WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

DHE Speed Up 

1. Also apply the setting to the client side.
2. Updated the server and client command line options to use "-2" for disabling the DHE check.
pull/1946/head
John Safranek 2018-12-03 13:53:44 -08:00
parent 564a1ee499
commit a55f11cdd8
3 changed files with 98 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
examples/client/client.c
View File

@ -1232,6 +1232,10 @@ static void Usage(void)
#ifdef WOLFSSL_EARLY_DATA
printf("%s", msg[++msgid]); /* -0 */
#endif
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
printf("-2 Disable DH Prime check\n");
#endif
#ifdef WOLFSSL_MULTICAST
printf("%s", msg[++msgid]); /* -3 */
#endif
@ -1351,6 +1355,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifdef WOLFSSL_MULTICAST
byte mcastID = 0;
#endif
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
int doDhKeyCheck = 1;
#endif
#ifdef HAVE_OCSP
int useOcsp = 0;
@ -1428,7 +1436,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
while ((ch = mygetopt(argc, argv, "?:"
"ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz"
"A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
"01:3:")) != -1) {
"01:23:")) != -1) {
switch (ch) {
case '?' :
if(myoptarg!=NULL) {
@ -1816,12 +1824,21 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
earlyData = 1;
#endif
break;
case '1' :
lng_index = atoi(myoptarg);
if(lng_index<0||lng_index>1){
lng_index = 0;
}
break;
case '2' :
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
doDhKeyCheck = 0;
#endif
break;
case '3' :
#ifdef WOLFSSL_MULTICAST
doMcast = 1;
@ -2558,6 +2575,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
}
#endif
#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \
!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
if (!doDhKeyCheck)
wolfSSL_SetEnableDhKeyTest(ssl, 0);
#endif
tcp_connect(&sockfd, host, port, dtlsUDP, dtlsSCTP, ssl);
if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) {
wolfSSL_free(ssl); ssl = NULL;
@ -2841,6 +2865,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to get SSL object");
}
#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \
!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
if (!doDhKeyCheck)
wolfSSL_SetEnableDhKeyTest(sslResume, 0);
#endif
if (dtlsUDP) {
#ifdef USE_WINDOWS_API
Sleep(500);

27
examples/server/server.c
View File

@ -670,7 +670,10 @@ static void Usage(void)
#ifdef WOLFSSL_EARLY_DATA
printf("%s", msg[++msgId]); /* -0 */
#endif
printf("-X Disable DH Prime check\n");
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
printf("-2 Disable DH Prime check\n");
#endif
#ifdef WOLFSSL_MULTICAST
printf("%s", msg[++msgId]); /* -3 */
#endif
@ -848,11 +851,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#ifdef WOLFSSL_VXWORKS
useAnyAddr = 1;
#else
/* Not Used: h, m, z, F, M, T, V, W */
/* Not Used: h, m, z, F, M, T, V, W, X */
while ((ch = mygetopt(argc, argv, "?:"
"abc:defgijk:l:nop:q:rstuv:wxy"
"A:B:C:D:E:GH:IJKL:NO:PQR:S:TUVXYZ:"
"01:3:")) != -1) {
"A:B:C:D:E:GH:IJKL:NO:PQR:S:TUVYZ:"
"01:23:")) != -1) {
switch (ch) {
case '?' :
if(myoptarg!=NULL) {
@ -1158,24 +1161,26 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#endif
break;
case 'X' :
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
doDhKeyCheck = 0;
#endif
break;
case '0' :
#ifdef WOLFSSL_EARLY_DATA
earlyData = 1;
#endif
break;
case '1' :
lng_index = atoi(myoptarg);
if(lng_index<0||lng_index>1){
lng_index = 0;
}
break;
case '2' :
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
doDhKeyCheck = 0;
#endif
break;
case '3' :
#ifdef WOLFSSL_MULTICAST
doMcast = 1;

82
src/internal.c
View File

@ -19600,21 +19600,31 @@ int SendClientKeyExchange(WOLFSSL* ssl)
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
!defined(WOLFSSL_OLD_PRIME_CHECK)
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length,
NULL, 0, 0, ssl->rng);
#else
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
if (ssl->options.dhDoKeyTest &&
!ssl->options.dhKeyTested)
{
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length,
NULL, 0, 0, ssl->rng);
if (ret != 0) {
goto exit_scke;
}
ssl->options.dhKeyTested = 1;
}
else
#endif
if (ret != 0) {
goto exit_scke;
{
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
if (ret != 0) {
goto exit_scke;
}
}
/* for DH, encSecret is Yc, agree is pre-master */
@ -19703,23 +19713,33 @@ int SendClientKeyExchange(WOLFSSL* ssl)
goto exit_scke;
}
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
!defined(WOLFSSL_OLD_PRIME_CHECK)
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length,
NULL, 0, 0, ssl->rng);
#else
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
#endif
if (ret != 0) {
goto exit_scke;
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
!defined(WOLFSSL_OLD_PRIME_CHECK)
if (ssl->options.dhDoKeyTest &&
!ssl->options.dhKeyTested)
{
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length,
NULL, 0, 0, ssl->rng);
if (ret != 0) {
goto exit_scke;
}
ssl->options.dhKeyTested = 1;
}
else
#endif
{
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
if (ret != 0) {
goto exit_scke;
}
}
/* for DH, encSecret is Yc, agree is pre-master */