Here is the sample program I have so far to test the concept of anonymous
DH:

1) Start with the samples included in the source, e.g.
demos/ssl/serv.cpp and cli.cpp

2) Server & Client: Remove all the calls related to certificates -

SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM)
SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM)
SSL_CTX_check_private_key(ctx)
SSL_get_peer_certificate()

etc.

3) Write a function to either load the DH params from a file or generate it:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/dh.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>

void load_dh_params(SSL_CTX *ctx)
{
  DH *dh = NULL;
  int codes = 0;

  /* Generate the parameters. 128 bits is only good enough for a quick
     concept test; use at least 2048 bits for anything real. (No RAND_seed()
     needed: OpenSSL seeds its PRNG from the OS.) */
  if (((dh = DH_new()) == NULL) || !DH_generate_parameters_ex(dh, 128, 5, NULL)) {
    printf("Couldn't generate DH\n");
    return;
  }
  /* Make sure the generated params are ok */
  if (!DH_check(dh, &codes) || codes != 0)
    printf("DH parameters failed DH_check (codes=0x%x)\n", codes);

  /* Optional: the library generates the ephemeral key pair itself during
     each handshake, so this call is not required for SSL_CTX_set_tmp_dh() */
  if (!DH_generate_key(dh))
    printf("Couldn't generate DH key\n");

  /* If you want to read the params from a file instead, comment out the
     generation calls above and use this (bio must be opened for reading,
     not wrapped around stdout): */
  //BIO *bio = BIO_new_file("dhparams.pem", "r");
  //dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
  //BIO_free(bio);

  /* SSL_CTX_set_tmp_dh() returns 1 on success and keeps its own copy of dh,
     so the caller frees the original */
  if (SSL_CTX_set_tmp_dh(ctx, dh) != 1)
    printf("Couldn't set DH parameters\n");
  DH_free(dh);
}

4) Server: Call the DH generation function

  ....
  ctx = SSL_CTX_new (meth);
  load_dh_params(ctx);

5) Server & client: Set the cipher

SSL_CTX_set_cipher_list(ctx,"ADH-AES256-SHA");

This should be enough for a very basic anonymous DH client/server program.

Regards

Ramg



On Fri, Aug 28, 2009 at 7:42 AM, Josue Andrade Gomes <josue.gomes.honey...@gmail.com> wrote:

> I'm also interested in such sample program. Anyone?
>
>
>
> On Thu, Aug 27, 2009 at 4:39 PM, Ram G <mydevfor...@gmail.com> wrote:
>
>> Things are getting clearer as I dig deeper. The book "Network Security
>> with OpenSSL" by John Viega et al has some explanation of how the DH key
>> exchange takes place.
>>
>> With that knowledge, I went through the source code and found that
>> DH_compute_key() is being called in s3_clnt.c and s3_srvr.c. So there is no
>> need to call it in client applications.
>>
>> BRs
>>
>> Ramg
>> On Thu, Aug 27, 2009 at 12:23 PM, Ram G <mydevfor...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> Going through various posts, I have come across references to Bodo
>>> Moeller's example code showing SSL communication without certificates and
>>> using anonymous DH key exchange. If anybody has that sample, can you please
>>> forward it ?
>>>
>>> I have written a client and server taking help from the sample programs.
>>> I'm generating the DH params in the server and setting it in the SSL
>>> context. I'm setting the cipher as ADH-AES256-SHA in both server and client.
>>> The client and server are communicating.
>>>
>>> To generate the DH parameters P & G, I have done this:
>>>
>>> 1) Calling DH_generate_parameters() in the server will generate the Prime P
>>> 2) Calling DH_generate_key() performs the first step of a Diffie-Hellman
>>> key exchange by generating private and public DH values.
>>>
>>> Documentation also talks about this call to generate the shared key:
>>>
>>> 3) Calling DH_compute_key(), these are combined with the client's public
>>> value to compute the shared key. (My program is working even without the
>>> DH_compute_key() call in the server - which is strange I think)
>>>
>>> What I'm not sure is :
>>>
>>> What is the call I need to make in the client to pass the client's public
>>> key ( G (power X) mod P ) to the server ?
>>>
>>> I'm working on a prototype and beginning to get my hands dirty with
>>> OpenSSL. Your help is greatly appreciated.
>>>
>>> -Ramg
>>>
>>
>>
>
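Added example (not code from this thread or from the OpenSSL demos): a toy Diffie-Hellman exchange in plain C that walks through the three steps Ram lists above (generate P and G, generate the key pair, compute the shared key) for both the server and the client, and shows the one thing the client never has to do by hand in OpenSSL: its public value G^x mod P is just the ClientKeyExchange message that the library sends for it. The prime is tiny and the private exponents are fixed so the result is checkable; real deployments need 2048-bit or larger parameters, and nothing in this exchange authenticates either side, which is exactly what "anonymous" in ADH means.

```c
/* Toy anonymous DH exchange. Constructed for illustration only: the prime is
 * far too small and the private values are fixed, so do not reuse as-is. */
#include <stdint.h>
#include <stdio.h>

/* (a * b) mod m without overflow, via a 128-bit intermediate (GCC/clang). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* base^exp mod m by square-and-multiply. */
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Step 2 (what DH_generate_key does): public value = G^priv mod P. */
uint64_t dh_public_value(uint64_t p, uint64_t g, uint64_t priv) {
    return powmod(g, priv, p);
}

/* Step 3 (what DH_compute_key does): shared secret = peer_pub^priv mod P. */
uint64_t dh_shared_secret(uint64_t p, uint64_t peer_pub, uint64_t priv) {
    return powmod(peer_pub, priv, p);
}

/* The full exchange. The server chose P and G (step 1) and sends them with its
 * public value in ServerKeyExchange; the client replies with its own public
 * value in ClientKeyExchange. Both then derive the same secret, or 0 on error.
 * Note that no identity is bound to either public value: a party in the middle
 * could run this exchange separately with each side, hence "anonymous". */
uint64_t dh_exchange(uint64_t p, uint64_t g, uint64_t srv_priv, uint64_t cli_priv) {
    uint64_t srv_pub = dh_public_value(p, g, srv_priv);      /* server -> client */
    uint64_t cli_pub = dh_public_value(p, g, cli_priv);      /* client -> server */
    uint64_t srv_secret = dh_shared_secret(p, cli_pub, srv_priv);
    uint64_t cli_secret = dh_shared_secret(p, srv_pub, cli_priv);
    return srv_secret == cli_secret ? srv_secret : 0;
}

int main(void) {
    /* Textbook toy parameters: P = 23, G = 5, private values 6 and 15. */
    printf("shared secret = %llu\n", (unsigned long long)dh_exchange(23, 5, 6, 15));
    return 0;
}
```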
