authorJoel Sing <jsing@cvs.openbsd.org>2014-10-31 16:56:01 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-10-31 16:56:01 +0000
commit06a3e2de950763cb9071af6861ceb5d2eccab6bd (patch)
treebc931aaf65529033bf1059fcefae3ec8a4008c79 /usr.bin
parent4cffd457c209b701049feca5234530d799cf1feb (diff)
Use automatic DH ephemeral parameters instead of the fixed 512-bit group.
Based on OpenSSL.
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/openssl/s_server.c61
1 files changed, 23 insertions, 38 deletions
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c
index 6f87819d1eb..5987f76e1c4 100644
--- a/usr.bin/openssl/s_server.c
+++ b/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.3 2014/10/22 13:54:03 jsing Exp $ */
+/* $OpenBSD: s_server.c,v 1.4 2014/10/31 16:56:00 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -190,40 +190,10 @@ generate_session_id(const SSL * ssl, unsigned char *id,
unsigned int *id_len);
#ifndef OPENSSL_NO_DH
static DH *load_dh_param(const char *dhfile);
-static DH *get_dh512(void);
#endif
static void s_server_init(void);
-#ifndef OPENSSL_NO_DH
-static unsigned char dh512_p[] = {
- 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
- 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
- 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
- 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
- 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
- 0x47, 0x74, 0xE8, 0x33,
-};
-static unsigned char dh512_g[] = {
- 0x02,
-};
-
-static DH *
-get_dh512(void)
-{
- DH *dh = NULL;
-
- if ((dh = DH_new()) == NULL)
- return (NULL);
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- return (NULL);
- return (dh);
-}
-#endif
-
-
/* static int load_CA(SSL_CTX *ctx, char *file);*/
#define BUFSIZZ 16*1024
@@ -1149,15 +1119,22 @@ bad:
else if (s_cert_file)
dh = load_dh_param(s_cert_file);
- if (dh != NULL) {
+ if (dh != NULL)
BIO_printf(bio_s_out, "Setting temp DH parameters\n");
- } else {
- BIO_printf(bio_s_out, "Using default temp DH parameters\n");
- dh = get_dh512();
- }
+ else
+ BIO_printf(bio_s_out, "Using auto DH parameters\n");
(void) BIO_flush(bio_s_out);
- SSL_CTX_set_tmp_dh(ctx, dh);
+ if (dh == NULL)
+ SSL_CTX_set_dh_auto(ctx, 1);
+ else if (!SSL_CTX_set_tmp_dh(ctx, dh)) {
+ BIO_printf(bio_err,
+ "Error setting temp DH parameters\n");
+ ERR_print_errors(bio_err);
+ DH_free(dh);
+ goto end;
+ }
+
#ifndef OPENSSL_NO_TLSEXT
if (ctx2) {
if (!dhfile) {
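Review bot: When `-dhparam` was given but `load_dh_param(dhfile)` returned NULL (that `if (dhfile)` branch sits just above this hunk), the new `if (dh == NULL)` at L79 silently switches to `SSL_CTX_set_dh_auto(ctx, 1)` and prints "Using auto DH parameters" instead of reporting the failed load, so an operator who asked for specific parameters gets a quiet substitution rather than an error. Falling back to automatic parameters is the right default only when no file was requested. A check between the load and the status message closes this, assuming `load_dh_param` returns NULL on failure as the `dh != NULL` test at L69 suggests. Separately, the return value of `SSL_CTX_set_dh_auto` at L80 is ignored; it is an `SSL_CTX_ctrl` wrapper and cheap to test. The enclosing function starts and ends outside this hunk.
```c
else if (s_cert_file)
	dh = load_dh_param(s_cert_file);
/* An explicitly requested parameter file that fails to load is fatal. */
if (dhfile != NULL && dh == NULL) {
	BIO_printf(bio_err, "Unable to load DH parameters from %s\n", dhfile);
	ERR_print_errors(bio_err);
	goto end;
}
/* … unchanged: status message, BIO_flush, set_dh_auto / set_tmp_dh on ctx … */
```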
@@ -1170,7 +1147,15 @@ bad:
dh = dh2;
}
}
- SSL_CTX_set_tmp_dh(ctx2, dh);
+ if (dh == NULL)
+ SSL_CTX_set_dh_auto(ctx2, 1);
+ else if (!SSL_CTX_set_tmp_dh(ctx2, dh)) {
+ BIO_printf(bio_err,
+ "Error setting temp DH parameters\n");
+ ERR_print_errors(bio_err);
+ DH_free(dh);
+ goto end;
+ }
}
#endif
DH_free(dh);
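Review bot: The error branch at L99–L104 repeats the ctx branch from the previous hunk line for line, and in both the `DH_free(dh)` before `goto end` leaves `dh` pointing at freed memory on the way to `end:`, which lies outside this hunk; whether `end:` touches `dh` is not visible here, so this is at least fragile. Either clear the pointer, `DH_free(dh); dh = NULL; goto end;`, or fold the install-or-auto logic into one static helper so the ctx and ctx2 paths cannot drift apart. `SSL_CTX_set_dh_auto(ctx2, 1)` at L98 is also unchecked, as on ctx. The enclosing `if (ctx2)` block and the function start before this hunk.
```c
/*
 * Install dh as the temporary DH parameters for ctx, or enable automatic
 * parameter selection when dh is NULL.  Returns 1 on success, 0 on failure
 * after printing the error queue.  Does not take ownership of dh.
 */
static int
set_tmp_dh(SSL_CTX *ctx, DH *dh)
{
	if (dh == NULL)
		return (SSL_CTX_set_dh_auto(ctx, 1));
	if (!SSL_CTX_set_tmp_dh(ctx, dh)) {
		BIO_printf(bio_err, "Error setting temp DH parameters\n");
		ERR_print_errors(bio_err);
		return (0);
	}
	return (1);
}

/* … unchanged: ctx2 / s_cert_file2 parameter loading … */
if (!set_tmp_dh(ctx2, dh)) {
	DH_free(dh);
	dh = NULL;
	goto end;
}
```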