Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
btwise
openssl
提交
e2b420fd
O
openssl
项目概览
btwise
/
openssl
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
O
openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
e2b420fd
编写于
12月 17, 2015
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Server side EVP_PKEY DH support
Reviewed-by:
N
Matt Caswell
<
matt@openssl.org
>
上级
6c4e6670
变更
5
隐藏空白更改
内联
并排
Showing
5 changed file
with
85 addition
and
88 deletion
+85
-88
include/openssl/ssl.h
include/openssl/ssl.h
+1
-1
ssl/s3_lib.c
ssl/s3_lib.c
+25
-24
ssl/ssl_cert.c
ssl/ssl_cert.c
+3
-22
ssl/ssl_locl.h
ssl/ssl_locl.h
+1
-1
ssl/statem/statem_srvr.c
ssl/statem/statem_srvr.c
+55
-40
未找到文件。
include/openssl/ssl.h
浏览文件 @
e2b420fd
...
...
@@ -1836,7 +1836,7 @@ __owur const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
/* Sanity check of curve server selects */
# define SSL_SECOP_CURVE_CHECK (6 | SSL_SECOP_OTHER_CURVE)
/* Temporary DH key */
# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_
DH
)
# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_
PKEY
)
/* SSL/TLS version */
# define SSL_SECOP_VERSION (9 | SSL_SECOP_OTHER_NONE)
/* Session tickets */
...
...
ssl/s3_lib.c
浏览文件 @
e2b420fd
...
...
@@ -3488,21 +3488,24 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case
SSL_CTRL_SET_TMP_DH
:
{
DH
*
dh
=
(
DH
*
)
parg
;
EVP_PKEY
*
pkdh
=
NULL
;
if
(
dh
==
NULL
)
{
SSLerr
(
SSL_F_SSL3_CTRL
,
ERR_R_PASSED_NULL_PARAMETER
);
return
(
ret
);
}
pkdh
=
ssl_dh_to_pkey
(
dh
);
if
(
pkdh
==
NULL
)
{
SSLerr
(
SSL_F_SSL3_CTRL
,
ERR_R_MALLOC_FAILURE
);
return
0
;
}
if
(
!
ssl_security
(
s
,
SSL_SECOP_TMP_DH
,
DH_security_bits
(
dh
),
0
,
dh
))
{
EVP_PKEY_security_bits
(
pkdh
),
0
,
pk
dh
))
{
SSLerr
(
SSL_F_SSL3_CTRL
,
SSL_R_DH_KEY_TOO_SMALL
);
return
(
ret
);
EVP_PKEY_free
(
pkdh
);
return
ret
;
}
if
((
dh
=
DHparams_dup
(
dh
))
==
NULL
)
{
SSLerr
(
SSL_F_SSL3_CTRL
,
ERR_R_DH_LIB
);
return
(
ret
);
}
DH_free
(
s
->
cert
->
dh_tmp
);
s
->
cert
->
dh_tmp
=
dh
;
EVP_PKEY_free
(
s
->
cert
->
dh_tmp
);
s
->
cert
->
dh_tmp
=
pkdh
;
ret
=
1
;
}
break
;
...
...
@@ -3851,27 +3854,25 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
#ifndef OPENSSL_NO_DH
case
SSL_CTRL_SET_TMP_DH
:
{
DH
*
new
=
NULL
,
*
dh
;
CERT
*
cert
;
cert
=
ctx
->
cert
;
dh
=
(
DH
*
)
parg
;
if
(
!
ssl_ctx_security
(
ctx
,
SSL_SECOP_TMP_DH
,
DH_security_bits
(
dh
),
0
,
dh
))
{
SSLerr
(
SSL_F_SSL3_CTX_CTRL
,
SSL_R_DH_KEY_TOO_SMALL
);
DH
*
dh
=
(
DH
*
)
parg
;
EVP_PKEY
*
pkdh
=
NULL
;
if
(
dh
==
NULL
)
{
SSLerr
(
SSL_F_SSL3_CTX_CTRL
,
ERR_R_PASSED_NULL_PARAMETER
);
return
0
;
}
if
((
new
=
DHparams_dup
(
dh
))
==
NULL
)
{
SSLerr
(
SSL_F_SSL3_CTX_CTRL
,
ERR_R_DH_LIB
);
pkdh
=
ssl_dh_to_pkey
(
dh
);
if
(
pkdh
==
NULL
)
{
SSLerr
(
SSL_F_SSL3_CTX_CTRL
,
ERR_R_MALLOC_FAILURE
);
return
0
;
}
if
(
!
DH_generate_key
(
new
))
{
SSLerr
(
SSL_F_SSL3_CTX_CTRL
,
ERR_R_DH_LIB
);
DH_free
(
new
);
return
0
;
if
(
!
ssl_ctx_security
(
ctx
,
SSL_SECOP_TMP_DH
,
EVP_PKEY_security_bits
(
pkdh
),
0
,
pkdh
))
{
SSLerr
(
SSL_F_SSL3_CTX_CTRL
,
SSL_R_DH_KEY_TOO_SMALL
);
EVP_PKEY_free
(
pkdh
);
return
1
;
}
DH_free
(
cert
->
dh_tmp
);
c
ert
->
dh_tmp
=
new
;
EVP_PKEY_free
(
ctx
->
cert
->
dh_tmp
);
c
tx
->
cert
->
dh_tmp
=
pkdh
;
return
1
;
}
/*
...
...
ssl/ssl_cert.c
浏览文件 @
e2b420fd
...
...
@@ -197,27 +197,8 @@ CERT *ssl_cert_dup(CERT *cert)
#ifndef OPENSSL_NO_DH
if
(
cert
->
dh_tmp
!=
NULL
)
{
ret
->
dh_tmp
=
DHparams_dup
(
cert
->
dh_tmp
);
if
(
ret
->
dh_tmp
==
NULL
)
{
SSLerr
(
SSL_F_SSL_CERT_DUP
,
ERR_R_DH_LIB
);
goto
err
;
}
if
(
cert
->
dh_tmp
->
priv_key
)
{
BIGNUM
*
b
=
BN_dup
(
cert
->
dh_tmp
->
priv_key
);
if
(
!
b
)
{
SSLerr
(
SSL_F_SSL_CERT_DUP
,
ERR_R_BN_LIB
);
goto
err
;
}
ret
->
dh_tmp
->
priv_key
=
b
;
}
if
(
cert
->
dh_tmp
->
pub_key
)
{
BIGNUM
*
b
=
BN_dup
(
cert
->
dh_tmp
->
pub_key
);
if
(
!
b
)
{
SSLerr
(
SSL_F_SSL_CERT_DUP
,
ERR_R_BN_LIB
);
goto
err
;
}
ret
->
dh_tmp
->
pub_key
=
b
;
}
ret
->
dh_tmp
=
cert
->
dh_tmp
;
EVP_PKEY_up_ref
(
ret
->
dh_tmp
);
}
ret
->
dh_tmp_cb
=
cert
->
dh_tmp_cb
;
ret
->
dh_tmp_auto
=
cert
->
dh_tmp_auto
;
...
...
@@ -370,7 +351,7 @@ void ssl_cert_free(CERT *c)
#endif
#ifndef OPENSSL_NO_DH
DH
_free
(
c
->
dh_tmp
);
EVP_PKEY
_free
(
c
->
dh_tmp
);
#endif
ssl_cert_clear_certs
(
c
);
...
...
ssl/ssl_locl.h
浏览文件 @
e2b420fd
...
...
@@ -1489,7 +1489,7 @@ typedef struct cert_st {
*/
CERT_PKEY
*
key
;
# ifndef OPENSSL_NO_DH
DH
*
dh_tmp
;
EVP_PKEY
*
dh_tmp
;
DH
*
(
*
dh_tmp_cb
)
(
SSL
*
ssl
,
int
is_export
,
int
keysize
);
int
dh_tmp_auto
;
# endif
...
...
ssl/statem/statem_srvr.c
浏览文件 @
e2b420fd
...
...
@@ -1714,7 +1714,7 @@ int tls_construct_server_done(SSL *s)
int
tls_construct_server_key_exchange
(
SSL
*
s
)
{
#ifndef OPENSSL_NO_DH
DH
*
dh
=
NULL
,
*
dhp
;
EVP_PKEY
*
pkdh
=
NULL
;
#endif
#ifndef OPENSSL_NO_EC
unsigned
char
*
encodedPoint
=
NULL
;
...
...
@@ -1761,49 +1761,66 @@ int tls_construct_server_key_exchange(SSL *s)
if
(
type
&
(
SSL_kDHE
|
SSL_kDHEPSK
))
{
CERT
*
cert
=
s
->
cert
;
EVP_PKEY
*
pkdhp
=
NULL
;
DH
*
dh
;
if
(
s
->
cert
->
dh_tmp_auto
)
{
dhp
=
ssl_get_auto_dh
(
s
);
if
(
dhp
==
NULL
)
{
DH
*
dhp
=
ssl_get_auto_dh
(
s
);
pkdh
=
EVP_PKEY_new
();
if
(
pkdh
==
NULL
||
dhp
==
NULL
)
{
DH_free
(
dhp
);
al
=
SSL_AD_INTERNAL_ERROR
;
SSLerr
(
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE
,
ERR_R_INTERNAL_ERROR
);
goto
f_err
;
}
}
else
dhp
=
cert
->
dh_tmp
;
if
((
dhp
==
NULL
)
&&
(
s
->
cert
->
dh_tmp_cb
!=
NULL
))
dhp
=
s
->
cert
->
dh_tmp_cb
(
s
,
0
,
1024
);
if
(
dhp
==
NULL
)
{
EVP_PKEY_assign_DH
(
pkdh
,
dhp
);
pkdhp
=
pkdh
;
}
else
{
pkdhp
=
cert
->
dh_tmp
;
}
if
((
pkdhp
==
NULL
)
&&
(
s
->
cert
->
dh_tmp_cb
!=
NULL
))
{
DH
*
dhp
=
s
->
cert
->
dh_tmp_cb
(
s
,
0
,
1024
);
pkdh
=
ssl_dh_to_pkey
(
dhp
);
if
(
pkdh
==
NULL
)
{
al
=
SSL_AD_INTERNAL_ERROR
;
SSLerr
(
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE
,
ERR_R_INTERNAL_ERROR
);
goto
f_err
;
}
pkdhp
=
pkdh
;
}
if
(
pkdhp
==
NULL
)
{
al
=
SSL_AD_HANDSHAKE_FAILURE
;
SSLerr
(
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE
,
SSL_R_MISSING_TMP_DH_KEY
);
goto
f_err
;
}
if
(
!
ssl_security
(
s
,
SSL_SECOP_TMP_DH
,
DH_security_bits
(
dhp
),
0
,
dhp
))
{
EVP_PKEY_security_bits
(
pkdhp
),
0
,
pk
dhp
))
{
al
=
SSL_AD_HANDSHAKE_FAILURE
;
SSLerr
(
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE
,
SSL_R_DH_KEY_TOO_SMALL
);
goto
f_err
;
}
if
(
s
->
s3
->
tmp
.
dh
!=
NULL
)
{
if
(
s
->
s3
->
tmp
.
pkey
!=
NULL
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
if
(
s
->
cert
->
dh_tmp_auto
)
dh
=
dhp
;
else
if
((
dh
=
DHparams_dup
(
dhp
))
==
NULL
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE
,
ERR_R_DH_LIB
);
goto
err
;
}
s
->
s3
->
tmp
.
pkey
=
ssl_generate_pkey
(
pkdhp
,
NID_undef
);
s
->
s3
->
tmp
.
dh
=
dh
;
if
(
!
DH_generate_key
(
dh
))
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE
,
ERR_R_DH_LIB
);
if
(
s
->
s3
->
tmp
.
pkey
==
NULL
)
{
SSLerr
(
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE
,
ERR_R_EVP_LIB
);
goto
err
;
}
dh
=
EVP_PKEY_get0_DH
(
s
->
s3
->
tmp
.
pkey
);
EVP_PKEY_free
(
pkdh
);
pkdh
=
NULL
;
r
[
0
]
=
dh
->
p
;
r
[
1
]
=
dh
->
g
;
r
[
2
]
=
dh
->
pub_key
;
...
...
@@ -2018,6 +2035,9 @@ int tls_construct_server_key_exchange(SSL *s)
f_err:
ssl3_send_alert
(
s
,
SSL3_AL_FATAL
,
al
);
err:
#ifndef OPENSSL_NO_DH
EVP_PKEY_free
(
pkdh
);
#endif
#ifndef OPENSSL_NO_EC
OPENSSL_free
(
encodedPoint
);
#endif
...
...
@@ -2107,10 +2127,6 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
RSA
*
rsa
=
NULL
;
EVP_PKEY
*
pkey
=
NULL
;
#endif
#ifndef OPENSSL_NO_DH
BIGNUM
*
pub
=
NULL
;
DH
*
dh_srvr
;
#endif
#ifndef OPENSSL_NO_EC
EVP_PKEY
*
ckey
=
NULL
;
#endif
...
...
@@ -2334,7 +2350,8 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
#endif
#ifndef OPENSSL_NO_DH
if
(
alg_k
&
(
SSL_kDHE
|
SSL_kDHEPSK
))
{
unsigned
char
shared
[(
OPENSSL_DH_MAX_MODULUS_BITS
+
7
)
/
8
];
EVP_PKEY
*
skey
=
NULL
;
DH
*
cdh
;
if
(
!
PACKET_get_net_2
(
pkt
,
&
i
))
{
if
(
alg_k
&
(
SSL_kDHE
|
SSL_kDHEPSK
))
{
...
...
@@ -2350,13 +2367,13 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG
);
goto
err
;
}
if
(
s
->
s3
->
tmp
.
dh
==
NULL
)
{
skey
=
s
->
s3
->
tmp
.
pkey
;
if
(
skey
==
NULL
)
{
al
=
SSL_AD_HANDSHAKE_FAILURE
;
SSLerr
(
SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE
,
SSL_R_MISSING_TMP_DH_KEY
);
goto
f_err
;
}
else
dh_srvr
=
s
->
s3
->
tmp
.
dh
;
}
if
(
PACKET_remaining
(
pkt
)
==
0L
)
{
al
=
SSL_AD_HANDSHAKE_FAILURE
;
...
...
@@ -2371,29 +2388,27 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
ERR_R_INTERNAL_ERROR
);
goto
f_err
;
}
pub
=
BN_bin2bn
(
data
,
i
,
NULL
);
if
(
pub
==
NULL
)
{
ckey
=
EVP_PKEY_new
(
);
if
(
ckey
==
NULL
||
EVP_PKEY_copy_parameters
(
ckey
,
skey
)
==
0
)
{
SSLerr
(
SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE
,
SSL_R_BN_LIB
);
goto
err
;
}
i
=
DH_compute_key
(
shared
,
pub
,
dh_srvr
);
if
(
i
<=
0
)
{
SSLerr
(
SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE
,
ERR_R_DH_LIB
);
BN_clear_free
(
pub
);
cdh
=
EVP_PKEY_get0_DH
(
ckey
);
cdh
->
pub_key
=
BN_bin2bn
(
data
,
i
,
NULL
);
if
(
cdh
->
pub_key
==
NULL
)
{
SSLerr
(
SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE
,
SSL_R_BN_LIB
);
goto
err
;
}
DH_free
(
s
->
s3
->
tmp
.
dh
);
s
->
s3
->
tmp
.
dh
=
NULL
;
BN_clear_free
(
pub
);
pub
=
NULL
;
if
(
!
ssl_generate_master_secret
(
s
,
shared
,
i
,
0
))
{
if
(
ssl_derive
(
s
,
skey
,
ckey
)
==
0
)
{
al
=
SSL_AD_INTERNAL_ERROR
;
SSLerr
(
SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE
,
ERR_R_INTERNAL_ERROR
);
goto
f_err
;
}
EVP_PKEY_free
(
ckey
);
ckey
=
NULL
;
}
else
#endif
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录
