- lophttpd: Adding DH code

stealth · Mar 14, 2014 · a8bca36 · a8bca36
1 parent a89b16a
commit a8bca36
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 7 deletions.
diff --git a/Makefile b/Makefile
@@ -10,7 +10,7 @@ LIBS=-lssl -lcrypto
 #DEFS+=-DUSE_SANDBOX
 
 #override lophttps secure cipher list
-#DEFS+=-DUSE_CIPHERS=\"ALL:!ADH:!LOW:!EXP:!RC4:!MD5:@STRENGTH\"
+#DEFS+=-DUSE_CIPHERS=\"ALL:!ADH:!LOW:!EXP:!RC4:!MD5:kDHE:@STRENGTH\"
 
 CXX=c++ -Wall -O2 $(DEFS) -ansi
 LD=c++
@@ -23,14 +23,14 @@ clean:
 distclean: clean
 	rm -f lhttpd
 
-lhttpd: lonely.o socket.o main.o misc.o log.o multicore.o config.o flavor.o client.o
+lhttpd: lonely.o socket.o main.o misc.o log.o multicore.o config.o flavor.o client.o dh.o
 	$(LD) $(LDFLAGS) lonely.o socket.o main.o misc.o log.o multicore.o config.o flavor.o\
-	                 client.o -o lhttpd $(LIBS)
+	                 client.o dh.o -o lhttpd $(LIBS)
 
 
-frontend: lonely.o socket.o frontend-main.o log.o multicore.o rproxy.o config.o misc.o flavor.o client.o
+frontend: lonely.o socket.o frontend-main.o log.o multicore.o rproxy.o config.o misc.o flavor.o client.o dh.o
 	$(LD) $(LDFLAGS) lonely.o socket.o frontend-main.o misc.o log.o multicore.o rproxy.o\
-	                 config.o flavor.o client.o -o frontend $(LIBS)
+	                 config.o flavor.o client.o dh.o -o frontend $(LIBS)
 
 frontend-main.o: frontend-main.cc
 	$(CXX) $(CFLAGS) -c frontend-main.cc
@@ -65,3 +65,6 @@ lonely.o: lonely.cc lonely.h
 client.o: client.cc client.h
 	$(CXX) $(CFLAGS) -c client.cc
 
+dh.o: dh.cc
+	$(CXX) $(CFLAGS) -c dh.cc
+
diff --git a/dh.cc b/dh.cc
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2008-2014 Sebastian Krahmer.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Sebastian Krahmer.
+ * 4. The name Sebastian Krahmer may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <openssl/ssl.h>
+#include <openssl/crypto.h>
+#include <openssl/dh.h>
+
+#include "dh512.cc"
+#include "dh1024.cc"
+
+
+static DH *dh512 = NULL;
+static DH *dh1024 = NULL;
+
+
+DH *dh_callback(SSL *ssl, int is_exported, int keylen)
+{
+	if (keylen == 512)
+		return dh512;
+	return dh1024;
+}
+
+
+int enable_dh(SSL_CTX *ctx)
+{
+	if ((dh512 = get_dh512()) != NULL && (dh1024 = get_dh1024()) != NULL) {
+		SSL_CTX_set_tmp_dh_callback(ctx, dh_callback);
+		return 1;
+	}
+	return 0;
+}
+
diff --git a/dh1024.cc b/dh1024.cc
@@ -0,0 +1,7 @@
+#include <openssl/dh.h>
+
+DH *get_dh1024()
+{
+	return NULL;
+}
+
diff --git a/dh512.cc b/dh512.cc
@@ -0,0 +1,7 @@
+#include <openssl/dh.h>
+
+DH *get_dh512()
+{
+	return NULL;
+}
+
diff --git a/lonely.cc b/lonely.cc
@@ -69,6 +69,8 @@ extern "C" {
 #include <openssl/err.h>
 }
 
+extern int enable_dh(SSL_CTX *);
+
 #ifdef USE_SSL_PRIVSEP
 extern "C" {
 #include "sslps.h"
@@ -128,9 +130,9 @@ const string lonely_http::put_hdr_fmt =
 
 
 #ifdef USE_CIPHERS
-const string ciphers = USE_CIPHERS;
+string ciphers = USE_CIPHERS;
 #else
-const string ciphers = "!LOW:!EXP:!MD5:!CAMELLIA:!RC4:!MEDIUM:!DES:RSA:DH:EDH:AES256:SHA1:IDEA";
+string ciphers = "!LOW:!EXP:!MD5:!CAMELLIA:!RC4:!MEDIUM:!DES:kDHE:RSA:AES256:SHA1:IDEA";
 #endif
 
 
@@ -147,6 +149,7 @@ const char *lonely<state_engine>::why()
 }
 
 
+
 template<typename state_engine>
 int lonely<state_engine>::init(const string &host, const string &port)
 {
@@ -393,6 +396,13 @@ int lonely_http::setup_ssl(const string &cpath, const string &kpath)
 
 	SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
 
+	// check for DHE and enable it if there are parameters
+	string::size_type dhe = ciphers.find("rDHE)");
+	if (dhe != string::npos) {
+		if (enable_dh(ssl_ctx) != 1)
+			ciphers.erase(dhe, 4);
+	}
+
 	if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers.c_str()) != 1) {
 		err = "lonely_http::setup_ssl::SSL_CTX_set_cipher_list:";
 		err += ERR_error_string(ERR_get_error(), NULL);

diff --git a/newdh b/newdh
@@ -0,0 +1,8 @@
+#!/usr/bin/perl
+
+print "Generating 1024 bit DH parameters ...\n\n";
+system("openssl dhparam -noout -C 1024 > dh1024.cc");
+
+print "Generating 512 bit DH parameters ...\n\n";
+system("openssl dhparam -noout -C 512 > dh512.cc");
+