Check-in [e63b467c48]
Overview
Comment:Use env var for OpenSSL executable path. Source: https://core.tcl-lang.org/tcltls/tktview/034c8d2587
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | dh
Files: files | file ages | folders
SHA3-256: e63b467c48f0e7a70aee77dba5104b5d5ccb8911dcaa050c7967db3ba2594a67
User & Date: bohagan on 2023-12-29 00:46:02
Other Links: branch diff | manifest | tags
Context
2023-12-29
03:09
Updated to auto set DH parameters. Updated to use well known Diffie-Hellman (DH) parameters that have built-in support in OpenSSL. This means the DH parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key. Closed-Leaf check-in: d3d16ea77f user: bohagan tags: dh
00:46
Use env var for OpenSSL executable path. Source: https://core.tcl-lang.org/tcltls/tktview/034c8d2587 check-in: e63b467c48 user: bohagan tags: dh
2023-12-28
23:15
Refactored DH generation to not need a separate file for DH data. Added missing header files to generated file. check-in: d3319fd18b user: bohagan tags: dh
Changes
10
11
12
13
14
15
16





17
18
19
20
21
22
23
24
25
26
27
28





29
30
31
32
33
34
35
36
37
38
39





40
41
42
43
44
45
46
		bits=*)
			bits="`echo "${arg}" | cut -f 2 -d =`"
			;;
	esac
done

openssl_dhparam1() {





	if openssl dhparam -C "$@" | sed	\
	    -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/'	\
	    -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'
	then
		return 0
	fi

	return 1
}

# OpenSSL 3.0 openssl-dhparam has no "-C" option, so we emulate it here
openssl_dhparam3() {





	cat << \_EOF_
#include <openssl/dh.h>
#include <openssl/bn.h>
static DH *get_dhParams(void) {
	static unsigned char dhp[] = {
_EOF_

	openssl dhparam -text "$@" | \
	    sed -E -e '/^---/,/^---/d' \
		-e '/(DH|prime|generator|P|G|recommended)/d' \
		-e 's/([0-9a-h]{2})(:|$$)/0x\1, /g'






	cat << \_EOF_
	};
	static unsigned char dhg[] = {
		0x02,
	};








>
>
>
>
>
|











>
>
>
>
>







|



>
>
>
>
>







10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
		bits=*)
			bits="`echo "${arg}" | cut -f 2 -d =`"
			;;
	esac
done

openssl_dhparam1() {
	dir=''
	if [ -n "${OPENSSL}" ]; then
	    dir="${OPENSSL}/"
	fi

	if ${dir}openssl dhparam -C "$@" | sed	\
	    -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/'	\
	    -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'
	then
		return 0
	fi

	return 1
}

# OpenSSL 3.0 openssl-dhparam has no "-C" option, so we emulate it here
openssl_dhparam3() {
	dir=''
	if [ -n "${OPENSSL}" ]; then
	    dir="${OPENSSL}/"
	fi

	cat << \_EOF_
#include <openssl/dh.h>
#include <openssl/bn.h>
static DH *get_dhParams(void) {
	static unsigned char dhp[] = {
_EOF_

	if ${dir}openssl dhparam -text "$@" | \
	    sed -E -e '/^---/,/^---/d' \
		-e '/(DH|prime|generator|P|G|recommended)/d' \
		-e 's/([0-9a-h]{2})(:|$$)/0x\1, /g'
	then
		break
	else
		return 1
	fi

	cat << \_EOF_
	};
	static unsigned char dhg[] = {
		0x02,
	};

275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
	if (dh == NULL) {
		return NULL;
	}

	dhp_bn = BN_bin2bn(dhp, sizeof (dhp), NULL);
	dhg_bn = BN_bin2bn(dhg, sizeof (dhg), NULL);

#ifdef TCLTLS_OPENSSL_PRE_1_1_API
	dh->p = dhp_bn;
	dh->g = dhg_bn;

	if (dhp_bn == NULL || dhg_bn == NULL) {
#else
	if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
#endif
		DH_free(dh);
		BN_free(dhp_bn);
		BN_free(dhg_bn);
		return(NULL);
	}

	return(dh);







<
<
<
<
<
<

<







290
291
292
293
294
295
296






297

298
299
300
301
302
303
304
	if (dh == NULL) {
		return NULL;
	}

	dhp_bn = BN_bin2bn(dhp, sizeof (dhp), NULL);
	dhg_bn = BN_bin2bn(dhg, sizeof (dhg), NULL);







	if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {

		DH_free(dh);
		BN_free(dhp_bn);
		BN_free(dhg_bn);
		return(NULL);
	}

	return(dh);