproxy for older versions of OpenSSL, we will keep using our own
parameters when they are not provided by the SSL library.
We will also need to keep our 1024 bits DH parameters since they are
considered not safe enough to have a dedicated named group in RFC7919
but we must still keep it for retrocompatibility with old Java clients.

This request was described in GitHub issue #1604.
This commit is contained in:
Remi Tricot-Le Breton 2022-04-12 11:31:54 +02:00 committed by William Lallemand
parent 43041aaefd
commit 528b3fd9be
1 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
src/ssl_sock.c
View File

@ -2954,6 +2954,41 @@ end:
#endif
}
static inline HASSL_DH *ssl_get_dh_by_nid(int nid)
{
#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
OSSL_PARAM params[2];
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
const char *named_group = NULL;
if (!pctx)
goto end;
named_group = OBJ_nid2ln(nid);
if (!named_group)
goto end;
params[0] = OSSL_PARAM_construct_utf8_string("group", (char*)named_group, 0);
params[1] = OSSL_PARAM_construct_end();
if (EVP_PKEY_keygen_init(pctx) && EVP_PKEY_CTX_set_params(pctx, params))
EVP_PKEY_generate(pctx, &pkey);
end:
EVP_PKEY_CTX_free(pctx);
return pkey;
#else
HASSL_DH *dh = NULL;
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
dh = DH_new_by_nid(nid);
#endif
return dh;
#endif
}
static HASSL_DH * ssl_get_dh_1024(void)
{
@ -2990,6 +3025,7 @@ static HASSL_DH * ssl_get_dh_1024(void)
static HASSL_DH *ssl_get_dh_2048(void)
{
#if (HA_OPENSSL_VERSION_NUMBER < 0x10101000L)
static unsigned char dh2048_p[]={
0xEC,0x86,0xF8,0x70,0xA0,0x33,0x16,0xEC,0x05,0x1A,0x73,0x59,
0xCD,0x1F,0x8B,0xF8,0x29,0xE4,0xD2,0xCF,0x52,0xDD,0xC2,0x24,
@ -3030,10 +3066,14 @@ static HASSL_DH *ssl_get_dh_2048(void)
dh = ssl_new_dh_fromdata(p, g);
return dh;
#else
return ssl_get_dh_by_nid(NID_ffdhe2048);
#endif
}
static HASSL_DH *ssl_get_dh_4096(void)
{
#if (HA_OPENSSL_VERSION_NUMBER < 0x10101000L)
static unsigned char dh4096_p[]={
0xDE,0x16,0x94,0xCD,0x99,0x58,0x07,0xF1,0xF7,0x32,0x96,0x11,
0x04,0x82,0xD4,0x84,0x72,0x80,0x99,0x06,0xCA,0xF0,0xA3,0x68,
@ -3095,6 +3135,9 @@ static HASSL_DH *ssl_get_dh_4096(void)
dh = ssl_new_dh_fromdata(p, g);
return dh;
#else
return ssl_get_dh_by_nid(NID_ffdhe4096);
#endif
}
static HASSL_DH *ssl_get_tmp_dh(EVP_PKEY *pkey)