Overview
Comment: | DH Changes for OpenSSL 3.0 Source: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275160 and https://cgit.freebsd.org/ports/tree/devel/tcltls/files/dh_params.h?id=2ed62c75d1230bbe8268a1a3c54de2972d50dcf8 |
---|---|
SHA3-256: |
54c35183c2d1427db6ac3b43b694300a |
User & Date: | bohagan on 2023-12-28 21:27:38 |
Context
2023-12-28
23:15 | Refactored DH generation to not need a separate file for DH data. Added missing header files to generated file. check-in: d3319fd18b user: bohagan tags: dh | |
21:27 | DH Changes for OpenSSL 3.0 Source: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275160 and https://cgit.freebsd.org/ports/tree/devel/tcltls/files/dh_params.h?id=2ed62c75d1230bbe8268a1a3c54de2972d50dcf8 check-in: 54c35183c2 user: bohagan tags: dh | |
20:01 | Created DH branch check-in: 22f9df2429 user: bohagan tags: dh | |
Changes
Modified generic/gen_dh_params from [90177a1658] to [e07a009868].
︙ | ︙ | |||
9 10 11 12 13 14 15 | ;; bits=*) bits="`echo "${arg}" | cut -f 2 -d =`" ;; esac done | | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | | > > | 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 | ;; bits=*) bits="`echo "${arg}" | cut -f 2 -d =`" ;; esac done openssl_dhparam1() { if openssl dhparam -C "$@" | sed \ -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/' \ -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d' then return 0 fi return 1 } # OpenSSL 3.0 openssl-dhparam has no "-C" option, so we emulate it here openssl_dhparam3() { if openssl dhparam -text 2048 | \ sed -E -e '/^---/,/^---/d' \ -e '/(DH|prime|generator)/d' \ -e 's/([0-9a-h]{2})(:|$$)/0x\1, /g' \ -e generateddh.txt then else return 0 fi cat << \_EOF_ /* * OpenSSL no longer offers the "-C" option for its dhparam * subcommand, so we keep our own C-code here... 
*/ static DH * get_dhParams(void) { static unsigned char dhp_2048[] = { #include "generateddh.txt" }; static unsigned char dhg_2048[] = { 0x02 }; DH *dh = DH_new(); BIGNUM *p, *g; if (dh == NULL) return NULL; p = BN_bin2bn(dhp_2048, sizeof(dhp_2048), NULL); g = BN_bin2bn(dhg_2048, sizeof(dhg_2048), NULL); if (p == NULL || g == NULL || !DH_set0_pqg(dh, p, NULL, g)) { DH_free(dh); BN_free(p); BN_free(g); return NULL; } return dh; } _EOF_ return 0 } gen_dh_params_openssl() { openssl_dhparam3 "${bits}" < /dev/null || return 1 return 0 } gen_dh_params_remote() { url="https://2ton.com.au/dhparam/${bits}" r_input="`curl -sS "${url}"`" || \ r_input="`wget -O - -o /dev/null "${url}"`" || return 1 if r_output="`echo "${r_input}" | openssl_dhparam1`"; then echo "${r_output}" return 0 fi return 1 } gen_dh_params_fallback() { cat << \_EOF_ #include <openssl/dh.h> #include <openssl/bn.h> DH *get_dhParams(void) { static unsigned char dhp[] = { _EOF_ case "${bits}" in 2048) cat << \_EOF_ 0xC1,0x51,0x58,0x69,0xFB,0xE8,0x6C,0x47,0x2B,0x86,0x61,0x4F, |
︙ | ︙ | |||
266 267 268 269 270 271 272 | echo "*****************************" >&2 echo "** Generating DH Primes. **" >&2 echo "** This will take a while. **" >&2 echo "*****************************" >&2 echo "Use OpenSSL" >&2 gen_dh_params_openssl && exit 0 | | | | 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 | echo "*****************************" >&2 echo "** Generating DH Primes. **" >&2 echo "** This will take a while. **" >&2 echo "*****************************" >&2 echo "Use OpenSSL" >&2 gen_dh_params_openssl && exit 0 #echo "Use Remote" >&2 #gen_dh_params_remote && exit 0 echo "Use fallback" >&2 gen_dh_params_fallback && exit 0 echo "Unable to generate parameters for DH of ${bits} bits" >&2 exit 1 |
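Review bot: openssl_dhparam3 in the first hunk ignores the `"${bits}"` argument that gen_dh_params_openssl passes to it and runs `openssl dhparam -text 2048`, so any other requested size silently yields 2048-bit parameters, and the arrays emitted by the heredoc are likewise fixed as `dhp_2048`/`dhg_2048`. The control flow around that pipeline is also broken: `then` followed directly by `else` is a syntax error in POSIX sh, and the only branch that exists returns 0 when the pipeline fails; `-e generateddh.txt` hands the file name to sed as a script instead of redirecting output to it, and the `$$` in the last expression looks like a Makefile escape carried over from the FreeBSD port, where a single `$` end anchor is meant. Without pipefail only sed's exit status is observed, the same limitation openssl_dhparam1 has, so a failed openssl invocation can still produce an empty include file. The hunk's line breaks are collapsed on this page, so the layout below is inferred from the visible text; the rewritten function head is shown and the heredoc is left as is.
```shell
# OpenSSL 3.0 openssl-dhparam has no "-C" option, so we emulate it here
openssl_dhparam3() {
	openssl dhparam -text "$@" | \
		sed -E -e '/^---/,/^---/d' \
			-e '/(DH|prime|generator)/d' \
			-e 's/([0-9a-h]{2})(:|$)/0x\1, /g' > generateddh.txt || return 1
	# … unchanged: cat << \_EOF_ … _EOF_ heredoc emitting get_dhParams() …
	return 0
}
```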