diff options
| author | Pauli <pauli@openssl.org> | 2021-05-31 14:27:48 +1000 |
|---|---|---|
| committer | Pauli <pauli@openssl.org> | 2021-06-02 16:30:15 +1000 |
| commit | 407820c0e311efaafff7fdc8eafdff6e70f89eb2 (patch) | |
| tree | 965081d1627a52f6c77863d41ddbf697a9f78b56 | |
| parent | fd009d763a931c4cd01f5181a2b0801d205f782a (diff) | |
tls: remove TODOs
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15539)
| -rw-r--r-- | ssl/build.info | 8 | ||||
| -rw-r--r-- | ssl/d1_lib.c | 1 | ||||
| -rw-r--r-- | ssl/record/rec_layer_s3.c | 4 | ||||
| -rw-r--r-- | ssl/record/ssl3_record.c | 12 | ||||
| -rw-r--r-- | ssl/record/ssl3_record_tls13.c | 2 | ||||
| -rw-r--r-- | ssl/s3_cbc.c | 1 | ||||
| -rw-r--r-- | ssl/s3_enc.c | 1 | ||||
| -rw-r--r-- | ssl/ssl_ciph.c | 1 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 5 | ||||
| -rw-r--r-- | ssl/ssl_local.h | 2 | ||||
| -rw-r--r-- | ssl/ssl_txt.c | 1 | ||||
| -rw-r--r-- | ssl/statem/extensions.c | 2 | ||||
| -rw-r--r-- | ssl/statem/extensions_clnt.c | 8 | ||||
| -rw-r--r-- | ssl/statem/extensions_srvr.c | 9 | ||||
| -rw-r--r-- | ssl/statem/statem_clnt.c | 9 | ||||
| -rw-r--r-- | ssl/statem/statem_srvr.c | 2 | ||||
| -rw-r--r-- | ssl/t1_enc.c | 1 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 2 | ||||
| -rw-r--r-- | ssl/tls13_enc.c | 1 |
19 files changed, 13 insertions, 59 deletions
diff --git a/ssl/build.info b/ssl/build.info index c17084b9ad..f2de0371ae 100644 --- a/ssl/build.info +++ b/ssl/build.info @@ -15,10 +15,10 @@ IF[{- !$disabled{ktls} -}] $KTLSSRC=ktls.c ENDIF -#TODO: For now we just include the libcrypto packet.c in libssl as well. We -# could either continue to do it like this, or export all the WPACKET -# symbols so that libssl can use them like any other. Probably would do -# this privately so it does not become part of the public API. +# For now we just include the libcrypto packet.c in libssl as well. We +# could either continue to do it like this, or export all the WPACKET +# symbols so that libssl can use them like any other. Probably would do +# this privately so it does not become part of the public API. SOURCE[../libssl]=\ pqueue.c ../crypto/packet.c \ statem/statem_srvr.c statem/statem_clnt.c s3_lib.c s3_enc.c record/rec_layer_s3.c \ diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 5626b7f506..f9ad4ed684 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -797,7 +797,6 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) BIO_ADDR_free(tmpclient); tmpclient = NULL; - /* TODO(size_t): convert this call */ if (BIO_write(wbio, wbuf, wreclen) < (int)wreclen) { if (BIO_should_retry(wbio)) { /* diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index a217db772a..aacd5694fc 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -295,7 +295,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, clear_sys_error(); if (s->rbio != NULL) { s->rwstate = SSL_READING; - /* TODO(size_t): Convert this function */ ret = BIO_read(s->rbio, pkt + len + left, max - left); if (ret >= 0) bioread = ret; @@ -722,7 +721,6 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */ mac_size = 0; } else { - /* TODO(siz_t): Convert me */ mac_size = EVP_MD_CTX_get_size(s->write_hash); if (mac_size < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -833,7 +831,6 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s) && !SSL_TREAT_AS_TLS13(s)) { int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx); if (mode == EVP_CIPH_CBC_MODE) { - /* TODO(size_t): Convert me */ eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx); if (eivlen <= 1) eivlen = 0; @@ -1195,7 +1192,6 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, return i; BIO_set_ktls_ctrl_msg(s->wbio, type); } - /* TODO(size_t): Convert this call */ i = BIO_write(s->wbio, (char *) &(SSL3_BUFFER_get_buf(&wb[currbuf]) [SSL3_BUFFER_get_offset(&wb[currbuf])]), diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 8c4ff01dd1..4275c19cff 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -521,7 +521,6 @@ int ssl3_get_record(SSL *s) if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) goto skip_decryption; - /* TODO(size_t): convert this to do size_t properly */ if (s->read_hash != NULL) { const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); @@ -782,7 +781,6 @@ int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr) if (rr->comp == NULL) return 0; - /* TODO(size_t): Convert this call */ i = COMP_expand_block(ssl->expand, rr->comp, SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length); if (i < 0) @@ -799,7 +797,6 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) #ifndef OPENSSL_NO_COMP int i; - /* TODO(size_t): Convert this call */ i = COMP_compress_block(ssl->compress, wr->data, (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD), wr->input, (int)wr->length); @@ -858,7 +855,6 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending, int provided = (EVP_CIPHER_get0_provider(enc) != NULL); l = rec->length; - /* TODO(size_t): Convert this call */ bs = EVP_CIPHER_CTX_get_block_size(ds); /* COMPRESS */ @@ -916,7 +912,6 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending, } } } else { - /* TODO(size_t): Convert this call */ if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) { /* Shouldn't happen */ SSLfatal(s, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR); @@ -1212,7 +1207,6 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } else { /* Legacy cipher */ - /* TODO(size_t): Convert this call */ tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input, (unsigned int)reclen[0]); if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds)) @@ -1471,7 +1465,6 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending) return 0; } - /* TODO(size_t): Convert these calls */ if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0 || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0 || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) { @@ -1546,7 +1539,6 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) rr->data = rr->input; rr->orig_len = rr->length; - /* TODO(size_t): convert this to do size_t properly */ if (s->read_hash != NULL) { const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash); @@ -1850,10 +1842,6 @@ int dtls1_get_record(SSL *s) if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) { #endif /* Check whether this is a repeat, or aged record. */ - /* - * TODO: Does it make sense to have replay protection in epoch 0 where - * we have no integrity negotiated yet? - */ if (!dtls1_record_replay_check(s, bitmap)) { rr->length = 0; rr->read = 1; diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c index 13c007ae23..3d35071847 100644 --- a/ssl/record/ssl3_record_tls13.c +++ b/ssl/record/ssl3_record_tls13.c @@ -35,7 +35,6 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, if (n_recs != 1) { /* Should not happen */ - /* TODO(TLS1.3): Support pipelining */ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } @@ -139,7 +138,6 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, return 0; } - /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */ if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0 || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 8e1c779ddb..b0e3496ba2 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -500,7 +500,6 @@ int ssl3_cbc_digest_record(const EVP_MD *md, || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0) goto err; } - /* TODO(size_t): Convert me */ ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u); if (ret && md_out_size) *md_out_size = md_out_size_u; diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 64b246eb65..2ca3f74ae7 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -499,7 +499,6 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, SSL3_RANDOM_SIZE) <= 0 || EVP_DigestUpdate(ctx, &(s->s3.server_random[0]), SSL3_RANDOM_SIZE) <= 0 - /* TODO(size_t) : convert me */ || EVP_DigestFinal_ex(ctx, buf, &n) <= 0 || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0 || EVP_DigestUpdate(ctx, p, len) <= 0 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index d7c19feedf..dd22e57c59 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1543,7 +1543,6 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, /* * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs. - * TODO(openssl-team): is there an easier way to accomplish all this? */ ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, &head, &tail); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 063134015a..c1e8e41f02 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2246,11 +2246,6 @@ int SSL_shutdown(SSL *s) int SSL_key_update(SSL *s, int updatetype) { - /* - * TODO(TLS1.3): How will applications know whether TLSv1.3 has been - * negotiated, and that it is appropriate to call SSL_key_update() instead - * of SSL_renegotiate(). - */ if (!SSL_IS_TLS13(s)) { ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION); return 0; diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 28603a81ad..b222fc6a2d 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1379,7 +1379,7 @@ struct ssl_st { size_t previous_client_finished_len; unsigned char previous_server_finished[EVP_MAX_MD_SIZE]; size_t previous_server_finished_len; - int send_connection_binding; /* TODOEKR */ + int send_connection_binding; # ifndef OPENSSL_NO_NEXTPROTONEG /* diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 8dc418ca48..01871dca8c 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -107,7 +107,6 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (x->ext.tick) { if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0) goto err; - /* TODO(size_t): Convert this call */ if (BIO_dump_indent (bp, (const char *)x->ext.tick, (int)x->ext.ticklen, 4) <= 0) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index d12e940704..f58111c95c 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -115,8 +115,6 @@ typedef struct extensions_definition_st { * messages the extension is relevant to. These flags also specify whether the * extension is relevant to a particular protocol or protocol version. * - * TODO(TLS1.3): Make sure we have a test to check the consistency of these - * * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at * the end, keep these extensions before signature_algorithm. */ diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 545b2d034f..78cc226064 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -629,7 +629,7 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) } /* - * TODO(TLS1.3): When changing to send more than one key_share we're + * When changing to send more than one key_share we're * going to need to be able to save more than one EVP_PKEY. For now * we reuse the existing tmp.pkey */ @@ -668,8 +668,8 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, tls1_get_supported_groups(s, &pgroups, &num_groups); /* - * TODO(TLS1.3): Make the number of key_shares sent configurable. For - * now, just send one + * Make the number of key_shares sent configurable. For + * now, we just send one */ if (s->s3.group_id != 0) { curve_id = s->s3.group_id; @@ -1387,7 +1387,6 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, { if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { /* We ignore this if the server sends a CertificateRequest */ - /* TODO(TLS1.3): Add support for this */ return 1; } @@ -1429,7 +1428,6 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, { if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { /* We ignore this if the server sends it in a CertificateRequest */ - /* TODO(TLS1.3): Add support for this */ return 1; } diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 51c3251635..e8e57cd5d9 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -155,10 +155,6 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, * the initial handshake and the resumption. In TLSv1.3 SNI is not * associated with the session. */ - /* - * TODO(openssl-team): if the SNI doesn't match, we MUST - * fall back to a full handshake. - */ s->servername_done = (s->session->ext.hostname != NULL) && PACKET_equal(&hostname, s->session->ext.hostname, strlen(s->session->ext.hostname)); @@ -215,10 +211,6 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, return 0; } - /* - * TODO(openssl-team): currently, we re-authenticate the user - * upon resumption. Instead, we MUST ignore the login. - */ if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; @@ -364,7 +356,6 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, } id_data = PACKET_data(&responder_id); - /* TODO(size_t): Convert d2i_* to size_t */ id = d2i_OCSP_RESPID(NULL, &id_data, (int)PACKET_remaining(&responder_id)); if (id == NULL) { diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 88b34c6ad1..e8e9f94651 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -168,7 +168,8 @@ static int ossl_statem_client13_read_transition(SSL *s, int mt) } if (mt == SSL3_MT_CERTIFICATE_REQUEST) { #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION -# error TODO(DTLS1.3): Restore digest for PHA before adding message. + /* Restore digest for PHA before adding message.*/ +# error Internal DTLS version error #endif if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) { s->post_handshake_auth = SSL_PHA_REQUESTED; @@ -1985,7 +1986,6 @@ static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey) return 0; } - /* TODO(size_t): Convert BN_bin2bn() calls */ if ((s->srp_ctx.N = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL)) == NULL @@ -2035,7 +2035,6 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) return 0; } - /* TODO(size_t): Convert these calls */ p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL); g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator), NULL); @@ -2573,7 +2572,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) goto err; } /* - * TODO(size_t): we use sess_len here because EVP_Digest expects an int + * We use sess_len here because EVP_Digest expects an int * but s->session->session_id_length is a size_t */ if (!EVP_Digest(s->session->ext.tick, ticklen, @@ -2853,7 +2852,6 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) pms[0] = s->client_version >> 8; pms[1] = s->client_version & 0xff; - /* TODO(size_t): Convert this function */ if (RAND_bytes_ex(s->ctx->libctx, pms + 2, pmslen - 2, 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); goto err; @@ -3059,7 +3057,6 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 /* Generate session key - * TODO(size_t): Convert this function */ || RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index a954097a39..c1c0d455e1 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1765,7 +1765,7 @@ static int tls_early_post_process_client_hello(SSL *s) /* * We don't allow resumption in a backwards compatible ClientHello. - * TODO(openssl-team): in TLS1.1+, session_id MUST be empty. + * In TLS1.1+, session_id MUST be empty. * * Versions before 0.9.7 always allow clients to resume sessions in * renegotiation. 0.9.7 and later allow this by default, but optionally diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 03a83ee9a0..51688d4f2e 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -333,7 +333,6 @@ int tls1_change_cipher_state(SSL *s, int which) p = s->s3.tmp.key_block; i = *mac_secret_size = s->s3.tmp.new_mac_secret_size; - /* TODO(size_t): convert me */ cl = EVP_CIPHER_get_key_length(c); j = cl; k = tls_iv_length_within_key_block(c); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index d22a794d37..3bc424acef 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3079,7 +3079,7 @@ static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, continue; /* - * TODO this does not differentiate between the + * This does not differentiate between the * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not * have a chain here that lets us look at the key OID in the * signing certificate. diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 53aeea446b..11e39715d8 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -402,7 +402,6 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, return 0; } - /* TODO(size_t): convert me */ keylen = EVP_CIPHER_get_key_length(ciph); if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) { uint32_t algenc; |