Check-in [e63b467c48]
Overview
Comment:Use env var for OpenSSL executable path. Source: https://core.tcl-lang.org/tcltls/tktview/034c8d2587
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | dh
Files: files | file ages | folders
SHA3-256: e63b467c48f0e7a70aee77dba5104b5d5ccb8911dcaa050c7967db3ba2594a67
User & Date: bohagan on 2023-12-29 00:46:02
Other Links: branch diff | manifest | tags
Context
2023-12-29
03:09
Updated to auto set DH parameters. Updated to use well known Diffie-Hellman (DH) parameters that have built-in support in OpenSSL. This means the DH parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key. Leaf check-in: d3d16ea77f user: bohagan tags: dh
00:46
Use env var for OpenSSL executable path. Source: https://core.tcl-lang.org/tcltls/tktview/034c8d2587 check-in: e63b467c48 user: bohagan tags: dh
2023-12-28
23:15
Refactored DH generation to not need a separate file for DH data. Added missing header files to generated file. check-in: d3319fd18b user: bohagan tags: dh
Changes

Modified generic/gen_dh_params from [791deedc56] to [6e6f58d906].

10
11
12
13
14
15
16





17

18
19
20
21
22
23
24
25
26
27
28





29
30
31
32
33
34
35
36

37
38
39





40
41
42
43
44
45
46
10
11
12
13
14
15
16
17
18
19
20
21

22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61







+
+
+
+
+
-
+











+
+
+
+
+







-
+



+
+
+
+
+







		bits=*)
			bits="`echo "${arg}" | cut -f 2 -d =`"
			;;
	esac
done

openssl_dhparam1() {
	dir=''
	if [ -n "${OPENSSL}" ]; then
	    dir="${OPENSSL}/"
	fi

	if openssl dhparam -C "$@" | sed	\
	if ${dir}openssl dhparam -C "$@" | sed	\
	    -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/'	\
	    -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'
	then
		return 0
	fi

	return 1
}

# OpenSSL 3.0 openssl-dhparam has no "-C" option, so we emulate it here
openssl_dhparam3() {
	dir=''
	if [ -n "${OPENSSL}" ]; then
	    dir="${OPENSSL}/"
	fi

	cat << \_EOF_
#include <openssl/dh.h>
#include <openssl/bn.h>
static DH *get_dhParams(void) {
	static unsigned char dhp[] = {
_EOF_

	openssl dhparam -text "$@" | \
	if ${dir}openssl dhparam -text "$@" | \
	    sed -E -e '/^---/,/^---/d' \
		-e '/(DH|prime|generator|P|G|recommended)/d' \
		-e 's/([0-9a-h]{2})(:|$$)/0x\1, /g'
	then
		break
	else
		return 1
	fi

	cat << \_EOF_
	};
	static unsigned char dhg[] = {
		0x02,
	};

275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
290
291
292
293
294
295
296






297

298
299
300
301
302
303
304







-
-
-
-
-
-

-







	if (dh == NULL) {
		return NULL;
	}

	dhp_bn = BN_bin2bn(dhp, sizeof (dhp), NULL);
	dhg_bn = BN_bin2bn(dhg, sizeof (dhg), NULL);

#ifdef TCLTLS_OPENSSL_PRE_1_1_API
	dh->p = dhp_bn;
	dh->g = dhg_bn;

	if (dhp_bn == NULL || dhg_bn == NULL) {
#else
	if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
#endif
		DH_free(dh);
		BN_free(dhp_bn);
		BN_free(dhg_bn);
		return(NULL);
	}

	return(dh);