Skip to content
Permalink
Browse files

Merge PR #3185: Allow users to specify RFC 7919 Diffie-Hellman parame…

…ters for the sslDHParams murmur.ini option
  • Loading branch information...
mkrautz committed Aug 7, 2017
2 parents 807869b + 1ea4b92 commit 95504874a589a278b681087389e9f077593f8b45
Showing with 65 additions and 17 deletions.
  1. +10 −3 scripts/murmur.ini
  2. +10 −0 src/FFDHE.cpp
  3. +4 −0 src/FFDHE.h
  4. +26 −9 src/murmur/Meta.cpp
  5. +15 −5 src/tests/TestFFDHE/TestFFDHE.cpp
@@ -202,9 +202,16 @@ allowping=true
; The sslDHParams option allows you to specify a PEM-encoded file with
; Diffie-Hellman parameters, which will be used as the default Diffie-
; Hellman parameters for all virtual servers.
; If a file is not specified, each Murmur virtual server will auto-generate
; its own unique set of 2048-bit Diffie-Hellman parameters on first launch.
;sslDHParams=
;
; Instead of pointing sslDHParams to a file, you can also use the option
; to specify a named set of Diffie-Hellman parameters for Murmur to use.
; Murmur comes bundled with the Diffie-Hellman parameters from RFC 7919.
; These parameters are available by using the following names:
;
; @ffdhe2048, @ffdhe3072, @ffdhe4096, @ffdhe6144, @ffdhe8192
;
; By default, Murmur uses @ffdhe2048.
;sslDHParams=@ffdhe2048

; The sslCiphers option chooses the cipher suites to make available for use
; in SSL/TLS. This option is server-wide, and cannot be set on a
@@ -8,6 +8,16 @@
#include "FFDHE.h"
#include "FFDHETable.h"

QStringList FFDHE::NamedGroups() {
QStringList ng;
ng << QLatin1String("ffdhe2048");
ng << QLatin1String("ffdhe3072");
ng << QLatin1String("ffdhe4096");
ng << QLatin1String("ffdhe6144");
ng << QLatin1String("ffdhe8192");
return ng;
}

QByteArray FFDHE::PEMForNamedGroup(QString name) {
name = name.toLower();

@@ -9,6 +9,10 @@
/// FFDHE provides access to the Diffie-Hellman parameters from RFC 7919.
class FFDHE {
public:
/// NamedGroups returns a list of the supported named
/// groups for PEMForNamedGroup.
static QStringList NamedGroups();

/// PEMForNamedGroup returns the PEM-encoded
/// Diffie-Hellman parameters for the RFC 7919
/// group with the given name, such as "ffdhe2048",
@@ -15,6 +15,7 @@
#include "Version.h"
#include "SSL.h"
#include "EnvUtils.h"
#include "FFDHE.h"

#if defined(USE_QSSLDIFFIEHELLMANPARAMETERS)
# include <QSslDiffieHellmanParameters>
@@ -428,7 +429,7 @@ bool MetaParams::loadSSLSettings() {
QString qsSSLCert = qsSettings->value("sslCert").toString();
QString qsSSLKey = qsSettings->value("sslKey").toString();
QString qsSSLCA = qsSettings->value("sslCA").toString();
QString qsSSLDHParams = qsSettings->value("sslDHParams").toString();
QString qsSSLDHParams = typeCheckedFromSettings(QLatin1String("sslDHParams"), QString(QLatin1String("@ffdhe2048")));

qbaPassPhrase = qsSettings->value("sslPassPhrase").toByteArray();

@@ -519,12 +520,27 @@ bool MetaParams::loadSSLSettings() {

#if defined(USE_QSSLDIFFIEHELLMANPARAMETERS)
if (! qsSSLDHParams.isEmpty()) {
QFile pem(qsSSLDHParams);
if (pem.open(QIODevice::ReadOnly)) {
dhparams = pem.readAll();
pem.close();
if (qsSSLDHParams.startsWith(QLatin1String("@"))) {
QString group = qsSSLDHParams.mid(1).trimmed();
QByteArray pem = FFDHE::PEMForNamedGroup(group);
if (pem.isEmpty()) {
QStringList names = FFDHE::NamedGroups();
QStringList atNames;
foreach (QString name, names) {
atNames << QLatin1String("@") + name;
}
QString supported = atNames.join(QLatin1String(", "));
qFatal("MetaParms: Diffie-Hellman parameters with name '%s' is not available. (Supported: %s)", qPrintable(qsSSLDHParams), qPrintable(supported));
}
dhparams = pem;
} else {
qCritical("MetaParams: Failed to read %s", qPrintable(qsSSLDHParams));
QFile pem(qsSSLDHParams);
if (pem.open(QIODevice::ReadOnly)) {
dhparams = pem.readAll();
pem.close();
} else {
qFatal("MetaParams: Failed to read %s", qPrintable(qsSSLDHParams));
}
}
}

@@ -533,13 +549,14 @@ bool MetaParams::loadSSLSettings() {
if (qdhp.isValid()) {
tmpDHParams = dhparams;
} else {
qCritical("MetaParams: Unable to use specified Diffie-Hellman parameters: %s", qPrintable(qdhp.errorString()));
qFatal("MetaParams: Unable to use specified Diffie-Hellman parameters: %s", qPrintable(qdhp.errorString()));
return false;
}
}
#else
if (! qsSSLDHParams.isEmpty()) {
qCritical("MetaParams: This version of Murmur does not support Diffie-Hellman parameters (sslDHParams). Murmur will not start unless you remove the option from your murmur.ini file.");
QString qsSSLDHParamsIniValue = qsSettings->value(QLatin1String("sslDHParams")).toString();
if (! qsSSLDHParamsIniValue.isEmpty()) {
qFatal("MetaParams: This version of Murmur does not support Diffie-Hellman parameters (sslDHParams). Murmur will not start unless you remove the option from your murmur.ini file.");
return false;
}
#endif
@@ -22,6 +22,7 @@ class TestFFDHE : public QObject {
#if defined(USE_QSSLDIFFIEHELLMANPARAMETERS)
void exercise_data();
void exercise();
void namedGroupsMethod();
#endif
};

@@ -51,10 +52,7 @@ void TestFFDHE::exercise_data() {
QTest::newRow("trailingspace") << QString(QLatin1String("ffdhe2048 ")) << false;
}

void TestFFDHE::exercise() {
QFETCH(QString, name);
QFETCH(bool, expectedToWork);

static bool tryFFDHELookupByName(QString name) {
bool ok = true;

QByteArray pem = FFDHE::PEMForNamedGroup(name);
@@ -69,7 +67,19 @@ void TestFFDHE::exercise() {
}
}

QCOMPARE(ok, expectedToWork);
return ok;
}

void TestFFDHE::exercise() {
QFETCH(QString, name);
QFETCH(bool, expectedToWork);
QCOMPARE(tryFFDHELookupByName(name), expectedToWork);
}

void TestFFDHE::namedGroupsMethod() {
foreach (QString name, FFDHE::NamedGroups()) {
QCOMPARE(tryFFDHELookupByName(name), true);
}
}
#endif

0 comments on commit 9550487

Please sign in to comment.
You can’t perform that action at this time.