Check-in [83b1dea4d4]
Overview
Comment:Updated references to DH parameter bit sizes and ensure error messages are printed if generating fails entirely
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 83b1dea4d46e2bd47d767d3c3ce468ec07215faf
User & Date: rkeene on 2017-04-18 14:29:27
Other Links: manifest | tags
Context
2017-04-18
14:39
Updated gen_dh_params to support specifying a number of bits -- currently the only supported value is 2048 check-in: b128e0d4e4 user: rkeene tags: trunk
14:29
Updated references to DH parameter bit sizes and ensure error messages are printed if generating fails entirely check-in: 83b1dea4d4 user: rkeene tags: trunk
2016-12-17
15:43
Integrated -autoservername feature (addresses [0d4541b86d]) check-in: 42735119d8 user: rkeene tags: trunk
Changes

Modified gen_dh_params from [78d63b562d] to [045a249871].

1
2
3
4
5
6
7

8
9
10
11
12
13
14
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15







+







#! /usr/bin/env sh

bits='2048'

openssl_dhparam() {
	if [ -x "`which openssl 2>/dev/null`" ]; then
		o_output="`openssl dhparam -C "$@" 2>/dev/null`" || return 1
		o_output="`echo "${o_output}" | sed 's/get_dh[0-9]\+/get_dhParams/'`" || return 1
		o_output="`echo "${o_output}" | sed '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'`" || return 1

		echo "${o_output}"

		return 0
	fi

32
33
34
35
36
37
38

39
40


41
42
43
44
45
46
47
33
34
35
36
37
38
39
40


41
42
43
44
45
46
47
48
49







+
-
-
+
+







		return 0
	fi

	return 1
}

gen_dh_params_fallback() {
	if [ "${bits}" = '2048' ]; then
	cat << \_EOF_
DH *get_dh2048(void) {
		cat << \_EOF_
DH *get_dhParams(void) {
	static unsigned char dhp_2048[] = {
		0xC1,0x51,0x58,0x69,0xFB,0xE8,0x6C,0x47,0x2B,0x86,0x61,0x4F,
		0x20,0x2E,0xD3,0xFC,0x19,0xEE,0xB8,0xF3,0x35,0x7D,0xBA,0x86,
		0x2A,0xC3,0xC8,0x6E,0xF4,0x99,0x75,0x65,0xD3,0x7A,0x9E,0xDF,
		0xD4,0x1F,0x88,0xE3,0x17,0xFC,0xA1,0xED,0xA2,0xB6,0x77,0x84,
		0xAA,0x08,0xF2,0x97,0x59,0x7A,0xA0,0x03,0x0D,0x3E,0x7E,0x6D,
		0x65,0x6A,0xA4,0xEA,0x54,0xA9,0x52,0x5F,0x63,0xB4,0xBC,0x98,
89
90
91
92
93
94
95





96
97
98
99
100


101
102
103
104
105
106
107
108
109
110
111
112


113
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124







+
+
+
+
+





+
+












+
+

		BN_free(dhg_bn);
		return(NULL);
	}

	return(dh);
}
_EOF_

		return 0
	fi

	return 1
}

# Enable support for giving the same DH params each time
if [ "$1" = 'fallback' ]; then
	gen_dh_params_fallback && exit 0

	echo "Unable to generate fallback parameters for DH of ${bits} bits" >&2

	exit 1
fi

echo "*****************************" >&2
echo "** Generating DH Primes.   **" >&2
echo "** This will take a while. **" >&2
echo "*****************************" >&2
gen_dh_params_openssl && exit 0
gen_dh_params_remote && exit 0
gen_dh_params_fallback && exit 0

echo "Unable to generate parameters for DH of ${bits} bits" >&2

exit 1

Modified tls.c from [347d650461] to [57028b60c1].

1177
1178
1179
1180
1181
1182
1183
1184

1185
1186
1187
1188
1189
1190
1191
1177
1178
1179
1180
1181
1182
1183

1184
1185
1186
1187
1188
1189
1190
1191







-
+







	    if (!dh) {
		Tcl_AppendResult(interp,
		    "Could not read DH parameters from file", (char *) NULL);
		SSL_CTX_free(ctx);
		return (SSL_CTX *)0;
	    }
	} else {
	    dh = get_dh2048();
	    dh = get_dhParams();
	}
	SSL_CTX_set_tmp_dh(ctx, dh);
	DH_free(dh);
    }
#endif

    /* set our certificate */