From 457112e1973251a721ae419128d7108844d3c1a3 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Wed, 27 Aug 2014 14:35:09 -0400 Subject: [PATCH] unifdef a bunch of OPENSSL_NO_* ifdefs. Get all this stuff out of the way. - OPENSSL_NO_MD5 - OPENSSL_NO_SHA - OPENSSL_NO_EC - OPENSSL_NO_ECDSA - OPENSSL_NO_ECDH - OPENSSL_NO_NEXTPROTONEG - OPENSSL_NO_DH - OPENSSL_NO_SSL3 - OPENSSL_NO_RC4 - OPENSSL_NO_RSA Also manually removed a couple instances of OPENSSL_NO_DSA that seemed to be confused anyway. Did some minor manual cleanup. (Removed a few now-pointless 'if (0)'s.) Change-Id: Id540ba97ee22ff2309ab20ceb24c7eabe766d4c4 Reviewed-on: https://boringssl-review.googlesource.com/1662 Reviewed-by: Adam Langley --- crypto/pem/pem_all.c | 4 --- crypto/pem/pem_info.c | 2 -- crypto/pem/pem_pkey.c | 2 -- crypto/x509/x509_cmp.c | 26 --------------- crypto/x509/x509_req.c | 4 --- crypto/x509/x_all.c | 2 -- crypto/x509/x_crl.c | 2 -- crypto/x509/x_pubkey.c | 2 -- crypto/x509v3/v3_purp.c | 2 -- include/openssl/pem.h | 6 ---- include/openssl/ssl.h | 16 ---------- include/openssl/ssl3.h | 12 ------- include/openssl/tls1.h | 2 -- include/openssl/x509.h | 12 ------- ssl/s23_clnt.c | 4 --- ssl/s23_meth.c | 2 -- ssl/s3_both.c | 2 -- ssl/s3_clnt.c | 47 ++------------------------- ssl/s3_enc.c | 2 -- ssl/s3_lib.c | 71 +++-------------------------------------- ssl/s3_srvr.c | 28 ---------------- ssl/ssl_cert.c | 20 ------------ ssl/ssl_ciph.c | 2 -- ssl/ssl_lib.c | 46 +------------------------- ssl/ssl_locl.h | 18 ----------- ssl/ssl_sess.c | 2 -- ssl/ssl_stat.c | 8 ----- ssl/t1_enc.c | 2 -- ssl/t1_lib.c | 61 ----------------------------------- 29 files changed, 8 insertions(+), 401 deletions(-) diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c index c1b8d6ed..24ecc62a 100644 --- a/crypto/pem/pem_all.c +++ b/crypto/pem/pem_all.c @@ -224,7 +224,6 @@ IMPLEMENT_PEM_rw_const(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams) #endif -#ifndef OPENSSL_NO_EC static EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey) { EC_KEY *dtmp; @@ -271,15 +270,12 @@ EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb, #endif -#endif -#ifndef OPENSSL_NO_DH IMPLEMENT_PEM_write_const(DHparams, DH, PEM_STRING_DHPARAMS, DHparams) /* TODO(fork): remove this code? */ /* IMPLEMENT_PEM_write_const(DHxparams, DH, PEM_STRING_DHXPARAMS, DHxparams) */ -#endif IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY) diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index 6e59a7fc..c4974c20 100644 --- a/crypto/pem/pem_info.c +++ b/crypto/pem/pem_info.c @@ -207,7 +207,6 @@ start: } else #endif -#ifndef OPENSSL_NO_EC if (strcmp(name,PEM_STRING_ECPRIVATEKEY) == 0) { d2i=(D2I_OF(void))d2i_ECPrivateKey; @@ -228,7 +227,6 @@ start: raw=1; } else -#endif { d2i=NULL; pp=NULL; diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index d0f08c8e..0ef08d0e 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -262,7 +262,6 @@ int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, #endif -#ifndef OPENSSL_NO_DH /* Transparently read in PKCS#3 or X9.42 DH parameters */ @@ -310,4 +309,3 @@ DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u) } #endif -#endif diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 57e6167e..0974ef65 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -78,7 +78,6 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) return(X509_NAME_cmp(ai->issuer,bi->issuer)); } -#ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_and_serial_hash(X509 *a) { unsigned long ret=0; @@ -105,7 +104,6 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) EVP_MD_CTX_cleanup(&ctx); return(ret); } -#endif int X509_issuer_name_cmp(const X509 *a, const X509 *b) { @@ -122,12 +120,10 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer)); } -#ifndef OPENSSL_NO_SHA int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) { return memcmp(a->sha1_hash, b->sha1_hash, 20); } -#endif X509_NAME *X509_get_issuer_name(X509 *a) { @@ -139,12 +135,10 @@ unsigned long X509_issuer_name_hash(X509 *x) return(X509_NAME_hash(x->cert_info->issuer)); } -#ifndef OPENSSL_NO_MD5 unsigned long X509_issuer_name_hash_old(X509 *x) { return(X509_NAME_hash_old(x->cert_info->issuer)); } -#endif X509_NAME *X509_get_subject_name(X509 *a) { @@ -161,14 +155,11 @@ unsigned long X509_subject_name_hash(X509 *x) return(X509_NAME_hash(x->cert_info->subject)); } -#ifndef OPENSSL_NO_MD5 unsigned long X509_subject_name_hash_old(X509 *x) { return(X509_NAME_hash_old(x->cert_info->subject)); } -#endif -#ifndef OPENSSL_NO_SHA /* Compare two certificates: they must be identical for * this to work. NB: Although "cmp" operations are generally * prototyped to take "const" arguments (eg. for use in @@ -199,7 +190,6 @@ int X509_cmp(const X509 *a, const X509 *b) } return rv; } -#endif int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) @@ -249,7 +239,6 @@ unsigned long X509_NAME_hash(X509_NAME *x) } -#ifndef OPENSSL_NO_MD5 /* I now DER encode the name and hash it. Since I cache the DER encoding, * this is reasonably efficient. */ @@ -273,7 +262,6 @@ unsigned long X509_NAME_hash_old(X509_NAME *x) return(ret); } -#endif /* Search a stack of X509 for a match */ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, @@ -364,7 +352,6 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k) * flags. */ -#ifndef OPENSSL_NO_EC static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags) { @@ -484,19 +471,6 @@ int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) return check_suite_b(pk, sign_nid, &flags); } -#else -int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, - unsigned long flags) - { - return 0; - } - -int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) - { - return 0; - } - -#endif /* Not strictly speaking an "up_ref" as a STACK doesn't have a reference * count but it has the same effect by duping the STACK and upping the ref * of each X509 structure. diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index ccaf7296..64f2c37f 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -132,21 +132,17 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, X509_R_KEY_TYPE_MISMATCH); break; case -2: -#ifndef OPENSSL_NO_EC if (k->type == EVP_PKEY_EC) { OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, ERR_R_EC_LIB); break; } -#endif -#ifndef OPENSSL_NO_DH if (k->type == EVP_PKEY_DH) { /* No idea */ OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, X509_R_CANT_CHECK_DH_KEY); break; } -#endif OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, X509_R_UNKNOWN_KEY_TYPE); } diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 08cc79d7..cbc46e27 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -345,7 +345,6 @@ int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa) #endif -#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_FP_API EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey) { @@ -386,7 +385,6 @@ int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey) { return ASN1_i2d_bio_of_const(EC_KEY,i2d_ECPrivateKey,bp,eckey); } -#endif int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md, diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index 2f77fd73..21785dc7 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c @@ -234,9 +234,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, break; case ASN1_OP_D2I_POST: -#ifndef OPENSSL_NO_SHA X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL); -#endif crl->idp = X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, NULL, NULL); if (crl->idp) diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index 04275f76..c285aa67 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -300,7 +300,6 @@ int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp) } #endif -#ifndef OPENSSL_NO_EC EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length) { EVP_PKEY *pkey; @@ -336,7 +335,6 @@ int i2d_EC_PUBKEY(const EC_KEY *a, unsigned char **pp) EVP_PKEY_free(pktmp); return(ret); } -#endif int X509_PUBKEY_set0_param(X509_PUBKEY *pub, const ASN1_OBJECT *aobj, int ptype, void *pval, diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index feebd9a4..e08bdf4c 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -361,9 +361,7 @@ static void x509v3_cache_extensions(X509 *x) size_t i; int j; if(x->ex_flags & EXFLAG_SET) return; -#ifndef OPENSSL_NO_SHA X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); -#endif /* V1 should mean no extensions ... */ if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ diff --git a/include/openssl/pem.h b/include/openssl/pem.h index 3eaac0a4..c18cedda 100644 --- a/include/openssl/pem.h +++ b/include/openssl/pem.h @@ -465,18 +465,14 @@ DECLARE_PEM_rw_const(DSAparams, DSA) #endif -#ifndef OPENSSL_NO_EC DECLARE_PEM_rw_const(ECPKParameters, EC_GROUP) DECLARE_PEM_rw_cb(ECPrivateKey, EC_KEY) DECLARE_PEM_rw(EC_PUBKEY, EC_KEY) -#endif -#ifndef OPENSSL_NO_DH DECLARE_PEM_rw_const(DHparams, DH) DECLARE_PEM_write_const(DHxparams, DH) -#endif DECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY) @@ -506,10 +502,8 @@ OPENSSL_EXPORT EVP_PKEY *b2i_PrivateKey_bio(BIO *in); OPENSSL_EXPORT EVP_PKEY *b2i_PublicKey_bio(BIO *in); OPENSSL_EXPORT int i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk); OPENSSL_EXPORT int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk); -#ifndef OPENSSL_NO_RC4 OPENSSL_EXPORT EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u); OPENSSL_EXPORT int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u); -#endif void ERR_load_PEM_strings(void); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 725bb093..de91feb1 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -441,12 +441,10 @@ struct ssl_session_st * efficient and to implement a maximum cache size. */ struct ssl_session_st *prev,*next; char *tlsext_hostname; -#ifndef OPENSSL_NO_EC size_t tlsext_ecpointformatlist_length; unsigned char *tlsext_ecpointformatlist; /* peer's list */ size_t tlsext_ellipticcurvelist_length; uint16_t *tlsext_ellipticcurvelist; /* peer's list */ -#endif /* OPENSSL_NO_EC */ /* RFC4507 info */ uint8_t *tlsext_tick; /* Session ticket */ size_t tlsext_ticklen; /* Session ticket length */ @@ -964,7 +962,6 @@ struct ssl_ctx_st * memory and session space. Only effective on the server side. */ char retain_only_sha256_of_client_certs; -# ifndef OPENSSL_NO_NEXTPROTONEG /* Next protocol negotiation information */ /* (for experimental NPN extension). */ @@ -981,7 +978,6 @@ struct ssl_ctx_st unsigned int inlen, void *arg); void *next_proto_select_cb_arg; -# endif /* ALPN information * (we are in the process of transitioning from NPN to ALPN.) */ @@ -1009,13 +1005,11 @@ struct ssl_ctx_st /* SRTP profiles we are willing to do from RFC 5764 */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; -# ifndef OPENSSL_NO_EC /* EC extension values inherited by SSL structure */ size_t tlsext_ecpointformatlist_length; uint8_t *tlsext_ecpointformatlist; size_t tlsext_ellipticcurvelist_length; uint16_t *tlsext_ellipticcurvelist; -# endif /* OPENSSL_NO_EC */ /* If true, a client will advertise the Channel ID extension and a * server will echo it. */ @@ -1115,7 +1109,6 @@ OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx); * WARNING: the returned data is not guaranteed to be well formed. */ OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, uint8_t **out, size_t *out_len); -#ifndef OPENSSL_NO_NEXTPROTONEG OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, int (*cb) (SSL *ssl, const unsigned char **out, @@ -1129,7 +1122,6 @@ OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s, void *arg); OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *s, const uint8_t **data, unsigned *len); -#endif OPENSSL_EXPORT int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, @@ -1376,12 +1368,10 @@ struct ssl_st /* RFC4507 session ticket expected to be received or sent */ int tlsext_ticket_expected; -#ifndef OPENSSL_NO_EC size_t tlsext_ecpointformatlist_length; uint8_t *tlsext_ecpointformatlist; /* our list */ size_t tlsext_ellipticcurvelist_length; uint16_t *tlsext_ellipticcurvelist; /* our list */ -#endif /* OPENSSL_NO_EC */ /* TLS Session Ticket extension override */ TLS_SESSION_TICKET_EXT *tlsext_session_ticket; @@ -1396,7 +1386,6 @@ struct ssl_st SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ -#ifndef OPENSSL_NO_NEXTPROTONEG /* Next protocol negotiation. For the client, this is the protocol that * we sent in NextProtocol and is set when handling ServerHello * extensions. @@ -1406,7 +1395,6 @@ struct ssl_st * before the Finished message. */ uint8_t *next_proto_negotiated; size_t next_proto_negotiated_len; -#endif #define session_ctx initial_ctx @@ -2228,22 +2216,18 @@ OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl,int is_export, int keylength)); -#ifndef OPENSSL_NO_DH OPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl,int is_export, int keylength)); OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl,int is_export, int keylength)); -#endif -#ifndef OPENSSL_NO_ECDH OPENSSL_EXPORT void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl,int is_export, int keylength)); OPENSSL_EXPORT void SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl,int is_export, int keylength)); -#endif OPENSSL_EXPORT const void *SSL_get_current_compression(SSL *s); OPENSSL_EXPORT const void *SSL_get_current_expansion(SSL *s); diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index 4cc9f6cf..2e9b8cc2 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -432,13 +432,9 @@ typedef struct ssl3_state_st /* used to hold the new cipher we are going to use */ const SSL_CIPHER *new_cipher; -#ifndef OPENSSL_NO_DH DH *dh; -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh; /* holds short lived ECDH key */ -#endif /* used when SSL_ST_FLUSH_DATA is entered */ int next_state; @@ -482,10 +478,8 @@ typedef struct ssl3_state_st unsigned char previous_server_finished_len; int send_connection_binding; /* TODOEKR */ -#ifndef OPENSSL_NO_NEXTPROTONEG /* Set if we saw the Next Protocol Negotiation extension from our peer. */ int next_proto_neg_seen; -#endif /* ALPN information * (we are in the process of transitioning from NPN to ALPN.) */ @@ -548,10 +542,8 @@ typedef struct ssl3_state_st #define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) -#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) -#endif #define SSL3_ST_CW_CHANNEL_ID_A (0x220|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANNEL_ID_B (0x221|SSL_ST_CONNECT) #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) @@ -598,10 +590,8 @@ typedef struct ssl3_state_st #define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT) #define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANGE (0x1B0|SSL_ST_ACCEPT) -#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) -#endif #define SSL3_ST_SR_CHANNEL_ID_A (0x230|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANNEL_ID_B (0x231|SSL_ST_ACCEPT) #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) @@ -631,9 +621,7 @@ typedef struct ssl3_state_st #define SSL3_MT_FINISHED 20 #define SSL3_MT_CERTIFICATE_STATUS 22 #define SSL3_MT_SUPPLEMENTAL_DATA 23 -#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_MT_NEXT_PROTO 67 -#endif #define SSL3_MT_ENCRYPTED_EXTENSIONS 203 #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 76a12969..b8dd7ae5 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -249,10 +249,8 @@ extern "C" { /* ExtensionType value from RFC6962 */ #define TLSEXT_TYPE_certificate_timestamp 18 -#ifndef OPENSSL_NO_NEXTPROTONEG /* This is not an IANA defined extension number */ #define TLSEXT_TYPE_next_proto_neg 13172 -#endif /* This is not an IANA defined extension number */ #define TLSEXT_TYPE_channel_id 30031 diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 29fba40a..1f277f3d 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -259,9 +259,7 @@ struct x509_st STACK_OF(DIST_POINT) *crldp; STACK_OF(GENERAL_NAME) *altname; NAME_CONSTRAINTS *nc; -#ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; -#endif X509_CERT_AUX *aux; } /* X509 */; @@ -433,9 +431,7 @@ struct X509_crl_st /* CRL and base CRL numbers for delta processing */ ASN1_INTEGER *crl_number; ASN1_INTEGER *base_crl_number; -#ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; -#endif STACK_OF(GENERAL_NAMES) *issuers; const X509_CRL_METHOD *meth; void *meth_data; @@ -664,12 +660,10 @@ OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa); OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); #endif -#ifndef OPENSSL_NO_EC OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey); OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey); OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey); OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey); -#endif OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8); OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8); OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, @@ -701,12 +695,10 @@ OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa); OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa); OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa); #endif -#ifndef OPENSSL_NO_EC OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey); OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey); OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey); OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey); -#endif OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8); OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8); OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, @@ -770,11 +762,9 @@ OPENSSL_EXPORT int i2d_DSA_PUBKEY(const DSA *a,unsigned char **pp); OPENSSL_EXPORT DSA * d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp, long length); #endif -#ifndef OPENSSL_NO_EC OPENSSL_EXPORT int i2d_EC_PUBKEY(const EC_KEY *a, unsigned char **pp); OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length); -#endif DECLARE_ASN1_FUNCTIONS(X509_SIG) DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO) @@ -946,10 +936,8 @@ OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a); OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b); OPENSSL_EXPORT unsigned long X509_subject_name_hash(X509 *x); -#ifndef OPENSSL_NO_MD5 OPENSSL_EXPORT unsigned long X509_issuer_name_hash_old(X509 *a); OPENSSL_EXPORT unsigned long X509_subject_name_hash_old(X509 *x); -#endif OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b); OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index cfa6d00d..cec6f8c8 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -289,9 +289,7 @@ static int ssl23_client_hello(SSL *s) * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. */ mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1 -#if !defined(OPENSSL_NO_SSL3) |SSL_OP_NO_SSLv3 -#endif ; #if !defined(OPENSSL_NO_TLS1_2_CLIENT) version = TLS1_2_VERSION; @@ -305,11 +303,9 @@ static int ssl23_client_hello(SSL *s) if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) version = TLS1_VERSION; mask &= ~SSL_OP_NO_TLSv1; -#if !defined(OPENSSL_NO_SSL3) if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) version = SSL3_VERSION; mask &= ~SSL_OP_NO_SSLv3; -#endif buf=(unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) diff --git a/ssl/s23_meth.c b/ssl/s23_meth.c index 5f0f8b29..f3af9598 100644 --- a/ssl/s23_meth.c +++ b/ssl/s23_meth.c @@ -65,11 +65,9 @@ static const SSL_METHOD *ssl23_get_method(int ver); static const SSL_METHOD *ssl23_get_method(int ver) { -#ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return(SSLv3_method()); else -#endif if (ver == TLS1_VERSION) return(TLSv1_method()); else if (ver == TLS1_1_VERSION) diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 7944891f..f5bd2846 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -561,12 +561,10 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey) { ret=SSL_PKEY_RSA_ENC; } -#ifndef OPENSSL_NO_EC else if (i == EVP_PKEY_EC) { ret = SSL_PKEY_ECC; } -#endif err: if(!pkey) EVP_PKEY_free(pk); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 5dce6410..63fbbeb5 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -395,10 +395,8 @@ int ssl3_connect(SSL *s) s->state=SSL3_ST_CW_FINISHED_A; if (s->s3->tlsext_channel_id_valid) s->state=SSL3_ST_CW_CHANNEL_ID_A; -# if !defined(OPENSSL_NO_NEXTPROTONEG) if (s->s3->next_proto_neg_seen) s->state=SSL3_ST_CW_NEXT_PROTO_A; -# endif s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; @@ -417,7 +415,6 @@ int ssl3_connect(SSL *s) break; -#if !defined(OPENSSL_NO_NEXTPROTONEG) case SSL3_ST_CW_NEXT_PROTO_A: case SSL3_ST_CW_NEXT_PROTO_B: ret=ssl3_send_next_proto(s); @@ -427,7 +424,6 @@ int ssl3_connect(SSL *s) else s->state=SSL3_ST_CW_FINISHED_A; break; -#endif case SSL3_ST_CW_CHANNEL_ID_A: case SSL3_ST_CW_CHANNEL_ID_B: @@ -1147,14 +1143,10 @@ int ssl3_get_server_key_exchange(SSL *s) EVP_PKEY *pkey=NULL; const EVP_MD *md = NULL; RSA *rsa=NULL; -#ifndef OPENSSL_NO_DH DH *dh=NULL; -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL; BN_CTX *bn_ctx = NULL; EC_POINT *srvr_ecpoint = NULL; -#endif CBS server_key_exchange, server_key_exchange_orig, parameter; /* use same message size as in ssl3_get_certificate_request() @@ -1210,20 +1202,16 @@ int ssl3_get_server_key_exchange(SSL *s) RSA_free(s->session->sess_cert->peer_rsa_tmp); s->session->sess_cert->peer_rsa_tmp=NULL; } -#ifndef OPENSSL_NO_DH if (s->session->sess_cert->peer_dh_tmp) { DH_free(s->session->sess_cert->peer_dh_tmp); s->session->sess_cert->peer_dh_tmp=NULL; } -#endif -#ifndef OPENSSL_NO_ECDH if (s->session->sess_cert->peer_ecdh_tmp) { EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); s->session->sess_cert->peer_ecdh_tmp=NULL; } -#endif } else { @@ -1272,8 +1260,7 @@ int ssl3_get_server_key_exchange(SSL *s) } } - if (0) {} - else if (alg_k & SSL_kRSA) + if (alg_k & SSL_kRSA) { CBS rsa_modulus, rsa_exponent; @@ -1321,7 +1308,6 @@ int ssl3_get_server_key_exchange(SSL *s) s->session->sess_cert->peer_rsa_tmp=rsa; rsa=NULL; } -#ifndef OPENSSL_NO_DH else if (alg_k & SSL_kEDH) { CBS dh_p, dh_g, dh_Ys; @@ -1373,9 +1359,7 @@ int ssl3_get_server_key_exchange(SSL *s) s->session->sess_cert->peer_dh_tmp=dh; dh=NULL; } -#endif /* !OPENSSL_NO_DH */ -#ifndef OPENSSL_NO_ECDH else if (alg_k & SSL_kEECDH) { uint16_t curve_id; @@ -1453,10 +1437,8 @@ int ssl3_get_server_key_exchange(SSL *s) if (0) ; else if (alg_a & SSL_aRSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); -#ifndef OPENSSL_NO_ECDSA else if (alg_a & SSL_aECDSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); -#endif /* else anonymous ECDH, so no certificate or pkey. */ EC_KEY_set_public_key(ecdh, srvr_ecpoint); s->session->sess_cert->peer_ecdh_tmp=ecdh; @@ -1466,7 +1448,6 @@ int ssl3_get_server_key_exchange(SSL *s) EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } -#endif /* !OPENSSL_NO_ECDH */ else if (!(alg_k & SSL_kPSK)) { @@ -1576,16 +1557,12 @@ err: EVP_PKEY_free(pkey); if (rsa != NULL) RSA_free(rsa); -#ifndef OPENSSL_NO_DH if (dh != NULL) DH_free(dh); -#endif -#ifndef OPENSSL_NO_ECDH BN_CTX_free(bn_ctx); EC_POINT_free(srvr_ecpoint); if (ecdh != NULL) EC_KEY_free(ecdh); -#endif EVP_MD_CTX_cleanup(&md_ctx); return(-1); } @@ -1913,7 +1890,6 @@ int ssl3_send_client_key_exchange(SSL *s) unsigned long alg_a; unsigned char *q; EVP_PKEY *pkey=NULL; -#ifndef OPENSSL_NO_ECDH EC_KEY *clnt_ecdh = NULL; const EC_POINT *srvr_ecpoint = NULL; EVP_PKEY *srvr_pub_pkey = NULL; @@ -1922,7 +1898,6 @@ int ssl3_send_client_key_exchange(SSL *s) BN_CTX * bn_ctx = NULL; unsigned int psk_len = 0; unsigned char psk[PSK_MAX_PSK_LEN]; -#endif /* OPENSSL_NO_ECDH */ if (s->state == SSL3_ST_CW_KEY_EXCH_A) { @@ -2008,9 +1983,7 @@ int ssl3_send_client_key_exchange(SSL *s) } } - /* Fool emacs indentation */ - if (0) {} - else if (alg_k & SSL_kRSA) + if (alg_k & SSL_kRSA) { RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; @@ -2070,7 +2043,6 @@ int ssl3_send_client_key_exchange(SSL *s) tmp_buf,sizeof tmp_buf); OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); } -#ifndef OPENSSL_NO_DH else if (alg_k & SSL_kEDH) { DH *dh_srvr,*dh_clnt; @@ -2131,9 +2103,7 @@ int ssl3_send_client_key_exchange(SSL *s) /* perhaps clean things up a bit EAY EAY EAY EAY*/ } -#endif -#ifndef OPENSSL_NO_ECDH else if (alg_k & SSL_kEECDH) { const EC_GROUP *srvr_group = NULL; @@ -2286,7 +2256,6 @@ int ssl3_send_client_key_exchange(SSL *s) EC_KEY_free(clnt_ecdh); EVP_PKEY_free(srvr_pub_pkey); } -#endif /* !OPENSSL_NO_ECDH */ else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK))) { ssl3_send_alert(s, SSL3_AL_FATAL, @@ -2302,13 +2271,11 @@ int ssl3_send_client_key_exchange(SSL *s) /* SSL3_ST_CW_KEY_EXCH_B */ return ssl_do_write(s); err: -#ifndef OPENSSL_NO_ECDH BN_CTX_free(bn_ctx); if (encodedPoint != NULL) OPENSSL_free(encodedPoint); if (clnt_ecdh != NULL) EC_KEY_free(clnt_ecdh); EVP_PKEY_free(srvr_pub_pkey); -#endif return(-1); } @@ -2507,9 +2474,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) EVP_PKEY *pkey=NULL; SESS_CERT *sc; RSA *rsa; -#ifndef OPENSSL_NO_DH DH *dh; -#endif /* we don't have a certificate */ if (!ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) @@ -2526,14 +2491,11 @@ int ssl3_check_cert_and_algorithm(SSL *s) } rsa=s->session->sess_cert->peer_rsa_tmp; -#ifndef OPENSSL_NO_DH dh=s->session->sess_cert->peer_dh_tmp; -#endif /* This is the passed certificate */ idx=sc->peer_cert_type; -#ifndef OPENSSL_NO_ECDH if (idx == SSL_PKEY_ECC) { if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, @@ -2552,7 +2514,6 @@ int ssl3_check_cert_and_algorithm(SSL *s) OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_ECDSA_SIGNING_CERT); goto f_err; } -#endif pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); EVP_PKEY_free(pkey); @@ -2570,14 +2531,12 @@ int ssl3_check_cert_and_algorithm(SSL *s) OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; } -#ifndef OPENSSL_NO_DH if ((alg_k & SSL_kEDH) && !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_DH_KEY); goto f_err; } -#endif return(1); f_err: @@ -2586,7 +2545,6 @@ err: return(0); } -# if !defined(OPENSSL_NO_NEXTPROTONEG) int ssl3_send_next_proto(SSL *s) { unsigned int len, padding_len; @@ -2611,7 +2569,6 @@ int ssl3_send_next_proto(SSL *s) return ssl3_do_write(s, SSL3_RT_HANDSHAKE); } -# endif /* !OPENSSL_NO_NEXTPROTONEG */ int ssl3_send_channel_id(SSL *s) { diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index e25d90c3..d574b253 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -369,10 +369,8 @@ int ssl3_setup_key_block(SSL *s) if (s->session->cipher != NULL) { -#ifndef OPENSSL_NO_RC4 if (s->session->cipher->algorithm_enc == SSL_RC4) s->s3->need_record_splitting = 0; -#endif } } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index cef94b12..50aa4bdd 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -578,7 +578,6 @@ const SSL_CIPHER ssl3_ciphers[]={ 256, }, -#ifndef OPENSSL_NO_ECDH /* Cipher C007 */ { 1, @@ -722,9 +721,7 @@ const SSL_CIPHER ssl3_ciphers[]={ 256, 256, }, -#endif /* OPENSSL_NO_ECDH */ -#ifndef OPENSSL_NO_ECDH /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ @@ -878,7 +875,6 @@ const SSL_CIPHER ssl3_ciphers[]={ 128, }, -#endif /* OPENSSL_NO_ECDH */ { 1, @@ -1014,14 +1010,10 @@ void ssl3_free(SSL *s) ssl3_release_read_buffer(s); if (s->s3->wbuf.buf != NULL) ssl3_release_write_buffer(s); -#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); -#endif -#ifndef OPENSSL_NO_ECDH if (s->s3->tmp.ecdh != NULL) EC_KEY_free(s->s3->tmp.ecdh); -#endif if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); @@ -1052,20 +1044,16 @@ void ssl3_clear(SSL *s) OPENSSL_free(s->s3->tmp.certificate_types); s->s3->tmp.num_certificate_types = 0; -#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) { DH_free(s->s3->tmp.dh); s->s3->tmp.dh = NULL; } -#endif -#ifndef OPENSSL_NO_ECDH if (s->s3->tmp.ecdh != NULL) { EC_KEY_free(s->s3->tmp.ecdh); s->s3->tmp.ecdh = NULL; } -#endif rp = s->s3->rbuf.buf; wp = s->s3->wbuf.buf; rlen = s->s3->rbuf.len; @@ -1100,14 +1088,12 @@ void ssl3_clear(SSL *s) s->s3->in_read_app_data=0; s->version = s->method->version; -#if !defined(OPENSSL_NO_NEXTPROTONEG) if (s->next_proto_negotiated) { OPENSSL_free(s->next_proto_negotiated); s->next_proto_negotiated = NULL; s->next_proto_negotiated_len = 0; } -#endif s->s3->tlsext_channel_id_valid = 0; } @@ -1118,14 +1104,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { int ret=0; - if ( - cmd == SSL_CTRL_SET_TMP_RSA || + if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB || -#ifndef OPENSSL_NO_DSA cmd == SSL_CTRL_SET_TMP_DH || - cmd == SSL_CTRL_SET_TMP_DH_CB || -#endif - 0) + cmd == SSL_CTRL_SET_TMP_DH_CB) { if (!ssl_cert_inst(&s->cert)) { @@ -1168,7 +1150,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return(ret); } break; -#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *dh = (DH *)parg; @@ -1203,8 +1184,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return(ret); } break; -#endif -#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_TMP_ECDH: { EC_KEY *ecdh = NULL; @@ -1241,7 +1220,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return(ret); } break; -#endif /* !OPENSSL_NO_ECDH */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { @@ -1333,7 +1311,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SELECT_CURRENT_CERT: return ssl_cert_select_current(s->cert, (X509 *)parg); -#ifndef OPENSSL_NO_EC case SSL_CTRL_GET_CURVES: { const uint16_t *clist; @@ -1367,7 +1344,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_ECDH_AUTO: s->cert->ecdh_tmp_auto = larg; return 1; -#endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -1426,25 +1402,17 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY *ptmp; int rv = 0; sc = s->session->sess_cert; -#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) - if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp - && !sc->peer_ecdh_tmp) + if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp) return 0; -#endif ptmp = EVP_PKEY_new(); if (!ptmp) return 0; - if (0); - else if (sc->peer_rsa_tmp) + if (sc->peer_rsa_tmp) rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp); -#ifndef OPENSSL_NO_DH else if (sc->peer_dh_tmp) rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp); -#endif -#ifndef OPENSSL_NO_ECDH else if (sc->peer_ecdh_tmp) rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp); -#endif if (rv) { *(EVP_PKEY **)parg = ptmp; @@ -1453,7 +1421,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY_free(ptmp); return 0; } -#ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { SSL_SESSION *sess = s->session; @@ -1463,7 +1430,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *pformat = sess->tlsext_ecpointformatlist; return (int)sess->tlsext_ecpointformatlist_length; } -#endif case SSL_CTRL_CHANNEL_ID: s->tlsext_channel_id_enabled = 1; @@ -1510,12 +1476,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) { int ret=0; - if ( - cmd == SSL_CTRL_SET_TMP_RSA_CB || -#ifndef OPENSSL_NO_DSA - cmd == SSL_CTRL_SET_TMP_DH_CB || -#endif - 0) + if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) { if (!ssl_cert_inst(&s->cert)) { @@ -1529,20 +1490,16 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) case SSL_CTRL_SET_TMP_RSA_CB: /* Ignore the callback; temporary RSA keys are never used. */ break; -#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; -#endif -#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_TMP_ECDH_CB: { s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; } break; -#endif case SSL_CTRL_SET_TLSEXT_DEBUG_CB: s->tlsext_debug_cb=(void (*)(SSL *,int ,int, unsigned char *, int, void *))fp; @@ -1573,7 +1530,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return(0); } break; -#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *new=NULL,*dh; @@ -1605,8 +1561,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return(0); } break; -#endif -#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_TMP_ECDH: { EC_KEY *ecdh = NULL; @@ -1646,7 +1600,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return(0); } break; -#endif /* !OPENSSL_NO_ECDH */ case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->tlsext_servername_arg=parg; break; @@ -1681,7 +1634,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return 1; break; -#ifndef OPENSSL_NO_EC case SSL_CTRL_SET_CURVES: return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, @@ -1690,7 +1642,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_ECDH_AUTO: ctx->cert->ecdh_tmp_auto = larg; return 1; -#endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -1792,20 +1743,16 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) case SSL_CTRL_SET_TMP_RSA_CB: /* Ignore the callback; temporary RSA keys are never used. */ break; -#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; -#endif -#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_TMP_ECDH_CB: { cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; } break; -#endif case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp; break; @@ -1959,12 +1906,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, c->name); #endif -#ifndef OPENSSL_NO_EC /* if we are considering an ECC cipher suite that uses * an ephemeral EC key check it */ if (alg_k & SSL_kEECDH) ok = ok && tls1_check_ec_tmp_key(s, c->id); -#endif /* OPENSSL_NO_EC */ if (ok && sk_SSL_CIPHER_find(allow, &cipher_index, c)) { @@ -2004,9 +1949,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) const unsigned char *sig; size_t i, siglen; int have_rsa_sign = 0; -#ifndef OPENSSL_NO_ECDSA int have_ecdsa_sign = 0; -#endif /* If we have custom certificate types set, use them */ if (s->cert->client_certificate_types) @@ -2025,18 +1968,15 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) have_rsa_sign = 1; break; -#ifndef OPENSSL_NO_ECDSA case TLSEXT_signature_ecdsa: have_ecdsa_sign = 1; break; -#endif } } if (have_rsa_sign) p[ret++]=SSL3_CT_RSA_SIGN; -#ifndef OPENSSL_NO_ECDSA /* ECDSA certs can be used with RSA cipher suites as well * so we don't need to check for SSL_kECDH or SSL_kEECDH */ @@ -2045,7 +1985,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) if (have_ecdsa_sign) p[ret++]=TLS_CT_ECDSA_SIGN; } -#endif return(ret); } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index e9353d14..1017f4aa 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -500,9 +500,7 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_CHANGE: { char next_proto_neg = 0; char channel_id = 0; -# if !defined(OPENSSL_NO_NEXTPROTONEG) next_proto_neg = s->s3->next_proto_neg_seen; -# endif channel_id = s->s3->tlsext_channel_id_valid; /* At this point, the next message must be entirely @@ -521,7 +519,6 @@ int ssl3_accept(SSL *s) break; } -#if !defined(OPENSSL_NO_NEXTPROTONEG) case SSL3_ST_SR_NEXT_PROTO_A: case SSL3_ST_SR_NEXT_PROTO_B: ret=ssl3_get_next_proto(s); @@ -532,7 +529,6 @@ int ssl3_accept(SSL *s) else s->state=SSL3_ST_SR_FINISHED_A; break; -#endif case SSL3_ST_SR_CHANNEL_ID_A: case SSL3_ST_SR_CHANNEL_ID_B: @@ -1280,16 +1276,12 @@ int ssl3_send_server_key_exchange(SSL *s) int j,num; unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; unsigned int u; -#ifndef OPENSSL_NO_DH DH *dh=NULL,*dhp; -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh=NULL, *ecdhp; unsigned char *encodedPoint = NULL; int encodedlen = 0; int curve_id = 0; BN_CTX *bn_ctx = NULL; -#endif const char* psk_identity_hint = NULL; size_t psk_identity_hint_len = 0; EVP_PKEY *pkey; @@ -1326,7 +1318,6 @@ int ssl3_send_server_key_exchange(SSL *s) psk_identity_hint_len = 0; n+=2+psk_identity_hint_len; } -#ifndef OPENSSL_NO_DH if (alg_k & SSL_kEDH) { dhp=cert->dh_tmp; @@ -1378,8 +1369,6 @@ int ssl3_send_server_key_exchange(SSL *s) r[2]=dh->pub_key; } else -#endif -#ifndef OPENSSL_NO_ECDH if (alg_k & SSL_kEECDH) { const EC_GROUP *group; @@ -1504,7 +1493,6 @@ int ssl3_send_server_key_exchange(SSL *s) r[3]=NULL; } else -#endif /* !OPENSSL_NO_ECDH */ if (!(alg_k & SSL_kPSK)) { al=SSL_AD_HANDSHAKE_FAILURE; @@ -1561,7 +1549,6 @@ int ssl3_send_server_key_exchange(SSL *s) } } -#ifndef OPENSSL_NO_ECDH if (alg_k & SSL_kEECDH) { /* XXX: For now, we only support named (not generic) curves. @@ -1585,7 +1572,6 @@ int ssl3_send_server_key_exchange(SSL *s) encodedPoint = NULL; p += encodedlen; } -#endif /* OPENSSL_NO_ECDH */ /* not anonymous */ if (pkey != NULL) @@ -1669,10 +1655,8 @@ int ssl3_send_server_key_exchange(SSL *s) f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: -#ifndef OPENSSL_NO_ECDH if (encodedPoint != NULL) OPENSSL_free(encodedPoint); BN_CTX_free(bn_ctx); -#endif EVP_MD_CTX_cleanup(&md_ctx); return(-1); } @@ -1777,19 +1761,15 @@ int ssl3_get_client_key_exchange(SSL *s) RSA *rsa=NULL; uint8_t *decrypt_buf = NULL; EVP_PKEY *pkey=NULL; -#ifndef OPENSSL_NO_DH BIGNUM *pub=NULL; DH *dh_srvr; -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *srvr_ecdh = NULL; EVP_PKEY *clnt_pub_pkey = NULL; EC_POINT *clnt_ecpoint = NULL; BN_CTX *bn_ctx = NULL; unsigned int psk_len = 0; unsigned char psk[PSK_MAX_PSK_LEN]; -#endif n=s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A, @@ -2018,7 +1998,6 @@ int ssl3_get_client_key_exchange(SSL *s) premaster_secret_len = sizeof(rand_premaster_secret); } -#ifndef OPENSSL_NO_DH else if (alg_k & SSL_kEDH) { CBS dh_Yc; @@ -2071,9 +2050,7 @@ int ssl3_get_client_key_exchange(SSL *s) premaster_secret_len = dh_len; } -#endif -#ifndef OPENSSL_NO_ECDH else if (alg_k & SSL_kEECDH) { int field_size = 0, ecdh_len; @@ -2168,7 +2145,6 @@ int ssl3_get_client_key_exchange(SSL *s) premaster_secret_len = ecdh_len; } -#endif else if (alg_k & SSL_kPSK) { /* For plain PSK, other_secret is a block of 0s with the same @@ -2238,13 +2214,11 @@ err: } if (decrypt_buf) OPENSSL_free(decrypt_buf); -#ifndef OPENSSL_NO_ECDH EVP_PKEY_free(clnt_pub_pkey); EC_POINT_free(clnt_ecpoint); if (srvr_ecdh != NULL) EC_KEY_free(srvr_ecdh); BN_CTX_free(bn_ctx); -#endif return(-1); } @@ -2712,7 +2686,6 @@ int ssl3_send_cert_status(SSL *s) return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } -# ifndef OPENSSL_NO_NEXTPROTONEG /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It * sets the next_proto member in s if found */ int ssl3_get_next_proto(SSL *s) @@ -2771,7 +2744,6 @@ int ssl3_get_next_proto(SSL *s) return 1; } -# endif /* ssl3_get_channel_id reads and verifies a ClientID handshake message. */ int ssl3_get_channel_id(SSL *s) diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index bab0effc..5e9d41d7 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -161,9 +161,7 @@ void ssl_cert_set_default_md(CERT *cert) /* Set digest values to defaults */ cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); -#ifndef OPENSSL_NO_ECDSA cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); -#endif } CERT *ssl_cert_new(void) @@ -205,7 +203,6 @@ CERT *ssl_cert_dup(CERT *cert) ret->mask_k = cert->mask_k; ret->mask_a = cert->mask_a; -#ifndef OPENSSL_NO_DH if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); @@ -236,9 +233,7 @@ CERT *ssl_cert_dup(CERT *cert) } } ret->dh_tmp_cb = cert->dh_tmp_cb; -#endif -#ifndef OPENSSL_NO_ECDH if (cert->ecdh_tmp) { ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); @@ -250,7 +245,6 @@ CERT *ssl_cert_dup(CERT *cert) } ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; -#endif for (i = 0; i < SSL_PKEY_NUM; i++) { @@ -366,17 +360,11 @@ CERT *ssl_cert_dup(CERT *cert) return(ret); -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) err: -#endif -#ifndef OPENSSL_NO_DH if (ret->dh_tmp != NULL) DH_free(ret->dh_tmp); -#endif -#ifndef OPENSSL_NO_ECDH if (ret->ecdh_tmp != NULL) EC_KEY_free(ret->ecdh_tmp); -#endif ssl_cert_clear_certs(ret); @@ -418,12 +406,8 @@ void ssl_cert_free(CERT *c) if(c == NULL) return; -#ifndef OPENSSL_NO_DH if (c->dh_tmp) DH_free(c->dh_tmp); -#endif -#ifndef OPENSSL_NO_ECDH if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp); -#endif ssl_cert_clear_certs(c); if (c->peer_sigalgs) @@ -591,14 +575,10 @@ void ssl_sess_cert_free(SESS_CERT *sc) if (sc->peer_rsa_tmp != NULL) RSA_free(sc->peer_rsa_tmp); -#ifndef OPENSSL_NO_DH if (sc->peer_dh_tmp != NULL) DH_free(sc->peer_dh_tmp); -#endif -#ifndef OPENSSL_NO_ECDH if (sc->peer_ecdh_tmp != NULL) EC_KEY_free(sc->peer_ecdh_tmp); -#endif OPENSSL_free(sc); } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 0caed0b4..691b5fd5 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -289,7 +289,6 @@ int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead) (c->algorithm2 & SSL_CIPHER_ALGORITHM2_STATEFUL_AEAD) == 0) return 0; -#ifndef OPENSSL_NO_AES switch (c->algorithm_enc) { case SSL_AES128GCM: @@ -308,7 +307,6 @@ int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead) return 0; return 1; } -#endif return 0; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index fafe5281..d6f6bdc2 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -344,7 +344,6 @@ SSL *SSL_new(SSL_CTX *ctx) s->tlsext_ocsp_resplen = -1; CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); s->initial_ctx=ctx; -#ifndef OPENSSL_NO_EC if (ctx->tlsext_ecpointformatlist) { s->tlsext_ecpointformatlist = @@ -365,10 +364,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->tlsext_ellipticcurvelist_length = ctx->tlsext_ellipticcurvelist_length; } -#endif -# ifndef OPENSSL_NO_NEXTPROTONEG s->next_proto_negotiated = NULL; -# endif if (s->ctx->alpn_client_proto_list) { @@ -672,10 +668,8 @@ void SSL_free(SSL *s) if (s->tlsext_hostname) OPENSSL_free(s->tlsext_hostname); if (s->initial_ctx) SSL_CTX_free(s->initial_ctx); -#ifndef OPENSSL_NO_EC if (s->tlsext_ecpointformatlist) OPENSSL_free(s->tlsext_ecpointformatlist); if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist); -#endif /* OPENSSL_NO_EC */ if (s->tlsext_ocsp_exts) sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); @@ -701,10 +695,8 @@ void SSL_free(SSL *s) if (s->ctx) SSL_CTX_free(s->ctx); -#if !defined(OPENSSL_NO_NEXTPROTONEG) if (s->next_proto_negotiated) OPENSSL_free(s->next_proto_negotiated); -#endif if (s->srtp_profiles) sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); @@ -1773,7 +1765,6 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsi return status; } -# ifndef OPENSSL_NO_NEXTPROTONEG /* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's * requested protocol for this connection and returns 0. If the client didn't * request any protocol, then *data is set to NULL. @@ -1822,7 +1813,6 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned ctx->next_proto_select_cb = cb; ctx->next_proto_select_cb_arg = arg; } -# endif /* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|. * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit @@ -2035,10 +2025,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->tlsext_status_cb = 0; ret->tlsext_status_arg = NULL; -# ifndef OPENSSL_NO_NEXTPROTONEG ret->next_protos_advertised_cb = 0; ret->next_proto_select_cb = 0; -# endif ret->psk_identity_hint=NULL; ret->psk_client_callback=NULL; ret->psk_server_callback=NULL; @@ -2117,12 +2105,10 @@ void SSL_CTX_free(SSL_CTX *a) if (a->psk_identity_hint) OPENSSL_free(a->psk_identity_hint); -# ifndef OPENSSL_NO_EC if (a->tlsext_ecpointformatlist) OPENSSL_free(a->tlsext_ecpointformatlist); if (a->tlsext_ellipticcurvelist) OPENSSL_free(a->tlsext_ellipticcurvelist); -# endif /* OPENSSL_NO_EC */ if (a->alpn_client_proto_list != NULL) OPENSSL_free(a->alpn_client_proto_list); @@ -2174,34 +2160,20 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) CERT_PKEY *cpk; int rsa_enc,rsa_sign,dh_tmp; unsigned long mask_k,mask_a; -#ifndef OPENSSL_NO_ECDSA int have_ecc_cert, ecdsa_ok; -#endif -#ifndef OPENSSL_NO_ECDH int have_ecdh_tmp; -#endif -#ifndef OPENSSL_NO_EC X509 *x = NULL; -#endif if (c == NULL) return; -#ifndef OPENSSL_NO_DH dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); -#else - dh_tmp=0; -#endif -#ifndef OPENSSL_NO_ECDH have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto); -#endif cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); rsa_enc= cpk->valid_flags & CERT_PKEY_VALID; cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); rsa_sign= cpk->valid_flags & CERT_PKEY_SIGN; cpk= &(c->pkeys[SSL_PKEY_ECC]); -#ifndef OPENSSL_NO_EC have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID; -#endif mask_k=0; mask_a=0; @@ -2226,7 +2198,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) /* An ECC certificate may be usable for ECDSA cipher suites depending on * the key usage extension. */ -#ifndef OPENSSL_NO_EC if (have_ecc_cert) { cpk = &c->pkeys[SSL_PKEY_ECC]; @@ -2237,21 +2208,16 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; if (!(cpk->valid_flags & CERT_PKEY_SIGN)) ecdsa_ok = 0; -#ifndef OPENSSL_NO_ECDSA if (ecdsa_ok) { mask_a|=SSL_aECDSA; } -#endif } -#endif -#ifndef OPENSSL_NO_ECDH if (have_ecdh_tmp) { mask_k|=SSL_kEECDH; } -#endif mask_k |= SSL_kPSK; mask_a |= SSL_aPSK; @@ -2265,7 +2231,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#ifndef OPENSSL_NO_EC int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { @@ -2295,7 +2260,6 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) return 1; /* all checks are ok */ } -#endif static int ssl_get_server_cert_index(const SSL *s) { @@ -2964,7 +2928,6 @@ RSA *cb(SSL *ssl,int is_export,int keylength) * \param dh the callback */ -#ifndef OPENSSL_NO_DH void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, int keylength)) { @@ -2976,9 +2939,7 @@ void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, { SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); } -#endif -#ifndef OPENSSL_NO_ECDH void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export, int keylength)) { @@ -2990,7 +2951,6 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export, { SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); } -#endif int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { @@ -3144,11 +3104,7 @@ int ssl3_can_cutthrough(const SSL *s) return 0; /* require ALPN or NPN extension */ - if (!s->s3->alpn_selected -#ifndef OPENSSL_NO_NEXTPROTONEG - && !s->s3->next_proto_neg_seen -#endif - ) + if (!s->s3->alpn_selected && !s->s3->next_proto_neg_seen) { return 0; } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 09ba1911..0aefaa44 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -415,14 +415,12 @@ #define PENDING_SESSION -10000 #define CERTIFICATE_SELECTION_PENDING -10001 -#ifndef OPENSSL_NO_EC /* From ECC-TLS draft, used in encoding the curve type in * ECParameters */ #define EXPLICIT_PRIME_CURVE_TYPE 1 #define EXPLICIT_CHAR2_CURVE_TYPE 2 #define NAMED_CURVE_TYPE 3 -#endif /* OPENSSL_NO_EC */ /* Values for the |hash_message| parameter of |s->method->ssl_get_message|. */ #define SSL_GET_MESSAGE_DONT_HASH_MESSAGE 0 @@ -463,17 +461,13 @@ typedef struct cert_st unsigned long mask_a; /* Client only */ unsigned long mask_ssl; -#ifndef OPENSSL_NO_DH DH *dh_tmp; DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize); -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh_tmp; /* Callback for generating ephemeral ECDH keys */ EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize); /* Select ECDH parameters automatically */ int ecdh_tmp_auto; -#endif /* Flags related to certificates */ unsigned int cert_flags; CERT_PKEY pkeys[SSL_PKEY_NUM]; @@ -549,12 +543,8 @@ typedef struct sess_cert_st * so maybe we shouldn't even use the CERT_PKEY type here. */ RSA *peer_rsa_tmp; /* not used for SSL 2 */ -#ifndef OPENSSL_NO_DH DH *peer_dh_tmp; /* not used for SSL 2 */ -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *peer_ecdh_tmp; -#endif } SESS_CERT; /* Structure containing decoded values of signature algorithms extension */ struct tls_sigalgs_st @@ -990,10 +980,8 @@ int ssl3_send_client_key_exchange(SSL *s); int ssl3_get_server_key_exchange(SSL *s); int ssl3_get_server_certificate(SSL *s); int ssl3_check_cert_and_algorithm(SSL *s); -# ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s); int ssl3_send_channel_id(SSL *s); -# endif int dtls1_client_hello(SSL *s); @@ -1007,10 +995,8 @@ int ssl3_send_server_done(SSL *s); int ssl3_get_client_certificate(SSL *s); int ssl3_get_client_key_exchange(SSL *s); int ssl3_get_cert_verify(SSL *s); -#ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_get_next_proto(SSL *s); int ssl3_get_channel_id(SSL *s); -#endif int ssl23_accept(SSL *s); int ssl23_connect(SSL *s); @@ -1050,12 +1036,9 @@ int tls1_alert_code(int code); int ssl3_alert_code(int code); int ssl_ok(SSL *s); -#ifndef OPENSSL_NO_ECDH int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); -#endif char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx); -#ifndef OPENSSL_NO_EC int tls1_ec_curve_id2nid(uint16_t curve_id); uint16_t tls1_ec_nid2curve_id(int nid); @@ -1078,7 +1061,6 @@ int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len, const int *curves, size_t ncurves); int tls1_check_ec_tmp_key(SSL *s, unsigned long id); -#endif /* OPENSSL_NO_EC */ int tls1_shared_list(SSL *s, const unsigned char *l1, size_t l1len, diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 56ba7c94..bc20e867 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -710,12 +710,10 @@ void SSL_SESSION_free(SSL_SESSION *ss) if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname); if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick); -#ifndef OPENSSL_NO_EC ss->tlsext_ecpointformatlist_length = 0; if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist); ss->tlsext_ellipticcurvelist_length = 0; if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist); -#endif /* OPENSSL_NO_EC */ if (ss->tlsext_signed_cert_timestamp_list != NULL) OPENSSL_free(ss->tlsext_signed_cert_timestamp_list); if (ss->psk_identity_hint != NULL) diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index 361a2fad..2f46b8c3 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c @@ -101,7 +101,6 @@ case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break; case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break; case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break; -#ifndef OPENSSL_NO_SSL3 /* SSLv3 additions */ case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break; case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break; @@ -169,9 +168,7 @@ case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break; case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break; case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break; case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break; -#endif -#if !defined(OPENSSL_NO_SSL3) /* SSLv2/v3 compatibility states */ /* client */ case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break; @@ -182,7 +179,6 @@ case SSL23_ST_CR_SRVR_HELLO_B: str="SSLv2/v3 read server hello B"; break; case SSL23_ST_SR_CLNT_HELLO: str="SSLv2/v3 read client hello"; break; case SSL23_ST_SR_V2_CLNT_HELLO: str="SSLv2/v3 read v2 client hello"; break; case SSL23_ST_SR_SWITCH_VERSION: str="SSLv2/v3 switch version"; break; -#endif /* DTLS */ case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DTLS1 read hello verify request A"; break; @@ -220,7 +216,6 @@ case SSL_ST_ACCEPT: str="AINIT "; break; case SSL_ST_CONNECT: str="CINIT "; break; case SSL_ST_OK: str="SSLOK "; break; -#ifndef OPENSSL_NO_SSL3 /* SSLv3 additions */ case SSL3_ST_SW_FLUSH: case SSL3_ST_CW_FLUSH: str="3FLUSH"; break; @@ -283,9 +278,7 @@ case SSL3_ST_SR_KEY_EXCH_A: str="3RCKEA"; break; case SSL3_ST_SR_KEY_EXCH_B: str="3RCKEB"; break; case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break; case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break; -#endif -#if !defined(OPENSSL_NO_SSL3) /* SSLv2/v3 compatibility states */ /* client */ case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break; @@ -296,7 +289,6 @@ case SSL23_ST_CR_SRVR_HELLO_B: str="23RSHA"; break; case SSL23_ST_SR_CLNT_HELLO: str="23RCH_"; break; case SSL23_ST_SR_V2_CLNT_HELLO: str="23R2CH"; break; case SSL23_ST_SR_SWITCH_VERSION: str="23RSW_"; break; -#endif /* DTLS */ case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DRCHVA"; break; case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DRCHVB"; break; diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 7bbf4463..a2d96d6f 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -675,10 +675,8 @@ printf("\nkey block\n"); if (s->session->cipher != NULL) { -#ifndef OPENSSL_NO_RC4 if (s->session->cipher->algorithm_enc == SSL_RC4) s->s3->need_record_splitting = 0; -#endif } } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index d23b41e6..cafcfa29 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -365,7 +365,6 @@ SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx *ctx, return 0; } -#ifndef OPENSSL_NO_EC static const int nid_list[] = { @@ -704,14 +703,6 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) #endif } -#else - -static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) - { - return 1; - } - -#endif /* OPENSSL_NO_EC */ /* List of supported signature algorithms and hashes. Should make this @@ -720,11 +711,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, -#ifdef OPENSSL_NO_ECDSA -#define tlsext_sigalg_ecdsa(md) /* */ -#else #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, -#endif #define tlsext_sigalg(md) \ tlsext_sigalg_rsa(md) \ @@ -735,9 +722,7 @@ static const uint8_t tls12_sigalgs[] = { tlsext_sigalg(TLSEXT_hash_sha384) tlsext_sigalg(TLSEXT_hash_sha256) tlsext_sigalg(TLSEXT_hash_sha224) -#ifndef OPENSSL_NO_SHA tlsext_sigalg(TLSEXT_hash_sha1) -#endif }; size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs) { @@ -793,7 +778,6 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, *out_alert = SSL_AD_ILLEGAL_PARAMETER; return 0; } -#ifndef OPENSSL_NO_EC if (pkey->type == EVP_PKEY_EC) { uint16_t curve_id; @@ -811,7 +795,6 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, return 0; } } -#endif /* Check signature matches a type we sent */ sent_sigslen = tls12_get_psigalgs(s, &sent_sigs); @@ -872,11 +855,9 @@ void ssl_set_client_disabled(SSL *s) case TLSEXT_signature_rsa: have_rsa = 1; break; -#ifndef OPENSSL_NO_ECDSA case TLSEXT_signature_ecdsa: have_ecdsa = 1; break; -#endif } } /* Disable auth if we don't include any appropriate signature @@ -907,7 +888,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c int extdatalen=0; unsigned char *ret = buf; unsigned char *orig = buf; -#ifndef OPENSSL_NO_EC /* See if we support any ECC ciphersuites */ int using_ecc = 0; if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) @@ -929,7 +909,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c } } } -#endif /* don't add extensions for SSLv3 unless doing secure renegotiation */ if (s->client_version == SSL3_VERSION @@ -1097,7 +1076,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c } #endif -#ifndef OPENSSL_NO_NEXTPROTONEG if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { /* The client advertises an emtpy extension to indicate its @@ -1107,7 +1085,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c s2n(TLSEXT_TYPE_next_proto_neg,ret); s2n(0,ret); } -#endif if (s->signed_cert_timestamps_enabled && !s->s3->tmp.finish_md_len) { @@ -1163,7 +1140,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c ret += el; } -#ifndef OPENSSL_NO_EC if (using_ecc) { /* Add TLS extension ECPointFormats to the ClientHello message */ @@ -1213,7 +1189,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c s2n(curves[i], ret); } } -#endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_padding /* Add padding to workaround bugs in F5 terminators. @@ -1258,15 +1233,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c int extdatalen=0; unsigned char *orig = buf; unsigned char *ret = buf; -#ifndef OPENSSL_NO_NEXTPROTONEG int next_proto_neg_seen; -#endif -#ifndef OPENSSL_NO_EC unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; int using_ecc = (alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA); using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); -#endif /* don't add extensions for SSLv3, unless doing secure renegotiation */ if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) return orig; @@ -1306,7 +1277,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c ret += el; } -#ifndef OPENSSL_NO_EC if (using_ecc) { const unsigned char *plist; @@ -1332,7 +1302,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c } /* Currently the server should not respond with a SupportedCurves extension */ -#endif /* OPENSSL_NO_EC */ if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) @@ -1368,7 +1337,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c ret+=el; } -#ifndef OPENSSL_NO_NEXTPROTONEG next_proto_neg_seen = s->s3->next_proto_neg_seen; s->s3->next_proto_neg_seen = 0; if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) @@ -1388,7 +1356,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c s->s3->next_proto_neg_seen = 1; } } -#endif if (s->s3->alpn_selected) { @@ -1486,9 +1453,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) s->servername_done = 0; s->tlsext_status_type = -1; -#ifndef OPENSSL_NO_NEXTPROTONEG s->s3->next_proto_neg_seen = 0; -#endif if (s->s3->alpn_selected) { @@ -1660,7 +1625,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) } } -#ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { CBS ec_point_format_list; @@ -1729,7 +1693,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) s->session->tlsext_ellipticcurvelist_length = num_curves; } } -#endif /* OPENSSL_NO_EC */ else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && @@ -1895,7 +1858,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) } #endif -#ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && s->s3->tmp.finish_md_len == 0 && s->s3->alpn_selected == NULL) @@ -1924,7 +1886,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) * Finished message could have been computed.) */ s->s3->next_proto_neg_seen = 1; } -#endif else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && s->ctx->alpn_select_cb && @@ -1932,10 +1893,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) { if (!tls1_alpn_handle_client_hello(s, &extension, out_alert)) return 0; -#ifndef OPENSSL_NO_NEXTPROTONEG /* ALPN takes precedence over NPN. */ s->s3->next_proto_neg_seen = 0; -#endif } else if (type == TLSEXT_TYPE_channel_id && @@ -2009,7 +1968,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs) return 1; } -#ifndef OPENSSL_NO_NEXTPROTONEG /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No * elements of zero length are allowed and the set of elements must exactly fill * the length of the block. */ @@ -2028,7 +1986,6 @@ static char ssl_next_proto_validate(const CBS *cbs) } return 1; } -#endif static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) { @@ -2036,9 +1993,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) int renegotiate_seen = 0; CBS extensions; -#ifndef OPENSSL_NO_NEXTPROTONEG s->s3->next_proto_neg_seen = 0; -#endif s->tlsext_ticket_expected = 0; @@ -2097,7 +2052,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) } tlsext_servername = 1; } -#ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { CBS ec_point_format_list; @@ -2120,7 +2074,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) } } } -#endif /* OPENSSL_NO_EC */ else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && @@ -2156,7 +2109,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) /* Set a flag to expect a CertificateStatus message */ s->tlsext_status_expected = 1; } -#ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && s->s3->tmp.finish_md_len == 0) { unsigned char *selected; unsigned char selected_len; @@ -2192,7 +2144,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) s->next_proto_negotiated_len = selected_len; s->s3->next_proto_neg_seen = 1; } -#endif else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) { CBS protocol_name_list, protocol_name; @@ -2335,14 +2286,12 @@ static int ssl_check_clienthello_tlsext_early(SSL *s) int ret=SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; -#ifndef OPENSSL_NO_EC /* The handling of the ECPointFormats extension is done elsewhere, namely in * ssl3_choose_cipher in s3_lib.c. */ /* The handling of the EllipticCurves extension is done elsewhere, namely in * ssl3_choose_cipher in s3_lib.c. */ -#endif if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); @@ -2436,7 +2385,6 @@ int ssl_check_serverhello_tlsext(SSL *s) int ret=SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; -#ifndef OPENSSL_NO_EC /* If we are client and using an elliptic curve cryptography cipher * suite, then if server returns an EC point formats lists extension * it must contain uncompressed. @@ -2467,7 +2415,6 @@ int ssl_check_serverhello_tlsext(SSL *s) } } ret = SSL_TLSEXT_ERR_OK; -#endif /* OPENSSL_NO_EC */ if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); @@ -2812,14 +2759,10 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg) { switch(hash_alg) { -#ifndef OPENSSL_NO_MD5 case TLSEXT_hash_md5: return EVP_md5(); -#endif -#ifndef OPENSSL_NO_SHA case TLSEXT_hash_sha1: return EVP_sha1(); -#endif case TLSEXT_hash_sha224: return EVP_sha224(); @@ -2842,10 +2785,8 @@ static int tls12_get_pkey_idx(unsigned char sig_alg) { case TLSEXT_signature_rsa: return SSL_PKEY_RSA_SIGN; -#ifndef OPENSSL_NO_ECDSA case TLSEXT_signature_ecdsa: return SSL_PKEY_ECC; -#endif } return -1; } @@ -3050,10 +2991,8 @@ int tls1_process_sigalgs(SSL *s, const CBS *sigalgs) c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); } -#ifndef OPENSSL_NO_ECDSA if (!c->pkeys[SSL_PKEY_ECC].digest) c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); -#endif } return 1; }