Remove useless DH file configuration from TLS library wrappers

These operations have no effect: tls_connection_set_params() is used only on
the TLS client side, and a TLS client receives the DH parameters from the
server rather than from local configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2022-04-15 23:37:23 +03:00
parent 86877bbc32
commit 4a774cf317
3 changed files with 0 additions and 131 deletions


@ -281,13 +281,6 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1; return -1;
} }
if (tlsv1_set_dhparams(cred, params->dh_file, params->dh_blob,
params->dh_blob_len)) {
wpa_printf(MSG_INFO, "TLS: Failed to load DH parameters");
tlsv1_cred_free(cred);
return -1;
}
if (tlsv1_client_set_cred(conn->client, cred) < 0) { if (tlsv1_client_set_cred(conn->client, cred) < 0) {
tlsv1_cred_free(cred); tlsv1_cred_free(cred);
return -1; return -1;


@ -3940,80 +3940,6 @@ static int tls_global_private_key(struct tls_data *data,
} }
static int tls_connection_dh(struct tls_connection *conn, const char *dh_file)
{
#ifdef OPENSSL_NO_DH
if (dh_file == NULL)
return 0;
wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
"dh_file specified");
return -1;
#else /* OPENSSL_NO_DH */
DH *dh;
BIO *bio;
/* TODO: add support for dh_blob */
if (dh_file == NULL)
return 0;
if (conn == NULL)
return -1;
bio = BIO_new_file(dh_file, "r");
if (bio == NULL) {
wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
dh_file, ERR_error_string(ERR_get_error(), NULL));
return -1;
}
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
#ifndef OPENSSL_NO_DSA
while (dh == NULL) {
DSA *dsa;
wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
" trying to parse as DSA params", dh_file,
ERR_error_string(ERR_get_error(), NULL));
bio = BIO_new_file(dh_file, "r");
if (bio == NULL)
break;
dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if (!dsa) {
wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
"'%s': %s", dh_file,
ERR_error_string(ERR_get_error(), NULL));
break;
}
wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
dh = DSA_dup_DH(dsa);
DSA_free(dsa);
if (dh == NULL) {
wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
"params into DH params");
break;
}
break;
}
#endif /* !OPENSSL_NO_DSA */
if (dh == NULL) {
wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
"'%s'", dh_file);
return -1;
}
if (SSL_set_tmp_dh(conn->ssl, dh) != 1) {
wpa_printf(MSG_INFO, "TLS: Failed to set DH params from '%s': "
"%s", dh_file,
ERR_error_string(ERR_get_error(), NULL));
DH_free(dh);
return -1;
}
DH_free(dh);
return 0;
#endif /* OPENSSL_NO_DH */
}
static int tls_global_dh(struct tls_data *data, const char *dh_file) static int tls_global_dh(struct tls_data *data, const char *dh_file)
{ {
#ifdef OPENSSL_NO_DH #ifdef OPENSSL_NO_DH
@ -5225,12 +5151,6 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1; return -1;
} }
if (tls_connection_dh(conn, params->dh_file)) {
wpa_printf(MSG_INFO, "TLS: Failed to load DH file '%s'",
params->dh_file);
return -1;
}
ciphers = params->openssl_ciphers; ciphers = params->openssl_ciphers;
#ifdef CONFIG_SUITEB #ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL


@ -420,44 +420,6 @@ static int tls_connection_set_subject_match(struct tls_connection *conn,
} }
static int tls_connection_dh(struct tls_connection *conn, const char *dh_file,
const u8 *dh_blob, size_t blob_len)
{
if (!dh_file && !dh_blob)
return 0;
wolfSSL_set_accept_state(conn->ssl);
if (dh_blob) {
if (wolfSSL_SetTmpDH_buffer(conn->ssl, dh_blob, blob_len,
SSL_FILETYPE_ASN1) < 0) {
wpa_printf(MSG_INFO, "SSL: use DH DER blob failed");
return -1;
}
wpa_printf(MSG_DEBUG, "SSL: use DH blob OK");
return 0;
}
if (dh_file) {
wpa_printf(MSG_INFO, "SSL: use DH PEM file: %s", dh_file);
if (wolfSSL_SetTmpDH_file(conn->ssl, dh_file,
SSL_FILETYPE_PEM) < 0) {
wpa_printf(MSG_INFO, "SSL: use DH PEM file failed");
if (wolfSSL_SetTmpDH_file(conn->ssl, dh_file,
SSL_FILETYPE_ASN1) < 0) {
wpa_printf(MSG_INFO,
"SSL: use DH DER file failed");
return -1;
}
}
wpa_printf(MSG_DEBUG, "SSL: use DH file OK");
return 0;
}
return 0;
}
static int tls_connection_client_cert(struct tls_connection *conn, static int tls_connection_client_cert(struct tls_connection *conn,
const char *client_cert, const char *client_cert,
const u8 *client_cert_blob, const u8 *client_cert_blob,
@ -1289,12 +1251,6 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1; return -1;
} }
if (tls_connection_dh(conn, params->dh_file, params->dh_blob,
params->dh_blob_len) < 0) {
wpa_printf(MSG_INFO, "Error setting DH");
return -1;
}
if (params->openssl_ciphers && if (params->openssl_ciphers &&
wolfSSL_set_cipher_list(conn->ssl, params->openssl_ciphers) != 1) { wolfSSL_set_cipher_list(conn->ssl, params->openssl_ciphers) != 1) {
wpa_printf(MSG_INFO, wpa_printf(MSG_INFO,