Index: .fossil-settings/ignore-glob
==================================================================
--- .fossil-settings/ignore-glob
+++ .fossil-settings/ignore-glob
@@ -15,5 +15,6 @@
 tlsBIO.o
 tlsIO.o
 tlsX509.o
 tls.tcl.h
 build/work
+dh_params.h
Index: Makefile.in
==================================================================
--- Makefile.in
+++ Makefile.in
@@ -1,10 +1,10 @@
 CC = @CC@
 AR = @AR@
 RANLIB = @RANLIB@
 CFLAGS = @CFLAGS@ @SHOBJFLAGS@
-CPPFLAGS = @CPPFLAGS@ -I@srcdir@ @DEFS@
+CPPFLAGS = @CPPFLAGS@ -I@srcdir@ -I. @DEFS@
 LDFLAGS = @LDFLAGS@ @SHOBJLDFLAGS@
 LIBS = @LIBS@
 INSTALL = @INSTALL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 TCL_PACKAGE_PATH = @TCL_PACKAGE_PATH@
@@ -21,11 +21,11 @@
 $(AR) rcu tcltls.a.new tls.o tlsBIO.o tlsIO.o tlsX509.o
 $(RANLIB) tcltls.a.new
 mv tcltls.a.new tcltls.a
 
 # Dependencies for all our targets
-tls.o: @srcdir@/tls.c @srcdir@/tlsInt.h @srcdir@/tclOpts.h @srcdir@/tls.tcl.h
+tls.o: @srcdir@/tls.c @srcdir@/tlsInt.h @srcdir@/tclOpts.h @srcdir@/tls.tcl.h dh_params.h
 tlsBIO.o: @srcdir@/tlsBIO.c @srcdir@/tlsInt.h
 tlsIO.o: @srcdir@/tlsIO.c @srcdir@/tlsInt.h
 tlsX509.o: @srcdir@/tlsX509.c @srcdir@/tlsInt.h
 
 # Create a C-source-ified version of the script resources
@@ -33,10 +33,15 @@
 # this extension
 @srcdir@/tls.tcl.h: @srcdir@/tls.tcl
 xxd -i < '@srcdir@/tls.tcl' > '@srcdir@/tls.tcl.h.new'
 mv '@srcdir@/tls.tcl.h.new' '@srcdir@/tls.tcl.h'
 
+# Create default DH parameters
+dh_params.h: @srcdir@/gen_dh_params
+ @srcdir@/gen_dh_params > dh_params.h.new
+ mv dh_params.h.new dh_params.h
+
 # Generic target for building files from the "srcdir"
 # tree -- the default target will not match paths
 %.o: @srcdir@/%.c
 $(CC) $(CPPFLAGS) $(CFLAGS) -o "$@" -c "$<"
 
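Review bot: The new `-I.` on the CPPFLAGS line comes after `-I@srcdir@`, so in an out-of-tree build a leftover `dh_params.h` in the source tree (which the ignore-glob change suggests in-tree builds do leave behind) would shadow the header this build just generated. Searching the build directory first avoids that: `CPPFLAGS = @CPPFLAGS@ -I. -I@srcdir@ @DEFS@`. This matters more than a normal stale-header problem because the file carries the DH group every server built from this tree will use, and nothing in the build would reveal that an old one was picked up.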
@@ -53,10 +58,11 @@
 
 # Clean the local build directory back to what it was after unpacking the
 # distribution tarball
 distclean: clean
 rm -f config.log config.status
+ rm -f dh_params.h.new dh_params.h
 rm -f Makefile pkgIndex.tcl
 
 # Clean the local build directory back to only thing things that exist in
 # version control system
 mrproper: distclean
ADDED gen_dh_params
Index: gen_dh_params
==================================================================
--- /dev/null
+++ gen_dh_params
@@ -0,0 +1,88 @@
+#! /usr/bin/env bash
+
+bits='2048'
+
+function openssl_dhparam() {
+ local output
+
+ if [ -x "$(which openssl 2>/dev/null)" ]; then
+ output="$(set -o pipefail; openssl dhparam -C "$@" 2>/dev/null | sed '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d')" || return 1
+
+ echo "${output}"
+
+ return 0
+ fi
+
+ return 1
+}
+
+function gen_dh_params_openssl() {
+ openssl_dhparam "${bits}" < /dev/null || return 1
+ return 0
+}
+
+function gen_dh_params_remote() {
+ local input output url
+
+ url="https://2ton.com.au/dhparam/${bits}"
+
+ input="$(curl "${url}")" || \
+ input="$(wget -O - -o /dev/null "${url}")" || return 1
+
+ if output="$(echo "${input}" | openssl_dhparam)"; then
+ echo "${output}"
+
+ return 0
+ fi
+
+ return 1
+}
+
+function gen_dh_params_fallback() {
+ cat << \_EOF_
+DH *get_dh2048()
+ {
+ static unsigned char dh2048_p[]={
+ 0xC1,0x51,0x58,0x69,0xFB,0xE8,0x6C,0x47,0x2B,0x86,0x61,0x4F,
+ 0x20,0x2E,0xD3,0xFC,0x19,0xEE,0xB8,0xF3,0x35,0x7D,0xBA,0x86,
+ 0x2A,0xC3,0xC8,0x6E,0xF4,0x99,0x75,0x65,0xD3,0x7A,0x9E,0xDF,
+ 0xD4,0x1F,0x88,0xE3,0x17,0xFC,0xA1,0xED,0xA2,0xB6,0x77,0x84,
+ 0xAA,0x08,0xF2,0x97,0x59,0x7A,0xA0,0x03,0x0D,0x3E,0x7E,0x6D,
+ 0x65,0x6A,0xA4,0xEA,0x54,0xA9,0x52,0x5F,0x63,0xB4,0xBC,0x98,
+ 0x4E,0xF6,0xE1,0xA4,0xEE,0x16,0x0A,0xB0,0x01,0xBD,0x9F,0xA1,
+ 0xE8,0x23,0x29,0x56,0x40,0x95,0x13,0xEB,0xCB,0xD5,0xFC,0x76,
+ 0x1A,0x41,0x26,0xCE,0x20,0xEB,0x30,0x10,0x17,0x07,0xE1,0x8C,
+ 0xAC,0x57,0x37,0x8B,0xE8,0x01,0xDE,0xA9,0xEF,0xA4,0xC2,0xA4,
+ 0x6E,0x48,0x25,0x11,0x33,0x11,0xD4,0x52,0x79,0x87,0x9F,0x75,
+ 0x61,0xF7,0x9C,0x7D,0x36,0x41,0xCB,0xEC,0x8F,0xEA,0x4A,0x47,
+ 0x6A,0x36,0x37,0x75,0xB9,0x8E,0xF5,0x5F,0x67,0xCF,0x1F,0xD8,
+ 0xCA,0x70,0x42,0xC7,0xA2,0xED,0x0F,0x7D,0xBE,0x43,0x08,0x28,
+ 0x66,0x3D,0xDD,0x87,0x0D,0x61,0x6E,0xD0,0xE7,0x49,0xD1,0x70,
+ 0xA9,0x4D,0xD5,0xFD,0xED,0xF2,0x6D,0x32,0x17,0x97,0x5B,0x06,
+ 0x60,0x9C,0x5F,0xA3,0x5D,0x34,0x14,0x7E,0x63,0x54,0xE4,0x7E,
+ 0x09,0x8F,0xBB,0x8E,0xA0,0xD0,0x96,0xAC,0x30,0x20,0x39,0x3B,
+ 0x8C,0x92,0x65,0x37,0x0A,0x8F,0xEC,0x72,0x8B,0x61,0x7D,0x62,
+ 0x24,0x54,0xE9,0x1D,0x01,0x68,0x89,0xC4,0x7B,0x3C,0x48,0x62,
+ 0x9B,0x83,0x11,0x3A,0x0B,0x0D,0xEF,0x5A,0xE4,0x7A,0xA0,0x69,
+ 0xF4,0x54,0xB5,0x5B,
+ };
+ static unsigned char dh2048_g[]={
+ 0x02,
+ };
+ DH *dh;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+ dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+ if ((dh->p == NULL) || (dh->g == NULL))
+ { DH_free(dh); return(NULL); }
+ return(dh);
+ }
+_EOF_
+}
+
+gen_dh_params_openssl && exit 0
+gen_dh_params_remote && exit 0
+gen_dh_params_fallback && exit 0
+
+exit 1
Index: tls.c
==================================================================
--- tls.c
+++ tls.c
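Review bot: `gen_dh_params_remote` embeds a DH group downloaded from a third-party site into the shipped library without any validation, and the `openssl dhparam -C` call in `openssl_dhparam` only re-encodes whatever it is fed, so a compromised or malicious server could hand back a composite or otherwise weak p that every build lacking a local openssl would then ship. At minimum run the downloaded PEM through `openssl dhparam -check` before accepting it (some OpenSSL releases only print the check result rather than exit non-zero, so the output has to be inspected as well), and consider making the remote fetch an explicit opt-in instead of an automatic fallback, since even a group that passes `-check` cannot be told apart from a trapdoored one. The `curl "${url}"` call lacks `-f`, so an HTTP error page is accepted as input and the wget alternative is never tried; `input="$(curl -fsS "${url}")" || \` keeps the fallback chain meaningful. Separately, the hardcoded fallback assigns `dh->p`/`dh->g` directly, which only compiles where the `DH` structure is not opaque — confirm the OpenSSL versions this project supports, or emit `DH_set0_pqg(dh, p, NULL, g)` there instead.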
@@ -77,54 +77,11 @@
 
 /*
 * Static data structures
 */
 #ifndef OPENSSL_NO_DH
-/* code derived from output of 'openssl dhparam -C 2048' */
-
-static unsigned char dh2048_p[]={
- 0xEC,0xFD,0x6F,0x66,0xD8,0xBC,0xB4,0xCB,0xD7,0xE7,0xB4,0xAE,
- 0xEC,0xC0,0x06,0x25,0x40,0x9F,0x3F,0xC4,0xAC,0x34,0x19,0x36,
- 0x8A,0xAB,0xA9,0xF6,0x45,0x36,0x87,0x1F,0x10,0x35,0x3F,0x90,
- 0x00,0xC6,0x7A,0xE8,0x51,0xF4,0x7F,0x50,0x0F,0xC2,0x82,0x91,
- 0xAD,0x60,0x1B,0x49,0xB1,0x0B,0x23,0xC3,0x37,0xAE,0x0D,0x2C,
- 0x49,0xC6,0xFB,0x60,0x9D,0x50,0x2F,0x8C,0x2F,0xDE,0xE6,0x5F,
- 0x53,0x8B,0x5F,0xF9,0x70,0x16,0xEE,0x51,0xD1,0xAB,0x02,0x48,
- 0x61,0xF1,0xA0,0xD7,0xBD,0x04,0x24,0xF0,0xE4,0xD1,0x0A,0x4C,
- 0x28,0xDC,0x22,0x78,0x7C,0xED,0x2A,0xFA,0xF4,0x57,0x7C,0xAE,
- 0xDF,0x52,0xC6,0xA2,0x11,0x28,0xC5,0x3B,0xB8,0x2F,0x95,0x3F,
- 0x1E,0x05,0x66,0xFE,0x7D,0x1A,0x73,0xA0,0x45,0xF8,0xBB,0x8C,
- 0x64,0xB9,0xA9,0x4D,0x23,0xBE,0x20,0x60,0xA2,0xF7,0xC7,0xD8,
- 0xD8,0x49,0x28,0x9A,0x81,0xAC,0xF9,0x7F,0x3C,0xFC,0xBE,0x25,
- 0x5B,0x1D,0xB6,0xAB,0x08,0x06,0x11,0x8D,0x94,0x69,0x3C,0x68,
- 0x98,0x5A,0x90,0xF8,0xEB,0x19,0xCA,0x9F,0x1C,0x50,0x96,0x53,
- 0xEF,0xEC,0x1B,0x93,0x4F,0x53,0xB7,0xD9,0x04,0x8E,0x48,0x99,
- 0x6E,0x24,0xFF,0x66,0xF5,0xB0,0xDF,0x00,0xBA,0x22,0xE2,0xB6,
- 0xE3,0x3A,0xC2,0x95,0xB1,0x14,0x68,0xFB,0xA5,0x37,0x22,0x78,
- 0x56,0x5C,0xA4,0x23,0x31,0x02,0x97,0x7D,0xA9,0x84,0x0B,0x12,
- 0x26,0x58,0x2F,0x86,0x10,0xAD,0xB0,0xAB,0xB9,0x7B,0x05,0x9A,
- 0xDE,0x11,0xF1,0xE7,0x34,0xC7,0x95,0x42,0x1C,0x4F,0xA9,0xA8,
- 0x92,0xDF,0x3F,0x7B,
- };
-static unsigned char dh2048_g[]={
- 0x02,
-};
-
-
-static DH *get_dh2048()
-{
- DH *dh=NULL;
-
- if ((dh=DH_new()) == NULL) return(NULL);
-
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-
- if ((dh->p == NULL) || (dh->g == NULL))
- return(NULL);
- return(dh);
-}
+#include "dh_params.h"
 #endif
 
 /*
 * Defined in Tls_Init to determine what kind of channels we are using
 * (old-style 8.2.0-8.3.1 or new-style 8.3.2+).
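Review bot: The `get_dh2048()` that this `#include "dh_params.h"` pulls in is, going by the generator's output format in this same commit, defined as `DH *get_dh2048()` without `static`, whereas the definition it replaces was `static`; the function therefore becomes an external symbol of the extension and can collide with any other object that embeds `openssl dhparam -C` output. Keeping it file-local needs either the generator to prefix the definition with `static`, or a prior declaration here that fixes the linkage, e.g. `static DH *get_dh2048(void);` placed before the include (a later definition without a storage-class specifier inherits the internal linkage of the visible prior declaration). The callers of `get_dh2048()` are outside this hunk, so the reader cannot see which of the generator's three sources (local openssl, remote download, hardcoded group) produced the header; a comment on the include such as `/* Generated at build time by gen_dh_params; see Makefile.in */` would make that dependency explicit.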