Introduce the DynamicPrimes configuration option.

2024-11-11 05:33:47 +01:00 · 2011-11-22 04:53:43 +01:00 · 2011-11-22 04:53:43 +01:00 · 659381e00d
commit 659381e00d
parent edec9409e8
9 changed files with 18 additions and 13 deletions
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@ -224,13 +224,15 @@ try_load_engine(const char *path, const char *engine)
 /** Initialize the crypto library.  Return 0 on success, -1 on failure.
 */
 int
-crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
+crypto_global_init(int useAccel, const char *accelName, const char *accelDir,
+                   int DynamicPrimes)
 {
  if (!_crypto_global_initialized) {
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    _crypto_global_initialized = 1;
    setup_openssl_threading();
+    use_dynamic_primes = DynamicPrimes;
    if (useAccel > 0) {
 #ifdef DISABLE_ENGINES
      (void)accelName;
@ -1815,6 +1817,8 @@ static BIGNUM *dh_param_p = NULL;
 static BIGNUM *dh_param_p_tls = NULL;
 /** Shared G parameter for our DH key exchanges. */
 static BIGNUM *dh_param_g = NULL;
+/** True if we use dynamic primes. */
+static int use_dynamic_primes = 0;

 /** Generate and return a reasonable and safe DH parameter p. */
 static BIGNUM *generate_rakshasa_prime(void)
@ -1871,13 +1875,8 @@ init_dh_param(void)
  r = BN_set_word(g, generator);
  tor_assert(r);

-  /* Are we generating a random DH parameter?*/
-  log_notice(LD_OR, "Do we want to generate a Rakshasa prime?");
-  rakshasa = get_rakshasa();
-  log_notice(LD_OR, "We think: %i?", rakshasa);
-
  /* This implements the prime number strategy outlined in prop 179 */
-  if (rakshasa == 1) {
+  if (use_dynamic_primes) {
    rakshasa_prime = generate_rakshasa_prime();
  }

--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@ -87,7 +87,8 @@ typedef struct crypto_dh_env_t crypto_dh_env_t;
 /* global state */
 int crypto_global_init(int hardwareAccel,
                       const char *accelName,
-                       const char *accelPath);
+                       const char *accelPath,
+                       int DynamicPrimes);
 void crypto_thread_cleanup(void);
 int crypto_global_cleanup(void);

--- a/src/or/config.c
+++ b/src/or/config.c
@ -247,6 +247,7 @@ static config_var_t _option_vars[] = {
  VAR("DirServer",               LINELIST, DirServers, NULL),
  V(DisableAllSwap,              BOOL,     "0"),
  V(DisableIOCP,                 BOOL,     "1"),
+  V(DynamicPrimes,               BOOL,     "1"),
  V(DNSPort,                     LINELIST, NULL),
  V(DNSListenAddress,            LINELIST, NULL),
  V(DownloadExtraInfo,           BOOL,     "0"),
--- a/src/or/main.c
+++ b/src/or/main.c
@ -2275,7 +2275,8 @@ tor_init(int argc, char *argv[])

  if (crypto_global_init(get_options()->HardwareAccel,
                         get_options()->AccelName,
-                         get_options()->AccelDir)) {
+                         get_options()->AccelDir,
+                         get_options()->DynamicPrimes)) {
    log_err(LD_BUG, "Unable to initialize OpenSSL. Exiting.");
    return -1;
  }
--- a/src/or/or.h
+++ b/src/or/or.h
@ -2873,6 +2873,8 @@ typedef struct {
  char *Address; /**< OR only: configured address for this onion router. */
  char *PidFile; /**< Where to store PID of Tor process. */

+  int DynamicPrimes; /**< Enable dynamic generation of primes for use in DH. */
+
  routerset_t *ExitNodes; /**< Structure containing nicknames, digests,
                           * country codes and IP address patterns of ORs to
                           * consider as exits. */
--- a/src/or/router.c
+++ b/src/or/router.c
@ -514,7 +514,8 @@ init_keys(void)
   * openssl to initialize itself. */
  if (crypto_global_init(get_options()->HardwareAccel,
                         get_options()->AccelName,
-                         get_options()->AccelDir)) {
+                         get_options()->AccelDir,
+                         get_options()->DynamicPrimes)) {
    log_err(LD_BUG, "Unable to initialize OpenSSL. Exiting.");
    return -1;
  }
--- a/src/test/test.c
+++ b/src/test/test.c
@ -1903,7 +1903,7 @@ main(int c, const char **v)
  }

  options->command = CMD_RUN_UNITTESTS;
-  if (crypto_global_init(0, NULL, NULL)) {
+  if (crypto_global_init(0, NULL, NULL, 1)) {
    printf("Can't initialize crypto subsystem; exiting.\n");
    return 1;
  }
--- a/src/tools/tor-checkkey.c
+++ b/src/tools/tor-checkkey.c
@ -31,7 +31,7 @@ main(int c, char **v)
    return 1;
  }

-  if (crypto_global_init(0, NULL, NULL)) {
+  if (crypto_global_init(0, NULL, NULL, 0)) {
    fprintf(stderr, "Couldn't initialize crypto library.\n");
    return 1;
  }
--- a/src/tools/tor-gencert.c
+++ b/src/tools/tor-gencert.c
@ -508,7 +508,7 @@ main(int argc, char **argv)
  init_logging();

  /* Don't bother using acceleration. */
-  if (crypto_global_init(0, NULL, NULL)) {
+  if (crypto_global_init(0, NULL, NULL, 0)) {
    fprintf(stderr, "Couldn't initialize crypto library.\n");
    return 1;
  }