QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-05-07 06:59:41 +00:00
Code Issues Projects Releases Wiki Activity

Deprecate SSL_CTRL_SET_TMP_DH and other related ctrls

Browse Source 
These ctrls pass around a DH object which is now deprecated, so we
deprecate the ctrls themselves.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
This commit is contained in:
Matt Caswell 2020-10-14 15:06:28 +01:00
parent 1ee22dc268
commit 1b2b475517
6 changed files with 49 additions and 34 deletions

20
include/openssl/ssl.h.in

@ -1225,9 +1225,13 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_ERROR_WANT_ASYNC 9
# define SSL_ERROR_WANT_ASYNC_JOB 10
# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
# define SSL_CTRL_SET_TMP_DH 3
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_CTRL_SET_TMP_DH 3
# endif
# define SSL_CTRL_SET_TMP_ECDH 4
# define SSL_CTRL_SET_TMP_DH_CB 6
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_CTRL_SET_TMP_DH_CB 6
# endif
# define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
# define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
# define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
@ -1351,14 +1355,18 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
# define SSL_total_renegotiations(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
# define SSL_CTX_set_tmp_dh(ctx,dh) \
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_CTX_set_tmp_dh(ctx,dh) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
# endif
# define SSL_CTX_set_dh_auto(ctx, onoff) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
# define SSL_set_dh_auto(s, onoff) \
SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
# define SSL_set_tmp_dh(ssl,dh) \
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_set_tmp_dh(ssl,dh) \
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
# endif
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
@ -2129,13 +2137,17 @@ void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
void SSL_set_default_read_buffer_len(SSL *s, size_t len);
# ifndef OPENSSL_NO_DH
# ifndef OPENSSL_NO_DEPRECATED_3_0
/* NB: the |keylength| is only applicable when is_export is true */
OSSL_DEPRECATEDIN_3_0
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*dh) (SSL *ssl, int is_export,
int keylength));
OSSL_DEPRECATEDIN_3_0
void SSL_set_tmp_dh_callback(SSL *ssl,
DH *(*dh) (SSL *ssl, int is_export,
int keylength));
# endif
# endif
__owur const COMP_METHOD *SSL_get_current_compression(const SSL *s);

35
ssl/s3_lib.c

@ -3452,15 +3452,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ret = (int)(s->s3.flags);
break;
#ifndef OPENSSL_NO_DH
# ifndef OPENSSL_NO_DEPRECATED_3_0
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
EVP_PKEY *pkdh = NULL;
if (dh == NULL) {
if (parg == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
pkdh = ssl_dh_to_pkey(dh);
pkdh = ssl_dh_to_pkey(parg);
if (pkdh == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return 0;
@ -3481,6 +3481,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return ret;
}
# endif
case SSL_CTRL_SET_DH_AUTO:
s->cert->dh_tmp_auto = larg;
return 1;
@ -3776,7 +3777,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
int ret = 0;
switch (cmd) {
#ifndef OPENSSL_NO_DH
#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
case SSL_CTRL_SET_TMP_DH_CB:
{
s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@ -3802,16 +3803,15 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
switch (cmd) {
#ifndef OPENSSL_NO_DH
#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
EVP_PKEY *pkdh = NULL;
if (dh == NULL) {
if (parg == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
pkdh = ssl_dh_to_pkey(dh);
pkdh = ssl_dh_to_pkey(parg);
if (pkdh == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return 0;
@ -3831,10 +3831,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
#endif
case SSL_CTRL_SET_DH_AUTO:
ctx->cert->dh_tmp_auto = larg;
return 1;
#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_TMP_ECDH:
{
@ -4046,7 +4046,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
{
switch (cmd) {
#ifndef OPENSSL_NO_DH
#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
case SSL_CTRL_SET_TMP_DH_CB:
{
ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@ -5009,18 +5009,3 @@ int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey,
EVP_PKEY_CTX_free(pctx);
return rv;
}
#ifndef OPENSSL_NO_DH
EVP_PKEY *ssl_dh_to_pkey(DH *dh)
{
EVP_PKEY *ret;
if (dh == NULL)
return NULL;
ret = EVP_PKEY_new();
if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
EVP_PKEY_free(ret);
return NULL;
}
return ret;
}
#endif

2
ssl/ssl_lib.c

@ -4487,7 +4487,7 @@ int SSL_want(const SSL *s)
* \param dh the callback
*/
#ifndef OPENSSL_NO_DH
#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*dh) (SSL *ssl, int is_export,
int keylength))

5
ssl/statem/statem_srvr.c

@ -2469,15 +2469,16 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
} else {
pkdhp = cert->dh_tmp;
}
#ifndef OPENSSL_NO_DEPRECATED_3_0
if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
pkdh = ssl_dh_to_pkey(dhp);
pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024));
if (pkdh == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
pkdhp = pkdh;
}
#endif
if (pkdhp == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
goto err;

17
ssl/tls_depr.c

@ -142,5 +142,22 @@ HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
{
return ctx->old_ctx;
}
/* Some deprecated public APIs pass DH objects */
#ifndef OPENSSL_NO_DH
EVP_PKEY *ssl_dh_to_pkey(DH *dh)
{
EVP_PKEY *ret;
if (dh == NULL)
return NULL;
ret = EVP_PKEY_new();
if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
EVP_PKEY_free(ret);
return NULL;
}
return ret;
}
#endif
#endif

4
util/libssl.num

@ -16,7 +16,7 @@ SSL_get_verify_depth 16 3_0_0 EXIST::FUNCTION:
SSL_get0_dane 17 3_0_0 EXIST::FUNCTION:
SSL_CTX_sess_get_get_cb 18 3_0_0 EXIST::FUNCTION:
SSL_CTX_get_default_passwd_cb_userdata 19 3_0_0 EXIST::FUNCTION:
SSL_set_tmp_dh_callback 20 3_0_0 EXIST::FUNCTION:DH
SSL_set_tmp_dh_callback 20 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
SSL_CTX_get_verify_depth 21 3_0_0 EXIST::FUNCTION:
SSL_CTX_use_RSAPrivateKey_file 22 3_0_0 EXIST::FUNCTION:RSA
SSL_use_PrivateKey_file 23 3_0_0 EXIST::FUNCTION:
@ -152,7 +152,7 @@ i2d_SSL_SESSION 152 3_0_0 EXIST::FUNCTION:
SSL_SESSION_get_master_key 153 3_0_0 EXIST::FUNCTION:
SSL_COMP_get_compression_methods 154 3_0_0 EXIST::FUNCTION:
SSL_CTX_set_alpn_select_cb 155 3_0_0 EXIST::FUNCTION:
SSL_CTX_set_tmp_dh_callback 156 3_0_0 EXIST::FUNCTION:DH
SSL_CTX_set_tmp_dh_callback 156 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
SSL_CTX_get_default_passwd_cb 157 3_0_0 EXIST::FUNCTION:
TLSv1_server_method 158 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0,TLS1_METHOD
DTLS_server_method 159 3_0_0 EXIST::FUNCTION: