Also include the following call to read the DH file (samples are included in the
source, e.g. dh1024.pem) in the function load_dh_params():

    if ((bio = BIO_new_file(file, "r")) == NULL)
        printf("Couldn't open DH file\n");

On Fri, Aug 28, 2009 at 9:04 AM, Ram G <mydevfor...@gmail.com> wrote:
> Here is the sample program I have so far to test the concept of anonymous
> DH:
>
> 1) Start with the samples included in the source, e.g.
> demos/ssl/serv.cpp and cli.cpp
>
> 2) Server & Client: Remove all the calls related to certificates:
>
>     SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM)
>     SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM)
>     SSL_CTX_check_private_key(ctx)
>     SSL_get_peer_certificate()
>
> etc.
>
> 3) Write a function to either load the DH params from a file or generate
> them:
>
>     void load_dh_params(SSL_CTX *ctx)
>     {
>         DH *dh = NULL;
>         BIO *bio = NULL;
>
>         RAND_seed(rnd_seed, sizeof rnd_seed);
>         /* 128-bit prime is a test size only; use >= 2048 bits for real use */
>         if ((dh = DH_new()) == NULL ||
>             !DH_generate_parameters_ex(dh, 128, 5, NULL))
>             printf("Couldn't generate DH\n");
>         // Make calls to DH_check() to make sure the generated params are ok
>         ....
>
>         if (!DH_generate_key(dh))
>             printf("Couldn't generate DH key\n");
>
>         // If you want to read from a file, use the following and comment
>         // out the generation calls above
>         // bio = BIO_new(BIO_s_file());
>         // BIO_set_fp(bio, stdout, BIO_NOCLOSE);
>         // dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
>         // BIO_free(bio);
>
>         /* SSL_CTX_set_tmp_dh() returns 1 on success */
>         if (SSL_CTX_set_tmp_dh(ctx, dh) != 1)
>             printf("Couldn't set DH parameters\n");
>     }
>
> 4) Server: Call the DH generation function
>
>     ....
>     ctx = SSL_CTX_new(meth);
>     load_dh_params(ctx);
>
> 5) Server & client: Set the cipher
>
>     SSL_CTX_set_cipher_list(ctx, "ADH-AES256-SHA");
>
> This should be enough for a very basic anonymous DH client/server program.
>
> Regards
>
> Ramg
>
>
> On Fri, Aug 28, 2009 at 7:42 AM, Josue Andrade Gomes
> <josue.gomes.honey...@gmail.com> wrote:
>
>> I'm also interested in such a sample program. Anyone?
>>
>> On Thu, Aug 27, 2009 at 4:39 PM, Ram G <mydevfor...@gmail.com> wrote:
>>
>>> Things are getting clearer as I dig deeper. The book "Network Security
>>> with OpenSSL" by John Viega et al. has some explanation of how the DH key
>>> exchange takes place.
>>>
>>> With that knowledge, I went through the source code and found that
>>> DH_compute_key() is being called in s3_clnt.c and s3_srvr.c. So there is no
>>> need to call it in client applications.
>>>
>>> BRs
>>>
>>> Ramg
>>>
>>> On Thu, Aug 27, 2009 at 12:23 PM, Ram G <mydevfor...@gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> Going through various posts, I have come across references to Bodo
>>>> Moeller's example code showing SSL communication without certificates and
>>>> using anonymous DH key exchange. If anybody has that sample, can you please
>>>> forward it?
>>>>
>>>> I have written a client and server taking help from the sample programs.
>>>> I'm generating the DH params in the server and setting them in the SSL
>>>> context. I'm setting the cipher as ADH-AES256-SHA in both server and
>>>> client. The client and server are communicating.
>>>>
>>>> To generate the DH parameters P & G, I have done this:
>>>>
>>>> 1) Calling DH_generate_parameters() in the server will generate the
>>>> prime P
>>>> 2) Calling DH_generate_key() performs the first step of a Diffie-Hellman
>>>> key exchange by generating private and public DH values.
>>>>
>>>> The documentation also talks about this call to generate the shared key:
>>>>
>>>> 3) Calling DH_compute_key(), these are combined with the client's public
>>>> value to compute the shared key. (My program is working even without the
>>>> DH_compute_key() call in the server, which is strange I think.)
>>>>
>>>> What I'm not sure of is: what call do I need to make in the client to
>>>> pass the client's public key (G^X mod P) to the server?
>>>>
>>>> I'm working on a prototype and beginning to get my hands dirty with
>>>> OpenSSL. Your help is greatly appreciated.
>>>>
>>>> -Ramg
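The arithmetic behind the thread's ADH setup, as an added example that is not
code from the thread or from OpenSSL. In the handshake the library does every
step itself: DH_generate_key() produces the server's and client's G^X mod P, the
server's value travels in ServerKeyExchange together with P and G, the client's
travels in ClientKeyExchange, and DH_compute_key() is called inside s3_srvr.c and
s3_clnt.c, which is why no application call is needed to "pass the client's
public key". The example below redoes those steps, plus the parameter checks
DH_check() performs, with plain 64-bit integers so it needs no libcrypto; the
62-bit safe prime, the fixed private exponents and all function names are this
example's own stand-ins, not OpenSSL's API, and the prime size is a toy (real
groups are 2048 bits or more). It also shows the property that the "A" in ADH
buys you nothing against an active attacker: with no authentication, an on-path
party can run a separate exchange with each side.

```c
/* Added example, not code from this thread or from OpenSSL: the arithmetic the
 * library runs for you on an ADH suite (the DH_generate_key()/DH_compute_key()
 * steps found in s3_clnt.c and s3_srvr.c), in plain 64-bit C with no libcrypto.
 * The 62-bit group is a toy stand-in for >= 2048 bits; private exponents are
 * constructed constants where real code would draw them from a CSPRNG. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
typedef unsigned __int128 u128;   /* GCC/Clang extension; keeps products exact */

/* base^exp mod m by square-and-multiply. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    u128 r = 1, b = base % m;
    for (; exp; exp >>= 1) {
        if (exp & 1) r = (r * b) % m;
        b = (b * b) % m;
    }
    return (uint64_t)r;
}

/* Deterministic Miller-Rabin; these 12 bases are exact for every n < 2^64. */
int is_prime(uint64_t n)
{
    static const uint64_t b[] = {2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37};
    if (n < 2) return 0;
    for (size_t i = 0; i < 12; i++)
        if (n % b[i] == 0) return n == b[i];
    uint64_t d = n - 1; int s = 0;
    while (!(d & 1)) { d >>= 1; s++; }
    for (size_t i = 0; i < 12; i++) {
        uint64_t x = modpow(b[i], d, n);
        if (x == 1 || x == n - 1) continue;
        for (int r = 1; r < s && x != n - 1; r++) x = (uint64_t)(((u128)x * x) % n);
        if (x != n - 1) return 0;           /* b[i] witnesses compositeness */
    }
    return 1;
}

/* Stand-in for DH_generate_parameters_ex(): first safe prime p = 2q+1 >= start. */
uint64_t find_safe_prime(uint64_t start)
{
    for (uint64_t q = (start / 2) | 1;; q += 2)
        if (is_prime(q) && is_prime(2 * q + 1)) return 2 * q + 1;
}

/* What DH_check() verifies: p prime and safe, g outside {0, 1, p-1}, and g^q
 * equal to 1 or p-1, i.e. g in the order-q or order-2q subgroup. */
enum { CHECK_OK = 0, CHECK_P_NOT_PRIME = 1, CHECK_P_NOT_SAFE = 2, CHECK_BAD_G = 4 };
int check_params(uint64_t p, uint64_t g)
{
    int flags = CHECK_OK;
    if (!is_prime(p)) flags |= CHECK_P_NOT_PRIME;
    if (!is_prime((p - 1) / 2)) flags |= CHECK_P_NOT_SAFE;
    if (g <= 1 || g >= p - 1) flags |= CHECK_BAD_G;
    else if (flags == CHECK_OK) {
        uint64_t t = modpow(g, (p - 1) / 2, p);
        if (t != 1 && t != p - 1) flags |= CHECK_BAD_G;
    }
    return flags;
}

typedef struct { uint64_t p, g; } dh_params;       /* server -> client, ServerKeyExchange */
typedef struct { uint64_t priv, pub; } dh_keypair; /* X and G^X mod P */

/* DH_generate_key(): publish G^X mod P for private exponent X. */
dh_keypair dh_keygen(dh_params d, uint64_t x)
{
    dh_keypair k = { x, modpow(d.g, x, d.p) };
    return k;
}

/* DH_compute_key(): peer_pub^X mod P, refusing peer values that would pin the
 * secret to 1 or p-1. Returns 1 on success. */
int dh_derive(dh_params d, dh_keypair mine, uint64_t peer_pub, uint64_t *out)
{
    if (peer_pub <= 1 || peer_pub >= d.p - 1) return 0;
    *out = modpow(peer_pub, mine.priv, d.p);
    return 1;
}

/* Honest exchange: 1 if server (exponent xs) and client (xc) derive one key. */
int honest_exchange(dh_params d, uint64_t xs, uint64_t xc)
{
    dh_keypair s = dh_keygen(d, xs), c = dh_keygen(d, xc);
    uint64_t ks, kc;
    return dh_derive(d, s, c.pub, &ks) && dh_derive(d, c, s.pub, &kc) && ks == kc;
}

/* The cost of "anonymous": an on-path attacker (exponent xm) substitutes its own
 * public value in both directions and shares one key with each side, undetected. */
int mitm_exchange(dh_params d, uint64_t xs, uint64_t xc, uint64_t xm)
{
    dh_keypair s = dh_keygen(d, xs), c = dh_keygen(d, xc), m = dh_keygen(d, xm);
    uint64_t ks, kc, kms, kmc;
    return dh_derive(d, s, m.pub, &ks) && dh_derive(d, c, m.pub, &kc)
        && dh_derive(d, m, s.pub, &kms) && dh_derive(d, m, c.pub, &kmc)
        && ks == kms && kc == kmc;
}
```

Build with a C99 or later compiler (the u128 typedef needs GCC or Clang) and
drive it with a group from find_safe_prime(1ULL << 61) and g = 2:
check_params() reports CHECK_OK, honest_exchange() returns 1, and
mitm_exchange() also returns 1, which is the whole point of the caveat. Feeding
check_params() the Mersenne prime 2^61-1 returns CHECK_P_NOT_SAFE because
(p-1)/2 = 2^60-1 is composite, the kind of parameter DH_check() exists to
reject; dh_derive() returning 0 for a peer value of 1 or p-1 is the other check
worth keeping in a real implementation.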