From d5954ce249646f20151d40a4aaee0eafdca255af Mon Sep 17 00:00:00 2001
From: Tom Li <biergaizi2009@gmail.com>
Date: Mon, 2 Feb 2015 17:53:42 +0800
Subject: [PATCH] tls: adding support of dhparam.

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
---
 plugins/tls | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/plugins/tls b/plugins/tls
index 21ef474..53f1d9c 100644
--- a/plugins/tls
+++ b/plugins/tls
@@ -8,9 +8,9 @@ tls - plugin to support STARTTLS
 
 # in config/plugins
 
-tls [B<cert_path priv_key_path ca_path>]
+tls [B<cert_path priv_key_path ca_path dhparam_path>]
 
-=over 4
+=over 5
 
 =item B<cert_path>
 
@@ -24,6 +24,11 @@ Path to the private key file. Default: I<ssl/qpsmtpd-server.key>
 
 Path to the certificate authority file. Default: I<ssl/qpsmtpd-ca.crt>
 
+=item B<dhparam_path>
+
+Path to the DH parameter file if you want Diffie-Hellman key exchange.
+Default: I<ssl/qpsmtpd-dhparam.pem>
+
 =back
 
 =head1 DESCRIPTION
@@ -66,19 +71,28 @@ use IO::Socket::SSL 0.98;
 use Qpsmtpd::Constants;
 
 sub init {
-    my ($self, $qp, $cert, $key, $ca) = @_;
+    my ($self, $qp, $cert, $key, $ca, $dhparam) = @_;
     my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';
     $cert ||= "$dir/qpsmtpd-server.crt";
     $key  ||= "$dir/qpsmtpd-server.key";
     $ca   ||= "$dir/qpsmtpd-ca.crt";
+    $dhparam ||= "$dir/qpsmtpd-dhparam.pem";
     unless (-f $cert && -f $key && -f $ca) {
         $self->log(LOGERROR,
                    "Cannot locate cert/key!  Run plugins/tls_cert to generate");
         return;
     }
+    unless (-f $dhparam) {
+        $dhparam = "";
+        $self->log(LOGINFO,
+                   "Cannot locate dhparam, possible DHE algorithms will be unavailable.");
+        $self->log(LOGINFO,
+                   "The encryption strength will decline que to lack of Forward Secrecy.");
+    }
     $self->tls_cert($cert);
     $self->tls_key($key);
     $self->tls_ca($ca);
+    $self->tls_dhparam($dhparam);
     $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
 
     $self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers);
@@ -93,6 +107,7 @@ sub init {
                                         SSL_cert_file   => $self->tls_cert,
                                         SSL_key_file    => $self->tls_key,
                                         SSL_ca_file     => $self->tls_ca,
+					SSL_dh_file     => $self->tls_dhparam,
                                         SSL_cipher_list => $self->tls_ciphers,
                                         SSL_server      => 1,
                                         SSL_honor_cipher_order => 1
@@ -193,6 +208,7 @@ sub _convert_to_ssl {
                                        SSL_cert_file   => $self->tls_cert,
                                        SSL_key_file    => $self->tls_key,
                                        SSL_ca_file     => $self->tls_ca,
+				       SSL_dh_file     => $self->tls_dhparam,
                                        SSL_cipher_list => $self->tls_ciphers,
                                        SSL_server      => 1,
                                        SSL_reuse_ctx   => $self->ssl_context,
@@ -236,6 +252,12 @@ sub tls_ca {
     $self->{_tls_ca};
 }
 
+sub tls_dhparam {
+    my $self = shift;
+    @_ and $self->{_tls_dhparam} = shift;
+    $self->{_tls_dhparam};
+}
+
 sub tls_ciphers {
     my $self = shift;
     @_ and $self->{_tls_ciphers} = shift;
@@ -293,6 +315,7 @@ sub upgrade_socket {
                 SSL_cert_file   => $sp->tls_cert,
                 SSL_key_file    => $sp->tls_key,
                 SSL_ca_file     => $sp->tls_ca,
+                SSL_dh_file     => $self->tls_dhparam,
                 SSL_cipher_list => $sp->tls_ciphers,
                 SSL_startHandshake => 0,
                 SSL_server         => 1,