Beispiel #1
0
static int
generate_dh_params(eventer_t e, int mask, void *cl, struct timeval *now) {
  int bits = (int)(intptr_t)cl;
  if(mask != EVENTER_ASYNCH_WORK) return 0;
  switch(bits) {
  case 1024:
    if(!dh1024_tmp) dh1024_tmp = load_dh_params(dh1024_file);
    if(!dh1024_tmp) {
      mtevL(mtev_notice, "Generating 1024 bit DH parameters.\n");
      dh1024_tmp = DH_generate_parameters(1024, 2, NULL, NULL);
      mtevL(mtev_notice, "Finished generating 1024 bit DH parameters.\n");
      save_dh_params(dh1024_tmp, dh1024_file);
    }
    break;
  case 2048:
    if(!dh2048_tmp) dh2048_tmp = load_dh_params(dh2048_file);
    if(!dh2048_tmp) {
      mtevL(mtev_notice, "Generating 2048 bit DH parameters.\n");
      dh2048_tmp = DH_generate_parameters(2048, 2, NULL, NULL);
      mtevL(mtev_notice, "Finished generating 2048 bit DH parameters.\n");
      save_dh_params(dh2048_tmp, dh2048_file);
    }
    break;
  default:
    mtevFatal(mtev_error, "Unexpected DH parameter request: %d\n", bits);
  }
  return 0;
}
Beispiel #2
0
	SecureServer::SecureServer(boost::asio::io_service& ioService,
							   boost::asio::ssl::context& context,
							   const boost::asio::ip::tcp::endpoint& endpoint,
							   const std::string& chain,
							   const std::string& key,
							   const std::string& keyPassword,
							   const std::string& dhFile) throw (boost::system::system_error)
							   : ioService_(ioService), acceptor_(ioService, endpoint), context_(context), keyPassword_(keyPassword) {
		context_.set_options(context_ops);
		context_.set_password_callback(boost::bind(&SecureServer::getPassword, this));
		context_.use_certificate_chain_file(chain);
		context_.use_private_key_file(key, boost::asio::ssl::context::pem);
		if(!boost::filesystem::exists(dhFile)){
			std::cerr << "Generating tmp dh file " << dhFile << std::endl;
			
			std::unique_ptr<BIO,void(*)(BIO*)> dhBIO(BIO_new_file(dhFile.c_str(),"w"),&BIO_free_all);
			if(!dhBIO){
				throw_system_error_ssl("Could not open "+dhFile+" for writing");
			}
			std::unique_ptr<DH,void(*)(DH*)> dh(DH_generate_parameters(2048, RSA_F4, nullptr, nullptr),&DH_free);
			if(!dh){
				throw_system_error_ssl("Could not DH_generate_parameters");
			}
			if(PEM_write_bio_DHparams(dhBIO.get(),dh.get()) != 1){
				throw_system_error_ssl("Could not write DHparams");
			}
			std::cerr << "done" << std::endl;
		}
		context_.use_tmp_dh_file(dhFile);
	}
Beispiel #3
0
static int
generate_dh_parameters(int bitsize, buffer_t *output, const char **error_r)
{
    DH *dh;
    unsigned char *p;
    int len, len2;

    dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
    if (dh == NULL) {
        *error_r = t_strdup_printf(
                       "DH_generate_parameters(bits=%d, gen=%d) failed: %s",
                       bitsize, DH_GENERATOR, openssl_iostream_error());
        return -1;
    }

    len = i2d_DHparams(dh, NULL);
    if (len < 0) {
        *error_r = t_strdup_printf("i2d_DHparams() failed: %s",
                                   openssl_iostream_error());
        DH_free(dh);
        return -1;
    }

    buffer_append(output, &bitsize, sizeof(bitsize));
    buffer_append(output, &len, sizeof(len));

    p = buffer_append_space_unsafe(output, len);
    len2 = i2d_DHparams(dh, &p);
    i_assert(len == len2);
    DH_free(dh);
    return 0;
}
Beispiel #4
0
void avjackif::async_handshake(std::string login_username, std::string login_password, boost::asio::yield_context yield_context)
{
	auto dh = DH_new();
	DH_generate_parameters();
	DH_generate_key(dh);

}
Beispiel #5
0
void _modinit(module_t *m)
{
	MODULE_TRY_REQUEST_SYMBOL(m, regfuncs, "saslserv/main", "sasl_mech_register_funcs");

	if ((base_dhparams = DH_generate_parameters(256, 5, NULL, NULL)) == NULL)
		return;

	regfuncs->mech_register(&mech);
}
Beispiel #6
0
/*
 *	Generate an empheral DH key.  Because this can take a long
 *	time to compute, we can use precomputed parameters of the
 *	common key sizes.
 *
 *	Since few sites will bother to precompute these parameter
 *	files, we also provide a fallback to the parameters provided
 *	by the OpenSSL project.
 *
 *	These values can be static (once loaded or computed) since
 *	the OpenSSL library can efficiently generate random keys from
 *	the information provided.
 */
static DH  *
tmp_dh_cb(SSL *s, int is_export, int keylength)
{
	DH		   *r = NULL;
	static DH  *dh = NULL;
	static DH  *dh512 = NULL;
	static DH  *dh1024 = NULL;
	static DH  *dh2048 = NULL;
	static DH  *dh4096 = NULL;

	switch (keylength)
	{
		case 512:
			if (dh512 == NULL)
				dh512 = load_dh_file(keylength);
			if (dh512 == NULL)
				dh512 = load_dh_buffer(file_dh512, sizeof file_dh512);
			r = dh512;
			break;

		case 1024:
			if (dh1024 == NULL)
				dh1024 = load_dh_file(keylength);
			if (dh1024 == NULL)
				dh1024 = load_dh_buffer(file_dh1024, sizeof file_dh1024);
			r = dh1024;
			break;

		case 2048:
			if (dh2048 == NULL)
				dh2048 = load_dh_file(keylength);
			if (dh2048 == NULL)
				dh2048 = load_dh_buffer(file_dh2048, sizeof file_dh2048);
			r = dh2048;
			break;

		case 4096:
			if (dh4096 == NULL)
				dh4096 = load_dh_file(keylength);
			if (dh4096 == NULL)
				dh4096 = load_dh_buffer(file_dh4096, sizeof file_dh4096);
			r = dh4096;
			break;

		default:
			if (dh == NULL)
				dh = load_dh_file(keylength);
			r = dh;
	}

	/* this may take a long time, but it may be necessary... */
	if (r == NULL || 8 * DH_size(r) < keylength)
		r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);

	return r;
}
Beispiel #7
0
void _modinit(module_t *m)
{
	MODULE_TRY_REQUEST_SYMBOL(m, mechanisms, "saslserv/main", "sasl_mechanisms");

	if ((base_dhparams = DH_generate_parameters(256, 5, NULL, NULL)) == NULL)
		return;

	mnode = mowgli_node_create();
	mowgli_node_add(&mech, mnode, mechanisms);
}
Beispiel #8
0
/* DH: generate shared parameters
*/
static int dh_test()
    {
    DH *dh;

    ERR_clear_error();
    dh = DH_generate_parameters(256, 2, NULL, NULL);
    if (dh)
        return 1;
    return 0;
    }
Beispiel #9
0
   bool diffie_hellman::generate_params( int s, uint8_t g )
   {
        DH* dh = DH_generate_parameters( s, g, NULL, NULL );
        p.resize( BN_num_bytes( dh->p ) );
        if( p.size() )
            BN_bn2bin( dh->p, (unsigned char*)&p.front()  );
        this->g = g;

        int check;
        DH_check(dh,&check);
        DH_free(dh);

        if( check & DH_CHECK_P_NOT_SAFE_PRIME )
            return valid = false;
        return valid = true;
   }
Beispiel #10
0
static DH *
dh_generate(int size, int gen)
{
#if defined(HAVE_DH_GENERATE_PARAMETERS_EX) && HAVE_BN_GENCB
    BN_GENCB cb;
    struct ossl_generate_cb_arg cb_arg;
    struct dh_blocking_gen_arg gen_arg;
    DH *dh = DH_new();

    if (!dh) return 0;

    memset(&cb_arg, 0, sizeof(struct ossl_generate_cb_arg));
    if (rb_block_given_p())
	cb_arg.yield = 1;
    BN_GENCB_set(&cb, ossl_generate_cb_2, &cb_arg);
    gen_arg.dh = dh;
    gen_arg.size = size;
    gen_arg.gen = gen;
    gen_arg.cb = &cb;
    if (cb_arg.yield == 1) {
	/* we cannot release GVL when callback proc is supplied */
	dh_blocking_gen(&gen_arg);
    } else {
	/* there's a chance to unblock */
	rb_thread_call_without_gvl(dh_blocking_gen, &gen_arg, ossl_generate_cb_stop, &cb_arg);
    }

    if (!gen_arg.result) {
	DH_free(dh);
	if (cb_arg.state) rb_jump_tag(cb_arg.state);
	return 0;
    }
#else
    DH *dh;

    dh = DH_generate_parameters(size, gen, rb_block_given_p() ? ossl_generate_cb : NULL, NULL);
    if (!dh) return 0;
#endif

    if (!DH_generate_key(dh)) {
        DH_free(dh);
        return 0;
    }

    return dh;
}
Beispiel #11
0
/*
 * Private
 */
static DH *
dh_generate(int size, int gen)
{
    DH *dh;
    
    dh = DH_generate_parameters(size, gen,
	    rb_block_given_p() ? ossl_generate_cb : NULL,
	    NULL);
    if (!dh) return 0;

    if (!DH_generate_key(dh)) {
	DH_free(dh);
	return 0;
    }

    return dh;
}
Beispiel #12
0
/*
 *	Generate DH parameters.
 *
 *	Last resort if we can't load precomputed nor hardcoded
 *	parameters.
 */
static DH  *
generate_dh_parameters(int prime_len, int generator)
{
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
	DH		   *dh;

	if ((dh = DH_new()) == NULL)
		return NULL;

	if (DH_generate_parameters_ex(dh, prime_len, generator, NULL))
		return dh;

	DH_free(dh);
	return NULL;
#else
	return DH_generate_parameters(prime_len, generator, NULL, NULL);
#endif
}
Beispiel #13
0
NOEXPORT void cron_dh_param(void) {
    SERVICE_OPTIONS *opt;
    DH *dh;

    if(!dh_needed)
        return;

    s_log(LOG_NOTICE, "Updating DH parameters");
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
    /* generate 2048-bit DH parameters */
    dh=DH_new();
    if(!dh) {
        sslerror("DH_new");
        return;
    }
    if(!DH_generate_parameters_ex(dh, 2048, 2, NULL)) {
        DH_free(dh);
        sslerror("DH_generate_parameters_ex");
        return;
    }
#else /* OpenSSL older than 0.9.8 */
    dh=DH_generate_parameters(2048, 2, NULL, NULL);
    if(!dh) {
        sslerror("DH_generate_parameters");
        return;
    }
#endif

    /* update global dh_params for future configuration reloads */
    enter_critical_section(CRIT_DH); /* it only needs an rwlock here */
    DH_free(dh_params);
    dh_params=dh;
    leave_critical_section(CRIT_DH);

    /* set for all sections that require it */
    for(opt=service_options.next; opt; opt=opt->next)
        if(opt->option.dh_needed)
            SSL_CTX_set_tmp_dh(opt->ctx, dh);
    s_log(LOG_NOTICE, "DH parameters updated");
}
Beispiel #14
0
static bool generate_dh_parameters(int bitsize, int fd, const char *fname)
{
        DH *dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
	unsigned char *buf, *p;
	int len;

	if (dh == NULL)
		return FALSE;

	len = i2d_DHparams(dh, NULL);
	if (len < 0)
		i_fatal("i2d_DHparams() failed: %s", ssl_last_error());

	buf = p = i_malloc(len);
	len = i2d_DHparams(dh, &p);

	if (write_full(fd, &bitsize, sizeof(bitsize)) < 0 ||
	    write_full(fd, &len, sizeof(len)) < 0 ||
	    write_full(fd, buf, len) < 0)
		i_fatal("write_full() failed for file %s: %m", fname);
	i_free(buf);
	return TRUE;
}
Beispiel #15
0
bool OSSLDH::generateParameters(AsymmetricParameters** ppParams, void* parameters /* = NULL */, RNG* rng /* = NULL*/)
{
	if ((ppParams == NULL) || (parameters == NULL))
	{
		return false;
	}

	size_t bitLen = (size_t) parameters;

	if (bitLen < getMinKeySize() || bitLen > getMaxKeySize())
	{
		ERROR_MSG("This DH key size is not supported");

		return false;
	}

	DH* dh = DH_generate_parameters(bitLen, 2, NULL, NULL);

	if (dh == NULL)
	{
		ERROR_MSG("Failed to generate %d bit DH parameters", bitLen);

		return false;
	}

	// Store the DH parameters
	DHParameters* params = new DHParameters();

	ByteString p = OSSL::bn2ByteString(dh->p); params->setP(p);
	ByteString g = OSSL::bn2ByteString(dh->g); params->setG(g);

	*ppParams = params;

	DH_free(dh);

	return true;
}
Beispiel #16
0
static isc_result_t
openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
	DH *dh = NULL;
#if OPENSSL_VERSION_NUMBER > 0x00908000L
	BN_GENCB *cb;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
	BN_GENCB _cb;
#endif
	union {
		void *dptr;
		void (*fptr)(int);
	} u;
#else

	UNUSED(callback);
#endif

	if (generator == 0) {
		if (key->key_size == 768 ||
		    key->key_size == 1024 ||
		    key->key_size == 1536)
		{
			dh = DH_new();
			if (dh == NULL)
				return (dst__openssl_toresult(ISC_R_NOMEMORY));
			if (key->key_size == 768)
				dh->p = bn768;
			else if (key->key_size == 1024)
				dh->p = bn1024;
			else
				dh->p = bn1536;
			dh->g = bn2;
		} else
			generator = 2;
	}

	if (generator != 0) {
#if OPENSSL_VERSION_NUMBER > 0x00908000L
		dh = DH_new();
		if (dh == NULL)
			return (dst__openssl_toresult(ISC_R_NOMEMORY));
		cb = BN_GENCB_new();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
		if (cb == NULL) {
			DH_free(dh);
			return (dst__openssl_toresult(ISC_R_NOMEMORY));
		}
#endif
		if (callback == NULL) {
			BN_GENCB_set_old(cb, NULL, NULL);
		} else {
			u.fptr = callback;
			BN_GENCB_set(cb, &progress_cb, u.dptr);
		}

		if (!DH_generate_parameters_ex(dh, key->key_size, generator,
					       cb)) {
			DH_free(dh);
			BN_GENCB_free(cb);
			return (dst__openssl_toresult2(
					"DH_generate_parameters_ex",
					DST_R_OPENSSLFAILURE));
		}
		BN_GENCB_free(cb);
#else
		dh = DH_generate_parameters(key->key_size, generator,
					    NULL, NULL);
		if (dh == NULL)
			return (dst__openssl_toresult2(
					"DH_generate_parameters",
					DST_R_OPENSSLFAILURE));
#endif
	}

	if (DH_generate_key(dh) == 0) {
		DH_free(dh);
		return (dst__openssl_toresult2("DH_generate_key",
					       DST_R_OPENSSLFAILURE));
	}
	dh->flags &= ~DH_FLAG_CACHE_MONT_P;

	key->keydata.dh = dh;

	return (ISC_R_SUCCESS);
}
Beispiel #17
0
		dh_key dh_key::generate_parameters(int prime_len, int generator, generate_callback_type callback, void* callback_arg)
		{
			return take_ownership(DH_generate_parameters(prime_len, generator, callback, callback_arg));
		}
Beispiel #18
0
int main(int argc, char *argv[])
	{
	DH *a;
	DH *b=NULL;
	char buf[12];
	unsigned char *abuf=NULL,*bbuf=NULL;
	int i,alen,blen,aout,bout,ret=1;
	BIO *out;

	CRYPTO_malloc_debug_init();
	CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

#ifdef OPENSSL_SYS_WIN32
	CRYPTO_malloc_init();
#endif

	RAND_seed(rnd_seed, sizeof rnd_seed);

	out=BIO_new(BIO_s_file());
	if (out == NULL) EXIT(1);
	BIO_set_fp(out,stdout,BIO_NOCLOSE);

	a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
	if (a == NULL) goto err;

	if (!DH_check(a, &i)) goto err;
	if (i & DH_CHECK_P_NOT_PRIME)
		BIO_puts(out, "p value is not prime\n");
	if (i & DH_CHECK_P_NOT_SAFE_PRIME)
		BIO_puts(out, "p value is not a safe prime\n");
	if (i & DH_UNABLE_TO_CHECK_GENERATOR)
		BIO_puts(out, "unable to check the generator value\n");
	if (i & DH_NOT_SUITABLE_GENERATOR)
		BIO_puts(out, "the g value is not a generator\n");

	BIO_puts(out,"\np    =");
	BN_print(out,a->p);
	BIO_puts(out,"\ng    =");
	BN_print(out,a->g);
	BIO_puts(out,"\n");

	b=DH_new();
	if (b == NULL) goto err;

	b->p=BN_dup(a->p);
	b->g=BN_dup(a->g);
	if ((b->p == NULL) || (b->g == NULL)) goto err;

	/* Set a to run with normal modexp and b to use constant time */
	a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;
	b->flags |= DH_FLAG_NO_EXP_CONSTTIME;

	if (!DH_generate_key(a)) goto err;
	BIO_puts(out,"pri 1=");
	BN_print(out,a->priv_key);
	BIO_puts(out,"\npub 1=");
	BN_print(out,a->pub_key);
	BIO_puts(out,"\n");

	if (!DH_generate_key(b)) goto err;
	BIO_puts(out,"pri 2=");
	BN_print(out,b->priv_key);
	BIO_puts(out,"\npub 2=");
	BN_print(out,b->pub_key);
	BIO_puts(out,"\n");

	alen=DH_size(a);
	abuf=(unsigned char *)OPENSSL_malloc(alen);
	aout=DH_compute_key(abuf,b->pub_key,a);

	BIO_puts(out,"key1 =");
	for (i=0; i<aout; i++)
		{
		sprintf(buf,"%02X",abuf[i]);
		BIO_puts(out,buf);
		}
	BIO_puts(out,"\n");

	blen=DH_size(b);
	bbuf=(unsigned char *)OPENSSL_malloc(blen);
	bout=DH_compute_key(bbuf,a->pub_key,b);

	BIO_puts(out,"key2 =");
	for (i=0; i<bout; i++)
		{
		sprintf(buf,"%02X",bbuf[i]);
		BIO_puts(out,buf);
		}
	BIO_puts(out,"\n");
	if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0))
		{
		fprintf(stderr,"Error in DH routines\n");
		ret=1;
		}
	else
		ret=0;
err:
	ERR_print_errors_fp(stderr);

	if (abuf != NULL) OPENSSL_free(abuf);
	if (bbuf != NULL) OPENSSL_free(bbuf);
	if(b != NULL) DH_free(b);
	if(a != NULL) DH_free(a);
	BIO_free(out);
	CRYPTO_cleanup_all_ex_data();
	ERR_remove_state(0);
	CRYPTO_mem_leaks_fp(stderr);
	EXIT(ret);
	return(ret);
	}
Beispiel #19
0
int MAIN(int argc, char **argv)
	{
	ENGINE *e = NULL;
	DH *dh=NULL;
	int ret=1,num=DEFBITS;
	int g=2;
	char *outfile=NULL;
	char *inrand=NULL;
	char *engine=NULL;
	BIO *out=NULL;

	apps_startup();

	if (bio_err == NULL)
		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

	if (!load_config(bio_err, NULL))
		goto end;

	argv++;
	argc--;
	for (;;)
		{
		if (argc <= 0) break;
		if (strcmp(*argv,"-out") == 0)
			{
			if (--argc < 1) goto bad;
			outfile= *(++argv);
			}
		else if (strcmp(*argv,"-2") == 0)
			g=2;
	/*	else if (strcmp(*argv,"-3") == 0)
			g=3; */
		else if (strcmp(*argv,"-5") == 0)
			g=5;
		else if (strcmp(*argv,"-engine") == 0)
			{
			if (--argc < 1) goto bad;
			engine= *(++argv);
			}
		else if (strcmp(*argv,"-rand") == 0)
			{
			if (--argc < 1) goto bad;
			inrand= *(++argv);
			}
		else
			break;
		argv++;
		argc--;
		}
	if ((argc >= 1) && ((sscanf(*argv,"%d",&num) == 0) || (num < 0)))
		{
bad:
		BIO_printf(bio_err,"usage: gendh [args] [numbits]\n");
		BIO_printf(bio_err," -out file - output the key to 'file\n");
		BIO_printf(bio_err," -2        - use 2 as the generator value\n");
	/*	BIO_printf(bio_err," -3        - use 3 as the generator value\n"); */
		BIO_printf(bio_err," -5        - use 5 as the generator value\n");
		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
		BIO_printf(bio_err,"             the random number generator\n");
		goto end;
		}
		
        e = setup_engine(bio_err, engine, 0);

	out=BIO_new(BIO_s_file());
	if (out == NULL)
		{
		ERR_print_errors(bio_err);
		goto end;
		}

	if (outfile == NULL)
		{
		BIO_set_fp(out,stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
		{
		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
		out = BIO_push(tmpbio, out);
		}
#endif
		}
	else
		{
		if (BIO_write_filename(out,outfile) <= 0)
			{
			perror(outfile);
			goto end;
			}
		}

	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
		{
		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
		}
	if (inrand != NULL)
		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
			app_RAND_load_files(inrand));

	BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
	BIO_printf(bio_err,"This is going to take a long time\n");
	dh=DH_generate_parameters(num,g,dh_cb,bio_err);
		
	if (dh == NULL) goto end;

	app_RAND_write_file(NULL, bio_err);

	if (!PEM_write_bio_DHparams(out,dh))
		goto end;
	ret=0;
end:
	if (ret != 0)
		ERR_print_errors(bio_err);
	if (out != NULL) BIO_free_all(out);
	if (dh != NULL) DH_free(dh);
	apps_shutdown();
	OPENSSL_EXIT(ret);
	}