diff options
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/crypto.c | 70 | ||||
-rw-r--r-- | src/common/crypto.h | 5 |
2 files changed, 61 insertions, 14 deletions
diff --git a/src/common/crypto.c b/src/common/crypto.c index a3c292324b..c6285e5ce9 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1851,7 +1851,7 @@ crypto_generate_dynamic_prime(void) /** Store our dynamic prime to <b>fname</b> for future use. */ int -router_store_dynamic_prime(const char *fname) +crypto_store_dynamic_prime(const char *fname) { FILE *fp = NULL; int retval = -1; @@ -1889,13 +1889,61 @@ router_store_dynamic_prime(const char *fname) return retval; } +/** Return the dynamic prime stored in <b>fname</b>. If there is no + dynamic prime stored in <b>fname</b>, return NULL. */ +static BIGNUM * +crypto_get_stored_dynamic_prime(const char *fname) +{ + int retval; + char *contents = NULL; + BIGNUM *dynamic_prime = BN_new(); + + tor_assert(fname); + + if (!dynamic_prime) + goto err; + + contents = read_file_to_str(fname, RFTS_IGNORE_MISSING, NULL); + if (!contents) + goto err; + + retval = BN_hex2bn(&dynamic_prime, contents); + if (!retval) { + log_notice(LD_GENERAL, "Could not understand the dynamic prime " + "format in '%s'", fname); + goto err; + } + + { /* log the dynamic prime: */ + char *s = BN_bn2hex(dynamic_prime); + tor_assert(s); + log_info(LD_OR, "Found stored dynamic prime: [%s]", s); + OPENSSL_free(s); + } + + goto done; + + err: + if (dynamic_prime) { + BN_free(dynamic_prime); + dynamic_prime = NULL; + } + + done: + tor_free(contents); + + return dynamic_prime; +} + + /** Set the global TLS Diffie-Hellman modulus. - * If <b>use_dynamic_primes</b> is <em>not</em> set, use the prime - * modulus of mod_ssl. - * If <b>use_dynamic_primes</b> is set, use <b>stored_dynamic_prime</b> - * if it exists, otherwise generate and use a new prime modulus. */ + * If <b>dynamic_prime_fname</b> is set, try to read a dynamic prime + * off it and use it as the DH modulus. If that's not possible, + * generate a new dynamic prime. + * If <b>dynamic_prime_fname</b> is NULL, use the Apache mod_ssl DH + * modulus. */ void -crypto_set_tls_dh_prime(int use_dynamic_primes, BIGNUM *stored_dynamic_prime) +crypto_set_tls_dh_prime(const char *dynamic_prime_fname) { BIGNUM *tls_prime = NULL; int r; @@ -1906,11 +1954,11 @@ crypto_set_tls_dh_prime(int use_dynamic_primes, BIGNUM *stored_dynamic_prime) dh_param_p_tls = NULL; } - if (use_dynamic_primes) { /* use dynamic primes: */ - if (stored_dynamic_prime) { - log_info(LD_OR, "Using stored dynamic prime."); - tls_prime = stored_dynamic_prime; - } else { + if (dynamic_prime_fname) { /* use dynamic primes: */ + log_info(LD_OR, "Using stored dynamic prime."); + tls_prime = crypto_get_stored_dynamic_prime(dynamic_prime_fname); + + if (!tls_prime) { log_info(LD_OR, "Generating fresh dynamic prime."); tls_prime = crypto_generate_dynamic_prime(); } diff --git a/src/common/crypto.h b/src/common/crypto.h index 8c99dd7a37..20298b3c49 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -95,9 +95,8 @@ int crypto_global_cleanup(void); crypto_pk_env_t *crypto_new_pk_env(void); void crypto_free_pk_env(crypto_pk_env_t *env); -void crypto_set_tls_dh_prime(int use_dynamic_primes, - BIGNUM *stored_dynamic_prime); -int router_store_dynamic_prime(const char *fname); +void crypto_set_tls_dh_prime(const char *dynamic_prime_fname); +int crypto_store_dynamic_prime(const char *fname); /* convenience function: wraps crypto_create_crypto_env, set_key, and init. */ crypto_cipher_env_t *crypto_create_init_cipher(const char *key, |