diff --git a/examples/client/client.c b/examples/client/client.c index ddf5d52cc..b2d9574c2 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1232,6 +1232,10 @@ static void Usage(void) #ifdef WOLFSSL_EARLY_DATA printf("%s", msg[++msgid]); /* -0 */ #endif +#if !defined(NO_DH) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK) + printf("-2 Disable DH Prime check\n"); +#endif #ifdef WOLFSSL_MULTICAST printf("%s", msg[++msgid]); /* -3 */ #endif @@ -1351,6 +1355,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef WOLFSSL_MULTICAST byte mcastID = 0; #endif +#if !defined(NO_DH) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK) + int doDhKeyCheck = 1; +#endif #ifdef HAVE_OCSP int useOcsp = 0; @@ -1428,7 +1436,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) while ((ch = mygetopt(argc, argv, "?:" "ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz" "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:" - "01:3:")) != -1) { + "01:23:")) != -1) { switch (ch) { case '?' : if(myoptarg!=NULL) { @@ -1816,12 +1824,21 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) earlyData = 1; #endif break; + case '1' : lng_index = atoi(myoptarg); if(lng_index<0||lng_index>1){ lng_index = 0; } break; + + case '2' : + #if !defined(NO_DH) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK) + doDhKeyCheck = 0; + #endif + break; + case '3' : #ifdef WOLFSSL_MULTICAST doMcast = 1; @@ -2558,6 +2575,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } #endif +#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \ + !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) + if (!doDhKeyCheck) + wolfSSL_SetEnableDhKeyTest(ssl, 0); +#endif + + tcp_connect(&sockfd, host, port, dtlsUDP, dtlsSCTP, ssl); if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) { wolfSSL_free(ssl); ssl = NULL; 
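Review bot: The new `-2` help line in client Usage() is a hard-coded English literal, `printf("-2 Disable DH Prime check\n");`, while the neighbouring options are printed through `msg[++msgid]`, so this line will presumably not follow the language chosen via `lng_index`. Consider adding the text to the message table and printing it as `printf("%s", msg[++msgid]); /* -2 */` under the same `#if`. The Usage() hunk in examples/server/server.c carries the same literal. The message table itself is outside the hunk, so the exact slot needs to be confirmed there.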
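Review bot: The block before tcp_connect() that calls `wolfSSL_SetEnableDhKeyTest(ssl, 0)` has no comment saying what is being switched off: on the client the DH p and g come from the server (see the `serverDH_P`/`serverDH_G` use in src/internal.c in this commit), so `-2` makes the client accept peer-supplied parameters without the prime check. I would add `/* -2: testing only, skips the prime check on the server's DH parameters */` above the `if`, and word the usage line the same way. The call's result is also dropped; if the function reports failure, an `err_sys(...)` on failure would match the surrounding style (confirm against its declaration). The same applies to the `sslResume` hunk at -2841.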
@@ -2841,6 +2865,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) err_sys("unable to get SSL object"); } +#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \ + !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) + if (!doDhKeyCheck) + wolfSSL_SetEnableDhKeyTest(sslResume, 0); +#endif + if (dtlsUDP) { #ifdef USE_WINDOWS_API Sleep(500); diff --git a/examples/server/server.c b/examples/server/server.c index 057907d45..85248e86b 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -670,7 +670,10 @@ static void Usage(void) #ifdef WOLFSSL_EARLY_DATA printf("%s", msg[++msgId]); /* -0 */ #endif - printf("-X Disable DH Prime check\n"); +#if !defined(NO_DH) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK) + printf("-2 Disable DH Prime check\n"); +#endif #ifdef WOLFSSL_MULTICAST printf("%s", msg[++msgId]); /* -3 */ #endif @@ -848,11 +851,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef WOLFSSL_VXWORKS useAnyAddr = 1; #else - /* Not Used: h, m, z, F, M, T, V, W */ + /* Not Used: h, m, z, F, M, T, V, W, X */ while ((ch = mygetopt(argc, argv, "?:" "abc:defgijk:l:nop:q:rstuv:wxy" - "A:B:C:D:E:GH:IJKL:NO:PQR:S:TUVXYZ:" - "01:3:")) != -1) { + "A:B:C:D:E:GH:IJKL:NO:PQR:S:TUVYZ:" + "01:23:")) != -1) { switch (ch) { case '?' : if(myoptarg!=NULL) { @@ -1158,24 +1161,26 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif break; - case 'X' : - #if !defined(NO_DH) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK) - doDhKeyCheck = 0; - #endif - break; - case '0' : #ifdef WOLFSSL_EARLY_DATA earlyData = 1; #endif break; + case '1' : lng_index = atoi(myoptarg); if(lng_index<0||lng_index>1){ lng_index = 0; } break; + + case '2' : + #if !defined(NO_DH) && !defined(HAVE_FIPS) && \ + !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK) + doDhKeyCheck = 0; + #endif + break; + case '3' : #ifdef WOLFSSL_MULTICAST doMcast = 1; 
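Review bot: Dropping `X` from the server's mygetopt string renames the switch rather than adding an alias, so a caller that still passes `-X` no longer disables the check and is presumably routed to the `case '?'` branch instead. If existing test scripts or documentation use `-X`, they need updating in the same commit. Otherwise, keeping `X` in the option string with `case 'X' :` falling through to `case '2' :` for a transition period would avoid the break. The rest of the switch is outside the hunk.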
diff --git a/src/internal.c b/src/internal.c index f10e6fef0..9973dabfb 100644 --- a/src/internal.c +++ b/src/internal.c @@ -19600,21 +19600,31 @@ int SendClientKeyExchange(WOLFSSL* ssl) #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \ !defined(WOLFSSL_OLD_PRIME_CHECK) - ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length, - NULL, 0, 0, ssl->rng); - #else - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); + if (ssl->options.dhDoKeyTest && + !ssl->options.dhKeyTested) + { + ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, + ssl->buffers.serverDH_P.buffer, + ssl->buffers.serverDH_P.length, + ssl->buffers.serverDH_G.buffer, + ssl->buffers.serverDH_G.length, + NULL, 0, 0, ssl->rng); + if (ret != 0) { + goto exit_scke; + } + ssl->options.dhKeyTested = 1; + } + else #endif - if (ret != 0) { - goto exit_scke; + { + ret = wc_DhSetKey(ssl->buffers.serverDH_Key, + ssl->buffers.serverDH_P.buffer, + ssl->buffers.serverDH_P.length, + ssl->buffers.serverDH_G.buffer, + ssl->buffers.serverDH_G.length); + if (ret != 0) { + goto exit_scke; + } } /* for DH, encSecret is Yc, agree is pre-master */ 
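Review bot: Once `ssl->options.dhKeyTested` is set, every later pass through this block takes the `else` branch and loads `serverDH_P`/`serverDH_G` with `wc_DhSetKey`, without the prime check, and nothing in the hunk clears the flag. If the flag is meant to cover only re-entry of SendClientKeyExchange for the same server parameters, it should be reset wherever new parameters are stored, for example `ssl->options.dhKeyTested = 0;` next to the code that fills `serverDH_P`. Otherwise a later handshake on the same object could use unchecked parameters. That code is outside the hunk, so this may already be handled; a comment on the flag stating its lifetime would settle it. The second hunk at -19703 repeats the same pattern.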
@@ -19703,23 +19713,33 @@ int SendClientKeyExchange(WOLFSSL* ssl) goto exit_scke; } -#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \ - !defined(WOLFSSL_OLD_PRIME_CHECK) - ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length, - NULL, 0, 0, ssl->rng); -#else - ret = wc_DhSetKey(ssl->buffers.serverDH_Key, - ssl->buffers.serverDH_P.buffer, - ssl->buffers.serverDH_P.length, - ssl->buffers.serverDH_G.buffer, - ssl->buffers.serverDH_G.length); -#endif - if (ret != 0) { - goto exit_scke; + #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \ + !defined(WOLFSSL_OLD_PRIME_CHECK) + if (ssl->options.dhDoKeyTest && + !ssl->options.dhKeyTested) + { + ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, + ssl->buffers.serverDH_P.buffer, + ssl->buffers.serverDH_P.length, + ssl->buffers.serverDH_G.buffer, + ssl->buffers.serverDH_G.length, + NULL, 0, 0, ssl->rng); + if (ret != 0) { + goto exit_scke; + } + ssl->options.dhKeyTested = 1; + } + else + #endif + { + ret = wc_DhSetKey(ssl->buffers.serverDH_Key, + ssl->buffers.serverDH_P.buffer, + ssl->buffers.serverDH_P.length, + ssl->buffers.serverDH_G.buffer, + ssl->buffers.serverDH_G.length); + if (ret != 0) { + goto exit_scke; + } } /* for DH, encSecret is Yc, agree is pre-master */