Make no-dh work, plus other no-dh problems found by Richard.
Reviewed-by: Rich Salz <rsalz@openssl.org>
@@ -55,7 +55,9 @@
|
|||||||
# include <errno.h>
|
# include <errno.h>
|
||||||
# include <string.h>
|
# include <string.h>
|
||||||
#endif
|
#endif
|
||||||
#include <openssl/dh.h>
|
#ifndef OPENSSL_NO_DH
|
||||||
|
# include <openssl/dh.h>
|
||||||
|
#endif
|
||||||
#include <openssl/dsa.h>
|
#include <openssl/dsa.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#include <openssl/rsa.h>
|
#include <openssl/rsa.h>
|
||||||
@@ -125,11 +127,13 @@ static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen,
|
|||||||
DSA *dsa);
|
DSA *dsa);
|
||||||
static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
|
static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
|
||||||
DSA_SIG *sig, DSA *dsa);
|
DSA_SIG *sig, DSA *dsa);
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
|
static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
|
||||||
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
|
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
|
||||||
BN_MONT_CTX *m_ctx);
|
BN_MONT_CTX *m_ctx);
|
||||||
static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key,
|
static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key,
|
||||||
DH *dh);
|
DH *dh);
|
||||||
|
#endif
|
||||||
static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
|
static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
|
||||||
void (*f) (void));
|
void (*f) (void));
|
||||||
void ENGINE_load_cryptodev(void);
|
void ENGINE_load_cryptodev(void);
|
||||||
@@ -1364,6 +1368,7 @@ static DSA_METHOD cryptodev_dsa = {
|
|||||||
NULL /* app_data */
|
NULL /* app_data */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
static int
|
static int
|
||||||
cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
|
cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
|
||||||
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
|
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
|
||||||
@@ -1425,6 +1430,8 @@ static DH_METHOD cryptodev_dh = {
|
|||||||
NULL /* app_data */
|
NULL /* app_data */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#endif /* ndef OPENSSL_NO_DH */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* ctrl right now is just a wrapper that doesn't do much
|
* ctrl right now is just a wrapper that doesn't do much
|
||||||
* but I expect we'll want some options soon.
|
* but I expect we'll want some options soon.
|
||||||
@@ -1512,6 +1519,7 @@ void ENGINE_load_cryptodev(void)
|
|||||||
cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify;
|
cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
if (ENGINE_set_DH(engine, &cryptodev_dh)) {
|
if (ENGINE_set_DH(engine, &cryptodev_dh)) {
|
||||||
const DH_METHOD *dh_meth = DH_OpenSSL();
|
const DH_METHOD *dh_meth = DH_OpenSSL();
|
||||||
|
|
||||||
@@ -1524,6 +1532,7 @@ void ENGINE_load_cryptodev(void)
|
|||||||
cryptodev_dh.compute_key = cryptodev_dh_compute_key;
|
cryptodev_dh.compute_key = cryptodev_dh_compute_key;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
ENGINE_add(engine);
|
ENGINE_add(engine);
|
||||||
ENGINE_free(engine);
|
ENGINE_free(engine);
|
||||||
|
12
ssl/s3_lib.c
12
ssl/s3_lib.c
@@ -4250,16 +4250,14 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
|
|||||||
|
|
||||||
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||||
{
|
{
|
||||||
CERT *cert;
|
|
||||||
|
|
||||||
cert = ctx->cert;
|
|
||||||
|
|
||||||
switch (cmd) {
|
switch (cmd) {
|
||||||
#ifndef OPENSSL_NO_DH
|
#ifndef OPENSSL_NO_DH
|
||||||
case SSL_CTRL_SET_TMP_DH:
|
case SSL_CTRL_SET_TMP_DH:
|
||||||
{
|
{
|
||||||
DH *new = NULL, *dh;
|
DH *new = NULL, *dh;
|
||||||
|
CERT *cert;
|
||||||
|
|
||||||
|
cert = ctx->cert;
|
||||||
dh = (DH *)parg;
|
dh = (DH *)parg;
|
||||||
if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
|
if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
|
||||||
DH_security_bits(dh), 0, dh)) {
|
DH_security_bits(dh), 0, dh)) {
|
||||||
@@ -4464,15 +4462,11 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
|||||||
|
|
||||||
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
|
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
|
||||||
{
|
{
|
||||||
CERT *cert;
|
|
||||||
|
|
||||||
cert = ctx->cert;
|
|
||||||
|
|
||||||
switch (cmd) {
|
switch (cmd) {
|
||||||
#ifndef OPENSSL_NO_DH
|
#ifndef OPENSSL_NO_DH
|
||||||
case SSL_CTRL_SET_TMP_DH_CB:
|
case SSL_CTRL_SET_TMP_DH_CB:
|
||||||
{
|
{
|
||||||
cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
|
cxt->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
|
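Review bot: `cxt` on the new side of the SSL_CTRL_SET_TMP_DH_CB case in ssl3_ctx_callback_ctrl is not a declared name; the parameter is `ctx`, so this line will not compile in any build where OPENSSL_NO_DH is not defined, which is the default configuration. The line should read `ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;`. The same hunk drops the function-level `cert` local and its `cert = ctx->cert;` assignment, so nothing else in the visible part of the function depends on that name; the function continues outside the hunk, so any remaining `cert` use further down would need the same treatment.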
@@ -1729,7 +1729,6 @@ int tls_construct_server_key_exchange(SSL *s)
|
|||||||
int al, i;
|
int al, i;
|
||||||
unsigned long type;
|
unsigned long type;
|
||||||
int n;
|
int n;
|
||||||
CERT *cert;
|
|
||||||
BIGNUM *r[4];
|
BIGNUM *r[4];
|
||||||
int nr[4], kn;
|
int nr[4], kn;
|
||||||
BUF_MEM *buf;
|
BUF_MEM *buf;
|
||||||
@@ -1742,7 +1741,6 @@ int tls_construct_server_key_exchange(SSL *s)
|
|||||||
}
|
}
|
||||||
|
|
||||||
type = s->s3->tmp.new_cipher->algorithm_mkey;
|
type = s->s3->tmp.new_cipher->algorithm_mkey;
|
||||||
cert = s->cert;
|
|
||||||
|
|
||||||
buf = s->init_buf;
|
buf = s->init_buf;
|
||||||
|
|
||||||
@@ -1763,6 +1761,8 @@ int tls_construct_server_key_exchange(SSL *s)
|
|||||||
#endif /* !OPENSSL_NO_PSK */
|
#endif /* !OPENSSL_NO_PSK */
|
||||||
#ifndef OPENSSL_NO_DH
|
#ifndef OPENSSL_NO_DH
|
||||||
if (type & (SSL_kDHE | SSL_kDHEPSK)) {
|
if (type & (SSL_kDHE | SSL_kDHEPSK)) {
|
||||||
|
CERT *cert = s->cert;
|
||||||
|
|
||||||
if (s->cert->dh_tmp_auto) {
|
if (s->cert->dh_tmp_auto) {
|
||||||
dhp = ssl_get_auto_dh(s);
|
dhp = ssl_get_auto_dh(s);
|
||||||
if (dhp == NULL) {
|
if (dhp == NULL) {
|
||||||
|
@@ -54,6 +54,7 @@
|
|||||||
|
|
||||||
use strict;
|
use strict;
|
||||||
use OpenSSL::Test qw/:DEFAULT cmdstr top_file top_dir/;
|
use OpenSSL::Test qw/:DEFAULT cmdstr top_file top_dir/;
|
||||||
|
use OpenSSL::Test::Utils;
|
||||||
use TLSProxy::Proxy;
|
use TLSProxy::Proxy;
|
||||||
|
|
||||||
my $test_name = "test_sslskewith0p";
|
my $test_name = "test_sslskewith0p";
|
||||||
@@ -64,6 +65,9 @@ plan skip_all => "$test_name can only be performed with OpenSSL configured share
|
|||||||
grep { /^SHARED_LIBS=/ }
|
grep { /^SHARED_LIBS=/ }
|
||||||
do { local @ARGV = ( top_file("Makefile") ); <> })[0] ne "";
|
do { local @ARGV = ( top_file("Makefile") ); <> })[0] ne "";
|
||||||
|
|
||||||
|
plan skip_all => "dh is not supported by this OpenSSL build"
|
||||||
|
if disabled("dh");
|
||||||
|
|
||||||
$ENV{OPENSSL_ENGINES} = top_dir("engines");
|
$ENV{OPENSSL_ENGINES} = top_dir("engines");
|
||||||
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
|
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
|
||||||
my $proxy = TLSProxy::Proxy->new(
|
my $proxy = TLSProxy::Proxy->new(
|
||||||
|