diff options
author | Pauli <paul.dale@oracle.com> | 2020-02-03 19:05:31 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-02-20 19:04:57 +1000 |
commit | ada66e78ef535fe80e422bbbadffe8e7863d457c (patch) | |
tree | c9caa2b3cd516d99937b02d50e16fc0dda1509b8 /ssl | |
parent | 0ad05b190ebb3a62f8519c8c4c721304c2405849 (diff) |
Deprecate the low level Diffie-Hellman functions.
Use of the low level DH functions has been informally discouraged for a
long time. We now formally deprecate them.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_lib.c | 6 | ||||
-rw-r--r-- | ssl/ssl_local.h | 2 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 2 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 15 |
4 files changed, 13 insertions, 12 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 706290be9b..51f8a0f63d 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4752,7 +4752,7 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) || (dh = DH_new_by_nid(ginf->nid)) == NULL || !EVP_PKEY_assign(pkey, EVP_PKEY_DH, dh)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, - ERR_R_EVP_LIB); + ERR_R_EVP_LIB); DH_free(dh); EVP_PKEY_free(pkey); pkey = NULL; @@ -4760,7 +4760,7 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) } if (EVP_PKEY_CTX_set_dh_nid(pctx, ginf->nid) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP, - ERR_R_EVP_LIB); + ERR_R_EVP_LIB); EVP_PKEY_free(pkey); pkey = NULL; goto err; @@ -4796,7 +4796,7 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id) /* * Generate parameters from a group ID */ -EVP_PKEY *ssl_generate_param_group(uint16_t id) +EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id) { EVP_PKEY_CTX *pctx = NULL; EVP_PKEY *pkey = NULL; diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 31c01328ce..d9092161ff 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2605,7 +2605,7 @@ __owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str); __owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id); __owur int tls_valid_group(SSL *s, uint16_t group_id, int version); -__owur EVP_PKEY *ssl_generate_param_group(uint16_t id); +__owur EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id); # ifndef OPENSSL_NO_EC void tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *num_formats); diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 36201c68e4..9649420012 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -705,7 +705,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, continue; } - if ((s->s3.peer_tmp = ssl_generate_param_group(group_id)) == NULL) { + if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); return 0; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index ba2fe0802d..99459a8c6a 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2147,18 +2147,19 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) } bnpub_key = NULL; - if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, - SSL_R_DH_KEY_TOO_SMALL); - goto err; - } - if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_EVP_LIB); goto err; } + if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp), + 0, dh)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE, + SSL_R_DH_KEY_TOO_SMALL); + goto err; + } + s->s3.peer_tmp = peer_tmp; /* @@ -2213,7 +2214,7 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) return 0; } - if ((s->s3.peer_tmp = ssl_generate_param_group(curve_id)) == NULL) { + if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); return 0; |