Auto DH support.
[openssl.git] / ssl / t1_lib.c
index 31fc70e..c9e4898 100644 (file)
 #include <openssl/hmac.h>
 #include <openssl/ocsp.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#include <openssl/bn.h>
+#endif
 #include "ssl_locl.h"
 
 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
@@ -4439,3 +4443,47 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
        }
 
 #endif
+
+#ifndef OPENSSL_NO_DH
+DH *ssl_get_auto_dh(SSL *s)
+       {
+       int dh_secbits = 80;
+       if (s->cert->dh_tmp_auto == 2)
+               return DH_get_1024_160();
+       if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
+               {
+               if (s->s3->tmp.new_cipher->strength_bits == 256)
+                       dh_secbits = 128;
+               else
+                       dh_secbits = 80;
+               }
+       else
+               {
+               CERT_PKEY *cpk = ssl_get_server_send_pkey(s);
+               dh_secbits = EVP_PKEY_security_bits(cpk->privatekey);
+               }
+
+       if (dh_secbits >= 128)
+               {
+               DH *dhp = DH_new();
+               if (!dhp)
+                       return NULL;
+               dhp->g = BN_new();
+               if (dhp->g)
+                       BN_set_word(dhp->g, 2);
+               if (dh_secbits >= 192)
+                       dhp->p = get_rfc3526_prime_8192(NULL);
+               else
+                       dhp->p = get_rfc3526_prime_3072(NULL);
+               if (!dhp->p || !dhp->g)
+                       {
+                       DH_free(dhp);
+                       return NULL;
+                       }
+               return dhp;
+               }
+       if (dh_secbits >= 112)
+               return DH_get_2048_224();
+       return DH_get_1024_160();
+       }
+#endif