author | Matt Caswell <matt@openssl.org> | 2020-10-16 16:35:44 +0100 |
committer | Matt Caswell <matt@openssl.org> | 2020-11-18 14:14:52 +0000 |
commit | 13c453728c076d5c1a65a5fd9424e15a9964d755 (patch) | |
tree | 2adfcc10718f85bab39f1ffcbdb5dff63efe6b69 /ssl | |
parent | 163f6dc1f70f30de46a68137c36e70cae4d95cd8 (diff) |
Only disabled what we need to in a no-dh build
no-dh disables the low level API for DH. However, since we're now using
the high level EVP API in most places we don't need to disable quite so
much.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_lib.c | 4 | ||||
-rw-r--r-- | ssl/ssl_cert.c | 7 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 6 | ||||
-rw-r--r-- | ssl/ssl_local.h | 7 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 6 |
5 files changed, 11 insertions, 19 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8a572b8dd3..d67aa31d46 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3451,8 +3451,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 case SSL_CTRL_GET_FLAGS:
 ret = (int)(s->s3.flags);
 break;
-#ifndef OPENSSL_NO_DH
-# ifndef OPENSSL_NO_DEPRECATED_3_0
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 case SSL_CTRL_SET_TMP_DH:
 {
 EVP_PKEY *pkdh = NULL;
@@ -3477,7 +3476,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 case SSL_CTRL_SET_DH_AUTO:
 s->cert->dh_tmp_auto = larg;
 return 1;
-#endif
 #ifndef OPENSSL_NO_EC
 case SSL_CTRL_SET_TMP_ECDH:
 {
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index ee56e681b4..4f085dd7e6 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -90,14 +90,15 @@ CERT *ssl_cert_dup(CERT *cert)
 OPENSSL_free(ret);
 return NULL;
 }
-#ifndef OPENSSL_NO_DH
+
 if (cert->dh_tmp != NULL) {
 ret->dh_tmp = cert->dh_tmp;
 EVP_PKEY_up_ref(ret->dh_tmp);
 }
+#ifndef OPENSSL_NO_DH
 ret->dh_tmp_cb = cert->dh_tmp_cb;
- ret->dh_tmp_auto = cert->dh_tmp_auto;
 #endif
+ ret->dh_tmp_auto = cert->dh_tmp_auto;
 
 for (i = 0; i < SSL_PKEY_NUM; i++) {
 CERT_PKEY *cpk = cert->pkeys + i;
@@ -232,9 +233,7 @@ void ssl_cert_free(CERT *c)
 return;
 REF_ASSERT_ISNT(i < 0);
 
-#ifndef OPENSSL_NO_DH
 EVP_PKEY_free(c->dh_tmp);
-#endif
 
 ssl_cert_clear_certs(c);
 OPENSSL_free(c->conf_sigalgs);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8f6771da3d..bb0eec9b5f 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3504,11 +3504,11 @@ void ssl_set_masks(SSL *s)
 if (c == NULL)
 return;
 
+ dh_tmp = (c->dh_tmp != NULL
 #ifndef OPENSSL_NO_DH
- dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto);
-#else
- dh_tmp = 0;
+ || c->dh_tmp_cb != NULL
 #endif
+ || c->dh_tmp_auto);
 
 rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
 rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 67bb0a8d52..a14d97b8e9 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
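Review bot: The return value of `EVP_PKEY_up_ref(ret->dh_tmp);` in the ssl_cert_dup hunk of ssl/ssl_cert.c is still ignored, and this commit now compiles that block in every configuration instead of only when DH is enabled. If the up-ref fails, ret holds a pointer to cert's key without having taken a reference, and ssl_cert_free — whose `EVP_PKEY_free(c->dh_tmp);` the second hunk also makes unconditional — would then release one reference too many when both CERT objects are freed. The allocation-failure path three lines above shows the shape to mirror: check the result before assigning, e.g. `if (!EVP_PKEY_up_ref(cert->dh_tmp)) { /* release ret as the preceding failure path does */ return NULL; }` and only then set `ret->dh_tmp = cert->dh_tmp;`. ssl_cert_dup starts and ends outside the hunk, so whether a later cleanup label exists that could be used instead is not visible here.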
@@ -2004,11 +2004,12 @@ typedef struct cert_st {
 * an index, not a pointer. */
 CERT_PKEY *key;
-# ifndef OPENSSL_NO_DH
+
 EVP_PKEY *dh_tmp;
+#ifndef OPENSSL_NO_DH
 DH *(*dh_tmp_cb) (SSL *ssl, int is_export, int keysize);
+#endif
 int dh_tmp_auto;
-# endif
 /* Flags related to certificates */
 uint32_t cert_flags;
 CERT_PKEY pkeys[SSL_PKEY_NUM];
@@ -2692,9 +2693,7 @@ void tls1_set_cert_validity(SSL *s);
 __owur int ssl_validate_ct(SSL *s);
 # endif
 
-# ifndef OPENSSL_NO_DH
 __owur EVP_PKEY *ssl_get_auto_dh(SSL *s);
-# endif
 
 __owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee);
 __owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex,
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index b6baff28ea..c478c5a7e8 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2418,9 +2418,7 @@ int tls_construct_server_done(SSL *s, WPACKET *pkt)
 
 int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
 {
-#ifndef OPENSSL_NO_DH
 EVP_PKEY *pkdh = NULL;
-#endif
 #ifndef OPENSSL_NO_EC
 unsigned char *encodedPoint = NULL;
 size_t encodedlen = 0;
@@ -2453,7 +2451,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
 if (type & (SSL_kPSK | SSL_kRSAPSK)) {
 } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_DH
 if (type & (SSL_kDHE | SSL_kDHEPSK)) {
 CERT *cert = s->cert;
 EVP_PKEY *pkdhp = NULL;
@@ -2468,7 +2465,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
 } else {
 pkdhp = cert->dh_tmp;
 }
-#ifndef OPENSSL_NO_DEPRECATED_3_0
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
 pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024));
 if (pkdh == NULL) {
@@ -2513,7 +2510,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
 goto err;
 }
 } else
-#endif
 #ifndef OPENSSL_NO_EC
 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { |
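Review bot: The added `+#ifndef OPENSSL_NO_DH` / `+#endif` inside cert_st drop the space-indented form that ssl/ssl_local.h uses for conditionals nested in its include guard — the lines removed right here (`-# ifndef OPENSSL_NO_DH`, `-# endif`) and the `# endif` context in this file's second hunk all use `# `. Writing them as `# ifndef OPENSSL_NO_DH` / `# endif` would keep the header consistent. The split is also now uneven — `EVP_PKEY *dh_tmp;` and `int dh_tmp_auto;` are unconditional while only the callback stays guarded — and nothing in the struct says why; a comment above the conditional such as `/* dh_tmp_cb returns a low-level DH, so it only exists when DH is enabled; dh_tmp (an EVP_PKEY) and dh_tmp_auto are always present */` would carry the commit's rationale to the next reader. The typedef begins and ends outside the hunk.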