Diffstat (limited to 'usr.sbin/smtpd/ssl.c')
-rw-r--r--usr.sbin/smtpd/ssl.c114
1 files changed, 2 insertions, 112 deletions
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index 819dfa14580..1b06966d9fa 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.85 2015/12/13 09:52:44 gilles Exp $ */
+/* $OpenBSD: ssl.c,v 1.86 2016/04/21 14:27:41 jsing Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -45,9 +45,6 @@
#include "log.h"
#include "ssl.h"
-static DH *get_dh2048(void);
-static DH *get_dh_from_memory(char *, size_t);
-
void
ssl_init(void)
{
@@ -71,7 +68,6 @@ int
ssl_setup(SSL_CTX **ctxp, struct pki *pki,
int (*sni_cb)(SSL *,int *,void *), const char *ciphers)
{
- DH *dh;
SSL_CTX *ctx;
uint8_t sid[SSL_MAX_SID_CTX_LENGTH];
@@ -89,13 +85,7 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki,
if (sni_cb)
SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
- if (pki->pki_dhparams_len == 0)
- dh = get_dh2048();
- else
- dh = get_dh_from_memory(pki->pki_dhparams,
- pki->pki_dhparams_len);
- ssl_set_ephemeral_key_exchange(ctx, dh);
- DH_free(dh);
+ SSL_CTX_set_dh_auto(ctx, pki->pki_dhe);
SSL_CTX_set_ecdh_auto(ctx, 1);
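Review bot: The return value of `SSL_CTX_set_dh_auto(ctx, pki->pki_dhe)` is discarded, whereas the path it replaces went through ssl_set_ephemeral_key_exchange() and called fatal() when no DH parameters could be installed into the context; the new line should keep that hard failure, e.g. `if (!SSL_CTX_set_dh_auto(ctx, pki->pki_dhe)) fatal("ssl_setup: cannot enable automatic DHE parameters");`. The removed code also guaranteed that DHE was always configured (falling back to the built-in 2048-bit group when no file was given), while the new code passes `pki_dhe` straight through, so whether DHE cipher suites are offered at all, and which group size libssl selects, now depends on how `pki_dhe` is initialised in code outside this hunk — presumably 0 disables DHE entirely, which would be a silent change of default. That deserves a comment on the new line once confirmed against the config parser, such as `/* DHE group is chosen by libssl according to pki_dhe; 0 disables DHE altogether */`. ssl_setup's body continues outside the hunk.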
@@ -333,19 +323,6 @@ ssl_load_cafile(struct ca *c, const char *pathname)
return 1;
}
-int
-ssl_load_dhparams(struct pki *p, const char *pathname)
-{
- p->pki_dhparams = ssl_load_file(pathname, &p->pki_dhparams_len, 0755);
- if (p->pki_dhparams == NULL) {
- if (errno == EACCES)
- return 0;
- log_info("info: No DH parameters found in %s: "
- "using built-in parameters", pathname);
- }
- return 1;
-}
-
const char *
ssl_to_text(const SSL *ssl)
{
@@ -371,93 +348,6 @@ ssl_error(const char *where)
}
}
-/* From OpenSSL's documentation:
- *
- * If "strong" primes were used to generate the DH parameters, it is
- * not strictly necessary to generate a new key for each handshake
- * but it does improve forward secrecy.
- *
- * -- gilles@
- */
-static DH *
-get_dh2048(void)
-{
- DH *dh;
- unsigned char dh2048_p[] = {
- 0xB2,0xE2,0x07,0x34,0x16,0xEB,0x18,0xB5,0xED,0x0F,0xD4,0xC3,
- 0xB6,0x6B,0x79,0xDF,0xA1,0x98,0x1C,0x8D,0x68,0x97,0x6C,0xDF,
- 0xFF,0x38,0x60,0xEC,0x93,0x40,0xEF,0x26,0x12,0xB8,0x1B,0x79,
- 0x68,0x72,0x47,0x8F,0x53,0x4C,0xBF,0x90,0xFF,0xE0,0x3E,0xE7,
- 0x43,0x95,0x0B,0x97,0x43,0xDA,0xB4,0xE1,0x85,0x69,0xA5,0x67,
- 0xFB,0x10,0x97,0x5A,0x0D,0x11,0xEB,0xED,0x78,0x82,0xCC,0xF5,
- 0x7A,0xCC,0x27,0x27,0x5E,0xE5,0x3D,0xBA,0x47,0x38,0xBE,0x18,
- 0xCA,0xC7,0x16,0xC7,0x7B,0x9E,0xA7,0xB0,0x80,0xAC,0x92,0x25,
- 0x36,0x16,0x8F,0x29,0xA5,0x32,0x01,0x60,0x33,0x7C,0x2C,0x2F,
- 0x49,0x7C,0x1D,0x4B,0xDA,0xBD,0xE4,0xF9,0x82,0x2B,0x71,0xCB,
- 0x07,0xE3,0xCC,0x65,0x8A,0x1A,0xAB,0x81,0x0F,0xA9,0x96,0x35,
- 0x4C,0xFD,0x42,0xFC,0xD6,0xE3,0xE8,0x2E,0x0E,0xAA,0x4D,0x75,
- 0x54,0x02,0x49,0xDD,0xC5,0x5F,0x38,0x93,0xFA,0xEF,0x7D,0xBA,
- 0x0C,0x75,0x93,0x09,0x8C,0x24,0x65,0xC6,0xF4,0xBF,0x59,0xF0,
- 0x5D,0x0A,0xA4,0x26,0x7F,0xDA,0x0F,0x41,0x3A,0x43,0x61,0xDF,
- 0x09,0x26,0xA1,0xB0,0xFE,0x8D,0xA6,0x21,0xC1,0xFD,0x41,0x65,
- 0x30,0xE7,0xE4,0xD0,0x8E,0x78,0x93,0x3C,0x3E,0x3E,0xCA,0x30,
- 0xA7,0x25,0x35,0x24,0x26,0x29,0xAC,0xCE,0x21,0x78,0x3B,0x9D,
- 0xDD,0x0B,0x44,0xD0,0x7C,0xEB,0x2F,0xDD,0xE7,0x64,0xBC,0xF7,
- 0x40,0x12,0xC8,0x35,0xFA,0x81,0xD6,0x80,0x39,0x1C,0x77,0x72,
- 0x86,0x5B,0x19,0xDC,0xCB,0xDC,0xCB,0xF6,0x54,0x6F,0xB1,0xCB,
- 0xE4,0xC3,0x05,0xD3
- };
- unsigned char dh2048_g[] = {
- 0x02
- };
-
- if ((dh = DH_new()) == NULL)
- return NULL;
-
- dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
- dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
- if (dh->p == NULL || dh->g == NULL) {
- DH_free(dh);
- return NULL;
- }
-
- return dh;
-}
-
-static DH *
-get_dh_from_memory(char *params, size_t len)
-{
- BIO *mem;
- DH *dh;
-
- mem = BIO_new_mem_buf(params, len);
- if (mem == NULL)
- return NULL;
- dh = PEM_read_bio_DHparams(mem, NULL, NULL, NULL);
- if (dh == NULL)
- goto err;
- if (dh->p == NULL || dh->g == NULL)
- goto err;
- return dh;
-
-err:
- if (mem != NULL)
- BIO_free(mem);
- if (dh != NULL)
- DH_free(dh);
- return NULL;
-}
-
-
-void
-ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh)
-{
- if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh)) {
- ssl_error("ssl_set_ephemeral_key_exchange");
- fatal("ssl_set_ephemeral_key_exchange: cannot set tmp dh");
- }
-}
-
int
ssl_load_pkey(const void *data, size_t datalen, char *buf, off_t len,
X509 **x509ptr, EVP_PKEY **pkeyptr)