diff options
author | Matt Caswell <matt@openssl.org> | 2020-10-14 15:06:28 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-11-18 14:14:51 +0000 |
commit | 1b2b475517054d26a555269acacdb0ab7072bc6e (patch) | |
tree | b665eefa97e4cb1a3f5573d77627af7ad28b27df /ssl | |
parent | 1ee22dc26873e68b73b693ffb5d99a6e9644b45f (diff) |
Deprecate SSL_CTRL_SET_TMP_DH and other related ctrls
These ctrls pass around a DH object which is now deprecated, so we
deprecate the ctrls themselves.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_lib.c | 35 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 2 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 5 | ||||
-rw-r--r-- | ssl/tls_depr.c | 17 |
4 files changed, 31 insertions, 28 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 69949202a2..664844302a 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3452,15 +3452,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = (int)(s->s3.flags); break; #ifndef OPENSSL_NO_DH +# ifndef OPENSSL_NO_DEPRECATED_3_0 case SSL_CTRL_SET_TMP_DH: { - DH *dh = (DH *)parg; EVP_PKEY *pkdh = NULL; - if (dh == NULL) { + if (parg == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - pkdh = ssl_dh_to_pkey(dh); + pkdh = ssl_dh_to_pkey(parg); if (pkdh == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; @@ -3481,6 +3481,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return ret; } +# endif case SSL_CTRL_SET_DH_AUTO: s->cert->dh_tmp_auto = larg; return 1; @@ -3776,7 +3777,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) int ret = 0; switch (cmd) { -#ifndef OPENSSL_NO_DH +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: { s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -3802,16 +3803,15 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { switch (cmd) { -#ifndef OPENSSL_NO_DH +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { - DH *dh = (DH *)parg; EVP_PKEY *pkdh = NULL; - if (dh == NULL) { + if (parg == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - pkdh = ssl_dh_to_pkey(dh); + pkdh = ssl_dh_to_pkey(parg); if (pkdh == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; @@ -3831,10 +3831,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } +#endif case SSL_CTRL_SET_DH_AUTO: ctx->cert->dh_tmp_auto = larg; return 1; -#endif #ifndef OPENSSL_NO_EC case SSL_CTRL_SET_TMP_ECDH: { @@ -4046,7 +4046,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { switch (cmd) { -#ifndef OPENSSL_NO_DH +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: { ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -5009,18 +5009,3 @@ int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey, EVP_PKEY_CTX_free(pctx); return rv; } - -#ifndef OPENSSL_NO_DH -EVP_PKEY *ssl_dh_to_pkey(DH *dh) -{ - EVP_PKEY *ret; - if (dh == NULL) - return NULL; - ret = EVP_PKEY_new(); - if (EVP_PKEY_set1_DH(ret, dh) <= 0) { - EVP_PKEY_free(ret); - return NULL; - } - return ret; -} -#endif diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index d82baa5497..bd7b838250 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -4487,7 +4487,7 @@ int SSL_want(const SSL *s) * \param dh the callback */ -#ifndef OPENSSL_NO_DH +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh) (SSL *ssl, int is_export, int keylength)) diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index d45afebf07..bc2695e1ba 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2469,15 +2469,16 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } else { pkdhp = cert->dh_tmp; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { - DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024); - pkdh = ssl_dh_to_pkey(dhp); + pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024)); if (pkdh == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } pkdhp = pkdh; } +#endif if (pkdhp == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY); goto err; diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 3fcc5b6740..1ed47dd8de 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -142,5 +142,22 @@ HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx) { return ctx->old_ctx; } + +/* Some deprecated public APIs pass DH objects */ +#ifndef OPENSSL_NO_DH +EVP_PKEY *ssl_dh_to_pkey(DH *dh) +{ + EVP_PKEY *ret; + + if (dh == NULL) + return NULL; + ret = EVP_PKEY_new(); + if (EVP_PKEY_set1_DH(ret, dh) <= 0) { + EVP_PKEY_free(ret); + return NULL; + } + return ret; +} +#endif #endif |