summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjsing <>2014-10-31 16:56:00 +0000
committerjsing <>2014-10-31 16:56:00 +0000
commitd76680694a8ae9d87e1bbbe277258ec62eba8580 (patch)
treee37efe3adc18b7d9d993ffd3576628a57a26f550 /src
parent11c8f53bbe792a97f9a752172d89126aacba9a31 (diff)
downloadopenbsd-d76680694a8ae9d87e1bbbe277258ec62eba8580.tar.gz
openbsd-d76680694a8ae9d87e1bbbe277258ec62eba8580.tar.bz2
openbsd-d76680694a8ae9d87e1bbbe277258ec62eba8580.zip
Use automatic DH ephemeral parameters instead of fixed 512 bit.
Based on OpenSSL.
Diffstat (limited to '')
-rw-r--r--src/usr.bin/openssl/s_server.c61
1 files changed, 23 insertions, 38 deletions
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 6f87819d1e..5987f76e1c 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s_server.c,v 1.3 2014/10/22 13:54:03 jsing Exp $ */ 1/* $OpenBSD: s_server.c,v 1.4 2014/10/31 16:56:00 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -190,40 +190,10 @@ generate_session_id(const SSL * ssl, unsigned char *id,
190 unsigned int *id_len); 190 unsigned int *id_len);
191#ifndef OPENSSL_NO_DH 191#ifndef OPENSSL_NO_DH
192static DH *load_dh_param(const char *dhfile); 192static DH *load_dh_param(const char *dhfile);
193static DH *get_dh512(void);
194#endif 193#endif
195 194
196static void s_server_init(void); 195static void s_server_init(void);
197 196
198#ifndef OPENSSL_NO_DH
199static unsigned char dh512_p[] = {
200 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
201 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
202 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
203 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
204 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
205 0x47, 0x74, 0xE8, 0x33,
206};
207static unsigned char dh512_g[] = {
208 0x02,
209};
210
211static DH *
212get_dh512(void)
213{
214 DH *dh = NULL;
215
216 if ((dh = DH_new()) == NULL)
217 return (NULL);
218 dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
219 dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
220 if ((dh->p == NULL) || (dh->g == NULL))
221 return (NULL);
222 return (dh);
223}
224#endif
225
226
227/* static int load_CA(SSL_CTX *ctx, char *file);*/ 197/* static int load_CA(SSL_CTX *ctx, char *file);*/
228 198
229#define BUFSIZZ 16*1024 199#define BUFSIZZ 16*1024
@@ -1149,15 +1119,22 @@ bad:
1149 else if (s_cert_file) 1119 else if (s_cert_file)
1150 dh = load_dh_param(s_cert_file); 1120 dh = load_dh_param(s_cert_file);
1151 1121
1152 if (dh != NULL) { 1122 if (dh != NULL)
1153 BIO_printf(bio_s_out, "Setting temp DH parameters\n"); 1123 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
1154 } else { 1124 else
1155 BIO_printf(bio_s_out, "Using default temp DH parameters\n"); 1125 BIO_printf(bio_s_out, "Using auto DH parameters\n");
1156 dh = get_dh512();
1157 }
1158 (void) BIO_flush(bio_s_out); 1126 (void) BIO_flush(bio_s_out);
1159 1127
1160 SSL_CTX_set_tmp_dh(ctx, dh); 1128 if (dh == NULL)
1129 SSL_CTX_set_dh_auto(ctx, 1);
1130 else if (!SSL_CTX_set_tmp_dh(ctx, dh)) {
1131 BIO_printf(bio_err,
1132 "Error setting temp DH parameters\n");
1133 ERR_print_errors(bio_err);
1134 DH_free(dh);
1135 goto end;
1136 }
1137
1161#ifndef OPENSSL_NO_TLSEXT 1138#ifndef OPENSSL_NO_TLSEXT
1162 if (ctx2) { 1139 if (ctx2) {
1163 if (!dhfile) { 1140 if (!dhfile) {
@@ -1170,7 +1147,15 @@ bad:
1170 dh = dh2; 1147 dh = dh2;
1171 } 1148 }
1172 } 1149 }
1173 SSL_CTX_set_tmp_dh(ctx2, dh); 1150 if (dh == NULL)
1151 SSL_CTX_set_dh_auto(ctx2, 1);
1152 else if (!SSL_CTX_set_tmp_dh(ctx2, dh)) {
1153 BIO_printf(bio_err,
1154 "Error setting temp DH parameters\n");
1155 ERR_print_errors(bio_err);
1156 DH_free(dh);
1157 goto end;
1158 }
1174 } 1159 }
1175#endif 1160#endif
1176 DH_free(dh); 1161 DH_free(dh);