From d4c2fd4da8c2bf2b42a93a175fcfaafd7be6fce6 Mon Sep 17 00:00:00 2001
From: Yann Leboulanger
Date: Tue, 12 Nov 2013 21:10:22 +0100
Subject: [PATCH] [fedor] enable forward secrecy thanks to Diffie-Hellman parameters. Fixes #7555
---
 data/other/dh4096.pem | 18 ++++++++++++++++++
 src/common/jingle_xtls.py | 21 +++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 data/other/dh4096.pem
diff --git a/data/other/dh4096.pem b/data/other/dh4096.pem
new file mode 100644
index 000000000..1b35ad8e6
--- /dev/null
+++ b/data/other/dh4096.pem
@@ -0,0 +1,18 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ
+l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt
+Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS
+Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98
+VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc
+alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM
+sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9
+ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte
+OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH
+AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL
+KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=
+-----END DH PARAMETERS-----
+
+These are the 4096 bit DH parameters from "Assigned Number for SKIP Protocols"
+(http://www.skip-vpn.org/spec/numbers.html).
+See there for how they were generated.
+Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/src/common/jingle_xtls.py b/src/common/jingle_xtls.py
index 0df9c5b22..ff2003dcc 100644
--- a/src/common/jingle_xtls.py
+++ b/src/common/jingle_xtls.py
@@ -49,6 +49,8 @@ if PYOPENSSL_PRESENT: TYPE_DSA = crypto.TYPE_DSA SELF_SIGNED_CERTIFICATE = 'localcert' +DH_PARAMS = 'dh_params.pem' +DEFAULT_DH_PARAMS = 'dh4096.pem' def default_callback(connection, certificate, error_num, depth, return_code): log.info("certificate: %s" % certificate) @@ -106,6 +108,25 @@ def get_context(fingerprint, verify_cb=None): cert_name = os.path.join(gajim.MY_CERT_DIR, SELF_SIGNED_CERTIFICATE) ctx.use_privatekey_file (cert_name + '.pkey') ctx.use_certificate_file(cert_name + '.cert') + + # Try to load Diffie-Hellman parameters. + # First try user DH parameters, if this fails load the default DH parameters + dh_params_name = os.path.join(gajim.MY_CERT_DIR, DH_PARAMS) + try: + with open(dh_params_name, "r") as dh_params_file: + ctx.load_tmp_dh(dh_params_name) + except IOError as err: + log.warn('Unable to load DH parameter file: %s. You should generate it by using this command : "openssl dhparam 4096 -out ~/.local/share/gajim/dh_params.pem". This command take about 15 minutes to complete.' % dh_params_name) + default_dh_params_name = os.path.join(common.gajim.DATA_DIR, + 'other', DEFAULT_DH_PARAMS) + try: + with open(default_dh_params_name, "r") as default_dh_params_file: + ctx.load_tmp_dh(default_dh_params_name) + except IOError as err: + log.error('Unable to load default DH parameter file: %s , %s' + % (default_dh_params_name, err)) + raise + store = ctx.get_cert_store() for f in os.listdir(os.path.expanduser(gajim.MY_PEER_CERTS_PATH)): load_cert_file(os.path.join(os.path.expanduser(
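Review bot: In the block added to get_context (second hunk), both `except IOError` clauses only cover the `open()` probe, so a user-supplied `dh_params.pem` that is readable but malformed is not handled: as far as I know pyOpenSSL reports that from `ctx.load_tmp_dh()` as `OpenSSL.SSL.Error`, which would escape get_context instead of falling back to the bundled parameters (older releases may instead ignore it silently and leave the context without DH parameters). Assuming `SSL` is imported in this module alongside `crypto`, widen both handlers to `except (IOError, SSL.Error) as err:` and include `err` in the first log message as the second one already does. The fallback path is built from `common.gajim.DATA_DIR` while the rest of the function uses `gajim.MY_CERT_DIR`; unless `common` is bound as a name here, that line raises NameError exactly when the user file is missing, so `gajim.DATA_DIR` would be the consistent spelling. The warning also hard-codes `-out ~/.local/share/gajim/dh_params.pem`, which can differ from the `dh_params_name` actually opened; formatting the suggested command with `dh_params_name` keeps the two in step. get_context starts before and continues after this hunk, so the imports and the cipher configuration that decides whether DHE suites are offered are not visible here.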