From ad58da41791dcff3ea672799aeca7bc740443130 Mon Sep 17 00:00:00 2001 From: NV Date: Tue, 27 Jan 2015 03:23:36 +0900 Subject: [PATCH] Add DhParamBits configuration to set Diffie-Hellman parameters --- src/Cedar/Cedar.c | 2 ++ src/Cedar/Cedar.h | 2 ++ src/Cedar/Interop_OpenVPN.c | 17 ++++++++++- src/Cedar/Interop_OpenVPN.h | 2 ++ src/Cedar/Server.c | 15 ++++++++++ src/Mayaqua/Encrypt.c | 41 ++++++++++++++++++++++++++ src/Mayaqua/Encrypt.h | 59 +++++++++++++++++++++++++++++++++++++ src/Mayaqua/Network.c | 24 ++++++++++----- src/Mayaqua/Network.h | 2 ++ 9 files changed, 155 insertions(+), 9 deletions(-) diff --git a/src/Cedar/Cedar.c b/src/Cedar/Cedar.c index 45a49a38..277f478d 100644 --- a/src/Cedar/Cedar.c +++ b/src/Cedar/Cedar.c @@ -1726,6 +1726,8 @@ CEDAR *NewCedar(X *server_x, K *server_k) c->UdpPortList = NewIntList(false); + c->DhParamBits = DH_PARAM_BITS_DEFAULT; + InitNetSvcList(c); InitLocalBridgeList(c); diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h index 562583c2..89d42430 100644 --- a/src/Cedar/Cedar.h +++ b/src/Cedar/Cedar.h @@ -308,6 +308,7 @@ #define FARM_BASE_POINT 100000 // Reference value of the cluster score #define FARM_DEFAULT_WEIGHT 100 // Standard performance ratio +#define DH_PARAM_BITS_DEFAULT 2048 // Bits of Diffie-Hellman Parameters #define SE_UDP_SIGN "SE2P" // Not used (only old UDP mode) @@ -1052,6 +1053,7 @@ typedef struct CEDAR LOCK *FifoBudgetLock; // Fifo budget lock UINT FifoBudget; // Fifo budget bool AcceptOnlyTls; // Accept only TLS (Disable SSL) + UINT DhParamBits; // Bits of Diffie-Hellman parameters char OpenVPNDefaultClientOption[MAX_SIZE]; // OpenVPN Default Client Option String } CEDAR; diff --git a/src/Cedar/Interop_OpenVPN.c b/src/Cedar/Interop_OpenVPN.c index 3f4ae23d..bedff469 100644 --- a/src/Cedar/Interop_OpenVPN.c +++ b/src/Cedar/Interop_OpenVPN.c 
@@ -2595,7 +2595,7 @@ OPENVPN_SERVER *NewOpenVpnServer(CEDAR *cedar, INTERRUPT_MANAGER *interrupt, SOC OvsLog(s, NULL, NULL, "LO_START"); - s->Dh = DhNewGroup2(); + s->Dh = DhNewFromBits(DH_PARAM_BITS_DEFAULT); return s; } @@ -2703,6 +2703,21 @@ OPENVPN_SERVER_UDP *NewOpenVpnServerUdp(CEDAR *cedar) return u; } +void OpenVpnServerUdpSetDhParam(OPENVPN_SERVER_UDP *u, DH_CTX *dh) +{ + // Validate arguments + if (u == NULL) { + return; + } + + if (u->OpenVpnServer->Dh) + { + DhFree(u->OpenVpnServer->Dh); + } + + u->OpenVpnServer->Dh = dh; +} + // Apply the port list to the OpenVPN server void OvsApplyUdpPortList(OPENVPN_SERVER_UDP *u, char *port_list) { diff --git a/src/Cedar/Interop_OpenVPN.h b/src/Cedar/Interop_OpenVPN.h index 9a33f1bf..6990eaf0 100644 --- a/src/Cedar/Interop_OpenVPN.h +++ b/src/Cedar/Interop_OpenVPN.h @@ -384,6 +384,8 @@ bool OvsGetNoOpenVpnTcp(); void OvsSetNoOpenVpnUdp(bool b); +void OpenVpnServerUdpSetDhParam(OPENVPN_SERVER_UDP *u, DH_CTX *dh); + #endif // INTEROP_OPENVPN_H diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c index 08b1fb3d..8e8aaaf8 100644 --- a/src/Cedar/Server.c +++ b/src/Cedar/Server.c @@ -6140,6 +6140,19 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f) // AcceptOnlyTls c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls"); + + // Bits of Diffie-Hellman parameters + c->DhParamBits = CfgGetInt(f, "DhParamBits"); + if (c->DhParamBits == 0) + { + c->DhParamBits = DH_PARAM_BITS_DEFAULT; + } + + SetDhParam(DhNewFromBits(c->DhParamBits)); + if (s->OpenVpnServerUdp) + { + OpenVpnServerUdpSetDhParam(s->OpenVpnServerUdp, DhNewFromBits(c->DhParamBits)); + } } Unlock(c->lock); @@ -6450,6 +6463,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s) CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls); + CfgAddInt(f, "DhParamBits", c->DhParamBits); + // Disable session reconnect CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT)); } 
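Review bot: `NewOpenVpnServer` builds its DH context from `DH_PARAM_BITS_DEFAULT` instead of from the `cedar` argument it already receives, so every OpenVPN server instance created through this function ignores the configured `DhParamBits`. Only the UDP server is later given the configured size, through `OpenVpnServerUdpSetDhParam` in `SiLoadServerCfg`. Instances created on other paths (none are visible in this diff, so this is an inference) would stay at 2048 bits whatever the operator sets. Consider `s->Dh = DhNewFromBits(cedar->DhParamBits);`, which is safe provided `cedar` is validated earlier in the function, outside this hunk.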
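Review bot: `OpenVpnServerUdpSetDhParam` takes ownership of `dh` but leaks it on the early return when `u == NULL`, and it dereferences `u->OpenVpnServer` without checking it. It also frees the old context and stores the new one without a lock, so a session reading `OpenVpnServer->Dh` at that moment could touch freed memory; whether that can happen depends on threading that this diff does not show. A tighter guard would be `if (u == NULL || u->OpenVpnServer == NULL) { DhFree(dh); return; }`, assuming `DhFree` tolerates NULL. The function also has no header comment; something like `// Replace the DH parameters of the OpenVPN UDP server (takes ownership of dh)` would record the ownership transfer.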
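Review bot: The value read from `DhParamBits` in `SiLoadServerCfg` is used without validation, so a configuration file can select the 160-, 768- or 1024-bit groups that `DhNewFromBits` still accepts, which weakens every DHE handshake the server performs. An unsupported number is silently mapped to 2048 bits inside `DhNewFromBits`, yet `c->DhParamBits` keeps the bogus value and `SiWriteServerCfg` writes it back, so the file no longer reflects what is in use. Consider normalising the value to the supported set right after `CfgGetInt`, and logging a warning (or refusing) when a size below 2048 is chosen, e.g. `if (c->DhParamBits < 2048) c->DhParamBits = DH_PARAM_BITS_DEFAULT;` if legacy clients need not be supported. The two `DhNewFromBits` results are passed on unchecked, and the function body extends beyond this hunk.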
diff --git a/src/Mayaqua/Encrypt.c b/src/Mayaqua/Encrypt.c index fe6f1449..532bd945 100644 --- a/src/Mayaqua/Encrypt.c +++ b/src/Mayaqua/Encrypt.c @@ -4827,12 +4827,53 @@ DH_CTX *DhNewGroup5() return DhNew(DH_GROUP5_PRIME_1536, 2); } +// Creating a DH GROUP14 +DH_CTX *DhNewGroup14() +{ + return DhNew(DH_GROUP14_PRIME_2048, 2); +} + +// Creating a DH GROUP15 +DH_CTX *DhNewGroup15() +{ + return DhNew(DH_GROUP15_PRIME_3072, 2); +} + +// Creating a DH GROUP16 +DH_CTX *DhNewGroup16() +{ + return DhNew(DH_GROUP16_PRIME_4096, 2); +} + // Creating a DH SIMPLE 160bits DH_CTX *DhNewSimple160() { return DhNew(DH_SIMPLE_160, 2); } +DH_CTX *DhNewFromBits(UINT bits) +{ + switch (bits) + { + case 160: + return DhNewSimple160(); + case 768: + return DhNewGroup1(); + case 1024: + return DhNewGroup2(); + case 1536: + return DhNewGroup5(); + case 2048: + return DhNewGroup14(); + case 3072: + return DhNewGroup15(); + case 4096: + return DhNewGroup16(); + default: + return DhNewGroup14(); + } +} + // Convert the DH parameters to file BUF *DhToBuf(DH_CTX *dh) { diff --git a/src/Mayaqua/Encrypt.h b/src/Mayaqua/Encrypt.h index 06f9729b..45d9eec5 100644 --- a/src/Mayaqua/Encrypt.h +++ b/src/Mayaqua/Encrypt.h 
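Review bot: `DhNewFromBits` has no comment, and its `default:` branch silently returns the 2048-bit group for any unrecognised size, so a typo such as 2084 cannot be told apart from a valid setting by the caller. Now that the size is operator-configurable, the 160, 768 and 1024 cases deserve an explicit remark that they remain only for legacy interoperability and are below what is considered adequate for DHE today. A header such as `// Create a DH context for the given prime size in bits; unknown sizes fall back to the 2048-bit group 14` would document the contract. The comments on `DhNewGroup14`, `DhNewGroup15` and `DhNewGroup16` could also name the standard the groups come from.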
@@ -168,6 +168,61 @@ void RAND_Free_For_SoftEther(); "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" +#define DH_GROUP14_PRIME_2048 \ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ + "15728E5A8AACAA68FFFFFFFFFFFFFFFF" + +#define DH_GROUP15_PRIME_3072 \ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ + "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" + +#define DH_GROUP16_PRIME_4096 \ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ 
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ + "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" \ + "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" \ + "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" \ + "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" \ + "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" \ + "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \ + "FFFFFFFFFFFFFFFF" + #define DH_SIMPLE_160 "AEE7561459353C95DDA966AE1FD25D95CD46E935" // Macro @@ -464,7 +519,11 @@ bool DhCompute(DH_CTX *dh, void *dst_priv_key, void *src_pub_key, UINT key_size) DH_CTX *DhNewGroup1(); DH_CTX *DhNewGroup2(); DH_CTX *DhNewGroup5(); +DH_CTX *DhNewGroup14(); +DH_CTX *DhNewGroup15(); +DH_CTX *DhNewGroup16(); DH_CTX *DhNewSimple160(); +DH_CTX *DhNewFromBits(UINT bits); DH_CTX *DhNew(char *prime, UINT g); void DhFree(DH_CTX *dh); BUF *DhToBuf(DH_CTX *dh); diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 26dfd11e..d801f7a5 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -245,7 +245,7 @@ static UINT rand_port_numbers[256] = {0}; static bool g_use_privateip_file = false; static bool g_source_ip_validation_force_disable = false; -static DH_CTX *dh_1024 = NULL; +static DH_CTX *dh_param = NULL; typedef struct PRIVATE_IP_SUBNET { @@ -17577,9 +17577,9 @@ DH *TmpDhCallback(SSL *ssl, int is_export, int keylength) { DH *ret = NULL; - if (dh_1024 != NULL) + if (dh_param != NULL) { - ret = dh_1024->dh; + ret = dh_param->dh; } return ret; 
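Review bot: The three new prime macros (`DH_GROUP14_PRIME_2048`, `DH_GROUP15_PRIME_3072`, `DH_GROUP16_PRIME_4096`) carry no provenance comment, which makes hand-copied constants of this length hard to audit. `DH_GROUP14_PRIME_2048` appears to match the 2048-bit MODP group of RFC 3526, and groups 15 and 16 presumably come from the same document; that should be confirmed digit by digit against the RFC rather than assumed. A one-line comment above each define, for example `// RFC 3526 group 14 (2048-bit MODP), generator 2`, would let a reviewer verify the value. It would also explain why `DhNew(..., 2)` uses generator 2.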
@@ -17696,8 +17696,6 @@ void InitNetwork() disable_cache = false; - dh_1024 = DhNewGroup2(); - Zero(rand_port_numbers, sizeof(rand_port_numbers)); SetGetIpThreadMaxNum(DEFAULT_GETIP_THREAD_MAX_NUM); @@ -18103,10 +18101,10 @@ void SetCurrentGlobalIP(IP *ip, bool ipv6) void FreeNetwork() { - if (dh_1024 != NULL) + if (dh_param != NULL) { - DhFree(dh_1024); - dh_1024 = NULL; + DhFree(dh_param); + dh_param = NULL; } // Release of thread-related @@ -22650,6 +22648,16 @@ bool GetSniNameFromSslPacket(UCHAR *packet_buf, UINT packet_size, char *sni, UIN return ret; } +void SetDhParam(DH_CTX *dh) +{ + if (dh_param) + { + DhFree(dh_param); + } + + dh_param = dh; +} + // Developed by SoftEther VPN Project at University of Tsukuba in Japan. // Department of Computer Science has dozens of overly-enthusiastic geeks. // Join us: http://www.tsukuba.ac.jp/english/admission/ diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index e33c64ce..09c48b85 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h @@ -1010,6 +1010,8 @@ int GetCurrentTimezone(); bool GetSniNameFromSslPacket(UCHAR *packet_buf, UINT packet_size, char *sni, UINT sni_size); bool GetSniNameFromPreSslConnection(SOCK *s, char *sni, UINT sni_size); +void SetDhParam(DH_CTX *dh); + bool IsUseDnsProxy(); bool IsUseAlternativeHostname();
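Review bot: `SetDhParam` frees the previous context and publishes the new pointer without any lock, while `TmpDhCallback` (hunk at -17577) hands `dh_param->dh` to the TLS layer. If a configuration load can run while handshakes are in progress, which this diff does not show, the callback could return a `DH` that has just been freed. Because `InitNetwork` no longer creates a default, `dh_param` also stays NULL until `SiLoadServerCfg` has called `SetDhParam`, so a process that never reaches that path gets NULL from the callback and presumably loses its DHE suites. Consider keeping a default in `InitNetwork`, e.g. `dh_param = DhNewGroup14();`, and serialising the swap in `SetDhParam` against the reader. A comment such as `// Replace the global DH parameters used for TLS (takes ownership of dh)` would document the contract.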