On Thu, Sep 19, 2024 at 21:41:44 +1000, Viktor Dukhovni via Postfix-users wrote:
> Can you build Postfix after running "makedefs" with "OPT='-g -ggdb3'",
> and set a break-point in posttls-finger at line ~1054 of tls_misc.c:
>
> 1054        if (tls_get_peer_dh_pubkey(ssl, &dh_pkey)) {

With a PQC KEM, this if evaluates to false, so the entire nid evaluation block is skipped. But in both scenarios, PQC and X25519, the key_share succeeds from first ClientHello, no HRR (as I'm consciously sending only one group in these tests).

> 1055            switch (nid = EVP_PKEY_id(dh_pkey)) {
> 1056            default:
> 1057                kex_name = OBJ_nid2sn(EVP_PKEY_type(nid));
> 1058                break;
> 1059
> 1060    #if defined(EVP_PKEY_KEYMGMT)
> 1061            case EVP_PKEY_KEYMGMT:
> 1062                kex_name = EVP_PKEY_get0_type_name(dh_pkey);
> 1063                TLScontext->kex_bits = 0;
> 1064                break;
> 1065    #endif
> 1066
> 1067            case EVP_PKEY_DH:
> 1068                kex_name = "DHE";
> 1069                TLScontext->kex_bits = EVP_PKEY_bits(dh_pkey);
> 1070                break;
> 1071
> 1072    #ifndef OPENSSL_NO_EC
> 1073            case EVP_PKEY_EC:
> 1074                kex_name = "ECDHE";
> 1075                kex_curve = ec_curve_name(dh_pkey);
> 1076                break;
> 1077    #endif
>
> then single-step through the code reporting the "nid" value obtained,
> and the "case" taken, as well as "kex_name", ...

Geert