From 219d904b7d12173ee93d016fe1a2cb8ae32eea9c Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Thu, 8 Aug 2013 21:02:13 +0200 Subject: [PATCH] Use pre-generated Diffie-Hellman parameters. This is much faster than generation them on each start and allows us to use larger parameter sizes. --- .gitignore | 1 + NEWS | 10 +++++++++- README | 1 + man/tlsproxy-setup.txt | 1 + src/tlsproxy-setup | 5 +++++ src/tlsproxy.c | 25 +++++++++++++++++++------ src/tlsproxy.h | 3 ++- tests/Makefile.am | 1 + tests/common.sh | 1 + 9 files changed, 40 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 2dfad82..9ebffca 100644 --- a/.gitignore +++ b/.gitignore @@ -29,5 +29,6 @@ /tests/client /tests/proxy-ca-key.pem /tests/proxy-ca.pem +/tests/proxy-dh.pem /tests/proxy-invalid.pem /tests/proxy-key.pem diff --git a/NEWS b/NEWS index 4327d39..30b8672 100644 --- a/NEWS +++ b/NEWS @@ -4,14 +4,22 @@ NEWS 0.X --- +- Important: The file proxy-dh.pem is now required. tlsproxy-setup creates it, + but running it will overwrite the existing proxy-*.pem files. To create only + proxy-dh.pem use: + + certtool --generate-dh-params --sec-param high --outfile proxy-dh.pem + - Add -a option, authentication for tlsproxy via basic digest authentication. +- Use pre-generated Diffie-Hellman parameters in proxy-dh.pem. - Code cleanup. - Better error handling. - Fix compile with recent GnuTLS (e.g. 3.2.3). - Improve (error) logging; log to stderr. - Add (basic) man pages. - Improve test suite. -- tlsproxy-setup: Increase expiry-date and use larger private key. +- tlsproxy-setup: Increase expiry-date and use larger private key, generate + proxy-dh.pem. 0.2 diff --git a/README b/README index 31d64f9..b0124c1 100644 --- a/README +++ b/README @@ -24,6 +24,7 @@ This creates the following files: - `proxy-ca.pem`: CA which is used for all connections to the client - `proxy-ca-key.pem`: private key for the CA +- `proxy-dh.pem`: Diffie-Hellman parameters for the proxy - `proxy-key.pem`: private key for the proxy - `proxy-invalid.pem`: special certificate used for invalid pages diff --git a/man/tlsproxy-setup.txt b/man/tlsproxy-setup.txt index e04e9f1..9e482f3 100644 --- a/man/tlsproxy-setup.txt +++ b/man/tlsproxy-setup.txt @@ -23,6 +23,7 @@ It creates the following files in the current directory: - proxy-ca.pem - proxy-ca-key.pem +- proxy-dh.pem - proxy-key.pem - proxy-invalid.pem diff --git a/src/tlsproxy-setup b/src/tlsproxy-setup index 4b57a22..d553404 100755 --- a/src/tlsproxy-setup +++ b/src/tlsproxy-setup @@ -59,4 +59,9 @@ certtool --generate-self-signed \ rm "$tempfile" +# Generate proxy Diffie-Hellman parameters. +certtool --generate-dh-params \ + --sec-param high \ + --outfile proxy-dh.pem + echo done diff --git a/src/tlsproxy.c b/src/tlsproxy.c index 3d9e80f..fed3799 100644 --- a/src/tlsproxy.c +++ b/src/tlsproxy.c @@ -42,9 +42,6 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL; /* Size of ringbuffer. */ #define RINGBUFFER_SIZE 10 -/* Bit size of Diffie-Hellman key exchange parameters. */ -#define DH_SIZE 1024 - /* For gnutls_*() functions. */ #define GNUTLS_ERROR_EXIT(error, message) \ @@ -373,6 +370,9 @@ static void log_function_gnutls(int level, const char *string) { static void initialize_gnutls(void) { int result; + char *dh_parameters; + gnutls_datum_t dh_parameters_datum; + /* Recent versions of GnuTLS automatically initialize the cryptography layer * in gnutls_global_init(). */ #if GNUTLS_VERSION_NUMBER <= 0x020b00 @@ -407,11 +407,24 @@ static void initialize_gnutls(void) { result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL); GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()"); - /* Generate Diffie-Hellman parameters. */ + /* Read Diffie-Hellman parameters. */ + dh_parameters = slurp_text_file(PROXY_DH_PATH); + if (dh_parameters == NULL) { + fprintf(stderr, PROXY_DH_PATH " missing, " + "use `tlsproxy-setup` to create it\n"); + exit(EXIT_FAILURE); + } + dh_parameters_datum.data = (unsigned char *)dh_parameters; + dh_parameters_datum.size = strlen(dh_parameters); + result = gnutls_dh_params_init(&global_tls_dh_params); GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()"); - result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE); - GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()"); + result = gnutls_dh_params_import_pkcs3(global_tls_dh_params, + &dh_parameters_datum, + GNUTLS_X509_FMT_PEM); + GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_import_pkcs3()"); + + free(dh_parameters); } static void deinitialize_gnutls(void) { gnutls_dh_params_deinit(global_tls_dh_params); diff --git a/src/tlsproxy.h b/src/tlsproxy.h index b3dcf7f..d244b8d 100644 --- a/src/tlsproxy.h +++ b/src/tlsproxy.h @@ -33,9 +33,10 @@ /* Length for path arrays. */ #define TLSPROXY_MAX_PATH_LENGTH 1024 -/* Paths to necessary TLS files: the CA and the server key. */ +/* Paths to necessary TLS files: the CA, the server key and DH parameters. */ #define PROXY_CA_PATH "proxy-ca.pem" #define PROXY_KEY_PATH "proxy-key.pem" +#define PROXY_DH_PATH "proxy-dh.pem" /* Path to special "invalid" certificate send to the client when an error * occurs. */ #define PROXY_INVALID_CERT_PATH "proxy-invalid.pem" diff --git a/tests/Makefile.am b/tests/Makefile.am index 81d4ce7..e727055 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -7,6 +7,7 @@ dist_check_DATA = server-bad.pem server-key.pem server.pem CLEANFILES = \ proxy-ca-key.pem \ proxy-ca.pem \ + proxy-dh.pem \ proxy-invalid.pem \ proxy-key.pem \ tmp diff --git a/tests/common.sh b/tests/common.sh index 893eec1..68ff879 100644 --- a/tests/common.sh +++ b/tests/common.sh @@ -48,6 +48,7 @@ tlsproxy_setup() { # present. if test -f proxy-ca-key.pem && test -f proxy-ca.pem && + test -f proxy-dh.pem && test -f proxy-invalid.pem && test -f proxy-key.pem then -- 2.45.2