feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

DHE Speed Up

Browse Source 
1. Also apply the setting to the client side.
2. Updated the server and client command line options to use "-2" for disabling the DHE check.
This commit is contained in:
John Safranek
2018-12-03 13:53:44 -08:00
parent 564a1ee499
commit a55f11cdd8
3 changed files with 98 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
examples/client/client.c
View File

@ -1232,6 +1232,10 @@ static void Usage(void)
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
printf("%s", msg[++msgid]); /* -0 */ printf("%s", msg[++msgid]); /* -0 */
#endif #endif
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
printf("-2 Disable DH Prime check\n");
#endif
#ifdef WOLFSSL_MULTICAST #ifdef WOLFSSL_MULTICAST
printf("%s", msg[++msgid]); /* -3 */ printf("%s", msg[++msgid]); /* -3 */
#endif #endif
@ -1351,6 +1355,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifdef WOLFSSL_MULTICAST #ifdef WOLFSSL_MULTICAST
byte mcastID = 0; byte mcastID = 0;
#endif #endif
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
int doDhKeyCheck = 1;
#endif
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
int useOcsp = 0; int useOcsp = 0;
@ -1428,7 +1436,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
while ((ch = mygetopt(argc, argv, "?:" while ((ch = mygetopt(argc, argv, "?:"
"ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz" "ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz"
"A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:" "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
"01:3:")) != -1) { "01:23:")) != -1) {
switch (ch) { switch (ch) {
case '?' : case '?' :
if(myoptarg!=NULL) { if(myoptarg!=NULL) {
@ -1816,12 +1824,21 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
earlyData = 1; earlyData = 1;
#endif #endif
break; break;
case '1' : case '1' :
lng_index = atoi(myoptarg); lng_index = atoi(myoptarg);
if(lng_index<0||lng_index>1){ if(lng_index<0||lng_index>1){
lng_index = 0; lng_index = 0;
} }
break; break;
case '2' :
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
doDhKeyCheck = 0;
#endif
break;
case '3' : case '3' :
#ifdef WOLFSSL_MULTICAST #ifdef WOLFSSL_MULTICAST
doMcast = 1; doMcast = 1;
@ -2558,6 +2575,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
} }
#endif #endif
#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \
!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
if (!doDhKeyCheck)
wolfSSL_SetEnableDhKeyTest(ssl, 0);
#endif
tcp_connect(&sockfd, host, port, dtlsUDP, dtlsSCTP, ssl); tcp_connect(&sockfd, host, port, dtlsUDP, dtlsSCTP, ssl);
if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) { if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) {
wolfSSL_free(ssl); ssl = NULL; wolfSSL_free(ssl); ssl = NULL;
@ -2841,6 +2865,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to get SSL object"); err_sys("unable to get SSL object");
} }
#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \
!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
if (!doDhKeyCheck)
wolfSSL_SetEnableDhKeyTest(sslResume, 0);
#endif
if (dtlsUDP) { if (dtlsUDP) {
#ifdef USE_WINDOWS_API #ifdef USE_WINDOWS_API
Sleep(500); Sleep(500);

27
examples/server/server.c
View File

@ -670,7 +670,10 @@ static void Usage(void)
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
printf("%s", msg[++msgId]); /* -0 */ printf("%s", msg[++msgId]); /* -0 */
#endif #endif
printf("-X Disable DH Prime check\n"); #if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
printf("-2 Disable DH Prime check\n");
#endif
#ifdef WOLFSSL_MULTICAST #ifdef WOLFSSL_MULTICAST
printf("%s", msg[++msgId]); /* -3 */ printf("%s", msg[++msgId]); /* -3 */
#endif #endif
@ -848,11 +851,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#ifdef WOLFSSL_VXWORKS #ifdef WOLFSSL_VXWORKS
useAnyAddr = 1; useAnyAddr = 1;
#else #else
/* Not Used: h, m, z, F, M, T, V, W */ /* Not Used: h, m, z, F, M, T, V, W, X */
while ((ch = mygetopt(argc, argv, "?:" while ((ch = mygetopt(argc, argv, "?:"
"abc:defgijk:l:nop:q:rstuv:wxy" "abc:defgijk:l:nop:q:rstuv:wxy"
"A:B:C:D:E:GH:IJKL:NO:PQR:S:TUVXYZ:" "A:B:C:D:E:GH:IJKL:NO:PQR:S:TUVYZ:"
"01:3:")) != -1) { "01:23:")) != -1) {
switch (ch) { switch (ch) {
case '?' : case '?' :
if(myoptarg!=NULL) { if(myoptarg!=NULL) {
@ -1158,24 +1161,26 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#endif #endif
break; break;
case 'X' :
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
doDhKeyCheck = 0;
#endif
break;
case '0' : case '0' :
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
earlyData = 1; earlyData = 1;
#endif #endif
break; break;
case '1' : case '1' :
lng_index = atoi(myoptarg); lng_index = atoi(myoptarg);
if(lng_index<0||lng_index>1){ if(lng_index<0||lng_index>1){
lng_index = 0; lng_index = 0;
} }
break; break;
case '2' :
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
doDhKeyCheck = 0;
#endif
break;
case '3' : case '3' :
#ifdef WOLFSSL_MULTICAST #ifdef WOLFSSL_MULTICAST
doMcast = 1; doMcast = 1;

82
src/internal.c
View File

@ -19600,21 +19600,31 @@ int SendClientKeyExchange(WOLFSSL* ssl)
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \ #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
!defined(WOLFSSL_OLD_PRIME_CHECK) !defined(WOLFSSL_OLD_PRIME_CHECK)
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, if (ssl->options.dhDoKeyTest &&
ssl->buffers.serverDH_P.buffer, !ssl->options.dhKeyTested)
ssl->buffers.serverDH_P.length, {
ssl->buffers.serverDH_G.buffer, ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_G.length, ssl->buffers.serverDH_P.buffer,
NULL, 0, 0, ssl->rng); ssl->buffers.serverDH_P.length,
#else ssl->buffers.serverDH_G.buffer,
ret = wc_DhSetKey(ssl->buffers.serverDH_Key, ssl->buffers.serverDH_G.length,
ssl->buffers.serverDH_P.buffer, NULL, 0, 0, ssl->rng);
ssl->buffers.serverDH_P.length, if (ret != 0) {
ssl->buffers.serverDH_G.buffer, goto exit_scke;
ssl->buffers.serverDH_G.length); }
ssl->options.dhKeyTested = 1;
}
else
#endif #endif
if (ret != 0) { {
goto exit_scke; ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
if (ret != 0) {
goto exit_scke;
}
} }
/* for DH, encSecret is Yc, agree is pre-master */ /* for DH, encSecret is Yc, agree is pre-master */
@ -19703,23 +19713,33 @@ int SendClientKeyExchange(WOLFSSL* ssl)
goto exit_scke; goto exit_scke;
} }
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \ #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
!defined(WOLFSSL_OLD_PRIME_CHECK) !defined(WOLFSSL_OLD_PRIME_CHECK)
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key, if (ssl->options.dhDoKeyTest &&
ssl->buffers.serverDH_P.buffer, !ssl->options.dhKeyTested)
ssl->buffers.serverDH_P.length, {
ssl->buffers.serverDH_G.buffer, ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_G.length, ssl->buffers.serverDH_P.buffer,
NULL, 0, 0, ssl->rng); ssl->buffers.serverDH_P.length,
#else ssl->buffers.serverDH_G.buffer,
ret = wc_DhSetKey(ssl->buffers.serverDH_Key, ssl->buffers.serverDH_G.length,
ssl->buffers.serverDH_P.buffer, NULL, 0, 0, ssl->rng);
ssl->buffers.serverDH_P.length, if (ret != 0) {
ssl->buffers.serverDH_G.buffer, goto exit_scke;
ssl->buffers.serverDH_G.length); }
#endif ssl->options.dhKeyTested = 1;
if (ret != 0) { }
goto exit_scke; else
#endif
{
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
if (ret != 0) {
goto exit_scke;
}
} }
/* for DH, encSecret is Yc, agree is pre-master */ /* for DH, encSecret is Yc, agree is pre-master */