From 163f6dc1f70f30de46a68137c36e70cae4d95cd8 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 15 Oct 2020 16:45:54 +0100 Subject: Implement a replacement for SSL_set_tmp_dh() The old function took a DH as a parameter. In the new version we pass an EVP_PKEY instead. Similarly for the SSL_CTX version of this function. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13368) --- ssl/s3_lib.c | 20 ++------------------ ssl/ssl_conf.c | 48 ++++++++++++++++++++++++++++++++---------------- ssl/ssl_lib.c | 26 ++++++++++++++++++++++++++ ssl/tls_depr.c | 4 ++-- 4 files changed, 62 insertions(+), 36 deletions(-) (limited to 'ssl') diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 664844302a..8a572b8dd3 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3465,15 +3465,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } - if (!ssl_security(s, SSL_SECOP_TMP_DH, - EVP_PKEY_security_bits(pkdh), 0, pkdh)) { - ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL); - EVP_PKEY_free(pkdh); - return 0; - } - EVP_PKEY_free(s->cert->dh_tmp); - s->cert->dh_tmp = pkdh; - return 1; + return SSL_set0_tmp_dh_pkey(s, pkdh); } break; case SSL_CTRL_SET_TMP_DH_CB: @@ -3816,15 +3808,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; } - if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, - EVP_PKEY_security_bits(pkdh), 0, pkdh)) { - ERR_raise(ERR_LIB_SSL, SSL_R_DH_KEY_TOO_SMALL); - EVP_PKEY_free(pkdh); - return 0; - } - EVP_PKEY_free(ctx->cert->dh_tmp); - ctx->cert->dh_tmp = pkdh; - return 1; + return SSL_CTX_set0_tmp_dh_pkey(ctx, pkdh); } case SSL_CTRL_SET_TMP_DH_CB: { diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 2311df5d84..2e8240c73b 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -11,7 +11,8 @@ #include "ssl_local.h" #include #include -#include +#include +#include #include "internal/nelem.h" /* @@ -574,34 +575,51 @@ static int cmd_ClientCAStore(SSL_CONF_CTX *cctx, const char *value) return cmd_RequestCAStore(cctx, value); } -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) -/* TODO(3.0): We need a 3.0 friendly way of doing this */ static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value) { int rv = 0; - DH *dh = NULL; + EVP_PKEY *dhpkey = NULL; BIO *in = NULL; - if (cctx->ctx || cctx->ssl) { + SSL_CTX *sslctx = (cctx->ssl != NULL) ? cctx->ssl->ctx : cctx->ctx; + OSSL_DECODER_CTX *decoderctx = NULL; + + if (cctx->ctx != NULL || cctx->ssl != NULL) { in = BIO_new(BIO_s_file()); if (in == NULL) goto end; if (BIO_read_filename(in, value) <= 0) goto end; - dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); - if (dh == NULL) + + decoderctx + = OSSL_DECODER_CTX_new_by_EVP_PKEY(&dhpkey, "PEM", NULL, "DH", + OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, + sslctx->libctx, sslctx->propq); + if (decoderctx == NULL + || !OSSL_DECODER_from_bio(decoderctx, in)) { + OSSL_DECODER_CTX_free(decoderctx); + goto end; + } + OSSL_DECODER_CTX_free(decoderctx); + + if (dhpkey == NULL) goto end; - } else + } else { return 1; - if (cctx->ctx) - rv = SSL_CTX_set_tmp_dh(cctx->ctx, dh); - if (cctx->ssl) - rv = SSL_set_tmp_dh(cctx->ssl, dh); + } + + if (cctx->ctx != NULL) { + if ((rv = SSL_CTX_set0_tmp_dh_pkey(cctx->ctx, dhpkey)) > 0) + dhpkey = NULL; + } + if (cctx->ssl != NULL) { + if ((rv = SSL_set0_tmp_dh_pkey(cctx->ssl, dhpkey)) > 0) + dhpkey = NULL; + } end: - DH_free(dh); + EVP_PKEY_free(dhpkey); BIO_free(in); return rv > 0; } -#endif static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) { @@ -727,11 +745,9 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD(ClientCAStore, NULL, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_STORE), -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_FILE), -#endif SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0), SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER), }; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index bd7b838250..8f6771da3d 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -5955,3 +5955,29 @@ void ssl_evp_md_free(const EVP_MD *md) EVP_MD_free((EVP_MD *)md); } } + +int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey) +{ + if (!ssl_security(s, SSL_SECOP_TMP_DH, + EVP_PKEY_security_bits(dhpkey), 0, dhpkey)) { + SSLerr(0, SSL_R_DH_KEY_TOO_SMALL); + EVP_PKEY_free(dhpkey); + return 0; + } + EVP_PKEY_free(s->cert->dh_tmp); + s->cert->dh_tmp = dhpkey; + return 1; +} + +int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey) +{ + if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, + EVP_PKEY_security_bits(dhpkey), 0, dhpkey)) { + SSLerr(0, SSL_R_DH_KEY_TOO_SMALL); + EVP_PKEY_free(dhpkey); + return 0; + } + EVP_PKEY_free(ctx->cert->dh_tmp); + ctx->cert->dh_tmp = dhpkey; + return 1; +} diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 1ed47dd8de..6f2103ad91 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -144,7 +144,7 @@ HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx) } /* Some deprecated public APIs pass DH objects */ -#ifndef OPENSSL_NO_DH +# ifndef OPENSSL_NO_DH EVP_PKEY *ssl_dh_to_pkey(DH *dh) { EVP_PKEY *ret; @@ -158,6 +158,6 @@ EVP_PKEY *ssl_dh_to_pkey(DH *dh) } return ret; } -#endif +# endif #endif -- cgit v1.2.3