On 01/12/2021 13:11, Shivakumar Poojari wrote:
Hi Matt,
Your suggestion was very helpful; with your help I moved a little forward
and got blocked again.
Below is the code snippet I'm working on.
PEM_read_bio_DHparams and PEM_read_bio_DSAparams read DH params and
DSA params separately; how do I read them separately
with PEM_read_bio_Parameters_ex?
or
Can I modify the code to read the BIO in one stretch using
PEM_read_bio_Parameters_ex and update SSL_set_tmp_dh directly?
PEM_read_bio_Parameters_ex() should be able to read either DH or DSA
parameters. It will detect which one it is and give you back an EVP_PKEY
object.
Internally the EVP_PKEY object will either contain DH or DSA parameters.
You can test which one you have using:
EVP_PKEY_is_a(pkey, "DH")
or
EVP_PKEY_is_a(pkey, "DSA")
Having read the parameters into an EVP_PKEY object you can simply pass
that to SSL_set0_tmp_dh_pkey(). However, this will only work if
EVP_PKEY_is_a(pkey, "DH") returns true. If you actually have DSA
parameters then you would need to convert them using something like the
workaround I linked to. But I would question whether you really want to
continue to support this.
Matt
Please let me know your views.
Thanks,
Shivakumar
////////////////////////////////////////////////////////////////
#ifdef OPENSSL_NO_DH
    if (dh_file == NULL)
        return 0;
    wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
               "dh_file specified");
    return -1;
#else /* OPENSSL_NO_DH */
    DH *dh;
    BIO *bio;

    /* TODO: add support for dh_blob */
    if (dh_file == NULL)
        return 0;
    if (conn == NULL)
        return -1;

    bio = BIO_new_file(dh_file, "r");
    if (bio == NULL) {
        wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
                   dh_file, ERR_error_string(ERR_get_error(), NULL));
        return -1;
    }
    /* First attempt: PKCS#3 DH parameters (deprecated API in OpenSSL 3.0) */
    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
    BIO_free(bio);
#ifndef OPENSSL_NO_DSA
    /* Fallback: re-open the file, try it as DSA parameters and convert
     * them to DH with DSA_dup_DH() (also deprecated in OpenSSL 3.0).
     * The loop body runs at most once; the while only exists so that
     * 'break' can leave the block early. */
    while (dh == NULL) {
        DSA *dsa;

        wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
                   " trying to parse as DSA params", dh_file,
                   ERR_error_string(ERR_get_error(), NULL));
        bio = BIO_new_file(dh_file, "r");
        if (bio == NULL)
            break;
        dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
        BIO_free(bio);
        if (!dsa) {
            wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
                       "'%s': %s", dh_file,
                       ERR_error_string(ERR_get_error(), NULL));
            break;
        }

        wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
        dh = DSA_dup_DH(dsa);
        DSA_free(dsa);
        if (dh == NULL) {
            wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
                       "params into DH params");
            break;
        }
        break;
    }
#endif /* !OPENSSL_NO_DSA */

    if (dh == NULL) {
        wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
                   "'%s'", dh_file);
        return -1;
    }
////////////////////////////////////////////////////////////////
------------------------------------------------------------------------
*From:* openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of
Matt Caswell <matt@xxxxxxxxxxx>
*Sent:* Monday, November 29, 2021 8:40 PM
*To:* openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
*Subject:* [EXTERNAL] Re: Need Replacement for Deprecated function.
On 29/11/2021 12:35, Shivakumar Poojari wrote:
Hi All,
We are upgrading our code to OpenSSL 3.0.
We need replacements for the deprecated functions below.
SSL_use_RSAPrivateKey_ASN1();
Use SSL_use_PrivateKey_ASN1();
PEM_read_bio_DHparams();
PEM_read_bio_DSAparams();
Use PEM_read_bio_Parameters_ex() for these two.
DSA_dup_DH();
There is no replacement for this. Why do you need it? Generally this is
a bad idea.
If you really need to do it there is a workaround:
https://clicktime.symantec.com/3RFqPpzm8EUTsqiRi1524Xo6H2?u=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fblob%2Fbc42cf51c8b2a22282bb3cdf6303e230dc7b7873%2Fapps%2Fdhparam.c%23L352-L400
DSA_free();
You shouldn't need to call this anymore because you shouldn't have any
DSA objects anymore. Instead you should only be using EVP_PKEY objects.
To free those you use EVP_PKEY_free();
SSL_set_tmp_dh();
SSL_set0_tmp_dh_pkey(). Although you might be able to just remove it
completely. These functions set the DH parameters to a specific set of
values. Mostly you can instead just use the default built-in ones.
DH_free();
As per DSA_free();
SSL_CTX_set_tmp_dh();
SSL_CTX_set0_tmp_dh_pkey() - but same comments as for SSL_set_tmp_dh()
apply.
Matt
I'm not able to find proper replacements. Please help me out.
Thanks,
Shiva Kumar
Notice: This e-mail together with any attachments may contain
information of Ribbon Communications Inc. and its Affiliates that is
confidential and/or proprietary for the sole use of the intended
recipient. Any review, disclosure, reliance or distribution by others or
forwarding without express permission is strictly prohibited. If you are
not the intended recipient, please notify the sender immediately and
then delete all copies, including any attachments.