[tor-commits] [tor/master] Only bother with dynamic DH moduli if we are a bridge.

nickm at torproject.org nickm at torproject.org
Tue Nov 29 23:33:59 UTC 2011


commit f477ddcc20d5fc8c130b630854947a337881cd23
Author: George Kadianakis <desnacked at gmail.com>
Date:   Fri Nov 25 17:44:43 2011 +0100

    Only bother with dynamic DH moduli if we are a bridge.
---
 src/or/config.c |   32 ++++++++++++++++++--------------
 1 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/src/or/config.c b/src/or/config.c
index d403dec..a846ca9 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -1363,22 +1363,26 @@ options_act(const or_options_t *old_options)
   }
 
   /* If needed, generate a new TLS DH prime according to the current torrc. */
-  if (!old_options) {
-    if (options->DynamicDHGroups) {
-      char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");
-      crypto_set_tls_dh_prime(fname);
-      tor_free(fname);
+  if (server_mode(options) && options->BridgeRelay) {
+    if (!old_options) {
+      if (options->DynamicDHGroups) {
+        char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");
+        crypto_set_tls_dh_prime(fname);
+        tor_free(fname);
+      } else {
+        crypto_set_tls_dh_prime(NULL);
+      }
     } else {
-      crypto_set_tls_dh_prime(NULL);
-    }
-  } else {
-    if (options->DynamicDHGroups && !old_options->DynamicDHGroups) {
-      char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");
-      crypto_set_tls_dh_prime(fname);
-      tor_free(fname);
-    } else if (!options->DynamicDHGroups && old_options->DynamicDHGroups) {
-      crypto_set_tls_dh_prime(NULL);
+      if (options->DynamicDHGroups && !old_options->DynamicDHGroups) {
+        char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");
+        crypto_set_tls_dh_prime(fname);
+        tor_free(fname);
+      } else if (!options->DynamicDHGroups && old_options->DynamicDHGroups) {
+        crypto_set_tls_dh_prime(NULL);
+      }
     }
+  } else { /* clients don't need a dynamic DH prime. */
+    crypto_set_tls_dh_prime(NULL);
   }
 
   /* We want to reinit keys as needed before we do much of anything else:
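Review bot: A relay switched to bridge mode while running never loads the dynamic modulus, because the `old_options` arm tests only `options->DynamicDHGroups && !old_options->DynamicDHGroups`. If DynamicDHGroups was already set before BridgeRelay was turned on, neither inner arm fires and the prime stays as the earlier `crypto_set_tls_dh_prime(NULL)` left it, presumably the built-in modulus. The bridge then keeps presenting the stock DH parameters even though the operator asked for a dynamic one. Comparing the effective state (bridge server with DynamicDHGroups) between old and new options, as sketched below, covers that transition and stops the reset from running on every pass for non-bridges; it assumes `server_mode()` may be called on `old_options`, which is not visible here. The `else` comment says "clients" although that arm also covers non-bridge relays, and `options_act` starts and ends outside the hunk.

```c
  /* If needed, generate a new TLS DH prime according to the current torrc. */
  {
    /* Only a bridge with DynamicDHGroups set wants its own modulus. */
    const int want_dynamic = server_mode(options) && options->BridgeRelay &&
                             options->DynamicDHGroups;
    const int had_dynamic = old_options && server_mode(old_options) &&
                            old_options->BridgeRelay &&
                            old_options->DynamicDHGroups;

    /* Act on startup and on any change of the effective setting. */
    if (!old_options || want_dynamic != had_dynamic) {
      if (want_dynamic) {
        char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");
        crypto_set_tls_dh_prime(fname);
        tor_free(fname);
      } else {
        crypto_set_tls_dh_prime(NULL);
      }
    }
  }
```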




