gnutls: generate Diffie-Hellman parameters dynamically (fixes #14702)

cafbe261 · Rémi Denis-Courmont · 5f000e6a · cafbe261 · 5f000e6a · cafbe261
Commit cafbe261 authored Aug 23, 2015 by Rémi Denis-Courmont
Showing with 9 additions and 27 deletions

modules/misc/Makefile.am modules/misc/Makefile.am +1 -1

modules/misc/dhparams.h modules/misc/dhparams.h +0 -17

modules/misc/gnutls.c modules/misc/gnutls.c +8 -8

po/POTFILES.in po/POTFILES.in +0 -1

No files found.
--- a/modules/misc/Makefile.am
+++ b/modules/misc/Makefile.am
@@ -24,7 +24,7 @@ libfingerprinter_plugin_la_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/misc
 libfingerprinter_plugin_la_LIBADD = $(LIBM) $(LIBPTHREAD)
 misc_LTLIBRARIES += libfingerprinter_plugin.la
-libgnutls_plugin_la_SOURCES = misc/gnutls.c misc/dhparams.h
+libgnutls_plugin_la_SOURCES = misc/gnutls.c
 libgnutls_plugin_la_CFLAGS = $(AM_CFLAGS) $(GNUTLS_CFLAGS)
 libgnutls_plugin_la_LIBADD = $(GNUTLS_LIBS)
 if HAVE_WIN32

--- a/modules/misc/dhparams.h
+++ b/modules/misc/dhparams.h
-/**
- * Pre-computed Diffie-Hellman-Merkel parameters.
- * $Id$
- * Numbers are not copyrightable.
- *
- * If you feel like it, generate new ones:
- * # certtool --generate-dh-params --bits 2048
- */
-static const unsigned char dh_params[] =
-    "-----BEGIN DH PARAMETERS-----\n"
-    "MIIBBwKCAQDJ9pqmqBy71hn5pA3QL1AiGB2JOKq2wfdRq3EQVdbOtPscXM6BXdm7"
-    "NfBRUZIGT47oPNgCOhVV33z9OfnMHCSiMoWFPZeT14Mdm5TQBBYA2H6tf0g2Fp4X"
-    "qs7eeYheslzkg1V7U7PcdsyopiGI0FC4Heq+PxcyFOC0DuDUNiRq2Pk51gSUQURS"
-    "dtTyiU5fEFUETcFN2FWuPuCdQpA0xmYnQwnTJKq75b1GAxRlp6XqTbWmXgBggwYk"
-    "+O/oGpgVLlwZPquSbumbQsp4OU0Lk0hxqTR4Jd3XIeBuV/pc1zZaCH/9LIQT6aXn"
-    "S1wHhOlCUKgPWlBtx82omKgyo8ebJwWjAgEG\n"
-    "-----END DH PARAMETERS-----";
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
 /*****************************************************************************
 * gnutls.c
 *****************************************************************************
- * Copyright (C) 2004-2014 Rémi Denis-Courmont
+ * Copyright (C) 2004-2015 Rémi Denis-Courmont
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
@@ -37,7 +37,6 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
-#include "dhparams.h"
 #if (GNUTLS_VERSION_NUMBER >= 0x030300)
 static int gnutls_Init (vlc_object_t *obj)
@@ -631,18 +630,17 @@ static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
    }
    /* FIXME:
+     * - regenerate these regularly
     * - support other cipher suites
     */
    val = gnutls_dh_params_init (&sys->dh_params);
    if (val >= 0)
    {
-        const gnutls_datum_t data = {
+        gnutls_sec_param_t sec = GNUTLS_SEC_PARAM_MEDIUM;
-            .data = (unsigned char *)dh_params,
+        unsigned bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, sec);
-            .size = sizeof (dh_params) - 1,
-        };
-        val = gnutls_dh_params_import_pkcs3 (sys->dh_params, &data,
+        msg_Dbg (crd, "generating Diffie-Hellman %u-bits parameters...", bits);
-                                             GNUTLS_X509_FMT_PEM);
+        val = gnutls_dh_params_generate2 (sys->dh_params, bits);
        if (val == 0)
            gnutls_certificate_set_dh_params (sys->x509_cred,
                                              sys->dh_params);
@@ -653,6 +651,8 @@ static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
                 gnutls_strerror (val));
    }
+    msg_Dbg (crd, "ciphers parameters loaded");
    crd->sys = sys;
    crd->open = gnutls_ServerSessionOpen;
    crd->handshake = gnutls_ServerHandshake;

--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -982,7 +982,6 @@ modules/lua/vlc.h
 modules/meta_engine/folder.c
 modules/meta_engine/taglib.cpp
 modules/misc/audioscrobbler.c
-modules/misc/dhparams.h
 modules/misc/gnutls.c
 modules/misc/inhibit/dbus.c
 modules/misc/inhibit/xdg.c