authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>2024-05-02 16:21:44 +0200
committerMatt Caswell <matt@openssl.org>2024-05-10 09:01:07 +0100
commit5044c68c377fd3d213ed2bbc915cf11735ff4814 (patch)
tree6b64d95315c827a33601b307ed295327676cd798
parenta1a5d437535273f0a756eede2a3166614fb4a6d9 (diff)
Check that both tls1.3 and dtls1.3 is disabled before removing code from compilation path.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22275)
-rw-r--r--ssl/statem/extensions.c4
-rw-r--r--ssl/statem/extensions_clnt.c14
-rw-r--r--ssl/statem/extensions_srvr.c12
3 files changed, 16 insertions, 14 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index ea210ab9f0..9930de9510 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1348,7 +1348,7 @@ static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent)
static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
{
-#if !defined(OPENSSL_NO_TLS1_3)
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
if (!SSL_CONNECTION_IS_VERSION13(s))
return 1;
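Review bot: The condition `#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))` is spelled out by hand here and at twelve more guards across extensions.c, extensions_clnt.c and extensions_srvr.c, so any future change to the rule has to be made thirteen times without a slip. I would derive it once in a shared internal header, for example `# define ANY_TLS13_ENABLED_PLACEHOLDER` (placeholder name, to be chosen by the project) set under that condition, and test that single macro at each site. A guard that is accidentally left as the old `#ifndef OPENSSL_NO_TLS1_3` would silently drop key-share or PSK handling from a DTLS 1.3-only build, which is hard to spot in review. The body of final_key_share continues outside this hunk.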
@@ -1510,7 +1510,7 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
return 0;
}
}
-#endif /* !defined(OPENSSL_NO_TLS1_3) */
+#endif /* !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_DTLS1_3) */
return 1;
}
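Review bot: The new `#endif` comment does not match the `#if` it closes: the guard is `!(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))`, which by De Morgan is `!defined(...TLS1_3) || !defined(...DTLS1_3)`, while the comment says `&&`. As written, the comment tells a reader the block is built only when both protocols are enabled, which is the opposite of what the commit intends for single-protocol builds. I would make it `#endif /* !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) */`. The function starts outside this hunk.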
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 151e690781..560f1097ad 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -617,7 +617,7 @@ EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
@@ -639,7 +639,7 @@ EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
return EXT_RETURN_SENT;
}
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id)
{
unsigned char *encoded_point = NULL;
@@ -700,7 +700,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
size_t i, num_groups = 0;
const uint16_t *pgroups = NULL;
uint16_t curve_id = 0;
@@ -1039,7 +1039,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context,
X509 *x, size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
uint32_t agesec, agems = 0;
size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
@@ -1241,7 +1241,7 @@ EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pk
ossl_unused X509 *x,
ossl_unused size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
if (!s->pha_enabled)
return EXT_RETURN_NOT_SENT;
@@ -1817,7 +1817,7 @@ int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
unsigned int group_id;
PACKET encoded_pt;
EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
@@ -2030,7 +2030,7 @@ int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
unsigned int identity;
if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 35f9a9c39b..e880095e2d 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -556,7 +556,7 @@ int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
unsigned int context,
X509 *x, size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
PACKET psk_kex_modes;
unsigned int mode;
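Review bot: With the guard widened, tls_parse_ctos_psk_kex_modes is compiled whenever either TLSv1.3 or DTLSv1.3 is enabled, so a build that disables only one of them now carries this peer-facing parser for both transports, and nothing in the hunk shows where the disabled protocol is rejected at runtime. Presumably version negotiation outside this view does that, but I would state the dependency at the guard, e.g. `/* Built if either TLSv1.3 or DTLSv1.3 is enabled; the disabled one must be refused at version negotiation */`. The same applies to the tls_parse_ctos_key_share and tls_parse_ctos_cookie hunks below and to tls_parse_stoc_key_share and tls_parse_stoc_psk in extensions_clnt.c. A test configuration with exactly one of the two options disabled, asserting that the disabled version cannot be negotiated, would pin this down; the function body continues outside the hunk.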
@@ -600,7 +600,7 @@ int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
unsigned int context, X509 *x, size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
unsigned int group_id;
PACKET key_share_list, encoded_pt;
const uint16_t *clntgroups, *srvrgroups;
@@ -721,7 +721,7 @@ int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
unsigned int format, version, key_share, group_id;
EVP_MD_CTX *hctx;
EVP_PKEY *pkey;
@@ -1637,7 +1637,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
unsigned char *encodedPoint;
size_t encoded_pt_len = 0;
EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
@@ -1765,6 +1765,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
s->s3.did_kex = 1;
return EXT_RETURN_SENT;
#else
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
#endif
}
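Review bot: The `#else` branch of tls_construct_stoc_key_share now calls `SSLfatal` before `return EXT_RETURN_FAIL;` but has no comment saying why reaching it is an internal error. I would add `/* key_share is never constructed when both TLSv1.3 and DTLSv1.3 are compiled out */` above the call (my reading of the intent, to be confirmed by the author). The same applies to the identical addition in tls_construct_stoc_cookie in the last hunk. The disabled branches of the other functions guarded in this commit lie outside the visible hunks, so it is worth confirming that any of them that return failure also record an error first. The function starts outside this hunk.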
@@ -1773,7 +1774,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context,
X509 *x, size_t chainidx)
{
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
unsigned char *hmac, *hmac2;
size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
@@ -1894,6 +1895,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
EVP_PKEY_free(pkey);
return ret;
#else
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
#endif
}