diff options
| author | Pauli <paul.dale@oracle.com> | 2020-02-03 19:05:31 +1000 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2020-02-20 19:04:57 +1000 |
| commit | ada66e78ef535fe80e422bbbadffe8e7863d457c (patch) | |
| tree | c9caa2b3cd516d99937b02d50e16fc0dda1509b8 /ssl/statem | |
| parent | 0ad05b190ebb3a62f8519c8c4c721304c2405849 (diff) | |
Deprecate the low level Diffie-Hellman functions.
Use of the low level DH functions has been informally discouraged for a
long time. We now formally deprecate them.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)
Diffstat (limited to 'ssl/statem')
| -rw-r--r-- | ssl/statem/extensions_srvr.c | 2 | ||||
| -rw-r--r-- | ssl/statem/statem_clnt.c | 15 |
2 files changed, 9 insertions, 8 deletions
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 36201c68e4..9649420012 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -705,7 +705,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, continue; } - if ((s->s3.peer_tmp = ssl_generate_param_group(group_id)) == NULL) { + if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); return 0; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index ba2fe0802d..99459a8c6a 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2147,18 +2147,19 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) } bnpub_key = NULL; - if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, - SSL_R_DH_KEY_TOO_SMALL); - goto err; - } - if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_EVP_LIB); goto err; } + if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp), + 0, dh)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, + SSL_R_DH_KEY_TOO_SMALL); + goto err; + } + s->s3.peer_tmp = peer_tmp; /* @@ -2213,7 +2214,7 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) return 0; } - if ((s->s3.peer_tmp = ssl_generate_param_group(curve_id)) == NULL) { + if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); return 0; |