From 0df900240b19caec85a627488dfb3ee685e5b737 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 12 Jun 2013 11:24:02 +0200 Subject: imrelp: new parameter "compression.dhbits" which controls the number of bits being used for Diffie-Hellman key generation --- ChangeLog | 3 +++ configure.ac | 2 +- doc/imrelp.html | 10 ++++++++++ plugins/imrelp/imrelp.c | 8 ++++++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 24b885fa..6f58734c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ --------------------------------------------------------------------------- Version 7.5.1 [devel] 2013-06-?? +- imrelp: + * new parameter "compression.dhbits" to control the number of + bits being used for Diffie-Hellman key generation - added experimental TCP stream compression (imptcp only, currently) - added BSD-specific syslog facilities * "console" diff --git a/configure.ac b/configure.ac index 53900b61..56457c05 100644 --- a/configure.ac +++ b/configure.ac @@ -999,7 +999,7 @@ AC_ARG_ENABLE(relp, [enable_relp=no] ) if test "x$enable_relp" = "xyes"; then - PKG_CHECK_MODULES(RELP, relp >= 1.1.1) + PKG_CHECK_MODULES(RELP, relp >= 1.1.2) fi AM_CONDITIONAL(ENABLE_RELP, test x$enable_relp = xyes) diff --git a/doc/imrelp.html b/doc/imrelp.html index 11894668..80117299 100644 --- a/doc/imrelp.html +++ b/doc/imrelp.html @@ -49,6 +49,16 @@ The controls if the TLS stream should be compressed (zipped). While this increases CPU use, the network bandwidth should be reduced. Note that typical text-based log records usually compress rather well. +
  • tls.dhbits (not mandatory, integer)
    +This setting controls how many bits are used for Diffie-Hellman key +generation. If not set, the librelp default is used. For secrity +reasons, at least 1024 bits should be used. Please note that the number +of bits must be supported by GnuTLS. If an invalid number is given, rsyslog +will report an error when the listener is started. We do this to be transparent +to changes/upgrades in GnuTLS (to check at config processing time, we would need +to hardcode the supported bits and keep them in sync with GnuTLS - this is +even impossible when custom GnuTLS changes are made...). +
  • Caveats/Known Bugs:
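Review bot: The ChangeLog hunk (and the commit subject) name the new parameter "compression.dhbits", while the doc/imrelp.html hunk in the same patch documents it as tls.dhbits. The documentation describes a Diffie-Hellman key-generation setting and says nothing about compression, so the ChangeLog line looks like a copy-over from the neighbouring compression entry. Suggest changing it to read new parameter "tls.dhbits", after confirming that this is the name registered in plugins/imrelp/imrelp.c (that hunk is not visible here). Otherwise users who copy the name from the ChangeLog will get a config error.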
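Review bot: In the doc/imrelp.html hunk, the added tls.dhbits description has a typo: "For secrity reasons" should be "For security reasons". The same paragraph says rsyslog "will report an error when the listener is started" if the bit count is invalid, but it does not say whether the listener then refuses to start or continues with the librelp default. Please state which, since an operator who sets a value GnuTLS rejects needs to know whether the listener ends up running with a different DH size than the one configured.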