Commit e67567c4 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Support for loading Diffie-Hellman-Merkel key exchange parameters from cache.

This makes TLS server initialization a lot faster (especially under valgrind)
parent 032eb466
...@@ -1187,24 +1187,48 @@ static int OpenServer (vlc_object_t *obj) ...@@ -1187,24 +1187,48 @@ static int OpenServer (vlc_object_t *obj)
* - support other ciper suites * - support other ciper suites
*/ */
val = gnutls_dh_params_init( &p_sys->dh_params ); val = gnutls_dh_params_init( &p_sys->dh_params );
if( val >= 0 )
{
msg_Dbg( p_server, "computing DHE ciphers parameters" );
val = gnutls_dh_params_generate2 (p_sys->dh_params,
config_GetInt (obj, "gnutls-dh-bits"));
/* Write the DH parameter to cache */ if (val >= 0)
{
FILE *cache;
const char *cachedir = p_server->p_libvlc->psz_cachedir; const char *cachedir = p_server->p_libvlc->psz_cachedir;
char cachefile[strlen (cachedir) + sizeof ("/dh_params.pem")]; char cachefile[strlen (cachedir) + sizeof ("/dh_params.pem")];
sprintf (cachefile, "%s/dh_params.pem", cachedir); sprintf (cachefile, "%s/dh_params.pem", cachedir);
FILE *cache = utf8_fopen (cachefile, "wb"); /* Read DH parameters from cache */
cache = utf8_fopen (cachefile, "rb");
if (cache != NULL)
{
unsigned char buf[1024];
gnutls_datum_t data;
data.data = buf;
data.size = fread (buf, 1, sizeof (buf), cache);
msg_Dbg (p_server, "loading DHE parameters (%u bytes) from %s",
data.size, cachefile);
val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data,
GNUTLS_X509_FMT_PEM);
fclose (cache);
if (val == 0)
goto dh_done;
}
else
msg_Dbg (p_server, "cannot load DHE parameters from %s: %m",
cachefile);
msg_Dbg (p_server, "computing DHE ciphers parameters");
val = gnutls_dh_params_generate2 (p_sys->dh_params,
config_GetInt (obj, "gnutls-dh-bits"));
/* Write the DH parameter to cache */
cache = utf8_fopen (cachefile, "wb");
if (cache != NULL) if (cache != NULL)
{ {
size_t len = 0; size_t len = 0;
gnutls_dh_params_export_pkcs3 (p_sys->dh_params, gnutls_dh_params_export_pkcs3 (p_sys->dh_params,
GNUTLS_X509_FMT_PEM, NULL, &len); GNUTLS_X509_FMT_PEM, NULL, &len);
msg_Dbg (p_server, "caching DHE parameters (%u bytes) to %s", msg_Dbg (p_server, "saving DHE parameters (%u bytes) to %s",
(unsigned)len, cachefile); (unsigned)len, cachefile);
unsigned char buf[len]; unsigned char buf[len];
...@@ -1216,15 +1240,17 @@ static int OpenServer (vlc_object_t *obj) ...@@ -1216,15 +1240,17 @@ static int OpenServer (vlc_object_t *obj)
} }
else else
msg_Warn (p_server, "cannot open to %s: %m", cachefile); msg_Warn (p_server, "cannot open to %s: %m", cachefile);
} }
if( val < 0 )
if (val < 0)
{ {
msg_Err( p_server, "cannot initialize DHE cipher suites: %s", msg_Err (p_server, "cannot initialize DHE cipher suites: %s",
gnutls_strerror( val ) ); gnutls_strerror (val));
gnutls_certificate_free_credentials( p_sys->x509_cred ); gnutls_certificate_free_credentials (p_sys->x509_cred);
goto error; goto error;
} }
dh_done:
msg_Dbg( p_server, "ciphers parameters computed" ); msg_Dbg( p_server, "ciphers parameters computed" );
gnutls_certificate_set_dh_params( p_sys->x509_cred, p_sys->dh_params); gnutls_certificate_set_dh_params( p_sys->x509_cred, p_sys->dh_params);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment