Commit 57237c5f authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Hard-code precomputed Diffie-Hellman-Merkel group parameters.

These are not confidential, and fairly slow to compute.
(This is much simpler than caching them to disk, and more
 portable-app-friendly)
parent 080934b2
...@@ -9,7 +9,7 @@ SOURCES_win32text = win32text.c ...@@ -9,7 +9,7 @@ SOURCES_win32text = win32text.c
SOURCES_quartztext = quartztext.c SOURCES_quartztext = quartztext.c
SOURCES_logger = logger.c SOURCES_logger = logger.c
SOURCES_vod_rtsp = rtsp.c SOURCES_vod_rtsp = rtsp.c
SOURCES_gnutls = gnutls.c SOURCES_gnutls = gnutls.c dhparams.h
SOURCES_svg = svg.c SOURCES_svg = svg.c
SOURCES_profile_parser = profile_parser.c SOURCES_profile_parser = profile_parser.c
SOURCES_audioscrobbler = audioscrobbler.c SOURCES_audioscrobbler = audioscrobbler.c
/**
* Pre-computed Diffie-Hellman-Merkel parameters.
* $Id$
* Numbers are not copyrightable.
*
* If you feel like it, generate new ones:
* # certtool --generate-dh-params --bits 2048
*/
static const unsigned char dh_params[] =
"-----BEGIN DH PARAMETERS-----\n"
"MIIBBwKCAQDJ9pqmqBy71hn5pA3QL1AiGB2JOKq2wfdRq3EQVdbOtPscXM6BXdm7"
"NfBRUZIGT47oPNgCOhVV33z9OfnMHCSiMoWFPZeT14Mdm5TQBBYA2H6tf0g2Fp4X"
"qs7eeYheslzkg1V7U7PcdsyopiGI0FC4Heq+PxcyFOC0DuDUNiRq2Pk51gSUQURS"
"dtTyiU5fEFUETcFN2FWuPuCdQpA0xmYnQwnTJKq75b1GAxRlp6XqTbWmXgBggwYk"
"+O/oGpgVLlwZPquSbumbQsp4OU0Lk0hxqTR4Jd3XIeBuV/pc1zZaCH/9LIQT6aXn"
"S1wHhOlCUKgPWlBtx82omKgyo8ebJwWjAgEG\n"
"-----END DH PARAMETERS-----";
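Review bot: Nothing in the header lets a maintainer check what the blob actually contains: the prime size and generator are not stated, so the only way to learn them is to base64-decode the PEM body. The leading `MIIBBwKCAQ` appears to be a DER SEQUENCE holding a 256-byte (2048-bit) INTEGER and the trailing `AgEG` a generator of 6, which matches the quoted certtool command; recording that, e.g. `* 2048-bit prime, generator 6 (PKCS#3 PEM, certtool output).`, would let future replacements be checked against the comment. Since every build now shares this single group, a published well-known group such as RFC 3526 MODP group 14 would give the same behaviour while being independently verifiable instead of resting on a one-off certtool run. `Merkel` on the second line should read `Merkle`, and the header has no include guard, so a second inclusion would redefine `dh_params`.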
...@@ -49,10 +49,11 @@ ...@@ -49,10 +49,11 @@
#include <gnutls/gnutls.h> #include <gnutls/gnutls.h>
#include <gnutls/x509.h> #include <gnutls/x509.h>
#define DH_BITS 1024
#define CACHE_TIMEOUT 3600 #define CACHE_TIMEOUT 3600
#define CACHE_SIZE 64 #define CACHE_SIZE 64
#include "dhparams.h"
/***************************************************************************** /*****************************************************************************
* Module descriptor * Module descriptor
*****************************************************************************/ *****************************************************************************/
...@@ -61,12 +62,6 @@ static void CloseClient (vlc_object_t *); ...@@ -61,12 +62,6 @@ static void CloseClient (vlc_object_t *);
static int OpenServer (vlc_object_t *); static int OpenServer (vlc_object_t *);
static void CloseServer (vlc_object_t *); static void CloseServer (vlc_object_t *);
#define DH_BITS_TEXT N_("Diffie-Hellman prime bits")
#define DH_BITS_LONGTEXT N_( \
"This allows you to modify the Diffie-Hellman prime's number of bits, " \
"used for TLS or SSL-based server-side encryption. This is generally " \
"not needed." )
#define CACHE_TIMEOUT_TEXT N_("Expiration time for resumed TLS sessions") #define CACHE_TIMEOUT_TEXT N_("Expiration time for resumed TLS sessions")
#define CACHE_TIMEOUT_LONGTEXT N_( \ #define CACHE_TIMEOUT_LONGTEXT N_( \
"It is possible to cache the resumed TLS sessions. This is the expiration "\ "It is possible to cache the resumed TLS sessions. This is the expiration "\
...@@ -101,8 +96,7 @@ vlc_module_begin(); ...@@ -101,8 +96,7 @@ vlc_module_begin();
set_subcategory( SUBCAT_ADVANCED_MISC ); set_subcategory( SUBCAT_ADVANCED_MISC );
set_callbacks( OpenServer, CloseServer ); set_callbacks( OpenServer, CloseServer );
add_integer( "gnutls-dh-bits", DH_BITS, NULL, DH_BITS_TEXT, add_obsolete_integer( "gnutls-dh-bits" );
DH_BITS_LONGTEXT, VLC_TRUE );
add_integer( "gnutls-cache-timeout", CACHE_TIMEOUT, NULL, add_integer( "gnutls-cache-timeout", CACHE_TIMEOUT, NULL,
CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, VLC_TRUE ); CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, VLC_TRUE );
add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT, add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT,
...@@ -772,6 +766,9 @@ static int OpenClient (vlc_object_t *obj) ...@@ -772,6 +766,9 @@ static int OpenClient (vlc_object_t *obj)
p_sys->session.session)) p_sys->session.session))
goto s_error; goto s_error;
/* minimum DH prime bits */
gnutls_dh_set_prime_bits (p_sys->session.session, 1024);
i_val = gnutls_credentials_set (p_sys->session.session, i_val = gnutls_credentials_set (p_sys->session.session,
GNUTLS_CRD_CERTIFICATE, GNUTLS_CRD_CERTIFICATE,
p_sys->x509_cred); p_sys->x509_cred);
...@@ -1028,9 +1025,6 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server ) ...@@ -1028,9 +1025,6 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
if (p_session->pf_handshake == gnutls_HandshakeAndValidate) if (p_session->pf_handshake == gnutls_HandshakeAndValidate)
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE); gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
i_val = config_GetInt (p_server, "gnutls-dh-bits");
gnutls_dh_set_prime_bits (session, i_val);
/* Session resumption support */ /* Session resumption support */
i_val = config_GetInt (p_server, "gnutls-cache-timeout"); i_val = config_GetInt (p_server, "gnutls-cache-timeout");
gnutls_db_set_cache_expiration (session, i_val); gnutls_db_set_cache_expiration (session, i_val);
...@@ -1183,77 +1177,27 @@ static int OpenServer (vlc_object_t *obj) ...@@ -1183,77 +1177,27 @@ static int OpenServer (vlc_object_t *obj)
} }
/* FIXME: /* FIXME:
* - regenerate these regularly
* - support other ciper suites * - support other ciper suites
*/ */
val = gnutls_dh_params_init( &p_sys->dh_params ); val = gnutls_dh_params_init (&p_sys->dh_params);
if (val >= 0) if (val >= 0)
{ {
FILE *cache; const gnutls_datum_t data = {
const char *cachedir = p_server->p_libvlc->psz_cachedir; .data = (unsigned char *)dh_params,
char cachefile[strlen (cachedir) + sizeof ("/dh_params.pem")]; .size = sizeof (dh_params) - 1,
sprintf (cachefile, "%s/dh_params.pem", cachedir); };
/* Read DH parameters from cache */
cache = utf8_fopen (cachefile, "rb");
if (cache != NULL)
{
unsigned char buf[1024];
gnutls_datum_t data;
data.data = buf;
data.size = fread (buf, 1, sizeof (buf), cache);
msg_Dbg (p_server, "loading DHE parameters (%u bytes) from %s",
data.size, cachefile);
val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data, val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data,
GNUTLS_X509_FMT_PEM); GNUTLS_X509_FMT_PEM);
fclose (cache);
if (val == 0) if (val == 0)
goto dh_done; gnutls_certificate_set_dh_params (p_sys->x509_cred,
p_sys->dh_params);
} }
else
msg_Dbg (p_server, "cannot load DHE parameters from %s: %m",
cachefile);
msg_Dbg (p_server, "computing DHE ciphers parameters");
val = gnutls_dh_params_generate2 (p_sys->dh_params,
config_GetInt (obj, "gnutls-dh-bits"));
/* Write the DH parameter to cache */
cache = utf8_fopen (cachefile, "wb");
if (cache != NULL)
{
size_t len = 0;
gnutls_dh_params_export_pkcs3 (p_sys->dh_params,
GNUTLS_X509_FMT_PEM, NULL, &len);
msg_Dbg (p_server, "saving DHE parameters (%u bytes) to %s",
(unsigned)len, cachefile);
unsigned char buf[len];
gnutls_dh_params_export_pkcs3 (p_sys->dh_params,
GNUTLS_X509_FMT_PEM, buf, &len);
if (fwrite (buf, 1, len, cache) != len)
msg_Warn (p_server, "cannot write to %s: %m", cachefile);
fclose (cache);
}
else
msg_Warn (p_server, "cannot open to %s: %m", cachefile);
}
if (val < 0) if (val < 0)
{ {
msg_Err (p_server, "cannot initialize DHE cipher suites: %s", msg_Err (p_server, "cannot initialize DHE cipher suites: %s",
gnutls_strerror (val)); gnutls_strerror (val));
gnutls_certificate_free_credentials (p_sys->x509_cred);
goto error;
} }
dh_done:
msg_Dbg( p_server, "ciphers parameters computed" );
gnutls_certificate_set_dh_params( p_sys->x509_cred, p_sys->dh_params);
return VLC_SUCCESS; return VLC_SUCCESS;
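Review bot: The failure path in OpenServer no longer appears to leave the function: after the `msg_Err` for a failed `gnutls_dh_params_init` or `gnutls_dh_params_import_pkcs3`, control reaches `return VLC_SUCCESS`, whereas the lines printed once, `gnutls_certificate_free_credentials (p_sys->x509_cred);` and `goto error;`, look like the old abort that was dropped. With a compile-time blob an import failure is a programming error, so either restore `goto error;` after the message or state in a comment that the server is meant to come up without DHE suites and that `p_sys->dh_params` may then be unset; CloseServer's handling of that case is outside this hunk. In OpenClient the new `gnutls_dh_set_prime_bits (p_sys->session.session, 1024);` hard-codes the minimum peer prime size the client will accept; since the server side now offers a 2048-bit group, a named constant with a comment explaining why the client floor is lower would make the choice reviewable. The surviving FIXME line still reads `ciper`.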