| author | 2016-04-21 14:27:41 +0000 | |
|---|---|---|
| committer | 2016-04-21 14:27:41 +0000 | |
| commit | 017c8eadd7b943f81fad46db2b46bbcb6e960abb (patch) | |
| tree | cadc2e146676fd7499a3d39635f05f4a29f99caf | |
| parent | make argument == NULL tests more consistent (diff) | |
Use automatic DH parameters, instead of fixed ones. Also disable DHE by
default since it is computationally expensive and a potential DoS vector.
ok gilles@
| -rw-r--r-- | usr.sbin/smtpd/parse.y | 21 | ||||
| -rw-r--r-- | usr.sbin/smtpd/smtpd.c | 6 | ||||
| -rw-r--r-- | usr.sbin/smtpd/smtpd.conf.5 | 22 | ||||
| -rw-r--r-- | usr.sbin/smtpd/ssl.c | 114 | ||||
| -rw-r--r-- | usr.sbin/smtpd/ssl.h | 8 |
5 files changed, 29 insertions, 142 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 33bae1c3127..ab0271920ec 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.183 2016/02/22 16:19:05 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.184 2016/04/21 14:27:41 jsing Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -176,7 +176,7 @@ typedef struct {
 %token TABLE SECURE SMTPS CERTIFICATE DOMAIN BOUNCEWARN LIMIT INET4 INET6 NODSN SESSION
 %token RELAY BACKUP VIA DELIVER TO LMTP MAILDIR MBOX RCPTTO HOSTNAME HOSTNAMES
 %token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR SOURCE MTA PKI SCHEDULER
-%token ARROW AUTH TLS LOCAL VIRTUAL TAG TAGGED ALIAS FILTER KEY CA DHPARAMS
+%token ARROW AUTH TLS LOCAL VIRTUAL TAG TAGGED ALIAS FILTER KEY CA DHE
 %token AUTH_OPTIONAL TLS_REQUIRE USERBASE SENDER SENDERS MASK_SOURCE VERIFY FORWARDONLY RECIPIENT
 %token CIPHERS RECEIVEDAUTH MASQUERADE SOCKET
 %token <v.string> STRING
@@ -397,8 +397,19 @@ opt_pki : CERTIFICATE STRING {
 | KEY STRING {
 pki->pki_key_file = $2;
 }
- | DHPARAMS STRING {
- pki->pki_dhparams_file = $2;
+ | DHE STRING {
+ if (strcasecmp($2, "none") == 0)
+ pki->pki_dhe = 0;
+ else if (strcasecmp($2, "auto") == 0)
+ pki->pki_dhe = 1;
+ else if (strcasecmp($2, "legacy") == 0)
+ pki->pki_dhe = 2;
+ else {
+ yyerror("invalid DHE keyword: %s", $2);
+ free($2);
+ YYERROR;
+ }
+ free($2);
 }
 ;
@@ -1460,7 +1471,7 @@ lookup(char *s)
 { "ciphers", CIPHERS },
 { "compression", COMPRESSION },
 { "deliver", DELIVER },
- { "dhparams", DHPARAMS },
+ { "dhe", DHE },
 { "domain", DOMAIN },
 { "encryption", ENCRYPTION },
 { "expire", EXPIRE },
diff --git a/usr.sbin/smtpd/smtpd.c b/usr.sbin/smtpd/smtpd.c
index 7af2d21b99e..afc889107d1 100644
--- a/usr.sbin/smtpd/smtpd.c
+++ b/usr.sbin/smtpd/smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.c,v 1.275 2016/03/17 19:40:43 krw Exp $ */
+/* $OpenBSD: smtpd.c,v 1.276 2016/04/21 14:27:41 jsing Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
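Review bot: In the new `DHE STRING` action of `opt_pki` (parse.y hunk at -397), `pki->pki_dhe` is assigned the bare integers 0, 1 and 2, and their meaning is only fixed by the `SSL_CTX_set_dh_auto(ctx, pki->pki_dhe)` call in ssl.c, which receives the field unchanged. A reader of this action, or of the new `int pki_dhe;` member in ssl.h, cannot tell that 2 selects the fixed 1024-bit group the man page calls legacy. I would add `/* passed as-is to SSL_CTX_set_dh_auto(): 0 = no DHE, 1 = auto, 2 = legacy (fixed 1024-bit) */` above the `if` chain and the same wording on the struct member. Separately, the last parse.y hunk drops `dhparams` from the `lookup()` table with no replacement rule, so an existing `pki ... dhparams` line will presumably stop parsing after an upgrade and deserves a mention in the upgrade notes. The `opt_pki` rule starts before this hunk.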
@@ -728,10 +728,6 @@ load_pki_tree(void)
 if (!ssl_load_certificate(pki, pki->pki_cert_file))
 fatalx("load_pki_tree: failed to load certificate file");
-
- if (pki->pki_dhparams_file)
- if (!ssl_load_dhparams(pki, pki->pki_dhparams_file))
- fatalx("load_pki_tree: failed to load dhparams file");
 }
 log_debug("debug: init ca-tree");
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 2ded1050ba1..3eef97193f0 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.157 2016/04/10 06:48:07 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.158 2016/04/21 14:27:41 jsing Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
 .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: April 10 2016 $
+.Dd $Mdocdate: April 21 2016 $
 .Dt SMTPD.CONF 5
 .Os
 .Sh NAME
@@ -851,19 +851,13 @@ Associate the key located in
 .Ar keyfile
 with
 .Ar hostname .
-.It Ic pki Ar hostname Ic dhparams Ar dhfile
-Associate the Diffie-Hellman parameters located in
-.Ar dhfile
-with
+.It Ic pki Ar hostname Ic dhe Ar params
+Specify the DHE parameters to use for DHE cipher suites with
 .Ar hostname .
-.Pp
-The parameters are used for ephemeral key exchange.
-If not specified,
-.Xr smtpd 8
-will use safely generated built-in parameters.
-.Pp
-Creation of Diffie-Hellman parameters is documented in
-.Xr openssl 1 .
+Valid parameter values are none, legacy and auto.
+For legacy a fixed key length of 1024 bits is used, whereas for auto the key
+length is determined automatically.
+The default is none, which disables DHE cipher suites.
 .It Ic queue compression
 Enable transparent compression of envelopes and messages.
 The only supported algorithm at the moment is gzip.
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index 819dfa14580..1b06966d9fa 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.85 2015/12/13 09:52:44 gilles Exp $ */
+/* $OpenBSD: ssl.c,v 1.86 2016/04/21 14:27:41 jsing Exp $ */
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -45,9 +45,6 @@
 #include "log.h"
 #include "ssl.h"
-static DH *get_dh2048(void);
-static DH *get_dh_from_memory(char *, size_t);
-
 void
 ssl_init(void)
 {
@@ -71,7 +68,6 @@ int
 ssl_setup(SSL_CTX **ctxp, struct pki *pki,
 int (*sni_cb)(SSL *,int *,void *), const char *ciphers)
 {
- DH *dh;
 SSL_CTX *ctx;
 uint8_t sid[SSL_MAX_SID_CTX_LENGTH];
@@ -89,13 +85,7 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki,
 if (sni_cb)
 SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
- if (pki->pki_dhparams_len == 0)
- dh = get_dh2048();
- else
- dh = get_dh_from_memory(pki->pki_dhparams,
- pki->pki_dhparams_len);
- ssl_set_ephemeral_key_exchange(ctx, dh);
- DH_free(dh);
+ SSL_CTX_set_dh_auto(ctx, pki->pki_dhe);
 SSL_CTX_set_ecdh_auto(ctx, 1);
@@ -333,19 +323,6 @@ ssl_load_cafile(struct ca *c, const char *pathname)
 return 1;
 }
-int
-ssl_load_dhparams(struct pki *p, const char *pathname)
-{
- p->pki_dhparams = ssl_load_file(pathname, &p->pki_dhparams_len, 0755);
- if (p->pki_dhparams == NULL) {
- if (errno == EACCES)
- return 0;
- log_info("info: No DH parameters found in %s: "
- "using built-in parameters", pathname);
- }
- return 1;
-}
-
 const char *
 ssl_to_text(const SSL *ssl)
 {
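Review bot: In `ssl_setup()` (ssl.c hunk at -89) the `legacy` keyword reaches `SSL_CTX_set_dh_auto()` as 2, which this commit's man page change describes as a fixed 1024-bit key length, whereas the fallback being removed (`get_dh2048()`) supplied a 2048-bit group. An operator who re-enables DHE with `legacy` therefore gets a weaker exchange than the previous default, and nothing records that choice at start-up. Consider logging it beside the call, e.g. `if (pki->pki_dhe == 2) log_warnx("warn: pki uses legacy 1024-bit DHE parameters");`, so the setting is visible in a configuration audit. The result of `SSL_CTX_set_dh_auto()` is also discarded where the removed path called `fatal()` on failure; if the call can fail on this libssl it should be checked. `ssl_setup()` begins and ends outside the hunk.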
@@ -371,93 +348,6 @@ ssl_error(const char *where)
 }
 }
-/* From OpenSSL's documentation:
- *
- * If "strong" primes were used to generate the DH parameters, it is
- * not strictly necessary to generate a new key for each handshake
- * but it does improve forward secrecy.
- *
- * -- gilles@
- */
-static DH *
-get_dh2048(void)
-{
- DH *dh;
- unsigned char dh2048_p[] = {
- 0xB2,0xE2,0x07,0x34,0x16,0xEB,0x18,0xB5,0xED,0x0F,0xD4,0xC3,
- 0xB6,0x6B,0x79,0xDF,0xA1,0x98,0x1C,0x8D,0x68,0x97,0x6C,0xDF,
- 0xFF,0x38,0x60,0xEC,0x93,0x40,0xEF,0x26,0x12,0xB8,0x1B,0x79,
- 0x68,0x72,0x47,0x8F,0x53,0x4C,0xBF,0x90,0xFF,0xE0,0x3E,0xE7,
- 0x43,0x95,0x0B,0x97,0x43,0xDA,0xB4,0xE1,0x85,0x69,0xA5,0x67,
- 0xFB,0x10,0x97,0x5A,0x0D,0x11,0xEB,0xED,0x78,0x82,0xCC,0xF5,
- 0x7A,0xCC,0x27,0x27,0x5E,0xE5,0x3D,0xBA,0x47,0x38,0xBE,0x18,
- 0xCA,0xC7,0x16,0xC7,0x7B,0x9E,0xA7,0xB0,0x80,0xAC,0x92,0x25,
- 0x36,0x16,0x8F,0x29,0xA5,0x32,0x01,0x60,0x33,0x7C,0x2C,0x2F,
- 0x49,0x7C,0x1D,0x4B,0xDA,0xBD,0xE4,0xF9,0x82,0x2B,0x71,0xCB,
- 0x07,0xE3,0xCC,0x65,0x8A,0x1A,0xAB,0x81,0x0F,0xA9,0x96,0x35,
- 0x4C,0xFD,0x42,0xFC,0xD6,0xE3,0xE8,0x2E,0x0E,0xAA,0x4D,0x75,
- 0x54,0x02,0x49,0xDD,0xC5,0x5F,0x38,0x93,0xFA,0xEF,0x7D,0xBA,
- 0x0C,0x75,0x93,0x09,0x8C,0x24,0x65,0xC6,0xF4,0xBF,0x59,0xF0,
- 0x5D,0x0A,0xA4,0x26,0x7F,0xDA,0x0F,0x41,0x3A,0x43,0x61,0xDF,
- 0x09,0x26,0xA1,0xB0,0xFE,0x8D,0xA6,0x21,0xC1,0xFD,0x41,0x65,
- 0x30,0xE7,0xE4,0xD0,0x8E,0x78,0x93,0x3C,0x3E,0x3E,0xCA,0x30,
- 0xA7,0x25,0x35,0x24,0x26,0x29,0xAC,0xCE,0x21,0x78,0x3B,0x9D,
- 0xDD,0x0B,0x44,0xD0,0x7C,0xEB,0x2F,0xDD,0xE7,0x64,0xBC,0xF7,
- 0x40,0x12,0xC8,0x35,0xFA,0x81,0xD6,0x80,0x39,0x1C,0x77,0x72,
- 0x86,0x5B,0x19,0xDC,0xCB,0xDC,0xCB,0xF6,0x54,0x6F,0xB1,0xCB,
- 0xE4,0xC3,0x05,0xD3
- };
- unsigned char dh2048_g[] = {
- 0x02
- };
-
- if ((dh = DH_new()) == NULL)
- return NULL;
-
- dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
- dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
- if (dh->p == NULL || dh->g == NULL) {
- DH_free(dh);
- return NULL;
- }
-
- return dh;
-}
-
-static DH *
-get_dh_from_memory(char *params, size_t len)
-{
- BIO *mem;
- DH *dh;
-
- mem = BIO_new_mem_buf(params, len);
- if (mem == NULL)
- return NULL;
- dh = PEM_read_bio_DHparams(mem, NULL, NULL, NULL);
- if (dh == NULL)
- goto err;
- if (dh->p == NULL || dh->g == NULL)
- goto err;
- return dh;
-
-err:
- if (mem != NULL)
- BIO_free(mem);
- if (dh != NULL)
- DH_free(dh);
- return NULL;
-}
-
-
-void
-ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh)
-{
- if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh)) {
- ssl_error("ssl_set_ephemeral_key_exchange");
- fatal("ssl_set_ephemeral_key_exchange: cannot set tmp dh");
- }
-}
-
 int
 ssl_load_pkey(const void *data, size_t datalen, char *buf, off_t len,
 X509 **x509ptr, EVP_PKEY **pkeyptr)
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index f86705a83d9..dfa6994cdb8 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.19 2015/12/13 09:52:44 gilles Exp $ */
+/* $OpenBSD: ssl.h,v 1.20 2016/04/21 14:27:41 jsing Exp $ */
 /*
 * Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
 *
@@ -31,9 +31,7 @@ struct pki {
 EVP_PKEY *pki_pkey;
- char *pki_dhparams_file;
- char *pki_dhparams;
- off_t pki_dhparams_len;
+ int pki_dhe;
 };
 struct ca {
@@ -51,7 +49,6 @@ int ssl_setup(SSL_CTX **, struct pki *, int (*)(SSL *, int *, void *), const char *);
 SSL_CTX *ssl_ctx_create(const char *, char *, off_t, const char *);
 int ssl_cmp(struct pki *, struct pki *);
-void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *);
 char *ssl_load_file(const char *, off_t *, mode_t);
 char *ssl_load_key(const char *, off_t *, char *, mode_t, const char *);
@@ -61,7 +58,6 @@ void ssl_error(const char *);
 int ssl_load_certificate(struct pki *, const char *);
 int ssl_load_keyfile(struct pki *, const char *, const char *);
 int ssl_load_cafile(struct ca *, const char *);
-int ssl_load_dhparams(struct pki *, const char *);
 int ssl_load_pkey(const void *, size_t, char *, off_t, X509 **, EVP_PKEY **);
 int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t, |
