Convert TLS auto DH parameters to use EVP_PKEY

author Matt Caswell <matt@openssl.org>

Wed, 14 Oct 2020 08:25:35 +0000 (09:25 +0100)

committer Matt Caswell <matt@openssl.org>

Wed, 18 Nov 2020 14:14:22 +0000 (14:14 +0000)
author Matt Caswell <matt@openssl.org>
Wed, 14 Oct 2020 08:25:35 +0000 (09:25 +0100)
committer Matt Caswell <matt@openssl.org>
Wed, 18 Nov 2020 14:14:22 +0000 (14:14 +0000)
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h

index 5e47320d62260d66cb237250b708b972c65712f3..67bb0a8d52de371dd00d7914733eeeb348f7e559 100644 (file)
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2693,7 +2693,7 @@ __owur int ssl_validate_ct(SSL *s);
  #  endif
  
  #  ifndef OPENSSL_NO_DH
-__owur DH *ssl_get_auto_dh(SSL *s);
+__owur EVP_PKEY *ssl_get_auto_dh(SSL *s);
  #  endif
  
  __owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c

index 9d5e73f62ce0853b6dcdba5dc1f394434c0b57fd..d45afebf075f069dab1d2690e43542aeeb3d9160 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2460,14 +2460,11 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
          DH *dh;
  
          if (s->cert->dh_tmp_auto) {
-            DH *dhp = ssl_get_auto_dh(s);
-            pkdh = EVP_PKEY_new();
-            if (pkdh == NULL || dhp == NULL) {
-                DH_free(dhp);
+            pkdh = ssl_get_auto_dh(s);
+            if (pkdh == NULL) {
                  SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                  goto err;
              }
-            EVP_PKEY_assign_DH(pkdh, dhp);
              pkdhp = pkdh;
          } else {
              pkdhp = cert->dh_tmp;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index ff80b81167716529f97d78620005e0dda355a38e..9089cb808656cf7cea0ac388ecd4b1f9fce2f7a2 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -19,6 +19,7 @@
  #include <openssl/dh.h>
  #include <openssl/bn.h>
  #include <openssl/provider.h>
+#include <openssl/param_build.h>
  #include "internal/nelem.h"
  #include "internal/evp.h"
  #include "internal/tlsgroups.h"
@@ -2873,12 +2874,15 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
      return tls1_check_chain(s, x, pk, chain, -1);
  }
  
-#ifndef OPENSSL_NO_DH
-DH *ssl_get_auto_dh(SSL *s)
+EVP_PKEY *ssl_get_auto_dh(SSL *s)
  {
-    DH *dhp;
-    BIGNUM *p, *g;
+    EVP_PKEY *dhp = NULL;
+    BIGNUM *p;
      int dh_secbits = 80;
+    EVP_PKEY_CTX *pctx = NULL;
+    OSSL_PARAM_BLD *tmpl = NULL;
+    OSSL_PARAM *params = NULL;
+
      if (s->cert->dh_tmp_auto != 2) {
          if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
              if (s->s3.tmp.new_cipher->strength_bits == 256)
@@ -2892,15 +2896,6 @@ DH *ssl_get_auto_dh(SSL *s)
          }
      }
  
-    dhp = DH_new();
-    if (dhp == NULL)
-        return NULL;
-    g = BN_new();
-    if (g == NULL || !BN_set_word(g, 2)) {
-        DH_free(dhp);
-        BN_free(g);
-        return NULL;
-    }
      if (dh_secbits >= 192)
          p = BN_get_rfc3526_prime_8192(NULL);
      else if (dh_secbits >= 152)
@@ -2911,15 +2906,31 @@ DH *ssl_get_auto_dh(SSL *s)
          p = BN_get_rfc3526_prime_2048(NULL);
      else
          p = BN_get_rfc2409_prime_1024(NULL);
-    if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
-        DH_free(dhp);
-        BN_free(p);
-        BN_free(g);
-        return NULL;
-    }
+    if (p == NULL)
+        goto err;
+
+    pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq);
+    if (pctx == NULL
+            || EVP_PKEY_key_fromdata_init(pctx) != 1)
+        goto err;
+
+    tmpl = OSSL_PARAM_BLD_new();
+    if (tmpl == NULL
+            || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
+            || !OSSL_PARAM_BLD_push_uint(tmpl, OSSL_PKEY_PARAM_FFC_G, 2))
+        goto err;
+
+    params = OSSL_PARAM_BLD_to_param(tmpl);
+    if (params == NULL || EVP_PKEY_fromdata(pctx, &dhp, params) != 1)
+        goto err;
+
+err:
+    OSSL_PARAM_BLD_free_params(params);
+    OSSL_PARAM_BLD_free(tmpl);
+    EVP_PKEY_CTX_free(pctx);
+    BN_free(p);
      return dhp;
  }
-#endif
  
  static int ssl_security_cert_key(SSL *s, SSL_CTX *ctx, X509 *x, int op)
  {
author	Matt Caswell <matt@openssl.org>
	Wed, 14 Oct 2020 08:25:35 +0000 (09:25 +0100)
committer	Matt Caswell <matt@openssl.org>
	Wed, 18 Nov 2020 14:14:22 +0000 (14:14 +0000)
ssl/ssl_local.h		patch \| blob \| blame \| history
ssl/statem/statem_srvr.c		patch \| blob \| blame \| history
ssl/t1_lib.c		patch \| blob \| blame \| history