diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index a6c87ad75d..4152ef5dcb 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3360,12 +3360,10 @@ void ssl3_free(SSL *s) ssl3_cleanup_key_block(s); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.peer_tmp); s->s3.peer_tmp = NULL; EVP_PKEY_free(s->s3.tmp.pkey); s->s3.tmp.pkey = NULL; -#endif ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); ssl_evp_md_free(s->s3.tmp.new_hash); @@ -3396,10 +3394,8 @@ int ssl3_clear(SSL *s) OPENSSL_free(s->s3.tmp.peer_sigalgs); OPENSSL_free(s->s3.tmp.peer_cert_sigalgs); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.tmp.pkey); EVP_PKEY_free(s->s3.peer_tmp); -#endif /* !OPENSSL_NO_EC */ ssl3_free_digest_list(s); @@ -3452,7 +3448,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_FLAGS: ret = (int)(s->s3.flags); break; -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { EVP_PKEY *pkdh = NULL; @@ -3477,7 +3473,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_DH_AUTO: s->cert->dh_tmp_auto = larg; return 1; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { if (parg == NULL) { @@ -3610,7 +3606,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } return ssl_cert_set_current(s->cert, larg); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_GET_GROUPS: { uint16_t *clist; @@ -3656,7 +3651,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_NEGOTIATED_GROUP: ret = tls1_group_id2nid(s->s3.group_id, 1); break; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); 
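Review bot: The rewritten condition in the ssl_derive hunk (@@ -4820) still discards the result of `EVP_PKEY_CTX_set_dh_pad(pctx, 1)` on the following context line, so if the padding request fails the TLS 1.3 FFDHE derivation continues with an unpadded shared secret. RFC 8446 requires that secret to be left-padded to the group size; an unpadded value gives a wrong key schedule on roughly 1 in 256 handshakes and reintroduces the leading-zero length dependence the padding rule exists to remove. The function already unwinds with `SSLfatal(...); goto err;` just above this point, so the call can be folded into the condition and fail the same way. The rest of ssl_derive lies outside the hunk.
```c
    if (SSL_IS_TLS13(s) && EVP_PKEY_is_a(privkey, "DH")
            && EVP_PKEY_CTX_set_dh_pad(pctx, 1) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    /* … unchanged: pms allocation and derivation … */
```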
@@ -3707,7 +3701,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 1; case SSL_CTRL_GET_PEER_TMP_KEY: -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) if (s->session == NULL || s->s3.peer_tmp == NULL) { return 0; } else { @@ -3715,12 +3708,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(EVP_PKEY **)parg = s->s3.peer_tmp; return 1; } -#else - return 0; -#endif case SSL_CTRL_GET_TMP_KEY: -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) if (s->session == NULL || s->s3.tmp.pkey == NULL) { return 0; } else { @@ -3728,9 +3717,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(EVP_PKEY **)parg = s->s3.tmp.pkey; return 1; } -#else - return 0; -#endif #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: @@ -3755,7 +3741,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) int ret = 0; switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; ret = 1; @@ -3780,7 +3766,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { EVP_PKEY *pkdh = NULL; @@ -3804,7 +3790,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_DH_AUTO: ctx->cert->dh_tmp_auto = larg; return 1; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { if (parg == NULL) { @@ -3911,7 +3897,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; #endif -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_SET_GROUPS: return tls1_set_groups(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, 
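Review bot: Dropping the OPENSSL_NO_DH half of the guard on `case SSL_CTRL_SET_TMP_DH_CB:` in ssl3_callback_ctrl (@@ -3755, and likewise in the ssl3_ctx_callback_ctrl hunk at @@ -4004) leaves the raw ctrl installable in a build where the public setters SSL_CTX_set_tmp_dh_callback/SSL_set_tmp_dh_callback stay compiled out under `# if !defined(OPENSSL_NO_DH)` in tls_depr.c. In that configuration a callback installed through SSL_callback_ctrl is still invoked from tls_construct_server_key_exchange, and its result passes through the ssl_dh_to_pkey stub that returns NULL, so the handshake presumably fails at that point (the error branch is cut off) instead of the setter being refused. If such a build is meant to be supported, either keep the DH condition on these cases or wrap the two statements of the ssl3_callback_ctrl case in `#ifndef OPENSSL_NO_DH` … `#endif` so `ret` keeps its initial 0; if not, a one-line comment stating that libssl no longer honours OPENSSL_NO_DH would explain the asymmetry. The enclosing switch bodies continue outside the hunks.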
@@ -3921,7 +3906,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_groups_list(ctx, &ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, parg); -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -4004,7 +3988,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: { ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -4820,10 +4804,8 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) goto err; } -#ifndef OPENSSL_NO_DH - if (SSL_IS_TLS13(s) && EVP_PKEY_id(privkey) == EVP_PKEY_DH) + if (SSL_IS_TLS13(s) && EVP_PKEY_is_a(privkey, "DH")) EVP_PKEY_CTX_set_dh_pad(pctx, 1); -#endif pms = OPENSSL_malloc(pmslen); if (pms == NULL) { diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 93608beddc..a9d9b9ca06 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -95,9 +95,8 @@ CERT *ssl_cert_dup(CERT *cert) ret->dh_tmp = cert->dh_tmp; EVP_PKEY_up_ref(ret->dh_tmp); } -#ifndef OPENSSL_NO_DH + ret->dh_tmp_cb = cert->dh_tmp_cb; -#endif ret->dh_tmp_auto = cert->dh_tmp_auto; for (i = 0; i < SSL_PKEY_NUM; i++) { diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5adc6f71a9..a87da32c62 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3505,9 +3505,7 @@ void ssl_set_masks(SSL *s) return; dh_tmp = (c->dh_tmp != NULL -#ifndef OPENSSL_NO_DH || c->dh_tmp_cb != NULL -#endif || c->dh_tmp_auto); rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; 
@@ -4483,27 +4481,6 @@ int SSL_want(const SSL *s) return s->rwstate; } -/** - * \brief Set the callback for generating temporary DH keys. - * \param ctx the SSL context. - * \param dh the callback - */ - -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) -void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, - DH *(*dh) (SSL *ssl, int is_export, - int keylength)) -{ - SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); -} - -void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, - int keylength)) -{ - SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); -} -#endif - #ifndef OPENSSL_NO_PSK int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 1b8a43d131..fa1130e59d 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2009,9 +2009,7 @@ typedef struct cert_st { CERT_PKEY *key; EVP_PKEY *dh_tmp; -#ifndef OPENSSL_NO_DH DH *(*dh_tmp_cb) (SSL *ssl, int is_export, int keysize); -#endif int dh_tmp_auto; /* Flags related to certificates */ uint32_t cert_flags; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 35e45d59a1..e4007b37de 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1725,11 +1725,7 @@ static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, OPENSSL_free(extensions); extensions = NULL; - if (s->ext.tls13_cookie_len == 0 -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) - && s->s3.tmp.pkey != NULL -#endif - ) { + if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { /* * We didn't receive a cookie or a new key_share so the next * ClientHello will not change @@ -2186,10 +2182,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) save_param_start = *pkt; -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.peer_tmp); s->s3.peer_tmp = NULL; -#endif if (alg_k & SSL_PSK) { if (!tls_process_ske_psk_preamble(s, pkt)) { 
@@ -3569,12 +3563,11 @@ int ssl3_check_cert_and_algorithm(SSL *s) SSL_R_MISSING_RSA_ENCRYPTING_CERT); return 0; } -#ifndef OPENSSL_NO_DH + if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } -#endif return 1; } diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 8ae8ddc052..03c4d2ba81 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2466,7 +2466,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } else { pkdhp = cert->dh_tmp; } -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024)); if (pkdh == NULL) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 7328c8e2b1..1438244d32 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -191,7 +191,7 @@ static const unsigned char ecformats_default[] = { TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 }; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ +#endif /* !defined(OPENSSL_NO_EC) */ /* The default curves */ #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 7ecb61e79c..0b21ff7669 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -144,9 +144,9 @@ HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx) } /* Some deprecated public APIs pass DH objects */ -# ifndef OPENSSL_NO_DH EVP_PKEY *ssl_dh_to_pkey(DH *dh) { +# ifndef OPENSSL_NO_DH EVP_PKEY *ret; if (dh == NULL) @@ -157,14 +157,16 @@ EVP_PKEY *ssl_dh_to_pkey(DH *dh) return NULL; } return ret; -} +# else + return NULL; # endif +} /* Some deprecated public APIs pass EC_KEY objects */ -# ifndef OPENSSL_NO_EC int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, void *key) { +# ifndef OPENSSL_NO_EC const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key); int nid; 
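Review bot: The corrected `#endif /* !defined(OPENSSL_NO_EC) */` comment in the t1_lib.c hunk is right, but the very next context line still guards the default-groups table with `#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)`, while this commit makes the group plumbing that consumes it (the SSL_CTRL_GET_GROUPS/SSL_CTRL_SET_GROUPS cases in s3_lib.c, the unconditional peer_tmp/tmp.pkey handling) compile regardless of OPENSSL_NO_DH. If the intent is that libssl no longer depends on the DH compile option, that guard presumably needs the same treatment, otherwise a no-EC build gets the ctrl cases without the table behind them. The table itself is outside the hunk, so this is inferred from the guard line alone.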
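Review bot: The new `# else` / `return NULL;` branch in ssl_dh_to_pkey (@@ -157) fails without recording anything in the error queue, and the matching `# else` / `return 0;` added to ssl_set_tmp_ecdh_groups in the @@ -176 hunk has the same gap. Both functions already use that return value for their ordinary failure paths (`return NULL` after the NULL-input check, `return 0` on NID_undef), so a caller such as the SSL_CTRL_SET_TMP_DH case in ssl3_ctrl, whose error handling is outside the hunk, presumably reports whichever reason it uses for those cases rather than that DH is not compiled in. Adding `ERR_raise(ERR_LIB_SSL, ERR_R_UNSUPPORTED);` ahead of each stub return keeps the failure diagnosable, and a comment such as `/* DH compiled out: no EVP_PKEY can be built from a DH object */` on the stub would tell the next reader why the branch exists.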
@@ -176,6 +178,28 @@ int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, if (nid == NID_undef) return 0; return tls1_set_groups(pext, pextlen, &nid, 1); +# else + return 0; +# endif +} + +/* + * Set the callback for generating temporary DH keys. + * ctx: the SSL context. + * dh: the callback + */ +# if !defined(OPENSSL_NO_DH) +void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, + DH *(*dh) (SSL *ssl, int is_export, + int keylength)) +{ + SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); +} + +void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, + int keylength)) +{ + SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); } # endif -#endif +#endif /* OPENSSL_NO_DEPRECATED */
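Review bot: The closing `#endif /* OPENSSL_NO_DEPRECATED */` added at the end of this hunk does not name the macro the relocated setters were guarded by in ssl_lib.c, `OPENSSL_NO_DEPRECATED_3_0`; unless the opening `#ifndef` of this block (outside the hunk) really is the unsuffixed macro, the comment should read `#endif /* !OPENSSL_NO_DEPRECATED_3_0 */` so a reader can match it to its opener. The moved header comment also dropped the Doxygen `\brief`/`\param` markup the original carried, and the setters now sit under a separate `# if !defined(OPENSSL_NO_DH)` while the ctrl cases that back them in ssl3_callback_ctrl/ssl3_ctx_callback_ctrl no longer carry that condition; a one-line comment on that `# if` saying why these two functions alone keep the DH condition would spare the next reader a search.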