kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

unifdef a bunch of OPENSSL_NO_* ifdefs. 

Get all this stuff out of the way.

- OPENSSL_NO_MD5
- OPENSSL_NO_SHA
- OPENSSL_NO_EC
- OPENSSL_NO_ECDSA
- OPENSSL_NO_ECDH
- OPENSSL_NO_NEXTPROTONEG
- OPENSSL_NO_DH
- OPENSSL_NO_SSL3
- OPENSSL_NO_RC4
- OPENSSL_NO_RSA

Also manually removed a couple instances of OPENSSL_NO_DSA that seemed to be
confused anyway. Did some minor manual cleanup. (Removed a few now-pointless
'if (0)'s.)

Change-Id: Id540ba97ee22ff2309ab20ceb24c7eabe766d4c4
Reviewed-on: https://boringssl-review.googlesource.com/1662
Reviewed-by: Adam Langley <agl@google.com>
kris/onging/CECPQ3_patch15
David Benjamin 10 years ago
committed by Adam Langley
parent
1f3591d4c7
commit
457112e197
29 changed files with 8 additions and 401 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +0
    -4
      crypto/pem/pem_all.c
  2. +0
    -2
      crypto/pem/pem_info.c
  3. +0
    -2
      crypto/pem/pem_pkey.c
  4. +0
    -26
      crypto/x509/x509_cmp.c
  5. +0
    -4
      crypto/x509/x509_req.c
  6. +0
    -2
      crypto/x509/x_all.c
  7. +0
    -2
      crypto/x509/x_crl.c
  8. +0
    -2
      crypto/x509/x_pubkey.c
  9. +0
    -2
      crypto/x509v3/v3_purp.c
  10. +0
    -6
      include/openssl/pem.h
  11. +0
    -16
      include/openssl/ssl.h
  12. +0
    -12
      include/openssl/ssl3.h
  13. +0
    -2
      include/openssl/tls1.h
  14. +0
    -12
      include/openssl/x509.h
  15. +0
    -4
      ssl/s23_clnt.c
  16. +0
    -2
      ssl/s23_meth.c
  17. +0
    -2
      ssl/s3_both.c
  18. +2
    -45
      ssl/s3_clnt.c
  19. +0
    -2
      ssl/s3_enc.c
  20. +5
    -66
      ssl/s3_lib.c
  21. +0
    -28
      ssl/s3_srvr.c
  22. +0
    -20
      ssl/ssl_cert.c
  23. +0
    -2
      ssl/ssl_ciph.c
  24. +1
    -45
      ssl/ssl_lib.c
  25. +0
    -18
      ssl/ssl_locl.h
  26. +0
    -2
      ssl/ssl_sess.c
  27. +0
    -8
      ssl/ssl_stat.c
  28. +0
    -2
      ssl/t1_enc.c
  29. +0
    -61
      ssl/t1_lib.c

+ 0
- 4
crypto/pem/pem_all.c View File

@@ -224,7 +224,6 @@ IMPLEMENT_PEM_rw_const(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
#endif


#ifndef OPENSSL_NO_EC
static EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey)
{
EC_KEY *dtmp;
@@ -271,15 +270,12 @@ EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,

#endif

#endif

#ifndef OPENSSL_NO_DH

IMPLEMENT_PEM_write_const(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)

/* TODO(fork): remove this code? */
/* IMPLEMENT_PEM_write_const(DHxparams, DH, PEM_STRING_DHXPARAMS, DHxparams) */

#endif

IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)

+ 0
- 2
crypto/pem/pem_info.c View File

@@ -207,7 +207,6 @@ start:
}
else
#endif
#ifndef OPENSSL_NO_EC
if (strcmp(name,PEM_STRING_ECPRIVATEKEY) == 0)
{
d2i=(D2I_OF(void))d2i_ECPrivateKey;
@@ -228,7 +227,6 @@ start:
raw=1;
}
else
#endif
{
d2i=NULL;
pp=NULL;


+ 0
- 2
crypto/pem/pem_pkey.c View File

@@ -262,7 +262,6 @@ int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,

#endif

#ifndef OPENSSL_NO_DH

/* Transparently read in PKCS#3 or X9.42 DH parameters */

@@ -310,4 +309,3 @@ DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u)
}
#endif

#endif

+ 0
- 26
crypto/x509/x509_cmp.c View File

@@ -78,7 +78,6 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
return(X509_NAME_cmp(ai->issuer,bi->issuer));
}

#ifndef OPENSSL_NO_MD5
unsigned long X509_issuer_and_serial_hash(X509 *a)
{
unsigned long ret=0;
@@ -105,7 +104,6 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
EVP_MD_CTX_cleanup(&ctx);
return(ret);
}
#endif
int X509_issuer_name_cmp(const X509 *a, const X509 *b)
{
@@ -122,12 +120,10 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
}

#ifndef OPENSSL_NO_SHA
int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
{
return memcmp(a->sha1_hash, b->sha1_hash, 20);
}
#endif

X509_NAME *X509_get_issuer_name(X509 *a)
{
@@ -139,12 +135,10 @@ unsigned long X509_issuer_name_hash(X509 *x)
return(X509_NAME_hash(x->cert_info->issuer));
}

#ifndef OPENSSL_NO_MD5
unsigned long X509_issuer_name_hash_old(X509 *x)
{
return(X509_NAME_hash_old(x->cert_info->issuer));
}
#endif

X509_NAME *X509_get_subject_name(X509 *a)
{
@@ -161,14 +155,11 @@ unsigned long X509_subject_name_hash(X509 *x)
return(X509_NAME_hash(x->cert_info->subject));
}

#ifndef OPENSSL_NO_MD5
unsigned long X509_subject_name_hash_old(X509 *x)
{
return(X509_NAME_hash_old(x->cert_info->subject));
}
#endif

#ifndef OPENSSL_NO_SHA
/* Compare two certificates: they must be identical for
* this to work. NB: Although "cmp" operations are generally
* prototyped to take "const" arguments (eg. for use in
@@ -199,7 +190,6 @@ int X509_cmp(const X509 *a, const X509 *b)
}
return rv;
}
#endif


int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
@@ -249,7 +239,6 @@ unsigned long X509_NAME_hash(X509_NAME *x)
}


#ifndef OPENSSL_NO_MD5
/* I now DER encode the name and hash it. Since I cache the DER encoding,
* this is reasonably efficient. */

@@ -273,7 +262,6 @@ unsigned long X509_NAME_hash_old(X509_NAME *x)

return(ret);
}
#endif

/* Search a stack of X509 for a match */
X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
@@ -364,7 +352,6 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
* flags.
*/

#ifndef OPENSSL_NO_EC

static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags)
{
@@ -484,19 +471,6 @@ int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)
return check_suite_b(pk, sign_nid, &flags);
}

#else
int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
unsigned long flags)
{
return 0;
}

int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)
{
return 0;
}

#endif
/* Not strictly speaking an "up_ref" as a STACK doesn't have a reference
* count but it has the same effect by duping the STACK and upping the ref
* of each X509 structure.


+ 0
- 4
crypto/x509/x509_req.c View File

@@ -132,21 +132,17 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, X509_R_KEY_TYPE_MISMATCH);
break;
case -2:
#ifndef OPENSSL_NO_EC
if (k->type == EVP_PKEY_EC)
{
OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, ERR_R_EC_LIB);
break;
}
#endif
#ifndef OPENSSL_NO_DH
if (k->type == EVP_PKEY_DH)
{
/* No idea */
OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, X509_R_CANT_CHECK_DH_KEY);
break;
}
#endif
OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, X509_R_UNKNOWN_KEY_TYPE);
}



+ 0
- 2
crypto/x509/x_all.c View File

@@ -345,7 +345,6 @@ int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)

#endif

#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_FP_API
EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey)
{
@@ -386,7 +385,6 @@ int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey)
{
return ASN1_i2d_bio_of_const(EC_KEY,i2d_ECPrivateKey,bp,eckey);
}
#endif


int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,


+ 0
- 2
crypto/x509/x_crl.c View File

@@ -234,9 +234,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
break;

case ASN1_OP_D2I_POST:
#ifndef OPENSSL_NO_SHA
X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL);
#endif
crl->idp = X509_CRL_get_ext_d2i(crl,
NID_issuing_distribution_point, NULL, NULL);
if (crl->idp)


+ 0
- 2
crypto/x509/x_pubkey.c View File

@@ -300,7 +300,6 @@ int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp)
}
#endif

#ifndef OPENSSL_NO_EC
EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length)
{
EVP_PKEY *pkey;
@@ -336,7 +335,6 @@ int i2d_EC_PUBKEY(const EC_KEY *a, unsigned char **pp)
EVP_PKEY_free(pktmp);
return(ret);
}
#endif

int X509_PUBKEY_set0_param(X509_PUBKEY *pub, const ASN1_OBJECT *aobj,
int ptype, void *pval,


+ 0
- 2
crypto/x509v3/v3_purp.c View File

@@ -361,9 +361,7 @@ static void x509v3_cache_extensions(X509 *x)
size_t i;
int j;
if(x->ex_flags & EXFLAG_SET) return;
#ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
/* V1 should mean no extensions ... */
if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
/* Handle basic constraints */


+ 0
- 6
include/openssl/pem.h View File

@@ -465,18 +465,14 @@ DECLARE_PEM_rw_const(DSAparams, DSA)

#endif

#ifndef OPENSSL_NO_EC
DECLARE_PEM_rw_const(ECPKParameters, EC_GROUP)
DECLARE_PEM_rw_cb(ECPrivateKey, EC_KEY)
DECLARE_PEM_rw(EC_PUBKEY, EC_KEY)
#endif

#ifndef OPENSSL_NO_DH

DECLARE_PEM_rw_const(DHparams, DH)
DECLARE_PEM_write_const(DHxparams, DH)

#endif

DECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY)

@@ -506,10 +502,8 @@ OPENSSL_EXPORT EVP_PKEY *b2i_PrivateKey_bio(BIO *in);
OPENSSL_EXPORT EVP_PKEY *b2i_PublicKey_bio(BIO *in);
OPENSSL_EXPORT int i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk);
OPENSSL_EXPORT int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk);
#ifndef OPENSSL_NO_RC4
OPENSSL_EXPORT EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u);
OPENSSL_EXPORT int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u);
#endif


void ERR_load_PEM_strings(void);


+ 0
- 16
include/openssl/ssl.h View File

@@ -441,12 +441,10 @@ struct ssl_session_st
* efficient and to implement a maximum cache size. */
struct ssl_session_st *prev,*next;
char *tlsext_hostname;
#ifndef OPENSSL_NO_EC
size_t tlsext_ecpointformatlist_length;
unsigned char *tlsext_ecpointformatlist; /* peer's list */
size_t tlsext_ellipticcurvelist_length;
uint16_t *tlsext_ellipticcurvelist; /* peer's list */
#endif /* OPENSSL_NO_EC */
/* RFC4507 info */
uint8_t *tlsext_tick; /* Session ticket */
size_t tlsext_ticklen; /* Session ticket length */
@@ -964,7 +962,6 @@ struct ssl_ctx_st
* memory and session space. Only effective on the server side. */
char retain_only_sha256_of_client_certs;

# ifndef OPENSSL_NO_NEXTPROTONEG
/* Next protocol negotiation information */
/* (for experimental NPN extension). */

@@ -981,7 +978,6 @@ struct ssl_ctx_st
unsigned int inlen,
void *arg);
void *next_proto_select_cb_arg;
# endif

/* ALPN information
* (we are in the process of transitioning from NPN to ALPN.) */
@@ -1009,13 +1005,11 @@ struct ssl_ctx_st

/* SRTP profiles we are willing to do from RFC 5764 */
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
# ifndef OPENSSL_NO_EC
/* EC extension values inherited by SSL structure */
size_t tlsext_ecpointformatlist_length;
uint8_t *tlsext_ecpointformatlist;
size_t tlsext_ellipticcurvelist_length;
uint16_t *tlsext_ellipticcurvelist;
# endif /* OPENSSL_NO_EC */

/* If true, a client will advertise the Channel ID extension and a
* server will echo it. */
@@ -1115,7 +1109,6 @@ OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx);
* WARNING: the returned data is not guaranteed to be well formed. */
OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, uint8_t **out, size_t *out_len);

#ifndef OPENSSL_NO_NEXTPROTONEG
OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
int (*cb) (SSL *ssl,
const unsigned char **out,
@@ -1129,7 +1122,6 @@ OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
void *arg);
OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *s,
const uint8_t **data, unsigned *len);
#endif

OPENSSL_EXPORT int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen,
@@ -1376,12 +1368,10 @@ struct ssl_st

/* RFC4507 session ticket expected to be received or sent */
int tlsext_ticket_expected;
#ifndef OPENSSL_NO_EC
size_t tlsext_ecpointformatlist_length;
uint8_t *tlsext_ecpointformatlist; /* our list */
size_t tlsext_ellipticcurvelist_length;
uint16_t *tlsext_ellipticcurvelist; /* our list */
#endif /* OPENSSL_NO_EC */

/* TLS Session Ticket extension override */
TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
@@ -1396,7 +1386,6 @@ struct ssl_st

SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */

#ifndef OPENSSL_NO_NEXTPROTONEG
/* Next protocol negotiation. For the client, this is the protocol that
* we sent in NextProtocol and is set when handling ServerHello
* extensions.
@@ -1406,7 +1395,6 @@ struct ssl_st
* before the Finished message. */
uint8_t *next_proto_negotiated;
size_t next_proto_negotiated_len;
#endif

#define session_ctx initial_ctx

@@ -2228,22 +2216,18 @@ OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl,
RSA *(*cb)(SSL *ssl,int is_export,
int keylength));
#ifndef OPENSSL_NO_DH
OPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*dh)(SSL *ssl,int is_export,
int keylength));
OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl,
DH *(*dh)(SSL *ssl,int is_export,
int keylength));
#endif
#ifndef OPENSSL_NO_ECDH
OPENSSL_EXPORT void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
EC_KEY *(*ecdh)(SSL *ssl,int is_export,
int keylength));
OPENSSL_EXPORT void SSL_set_tmp_ecdh_callback(SSL *ssl,
EC_KEY *(*ecdh)(SSL *ssl,int is_export,
int keylength));
#endif

OPENSSL_EXPORT const void *SSL_get_current_compression(SSL *s);
OPENSSL_EXPORT const void *SSL_get_current_expansion(SSL *s);


+ 0
- 12
include/openssl/ssl3.h View File

@@ -432,13 +432,9 @@ typedef struct ssl3_state_st

/* used to hold the new cipher we are going to use */
const SSL_CIPHER *new_cipher;
#ifndef OPENSSL_NO_DH
DH *dh;
#endif

#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh; /* holds short lived ECDH key */
#endif

/* used when SSL_ST_FLUSH_DATA is entered */
int next_state;
@@ -482,10 +478,8 @@ typedef struct ssl3_state_st
unsigned char previous_server_finished_len;
int send_connection_binding; /* TODOEKR */

#ifndef OPENSSL_NO_NEXTPROTONEG
/* Set if we saw the Next Protocol Negotiation extension from our peer. */
int next_proto_neg_seen;
#endif

/* ALPN information
* (we are in the process of transitioning from NPN to ALPN.) */
@@ -548,10 +542,8 @@ typedef struct ssl3_state_st
#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
#ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
#endif
#define SSL3_ST_CW_CHANNEL_ID_A (0x220|SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANNEL_ID_B (0x221|SSL_ST_CONNECT)
#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
@@ -598,10 +590,8 @@ typedef struct ssl3_state_st
#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CHANGE (0x1B0|SSL_ST_ACCEPT)
#ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
#endif
#define SSL3_ST_SR_CHANNEL_ID_A (0x230|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CHANNEL_ID_B (0x231|SSL_ST_ACCEPT)
#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
@@ -631,9 +621,7 @@ typedef struct ssl3_state_st
#define SSL3_MT_FINISHED 20
#define SSL3_MT_CERTIFICATE_STATUS 22
#define SSL3_MT_SUPPLEMENTAL_DATA 23
#ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_MT_NEXT_PROTO 67
#endif
#define SSL3_MT_ENCRYPTED_EXTENSIONS 203
#define DTLS1_MT_HELLO_VERIFY_REQUEST 3



+ 0
- 2
include/openssl/tls1.h View File

@@ -249,10 +249,8 @@ extern "C" {
/* ExtensionType value from RFC6962 */
#define TLSEXT_TYPE_certificate_timestamp 18

#ifndef OPENSSL_NO_NEXTPROTONEG
/* This is not an IANA defined extension number */
#define TLSEXT_TYPE_next_proto_neg 13172
#endif

/* This is not an IANA defined extension number */
#define TLSEXT_TYPE_channel_id 30031


+ 0
- 12
include/openssl/x509.h View File

@@ -259,9 +259,7 @@ struct x509_st
STACK_OF(DIST_POINT) *crldp;
STACK_OF(GENERAL_NAME) *altname;
NAME_CONSTRAINTS *nc;
#ifndef OPENSSL_NO_SHA
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
#endif
X509_CERT_AUX *aux;
} /* X509 */;

@@ -433,9 +431,7 @@ struct X509_crl_st
/* CRL and base CRL numbers for delta processing */
ASN1_INTEGER *crl_number;
ASN1_INTEGER *base_crl_number;
#ifndef OPENSSL_NO_SHA
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
#endif
STACK_OF(GENERAL_NAMES) *issuers;
const X509_CRL_METHOD *meth;
void *meth_data;
@@ -664,12 +660,10 @@ OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
#endif
#ifndef OPENSSL_NO_EC
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
#endif
OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
@@ -701,12 +695,10 @@ OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
#endif
#ifndef OPENSSL_NO_EC
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
#endif
OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8);
OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
@@ -770,11 +762,9 @@ OPENSSL_EXPORT int i2d_DSA_PUBKEY(const DSA *a,unsigned char **pp);
OPENSSL_EXPORT DSA * d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp,
long length);
#endif
#ifndef OPENSSL_NO_EC
OPENSSL_EXPORT int i2d_EC_PUBKEY(const EC_KEY *a, unsigned char **pp);
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp,
long length);
#endif

DECLARE_ASN1_FUNCTIONS(X509_SIG)
DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
@@ -946,10 +936,8 @@ OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a);
OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b);
OPENSSL_EXPORT unsigned long X509_subject_name_hash(X509 *x);

#ifndef OPENSSL_NO_MD5
OPENSSL_EXPORT unsigned long X509_issuer_name_hash_old(X509 *a);
OPENSSL_EXPORT unsigned long X509_subject_name_hash_old(X509 *x);
#endif

OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b);
OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);


+ 0
- 4
ssl/s23_clnt.c View File

@@ -289,9 +289,7 @@ static int ssl23_client_hello(SSL *s)
* answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
*/
mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1
#if !defined(OPENSSL_NO_SSL3)
|SSL_OP_NO_SSLv3
#endif
;
#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
version = TLS1_2_VERSION;
@@ -305,11 +303,9 @@ static int ssl23_client_hello(SSL *s)
if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
version = TLS1_VERSION;
mask &= ~SSL_OP_NO_TLSv1;
#if !defined(OPENSSL_NO_SSL3)
if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
version = SSL3_VERSION;
mask &= ~SSL_OP_NO_SSLv3;
#endif

buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A)


+ 0
- 2
ssl/s23_meth.c View File

@@ -65,11 +65,9 @@
static const SSL_METHOD *ssl23_get_method(int ver);
static const SSL_METHOD *ssl23_get_method(int ver)
{
#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_method());
else
#endif
if (ver == TLS1_VERSION)
return(TLSv1_method());
else if (ver == TLS1_1_VERSION)


+ 0
- 2
ssl/s3_both.c View File

@@ -561,12 +561,10 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
{
ret=SSL_PKEY_RSA_ENC;
}
#ifndef OPENSSL_NO_EC
else if (i == EVP_PKEY_EC)
{
ret = SSL_PKEY_ECC;
}
#endif
err:
if(!pkey) EVP_PKEY_free(pk);


+ 2
- 45
ssl/s3_clnt.c View File

@@ -395,10 +395,8 @@ int ssl3_connect(SSL *s)
s->state=SSL3_ST_CW_FINISHED_A;
if (s->s3->tlsext_channel_id_valid)
s->state=SSL3_ST_CW_CHANNEL_ID_A;
# if !defined(OPENSSL_NO_NEXTPROTONEG)
if (s->s3->next_proto_neg_seen)
s->state=SSL3_ST_CW_NEXT_PROTO_A;
# endif
s->init_num=0;

s->session->cipher=s->s3->tmp.new_cipher;
@@ -417,7 +415,6 @@ int ssl3_connect(SSL *s)

break;

#if !defined(OPENSSL_NO_NEXTPROTONEG)
case SSL3_ST_CW_NEXT_PROTO_A:
case SSL3_ST_CW_NEXT_PROTO_B:
ret=ssl3_send_next_proto(s);
@@ -427,7 +424,6 @@ int ssl3_connect(SSL *s)
else
s->state=SSL3_ST_CW_FINISHED_A;
break;
#endif

case SSL3_ST_CW_CHANNEL_ID_A:
case SSL3_ST_CW_CHANNEL_ID_B:
@@ -1147,14 +1143,10 @@ int ssl3_get_server_key_exchange(SSL *s)
EVP_PKEY *pkey=NULL;
const EVP_MD *md = NULL;
RSA *rsa=NULL;
#ifndef OPENSSL_NO_DH
DH *dh=NULL;
#endif
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh = NULL;
BN_CTX *bn_ctx = NULL;
EC_POINT *srvr_ecpoint = NULL;
#endif
CBS server_key_exchange, server_key_exchange_orig, parameter;

/* use same message size as in ssl3_get_certificate_request()
@@ -1210,20 +1202,16 @@ int ssl3_get_server_key_exchange(SSL *s)
RSA_free(s->session->sess_cert->peer_rsa_tmp);
s->session->sess_cert->peer_rsa_tmp=NULL;
}
#ifndef OPENSSL_NO_DH
if (s->session->sess_cert->peer_dh_tmp)
{
DH_free(s->session->sess_cert->peer_dh_tmp);
s->session->sess_cert->peer_dh_tmp=NULL;
}
#endif
#ifndef OPENSSL_NO_ECDH
if (s->session->sess_cert->peer_ecdh_tmp)
{
EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
s->session->sess_cert->peer_ecdh_tmp=NULL;
}
#endif
}
else
{
@@ -1272,8 +1260,7 @@ int ssl3_get_server_key_exchange(SSL *s)
}
}

if (0) {}
else if (alg_k & SSL_kRSA)
if (alg_k & SSL_kRSA)
{
CBS rsa_modulus, rsa_exponent;

@@ -1321,7 +1308,6 @@ int ssl3_get_server_key_exchange(SSL *s)
s->session->sess_cert->peer_rsa_tmp=rsa;
rsa=NULL;
}
#ifndef OPENSSL_NO_DH
else if (alg_k & SSL_kEDH)
{
CBS dh_p, dh_g, dh_Ys;
@@ -1373,9 +1359,7 @@ int ssl3_get_server_key_exchange(SSL *s)
s->session->sess_cert->peer_dh_tmp=dh;
dh=NULL;
}
#endif /* !OPENSSL_NO_DH */

#ifndef OPENSSL_NO_ECDH
else if (alg_k & SSL_kEECDH)
{
uint16_t curve_id;
@@ -1453,10 +1437,8 @@ int ssl3_get_server_key_exchange(SSL *s)
if (0) ;
else if (alg_a & SSL_aRSA)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
#ifndef OPENSSL_NO_ECDSA
else if (alg_a & SSL_aECDSA)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
#endif
/* else anonymous ECDH, so no certificate or pkey. */
EC_KEY_set_public_key(ecdh, srvr_ecpoint);
s->session->sess_cert->peer_ecdh_tmp=ecdh;
@@ -1466,7 +1448,6 @@ int ssl3_get_server_key_exchange(SSL *s)
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
#endif /* !OPENSSL_NO_ECDH */

else if (!(alg_k & SSL_kPSK))
{
@@ -1576,16 +1557,12 @@ err:
EVP_PKEY_free(pkey);
if (rsa != NULL)
RSA_free(rsa);
#ifndef OPENSSL_NO_DH
if (dh != NULL)
DH_free(dh);
#endif
#ifndef OPENSSL_NO_ECDH
BN_CTX_free(bn_ctx);
EC_POINT_free(srvr_ecpoint);
if (ecdh != NULL)
EC_KEY_free(ecdh);
#endif
EVP_MD_CTX_cleanup(&md_ctx);
return(-1);
}
@@ -1913,7 +1890,6 @@ int ssl3_send_client_key_exchange(SSL *s)
unsigned long alg_a;
unsigned char *q;
EVP_PKEY *pkey=NULL;
#ifndef OPENSSL_NO_ECDH
EC_KEY *clnt_ecdh = NULL;
const EC_POINT *srvr_ecpoint = NULL;
EVP_PKEY *srvr_pub_pkey = NULL;
@@ -1922,7 +1898,6 @@ int ssl3_send_client_key_exchange(SSL *s)
BN_CTX * bn_ctx = NULL;
unsigned int psk_len = 0;
unsigned char psk[PSK_MAX_PSK_LEN];
#endif /* OPENSSL_NO_ECDH */

if (s->state == SSL3_ST_CW_KEY_EXCH_A)
{
@@ -2008,9 +1983,7 @@ int ssl3_send_client_key_exchange(SSL *s)
}
}

/* Fool emacs indentation */
if (0) {}
else if (alg_k & SSL_kRSA)
if (alg_k & SSL_kRSA)
{
RSA *rsa;
unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -2070,7 +2043,6 @@ int ssl3_send_client_key_exchange(SSL *s)
tmp_buf,sizeof tmp_buf);
OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
}
#ifndef OPENSSL_NO_DH
else if (alg_k & SSL_kEDH)
{
DH *dh_srvr,*dh_clnt;
@@ -2131,9 +2103,7 @@ int ssl3_send_client_key_exchange(SSL *s)

/* perhaps clean things up a bit EAY EAY EAY EAY*/
}
#endif

#ifndef OPENSSL_NO_ECDH
else if (alg_k & SSL_kEECDH)
{
const EC_GROUP *srvr_group = NULL;
@@ -2286,7 +2256,6 @@ int ssl3_send_client_key_exchange(SSL *s)
EC_KEY_free(clnt_ecdh);
EVP_PKEY_free(srvr_pub_pkey);
}
#endif /* !OPENSSL_NO_ECDH */
else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK)))
{
ssl3_send_alert(s, SSL3_AL_FATAL,
@@ -2302,13 +2271,11 @@ int ssl3_send_client_key_exchange(SSL *s)
/* SSL3_ST_CW_KEY_EXCH_B */
return ssl_do_write(s);
err:
#ifndef OPENSSL_NO_ECDH
BN_CTX_free(bn_ctx);
if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
if (clnt_ecdh != NULL)
EC_KEY_free(clnt_ecdh);
EVP_PKEY_free(srvr_pub_pkey);
#endif
return(-1);
}

@@ -2507,9 +2474,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
EVP_PKEY *pkey=NULL;
SESS_CERT *sc;
RSA *rsa;
#ifndef OPENSSL_NO_DH
DH *dh;
#endif

/* we don't have a certificate */
if (!ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher))
@@ -2526,14 +2491,11 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}

rsa=s->session->sess_cert->peer_rsa_tmp;
#ifndef OPENSSL_NO_DH
dh=s->session->sess_cert->peer_dh_tmp;
#endif

/* This is the passed certificate */

idx=sc->peer_cert_type;
#ifndef OPENSSL_NO_ECDH
if (idx == SSL_PKEY_ECC)
{
if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
@@ -2552,7 +2514,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_ECDSA_SIGNING_CERT);
goto f_err;
}
#endif
pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
EVP_PKEY_free(pkey);
@@ -2570,14 +2531,12 @@ int ssl3_check_cert_and_algorithm(SSL *s)
OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
goto f_err;
}
#ifndef OPENSSL_NO_DH
if ((alg_k & SSL_kEDH) &&
!(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
{
OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_DH_KEY);
goto f_err;
}
#endif

return(1);
f_err:
@@ -2586,7 +2545,6 @@ err:
return(0);
}

# if !defined(OPENSSL_NO_NEXTPROTONEG)
int ssl3_send_next_proto(SSL *s)
{
unsigned int len, padding_len;
@@ -2611,7 +2569,6 @@ int ssl3_send_next_proto(SSL *s)
return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
}

# endif /* !OPENSSL_NO_NEXTPROTONEG */

int ssl3_send_channel_id(SSL *s)
{


+ 0
- 2
ssl/s3_enc.c View File

@@ -369,10 +369,8 @@ int ssl3_setup_key_block(SSL *s)

if (s->session->cipher != NULL)
{
#ifndef OPENSSL_NO_RC4
if (s->session->cipher->algorithm_enc == SSL_RC4)
s->s3->need_record_splitting = 0;
#endif
}
}



+ 5
- 66
ssl/s3_lib.c View File

@@ -578,7 +578,6 @@ const SSL_CIPHER ssl3_ciphers[]={
256,
},

#ifndef OPENSSL_NO_ECDH
/* Cipher C007 */
{
1,
@@ -722,9 +721,7 @@ const SSL_CIPHER ssl3_ciphers[]={
256,
256,
},
#endif /* OPENSSL_NO_ECDH */

#ifndef OPENSSL_NO_ECDH

/* HMAC based TLS v1.2 ciphersuites from RFC5289 */

@@ -878,7 +875,6 @@ const SSL_CIPHER ssl3_ciphers[]={
128,
},

#endif /* OPENSSL_NO_ECDH */

{
1,
@@ -1014,14 +1010,10 @@ void ssl3_free(SSL *s)
ssl3_release_read_buffer(s);
if (s->s3->wbuf.buf != NULL)
ssl3_release_write_buffer(s);
#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
DH_free(s->s3->tmp.dh);
#endif
#ifndef OPENSSL_NO_ECDH
if (s->s3->tmp.ecdh != NULL)
EC_KEY_free(s->s3->tmp.ecdh);
#endif

if (s->s3->tmp.ca_names != NULL)
sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
@@ -1052,20 +1044,16 @@ void ssl3_clear(SSL *s)
OPENSSL_free(s->s3->tmp.certificate_types);
s->s3->tmp.num_certificate_types = 0;

#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
{
DH_free(s->s3->tmp.dh);
s->s3->tmp.dh = NULL;
}
#endif
#ifndef OPENSSL_NO_ECDH
if (s->s3->tmp.ecdh != NULL)
{
EC_KEY_free(s->s3->tmp.ecdh);
s->s3->tmp.ecdh = NULL;
}
#endif
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
rlen = s->s3->rbuf.len;
@@ -1100,14 +1088,12 @@ void ssl3_clear(SSL *s)
s->s3->in_read_app_data=0;
s->version = s->method->version;

#if !defined(OPENSSL_NO_NEXTPROTONEG)
if (s->next_proto_negotiated)
{
OPENSSL_free(s->next_proto_negotiated);
s->next_proto_negotiated = NULL;
s->next_proto_negotiated_len = 0;
}
#endif

s->s3->tlsext_channel_id_valid = 0;
}
@@ -1118,14 +1104,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
{
int ret=0;

if (
cmd == SSL_CTRL_SET_TMP_RSA ||
if (cmd == SSL_CTRL_SET_TMP_RSA ||
cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#ifndef OPENSSL_NO_DSA
cmd == SSL_CTRL_SET_TMP_DH ||
cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
0)
cmd == SSL_CTRL_SET_TMP_DH_CB)
{
if (!ssl_cert_inst(&s->cert))
{
@@ -1168,7 +1150,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
return(ret);
}
break;
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
@@ -1203,8 +1184,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
return(ret);
}
break;
#endif
#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_TMP_ECDH:
{
EC_KEY *ecdh = NULL;
@@ -1241,7 +1220,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
return(ret);
}
break;
#endif /* !OPENSSL_NO_ECDH */
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_NAMETYPE_host_name)
{
@@ -1333,7 +1311,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_SELECT_CURRENT_CERT:
return ssl_cert_select_current(s->cert, (X509 *)parg);

#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_CURVES:
{
const uint16_t *clist;
@@ -1367,7 +1344,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_SET_ECDH_AUTO:
s->cert->ecdh_tmp_auto = larg;
return 1;
#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0);

@@ -1426,25 +1402,17 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
EVP_PKEY *ptmp;
int rv = 0;
sc = s->session->sess_cert;
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
&& !sc->peer_ecdh_tmp)
if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp)
return 0;
#endif
ptmp = EVP_PKEY_new();
if (!ptmp)
return 0;
if (0);
else if (sc->peer_rsa_tmp)
if (sc->peer_rsa_tmp)
rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
#ifndef OPENSSL_NO_DH
else if (sc->peer_dh_tmp)
rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
#endif
#ifndef OPENSSL_NO_ECDH
else if (sc->peer_ecdh_tmp)
rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
#endif
if (rv)
{
*(EVP_PKEY **)parg = ptmp;
@@ -1453,7 +1421,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
EVP_PKEY_free(ptmp);
return 0;
}
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
SSL_SESSION *sess = s->session;
@@ -1463,7 +1430,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
*pformat = sess->tlsext_ecpointformatlist;
return (int)sess->tlsext_ecpointformatlist_length;
}
#endif

case SSL_CTRL_CHANNEL_ID:
s->tlsext_channel_id_enabled = 1;
@@ -1510,12 +1476,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
{
int ret=0;

if (
cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#ifndef OPENSSL_NO_DSA
cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
0)
if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB)
{
if (!ssl_cert_inst(&s->cert))
{
@@ -1529,20 +1490,16 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
case SSL_CTRL_SET_TMP_RSA_CB:
/* Ignore the callback; temporary RSA keys are never used. */
break;
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
}
break;
#endif
#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_TMP_ECDH_CB:
{
s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
}
break;
#endif
case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
s->tlsext_debug_cb=(void (*)(SSL *,int ,int,
unsigned char *, int, void *))fp;
@@ -1573,7 +1530,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return(0);
}
break;
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *new=NULL,*dh;
@@ -1605,8 +1561,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return(0);
}
break;
#endif
#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_TMP_ECDH:
{
EC_KEY *ecdh = NULL;
@@ -1646,7 +1600,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return(0);
}
break;
#endif /* !OPENSSL_NO_ECDH */
case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
ctx->tlsext_servername_arg=parg;
break;
@@ -1681,7 +1634,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return 1;
break;

#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_CURVES:
return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length,
@@ -1690,7 +1642,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
case SSL_CTRL_SET_ECDH_AUTO:
ctx->cert->ecdh_tmp_auto = larg;
return 1;
#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);

@@ -1792,20 +1743,16 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
case SSL_CTRL_SET_TMP_RSA_CB:
/* Ignore the callback; temporary RSA keys are never used. */
break;
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
}
break;
#endif
#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_TMP_ECDH_CB:
{
cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
}
break;
#endif
case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp;
break;
@@ -1959,12 +1906,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
c->name);
#endif

#ifndef OPENSSL_NO_EC
/* if we are considering an ECC cipher suite that uses
* an ephemeral EC key check it */
if (alg_k & SSL_kEECDH)
ok = ok && tls1_check_ec_tmp_key(s, c->id);
#endif /* OPENSSL_NO_EC */

if (ok && sk_SSL_CIPHER_find(allow, &cipher_index, c))
{
@@ -2004,9 +1949,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
const unsigned char *sig;
size_t i, siglen;
int have_rsa_sign = 0;
#ifndef OPENSSL_NO_ECDSA
int have_ecdsa_sign = 0;
#endif

/* If we have custom certificate types set, use them */
if (s->cert->client_certificate_types)
@@ -2025,18 +1968,15 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
have_rsa_sign = 1;
break;

#ifndef OPENSSL_NO_ECDSA
case TLSEXT_signature_ecdsa:
have_ecdsa_sign = 1;
break;
#endif
}
}

if (have_rsa_sign)
p[ret++]=SSL3_CT_RSA_SIGN;

#ifndef OPENSSL_NO_ECDSA
/* ECDSA certs can be used with RSA cipher suites as well
* so we don't need to check for SSL_kECDH or SSL_kEECDH
*/
@@ -2045,7 +1985,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
if (have_ecdsa_sign)
p[ret++]=TLS_CT_ECDSA_SIGN;
}
#endif
return(ret);
}



+ 0
- 28
ssl/s3_srvr.c View File

@@ -500,9 +500,7 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_CHANGE: {
char next_proto_neg = 0;
char channel_id = 0;
# if !defined(OPENSSL_NO_NEXTPROTONEG)
next_proto_neg = s->s3->next_proto_neg_seen;
# endif
channel_id = s->s3->tlsext_channel_id_valid;

/* At this point, the next message must be entirely
@@ -521,7 +519,6 @@ int ssl3_accept(SSL *s)
break;
}

#if !defined(OPENSSL_NO_NEXTPROTONEG)
case SSL3_ST_SR_NEXT_PROTO_A:
case SSL3_ST_SR_NEXT_PROTO_B:
ret=ssl3_get_next_proto(s);
@@ -532,7 +529,6 @@ int ssl3_accept(SSL *s)
else
s->state=SSL3_ST_SR_FINISHED_A;
break;
#endif

case SSL3_ST_SR_CHANNEL_ID_A:
case SSL3_ST_SR_CHANNEL_ID_B:
@@ -1280,16 +1276,12 @@ int ssl3_send_server_key_exchange(SSL *s)
int j,num;
unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
unsigned int u;
#ifndef OPENSSL_NO_DH
DH *dh=NULL,*dhp;
#endif
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh=NULL, *ecdhp;
unsigned char *encodedPoint = NULL;
int encodedlen = 0;
int curve_id = 0;
BN_CTX *bn_ctx = NULL;
#endif
const char* psk_identity_hint = NULL;
size_t psk_identity_hint_len = 0;
EVP_PKEY *pkey;
@@ -1326,7 +1318,6 @@ int ssl3_send_server_key_exchange(SSL *s)
psk_identity_hint_len = 0;
n+=2+psk_identity_hint_len;
}
#ifndef OPENSSL_NO_DH
if (alg_k & SSL_kEDH)
{
dhp=cert->dh_tmp;
@@ -1378,8 +1369,6 @@ int ssl3_send_server_key_exchange(SSL *s)
r[2]=dh->pub_key;
}
else
#endif
#ifndef OPENSSL_NO_ECDH
if (alg_k & SSL_kEECDH)
{
const EC_GROUP *group;
@@ -1504,7 +1493,6 @@ int ssl3_send_server_key_exchange(SSL *s)
r[3]=NULL;
}
else
#endif /* !OPENSSL_NO_ECDH */
if (!(alg_k & SSL_kPSK))
{
al=SSL_AD_HANDSHAKE_FAILURE;
@@ -1561,7 +1549,6 @@ int ssl3_send_server_key_exchange(SSL *s)
}
}

#ifndef OPENSSL_NO_ECDH
if (alg_k & SSL_kEECDH)
{
/* XXX: For now, we only support named (not generic) curves.
@@ -1585,7 +1572,6 @@ int ssl3_send_server_key_exchange(SSL *s)
encodedPoint = NULL;
p += encodedlen;
}
#endif /* OPENSSL_NO_ECDH */

/* not anonymous */
if (pkey != NULL)
@@ -1669,10 +1655,8 @@ int ssl3_send_server_key_exchange(SSL *s)
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
#ifndef OPENSSL_NO_ECDH
if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
BN_CTX_free(bn_ctx);
#endif
EVP_MD_CTX_cleanup(&md_ctx);
return(-1);
}
@@ -1777,19 +1761,15 @@ int ssl3_get_client_key_exchange(SSL *s)
RSA *rsa=NULL;
uint8_t *decrypt_buf = NULL;
EVP_PKEY *pkey=NULL;
#ifndef OPENSSL_NO_DH
BIGNUM *pub=NULL;
DH *dh_srvr;
#endif

#ifndef OPENSSL_NO_ECDH
EC_KEY *srvr_ecdh = NULL;
EVP_PKEY *clnt_pub_pkey = NULL;
EC_POINT *clnt_ecpoint = NULL;
BN_CTX *bn_ctx = NULL;
unsigned int psk_len = 0;
unsigned char psk[PSK_MAX_PSK_LEN];
#endif

n=s->method->ssl_get_message(s,
SSL3_ST_SR_KEY_EXCH_A,
@@ -2018,7 +1998,6 @@ int ssl3_get_client_key_exchange(SSL *s)

premaster_secret_len = sizeof(rand_premaster_secret);
}
#ifndef OPENSSL_NO_DH
else if (alg_k & SSL_kEDH)
{
CBS dh_Yc;
@@ -2071,9 +2050,7 @@ int ssl3_get_client_key_exchange(SSL *s)

premaster_secret_len = dh_len;
}
#endif

#ifndef OPENSSL_NO_ECDH
else if (alg_k & SSL_kEECDH)
{
int field_size = 0, ecdh_len;
@@ -2168,7 +2145,6 @@ int ssl3_get_client_key_exchange(SSL *s)

premaster_secret_len = ecdh_len;
}
#endif
else if (alg_k & SSL_kPSK)
{
/* For plain PSK, other_secret is a block of 0s with the same
@@ -2238,13 +2214,11 @@ err:
}
if (decrypt_buf)
OPENSSL_free(decrypt_buf);
#ifndef OPENSSL_NO_ECDH
EVP_PKEY_free(clnt_pub_pkey);
EC_POINT_free(clnt_ecpoint);
if (srvr_ecdh != NULL)
EC_KEY_free(srvr_ecdh);
BN_CTX_free(bn_ctx);
#endif
return(-1);
}

@@ -2712,7 +2686,6 @@ int ssl3_send_cert_status(SSL *s)
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}

# ifndef OPENSSL_NO_NEXTPROTONEG
/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
* sets the next_proto member in s if found */
int ssl3_get_next_proto(SSL *s)
@@ -2771,7 +2744,6 @@ int ssl3_get_next_proto(SSL *s)

return 1;
}
# endif

/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
int ssl3_get_channel_id(SSL *s)


+ 0
- 20
ssl/ssl_cert.c View File

@@ -161,9 +161,7 @@ void ssl_cert_set_default_md(CERT *cert)
/* Set digest values to defaults */
cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
#ifndef OPENSSL_NO_ECDSA
cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
}

CERT *ssl_cert_new(void)
@@ -205,7 +203,6 @@ CERT *ssl_cert_dup(CERT *cert)
ret->mask_k = cert->mask_k;
ret->mask_a = cert->mask_a;

#ifndef OPENSSL_NO_DH
if (cert->dh_tmp != NULL)
{
ret->dh_tmp = DHparams_dup(cert->dh_tmp);
@@ -236,9 +233,7 @@ CERT *ssl_cert_dup(CERT *cert)
}
}
ret->dh_tmp_cb = cert->dh_tmp_cb;
#endif

#ifndef OPENSSL_NO_ECDH
if (cert->ecdh_tmp)
{
ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
@@ -250,7 +245,6 @@ CERT *ssl_cert_dup(CERT *cert)
}
ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;
#endif

for (i = 0; i < SSL_PKEY_NUM; i++)
{
@@ -366,17 +360,11 @@ CERT *ssl_cert_dup(CERT *cert)

return(ret);
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
err:
#endif
#ifndef OPENSSL_NO_DH
if (ret->dh_tmp != NULL)
DH_free(ret->dh_tmp);
#endif
#ifndef OPENSSL_NO_ECDH
if (ret->ecdh_tmp != NULL)
EC_KEY_free(ret->ecdh_tmp);
#endif

ssl_cert_clear_certs(ret);

@@ -418,12 +406,8 @@ void ssl_cert_free(CERT *c)
if(c == NULL)
return;

#ifndef OPENSSL_NO_DH
if (c->dh_tmp) DH_free(c->dh_tmp);
#endif
#ifndef OPENSSL_NO_ECDH
if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp);
#endif

ssl_cert_clear_certs(c);
if (c->peer_sigalgs)
@@ -591,14 +575,10 @@ void ssl_sess_cert_free(SESS_CERT *sc)

if (sc->peer_rsa_tmp != NULL)
RSA_free(sc->peer_rsa_tmp);
#ifndef OPENSSL_NO_DH
if (sc->peer_dh_tmp != NULL)
DH_free(sc->peer_dh_tmp);
#endif
#ifndef OPENSSL_NO_ECDH
if (sc->peer_ecdh_tmp != NULL)
EC_KEY_free(sc->peer_ecdh_tmp);
#endif

OPENSSL_free(sc);
}


+ 0
- 2
ssl/ssl_ciph.c View File

@@ -289,7 +289,6 @@ int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
(c->algorithm2 & SSL_CIPHER_ALGORITHM2_STATEFUL_AEAD) == 0)
return 0;

#ifndef OPENSSL_NO_AES
switch (c->algorithm_enc)
{
case SSL_AES128GCM:
@@ -308,7 +307,6 @@ int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
return 0;
return 1;
}
#endif

return 0;
}


+ 1
- 45
ssl/ssl_lib.c View File

@@ -344,7 +344,6 @@ SSL *SSL_new(SSL_CTX *ctx)
s->tlsext_ocsp_resplen = -1;
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
s->initial_ctx=ctx;
#ifndef OPENSSL_NO_EC
if (ctx->tlsext_ecpointformatlist)
{
s->tlsext_ecpointformatlist =
@@ -365,10 +364,7 @@ SSL *SSL_new(SSL_CTX *ctx)
s->tlsext_ellipticcurvelist_length =
ctx->tlsext_ellipticcurvelist_length;
}
#endif
# ifndef OPENSSL_NO_NEXTPROTONEG
s->next_proto_negotiated = NULL;
# endif

if (s->ctx->alpn_client_proto_list)
{
@@ -672,10 +668,8 @@ void SSL_free(SSL *s)
if (s->tlsext_hostname)
OPENSSL_free(s->tlsext_hostname);
if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
#ifndef OPENSSL_NO_EC
if (s->tlsext_ecpointformatlist) OPENSSL_free(s->tlsext_ecpointformatlist);
if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist);
#endif /* OPENSSL_NO_EC */
if (s->tlsext_ocsp_exts)
sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
X509_EXTENSION_free);
@@ -701,10 +695,8 @@ void SSL_free(SSL *s)

if (s->ctx) SSL_CTX_free(s->ctx);

#if !defined(OPENSSL_NO_NEXTPROTONEG)
if (s->next_proto_negotiated)
OPENSSL_free(s->next_proto_negotiated);
#endif

if (s->srtp_profiles)
sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
@@ -1773,7 +1765,6 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsi
return status;
}

# ifndef OPENSSL_NO_NEXTPROTONEG
/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
* requested protocol for this connection and returns 0. If the client didn't
* request any protocol, then *data is set to NULL.
@@ -1822,7 +1813,6 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned
ctx->next_proto_select_cb = cb;
ctx->next_proto_select_cb_arg = arg;
}
# endif

/* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
* |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
@@ -2035,10 +2025,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->tlsext_status_cb = 0;
ret->tlsext_status_arg = NULL;

# ifndef OPENSSL_NO_NEXTPROTONEG
ret->next_protos_advertised_cb = 0;
ret->next_proto_select_cb = 0;
# endif
ret->psk_identity_hint=NULL;
ret->psk_client_callback=NULL;
ret->psk_server_callback=NULL;
@@ -2117,12 +2105,10 @@ void SSL_CTX_free(SSL_CTX *a)
if (a->psk_identity_hint)
OPENSSL_free(a->psk_identity_hint);

# ifndef OPENSSL_NO_EC
if (a->tlsext_ecpointformatlist)
OPENSSL_free(a->tlsext_ecpointformatlist);
if (a->tlsext_ellipticcurvelist)
OPENSSL_free(a->tlsext_ellipticcurvelist);
# endif /* OPENSSL_NO_EC */
if (a->alpn_client_proto_list != NULL)
OPENSSL_free(a->alpn_client_proto_list);

@@ -2174,34 +2160,20 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
CERT_PKEY *cpk;
int rsa_enc,rsa_sign,dh_tmp;
unsigned long mask_k,mask_a;
#ifndef OPENSSL_NO_ECDSA
int have_ecc_cert, ecdsa_ok;
#endif
#ifndef OPENSSL_NO_ECDH
int have_ecdh_tmp;
#endif
#ifndef OPENSSL_NO_EC
X509 *x = NULL;
#endif
if (c == NULL) return;

#ifndef OPENSSL_NO_DH
dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
#else
dh_tmp=0;
#endif

#ifndef OPENSSL_NO_ECDH
have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
#endif
cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
rsa_enc= cpk->valid_flags & CERT_PKEY_VALID;
cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
rsa_sign= cpk->valid_flags & CERT_PKEY_SIGN;
cpk= &(c->pkeys[SSL_PKEY_ECC]);
#ifndef OPENSSL_NO_EC
have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID;
#endif
mask_k=0;
mask_a=0;

@@ -2226,7 +2198,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)

/* An ECC certificate may be usable for ECDSA cipher suites depending on
* the key usage extension. */
#ifndef OPENSSL_NO_EC
if (have_ecc_cert)
{
cpk = &c->pkeys[SSL_PKEY_ECC];
@@ -2237,21 +2208,16 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
if (!(cpk->valid_flags & CERT_PKEY_SIGN))
ecdsa_ok = 0;
#ifndef OPENSSL_NO_ECDSA
if (ecdsa_ok)
{
mask_a|=SSL_aECDSA;
}
#endif
}
#endif

#ifndef OPENSSL_NO_ECDH
if (have_ecdh_tmp)
{
mask_k|=SSL_kEECDH;
}
#endif

mask_k |= SSL_kPSK;
mask_a |= SSL_aPSK;
@@ -2265,7 +2231,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
#define ku_reject(x, usage) \
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))

#ifndef OPENSSL_NO_EC

int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
{
@@ -2295,7 +2260,6 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
return 1; /* all checks are ok */
}

#endif

static int ssl_get_server_cert_index(const SSL *s)
{
@@ -2964,7 +2928,6 @@ RSA *cb(SSL *ssl,int is_export,int keylength)
* \param dh the callback
*/

#ifndef OPENSSL_NO_DH
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
int keylength))
{
@@ -2976,9 +2939,7 @@ void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
{
SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
}
#endif

#ifndef OPENSSL_NO_ECDH
void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
int keylength))
{
@@ -2990,7 +2951,6 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
{
SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
}
#endif

int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
{
@@ -3144,11 +3104,7 @@ int ssl3_can_cutthrough(const SSL *s)
return 0;

/* require ALPN or NPN extension */
if (!s->s3->alpn_selected
#ifndef OPENSSL_NO_NEXTPROTONEG
&& !s->s3->next_proto_neg_seen
#endif
)
if (!s->s3->alpn_selected && !s->s3->next_proto_neg_seen)
{
return 0;
}


+ 0
- 18
ssl/ssl_locl.h View File

@@ -415,14 +415,12 @@
#define PENDING_SESSION -10000
#define CERTIFICATE_SELECTION_PENDING -10001

#ifndef OPENSSL_NO_EC
/* From ECC-TLS draft, used in encoding the curve type in
* ECParameters
*/
#define EXPLICIT_PRIME_CURVE_TYPE 1
#define EXPLICIT_CHAR2_CURVE_TYPE 2
#define NAMED_CURVE_TYPE 3
#endif /* OPENSSL_NO_EC */

/* Values for the |hash_message| parameter of |s->method->ssl_get_message|. */
#define SSL_GET_MESSAGE_DONT_HASH_MESSAGE 0
@@ -463,17 +461,13 @@ typedef struct cert_st
unsigned long mask_a;
/* Client only */
unsigned long mask_ssl;
#ifndef OPENSSL_NO_DH
DH *dh_tmp;
DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
#endif
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh_tmp;
/* Callback for generating ephemeral ECDH keys */
EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize);
/* Select ECDH parameters automatically */
int ecdh_tmp_auto;
#endif
/* Flags related to certificates */
unsigned int cert_flags;
CERT_PKEY pkeys[SSL_PKEY_NUM];
@@ -549,12 +543,8 @@ typedef struct sess_cert_st
* so maybe we shouldn't even use the CERT_PKEY type here. */

RSA *peer_rsa_tmp; /* not used for SSL 2 */
#ifndef OPENSSL_NO_DH
DH *peer_dh_tmp; /* not used for SSL 2 */
#endif
#ifndef OPENSSL_NO_ECDH
EC_KEY *peer_ecdh_tmp;
#endif
} SESS_CERT;
/* Structure containing decoded values of signature algorithms extension */
struct tls_sigalgs_st
@@ -990,10 +980,8 @@ int ssl3_send_client_key_exchange(SSL *s);
int ssl3_get_server_key_exchange(SSL *s);
int ssl3_get_server_certificate(SSL *s);
int ssl3_check_cert_and_algorithm(SSL *s);
# ifndef OPENSSL_NO_NEXTPROTONEG
int ssl3_send_next_proto(SSL *s);
int ssl3_send_channel_id(SSL *s);
# endif

int dtls1_client_hello(SSL *s);

@@ -1007,10 +995,8 @@ int ssl3_send_server_done(SSL *s);
int ssl3_get_client_certificate(SSL *s);
int ssl3_get_client_key_exchange(SSL *s);
int ssl3_get_cert_verify(SSL *s);
#ifndef OPENSSL_NO_NEXTPROTONEG
int ssl3_get_next_proto(SSL *s);
int ssl3_get_channel_id(SSL *s);
#endif

int ssl23_accept(SSL *s);
int ssl23_connect(SSL *s);
@@ -1050,12 +1036,9 @@ int tls1_alert_code(int code);
int ssl3_alert_code(int code);
int ssl_ok(SSL *s);

#ifndef OPENSSL_NO_ECDH
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
#endif

char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx);
#ifndef OPENSSL_NO_EC
int tls1_ec_curve_id2nid(uint16_t curve_id);
uint16_t tls1_ec_nid2curve_id(int nid);

@@ -1078,7 +1061,6 @@ int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len,
const int *curves, size_t ncurves);

int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
#endif /* OPENSSL_NO_EC */

int tls1_shared_list(SSL *s,
const unsigned char *l1, size_t l1len,


+ 0
- 2
ssl/ssl_sess.c View File

@@ -710,12 +710,10 @@ void SSL_SESSION_free(SSL_SESSION *ss)
if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
#ifndef OPENSSL_NO_EC
ss->tlsext_ecpointformatlist_length = 0;
if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist);
ss->tlsext_ellipticcurvelist_length = 0;
if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
#endif /* OPENSSL_NO_EC */
if (ss->tlsext_signed_cert_timestamp_list != NULL)
OPENSSL_free(ss->tlsext_signed_cert_timestamp_list);
if (ss->psk_identity_hint != NULL)


+ 0
- 8
ssl/ssl_stat.c View File

@@ -101,7 +101,6 @@ case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;

#ifndef OPENSSL_NO_SSL3
/* SSLv3 additions */
case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break;
case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break;
@@ -169,9 +168,7 @@ case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break;
case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break;
case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
#endif

#if !defined(OPENSSL_NO_SSL3)
/* SSLv2/v3 compatibility states */
/* client */
case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break;
@@ -182,7 +179,6 @@ case SSL23_ST_CR_SRVR_HELLO_B: str="SSLv2/v3 read server hello B"; break;
case SSL23_ST_SR_CLNT_HELLO: str="SSLv2/v3 read client hello"; break;
case SSL23_ST_SR_V2_CLNT_HELLO: str="SSLv2/v3 read v2 client hello"; break;
case SSL23_ST_SR_SWITCH_VERSION: str="SSLv2/v3 switch version"; break;
#endif

/* DTLS */
case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DTLS1 read hello verify request A"; break;
@@ -220,7 +216,6 @@ case SSL_ST_ACCEPT: str="AINIT "; break;
case SSL_ST_CONNECT: str="CINIT "; break;
case SSL_ST_OK: str="SSLOK "; break;

#ifndef OPENSSL_NO_SSL3
/* SSLv3 additions */
case SSL3_ST_SW_FLUSH:
case SSL3_ST_CW_FLUSH: str="3FLUSH"; break;
@@ -283,9 +278,7 @@ case SSL3_ST_SR_KEY_EXCH_A: str="3RCKEA"; break;
case SSL3_ST_SR_KEY_EXCH_B: str="3RCKEB"; break;
case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break;
case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break;
#endif

#if !defined(OPENSSL_NO_SSL3)
/* SSLv2/v3 compatibility states */
/* client */
case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break;
@@ -296,7 +289,6 @@ case SSL23_ST_CR_SRVR_HELLO_B: str="23RSHA"; break;
case SSL23_ST_SR_CLNT_HELLO: str="23RCH_"; break;
case SSL23_ST_SR_V2_CLNT_HELLO: str="23R2CH"; break;
case SSL23_ST_SR_SWITCH_VERSION: str="23RSW_"; break;
#endif
/* DTLS */
case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DRCHVA"; break;
case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DRCHVB"; break;


+ 0
- 2
ssl/t1_enc.c View File

@@ -675,10 +675,8 @@ printf("\nkey block\n");

if (s->session->cipher != NULL)
{
#ifndef OPENSSL_NO_RC4
if (s->session->cipher->algorithm_enc == SSL_RC4)
s->s3->need_record_splitting = 0;
#endif
}
}


+ 0
- 61
ssl/t1_lib.c View File

@@ -365,7 +365,6 @@ SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx *ctx,
return 0;
}

#ifndef OPENSSL_NO_EC

static const int nid_list[] =
{
@@ -704,14 +703,6 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
#endif
}

#else

static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
{
return 1;
}

#endif /* OPENSSL_NO_EC */


/* List of supported signature algorithms and hashes. Should make this
@@ -720,11 +711,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)

#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,

#ifdef OPENSSL_NO_ECDSA
#define tlsext_sigalg_ecdsa(md) /* */
#else
#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
#endif

#define tlsext_sigalg(md) \
tlsext_sigalg_rsa(md) \
@@ -735,9 +722,7 @@ static const uint8_t tls12_sigalgs[] = {
tlsext_sigalg(TLSEXT_hash_sha384)
tlsext_sigalg(TLSEXT_hash_sha256)
tlsext_sigalg(TLSEXT_hash_sha224)
#ifndef OPENSSL_NO_SHA
tlsext_sigalg(TLSEXT_hash_sha1)
#endif
};
size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
{
@@ -793,7 +778,6 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert,
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
}
#ifndef OPENSSL_NO_EC
if (pkey->type == EVP_PKEY_EC)
{
uint16_t curve_id;
@@ -811,7 +795,6 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert,
return 0;
}
}
#endif

/* Check signature matches a type we sent */
sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
@@ -872,11 +855,9 @@ void ssl_set_client_disabled(SSL *s)
case TLSEXT_signature_rsa:
have_rsa = 1;
break;
#ifndef OPENSSL_NO_ECDSA
case TLSEXT_signature_ecdsa:
have_ecdsa = 1;
break;
#endif
}
}
/* Disable auth if we don't include any appropriate signature
@@ -907,7 +888,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
int extdatalen=0;
unsigned char *ret = buf;
unsigned char *orig = buf;
#ifndef OPENSSL_NO_EC
/* See if we support any ECC ciphersuites */
int using_ecc = 0;
if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
@@ -929,7 +909,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
}
}
}
#endif

/* don't add extensions for SSLv3 unless doing secure renegotiation */
if (s->client_version == SSL3_VERSION
@@ -1097,7 +1076,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
{
/* The client advertises an emtpy extension to indicate its
@@ -1107,7 +1085,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
s2n(TLSEXT_TYPE_next_proto_neg,ret);
s2n(0,ret);
}
#endif

if (s->signed_cert_timestamps_enabled && !s->s3->tmp.finish_md_len)
{
@@ -1163,7 +1140,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
ret += el;
}

#ifndef OPENSSL_NO_EC
if (using_ecc)
{
/* Add TLS extension ECPointFormats to the ClientHello message */
@@ -1213,7 +1189,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
s2n(curves[i], ret);
}
}
#endif /* OPENSSL_NO_EC */

#ifdef TLSEXT_TYPE_padding
/* Add padding to workaround bugs in F5 terminators.
@@ -1258,15 +1233,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
int extdatalen=0;
unsigned char *orig = buf;
unsigned char *ret = buf;
#ifndef OPENSSL_NO_NEXTPROTONEG
int next_proto_neg_seen;
#endif
#ifndef OPENSSL_NO_EC
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
int using_ecc = (alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA);
using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
#endif
/* don't add extensions for SSLv3, unless doing secure renegotiation */
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
return orig;
@@ -1306,7 +1277,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
ret += el;
}

#ifndef OPENSSL_NO_EC
if (using_ecc)
{
const unsigned char *plist;
@@ -1332,7 +1302,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c

}
/* Currently the server should not respond with a SupportedCurves extension */
#endif /* OPENSSL_NO_EC */

if (s->tlsext_ticket_expected
&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
@@ -1368,7 +1337,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
ret+=el;
}

#ifndef OPENSSL_NO_NEXTPROTONEG
next_proto_neg_seen = s->s3->next_proto_neg_seen;
s->s3->next_proto_neg_seen = 0;
if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
@@ -1388,7 +1356,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
s->s3->next_proto_neg_seen = 1;
}
}
#endif

if (s->s3->alpn_selected)
{
@@ -1486,9 +1453,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)

s->servername_done = 0;
s->tlsext_status_type = -1;
#ifndef OPENSSL_NO_NEXTPROTONEG
s->s3->next_proto_neg_seen = 0;
#endif

if (s->s3->alpn_selected)
{
@@ -1660,7 +1625,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)
}
}

#ifndef OPENSSL_NO_EC
else if (type == TLSEXT_TYPE_ec_point_formats)
{
CBS ec_point_format_list;
@@ -1729,7 +1693,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)
s->session->tlsext_ellipticcurvelist_length = num_curves;
}
}
#endif /* OPENSSL_NO_EC */
else if (type == TLSEXT_TYPE_session_ticket)
{
if (s->tls_session_ticket_ext_cb &&
@@ -1895,7 +1858,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)
}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
else if (type == TLSEXT_TYPE_next_proto_neg &&
s->s3->tmp.finish_md_len == 0 &&
s->s3->alpn_selected == NULL)
@@ -1924,7 +1886,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)
* Finished message could have been computed.) */
s->s3->next_proto_neg_seen = 1;
}
#endif

else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
s->ctx->alpn_select_cb &&
@@ -1932,10 +1893,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)
{
if (!tls1_alpn_handle_client_hello(s, &extension, out_alert))
return 0;
#ifndef OPENSSL_NO_NEXTPROTONEG
/* ALPN takes precedence over NPN. */
s->s3->next_proto_neg_seen = 0;
#endif
}

else if (type == TLSEXT_TYPE_channel_id &&
@@ -2009,7 +1968,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs)
return 1;
}

#ifndef OPENSSL_NO_NEXTPROTONEG
/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
* elements of zero length are allowed and the set of elements must exactly fill
* the length of the block. */
@@ -2028,7 +1986,6 @@ static char ssl_next_proto_validate(const CBS *cbs)
}
return 1;
}
#endif

static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert)
{
@@ -2036,9 +1993,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert)
int renegotiate_seen = 0;
CBS extensions;

#ifndef OPENSSL_NO_NEXTPROTONEG
s->s3->next_proto_neg_seen = 0;
#endif

s->tlsext_ticket_expected = 0;

@@ -2097,7 +2052,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert)
}
tlsext_servername = 1;
}
#ifndef OPENSSL_NO_EC
else if (type == TLSEXT_TYPE_ec_point_formats)
{
CBS ec_point_format_list;
@@ -2120,7 +2074,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert)
}
}
}
#endif /* OPENSSL_NO_EC */
else if (type == TLSEXT_TYPE_session_ticket)
{
if (s->tls_session_ticket_ext_cb &&
@@ -2156,7 +2109,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert)
/* Set a flag to expect a CertificateStatus message */
s->tlsext_status_expected = 1;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
else if (type == TLSEXT_TYPE_next_proto_neg && s->s3->tmp.finish_md_len == 0) {
unsigned char *selected;
unsigned char selected_len;
@@ -2192,7 +2144,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert)
s->next_proto_negotiated_len = selected_len;
s->s3->next_proto_neg_seen = 1;
}
#endif
else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
{
CBS protocol_name_list, protocol_name;
@@ -2335,14 +2286,12 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
int ret=SSL_TLSEXT_ERR_NOACK;
int al = SSL_AD_UNRECOGNIZED_NAME;

#ifndef OPENSSL_NO_EC
/* The handling of the ECPointFormats extension is done elsewhere, namely in
* ssl3_choose_cipher in s3_lib.c.
*/
/* The handling of the EllipticCurves extension is done elsewhere, namely in
* ssl3_choose_cipher in s3_lib.c.
*/
#endif

if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
@@ -2436,7 +2385,6 @@ int ssl_check_serverhello_tlsext(SSL *s)
int ret=SSL_TLSEXT_ERR_NOACK;
int al = SSL_AD_UNRECOGNIZED_NAME;

#ifndef OPENSSL_NO_EC
/* If we are client and using an elliptic curve cryptography cipher
* suite, then if server returns an EC point formats lists extension
* it must contain uncompressed.
@@ -2467,7 +2415,6 @@ int ssl_check_serverhello_tlsext(SSL *s)
}
}
ret = SSL_TLSEXT_ERR_OK;
#endif /* OPENSSL_NO_EC */

if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
@@ -2812,14 +2759,10 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
{
switch(hash_alg)
{
#ifndef OPENSSL_NO_MD5
case TLSEXT_hash_md5:
return EVP_md5();
#endif
#ifndef OPENSSL_NO_SHA
case TLSEXT_hash_sha1:
return EVP_sha1();
#endif
case TLSEXT_hash_sha224:
return EVP_sha224();

@@ -2842,10 +2785,8 @@ static int tls12_get_pkey_idx(unsigned char sig_alg)
{
case TLSEXT_signature_rsa:
return SSL_PKEY_RSA_SIGN;
#ifndef OPENSSL_NO_ECDSA
case TLSEXT_signature_ecdsa:
return SSL_PKEY_ECC;
#endif
}
return -1;
}
@@ -3050,10 +2991,8 @@ int tls1_process_sigalgs(SSL *s, const CBS *sigalgs)
c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
}
#ifndef OPENSSL_NO_ECDSA
if (!c->pkeys[SSL_PKEY_ECC].digest)
c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
}
return 1;
}


Write Preview
Loading…
Cancel
Save