From a3f770101788bc8f97ef1fb054792294a0fe894a Mon Sep 17 00:00:00 2001
From: "psyc://loupsycedyglgamf.onion/~lynX"
 <BM-NB7xa9gEpmJgYp9PVnEdACiZcGmmEJcY>
Date: Wed, 10 Aug 2016 15:44:57 +0000
Subject: [PATCH] upgrade DH params generation to 2048 bits

---
 CREDITS                   | 10 +++++++++
 src/autoconf/configure.ac |  3 ++-
 src/pkg-tls.c             | 45 ++++++++++++++++++++++-----------------
 src/version.sh            |  2 +-
 4 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/CREDITS b/CREDITS
index b30a499..5f4c2ac 100644
--- a/CREDITS
+++ b/CREDITS
@@ -279,3 +279,13 @@ Lars Duening thanks:
      Wolf Dieter Dallinger (Pulami@Unitopia, wolf.dieter@dallinger.de)
      Zonk@FinalFrontier (zonk@finalfrontier.mud.de, rueschi@berit-broese.de)
      The Wizards of Evermore
+
+ -----------------------------------------------------------------------------
+
+ lynX thanks:
+
+    Philipp 'fippo' Hancke for most of TLS, expat, JSON, SRV, strftime...
+    zippo's 64 bit patches
+    nedko for autoconf
+    ng0 for reproducibility hint & inclusion in guix
+
diff --git a/src/autoconf/configure.ac b/src/autoconf/configure.ac
index 975a22a..cfd2b93 100644
--- a/src/autoconf/configure.ac
+++ b/src/autoconf/configure.ac
@@ -1471,8 +1471,9 @@ echo "--- libidn"
 AC_CHECK_HEADER(idna.h, lp_cv_has_idn=yes,lp_cv_has_idn=no)
 AC_CHECK_HEADER(stringprep.h, lp_cv_has_idn=yes,lp_cv_has_idn=no)
 # used to check for stringprep_check_version() but we require newer calls
+# on BSD it also needs -lintl
 AC_CHECK_LIB(idn, idna_strerror,
-	     [lp_cv_has_idn=yes LIBS="${LIBS} -lidn"],lp_cv_has_idn=no)
+	     [lp_cv_has_idn=yes LIBS="${LIBS} -lidn -lintl"],lp_cv_has_idn=no)
 if test "x$lp_cv_has_idn" = "xyes"; then
     AC_DEFINE(HAS_IDN, 1, [Does the machine offer IDNA?])
 fi
diff --git a/src/pkg-tls.c b/src/pkg-tls.c
index 6fad47e..9183d70 100644
--- a/src/pkg-tls.c
+++ b/src/pkg-tls.c
@@ -57,7 +57,7 @@
 
 /*-------------------------------------------------------------------------*/
 
-#define DH_BITS 1024
+#define DH_BITS 2048
 
 /*-------------------------------------------------------------------------*/
 /* Variables */
@@ -81,7 +81,7 @@ static Bool tls_available = MY_FALSE;
 static SSL_CTX * context = NULL;
   /* The SSL program context. */
 
-static DH *dhe1024 = NULL;
+static DH *dhparams = NULL;
   /* The Diffie-Hellmann parameters. */
 
 #elif defined(HAS_GNUTLS)
@@ -98,33 +98,38 @@ static gnutls_dh_params dh_params;
 
 /*-------------------------------------------------------------------------*/
 static Bool
-set_dhe1024 (void)
+set_dhparams (void)
 
 /* Set the Diffie-Hellmann parameters.
  * Return MY_TRUE on success, and MY_FALSE on error.
  */
 
 {
-    DSA *dsaparams;
-    DH *dhparams;
+    DH *p;
 
-    if (dhe1024 != NULL)
+    if (dhparams != NULL)
         return MY_TRUE;
 
-    dsaparams = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, 0, NULL);
+    debug_message("%s Generating DH parameters with %d bits. Please wait.\n", time_stamp(), DH_BITS);
+#if 0
+    DSA *dsaparams;
+    dsaparams = DSA_generate_parameters(DH_BITS, NULL, 0, NULL, NULL, 0, NULL);
 
     if (dsaparams == NULL)
         return MY_FALSE;
 
-    dhparams = DSA_dup_DH(dsaparams);
+    p = DSA_dup_DH(dsaparams);
     DSA_free(dsaparams);
-    if (dhparams == NULL)
+#else
+    p = DH_generate_parameters(DH_BITS, 3, NULL, NULL);
+#endif
+    debug_message("%s Generation %s.\n", time_stamp(), p? "completed": "failed");
+    if (p == NULL)
         return MY_FALSE;
 
-    dhe1024 = dhparams;
-
+    dhparams = p;
     return MY_TRUE;
-} /* set_dhe1024() */
+} /* set_dhparams() */
                                                   
 /*-------------------------------------------------------------------------*/
 static int
@@ -506,8 +511,8 @@ tls_global_init (void)
         goto ssl_init_err;
     }
 
-    if (!set_dhe1024()
-     || !SSL_CTX_set_tmp_dh(context, dhe1024)
+    if (!set_dhparams()
+     || !SSL_CTX_set_tmp_dh(context, dhparams)
        )
     {
 #ifdef VERBOSE
@@ -564,10 +569,10 @@ ssl_init_err:
                          , time_stamp(), errstring);
         }
 
-        if (dhe1024 != NULL)
+        if (dhparams != NULL)
         {
-            DH_free(dhe1024);
-            dhe1024 = NULL;
+            DH_free(dhparams);
+            dhparams = NULL;
         }
 
         if (context != NULL)
@@ -642,10 +647,10 @@ tls_global_deinit (void)
 {
 #ifdef HAS_OPENSSL
 
-    if (dhe1024 != NULL)
+    if (dhparams != NULL)
     {
-        DH_free(dhe1024);
-        dhe1024 = NULL;
+        DH_free(dhparams);
+        dhparams = NULL;
     }
     if (context != NULL)
     {
diff --git a/src/version.sh b/src/version.sh
index 19c091f..bfb6220 100644
--- a/src/version.sh
+++ b/src/version.sh
@@ -17,7 +17,7 @@ version_longtype="stable"
 # A timestamp, to be used by bumpversion and other scripts.
 # It can be used, for example, to 'touch' this file on every build, thus
 # forcing revision control systems to add it on every checkin automatically.
-version_stamp="Thu Sep 29 11:49:32 CEST 2016"
+version_stamp="Wed Mar  1 16:59:51 CET 2017"
 
 # Okay, LDMUD is using 3.x.x so to avoid conflicts let's just use 4.x.x
 version_major=4