diff options
author | Matt Caswell <matt@openssl.org> | 2021-01-13 12:39:40 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-02-05 15:20:36 +0000 |
commit | 5b64ce89b0859956387cda1d56718d2a5f09d928 (patch) | |
tree | 842aef9e8c3f1b2b0d86ff75414ed475d6ec7125 | |
parent | 9ca08f91e9817892c3545612a91d38687e593e14 (diff) |
Remove OPENSSL_NO_DH guards from libssl
This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that
libssl is entirely using the EVP APIs and implementations can be plugged
in via providers it is no longer needed to disable DH at compile time in
libssl. Instead it should detect at runtime whether DH is available from
the loaded providers.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
-rw-r--r-- | ssl/s3_lib.c | 32 | ||||
-rw-r--r-- | ssl/ssl_cert.c | 3 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 23 | ||||
-rw-r--r-- | ssl/ssl_local.h | 2 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 11 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 2 | ||||
-rw-r--r-- | ssl/t1_lib.c | 2 | ||||
-rw-r--r-- | ssl/tls_depr.c | 32 |
8 files changed, 40 insertions, 67 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index a6c87ad75d..4152ef5dcb 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3360,12 +3360,10 @@ void ssl3_free(SSL *s) ssl3_cleanup_key_block(s); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.peer_tmp); s->s3.peer_tmp = NULL; EVP_PKEY_free(s->s3.tmp.pkey); s->s3.tmp.pkey = NULL; -#endif ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); ssl_evp_md_free(s->s3.tmp.new_hash); @@ -3396,10 +3394,8 @@ int ssl3_clear(SSL *s) OPENSSL_free(s->s3.tmp.peer_sigalgs); OPENSSL_free(s->s3.tmp.peer_cert_sigalgs); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.tmp.pkey); EVP_PKEY_free(s->s3.peer_tmp); -#endif /* !OPENSSL_NO_EC */ ssl3_free_digest_list(s); @@ -3452,7 +3448,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_FLAGS: ret = (int)(s->s3.flags); break; -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { EVP_PKEY *pkdh = NULL; @@ -3477,7 +3473,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_DH_AUTO: s->cert->dh_tmp_auto = larg; return 1; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { if (parg == NULL) { @@ -3610,7 +3606,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } return ssl_cert_set_current(s->cert, larg); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_GET_GROUPS: { uint16_t *clist; @@ -3656,7 +3651,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_NEGOTIATED_GROUP: ret = tls1_group_id2nid(s->s3.group_id, 1); break; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -3707,7 +3701,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 1; case SSL_CTRL_GET_PEER_TMP_KEY: -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) if (s->session == NULL || s->s3.peer_tmp == NULL) { return 0; } else { @@ -3715,12 +3708,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(EVP_PKEY **)parg = s->s3.peer_tmp; return 1; } -#else - return 0; -#endif case SSL_CTRL_GET_TMP_KEY: -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) if (s->session == NULL || s->s3.tmp.pkey == NULL) { return 0; } else { @@ -3728,9 +3717,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(EVP_PKEY **)parg = s->s3.tmp.pkey; return 1; } -#else - return 0; -#endif #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: @@ -3755,7 +3741,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) int ret = 0; switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; ret = 1; @@ -3780,7 +3766,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { EVP_PKEY *pkdh = NULL; @@ -3804,7 +3790,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_DH_AUTO: ctx->cert->dh_tmp_auto = larg; return 1; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { if (parg == NULL) { @@ -3911,7 +3897,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; #endif -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_SET_GROUPS: return tls1_set_groups(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, @@ -3921,7 +3906,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_groups_list(ctx, &ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, parg); -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -4004,7 +3988,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: { ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -4820,10 +4804,8 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) goto err; } -#ifndef OPENSSL_NO_DH - if (SSL_IS_TLS13(s) && EVP_PKEY_id(privkey) == EVP_PKEY_DH) + if (SSL_IS_TLS13(s) && EVP_PKEY_is_a(privkey, "DH")) EVP_PKEY_CTX_set_dh_pad(pctx, 1); -#endif pms = OPENSSL_malloc(pmslen); if (pms == NULL) { diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 93608beddc..a9d9b9ca06 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -95,9 +95,8 @@ CERT *ssl_cert_dup(CERT *cert) ret->dh_tmp = cert->dh_tmp; EVP_PKEY_up_ref(ret->dh_tmp); } -#ifndef OPENSSL_NO_DH + ret->dh_tmp_cb = cert->dh_tmp_cb; -#endif ret->dh_tmp_auto = cert->dh_tmp_auto; for (i = 0; i < SSL_PKEY_NUM; i++) { diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5adc6f71a9..a87da32c62 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3505,9 +3505,7 @@ void ssl_set_masks(SSL *s) return; dh_tmp = (c->dh_tmp != NULL -#ifndef OPENSSL_NO_DH || c->dh_tmp_cb != NULL -#endif || c->dh_tmp_auto); rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; @@ -4483,27 +4481,6 @@ int SSL_want(const SSL *s) return s->rwstate; } -/** - * \brief Set the callback for generating temporary DH keys. - * \param ctx the SSL context. - * \param dh the callback - */ - -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) -void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, - DH *(*dh) (SSL *ssl, int is_export, - int keylength)) -{ - SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); -} - -void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, - int keylength)) -{ - SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); -} -#endif - #ifndef OPENSSL_NO_PSK int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 1b8a43d131..fa1130e59d 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2009,9 +2009,7 @@ typedef struct cert_st { CERT_PKEY *key; EVP_PKEY *dh_tmp; -#ifndef OPENSSL_NO_DH DH *(*dh_tmp_cb) (SSL *ssl, int is_export, int keysize); -#endif int dh_tmp_auto; /* Flags related to certificates */ uint32_t cert_flags; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 35e45d59a1..e4007b37de 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1725,11 +1725,7 @@ static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, OPENSSL_free(extensions); extensions = NULL; - if (s->ext.tls13_cookie_len == 0 -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) - && s->s3.tmp.pkey != NULL -#endif - ) { + if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { /* * We didn't receive a cookie or a new key_share so the next * ClientHello will not change @@ -2186,10 +2182,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) save_param_start = *pkt; -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.peer_tmp); s->s3.peer_tmp = NULL; -#endif if (alg_k & SSL_PSK) { if (!tls_process_ske_psk_preamble(s, pkt)) { @@ -3569,12 +3563,11 @@ int ssl3_check_cert_and_algorithm(SSL *s) SSL_R_MISSING_RSA_ENCRYPTING_CERT); return 0; } -#ifndef OPENSSL_NO_DH + if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } -#endif return 1; } diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 8ae8ddc052..03c4d2ba81 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2466,7 +2466,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } else { pkdhp = cert->dh_tmp; } -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024)); if (pkdh == NULL) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 7328c8e2b1..1438244d32 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -191,7 +191,7 @@ static const unsigned char ecformats_default[] = { TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 }; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ +#endif /* !defined(OPENSSL_NO_EC) */ /* The default curves */ #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 7ecb61e79c..0b21ff7669 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -144,9 +144,9 @@ HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx) } /* Some deprecated public APIs pass DH objects */ -# ifndef OPENSSL_NO_DH EVP_PKEY *ssl_dh_to_pkey(DH *dh) { +# ifndef OPENSSL_NO_DH EVP_PKEY *ret; if (dh == NULL) @@ -157,14 +157,16 @@ EVP_PKEY *ssl_dh_to_pkey(DH *dh) return NULL; } return ret; -} +# else + return NULL; # endif +} /* Some deprecated public APIs pass EC_KEY objects */ -# ifndef OPENSSL_NO_EC int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, void *key) { +# ifndef OPENSSL_NO_EC const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key); int nid; @@ -176,6 +178,28 @@ int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, if (nid == NID_undef) return 0; return tls1_set_groups(pext, pextlen, &nid, 1); +# else + return 0; +# endif +} + +/* + * Set the callback for generating temporary DH keys. + * ctx: the SSL context. + * dh: the callback + */ +# if !defined(OPENSSL_NO_DH) +void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, + DH *(*dh) (SSL *ssl, int is_export, + int keylength)) +{ + SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); +} + +void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, + int keylength)) +{ + SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); } # endif -#endif +#endif /* OPENSSL_NO_DEPRECATED */ |