Add DhParamBits configuration to set Diffie-Hellman parameters

2025-07-08 00:34:57 +03:00 · 2015-01-27 03:23:36 +09:00
parent 75f9836ce5
commit ad58da4179
9 changed files with 155 additions and 9 deletions
--- a/src/Cedar/Cedar.c
+++ b/src/Cedar/Cedar.c
@ -1726,6 +1726,8 @@ CEDAR *NewCedar(X *server_x, K *server_k)

 	c->UdpPortList = NewIntList(false);

+	c->DhParamBits = DH_PARAM_BITS_DEFAULT;
+
 	InitNetSvcList(c);

 	InitLocalBridgeList(c);
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@ -308,6 +308,7 @@
 #define	FARM_BASE_POINT				100000		// Reference value of the cluster score
 #define	FARM_DEFAULT_WEIGHT			100			// Standard performance ratio

+#define DH_PARAM_BITS_DEFAULT		2048		// Bits of Diffie-Hellman Parameters


 #define	SE_UDP_SIGN			"SE2P"		// Not used (only old UDP mode)
@ -1052,6 +1053,7 @@ typedef struct CEDAR
 	LOCK *FifoBudgetLock;			// Fifo budget lock
 	UINT FifoBudget;				// Fifo budget
 	bool AcceptOnlyTls;				// Accept only TLS (Disable SSL)
+	UINT DhParamBits;				// Bits of Diffie-Hellman parameters
 	char OpenVPNDefaultClientOption[MAX_SIZE];	// OpenVPN Default Client Option String
 } CEDAR;

--- a/src/Cedar/Interop_OpenVPN.c
+++ b/src/Cedar/Interop_OpenVPN.c
@ -2595,7 +2595,7 @@ OPENVPN_SERVER *NewOpenVpnServer(CEDAR *cedar, INTERRUPT_MANAGER *interrupt, SOC

 	OvsLog(s, NULL, NULL, "LO_START");

-	s->Dh = DhNewGroup2();
+	s->Dh = DhNewFromBits(DH_PARAM_BITS_DEFAULT);

 	return s;
 }
@ -2703,6 +2703,21 @@ OPENVPN_SERVER_UDP *NewOpenVpnServerUdp(CEDAR *cedar)
 	return u;
 }

+void OpenVpnServerUdpSetDhParam(OPENVPN_SERVER_UDP *u, DH_CTX *dh)
+{
+	// Validate arguments
+	if (u == NULL) {
+		return;
+	}
+
+	if (u->OpenVpnServer->Dh)
+	{
+		DhFree(u->OpenVpnServer->Dh);
+	}
+
+	u->OpenVpnServer->Dh = dh;
+}
+
 // Apply the port list to the OpenVPN server
 void OvsApplyUdpPortList(OPENVPN_SERVER_UDP *u, char *port_list)
 {
--- a/src/Cedar/Interop_OpenVPN.h
+++ b/src/Cedar/Interop_OpenVPN.h
@ -384,6 +384,8 @@ bool OvsGetNoOpenVpnTcp();

 void OvsSetNoOpenVpnUdp(bool b);

+void OpenVpnServerUdpSetDhParam(OPENVPN_SERVER_UDP *u, DH_CTX *dh);
+


 #endif	// INTEROP_OPENVPN_H
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@ -6140,6 +6140,19 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)

 		// AcceptOnlyTls
 		c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+
+		// Bits of Diffie-Hellman parameters
+		c->DhParamBits = CfgGetInt(f, "DhParamBits");
+		if (c->DhParamBits == 0)
+		{
+			c->DhParamBits = DH_PARAM_BITS_DEFAULT;
+		}
+
+		SetDhParam(DhNewFromBits(c->DhParamBits));
+		if (s->OpenVpnServerUdp)
+		{
+			OpenVpnServerUdpSetDhParam(s->OpenVpnServerUdp, DhNewFromBits(c->DhParamBits));
+		}
 	}
 	Unlock(c->lock);

@ -6450,6 +6463,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)

 		CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls);

+		CfgAddInt(f, "DhParamBits", c->DhParamBits);
+
 		// Disable session reconnect
 		CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
 	}