Index: generic/gen_dh_params ================================================================== --- generic/gen_dh_params +++ generic/gen_dh_params @@ -11,33 +11,80 @@ bits="`echo "${arg}" | cut -f 2 -d =`" ;; esac done -openssl_dhparam() { +openssl_dhparam1() { if openssl dhparam -C "$@" | sed \ -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/' \ -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d' then return 0 fi return 1 } + +# OpenSSL 3.0 openssl-dhparam has no "-C" option, so we emulate it here +openssl_dhparam3() { + if openssl dhparam -text 2048 | \ + sed -E -e '/^---/,/^---/d' \ + -e '/(DH|prime|generator)/d' \ + -e 's/([0-9a-h]{2})(:|$$)/0x\1, /g' \ + -e generateddh.txt + then + else + return 0 + fi + + + cat << \_EOF_ +/* + * OpenSSL no longer offers the "-C" option for its dhparam + * subcommand, so we keep our own C-code here... + */ + +static DH * get_dhParams(void) { + static unsigned char dhp_2048[] = { +#include "generateddh.txt" + }; + static unsigned char dhg_2048[] = { + 0x02 + }; + DH *dh = DH_new(); + BIGNUM *p, *g; + + if (dh == NULL) + return NULL; + p = BN_bin2bn(dhp_2048, sizeof(dhp_2048), NULL); + g = BN_bin2bn(dhg_2048, sizeof(dhg_2048), NULL); + if (p == NULL || g == NULL + || !DH_set0_pqg(dh, p, NULL, g)) { + DH_free(dh); + BN_free(p); + BN_free(g); + return NULL; + } + return dh; +} +_EOF_ + + return 0 +} gen_dh_params_openssl() { - openssl_dhparam "${bits}" < /dev/null || return 1 + openssl_dhparam3 "${bits}" < /dev/null || return 1 return 0 } gen_dh_params_remote() { url="https://2ton.com.au/dhparam/${bits}" r_input="`curl -sS "${url}"`" || \ r_input="`wget -O - -o /dev/null "${url}"`" || return 1 - if r_output="`echo "${r_input}" | openssl_dhparam`"; then + if r_output="`echo "${r_input}" | openssl_dhparam1`"; then echo "${r_output}" return 0 fi 
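Review bot: openssl_dhparam3 ignores the size it is handed: gen_dh_params_openssl still passes `"${bits}"`, but the new function runs `openssl dhparam -text 2048` unconditionally, so a request for larger parameters silently produces 2048-bit ones (with arrays named dhp_2048). The `if … then else return 0 fi` is also wrong — an empty then-branch is a shell syntax error as rendered, and returning 0 from the else-branch means a failed generation makes the caller's `gen_dh_params_openssl && exit 0` exit successfully with no C code, so the built-in fallback parameters are never reached; and because only sed's status is visible in that pipeline, an openssl failure would not be noticed anyway. In the sed script `[0-9a-h]` should be `[0-9a-f]`, `$$` inside single quotes is probably meant as the `$` anchor, and if the installed OpenSSL 3 labels the values `P:`/`G:` rather than `prime`/`generator`, those lines pass the filter into the array — verify against real `-text` output. Writing `generateddh.txt` into the working directory and `#include`-ing it by relative path makes the generated source depend on a loose file at compile time; emitting the bytes inline keeps it self-contained, and the emitted C should carry the same `#include` lines the fallback heredoc gets (presumably `<openssl/dh.h>` and `<openssl/bn.h>`, whose names are not visible here). A sketch that honours the size, propagates failure and inlines the bytes:
```shell
openssl_dhparam3() {
    dhbits="${1:-2048}"
    # Capture openssl's own exit status; in a pipeline only sed's is seen.
    dhtext="`openssl dhparam -text "${dhbits}"`" || return 1
    dhhex="`echo "${dhtext}" | sed -E -e '/^---/,/^---/d' \
        -e '/(DH|prime|generator|P:|G:)/d' \
        -e 's/([0-9a-f]{2})(:|$)/0x\1, /g'`"
    [ -n "${dhhex}" ] || return 1

    cat << _EOF_
#include <openssl/dh.h>
#include <openssl/bn.h>
/* … unchanged: explanatory comment block … */
static DH * get_dhParams(void) {
    static unsigned char dhp_${dhbits}[] = {
${dhhex}
    };
    static unsigned char dhg_${dhbits}[] = {
        0x02
    };
    /* … unchanged: DH_new / BN_bin2bn / DH_set0_pqg body, referencing dhp_${dhbits} and dhg_${dhbits} … */
}
_EOF_
    return 0
}
```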
@@ -44,10 +91,12 @@ return 1 } gen_dh_params_fallback() { cat << \_EOF_ +#include +#include DH *get_dhParams(void) { static unsigned char dhp[] = { _EOF_ case "${bits}" in 2048) @@ -268,13 +317,13 @@ echo "** Generating DH Primes. **" >&2 echo "** This will take a while. **" >&2 echo "*****************************" >&2 echo "Use OpenSSL" >&2 gen_dh_params_openssl && exit 0 -echo "Use Remote" >&2 -gen_dh_params_remote && exit 0 +#echo "Use Remote" >&2 +#gen_dh_params_remote && exit 0 echo "Use fallback" >&2 gen_dh_params_fallback && exit 0 echo "Unable to generate parameters for DH of ${bits} bits" >&2 exit 1 Index: generic/tls.c ================================================================== --- generic/tls.c +++ generic/tls.c @@ -1326,11 +1326,11 @@ OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-post_handshake", post_handshake); OPTBOOL("-request", request); OPTBOOL("-require", require); - OPTINT("-security_level", level); + OPTINT("-securitylevel", level); OPTBOOL("-server", server); OPTSTR("-servername", servername); OPTSTR("-session_id", session_id); OPTBOOL("-ssl2", ssl2); OPTBOOL("-ssl3", ssl3); 
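Review bot: The two `#include` lines added to the fallback heredoc appear here without header names (possibly lost in rendering), but whichever headers they are, the fallback still emits `DH *get_dhParams(void)` with external linkage while the new openssl_dhparam3 heredoc emits `static DH * get_dhParams(void)` — the two generators should agree on linkage so the consumer's declaration matches regardless of which path produced the file. It is also worth a comment that `DH_new`/`DH_set0_pqg`/`BN_bin2bn` are deprecated in OpenSSL 3.0: the emitted code compiles with deprecation warnings unless the consumer sets `OPENSSL_API_COMPAT` or silences them, and the non-deprecated route is EVP_PKEY/OSSL_PARAM — e.g. `/* DH_* API is deprecated in OpenSSL 3.0; kept until the consumer moves to EVP_PKEY */` above the function. gen_dh_params_fallback continues past the end of this hunk.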
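Review bot: Commenting out the `Use Remote` step leaves `gen_dh_params_remote`, with its curl/wget fetch of DH parameters from a third-party site, as dead code that can be re-enabled by uncommenting two lines, and nothing in the hunk records why it was turned off. Delete the function together with these two lines, or replace them with a one-line comment stating the reason, e.g. `# Remote fetch (2ton.com.au) disabled: third-party parameters cannot be verified locally` — adjust to the actual motivation, which is not visible here. Note that with this step gone the hard-coded fallback now runs only when gen_dh_params_openssl returns non-zero, so that function's failure path must actually report failure.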
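Review bot: Renaming the option string from `-security_level` to `-securitylevel` breaks every existing caller using the old spelling, which now falls through to the OPTBAD error; the neighbouring options in this list (`-session_id`, `-post_handshake`) keep the underscore form, so the new name is also inconsistent with them. If the rename is intended, keep the old spelling as an alias for at least one release, `OPTINT("-security_level", level); /* deprecated alias for -securitylevel */`, placed next to the new line. The option-parsing loop this sits in starts before the hunk.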
@@ -1339,11 +1339,11 @@ OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); - OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); + OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -securitylevel, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;