diff options
| author | jsing <> | 2014-10-31 15:25:55 +0000 |
|---|---|---|
| committer | jsing <> | 2014-10-31 15:25:55 +0000 |
| commit | cd2b36b32fa0f08a47812cf4bc77f005cbba8fc4 (patch) | |
| tree | 10ac57418996f21ce78687efb7443c1a142dd4a1 /src | |
| parent | 911a534951a7133a0e7f2314d3a57682c584c2f7 (diff) | |
| download | openbsd-cd2b36b32fa0f08a47812cf4bc77f005cbba8fc4.tar.gz openbsd-cd2b36b32fa0f08a47812cf4bc77f005cbba8fc4.tar.bz2 openbsd-cd2b36b32fa0f08a47812cf4bc77f005cbba8fc4.zip | |
Add support for automatic DH ephemeral keys.
This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.
Partly based on OpenSSL.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 30 | ||||
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 21 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_lib.c | 30 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_srvr.c | 21 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl.h | 8 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_cert.c | 3 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_lib.c | 53 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_locl.h | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl.h | 8 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_cert.c | 3 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 53 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 4 |
12 files changed, 194 insertions, 44 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 08c5111129..21f1367442 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.83 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.84 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1994,13 +1994,15 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
| 1994 | ret = 1; | 1994 | ret = 1; |
| 1995 | } | 1995 | } |
| 1996 | break; | 1996 | break; |
| 1997 | |||
| 1997 | case SSL_CTRL_SET_TMP_DH_CB: | 1998 | case SSL_CTRL_SET_TMP_DH_CB: |
| 1998 | { | 1999 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 1999 | SSLerr(SSL_F_SSL3_CTRL, | 2000 | return (ret); |
| 2000 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | 2001 | |
| 2001 | return (ret); | 2002 | case SSL_CTRL_SET_DH_AUTO: |
| 2002 | } | 2003 | s->cert->dh_tmp_auto = larg; |
| 2003 | break; | 2004 | return 1; |
| 2005 | |||
| 2004 | case SSL_CTRL_SET_TMP_ECDH: | 2006 | case SSL_CTRL_SET_TMP_ECDH: |
| 2005 | { | 2007 | { |
| 2006 | EC_KEY *ecdh = NULL; | 2008 | EC_KEY *ecdh = NULL; |
| @@ -2183,13 +2185,15 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
| 2183 | return 1; | 2185 | return 1; |
| 2184 | } | 2186 | } |
| 2185 | /*break; */ | 2187 | /*break; */ |
| 2188 | |||
| 2186 | case SSL_CTRL_SET_TMP_DH_CB: | 2189 | case SSL_CTRL_SET_TMP_DH_CB: |
| 2187 | { | 2190 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 2188 | SSLerr(SSL_F_SSL3_CTX_CTRL, | 2191 | return (0); |
| 2189 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | 2192 | |
| 2190 | return (0); | 2193 | case SSL_CTRL_SET_DH_AUTO: |
| 2191 | } | 2194 | ctx->cert->dh_tmp_auto = larg; |
| 2192 | break; | 2195 | return (1); |
| 2196 | |||
| 2193 | case SSL_CTRL_SET_TMP_ECDH: | 2197 | case SSL_CTRL_SET_TMP_ECDH: |
| 2194 | { | 2198 | { |
| 2195 | EC_KEY *ecdh = NULL; | 2199 | EC_KEY *ecdh = NULL; |
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 1b97895f76..3a311fbfb6 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.89 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1360,10 +1360,21 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1360 | r[0] = r[1] = r[2] = r[3] = NULL; | 1360 | r[0] = r[1] = r[2] = r[3] = NULL; |
| 1361 | n = 0; | 1361 | n = 0; |
| 1362 | if (type & SSL_kDHE) { | 1362 | if (type & SSL_kDHE) { |
| 1363 | dhp = cert->dh_tmp; | 1363 | if (s->cert->dh_tmp_auto != 0) { |
| 1364 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) | 1364 | if ((dhp = ssl_get_auto_dh(s)) == NULL) { |
| 1365 | al = SSL_AD_INTERNAL_ERROR; | ||
| 1366 | SSLerr( | ||
| 1367 | SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | ||
| 1368 | ERR_R_INTERNAL_ERROR); | ||
| 1369 | goto f_err; | ||
| 1370 | } | ||
| 1371 | } else | ||
| 1372 | dhp = cert->dh_tmp; | ||
| 1373 | |||
| 1374 | if (dhp == NULL && s->cert->dh_tmp_cb != NULL) | ||
| 1365 | dhp = s->cert->dh_tmp_cb(s, 0, | 1375 | dhp = s->cert->dh_tmp_cb(s, 0, |
| 1366 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); | 1376 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); |
| 1377 | |||
| 1367 | if (dhp == NULL) { | 1378 | if (dhp == NULL) { |
| 1368 | al = SSL_AD_HANDSHAKE_FAILURE; | 1379 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1369 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | 1380 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, |
| @@ -1377,7 +1388,9 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1377 | goto err; | 1388 | goto err; |
| 1378 | } | 1389 | } |
| 1379 | 1390 | ||
| 1380 | if ((dh = DHparams_dup(dhp)) == NULL) { | 1391 | if (s->cert->dh_tmp_auto != 0) { |
| 1392 | dh = dhp; | ||
| 1393 | } else if ((dh = DHparams_dup(dhp)) == NULL) { | ||
| 1381 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | 1394 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, |
| 1382 | ERR_R_DH_LIB); | 1395 | ERR_R_DH_LIB); |
| 1383 | goto err; | 1396 | goto err; |
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index 08c5111129..21f1367442 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.83 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.84 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1994,13 +1994,15 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
| 1994 | ret = 1; | 1994 | ret = 1; |
| 1995 | } | 1995 | } |
| 1996 | break; | 1996 | break; |
| 1997 | |||
| 1997 | case SSL_CTRL_SET_TMP_DH_CB: | 1998 | case SSL_CTRL_SET_TMP_DH_CB: |
| 1998 | { | 1999 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 1999 | SSLerr(SSL_F_SSL3_CTRL, | 2000 | return (ret); |
| 2000 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | 2001 | |
| 2001 | return (ret); | 2002 | case SSL_CTRL_SET_DH_AUTO: |
| 2002 | } | 2003 | s->cert->dh_tmp_auto = larg; |
| 2003 | break; | 2004 | return 1; |
| 2005 | |||
| 2004 | case SSL_CTRL_SET_TMP_ECDH: | 2006 | case SSL_CTRL_SET_TMP_ECDH: |
| 2005 | { | 2007 | { |
| 2006 | EC_KEY *ecdh = NULL; | 2008 | EC_KEY *ecdh = NULL; |
| @@ -2183,13 +2185,15 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
| 2183 | return 1; | 2185 | return 1; |
| 2184 | } | 2186 | } |
| 2185 | /*break; */ | 2187 | /*break; */ |
| 2188 | |||
| 2186 | case SSL_CTRL_SET_TMP_DH_CB: | 2189 | case SSL_CTRL_SET_TMP_DH_CB: |
| 2187 | { | 2190 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 2188 | SSLerr(SSL_F_SSL3_CTX_CTRL, | 2191 | return (0); |
| 2189 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | 2192 | |
| 2190 | return (0); | 2193 | case SSL_CTRL_SET_DH_AUTO: |
| 2191 | } | 2194 | ctx->cert->dh_tmp_auto = larg; |
| 2192 | break; | 2195 | return (1); |
| 2196 | |||
| 2193 | case SSL_CTRL_SET_TMP_ECDH: | 2197 | case SSL_CTRL_SET_TMP_ECDH: |
| 2194 | { | 2198 | { |
| 2195 | EC_KEY *ecdh = NULL; | 2199 | EC_KEY *ecdh = NULL; |
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 1b97895f76..3a311fbfb6 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.89 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1360,10 +1360,21 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1360 | r[0] = r[1] = r[2] = r[3] = NULL; | 1360 | r[0] = r[1] = r[2] = r[3] = NULL; |
| 1361 | n = 0; | 1361 | n = 0; |
| 1362 | if (type & SSL_kDHE) { | 1362 | if (type & SSL_kDHE) { |
| 1363 | dhp = cert->dh_tmp; | 1363 | if (s->cert->dh_tmp_auto != 0) { |
| 1364 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) | 1364 | if ((dhp = ssl_get_auto_dh(s)) == NULL) { |
| 1365 | al = SSL_AD_INTERNAL_ERROR; | ||
| 1366 | SSLerr( | ||
| 1367 | SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | ||
| 1368 | ERR_R_INTERNAL_ERROR); | ||
| 1369 | goto f_err; | ||
| 1370 | } | ||
| 1371 | } else | ||
| 1372 | dhp = cert->dh_tmp; | ||
| 1373 | |||
| 1374 | if (dhp == NULL && s->cert->dh_tmp_cb != NULL) | ||
| 1365 | dhp = s->cert->dh_tmp_cb(s, 0, | 1375 | dhp = s->cert->dh_tmp_cb(s, 0, |
| 1366 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); | 1376 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); |
| 1377 | |||
| 1367 | if (dhp == NULL) { | 1378 | if (dhp == NULL) { |
| 1368 | al = SSL_AD_HANDSHAKE_FAILURE; | 1379 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1369 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | 1380 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, |
| @@ -1377,7 +1388,9 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1377 | goto err; | 1388 | goto err; |
| 1378 | } | 1389 | } |
| 1379 | 1390 | ||
| 1380 | if ((dh = DHparams_dup(dhp)) == NULL) { | 1391 | if (s->cert->dh_tmp_auto != 0) { |
| 1392 | dh = dhp; | ||
| 1393 | } else if ((dh = DHparams_dup(dhp)) == NULL) { | ||
| 1381 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | 1394 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, |
| 1382 | ERR_R_DH_LIB); | 1395 | ERR_R_DH_LIB); |
| 1383 | goto err; | 1396 | goto err; |
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index 2b1ceaf2c7..350d6fb4d1 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.68 2014/10/15 13:57:21 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.69 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1429,6 +1429,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) | |||
| 1429 | 1429 | ||
| 1430 | #define SSL_CTRL_SET_ECDH_AUTO 94 | 1430 | #define SSL_CTRL_SET_ECDH_AUTO 94 |
| 1431 | 1431 | ||
| 1432 | #define SSL_CTRL_SET_DH_AUTO 118 | ||
| 1433 | |||
| 1432 | #define DTLSv1_get_timeout(ssl, arg) \ | 1434 | #define DTLSv1_get_timeout(ssl, arg) \ |
| 1433 | SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) | 1435 | SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) |
| 1434 | #define DTLSv1_handle_timeout(ssl) \ | 1436 | #define DTLSv1_handle_timeout(ssl) \ |
| @@ -1453,6 +1455,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) | |||
| 1453 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh) | 1455 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh) |
| 1454 | #define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \ | 1456 | #define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \ |
| 1455 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) | 1457 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) |
| 1458 | #define SSL_CTX_set_dh_auto(ctx, onoff) \ | ||
| 1459 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL) | ||
| 1456 | #define SSL_CTX_set_ecdh_auto(ctx, onoff) \ | 1460 | #define SSL_CTX_set_ecdh_auto(ctx, onoff) \ |
| 1457 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) | 1461 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) |
| 1458 | 1462 | ||
| @@ -1464,6 +1468,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) | |||
| 1464 | SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh) | 1468 | SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh) |
| 1465 | #define SSL_set_tmp_ecdh(ssl,ecdh) \ | 1469 | #define SSL_set_tmp_ecdh(ssl,ecdh) \ |
| 1466 | SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) | 1470 | SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) |
| 1471 | #define SSL_set_dh_auto(s, onoff) \ | ||
| 1472 | SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL) | ||
| 1467 | #define SSL_set_ecdh_auto(s, onoff) \ | 1473 | #define SSL_set_ecdh_auto(s, onoff) \ |
| 1468 | SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) | 1474 | SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) |
| 1469 | 1475 | ||
diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c index beea31c64b..8adb9aa032 100644 --- a/src/lib/libssl/src/ssl/ssl_cert.c +++ b/src/lib/libssl/src/ssl/ssl_cert.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_cert.c,v 1.43 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_cert.c,v 1.44 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -229,6 +229,7 @@ ssl_cert_dup(CERT *cert) | |||
| 229 | } | 229 | } |
| 230 | } | 230 | } |
| 231 | ret->dh_tmp_cb = cert->dh_tmp_cb; | 231 | ret->dh_tmp_cb = cert->dh_tmp_cb; |
| 232 | ret->dh_tmp_auto = cert->dh_tmp_auto; | ||
| 232 | 233 | ||
| 233 | if (cert->ecdh_tmp) { | 234 | if (cert->ecdh_tmp) { |
| 234 | ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); | 235 | ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); |
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 579c005cc3..078a710c33 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.89 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1942,7 +1942,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1942 | if (c == NULL) | 1942 | if (c == NULL) |
| 1943 | return; | 1943 | return; |
| 1944 | 1944 | ||
| 1945 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); | 1945 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || |
| 1946 | c->dh_tmp_auto != 0); | ||
| 1946 | 1947 | ||
| 1947 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || | 1948 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || |
| 1948 | c->ecdh_tmp_auto != 0); | 1949 | c->ecdh_tmp_auto != 0); |
| @@ -2176,6 +2177,54 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd) | |||
| 2176 | return (c->pkeys[idx].privatekey); | 2177 | return (c->pkeys[idx].privatekey); |
| 2177 | } | 2178 | } |
| 2178 | 2179 | ||
| 2180 | DH * | ||
| 2181 | ssl_get_auto_dh(SSL *s) | ||
| 2182 | { | ||
| 2183 | CERT_PKEY *cpk; | ||
| 2184 | int keylen; | ||
| 2185 | DH *dhp; | ||
| 2186 | |||
| 2187 | if (s->cert->dh_tmp_auto == 2) { | ||
| 2188 | keylen = 1024; | ||
| 2189 | } else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) { | ||
| 2190 | keylen = 1024; | ||
| 2191 | if (s->s3->tmp.new_cipher->strength_bits == 256) | ||
| 2192 | keylen = 3072; | ||
| 2193 | } else { | ||
| 2194 | if ((cpk = ssl_get_server_send_pkey(s)) == NULL) | ||
| 2195 | return (NULL); | ||
| 2196 | if (cpk->privatekey == NULL || cpk->privatekey->pkey.dh == NULL) | ||
| 2197 | return (NULL); | ||
| 2198 | keylen = EVP_PKEY_bits(cpk->privatekey); | ||
| 2199 | } | ||
| 2200 | |||
| 2201 | if ((dhp = DH_new()) == NULL) | ||
| 2202 | return (NULL); | ||
| 2203 | |||
| 2204 | dhp->g = BN_new(); | ||
| 2205 | if (dhp->g != NULL) | ||
| 2206 | BN_set_word(dhp->g, 2); | ||
| 2207 | |||
| 2208 | if (keylen >= 8192) | ||
| 2209 | dhp->p = get_rfc3526_prime_8192(NULL); | ||
| 2210 | else if (keylen >= 4096) | ||
| 2211 | dhp->p = get_rfc3526_prime_4096(NULL); | ||
| 2212 | else if (keylen >= 3072) | ||
| 2213 | dhp->p = get_rfc3526_prime_3072(NULL); | ||
| 2214 | else if (keylen >= 2048) | ||
| 2215 | dhp->p = get_rfc3526_prime_2048(NULL); | ||
| 2216 | else if (keylen >= 1536) | ||
| 2217 | dhp->p = get_rfc3526_prime_1536(NULL); | ||
| 2218 | else | ||
| 2219 | dhp->p = get_rfc2409_prime_1024(NULL); | ||
| 2220 | |||
| 2221 | if (dhp->p == NULL || dhp->g == NULL) { | ||
| 2222 | DH_free(dhp); | ||
| 2223 | return (NULL); | ||
| 2224 | } | ||
| 2225 | return (dhp); | ||
| 2226 | } | ||
| 2227 | |||
| 2179 | void | 2228 | void |
| 2180 | ssl_update_cache(SSL *s, int mode) | 2229 | ssl_update_cache(SSL *s, int mode) |
| 2181 | { | 2230 | { |
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index 955c169244..e7bcb890e4 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.72 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.73 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -442,6 +442,7 @@ typedef struct cert_st { | |||
| 442 | 442 | ||
| 443 | DH *dh_tmp; | 443 | DH *dh_tmp; |
| 444 | DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); | 444 | DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); |
| 445 | int dh_tmp_auto; | ||
| 445 | 446 | ||
| 446 | EC_KEY *ecdh_tmp; | 447 | EC_KEY *ecdh_tmp; |
| 447 | EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize); | 448 | EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize); |
| @@ -588,6 +589,7 @@ int ssl_undefined_const_function(const SSL *s); | |||
| 588 | CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); | 589 | CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); |
| 589 | X509 *ssl_get_server_send_cert(const SSL *); | 590 | X509 *ssl_get_server_send_cert(const SSL *); |
| 590 | EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); | 591 | EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); |
| 592 | DH *ssl_get_auto_dh(SSL *s); | ||
| 591 | int ssl_cert_type(X509 *x, EVP_PKEY *pkey); | 593 | int ssl_cert_type(X509 *x, EVP_PKEY *pkey); |
| 592 | void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); | 594 | void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); |
| 593 | STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); | 595 | STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); |
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 2b1ceaf2c7..350d6fb4d1 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.68 2014/10/15 13:57:21 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.69 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1429,6 +1429,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) | |||
| 1429 | 1429 | ||
| 1430 | #define SSL_CTRL_SET_ECDH_AUTO 94 | 1430 | #define SSL_CTRL_SET_ECDH_AUTO 94 |
| 1431 | 1431 | ||
| 1432 | #define SSL_CTRL_SET_DH_AUTO 118 | ||
| 1433 | |||
| 1432 | #define DTLSv1_get_timeout(ssl, arg) \ | 1434 | #define DTLSv1_get_timeout(ssl, arg) \ |
| 1433 | SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) | 1435 | SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) |
| 1434 | #define DTLSv1_handle_timeout(ssl) \ | 1436 | #define DTLSv1_handle_timeout(ssl) \ |
| @@ -1453,6 +1455,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) | |||
| 1453 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh) | 1455 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh) |
| 1454 | #define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \ | 1456 | #define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \ |
| 1455 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) | 1457 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) |
| 1458 | #define SSL_CTX_set_dh_auto(ctx, onoff) \ | ||
| 1459 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL) | ||
| 1456 | #define SSL_CTX_set_ecdh_auto(ctx, onoff) \ | 1460 | #define SSL_CTX_set_ecdh_auto(ctx, onoff) \ |
| 1457 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) | 1461 | SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) |
| 1458 | 1462 | ||
| @@ -1464,6 +1468,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) | |||
| 1464 | SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh) | 1468 | SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh) |
| 1465 | #define SSL_set_tmp_ecdh(ssl,ecdh) \ | 1469 | #define SSL_set_tmp_ecdh(ssl,ecdh) \ |
| 1466 | SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) | 1470 | SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) |
| 1471 | #define SSL_set_dh_auto(s, onoff) \ | ||
| 1472 | SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL) | ||
| 1467 | #define SSL_set_ecdh_auto(s, onoff) \ | 1473 | #define SSL_set_ecdh_auto(s, onoff) \ |
| 1468 | SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) | 1474 | SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) |
| 1469 | 1475 | ||
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index beea31c64b..8adb9aa032 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_cert.c,v 1.43 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_cert.c,v 1.44 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -229,6 +229,7 @@ ssl_cert_dup(CERT *cert) | |||
| 229 | } | 229 | } |
| 230 | } | 230 | } |
| 231 | ret->dh_tmp_cb = cert->dh_tmp_cb; | 231 | ret->dh_tmp_cb = cert->dh_tmp_cb; |
| 232 | ret->dh_tmp_auto = cert->dh_tmp_auto; | ||
| 232 | 233 | ||
| 233 | if (cert->ecdh_tmp) { | 234 | if (cert->ecdh_tmp) { |
| 234 | ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); | 235 | ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 579c005cc3..078a710c33 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.89 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1942,7 +1942,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1942 | if (c == NULL) | 1942 | if (c == NULL) |
| 1943 | return; | 1943 | return; |
| 1944 | 1944 | ||
| 1945 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); | 1945 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || |
| 1946 | c->dh_tmp_auto != 0); | ||
| 1946 | 1947 | ||
| 1947 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || | 1948 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || |
| 1948 | c->ecdh_tmp_auto != 0); | 1949 | c->ecdh_tmp_auto != 0); |
| @@ -2176,6 +2177,54 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd) | |||
| 2176 | return (c->pkeys[idx].privatekey); | 2177 | return (c->pkeys[idx].privatekey); |
| 2177 | } | 2178 | } |
| 2178 | 2179 | ||
| 2180 | DH * | ||
| 2181 | ssl_get_auto_dh(SSL *s) | ||
| 2182 | { | ||
| 2183 | CERT_PKEY *cpk; | ||
| 2184 | int keylen; | ||
| 2185 | DH *dhp; | ||
| 2186 | |||
| 2187 | if (s->cert->dh_tmp_auto == 2) { | ||
| 2188 | keylen = 1024; | ||
| 2189 | } else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) { | ||
| 2190 | keylen = 1024; | ||
| 2191 | if (s->s3->tmp.new_cipher->strength_bits == 256) | ||
| 2192 | keylen = 3072; | ||
| 2193 | } else { | ||
| 2194 | if ((cpk = ssl_get_server_send_pkey(s)) == NULL) | ||
| 2195 | return (NULL); | ||
| 2196 | if (cpk->privatekey == NULL || cpk->privatekey->pkey.dh == NULL) | ||
| 2197 | return (NULL); | ||
| 2198 | keylen = EVP_PKEY_bits(cpk->privatekey); | ||
| 2199 | } | ||
| 2200 | |||
| 2201 | if ((dhp = DH_new()) == NULL) | ||
| 2202 | return (NULL); | ||
| 2203 | |||
| 2204 | dhp->g = BN_new(); | ||
| 2205 | if (dhp->g != NULL) | ||
| 2206 | BN_set_word(dhp->g, 2); | ||
| 2207 | |||
| 2208 | if (keylen >= 8192) | ||
| 2209 | dhp->p = get_rfc3526_prime_8192(NULL); | ||
| 2210 | else if (keylen >= 4096) | ||
| 2211 | dhp->p = get_rfc3526_prime_4096(NULL); | ||
| 2212 | else if (keylen >= 3072) | ||
| 2213 | dhp->p = get_rfc3526_prime_3072(NULL); | ||
| 2214 | else if (keylen >= 2048) | ||
| 2215 | dhp->p = get_rfc3526_prime_2048(NULL); | ||
| 2216 | else if (keylen >= 1536) | ||
| 2217 | dhp->p = get_rfc3526_prime_1536(NULL); | ||
| 2218 | else | ||
| 2219 | dhp->p = get_rfc2409_prime_1024(NULL); | ||
| 2220 | |||
| 2221 | if (dhp->p == NULL || dhp->g == NULL) { | ||
| 2222 | DH_free(dhp); | ||
| 2223 | return (NULL); | ||
| 2224 | } | ||
| 2225 | return (dhp); | ||
| 2226 | } | ||
| 2227 | |||
| 2179 | void | 2228 | void |
| 2180 | ssl_update_cache(SSL *s, int mode) | 2229 | ssl_update_cache(SSL *s, int mode) |
| 2181 | { | 2230 | { |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 955c169244..e7bcb890e4 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.72 2014/10/31 14:51:01 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.73 2014/10/31 15:25:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -442,6 +442,7 @@ typedef struct cert_st { | |||
| 442 | 442 | ||
| 443 | DH *dh_tmp; | 443 | DH *dh_tmp; |
| 444 | DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); | 444 | DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); |
| 445 | int dh_tmp_auto; | ||
| 445 | 446 | ||
| 446 | EC_KEY *ecdh_tmp; | 447 | EC_KEY *ecdh_tmp; |
| 447 | EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize); | 448 | EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize); |
| @@ -588,6 +589,7 @@ int ssl_undefined_const_function(const SSL *s); | |||
| 588 | CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); | 589 | CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); |
| 589 | X509 *ssl_get_server_send_cert(const SSL *); | 590 | X509 *ssl_get_server_send_cert(const SSL *); |
| 590 | EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); | 591 | EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); |
| 592 | DH *ssl_get_auto_dh(SSL *s); | ||
| 591 | int ssl_cert_type(X509 *x, EVP_PKEY *pkey); | 593 | int ssl_cert_type(X509 *x, EVP_PKEY *pkey); |
| 592 | void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); | 594 | void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); |
| 593 | STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); | 595 | STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); |