From: Simon Ruderich <simon@ruderich.org>
Date: Thu, 8 Aug 2013 19:02:13 +0000 (+0200)
Subject: Use pre-generated Diffie-Hellman parameters.
X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=commitdiff_plain;h=219d904b7d12173ee93d016fe1a2cb8ae32eea9c

Use pre-generated Diffie-Hellman parameters.

This is much faster than generation them on each start and allows us to
use larger parameter sizes.
---

diff --git a/.gitignore b/.gitignore
index 2dfad82..9ebffca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,5 +29,6 @@
 /tests/client
 /tests/proxy-ca-key.pem
 /tests/proxy-ca.pem
+/tests/proxy-dh.pem
 /tests/proxy-invalid.pem
 /tests/proxy-key.pem
diff --git a/NEWS b/NEWS
index 4327d39..30b8672 100644
--- a/NEWS
+++ b/NEWS
@@ -4,14 +4,22 @@ NEWS
 0.X
 ---
 
+- Important: The file proxy-dh.pem is now required. tlsproxy-setup creates it,
+  but running it will overwrite the existing proxy-*.pem files. To create only
+  proxy-dh.pem use:
+
+    certtool --generate-dh-params --sec-param high --outfile proxy-dh.pem
+
 - Add -a option, authentication for tlsproxy via basic digest authentication.
+- Use pre-generated Diffie-Hellman parameters in proxy-dh.pem.
 - Code cleanup.
 - Better error handling.
 - Fix compile with recent GnuTLS (e.g. 3.2.3).
 - Improve (error) logging; log to stderr.
 - Add (basic) man pages.
 - Improve test suite.
-- tlsproxy-setup: Increase expiry-date and use larger private key.
+- tlsproxy-setup: Increase expiry-date and use larger private key, generate
+                  proxy-dh.pem.
 
 
 0.2
diff --git a/README b/README
index 31d64f9..b0124c1 100644
--- a/README
+++ b/README
@@ -24,6 +24,7 @@ This creates the following files:
 
 - `proxy-ca.pem`:      CA which is used for all connections to the client
 - `proxy-ca-key.pem`:  private key for the CA
+- `proxy-dh.pem`:      Diffie-Hellman parameters for the proxy
 - `proxy-key.pem`:     private key for the proxy
 - `proxy-invalid.pem`: special certificate used for invalid pages
 
diff --git a/man/tlsproxy-setup.txt b/man/tlsproxy-setup.txt
index e04e9f1..9e482f3 100644
--- a/man/tlsproxy-setup.txt
+++ b/man/tlsproxy-setup.txt
@@ -23,6 +23,7 @@ It creates the following files in the current directory:
 
 - proxy-ca.pem
 - proxy-ca-key.pem
+- proxy-dh.pem
 - proxy-key.pem
 - proxy-invalid.pem
 
diff --git a/src/tlsproxy-setup b/src/tlsproxy-setup
index 4b57a22..d553404 100755
--- a/src/tlsproxy-setup
+++ b/src/tlsproxy-setup
@@ -59,4 +59,9 @@ certtool --generate-self-signed \
 
 rm "$tempfile"
 
+# Generate proxy Diffie-Hellman parameters.
+certtool --generate-dh-params \
+         --sec-param high \
+         --outfile proxy-dh.pem
+
 echo done
diff --git a/src/tlsproxy.c b/src/tlsproxy.c
index 3d9e80f..fed3799 100644
--- a/src/tlsproxy.c
+++ b/src/tlsproxy.c
@@ -42,9 +42,6 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL;
 /* Size of ringbuffer. */
 #define RINGBUFFER_SIZE 10
 
-/* Bit size of Diffie-Hellman key exchange parameters. */
-#define DH_SIZE 1024
-
 
 /* For gnutls_*() functions. */
 #define GNUTLS_ERROR_EXIT(error, message) \
@@ -373,6 +370,9 @@ static void log_function_gnutls(int level, const char *string) {
 
 static void initialize_gnutls(void) {
     int result;
+    char *dh_parameters;
+    gnutls_datum_t dh_parameters_datum;
+
 /* Recent versions of GnuTLS automatically initialize the cryptography layer
  * in gnutls_global_init(). */
 #if GNUTLS_VERSION_NUMBER <= 0x020b00
@@ -407,11 +407,24 @@ static void initialize_gnutls(void) {
     result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL);
     GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()");
 
-    /* Generate Diffie-Hellman parameters. */
+    /* Read Diffie-Hellman parameters. */
+    dh_parameters = slurp_text_file(PROXY_DH_PATH);
+    if (dh_parameters == NULL) {
+        fprintf(stderr, PROXY_DH_PATH " missing, "
+                        "use `tlsproxy-setup` to create it\n");
+        exit(EXIT_FAILURE);
+    }
+    dh_parameters_datum.data = (unsigned char *)dh_parameters;
+    dh_parameters_datum.size = strlen(dh_parameters);
+
     result = gnutls_dh_params_init(&global_tls_dh_params);
     GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()");
-    result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE);
-    GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()");
+    result = gnutls_dh_params_import_pkcs3(global_tls_dh_params,
+                                           &dh_parameters_datum,
+                                           GNUTLS_X509_FMT_PEM);
+    GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_import_pkcs3()");
+
+    free(dh_parameters);
 }
 static void deinitialize_gnutls(void) {
     gnutls_dh_params_deinit(global_tls_dh_params);
diff --git a/src/tlsproxy.h b/src/tlsproxy.h
index b3dcf7f..d244b8d 100644
--- a/src/tlsproxy.h
+++ b/src/tlsproxy.h
@@ -33,9 +33,10 @@
 /* Length for path arrays. */
 #define TLSPROXY_MAX_PATH_LENGTH 1024
 
-/* Paths to necessary TLS files: the CA and the server key. */
+/* Paths to necessary TLS files: the CA, the server key and DH parameters. */
 #define PROXY_CA_PATH  "proxy-ca.pem"
 #define PROXY_KEY_PATH "proxy-key.pem"
+#define PROXY_DH_PATH  "proxy-dh.pem"
 /* Path to special "invalid" certificate send to the client when an error
  * occurs. */
 #define PROXY_INVALID_CERT_PATH "proxy-invalid.pem"
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 81d4ce7..e727055 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -7,6 +7,7 @@ dist_check_DATA = server-bad.pem server-key.pem server.pem
 CLEANFILES = \
 	proxy-ca-key.pem \
 	proxy-ca.pem \
+	proxy-dh.pem \
 	proxy-invalid.pem \
 	proxy-key.pem \
 	tmp
diff --git a/tests/common.sh b/tests/common.sh
index 893eec1..68ff879 100644
--- a/tests/common.sh
+++ b/tests/common.sh
@@ -48,6 +48,7 @@ tlsproxy_setup() {
     # present.
     if test -f proxy-ca-key.pem &&
             test -f proxy-ca.pem &&
+            test -f proxy-dh.pem &&
             test -f proxy-invalid.pem &&
             test -f proxy-key.pem
     then