Use built in DH parameters when available
Fall back to a hardcoded PEM blob on 1.0.1, but serialized from DH_get_2048_256.
parent
176348630a
commit
aa0040125b
|
|
@ -1346,8 +1346,8 @@ extern {
|
||||||
pub fn CRYPTO_memcmp(a: *const c_void, b: *const c_void,
|
pub fn CRYPTO_memcmp(a: *const c_void, b: *const c_void,
|
||||||
len: size_t) -> c_int;
|
len: size_t) -> c_int;
|
||||||
|
|
||||||
|
pub fn DH_new() -> *mut DH;
|
||||||
pub fn DH_free(dh: *mut DH);
|
pub fn DH_free(dh: *mut DH);
|
||||||
|
|
||||||
#[cfg(not(ossl101))]
|
#[cfg(not(ossl101))]
|
||||||
pub fn DH_get_1024_160() -> *mut DH;
|
pub fn DH_get_1024_160() -> *mut DH;
|
||||||
#[cfg(not(ossl101))]
|
#[cfg(not(ossl101))]
|
||||||
|
|
@ -1471,6 +1471,7 @@ extern {
|
||||||
pub fn PEM_read_bio_RSAPrivateKey(bio: *mut BIO, rsa: *mut *mut RSA, callback: Option<PasswordCallback>, user_data: *mut c_void) -> *mut RSA;
|
pub fn PEM_read_bio_RSAPrivateKey(bio: *mut BIO, rsa: *mut *mut RSA, callback: Option<PasswordCallback>, user_data: *mut c_void) -> *mut RSA;
|
||||||
pub fn PEM_read_bio_RSA_PUBKEY(bio: *mut BIO, rsa: *mut *mut RSA, callback: Option<PasswordCallback>, user_data: *mut c_void) -> *mut RSA;
|
pub fn PEM_read_bio_RSA_PUBKEY(bio: *mut BIO, rsa: *mut *mut RSA, callback: Option<PasswordCallback>, user_data: *mut c_void) -> *mut RSA;
|
||||||
|
|
||||||
|
pub fn PEM_write_bio_DHparams(bio: *mut BIO, x: *mut DH) -> c_int;
|
||||||
pub fn PEM_write_bio_PrivateKey(bio: *mut BIO, pkey: *mut EVP_PKEY, cipher: *const EVP_CIPHER,
|
pub fn PEM_write_bio_PrivateKey(bio: *mut BIO, pkey: *mut EVP_PKEY, cipher: *const EVP_CIPHER,
|
||||||
kstr: *mut c_uchar, klen: c_int,
|
kstr: *mut c_uchar, klen: c_int,
|
||||||
callback: Option<PasswordCallback>,
|
callback: Option<PasswordCallback>,
|
||||||
|
|
@ -1724,5 +1725,4 @@ extern {
|
||||||
pub fn HMAC_Final(ctx: *mut HMAC_CTX,
|
pub fn HMAC_Final(ctx: *mut HMAC_CTX,
|
||||||
md: *mut c_uchar,
|
md: *mut c_uchar,
|
||||||
len: *mut c_uint) -> c_int;
|
len: *mut c_uint) -> c_int;
|
||||||
pub fn DH_new() -> *mut DH;
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -5,11 +5,25 @@ use std::ptr;
|
||||||
use std::mem;
|
use std::mem;
|
||||||
|
|
||||||
use {cvt, cvt_p};
|
use {cvt, cvt_p};
|
||||||
|
use bio::MemBio;
|
||||||
use bn::BigNum;
|
use bn::BigNum;
|
||||||
use types::OpenSslType;
|
use types::{OpenSslType, Ref};
|
||||||
|
|
||||||
type_!(Dh, ffi::DH, ffi::DH_free);
|
type_!(Dh, ffi::DH, ffi::DH_free);
|
||||||
|
|
||||||
|
impl Ref<Dh> {
|
||||||
|
/// Encodes the parameters to PEM.
|
||||||
|
pub fn to_pem(&self) -> Result<Vec<u8>, ErrorStack> {
|
||||||
|
let mem_bio = try!(MemBio::new());
|
||||||
|
|
||||||
|
unsafe {
|
||||||
|
try!(cvt(ffi::PEM_write_bio_DHparams(mem_bio.as_ptr(), self.as_ptr())));
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(mem_bio.get_buf().to_owned())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
impl Dh {
|
impl Dh {
|
||||||
pub fn from_params(p: BigNum, g: BigNum, q: BigNum) -> Result<Dh, ErrorStack> {
|
pub fn from_params(p: BigNum, g: BigNum, q: BigNum) -> Result<Dh, ErrorStack> {
|
||||||
unsafe {
|
unsafe {
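Review bot: The doc comment on `to_pem` does not say which fields are written, and that matters for the 2048/256 group this commit serializes. `PEM_write_bio_DHparams` emits a `DH PARAMETERS` block, which holds the prime and generator but not the subgroup order q; the blob added in the connector change decodes to exactly two integers, which is consistent with that. I would extend the comment to something like `/// Encodes p and g as a PEM "DH PARAMETERS" block; the subgroup order q, if set, is not written.` so callers do not assume a `to_pem`/`from_pem` round trip preserves a `Dh` built with `from_params(p, g, q)`.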
|
||||||
|
|
|
||||||
|
|
@ -8,22 +8,23 @@ use pkey::PKey;
|
||||||
use x509::X509;
|
use x509::X509;
|
||||||
use types::Ref;
|
use types::Ref;
|
||||||
|
|
||||||
// apps/dh2048.pem
|
// Serialized form of DH_get_2048_256
|
||||||
|
#[cfg(any(ossl101, all(test, any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))))]
|
||||||
const DHPARAM_PEM: &'static str = r#"
|
const DHPARAM_PEM: &'static str = r#"
|
||||||
-----BEGIN DH PARAMETERS-----
|
-----BEGIN DH PARAMETERS-----
|
||||||
MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
MIICCQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX
|
||||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
1Pr330VhsqowFsPZETQJb6o79Cltgw6afCCeDGSXUXq9WoqdMGvPZ+2R+eZyW0dY
|
||||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
wCLgse9Cdb97bFv8EdRfkIi5QfVOseWbuLw5oL8SMH9cT9twxYGyP3a2Osrhyqa3
|
||||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
kC1SUmc1SIoO8TxtmlG/pKs62DR3llJNjvahZ7WkGCXZZ+FE5RQFZCUcysuD5rSG
|
||||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
9rPKP3lxUGAmwLhX9omWKFbe1AEKvQvmIcOjlgpU5xDDdfJjddcBQQOktUMwwZiv
|
||||||
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
|
EmEW0iduEXFfaTh3+tfvCcrbCUrpHhoVlwKCAQA/syybcxNNCy53UGZg7b1ITKex
|
||||||
|
jyHvIFQH9Hk6GguhJRDbwVB3vkY//0/tSqwLtVW+OmwbDGtHsbw3c79+jG9ikBIo
|
||||||
|
+MKMuxilWuMTQQAKZQGW+THHelfy3fRj5ensFEt3feYqqrioYorDdtKC1u04ZOZ5
|
||||||
|
gkKOvIMdFDSPby+Rk7UEWvJ2cWTh38lnwfs/LlWkvRv/6DucgNBSuYXRguoK2yo7
|
||||||
|
cxPT/hTISEseBSWIubfSu9LfAWGZ7NBuFVfNCRWzNTu7ZODsN3/QKDcN+StSx4kU
|
||||||
|
KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZ
|
||||||
-----END DH PARAMETERS-----
|
-----END DH PARAMETERS-----
|
||||||
|
"#;
|
||||||
These are the 2048-bit DH parameters from "More Modular Exponential
|
|
||||||
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
|
|
||||||
https://tools.ietf.org/html/rfc3526
|
|
||||||
|
|
||||||
See https://tools.ietf.org/html/rfc2412 for how they were generated."#;
|
|
||||||
|
|
||||||
fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
|
fn ctx(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
|
||||||
let mut ctx = try!(SslContextBuilder::new(method));
|
let mut ctx = try!(SslContextBuilder::new(method));
|
||||||
|
|
@ -125,7 +126,7 @@ impl SslAcceptorBuilder {
|
||||||
I::Item: AsRef<Ref<X509>>
|
I::Item: AsRef<Ref<X509>>
|
||||||
{
|
{
|
||||||
let mut ctx = try!(ctx(method));
|
let mut ctx = try!(ctx(method));
|
||||||
let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes()));
|
let dh = try!(get_dh());
|
||||||
try!(ctx.set_tmp_dh(&dh));
|
try!(ctx.set_tmp_dh(&dh));
|
||||||
try!(setup_curves(&mut ctx));
|
try!(setup_curves(&mut ctx));
|
||||||
try!(ctx.set_cipher_list("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
|
try!(ctx.set_cipher_list("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
|
||||||
|
|
@ -202,9 +203,30 @@ impl SslAcceptorBuilder {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[cfg(ossl101)]
|
||||||
|
fn get_dh() -> Result<Dh, ErrorStack> {
|
||||||
|
Dh::from_pem(DHPARAM_PEM.as_bytes())
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(not(ossl101))]
|
||||||
|
fn get_dh() -> Result<Dh, ErrorStack> {
|
||||||
|
use ffi;
|
||||||
|
|
||||||
|
use cvt_p;
|
||||||
|
use types::OpenSslType;
|
||||||
|
|
||||||
|
// manually call into ffi to avoid forcing the features
|
||||||
|
unsafe {
|
||||||
|
cvt_p(ffi::DH_get_2048_256()).map(|p| Dh::from_ptr(p))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[cfg(ossl101)]
|
#[cfg(ossl101)]
|
||||||
fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
|
fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
|
||||||
let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1));
|
use ec_key::EcKey;
|
||||||
|
use nid;
|
||||||
|
|
||||||
|
let curve = try!(EcKey::new_by_curve_name(nid::X9_62_PRIME256V1));
|
||||||
ctx.set_tmp_ecdh(&curve)
|
ctx.set_tmp_ecdh(&curve)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -420,3 +442,15 @@ mod verify {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod test {
|
||||||
|
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
|
||||||
|
#[test]
|
||||||
|
fn check_dhparam() {
|
||||||
|
use dh::Dh;
|
||||||
|
|
||||||
|
let expected = String::from_utf8(Dh::get_2048_256().unwrap().to_pem().unwrap()).unwrap();
|
||||||
|
assert_eq!(expected.trim(), super::DHPARAM_PEM.trim());
|
||||||
|
}
|
||||||
|
}
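Review bot: The `#[cfg(ossl101)]` `get_dh` is not equivalent to the built-in path, because the new `DHPARAM_PEM` carries only p and g (its DER is one SEQUENCE of two INTEGERs, 257 and 256 bytes long), so a `Dh` loaded from it has no q, whereas `DH_get_2048_256()` presumably returns the group with its 256-bit subgroup order set. The commit also moves the default away from the safe-prime RFC 3526 group named in the removed comment to a group with a 256-bit prime-order subgroup, where checking peer public values depends on q being known. `ctx()` is cut off by the hunk, so whether it sets `SSL_OP_SINGLE_DH_USE` is not visible; please confirm it does, and add a comment above the constant such as `// p and g only: q is not part of the DH PARAMETERS encoding, so this fallback relies on a fresh ephemeral key per handshake`. `check_dhparam` compares PEM text only, so it cannot detect this difference between the two paths.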
|
||||||
|
|
|
||||||