Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation based on parameters determined by the specified key bits. Convert the existing DHE auto parameter selection code into a function that just tells us how many key bits to use. Untangle and rework the server side DHE key exchange to use the ssl_kex_* functions. ok inoguchi@ tb@
author: jsing <> 2021-12-04 14:03:22 +0000
committer: jsing <> 2021-12-04 14:03:22 +0000
commit: 553bc9b478f48580c6c51ddaa65c906cac0ee4e7 (patch)
tree: eaa42a538f5b252c276e4477b5f4bd6b0fd7a981 /src/lib/libssl/ssl_kex.c
parent: 7747938abe289fe6b8f9dd672e16cfcfcbdf8c95 (diff)
download: openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.tar.gz
openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.tar.bz2
openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.zip
1 files changed, 46 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_kex.c b/src/lib/libssl/ssl_kex.c
index 639981bec9..78b528b168 100644
--- a/src/lib/libssl/ssl_kex.c
+++ b/src/lib/libssl/ssl_kex.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: ssl_kex.c,v 1.7 2021/12/04 13:50:35 jsing Exp $ */
+/* $OpenBSD: ssl_kex.c,v 1.8 2021/12/04 14:03:22 jsing Exp $ */
 /*
- * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -17,6 +17,7 @@
 #include <stdlib.h>
+#include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/ec.h>
 #include <openssl/ecdh.h>
@@ -40,7 +41,50 @@ ssl_kex_generate_dhe(DH *dh, DH *dh_params)
        if (!DH_set0_pqg(dh, p, NULL, g))
                goto err;
+        p = NULL;
+        g = NULL;
+        if (!DH_generate_key(dh))
+                goto err;
+        ret = 1;
+ err:
+        BN_free(p);
+        BN_free(g);
+        return ret;
+}
+int
+ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_bits)
+{
+        BIGNUM *p = NULL, *g = NULL;
+        int ret = 0;
+        if (key_bits >= 8192)
+                p = get_rfc3526_prime_8192(NULL);
+        else if (key_bits >= 4096)
+                p = get_rfc3526_prime_4096(NULL);
+        else if (key_bits >= 3072)
+                p = get_rfc3526_prime_3072(NULL);
+        else if (key_bits >= 2048)
+                p = get_rfc3526_prime_2048(NULL);
+        else if (key_bits >= 1536)
+                p = get_rfc3526_prime_1536(NULL);
+        else
+                p = get_rfc2409_prime_1024(NULL);
+        if (p == NULL)
+                goto err;
+        if ((g = BN_new()) == NULL)
+                goto err;
+        if (!BN_set_word(g, 2))
+                goto err;
+        if (!DH_set0_pqg(dh, p, NULL, g))
+                goto err;
        p = NULL;
        g = NULL;
author	jsing <>	2021-12-04 14:03:22 +0000
committer	jsing <>	2021-12-04 14:03:22 +0000
commit	553bc9b478f48580c6c51ddaa65c906cac0ee4e7 (patch)
tree	eaa42a538f5b252c276e4477b5f4bd6b0fd7a981 /src/lib/libssl/ssl_kex.c
parent	7747938abe289fe6b8f9dd672e16cfcfcbdf8c95 (diff)
download	openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.tar.gz openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.tar.bz2 openbsd-553bc9b478f48580c6c51ddaa65c906cac0ee4e7.zip

diff --git a/src/lib/libssl/ssl_kex.c b/src/lib/libssl/ssl_kex.c index 639981bec9..78b528b168 100644 --- a/src/lib/libssl/ssl_kex.c +++ b/src/lib/libssl/ssl_kex.c
@@ -1,6 +1,6 @@
1	/* $OpenBSD: ssl_kex.c,v 1.7 2021/12/04 13:50:35 jsing Exp $ */	1	/* $OpenBSD: ssl_kex.c,v 1.8 2021/12/04 14:03:22 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
4	*	4	*
5	* Permission to use, copy, modify, and distribute this software for any	5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above	6	* purpose with or without fee is hereby granted, provided that the above
@@ -17,6 +17,7 @@
17		17
18	#include <stdlib.h>	18	#include <stdlib.h>
19		19
		20	#include <openssl/bn.h>
20	#include <openssl/dh.h>	21	#include <openssl/dh.h>
21	#include <openssl/ec.h>	22	#include <openssl/ec.h>
22	#include <openssl/ecdh.h>	23	#include <openssl/ecdh.h>
@@ -40,7 +41,50 @@ ssl_kex_generate_dhe(DH dh, DH dh_params)
40		41
41	if (!DH_set0_pqg(dh, p, NULL, g))	42	if (!DH_set0_pqg(dh, p, NULL, g))
42	goto err;	43	goto err;
		44	p = NULL;
		45	g = NULL;
		46
		47	if (!DH_generate_key(dh))
		48	goto err;
		49
		50	ret = 1;
		51
		52	err:
		53	BN_free(p);
		54	BN_free(g);
		55
		56	return ret;
		57	}
43		58
		59	int
		60	ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_bits)
		61	{
		62	BIGNUM p = NULL, g = NULL;
		63	int ret = 0;
		64
		65	if (key_bits >= 8192)
		66	p = get_rfc3526_prime_8192(NULL);
		67	else if (key_bits >= 4096)
		68	p = get_rfc3526_prime_4096(NULL);
		69	else if (key_bits >= 3072)
		70	p = get_rfc3526_prime_3072(NULL);
		71	else if (key_bits >= 2048)
		72	p = get_rfc3526_prime_2048(NULL);
		73	else if (key_bits >= 1536)
		74	p = get_rfc3526_prime_1536(NULL);
		75	else
		76	p = get_rfc2409_prime_1024(NULL);
		77
		78	if (p == NULL)
		79	goto err;
		80
		81	if ((g = BN_new()) == NULL)
		82	goto err;
		83	if (!BN_set_word(g, 2))
		84	goto err;
		85
		86	if (!DH_set0_pqg(dh, p, NULL, g))
		87	goto err;
44	p = NULL;	88	p = NULL;
45	g = NULL;	89	g = NULL;
46		90