diff options
| author | Matt Caswell <matt@openssl.org> | 2020-10-14 10:25:35 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2020-11-18 15:14:22 +0100 |
| commit | 091f6074c554a14bd9d37186e40ff9d556e4b216 (patch) | |
| tree | 3190a46233adee735d55f3659ed0f5a87a2cfbf0 /ssl/t1_lib.c | |
| parent | DOC: Rewrite the section on reporting errors in doc/man3/ERR_put_error.pod (diff) | |
| download | openssl-091f6074c554a14bd9d37186e40ff9d556e4b216.tar.xz openssl-091f6074c554a14bd9d37186e40ff9d556e4b216.zip | |
Convert TLS auto DH parameters to use EVP_PKEY
Previously a DH object was constructed and then assigned to an EVP_PKEY.
Instead we now construct the EVP_PKEY directly instead.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
Diffstat (limited to 'ssl/t1_lib.c')
| -rw-r--r-- | ssl/t1_lib.c | 51 |
1 files changed, 31 insertions, 20 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ff80b81167..9089cb8086 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -19,6 +19,7 @@ #include <openssl/dh.h> #include <openssl/bn.h> #include <openssl/provider.h> +#include <openssl/param_build.h> #include "internal/nelem.h" #include "internal/evp.h" #include "internal/tlsgroups.h" @@ -2873,12 +2874,15 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) return tls1_check_chain(s, x, pk, chain, -1); } -#ifndef OPENSSL_NO_DH -DH *ssl_get_auto_dh(SSL *s) +EVP_PKEY *ssl_get_auto_dh(SSL *s) { - DH *dhp; - BIGNUM *p, *g; + EVP_PKEY *dhp = NULL; + BIGNUM *p; int dh_secbits = 80; + EVP_PKEY_CTX *pctx = NULL; + OSSL_PARAM_BLD *tmpl = NULL; + OSSL_PARAM *params = NULL; + if (s->cert->dh_tmp_auto != 2) { if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { if (s->s3.tmp.new_cipher->strength_bits == 256) @@ -2892,15 +2896,6 @@ DH *ssl_get_auto_dh(SSL *s) } } - dhp = DH_new(); - if (dhp == NULL) - return NULL; - g = BN_new(); - if (g == NULL || !BN_set_word(g, 2)) { - DH_free(dhp); - BN_free(g); - return NULL; - } if (dh_secbits >= 192) p = BN_get_rfc3526_prime_8192(NULL); else if (dh_secbits >= 152) @@ -2911,15 +2906,31 @@ DH *ssl_get_auto_dh(SSL *s) p = BN_get_rfc3526_prime_2048(NULL); else p = BN_get_rfc2409_prime_1024(NULL); - if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { - DH_free(dhp); - BN_free(p); - BN_free(g); - return NULL; - } + if (p == NULL) + goto err; + + pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); + if (pctx == NULL + || EVP_PKEY_key_fromdata_init(pctx) != 1) + goto err; + + tmpl = OSSL_PARAM_BLD_new(); + if (tmpl == NULL + || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) + || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2)) + goto err; + + params = OSSL_PARAM_BLD_to_param(tmpl); + if (params == NULL || EVP_PKEY_fromdata(pctx, &dhp, params) != 1) + goto err; + +err: + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(tmpl); + EVP_PKEY_CTX_free(pctx); + BN_free(p); return dhp; } -#endif static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op) { |