upgrade DH params generation to 2048 bits

psyc://loupsycedyglgamf.onion/~lynX 2016-08-10 15:44:57 +00:00
parent fdb1747099
commit a3f7701017
4 changed files with 38 additions and 22 deletions

10
CREDITS

@ -279,3 +279,13 @@ Lars Duening thanks:
Wolf Dieter Dallinger (Pulami@Unitopia, wolf.dieter@dallinger.de)
Zonk@FinalFrontier (zonk@finalfrontier.mud.de, rueschi@berit-broese.de)
The Wizards of Evermore
-----------------------------------------------------------------------------
lynX thanks:
Philipp 'fippo' Hancke for most of TLS, expat, JSON, SRV, strftime...
zippo's 64 bit patches
nedko for autoconf
ng0 for reproducibility hint & inclusion in guix


@ -1471,8 +1471,9 @@ echo "--- libidn"
AC_CHECK_HEADER(idna.h, lp_cv_has_idn=yes,lp_cv_has_idn=no)
AC_CHECK_HEADER(stringprep.h, lp_cv_has_idn=yes,lp_cv_has_idn=no)
# used to check for stringprep_check_version() but we require newer calls
# on BSD it also needs -lintl
AC_CHECK_LIB(idn, idna_strerror,
[lp_cv_has_idn=yes LIBS="${LIBS} -lidn"],lp_cv_has_idn=no)
[lp_cv_has_idn=yes LIBS="${LIBS} -lidn -lintl"],lp_cv_has_idn=no)
if test "x$lp_cv_has_idn" = "xyes"; then
AC_DEFINE(HAS_IDN, 1, [Does the machine offer IDNA?])
fi
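Review bot: The replacement action line appends `-lintl` to LIBS on every platform where libidn is found, although the comment above it says only BSD needs it; on a system with no separate libintl the final link can fail (this assumes the second of the two printed action lines is the new one). The AC_CHECK_LIB test itself still links with `-lidn` alone, so where libintl really is required the probe may fail before the action ever runs. Probe libintl first and pass the result both to the action and as the macro's fifth (other-libraries) argument, e.g. `AC_CHECK_LIB(idn, idna_strerror, [lp_cv_has_idn=yes LIBS="${LIBS} -lidn ${lp_intl_lib}"], lp_cv_has_idn=no, [${lp_intl_lib}])`, where `lp_intl_lib` is a placeholder name for a variable set by that earlier probe.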


@ -57,7 +57,7 @@
/*-------------------------------------------------------------------------*/
#define DH_BITS 1024
#define DH_BITS 2048
/*-------------------------------------------------------------------------*/
/* Variables */
@ -81,7 +81,7 @@ static Bool tls_available = MY_FALSE;
static SSL_CTX * context = NULL;
/* The SSL program context. */
static DH *dhe1024 = NULL;
static DH *dhparams = NULL;
/* The Diffie-Hellmann parameters. */
#elif defined(HAS_GNUTLS)
@ -98,33 +98,38 @@ static gnutls_dh_params dh_params;
/*-------------------------------------------------------------------------*/
static Bool
set_dhe1024 (void)
set_dhparams (void)
/* Set the Diffie-Hellmann parameters.
* Return MY_TRUE on success, and MY_FALSE on error.
*/
{
DSA *dsaparams;
DH *dhparams;
DH *p;
if (dhe1024 != NULL)
if (dhparams != NULL)
return MY_TRUE;
dsaparams = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, 0, NULL);
debug_message("%s Generating DH parameters with %d bits. Please wait.\n", time_stamp(), DH_BITS);
#if 0
DSA *dsaparams;
dsaparams = DSA_generate_parameters(DH_BITS, NULL, 0, NULL, NULL, 0, NULL);
if (dsaparams == NULL)
return MY_FALSE;
dhparams = DSA_dup_DH(dsaparams);
p = DSA_dup_DH(dsaparams);
DSA_free(dsaparams);
if (dhparams == NULL)
#else
p = DH_generate_parameters(DH_BITS, 3, NULL, NULL);
#endif
debug_message("%s Generation %s.\n", time_stamp(), p? "completed": "failed");
if (p == NULL)
return MY_FALSE;
dhe1024 = dhparams;
dhparams = p;
return MY_TRUE;
} /* set_dhe1024() */
} /* set_dhparams() */
/*-------------------------------------------------------------------------*/
static int
@ -506,8 +511,8 @@ tls_global_init (void)
goto ssl_init_err;
}
if (!set_dhe1024()
|| !SSL_CTX_set_tmp_dh(context, dhe1024)
if (!set_dhparams()
|| !SSL_CTX_set_tmp_dh(context, dhparams)
)
{
#ifdef VERBOSE
@ -564,10 +569,10 @@ ssl_init_err:
, time_stamp(), errstring);
}
if (dhe1024 != NULL)
if (dhparams != NULL)
{
DH_free(dhe1024);
dhe1024 = NULL;
DH_free(dhparams);
dhparams = NULL;
}
if (context != NULL)
@ -642,10 +647,10 @@ tls_global_deinit (void)
{
#ifdef HAS_OPENSSL
if (dhe1024 != NULL)
if (dhparams != NULL)
{
DH_free(dhe1024);
dhe1024 = NULL;
DH_free(dhparams);
dhparams = NULL;
}
if (context != NULL)
{
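Review bot: In set_dhparams() the new call `p = DH_generate_parameters(DH_BITS, 3, NULL, NULL);` passes generator 3, and the result is handed to SSL_CTX_set_tmp_dh() in tls_global_init() without any validation. OpenSSL documents 2 and 5 as the usual generators, and DH_check() reports DH_UNABLE_TO_CHECK_GENERATOR for anything else, so the generated group cannot be fully verified. I would use `p = DH_generate_parameters(DH_BITS, DH_GENERATOR_2, NULL, NULL);` and, before `dhparams = p;`, call DH_check() on it, freeing `p` and returning MY_FALSE if the call fails or sets any flag. Generating a 2048-bit safe prime on every start also blocks startup for a noticeable time, which loading pre-generated parameters from a file would avoid; the `#if 0` DSA branch is dead code and could be dropped.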


@ -17,7 +17,7 @@ version_longtype="stable"
# A timestamp, to be used by bumpversion and other scripts.
# It can be used, for example, to 'touch' this file on every build, thus
# forcing revision control systems to add it on every checkin automatically.
version_stamp="Thu Sep 29 11:49:32 CEST 2016"
version_stamp="Wed Mar 1 16:59:51 CET 2017"
# Okay, LDMUD is using 3.x.x so to avoid conflicts let's just use 4.x.x
version_major=4