diff options
| author | jsing <> | 2014-10-31 15:25:55 +0000 |
|---|---|---|
| committer | jsing <> | 2014-10-31 15:25:55 +0000 |
| commit | cd2b36b32fa0f08a47812cf4bc77f005cbba8fc4 (patch) | |
| tree | 10ac57418996f21ce78687efb7443c1a142dd4a1 /src/lib/libssl/s3_srvr.c | |
| parent | 911a534951a7133a0e7f2314d3a57682c584c2f7 (diff) | |
| download | openbsd-cd2b36b32fa0f08a47812cf4bc77f005cbba8fc4.tar.gz openbsd-cd2b36b32fa0f08a47812cf4bc77f005cbba8fc4.tar.bz2 openbsd-cd2b36b32fa0f08a47812cf4bc77f005cbba8fc4.zip | |
Add support for automatic DH ephemeral keys.
This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.
Partly based on OpenSSL.
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 1b97895f76..3a311fbfb6 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.89 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1360,10 +1360,21 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1360 | r[0] = r[1] = r[2] = r[3] = NULL; | 1360 | r[0] = r[1] = r[2] = r[3] = NULL; |
| 1361 | n = 0; | 1361 | n = 0; |
| 1362 | if (type & SSL_kDHE) { | 1362 | if (type & SSL_kDHE) { |
| 1363 | dhp = cert->dh_tmp; | 1363 | if (s->cert->dh_tmp_auto != 0) { |
| 1364 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) | 1364 | if ((dhp = ssl_get_auto_dh(s)) == NULL) { |
| 1365 | al = SSL_AD_INTERNAL_ERROR; | ||
| 1366 | SSLerr( | ||
| 1367 | SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | ||
| 1368 | ERR_R_INTERNAL_ERROR); | ||
| 1369 | goto f_err; | ||
| 1370 | } | ||
| 1371 | } else | ||
| 1372 | dhp = cert->dh_tmp; | ||
| 1373 | |||
| 1374 | if (dhp == NULL && s->cert->dh_tmp_cb != NULL) | ||
| 1365 | dhp = s->cert->dh_tmp_cb(s, 0, | 1375 | dhp = s->cert->dh_tmp_cb(s, 0, |
| 1366 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); | 1376 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); |
| 1377 | |||
| 1367 | if (dhp == NULL) { | 1378 | if (dhp == NULL) { |
| 1368 | al = SSL_AD_HANDSHAKE_FAILURE; | 1379 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1369 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | 1380 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, |
| @@ -1377,7 +1388,9 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1377 | goto err; | 1388 | goto err; |
| 1378 | } | 1389 | } |
| 1379 | 1390 | ||
| 1380 | if ((dh = DHparams_dup(dhp)) == NULL) { | 1391 | if (s->cert->dh_tmp_auto != 0) { |
| 1392 | dh = dhp; | ||
| 1393 | } else if ((dh = DHparams_dup(dhp)) == NULL) { | ||
| 1381 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | 1394 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, |
| 1382 | ERR_R_DH_LIB); | 1395 | ERR_R_DH_LIB); |
| 1383 | goto err; | 1396 | goto err; |