From 2a135907c7d11221db45a55225d347134a2cc1e9 Mon Sep 17 00:00:00 2001
From: Ben Kibbey <bjk@luxsci.net>
Date: Sat, 17 Jan 2015 12:53:09 -0500
Subject: [PATCH] Add configuration parameter "tls_dh_level".

---
 doc/config.example |  3 +++
 doc/pwmd.html      |  6 ++++++
 doc/pwmd.texi      |  5 +++++
 src/pwmd.c         |  5 ++++-
 src/rcfile.c       | 19 +++++++++++++++++++
 src/tls.c          | 30 ++++++++++++++++++++++++++++--
 6 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/doc/config.example b/doc/config.example
index 5d54bed3..dcfa795a 100644
--- a/doc/config.example
+++ b/doc/config.example
@@ -151,6 +151,9 @@
 # The GnuTLS cipher suite and protocol to use.
 #tls_cipher_suite=SECURE256
 
+# TLS key exchange security level: low, medium or high.
+#tls_dh_level=medium
+
 # The interval in seconds to send the KEEPALIVE status message when
 # not in a command.
 #keepalive_interval=60
diff --git a/doc/pwmd.html b/doc/pwmd.html
index d37f7245..1865796a 100644
--- a/doc/pwmd.html
+++ b/doc/pwmd.html
@@ -689,6 +689,12 @@ will disable waiting. The default is <code>3</code>.
 <dt>&lsquo;<samp>tls_cipher_suite = string</samp>&rsquo;</dt>
 <dd><p>The GnuTLS cipher suite and protocol to use. See the GnuTLS documentation for
 information about the format of this string. The default is <code>SECURE256</code>.
+</p>
+</dd>
+<dt>&lsquo;<samp>tls_dh_level = string</samp>&rsquo;</dt>
+<dd><p>The security level (bits) of the generated key exchange parameters. Possible
+values are <code>low</code>, <code>medium</code> or <code>high</code>. The default is
+<code>medium</code>.
 </p></dd>
 </dl>
 
diff --git a/doc/pwmd.texi b/doc/pwmd.texi
index 039c1bce..56747e07 100644
--- a/doc/pwmd.texi
+++ b/doc/pwmd.texi
@@ -581,6 +581,11 @@ will disable waiting. The default is @code{3}.
 @item tls_cipher_suite = string
 The GnuTLS cipher suite and protocol to use. See the GnuTLS documentation for
 information about the format of this string. The default is @code{SECURE256}.
+
+@item tls_dh_level = string
+The security level (bits) of the generated key exchange parameters. Possible
+values are @code{low}, @code{medium} or @code{high}. The default is
+@code{medium}.
 @end table
 
 @node Pinentry, Commands, TLS, Configuration
diff --git a/src/pwmd.c b/src/pwmd.c
index edc30fbc..856849ea 100644
--- a/src/pwmd.c
+++ b/src/pwmd.c
@@ -1807,7 +1807,10 @@ start_stop_tls_with_protocol (int ipv6, int term)
 
   if (x509_cred == NULL)
     {
-      rc = tls_init_params ();
+      char *tmp = config_get_string ("global", "tls_dh_level");
+
+      rc = tls_init_params (tmp);
+      xfree (tmp);
       if (rc)
 	goto fail;
     }
diff --git a/src/rcfile.c b/src/rcfile.c
index 843570b6..75e5a43e 100644
--- a/src/rcfile.c
+++ b/src/rcfile.c
@@ -96,6 +96,7 @@ static struct config_params_s
   {  "tcp_interface",           PARAM_CHARP,            NULL},
   {  "tls_timeout",             PARAM_INT,              "300"},
   {  "tls_cipher_suite",	PARAM_CHARP,		"SECURE256"},
+  {  "tls_dh_level",		PARAM_CHARP,		"medium"},
   {  "pinentry_path",           PARAM_CHARP,            PINENTRY_PATH},
   {  "pinentry_timeout",        PARAM_INT,              DEFAULT_PINENTRY_TIMEOUT},
   {  "use_agent",               PARAM_BOOL,             "false"},
@@ -1236,6 +1237,24 @@ config_parse (const char *filename)
     log_write (_
 	       ("WARNING: %s: could not find a [global] configuration section!"),
 	       filename);
+  else
+    {
+      int exists;
+      char *tmp = config_get_string_param (tmpconfig, "global", "tls_dh_level",
+                                           &exists);
+      if (tmp)
+        {
+          if (strcasecmp (tmp, "low") && strcasecmp (tmp, "medium")
+              && strcasecmp (tmp, "high"))
+            {
+              xfree (tmp);
+              log_write (_("invalid tls_dh_level value"));
+              goto fail;
+            }
+
+          xfree (tmp);
+        }
+    }
 
 defaults:
   if (set_defaults (&tmpconfig))
diff --git a/src/tls.c b/src/tls.c
index 6986c0d5..babee39a 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -305,13 +305,39 @@ tls_write_hook (assuan_context_t ctx, assuan_fd_t fd, const void *data,
   return ret;
 }
 
+static int
+parse_dh_sec_level (const char *str, gpg_error_t *rc)
+{
+  *rc = 0;
+
+  if (!str)
+    return gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
+
+  if (!strcasecmp (str, "low"))
+    return gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW);
+  else if (!strcasecmp (str, "medium"))
+    return gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
+  else if (!strcasecmp (str, "high"))
+    return gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
+  else if (!strcasecmp (str, "ultra"))
+    return gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_ULTRA);
+
+  *rc = GPG_ERR_INV_VALUE;
+  return GNUTLS_SEC_PARAM_UNKNOWN;
+}
+
 gpg_error_t
-tls_init_params ()
+tls_init_params (const char *dh_sec_level)
 {
   int n;
   char *tmp, *tmp2;
   gpg_error_t rc = GPG_ERR_UNKNOWN_ERRNO;
+  int bits = parse_dh_sec_level (dh_sec_level, &rc);
+
+  if (rc)
+    return rc;
 
+  rc = GPG_ERR_UNKNOWN_ERRNO;
   n = gnutls_certificate_allocate_credentials (&x509_cred);
   if (n != GNUTLS_E_SUCCESS)
     {
@@ -377,7 +403,7 @@ tls_init_params ()
       goto fail;
     }
 
-  n = gnutls_dh_params_generate2 (dh_params, 1024);
+  n = gnutls_dh_params_generate2 (dh_params, bits);
   if (n != GNUTLS_E_SUCCESS)
     {
       log_write ("%s", gnutls_strerror (n));
-- 
2.11.4.GIT