From f3cd02e668f94c294d685edb24a051e2451589f1 Mon Sep 17 00:00:00 2001

From: Tomas Jelinek <tojeline@redhat.com>

Date: Fri, 23 Oct 2020 16:37:56 +0200

Subject: [PATCH 2/2] add support for loading a DH key from a file

---

 pcsd/pcsd.conf             |  6 +++++-

 pcsd/rfc7919-ffdhe2048.pem |  8 ++++++++

 pcsd/settings.rb           |  1 +

 pcsd/ssl.rb                | 20 ++++++++++++++++++--

 4 files changed, 32 insertions(+), 3 deletions(-)

 create mode 100644 pcsd/rfc7919-ffdhe2048.pem

diff --git a/pcsd/pcsd.conf b/pcsd/pcsd.conf

index 73d8b0ce..9f522353 100644

--- a/pcsd/pcsd.conf

+++ b/pcsd/pcsd.conf

@@ -31,7 +31,11 @@ PCSD_SESSION_LIFETIME=3600

 # set SSL ciphers

 #PCSD_SSL_CIPHERS='DEFAULT:!RC4:!3DES:@STRENGTH'

-# set length (in bits) of DH key for key exchange

+# set a DH key for key exchange, this overrides PCSD_SSL_DH_KEX_BITS

+# set to an empty string to disable this option and generate a random DH key

+#PCSD_SSL_DH_KEX_FILE=/usr/lib/pcsd/rfc7919-ffdhe2048.pem

+

+# set length (in bits) of a DH key for key exchange

 #PCSD_SSL_DH_KEX_BITS=1024

 # Reject client initiated SSL/TLS renegotiation. Set this to true to make pcsd

diff --git a/pcsd/rfc7919-ffdhe2048.pem b/pcsd/rfc7919-ffdhe2048.pem

new file mode 100644

index 00000000..9b182b72

--- /dev/null

+++ b/pcsd/rfc7919-ffdhe2048.pem

@@ -0,0 +1,8 @@

+-----BEGIN DH PARAMETERS-----

+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz

++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a

+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7

+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi

+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD

+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==

+-----END DH PARAMETERS-----

diff --git a/pcsd/settings.rb b/pcsd/settings.rb

index 3edc02b7..e7ff410d 100644

--- a/pcsd/settings.rb

+++ b/pcsd/settings.rb

@@ -6,6 +6,7 @@ PCSD_DEFAULT_PORT = 2224

 CRT_FILE = PCSD_VAR_LOCATION + 'pcsd.crt'

 KEY_FILE = PCSD_VAR_LOCATION + 'pcsd.key'

 COOKIE_FILE = PCSD_VAR_LOCATION + 'pcsd.cookiesecret'

+DH_KEY_FILE = PCSD_EXEC_LOCATION + 'rfc7919-ffdhe2048.pem'

 PENGINE = "/usr/libexec/pacemaker/pengine"

 CIB_BINARY = '/usr/libexec/pacemaker/cib'

diff --git a/pcsd/ssl.rb b/pcsd/ssl.rb

index de356e46..5acbac37 100644

--- a/pcsd/ssl.rb

+++ b/pcsd/ssl.rb

@@ -157,7 +157,23 @@ dh_key_bits = 0

 if ENV['PCSD_SSL_DH_KEX_BITS']

   dh_key_bits = Integer(ENV['PCSD_SSL_DH_KEX_BITS']) rescue 0

 end

-if dh_key_bits > 0

+dh_key_file = DH_KEY_FILE

+if ENV['PCSD_SSL_DH_KEX_FILE']

+  dh_key_file = ENV['PCSD_SSL_DH_KEX_FILE']

+end

+

+dh_key = nil

+if not dh_key_file.empty?()

+  $logger.info "Using '#{dh_key_file}' as a DH key..."

+  begin

+    dh_key = OpenSSL::PKey::DH.new(File.read(dh_key_file))

+    dh_key.generate_key!

+    $logger.info "DH key loaded"

+  rescue => e

+    $logger.error "Unable to read DH key file: #{e}"

+    exit 1

+  end

+elsif dh_key_bits > 0

   $logger.info "Generating #{dh_key_bits}bits long DH key..."

   dh_key = OpenSSL::PKey::DH.generate(dh_key_bits)

   $logger.info "DH key created"

@@ -187,7 +203,7 @@ webrick_options = {

   :SSLCertName        => [[ "CN", server_name ]],

   :SSLOptions         => get_ssl_options(),

 }

-if dh_key_bits > 0

+if not dh_key.nil?()

   webrick_options[:SSLTmpDhCallback] = lambda {|ctx, is_export, keylen| dh_key }

 end

-- 

2.21.0