From 15a3b000cfd59847d4b04eff075b590ae24eb85a Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Tue, 28 Apr 2015 00:05:35 -0400 Subject: [PATCH] Promote set_tmp_dh and set_tmp_ecdh to functions. BUG=404754 Change-Id: I7c75dd88fe9338b1d3b90745f742d15d6b84775a Reviewed-on: https://boringssl-review.googlesource.com/4568 Reviewed-by: Adam Langley --- crypto/err/ssl.errordata | 4 ++ include/openssl/ssl.h | 51 ++++++++++++++---------- ssl/s3_lib.c | 83 ++++++++++++++++++---------------------- 3 files changed, 72 insertions(+), 66 deletions(-) diff --git a/crypto/err/ssl.errordata b/crypto/err/ssl.errordata index adef2815..767d0787 100644 --- a/crypto/err/ssl.errordata +++ b/crypto/err/ssl.errordata @@ -3,6 +3,8 @@ SSL,function,101,SSL_CTX_new SSL,function,102,SSL_CTX_set_cipher_list SSL,function,103,SSL_CTX_set_cipher_list_tls11 SSL,function,104,SSL_CTX_set_session_id_context +SSL,function,268,SSL_CTX_set_tmp_dh +SSL,function,269,SSL_CTX_set_tmp_ecdh SSL,function,105,SSL_CTX_use_PrivateKey SSL,function,106,SSL_CTX_use_PrivateKey_ASN1 SSL,function,107,SSL_CTX_use_PrivateKey_file @@ -34,6 +36,8 @@ SSL,function,132,SSL_set_cipher_list SSL,function,133,SSL_set_fd SSL,function,134,SSL_set_rfd SSL,function,135,SSL_set_session_id_context +SSL,function,270,SSL_set_tmp_dh +SSL,function,271,SSL_set_tmp_ecdh SSL,function,136,SSL_set_wfd SSL,function,137,SSL_shutdown SSL,function,138,SSL_use_PrivateKey diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index e12135da..14fa04d2 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1573,9 +1573,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_ERROR_PENDING_SESSION 11 #define SSL_ERROR_PENDING_CERTIFICATE 12 -#define SSL_CTRL_SET_TMP_DH 3 -#define SSL_CTRL_SET_TMP_ECDH 4 - #define SSL_CTRL_EXTRA_CHAIN_CERT 14 /* see tls1.h for macros based on these */ @@ -1651,27 +1648,29 @@ OPENSSL_EXPORT int SSL_session_reused(const SSL *ssl); * peformed by |ssl|. This includes the pending renegotiation, if any. */ OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl); -#define SSL_CTX_set_tmp_dh(ctx, dh) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, (char *)dh) +/* SSL_CTX_set_tmp_dh configures |ctx| to use the group from |dh| as the group + * for DHE. Only the group is used, so |dh| needn't have a keypair. It returns + * one on success and zero on error. */ +OPENSSL_EXPORT int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh); -/* SSL_CTX_set_tmp_ecdh configures |ctx| to use the curve from |ecdh| (a const - * EC_KEY *) as the curve for ephemeral ECDH keys. For historical reasons, this - * API expects an |EC_KEY|, but only the curve is used. It returns one on - * success and zero on error. If unset, an appropriate curve will be chosen - * automatically. (This is recommended.) */ -#define SSL_CTX_set_tmp_ecdh(ctx, ecdh) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, (char *)ecdh) +/* SSL_set_tmp_dh configures |ssl| to use the group from |dh| as the group for + * DHE. Only the group is used, so |dh| needn't have a keypair. It returns one + * on success and zero on error. */ +OPENSSL_EXPORT int SSL_set_tmp_dh(SSL *ssl, const DH *dh); -#define SSL_set_tmp_dh(ssl, dh) \ - SSL_ctrl(ssl, SSL_CTRL_SET_TMP_DH, 0, (char *)dh) +/* SSL_CTX_set_tmp_ecdh configures |ctx| to use the curve from |ecdh| as the + * curve for ephemeral ECDH keys. For historical reasons, this API expects an + * |EC_KEY|, but only the curve is used. It returns one on success and zero on + * error. If unset, an appropriate curve will be chosen automatically. (This is + * recommended.) */ +OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key); -/* SSL_set_tmp_ecdh configures |ssl| to use the curve from |ecdh| (a const - * EC_KEY *) as the curve for ephemeral ECDH keys. For historical reasons, this - * API expects an |EC_KEY|, but only the curve is used. It returns one on - * success and zero on error. If unset, an appropriate curve will be chosen - * automatically. (This is recommended.) */ -#define SSL_set_tmp_ecdh(ssl, ecdh) \ - SSL_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH, 0, (char *)ecdh) +/* SSL_set_tmp_ecdh configures |ssl| to use the curve from |ecdh| as the curve + * for ephemeral ECDH keys. For historical reasons, this API expects an + * |EC_KEY|, but only the curve is used. It returns one on success and zero on + * error. If unset, an appropriate curve will be chosen automatically. (This is + * recommended.) */ +OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key); /* SSL_enable_tls_channel_id either configures a TLS server to accept TLS * client IDs from clients, or configure a client to send TLS client IDs to @@ -2393,6 +2392,8 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused); #define SSL_CTRL_NEED_TMP_RSA doesnt_exist #define SSL_CTRL_SET_TMP_RSA doesnt_exist +#define SSL_CTRL_SET_TMP_DH doesnt_exist +#define SSL_CTRL_SET_TMP_ECDH doesnt_exist #define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist #define SSL_CTRL_SET_TMP_DH_CB doesnt_exist #define SSL_CTRL_SET_TMP_ECDH_CB doesnt_exist @@ -2426,6 +2427,10 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused); #define SSL_need_tmp_RSA SSL_need_tmp_RSA #define SSL_CTX_set_tmp_rsa SSL_CTX_set_tmp_rsa #define SSL_set_tmp_rsa SSL_set_tmp_rsa +#define SSL_CTX_set_tmp_dh SSL_CTX_set_tmp_dh +#define SSL_set_tmp_dh SSL_set_tmp_dh +#define SSL_CTX_set_tmp_ecdh SSL_CTX_set_tmp_ecdh +#define SSL_set_tmp_ecdh SSL_set_tmp_ecdh #define SSL_session_reused SSL_session_reused #define SSL_num_renegotiations SSL_num_renegotiations #define SSL_total_renegotiations SSL_total_renegotiations @@ -2657,6 +2662,10 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused); #define SSL_F_dtls1_hm_fragment_new 265 #define SSL_F_ssl3_seal_record 266 #define SSL_F_ssl3_record_sequence_update 267 +#define SSL_F_SSL_CTX_set_tmp_dh 268 +#define SSL_F_SSL_CTX_set_tmp_ecdh 269 +#define SSL_F_SSL_set_tmp_dh 270 +#define SSL_F_SSL_set_tmp_ecdh 271 #define SSL_R_APP_DATA_IN_HANDSHAKE 100 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101 #define SSL_R_BAD_ALERT 102 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 59e7a9a2..63ceba86 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -605,34 +605,48 @@ int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { return 1; } +int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) { + DH_free(ctx->cert->dh_tmp); + ctx->cert->dh_tmp = DHparams_dup(dh); + if (ctx->cert->dh_tmp == NULL) { + OPENSSL_PUT_ERROR(SSL, SSL_CTX_set_tmp_dh, ERR_R_DH_LIB); + return 0; + } + return 1; +} + +int SSL_set_tmp_dh(SSL *ssl, const DH *dh) { + DH_free(ssl->cert->dh_tmp); + ssl->cert->dh_tmp = DHparams_dup(dh); + if (ssl->cert->dh_tmp == NULL) { + OPENSSL_PUT_ERROR(SSL, SSL_set_tmp_dh, ERR_R_DH_LIB); + return 0; + } + return 1; +} + +int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) { + if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { + OPENSSL_PUT_ERROR(SSL, SSL_CTX_set_tmp_ecdh, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + ctx->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); + return 1; +} + +int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) { + if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { + OPENSSL_PUT_ERROR(SSL, SSL_set_tmp_ecdh, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + ssl->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); + return 1; +} + long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { int ret = 0; switch (cmd) { - case SSL_CTRL_SET_TMP_DH: - DH_free(s->cert->dh_tmp); - s->cert->dh_tmp = DHparams_dup((DH *)parg); - if (s->cert->dh_tmp == NULL) { - OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB); - ret = 0; - break; - } - ret = 1; - break; - - case SSL_CTRL_SET_TMP_ECDH: { - /* For historical reasons, this API expects an |EC_KEY|, but only the - * group is used. */ - const EC_KEY *ec_key = (const EC_KEY *)parg; - if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { - OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER); - return ret; - } - s->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); - ret = 1; - break; - } - case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { OPENSSL_free(s->tlsext_hostname); @@ -808,27 +822,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { cert = ctx->cert; switch (cmd) { - case SSL_CTRL_SET_TMP_DH: - DH_free(cert->dh_tmp); - cert->dh_tmp = DHparams_dup((DH *)parg); - if (cert->dh_tmp == NULL) { - OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB); - return 0; - } - return 1; - - case SSL_CTRL_SET_TMP_ECDH: { - /* For historical reasons, this API expects an |EC_KEY|, but only the - * group is used. */ - const EC_KEY *ec_key = (const EC_KEY *)parg; - if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) { - OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - ctx->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); - return 1; - } - case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->tlsext_servername_arg = parg; break;