authorSebastien Helleu <flashcode@flashtux.org>2012-07-30 09:28:27 +0200
committerSebastien Helleu <flashcode@flashtux.org>2012-07-30 09:28:27 +0200
commit3f973f8cbc12b8bf0333a50232369fd40747e669 (patch)
treeaaf8785d7312197ae64e4f88a15aeafdc02f88b4 /src/plugins/relay
parentee74131f693cb020fe62caa1ff7de8dd084bb215 (diff)
relay: set Diffie-Hellman parameters on first SSL connection from a client (makes relay plugin load faster), reuse function gnutls_sec_param_to_pk_bits
Diffstat (limited to 'src/plugins/relay')
-rw-r--r--src/plugins/relay/relay-client.c24
-rw-r--r--src/plugins/relay/relay-network.c16
-rw-r--r--src/plugins/relay/relay-network.h1
3 files changed, 34 insertions, 7 deletions
diff --git a/src/plugins/relay/relay-client.c b/src/plugins/relay/relay-client.c
index 5965117b1..8c98e5718 100644
--- a/src/plugins/relay/relay-client.c
+++ b/src/plugins/relay/relay-client.c
@@ -626,6 +626,7 @@ relay_client_new (int sock, const char *address, struct t_relay_server *server)
{
struct t_relay_client *new_client;
#ifdef HAVE_GNUTLS
+ int bits;
struct t_config_option *ptr_option;
#endif
@@ -664,6 +665,29 @@ relay_client_new (int sock, const char *address, struct t_relay_server *server)
weechat_prefix ("error"), RELAY_PLUGIN_NAME);
}
new_client->status = RELAY_STATUS_CONNECTING;
+ /*
+ * set Diffie-Hellman parameters on first SSL connection from a
+ * client (done only one time)
+ */
+ if (!relay_gnutls_dh_params)
+ {
+ relay_gnutls_dh_params = malloc (sizeof (*relay_gnutls_dh_params));
+ if (relay_gnutls_dh_params)
+ {
+ gnutls_dh_params_init (relay_gnutls_dh_params);
+#if LIBGNUTLS_VERSION_NUMBER >= 0x020c00
+ /* for gnutls >= 2.12.0 */
+ bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH,
+ GNUTLS_SEC_PARAM_LOW);
+#else
+ /* default for old gnutls */
+ bits = 1024;
+#endif
+ gnutls_dh_params_generate2 (*relay_gnutls_dh_params, bits);
+ gnutls_certificate_set_dh_params (relay_gnutls_x509_cred,
+ *relay_gnutls_dh_params);
+ }
+ }
gnutls_init (&(new_client->gnutls_sess), GNUTLS_SERVER);
if (relay_gnutls_priority_cache)
gnutls_priority_set (new_client->gnutls_sess, *relay_gnutls_priority_cache);
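Review bot: The return values of `gnutls_dh_params_init` and `gnutls_dh_params_generate2` are ignored, so if init fails relay_gnutls_dh_params is left non-NULL pointing at an uninitialized handle that relay_network_end later passes to `gnutls_dh_params_deinit`, and if generation fails the credential is bound to an empty group, the branch is never retried because the pointer is already set, and nothing is logged. Both calls should be checked, and on failure the handle deinitialized where it was initialized, freed, and the pointer reset to NULL so the cleanup path's "non-NULL means initialized" assumption holds; the failure can be reported the way the error a few lines above this hunk is (the exact message format is outside the hunk, so the call below is a sketch). Separately, `GNUTLS_SEC_PARAM_LOW` and the `1024` fallback request 80-bit security, roughly a 1024-bit group depending on gnutls version, which is too small for a network-facing listener; `GNUTLS_SEC_PARAM_NORMAL` / `2048` is the sensible floor, at the cost of a longer one-time generation that still runs on the main loop when the first client connects. relay_client_new begins before this hunk and continues after it.
```c
    if (!relay_gnutls_dh_params)
    {
        relay_gnutls_dh_params = malloc (sizeof (*relay_gnutls_dh_params));
        if (relay_gnutls_dh_params)
        {
            if (gnutls_dh_params_init (relay_gnutls_dh_params) != GNUTLS_E_SUCCESS)
            {
                /* init failed: nothing to deinit, leave no stale handle behind */
                free (relay_gnutls_dh_params);
                relay_gnutls_dh_params = NULL;
            }
            else
            {
#if LIBGNUTLS_VERSION_NUMBER >= 0x020c00
                /* for gnutls >= 2.12.0: 112-bit security (2048-bit group) */
                bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH,
                                                    GNUTLS_SEC_PARAM_NORMAL);
#else
                /* default for old gnutls */
                bits = 2048;
#endif
                if (gnutls_dh_params_generate2 (*relay_gnutls_dh_params,
                                                bits) != GNUTLS_E_SUCCESS)
                {
                    /* keep relay_network_end's "non-NULL == initialized" invariant */
                    gnutls_dh_params_deinit (*relay_gnutls_dh_params);
                    free (relay_gnutls_dh_params);
                    relay_gnutls_dh_params = NULL;
                    weechat_printf (NULL,
                                    "%s%s: failed to generate Diffie-Hellman parameters",
                                    weechat_prefix ("error"), RELAY_PLUGIN_NAME);
                }
                else
                {
                    gnutls_certificate_set_dh_params (relay_gnutls_x509_cred,
                                                      *relay_gnutls_dh_params);
                }
            }
        }
    }
    /* … unchanged: gnutls_init / priority setup … */
```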
diff --git a/src/plugins/relay/relay-network.c b/src/plugins/relay/relay-network.c
index c19178c8b..d63ade548 100644
--- a/src/plugins/relay/relay-network.c
+++ b/src/plugins/relay/relay-network.c
@@ -38,8 +38,8 @@ int relay_network_init_ssl_cert_key_ok = 0;
#ifdef HAVE_GNUTLS
gnutls_certificate_credentials_t relay_gnutls_x509_cred;
-gnutls_priority_t *relay_gnutls_priority_cache;
-gnutls_dh_params_t relay_gnutls_dh_params;
+gnutls_priority_t *relay_gnutls_priority_cache = NULL;
+gnutls_dh_params_t *relay_gnutls_dh_params = NULL;
#endif
@@ -118,11 +118,6 @@ relay_network_init ()
gnutls_certificate_allocate_credentials (&relay_gnutls_x509_cred);
relay_network_set_ssl_cert_key (0);
- /* Diffie-Hellman parameters */
- gnutls_dh_params_init (&relay_gnutls_dh_params);
- gnutls_dh_params_generate2 (relay_gnutls_dh_params, 1024);
- gnutls_certificate_set_dh_params (relay_gnutls_x509_cred, relay_gnutls_dh_params);
-
/* priority */
relay_gnutls_priority_cache = malloc (sizeof (*relay_gnutls_priority_cache));
if (relay_gnutls_priority_cache)
@@ -155,6 +150,13 @@ relay_network_end ()
{
gnutls_priority_deinit (*relay_gnutls_priority_cache);
free (relay_gnutls_priority_cache);
+ relay_gnutls_priority_cache = NULL;
+ }
+ if (relay_gnutls_dh_params)
+ {
+ gnutls_dh_params_deinit (*relay_gnutls_dh_params);
+ free (relay_gnutls_dh_params);
+ relay_gnutls_dh_params = NULL;
}
gnutls_certificate_free_credentials (relay_gnutls_x509_cred);
#endif
diff --git a/src/plugins/relay/relay-network.h b/src/plugins/relay/relay-network.h
index 8db57eed3..439c22524 100644
--- a/src/plugins/relay/relay-network.h
+++ b/src/plugins/relay/relay-network.h
@@ -30,6 +30,7 @@ extern int relay_network_init_ssl_cert_key_ok;
#ifdef HAVE_GNUTLS
extern gnutls_certificate_credentials_t relay_gnutls_x509_cred;
extern gnutls_priority_t *relay_gnutls_priority_cache;
+extern gnutls_dh_params_t *relay_gnutls_dh_params;
#endif
extern void relay_network_set_ssl_cert_key (int verbose);