QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-29 11:14:36 +00:00
Code Issues Projects Releases Wiki Activity

Only disabled what we need to in a no-dh build

Browse Source 
no-dh disables the low level API for DH. However, since we're now using
the high level EVP API in most places we don't need to disable quite so
much.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
This commit is contained in:
Matt Caswell 2020-10-16 16:35:44 +01:00
parent 163f6dc1f7
commit 13c453728c
10 changed files with 20 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/s_server.c
View File

@ -980,9 +980,7 @@ const OPTIONS s_server_options[] = {
{"use_srtp", OPT_SRTP_PROFILES, 's',
"Offer SRTP key management with a colon-separated profile list"},
#endif
#ifndef OPENSSL_NO_DH
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
{"nextprotoneg", OPT_NEXTPROTONEG, 's',
"Set the advertised protocols for the NPN extension (comma-separated list)"},
@ -1028,10 +1026,8 @@ int s_server_main(int argc, char *argv[])
#endif
do_server_cb server_cb;
int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
#ifndef OPENSSL_NO_DH
char *dhfile = NULL;
int no_dhe = 0;
#endif
int nocert = 0, ret = 1;
int noCApath = 0, noCAfile = 0, noCAstore = 0;
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
@ -1440,9 +1436,7 @@ int s_server_main(int argc, char *argv[])
s_quiet = s_brief = verify_args.quiet = 1;
break;
case OPT_NO_DHE:
#ifndef OPENSSL_NO_DH
no_dhe = 1;
#endif
break;
case OPT_NO_RESUME_EPHEMERAL:
no_resume_ephemeral = 1;

3
crypto/bn/bn_dh.c
View File

@ -10,7 +10,6 @@
#include "bn_local.h"
#include "internal/nelem.h"
#ifndef OPENSSL_NO_DH
# include <openssl/dh.h>
# include "crypto/bn_dh.h"
@ -1051,5 +1050,3 @@ make_dh_bn(modp_6144_p)
make_dh_bn(modp_6144_q)
make_dh_bn(modp_8192_p)
make_dh_bn(modp_8192_q)
#endif /* OPENSSL_NO_DH */

8
crypto/bn/build.info
View File

@ -101,18 +101,12 @@ IF[{- !$disabled{asm} -}]
ENDIF
ENDIF
IF[{- !$disabled{dh} -}]
$BNDH=bn_const.c
ELSE
$BNDH=
ENDIF
$COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
bn_x931p.c bn_intern.c bn_dh.c \
bn_rsa_fips186_4.c $BNDH
bn_rsa_fips186_4.c bn_const.c
SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c
IF[{- !$disabled{'deprecated-3.0'} -}]
SOURCE[../../libcrypto]=bn_depr.c

2
include/openssl/bn.h
View File

@ -527,7 +527,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
const BIGNUM *priv, const unsigned char *message,
size_t message_len, BN_CTX *ctx);
# ifndef OPENSSL_NO_DH
/* Primes from RFC 2409 */
BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn);
BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn);
@ -550,7 +549,6 @@ BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn);
# define get_rfc3526_prime_6144 BN_get_rfc3526_prime_6144
# define get_rfc3526_prime_8192 BN_get_rfc3526_prime_8192
# endif
# endif
int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);

4
ssl/s3_lib.c
View File

@ -3451,8 +3451,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_FLAGS:
ret = (int)(s->s3.flags);
break;
#ifndef OPENSSL_NO_DH
# ifndef OPENSSL_NO_DEPRECATED_3_0
#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
case SSL_CTRL_SET_TMP_DH:
{
EVP_PKEY *pkdh = NULL;
@ -3477,7 +3476,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_SET_DH_AUTO:
s->cert->dh_tmp_auto = larg;
return 1;
#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_TMP_ECDH:
{

7
ssl/ssl_cert.c
View File

@ -90,14 +90,15 @@ CERT *ssl_cert_dup(CERT *cert)
OPENSSL_free(ret);
return NULL;
}
#ifndef OPENSSL_NO_DH
if (cert->dh_tmp != NULL) {
ret->dh_tmp = cert->dh_tmp;
EVP_PKEY_up_ref(ret->dh_tmp);
}
#ifndef OPENSSL_NO_DH
ret->dh_tmp_cb = cert->dh_tmp_cb;
ret->dh_tmp_auto = cert->dh_tmp_auto;
#endif
ret->dh_tmp_auto = cert->dh_tmp_auto;
for (i = 0; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = cert->pkeys + i;
@ -232,9 +233,7 @@ void ssl_cert_free(CERT *c)
return;
REF_ASSERT_ISNT(i < 0);
#ifndef OPENSSL_NO_DH
EVP_PKEY_free(c->dh_tmp);
#endif
ssl_cert_clear_certs(c);
OPENSSL_free(c->conf_sigalgs);

6
ssl/ssl_lib.c
View File

@ -3504,11 +3504,11 @@ void ssl_set_masks(SSL *s)
if (c == NULL)
return;
dh_tmp = (c->dh_tmp != NULL
#ifndef OPENSSL_NO_DH
dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto);
#else
dh_tmp = 0;
|| c->dh_tmp_cb != NULL
#endif
|| c->dh_tmp_auto);
rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;

7
ssl/ssl_local.h
View File

@ -2004,11 +2004,12 @@ typedef struct cert_st {
* an index, not a pointer.
*/
CERT_PKEY *key;
# ifndef OPENSSL_NO_DH
EVP_PKEY *dh_tmp;
#ifndef OPENSSL_NO_DH
DH *(*dh_tmp_cb) (SSL *ssl, int is_export, int keysize);
#endif
int dh_tmp_auto;
# endif
/* Flags related to certificates */
uint32_t cert_flags;
CERT_PKEY pkeys[SSL_PKEY_NUM];
@ -2692,9 +2693,7 @@ void tls1_set_cert_validity(SSL *s);
__owur int ssl_validate_ct(SSL *s);
# endif
# ifndef OPENSSL_NO_DH
__owur EVP_PKEY *ssl_get_auto_dh(SSL *s);
# endif
__owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee);
__owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex,

6
ssl/statem/statem_srvr.c
View File

@ -2418,9 +2418,7 @@ int tls_construct_server_done(SSL *s, WPACKET *pkt)
int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
{
#ifndef OPENSSL_NO_DH
EVP_PKEY *pkdh = NULL;
#endif
#ifndef OPENSSL_NO_EC
unsigned char *encodedPoint = NULL;
size_t encodedlen = 0;
@ -2453,7 +2451,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
if (type & (SSL_kPSK | SSL_kRSAPSK)) {
} else
#endif /* !OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_DH
if (type & (SSL_kDHE | SSL_kDHEPSK)) {
CERT *cert = s->cert;
EVP_PKEY *pkdhp = NULL;
@ -2468,7 +2465,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
} else {
pkdhp = cert->dh_tmp;
}
#ifndef OPENSSL_NO_DEPRECATED_3_0
#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024));
if (pkdh == NULL) {
@ -2513,7 +2510,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
goto err;
}
} else
#endif
#ifndef OPENSSL_NO_EC
if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {

16
util/libcrypto.num
View File

@ -214,7 +214,7 @@ s2i_ASN1_OCTET_STRING 217 3_0_0 EXIST::FUNCTION:
POLICYINFO_it 218 3_0_0 EXIST::FUNCTION:
OBJ_create 219 3_0_0 EXIST::FUNCTION:
d2i_NOTICEREF 220 3_0_0 EXIST::FUNCTION:
BN_get_rfc2409_prime_768 221 3_0_0 EXIST::FUNCTION:DH
BN_get_rfc2409_prime_768 221 3_0_0 EXIST::FUNCTION:
PEM_read_bio_PKCS8 222 3_0_0 EXIST::FUNCTION:
X509_ATTRIBUTE_new 223 3_0_0 EXIST::FUNCTION:
ASN1_STRING_TABLE_cleanup 224 3_0_0 EXIST::FUNCTION:
@ -483,7 +483,7 @@ BN_GF2m_mod_sqr_arr 492 3_0_0 EXIST::FUNCTION:EC2M
ASN1_PRINTABLESTRING_it 493 3_0_0 EXIST::FUNCTION:
BIO_f_cipher 494 3_0_0 EXIST::FUNCTION:
UI_destroy_method 495 3_0_0 EXIST::FUNCTION:
BN_get_rfc3526_prime_3072 496 3_0_0 EXIST::FUNCTION:DH
BN_get_rfc3526_prime_3072 496 3_0_0 EXIST::FUNCTION:
X509_INFO_new 497 3_0_0 EXIST::FUNCTION:
OCSP_RESPDATA_it 498 3_0_0 EXIST::FUNCTION:OCSP
X509_CRL_print 499 3_0_0 EXIST::FUNCTION:
@ -618,7 +618,7 @@ d2i_DSA_PUBKEY_fp 633 3_0_0 EXIST::FUNCTION:DSA,STDIO
OCSP_REQ_CTX_nbio_d2i 634 3_0_0 EXIST::FUNCTION:
d2i_X509_REQ_fp 635 3_0_0 EXIST::FUNCTION:STDIO
DH_OpenSSL 636 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
BN_get_rfc3526_prime_8192 637 3_0_0 EXIST::FUNCTION:DH
BN_get_rfc3526_prime_8192 637 3_0_0 EXIST::FUNCTION:
X509_REVOKED_it 638 3_0_0 EXIST::FUNCTION:
CRYPTO_THREAD_write_lock 639 3_0_0 EXIST::FUNCTION:
X509V3_NAME_from_section 640 3_0_0 EXIST::FUNCTION:
@ -888,7 +888,7 @@ EVP_read_pw_string 909 3_0_0 EXIST::FUNCTION:
i2d_ASN1_NULL 910 3_0_0 EXIST::FUNCTION:
DES_encrypt1 911 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DES
BN_mod_lshift1_quick 912 3_0_0 EXIST::FUNCTION:
BN_get_rfc3526_prime_6144 913 3_0_0 EXIST::FUNCTION:DH
BN_get_rfc3526_prime_6144 913 3_0_0 EXIST::FUNCTION:
OBJ_obj2txt 914 3_0_0 EXIST::FUNCTION:
UI_set_result 915 3_0_0 EXIST::FUNCTION:
EVP_EncodeUpdate 916 3_0_0 EXIST::FUNCTION:
@ -2129,7 +2129,7 @@ TS_RESP_CTX_set_accuracy 2174 3_0_0 EXIST::FUNCTION:TS
NETSCAPE_SPKI_get_pubkey 2175 3_0_0 EXIST::FUNCTION:
ECDSA_do_sign_ex 2176 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
OCSP_ONEREQ_get_ext 2177 3_0_0 EXIST::FUNCTION:OCSP
BN_get_rfc3526_prime_4096 2179 3_0_0 EXIST::FUNCTION:DH
BN_get_rfc3526_prime_4096 2179 3_0_0 EXIST::FUNCTION:
d2i_PKCS7_fp 2180 3_0_0 EXIST::FUNCTION:STDIO
PEM_write_bio_NETSCAPE_CERT_SEQUENCE 2181 3_0_0 EXIST::FUNCTION:
PKCS12_AUTHSAFES_it 2182 3_0_0 EXIST::FUNCTION:
@ -2471,7 +2471,7 @@ BN_GF2m_mod_div 2522 3_0_0 EXIST::FUNCTION:EC2M
i2d_USERNOTICE 2523 3_0_0 EXIST::FUNCTION:
d2i_NETSCAPE_SPKI 2524 3_0_0 EXIST::FUNCTION:
CRYPTO_mem_leaks 2525 3_0_0 EXIST::FUNCTION:CRYPTO_MDEBUG,DEPRECATEDIN_3_0
BN_get_rfc3526_prime_1536 2526 3_0_0 EXIST::FUNCTION:DH
BN_get_rfc3526_prime_1536 2526 3_0_0 EXIST::FUNCTION:
DSA_sign 2527 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA
RAND_egd 2528 3_0_0 EXIST::FUNCTION:EGD
ASN1_d2i_bio 2529 3_0_0 EXIST::FUNCTION:
@ -2579,7 +2579,7 @@ ASIdentifierChoice_it 2633 3_0_0 EXIST::FUNCTION:RFC3779
CMS_RecipientEncryptedKey_cert_cmp 2634 3_0_0 EXIST::FUNCTION:CMS
EVP_PKEY_CTX_get_app_data 2635 3_0_0 EXIST::FUNCTION:
EC_GROUP_clear_free 2636 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
BN_get_rfc2409_prime_1024 2637 3_0_0 EXIST::FUNCTION:DH
BN_get_rfc2409_prime_1024 2637 3_0_0 EXIST::FUNCTION:
CRYPTO_set_mem_functions 2638 3_0_0 EXIST::FUNCTION:
i2d_ASN1_VISIBLESTRING 2639 3_0_0 EXIST::FUNCTION:
d2i_PBKDF2PARAM 2640 3_0_0 EXIST::FUNCTION:
@ -3374,7 +3374,7 @@ EVP_EncodeFinal 3444 3_0_0 EXIST::FUNCTION:
X509_set_ex_data 3445 3_0_0 EXIST::FUNCTION:
ERR_get_next_error_library 3446 3_0_0 EXIST::FUNCTION:
OCSP_RESPONSE_print 3447 3_0_0 EXIST::FUNCTION:OCSP
BN_get_rfc3526_prime_2048 3448 3_0_0 EXIST::FUNCTION:DH
BN_get_rfc3526_prime_2048 3448 3_0_0 EXIST::FUNCTION:
BIO_new_bio_pair 3449 3_0_0 EXIST::FUNCTION:
EC_GFp_nistp256_method 3450 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,EC_NISTP_64_GCC_128
BIO_method_type 3451 3_0_0 EXIST::FUNCTION: