[or-cvs] Use a callback to set our DH parameters; set SSL_OP_SINGLE_...

Nick Mathewson nickm at seul.org
Mon Nov 14 19:20:49 UTC 2005 

Update of /home/or/cvsroot/tor/src/common
In directory moria:/tmp/cvs-serv15597/common

Modified Files:
	tortls.c 
Log Message:
Use a callback to set our DH parameters; set SSL_OP_SINGLE_DH_USE.

Index: tortls.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/common/tortls.c,v
retrieving revision 1.110
retrieving revision 1.111
diff -u -d -r1.110 -r1.111
--- tortls.c	25 Oct 2005 07:05:03 -0000	1.110
+++ tortls.c	14 Nov 2005 19:20:47 -0000	1.111
@@ -290,6 +290,21 @@
 #define CIPHER_LIST SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
 #endif
 
+static DH *
+dh_callback(SSL *ssl, int is_export, int keylength)
+{
+  DH *dh;
+  crypto_dh_env_t *env = crypto_dh_new();
+  crypto_dh_generate_public(env);
+  dh = _crypto_dh_env_get_dh(env);
+  notice(LD_CRYPTO, "%d references to the DH key?", dh->references);
+  ++dh->references;
+  crypto_dh_free(env);
+  --dh->references;
+  notice(LD_CRYPTO, "%d references to the DH key!", dh->references);
+  return dh;
+}
+
 /** Create a new TLS context.  If we are going to be using it as a
  * server, it must have isServer set to true, <b>identity</b> set to the
  * identity key used to sign that certificate, and <b>nickname</b> set to
@@ -352,6 +367,7 @@
       goto error;
     SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2);
 #endif
+    SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_DH_USE);
     if (!SSL_CTX_set_cipher_list(*ctx, CIPHER_LIST))
       goto error;
     if (!client_only) {
@@ -375,9 +391,7 @@
       if (!SSL_CTX_check_private_key(*ctx))
         goto error;
     }
-    dh = crypto_dh_new();
-    SSL_CTX_set_tmp_dh(*ctx, _crypto_dh_env_get_dh(dh));
-    crypto_dh_free(dh);
+    SSL_CTX_set_tmp_dh_callback(*ctx, dh_callback);
     SSL_CTX_set_verify(*ctx, SSL_VERIFY_PEER,
                        always_accept_verify_cb);
     /* let us realloc bufs that we're writing from */
@@ -438,6 +452,7 @@
   result->state = TOR_TLS_ST_HANDSHAKE;
   result->isServer = isServer;
   result->wantwrite_n = 0;
+  SSL_set_tmp_dh_callback(result->ssl,dh_callback);
   /* Not expected to get called. */
   tls_log_errors(LOG_WARN, "generating TLS context");
   return result;

More information about the tor-commits mailing list