ARCHIVE/rippled
1
0
Fork 0
mirror of https://github.com/XRPLF/rippled.git synced 2025-11-19 18:45:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Support larger EDH keys:

Browse Source 
In the past we used only 512-bit EDH keys. To protect against the
LOGJAM attack, OpenSSL 1.0.1n and later versions reject EDH keys
that are less than 768 bits and a future version will increase the
minimum to 1024.

We now have DH parameters for 1024-bit and 2048-bit EDH keys and
will correctly return and use those, when asked. Note that at this
time, OpenSSL will only ask for 512 or 1024 bit keys.
This commit is contained in:
JoelKatz
2015-06-12 11:52:41 -07:00
committed by Nik Bougalis
parent 623faa1550
commit 7239bcf0b7
1 changed files with 78 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
src/ripple/basics/impl/make_SSLContext.cpp
View File

@@ -132,7 +132,7 @@ static x509_ptr x509_new()
int const margin = 60 * 60; // 3600, one hour
int const length = 10 * 365.25 * 24 * 60 * 60; // 315576000, ten years
X509_gmtime_adj (X509_get_notBefore (x509), -margin);
X509_gmtime_adj (X509_get_notAfter (x509), length);
@@ -198,10 +198,10 @@ static
DH*
getDH (int keyLength)
{
if (keyLength == 512 || keyLength == 1024)
if (keyLength == 512 || keyLength == 1024 || keyLength == 2048)
{
static dh_ptr dh512 = make_DH(getRawDHParams (keyLength));
return dh512.get ();
static dh_ptr dh = make_DH(getRawDHParams (keyLength));
return dh.get ();
}
else
{
@@ -434,35 +434,89 @@ initAuthenticated (boost::asio::ssl::context& context,
} // openssl
//------------------------------------------------------------------------------
std::string
getRawDHParams (int keySize)
{
std::string params;
// Original code provided the 512-bit keySize parameters
// when 1024 bits were requested so we will do the same.
if (keySize == 1024)
keySize = 512;
switch (keySize)
{
case 512:
{
// These are the DH parameters that OpenCoin has chosen for Ripple
//
std::uint8_t const raw [] = {
0x30, 0x46, 0x02, 0x41, 0x00, 0x98, 0x15, 0xd2, 0xd0, 0x08, 0x32, 0xda,
0xaa, 0xac, 0xc4, 0x71, 0xa3, 0x1b, 0x11, 0xf0, 0x6c, 0x62, 0xb2, 0x35,
0x8a, 0x10, 0x92, 0xc6, 0x0a, 0xa3, 0x84, 0x7e, 0xaf, 0x17, 0x29, 0x0b,
0x70, 0xef, 0x07, 0x4f, 0xfc, 0x9d, 0x6d, 0x87, 0x99, 0x19, 0x09, 0x5b,
0x6e, 0xdb, 0x57, 0x72, 0x4a, 0x7e, 0xcd, 0xaf, 0xbd, 0x3a, 0x97, 0x55,
0x51, 0x77, 0x5a, 0x34, 0x7c, 0xe8, 0xc5, 0x71, 0x63, 0x02, 0x01, 0x02
};
{
// These are the DH parameters that OpenCoin has chosen for Ripple
//
std::uint8_t const raw512 [] = {
0x30, 0x46, 0x02, 0x41, 0x00, 0x98, 0x15, 0xd2, 0xd0, 0x08, 0x32, 0xda,
0xaa, 0xac, 0xc4, 0x71, 0xa3, 0x1b, 0x11, 0xf0, 0x6c, 0x62, 0xb2, 0x35,
0x8a, 0x10, 0x92, 0xc6, 0x0a, 0xa3, 0x84, 0x7e, 0xaf, 0x17, 0x29, 0x0b,
0x70, 0xef, 0x07, 0x4f, 0xfc, 0x9d, 0x6d, 0x87, 0x99, 0x19, 0x09, 0x5b,
0x6e, 0xdb, 0x57, 0x72, 0x4a, 0x7e, 0xcd, 0xaf, 0xbd, 0x3a, 0x97, 0x55,
0x51, 0x77, 0x5a, 0x34, 0x7c, 0xe8, 0xc5, 0x71, 0x63, 0x02, 0x01, 0x02
};
params.resize (sizeof (raw));
std::copy (raw, raw + sizeof (raw), params.begin ());
}
params.resize (sizeof (raw512));
std::copy (raw512, raw512 + sizeof (raw512), params.begin ());
break;
}
case 1024:
{
// These are the DH parameters that Ripple Labs has chosen for Ripple
//
std::uint8_t const raw1024 [] = {
0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x86, 0xb1, 0x85, 0x36, 0x3d,
0xbc, 0x0b, 0x03, 0xa5, 0xde, 0x53, 0x23, 0x4c, 0x59, 0xd4, 0x2b, 0x2e,
0x88, 0xdf, 0x83, 0x8e, 0xab, 0xe9, 0xc9, 0x0f, 0x20, 0x5c, 0x3e, 0x8d,
0x0e, 0x2c, 0xff, 0xcf, 0x3a, 0xfa, 0x71, 0x67, 0xb2, 0x90, 0xb5, 0x9e,
0x13, 0x9f, 0xa3, 0x70, 0xb2, 0xdf, 0x8d, 0xa4, 0x91, 0xfb, 0x26, 0xe0,
0x95, 0xd2, 0xf9, 0x3b, 0xa5, 0x1f, 0xe4, 0x88, 0x0f, 0x65, 0xfc, 0x8e,
0x58, 0x47, 0x8c, 0x77, 0x93, 0x8c, 0x2d, 0x2a, 0xfa, 0x50, 0xb4, 0xc5,
0x29, 0xba, 0x65, 0xc4, 0x39, 0xeb, 0x8a, 0xc5, 0x93, 0x39, 0xf9, 0x3c,
0x15, 0x1e, 0x95, 0x82, 0x0d, 0x02, 0xff, 0x92, 0x4c, 0xc5, 0x07, 0x76,
0x62, 0xaf, 0xdc, 0xc0, 0x96, 0x95, 0xcf, 0x61, 0x51, 0x17, 0x7c, 0x02,
0x81, 0xdb, 0xc2, 0x6b, 0x07, 0x03, 0x96, 0x39, 0xcc, 0xde, 0xc9, 0xcd,
0x5d, 0x77, 0x3b, 0x02, 0x01, 0x02
};
params.resize (sizeof (raw1024));
std::copy (raw1024, raw1024 + sizeof (raw1024), params.begin ());
break;
}
case 2048:
{
// These are the DH parameters that Ripple Labs has chosen for Ripple
//
std::uint8_t const raw2048 [] = {
0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0x8f, 0xca, 0x66,
0x85, 0x33, 0xcb, 0xcf, 0x36, 0x27, 0xb2, 0x4c, 0xb8, 0x50, 0xb8, 0xf9,
0x53, 0xf8, 0xb9, 0x2d, 0x1c, 0xa2, 0xad, 0x86, 0x58, 0x29, 0x3b, 0x88,
0x3e, 0xf5, 0x65, 0xb8, 0xda, 0x22, 0xf4, 0x8b, 0x21, 0x12, 0x18, 0xf7,
0x16, 0xcd, 0x7c, 0xc7, 0x3a, 0x2d, 0x61, 0xb7, 0x11, 0xf6, 0xb0, 0x65,
0xa0, 0x5b, 0xa4, 0x06, 0x95, 0x28, 0xa4, 0x4f, 0x76, 0xc0, 0xeb, 0xfa,
0x95, 0xdf, 0xbf, 0x19, 0x90, 0x64, 0x8f, 0x60, 0xd5, 0x36, 0xba, 0xab,
0x0d, 0x5a, 0x5c, 0x94, 0xd5, 0xf7, 0x32, 0xd6, 0x2a, 0x76, 0x77, 0x83,
0x10, 0xc4, 0x2f, 0x10, 0x96, 0x3e, 0x37, 0x84, 0x45, 0x9c, 0xef, 0x33,
0xf6, 0xd0, 0x2a, 0xa7, 0xce, 0x0a, 0xce, 0x0d, 0xa1, 0xa7, 0x44, 0x5d,
0x18, 0x3f, 0x4f, 0xa4, 0x23, 0x9c, 0x5d, 0x74, 0x4f, 0xee, 0xdf, 0xaa,
0x0d, 0x0a, 0x52, 0x57, 0x73, 0xb1, 0xe4, 0xc5, 0x72, 0x93, 0x9d, 0x03,
0xe9, 0xf5, 0x48, 0x8c, 0xd1, 0xe6, 0x7c, 0x21, 0x65, 0x4e, 0x16, 0x51,
0xa3, 0x16, 0x51, 0x10, 0x75, 0x60, 0x37, 0x93, 0xb8, 0x15, 0xd6, 0x14,
0x41, 0x4a, 0x61, 0xc9, 0x1a, 0x4e, 0x9f, 0x38, 0xd8, 0x2c, 0xa5, 0x31,
0xe1, 0x87, 0xda, 0x1f, 0xa4, 0x31, 0xa2, 0xa4, 0x42, 0x1e, 0xe0, 0x30,
0xea, 0x2f, 0x9b, 0x77, 0x91, 0x59, 0x3e, 0xd5, 0xd0, 0xc5, 0x84, 0x45,
0x17, 0x19, 0x74, 0x8b, 0x18, 0xb0, 0xc1, 0xe0, 0xfc, 0x1c, 0xaf, 0xe6,
0x2a, 0xef, 0x4e, 0x0e, 0x8a, 0x5c, 0xc2, 0x91, 0xb9, 0x2b, 0xf8, 0x17,
0x8d, 0xed, 0x44, 0xaa, 0x47, 0xaa, 0x52, 0xa2, 0xdb, 0xb6, 0xf5, 0xa1,
0x88, 0x85, 0xa1, 0xd5, 0x87, 0xb8, 0x07, 0xd3, 0x97, 0xbe, 0x37, 0x74,
0x72, 0xf1, 0xa8, 0x29, 0xf1, 0xa7, 0x7d, 0x19, 0xc3, 0x27, 0x09, 0xcf,
0x23, 0x02, 0x01, 0x02
};
params.resize (sizeof (raw2048));
std::copy (raw2048, raw2048 + sizeof (raw2048), params.begin ());
break;
}
default:
break;
};