Get all this stuff out of the way. - OPENSSL_NO_MD5 - OPENSSL_NO_SHA - OPENSSL_NO_EC - OPENSSL_NO_ECDSA - OPENSSL_NO_ECDH - OPENSSL_NO_NEXTPROTONEG - OPENSSL_NO_DH - OPENSSL_NO_SSL3 - OPENSSL_NO_RC4 - OPENSSL_NO_RSA Also manually removed a couple instances of OPENSSL_NO_DSA that seemed to be confused anyway. Did some minor manual cleanup. (Removed a few now-pointless 'if (0)'s.) Change-Id: Id540ba97ee22ff2309ab20ceb24c7eabe766d4c4 Reviewed-on: https://boringssl-review.googlesource.com/1662 Reviewed-by: Adam Langley <agl@google.com>kris/onging/CECPQ3_patch15
@@ -224,7 +224,6 @@ IMPLEMENT_PEM_rw_const(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams) | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
static EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey) | |||
{ | |||
EC_KEY *dtmp; | |||
@@ -271,15 +270,12 @@ EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb, | |||
#endif | |||
#endif | |||
#ifndef OPENSSL_NO_DH | |||
IMPLEMENT_PEM_write_const(DHparams, DH, PEM_STRING_DHPARAMS, DHparams) | |||
/* TODO(fork): remove this code? */ | |||
/* IMPLEMENT_PEM_write_const(DHxparams, DH, PEM_STRING_DHXPARAMS, DHxparams) */ | |||
#endif | |||
IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY) |
@@ -207,7 +207,6 @@ start: | |||
} | |||
else | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
if (strcmp(name,PEM_STRING_ECPRIVATEKEY) == 0) | |||
{ | |||
d2i=(D2I_OF(void))d2i_ECPrivateKey; | |||
@@ -228,7 +227,6 @@ start: | |||
raw=1; | |||
} | |||
else | |||
#endif | |||
{ | |||
d2i=NULL; | |||
pp=NULL; | |||
@@ -262,7 +262,6 @@ int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, | |||
#endif | |||
#ifndef OPENSSL_NO_DH | |||
/* Transparently read in PKCS#3 or X9.42 DH parameters */ | |||
@@ -310,4 +309,3 @@ DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u) | |||
} | |||
#endif | |||
#endif |
@@ -78,7 +78,6 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) | |||
return(X509_NAME_cmp(ai->issuer,bi->issuer)); | |||
} | |||
#ifndef OPENSSL_NO_MD5 | |||
unsigned long X509_issuer_and_serial_hash(X509 *a) | |||
{ | |||
unsigned long ret=0; | |||
@@ -105,7 +104,6 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) | |||
EVP_MD_CTX_cleanup(&ctx); | |||
return(ret); | |||
} | |||
#endif | |||
int X509_issuer_name_cmp(const X509 *a, const X509 *b) | |||
{ | |||
@@ -122,12 +120,10 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) | |||
return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer)); | |||
} | |||
#ifndef OPENSSL_NO_SHA | |||
int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) | |||
{ | |||
return memcmp(a->sha1_hash, b->sha1_hash, 20); | |||
} | |||
#endif | |||
X509_NAME *X509_get_issuer_name(X509 *a) | |||
{ | |||
@@ -139,12 +135,10 @@ unsigned long X509_issuer_name_hash(X509 *x) | |||
return(X509_NAME_hash(x->cert_info->issuer)); | |||
} | |||
#ifndef OPENSSL_NO_MD5 | |||
unsigned long X509_issuer_name_hash_old(X509 *x) | |||
{ | |||
return(X509_NAME_hash_old(x->cert_info->issuer)); | |||
} | |||
#endif | |||
X509_NAME *X509_get_subject_name(X509 *a) | |||
{ | |||
@@ -161,14 +155,11 @@ unsigned long X509_subject_name_hash(X509 *x) | |||
return(X509_NAME_hash(x->cert_info->subject)); | |||
} | |||
#ifndef OPENSSL_NO_MD5 | |||
unsigned long X509_subject_name_hash_old(X509 *x) | |||
{ | |||
return(X509_NAME_hash_old(x->cert_info->subject)); | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_SHA | |||
/* Compare two certificates: they must be identical for | |||
* this to work. NB: Although "cmp" operations are generally | |||
* prototyped to take "const" arguments (eg. for use in | |||
@@ -199,7 +190,6 @@ int X509_cmp(const X509 *a, const X509 *b) | |||
} | |||
return rv; | |||
} | |||
#endif | |||
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) | |||
@@ -249,7 +239,6 @@ unsigned long X509_NAME_hash(X509_NAME *x) | |||
} | |||
#ifndef OPENSSL_NO_MD5 | |||
/* I now DER encode the name and hash it. Since I cache the DER encoding, | |||
* this is reasonably efficient. */ | |||
@@ -273,7 +262,6 @@ unsigned long X509_NAME_hash_old(X509_NAME *x) | |||
return(ret); | |||
} | |||
#endif | |||
/* Search a stack of X509 for a match */ | |||
X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, | |||
@@ -364,7 +352,6 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k) | |||
* flags. | |||
*/ | |||
#ifndef OPENSSL_NO_EC | |||
static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags) | |||
{ | |||
@@ -484,19 +471,6 @@ int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) | |||
return check_suite_b(pk, sign_nid, &flags); | |||
} | |||
#else | |||
int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, | |||
unsigned long flags) | |||
{ | |||
return 0; | |||
} | |||
int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) | |||
{ | |||
return 0; | |||
} | |||
#endif | |||
/* Not strictly speaking an "up_ref" as a STACK doesn't have a reference | |||
* count but it has the same effect by duping the STACK and upping the ref | |||
* of each X509 structure. | |||
@@ -132,21 +132,17 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) | |||
OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, X509_R_KEY_TYPE_MISMATCH); | |||
break; | |||
case -2: | |||
#ifndef OPENSSL_NO_EC | |||
if (k->type == EVP_PKEY_EC) | |||
{ | |||
OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, ERR_R_EC_LIB); | |||
break; | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_DH | |||
if (k->type == EVP_PKEY_DH) | |||
{ | |||
/* No idea */ | |||
OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, X509_R_CANT_CHECK_DH_KEY); | |||
break; | |||
} | |||
#endif | |||
OPENSSL_PUT_ERROR(X509, X509_REQ_check_private_key, X509_R_UNKNOWN_KEY_TYPE); | |||
} | |||
@@ -345,7 +345,6 @@ int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa) | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
#ifndef OPENSSL_NO_FP_API | |||
EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey) | |||
{ | |||
@@ -386,7 +385,6 @@ int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey) | |||
{ | |||
return ASN1_i2d_bio_of_const(EC_KEY,i2d_ECPrivateKey,bp,eckey); | |||
} | |||
#endif | |||
int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md, | |||
@@ -234,9 +234,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, | |||
break; | |||
case ASN1_OP_D2I_POST: | |||
#ifndef OPENSSL_NO_SHA | |||
X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL); | |||
#endif | |||
crl->idp = X509_CRL_get_ext_d2i(crl, | |||
NID_issuing_distribution_point, NULL, NULL); | |||
if (crl->idp) | |||
@@ -300,7 +300,6 @@ int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp) | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length) | |||
{ | |||
EVP_PKEY *pkey; | |||
@@ -336,7 +335,6 @@ int i2d_EC_PUBKEY(const EC_KEY *a, unsigned char **pp) | |||
EVP_PKEY_free(pktmp); | |||
return(ret); | |||
} | |||
#endif | |||
int X509_PUBKEY_set0_param(X509_PUBKEY *pub, const ASN1_OBJECT *aobj, | |||
int ptype, void *pval, | |||
@@ -361,9 +361,7 @@ static void x509v3_cache_extensions(X509 *x) | |||
size_t i; | |||
int j; | |||
if(x->ex_flags & EXFLAG_SET) return; | |||
#ifndef OPENSSL_NO_SHA | |||
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); | |||
#endif | |||
/* V1 should mean no extensions ... */ | |||
if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; | |||
/* Handle basic constraints */ | |||
@@ -465,18 +465,14 @@ DECLARE_PEM_rw_const(DSAparams, DSA) | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
DECLARE_PEM_rw_const(ECPKParameters, EC_GROUP) | |||
DECLARE_PEM_rw_cb(ECPrivateKey, EC_KEY) | |||
DECLARE_PEM_rw(EC_PUBKEY, EC_KEY) | |||
#endif | |||
#ifndef OPENSSL_NO_DH | |||
DECLARE_PEM_rw_const(DHparams, DH) | |||
DECLARE_PEM_write_const(DHxparams, DH) | |||
#endif | |||
DECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY) | |||
@@ -506,10 +502,8 @@ OPENSSL_EXPORT EVP_PKEY *b2i_PrivateKey_bio(BIO *in); | |||
OPENSSL_EXPORT EVP_PKEY *b2i_PublicKey_bio(BIO *in); | |||
OPENSSL_EXPORT int i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk); | |||
OPENSSL_EXPORT int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk); | |||
#ifndef OPENSSL_NO_RC4 | |||
OPENSSL_EXPORT EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u); | |||
OPENSSL_EXPORT int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u); | |||
#endif | |||
void ERR_load_PEM_strings(void); | |||
@@ -441,12 +441,10 @@ struct ssl_session_st | |||
* efficient and to implement a maximum cache size. */ | |||
struct ssl_session_st *prev,*next; | |||
char *tlsext_hostname; | |||
#ifndef OPENSSL_NO_EC | |||
size_t tlsext_ecpointformatlist_length; | |||
unsigned char *tlsext_ecpointformatlist; /* peer's list */ | |||
size_t tlsext_ellipticcurvelist_length; | |||
uint16_t *tlsext_ellipticcurvelist; /* peer's list */ | |||
#endif /* OPENSSL_NO_EC */ | |||
/* RFC4507 info */ | |||
uint8_t *tlsext_tick; /* Session ticket */ | |||
size_t tlsext_ticklen; /* Session ticket length */ | |||
@@ -964,7 +962,6 @@ struct ssl_ctx_st | |||
* memory and session space. Only effective on the server side. */ | |||
char retain_only_sha256_of_client_certs; | |||
# ifndef OPENSSL_NO_NEXTPROTONEG | |||
/* Next protocol negotiation information */ | |||
/* (for experimental NPN extension). */ | |||
@@ -981,7 +978,6 @@ struct ssl_ctx_st | |||
unsigned int inlen, | |||
void *arg); | |||
void *next_proto_select_cb_arg; | |||
# endif | |||
/* ALPN information | |||
* (we are in the process of transitioning from NPN to ALPN.) */ | |||
@@ -1009,13 +1005,11 @@ struct ssl_ctx_st | |||
/* SRTP profiles we are willing to do from RFC 5764 */ | |||
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; | |||
# ifndef OPENSSL_NO_EC | |||
/* EC extension values inherited by SSL structure */ | |||
size_t tlsext_ecpointformatlist_length; | |||
uint8_t *tlsext_ecpointformatlist; | |||
size_t tlsext_ellipticcurvelist_length; | |||
uint16_t *tlsext_ellipticcurvelist; | |||
# endif /* OPENSSL_NO_EC */ | |||
/* If true, a client will advertise the Channel ID extension and a | |||
* server will echo it. */ | |||
@@ -1115,7 +1109,6 @@ OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx); | |||
* WARNING: the returned data is not guaranteed to be well formed. */ | |||
OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, uint8_t **out, size_t *out_len); | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, | |||
int (*cb) (SSL *ssl, | |||
const unsigned char **out, | |||
@@ -1129,7 +1122,6 @@ OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s, | |||
void *arg); | |||
OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *s, | |||
const uint8_t **data, unsigned *len); | |||
#endif | |||
OPENSSL_EXPORT int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, | |||
const unsigned char *in, unsigned int inlen, | |||
@@ -1376,12 +1368,10 @@ struct ssl_st | |||
/* RFC4507 session ticket expected to be received or sent */ | |||
int tlsext_ticket_expected; | |||
#ifndef OPENSSL_NO_EC | |||
size_t tlsext_ecpointformatlist_length; | |||
uint8_t *tlsext_ecpointformatlist; /* our list */ | |||
size_t tlsext_ellipticcurvelist_length; | |||
uint16_t *tlsext_ellipticcurvelist; /* our list */ | |||
#endif /* OPENSSL_NO_EC */ | |||
/* TLS Session Ticket extension override */ | |||
TLS_SESSION_TICKET_EXT *tlsext_session_ticket; | |||
@@ -1396,7 +1386,6 @@ struct ssl_st | |||
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
/* Next protocol negotiation. For the client, this is the protocol that | |||
* we sent in NextProtocol and is set when handling ServerHello | |||
* extensions. | |||
@@ -1406,7 +1395,6 @@ struct ssl_st | |||
* before the Finished message. */ | |||
uint8_t *next_proto_negotiated; | |||
size_t next_proto_negotiated_len; | |||
#endif | |||
#define session_ctx initial_ctx | |||
@@ -2228,22 +2216,18 @@ OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, | |||
OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl, | |||
RSA *(*cb)(SSL *ssl,int is_export, | |||
int keylength)); | |||
#ifndef OPENSSL_NO_DH | |||
OPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, | |||
DH *(*dh)(SSL *ssl,int is_export, | |||
int keylength)); | |||
OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl, | |||
DH *(*dh)(SSL *ssl,int is_export, | |||
int keylength)); | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
OPENSSL_EXPORT void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, | |||
EC_KEY *(*ecdh)(SSL *ssl,int is_export, | |||
int keylength)); | |||
OPENSSL_EXPORT void SSL_set_tmp_ecdh_callback(SSL *ssl, | |||
EC_KEY *(*ecdh)(SSL *ssl,int is_export, | |||
int keylength)); | |||
#endif | |||
OPENSSL_EXPORT const void *SSL_get_current_compression(SSL *s); | |||
OPENSSL_EXPORT const void *SSL_get_current_expansion(SSL *s); | |||
@@ -432,13 +432,9 @@ typedef struct ssl3_state_st | |||
/* used to hold the new cipher we are going to use */ | |||
const SSL_CIPHER *new_cipher; | |||
#ifndef OPENSSL_NO_DH | |||
DH *dh; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
EC_KEY *ecdh; /* holds short lived ECDH key */ | |||
#endif | |||
/* used when SSL_ST_FLUSH_DATA is entered */ | |||
int next_state; | |||
@@ -482,10 +478,8 @@ typedef struct ssl3_state_st | |||
unsigned char previous_server_finished_len; | |||
int send_connection_binding; /* TODOEKR */ | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
/* Set if we saw the Next Protocol Negotiation extension from our peer. */ | |||
int next_proto_neg_seen; | |||
#endif | |||
/* ALPN information | |||
* (we are in the process of transitioning from NPN to ALPN.) */ | |||
@@ -548,10 +542,8 @@ typedef struct ssl3_state_st | |||
#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) | |||
#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) | |||
#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) | |||
#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) | |||
#endif | |||
#define SSL3_ST_CW_CHANNEL_ID_A (0x220|SSL_ST_CONNECT) | |||
#define SSL3_ST_CW_CHANNEL_ID_B (0x221|SSL_ST_CONNECT) | |||
#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) | |||
@@ -598,10 +590,8 @@ typedef struct ssl3_state_st | |||
#define SSL3_ST_SR_CERT_VRFY_A (0x1A0|SSL_ST_ACCEPT) | |||
#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) | |||
#define SSL3_ST_SR_CHANGE (0x1B0|SSL_ST_ACCEPT) | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) | |||
#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) | |||
#endif | |||
#define SSL3_ST_SR_CHANNEL_ID_A (0x230|SSL_ST_ACCEPT) | |||
#define SSL3_ST_SR_CHANNEL_ID_B (0x231|SSL_ST_ACCEPT) | |||
#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) | |||
@@ -631,9 +621,7 @@ typedef struct ssl3_state_st | |||
#define SSL3_MT_FINISHED 20 | |||
#define SSL3_MT_CERTIFICATE_STATUS 22 | |||
#define SSL3_MT_SUPPLEMENTAL_DATA 23 | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
#define SSL3_MT_NEXT_PROTO 67 | |||
#endif | |||
#define SSL3_MT_ENCRYPTED_EXTENSIONS 203 | |||
#define DTLS1_MT_HELLO_VERIFY_REQUEST 3 | |||
@@ -249,10 +249,8 @@ extern "C" { | |||
/* ExtensionType value from RFC6962 */ | |||
#define TLSEXT_TYPE_certificate_timestamp 18 | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
/* This is not an IANA defined extension number */ | |||
#define TLSEXT_TYPE_next_proto_neg 13172 | |||
#endif | |||
/* This is not an IANA defined extension number */ | |||
#define TLSEXT_TYPE_channel_id 30031 | |||
@@ -259,9 +259,7 @@ struct x509_st | |||
STACK_OF(DIST_POINT) *crldp; | |||
STACK_OF(GENERAL_NAME) *altname; | |||
NAME_CONSTRAINTS *nc; | |||
#ifndef OPENSSL_NO_SHA | |||
unsigned char sha1_hash[SHA_DIGEST_LENGTH]; | |||
#endif | |||
X509_CERT_AUX *aux; | |||
} /* X509 */; | |||
@@ -433,9 +431,7 @@ struct X509_crl_st | |||
/* CRL and base CRL numbers for delta processing */ | |||
ASN1_INTEGER *crl_number; | |||
ASN1_INTEGER *base_crl_number; | |||
#ifndef OPENSSL_NO_SHA | |||
unsigned char sha1_hash[SHA_DIGEST_LENGTH]; | |||
#endif | |||
STACK_OF(GENERAL_NAMES) *issuers; | |||
const X509_CRL_METHOD *meth; | |||
void *meth_data; | |||
@@ -664,12 +660,10 @@ OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa); | |||
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); | |||
OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey); | |||
OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey); | |||
OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey); | |||
OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey); | |||
#endif | |||
OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8); | |||
OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8); | |||
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, | |||
@@ -701,12 +695,10 @@ OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa); | |||
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa); | |||
OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa); | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey); | |||
OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey); | |||
OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey); | |||
OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey); | |||
#endif | |||
OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8); | |||
OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8); | |||
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, | |||
@@ -770,11 +762,9 @@ OPENSSL_EXPORT int i2d_DSA_PUBKEY(const DSA *a,unsigned char **pp); | |||
OPENSSL_EXPORT DSA * d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp, | |||
long length); | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
OPENSSL_EXPORT int i2d_EC_PUBKEY(const EC_KEY *a, unsigned char **pp); | |||
OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, | |||
long length); | |||
#endif | |||
DECLARE_ASN1_FUNCTIONS(X509_SIG) | |||
DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO) | |||
@@ -946,10 +936,8 @@ OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a); | |||
OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b); | |||
OPENSSL_EXPORT unsigned long X509_subject_name_hash(X509 *x); | |||
#ifndef OPENSSL_NO_MD5 | |||
OPENSSL_EXPORT unsigned long X509_issuer_name_hash_old(X509 *a); | |||
OPENSSL_EXPORT unsigned long X509_subject_name_hash_old(X509 *x); | |||
#endif | |||
OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b); | |||
OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); | |||
@@ -289,9 +289,7 @@ static int ssl23_client_hello(SSL *s) | |||
* answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. | |||
*/ | |||
mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1 | |||
#if !defined(OPENSSL_NO_SSL3) | |||
|SSL_OP_NO_SSLv3 | |||
#endif | |||
; | |||
#if !defined(OPENSSL_NO_TLS1_2_CLIENT) | |||
version = TLS1_2_VERSION; | |||
@@ -305,11 +303,9 @@ static int ssl23_client_hello(SSL *s) | |||
if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) | |||
version = TLS1_VERSION; | |||
mask &= ~SSL_OP_NO_TLSv1; | |||
#if !defined(OPENSSL_NO_SSL3) | |||
if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) | |||
version = SSL3_VERSION; | |||
mask &= ~SSL_OP_NO_SSLv3; | |||
#endif | |||
buf=(unsigned char *)s->init_buf->data; | |||
if (s->state == SSL23_ST_CW_CLNT_HELLO_A) | |||
@@ -65,11 +65,9 @@ | |||
static const SSL_METHOD *ssl23_get_method(int ver); | |||
static const SSL_METHOD *ssl23_get_method(int ver) | |||
{ | |||
#ifndef OPENSSL_NO_SSL3 | |||
if (ver == SSL3_VERSION) | |||
return(SSLv3_method()); | |||
else | |||
#endif | |||
if (ver == TLS1_VERSION) | |||
return(TLSv1_method()); | |||
else if (ver == TLS1_1_VERSION) | |||
@@ -561,12 +561,10 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey) | |||
{ | |||
ret=SSL_PKEY_RSA_ENC; | |||
} | |||
#ifndef OPENSSL_NO_EC | |||
else if (i == EVP_PKEY_EC) | |||
{ | |||
ret = SSL_PKEY_ECC; | |||
} | |||
#endif | |||
err: | |||
if(!pkey) EVP_PKEY_free(pk); | |||
@@ -395,10 +395,8 @@ int ssl3_connect(SSL *s) | |||
s->state=SSL3_ST_CW_FINISHED_A; | |||
if (s->s3->tlsext_channel_id_valid) | |||
s->state=SSL3_ST_CW_CHANNEL_ID_A; | |||
# if !defined(OPENSSL_NO_NEXTPROTONEG) | |||
if (s->s3->next_proto_neg_seen) | |||
s->state=SSL3_ST_CW_NEXT_PROTO_A; | |||
# endif | |||
s->init_num=0; | |||
s->session->cipher=s->s3->tmp.new_cipher; | |||
@@ -417,7 +415,6 @@ int ssl3_connect(SSL *s) | |||
break; | |||
#if !defined(OPENSSL_NO_NEXTPROTONEG) | |||
case SSL3_ST_CW_NEXT_PROTO_A: | |||
case SSL3_ST_CW_NEXT_PROTO_B: | |||
ret=ssl3_send_next_proto(s); | |||
@@ -427,7 +424,6 @@ int ssl3_connect(SSL *s) | |||
else | |||
s->state=SSL3_ST_CW_FINISHED_A; | |||
break; | |||
#endif | |||
case SSL3_ST_CW_CHANNEL_ID_A: | |||
case SSL3_ST_CW_CHANNEL_ID_B: | |||
@@ -1147,14 +1143,10 @@ int ssl3_get_server_key_exchange(SSL *s) | |||
EVP_PKEY *pkey=NULL; | |||
const EVP_MD *md = NULL; | |||
RSA *rsa=NULL; | |||
#ifndef OPENSSL_NO_DH | |||
DH *dh=NULL; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
EC_KEY *ecdh = NULL; | |||
BN_CTX *bn_ctx = NULL; | |||
EC_POINT *srvr_ecpoint = NULL; | |||
#endif | |||
CBS server_key_exchange, server_key_exchange_orig, parameter; | |||
/* use same message size as in ssl3_get_certificate_request() | |||
@@ -1210,20 +1202,16 @@ int ssl3_get_server_key_exchange(SSL *s) | |||
RSA_free(s->session->sess_cert->peer_rsa_tmp); | |||
s->session->sess_cert->peer_rsa_tmp=NULL; | |||
} | |||
#ifndef OPENSSL_NO_DH | |||
if (s->session->sess_cert->peer_dh_tmp) | |||
{ | |||
DH_free(s->session->sess_cert->peer_dh_tmp); | |||
s->session->sess_cert->peer_dh_tmp=NULL; | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
if (s->session->sess_cert->peer_ecdh_tmp) | |||
{ | |||
EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); | |||
s->session->sess_cert->peer_ecdh_tmp=NULL; | |||
} | |||
#endif | |||
} | |||
else | |||
{ | |||
@@ -1272,8 +1260,7 @@ int ssl3_get_server_key_exchange(SSL *s) | |||
} | |||
} | |||
if (0) {} | |||
else if (alg_k & SSL_kRSA) | |||
if (alg_k & SSL_kRSA) | |||
{ | |||
CBS rsa_modulus, rsa_exponent; | |||
@@ -1321,7 +1308,6 @@ int ssl3_get_server_key_exchange(SSL *s) | |||
s->session->sess_cert->peer_rsa_tmp=rsa; | |||
rsa=NULL; | |||
} | |||
#ifndef OPENSSL_NO_DH | |||
else if (alg_k & SSL_kEDH) | |||
{ | |||
CBS dh_p, dh_g, dh_Ys; | |||
@@ -1373,9 +1359,7 @@ int ssl3_get_server_key_exchange(SSL *s) | |||
s->session->sess_cert->peer_dh_tmp=dh; | |||
dh=NULL; | |||
} | |||
#endif /* !OPENSSL_NO_DH */ | |||
#ifndef OPENSSL_NO_ECDH | |||
else if (alg_k & SSL_kEECDH) | |||
{ | |||
uint16_t curve_id; | |||
@@ -1453,10 +1437,8 @@ int ssl3_get_server_key_exchange(SSL *s) | |||
if (0) ; | |||
else if (alg_a & SSL_aRSA) | |||
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | |||
#ifndef OPENSSL_NO_ECDSA | |||
else if (alg_a & SSL_aECDSA) | |||
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); | |||
#endif | |||
/* else anonymous ECDH, so no certificate or pkey. */ | |||
EC_KEY_set_public_key(ecdh, srvr_ecpoint); | |||
s->session->sess_cert->peer_ecdh_tmp=ecdh; | |||
@@ -1466,7 +1448,6 @@ int ssl3_get_server_key_exchange(SSL *s) | |||
EC_POINT_free(srvr_ecpoint); | |||
srvr_ecpoint = NULL; | |||
} | |||
#endif /* !OPENSSL_NO_ECDH */ | |||
else if (!(alg_k & SSL_kPSK)) | |||
{ | |||
@@ -1576,16 +1557,12 @@ err: | |||
EVP_PKEY_free(pkey); | |||
if (rsa != NULL) | |||
RSA_free(rsa); | |||
#ifndef OPENSSL_NO_DH | |||
if (dh != NULL) | |||
DH_free(dh); | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
BN_CTX_free(bn_ctx); | |||
EC_POINT_free(srvr_ecpoint); | |||
if (ecdh != NULL) | |||
EC_KEY_free(ecdh); | |||
#endif | |||
EVP_MD_CTX_cleanup(&md_ctx); | |||
return(-1); | |||
} | |||
@@ -1913,7 +1890,6 @@ int ssl3_send_client_key_exchange(SSL *s) | |||
unsigned long alg_a; | |||
unsigned char *q; | |||
EVP_PKEY *pkey=NULL; | |||
#ifndef OPENSSL_NO_ECDH | |||
EC_KEY *clnt_ecdh = NULL; | |||
const EC_POINT *srvr_ecpoint = NULL; | |||
EVP_PKEY *srvr_pub_pkey = NULL; | |||
@@ -1922,7 +1898,6 @@ int ssl3_send_client_key_exchange(SSL *s) | |||
BN_CTX * bn_ctx = NULL; | |||
unsigned int psk_len = 0; | |||
unsigned char psk[PSK_MAX_PSK_LEN]; | |||
#endif /* OPENSSL_NO_ECDH */ | |||
if (s->state == SSL3_ST_CW_KEY_EXCH_A) | |||
{ | |||
@@ -2008,9 +1983,7 @@ int ssl3_send_client_key_exchange(SSL *s) | |||
} | |||
} | |||
/* Fool emacs indentation */ | |||
if (0) {} | |||
else if (alg_k & SSL_kRSA) | |||
if (alg_k & SSL_kRSA) | |||
{ | |||
RSA *rsa; | |||
unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; | |||
@@ -2070,7 +2043,6 @@ int ssl3_send_client_key_exchange(SSL *s) | |||
tmp_buf,sizeof tmp_buf); | |||
OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); | |||
} | |||
#ifndef OPENSSL_NO_DH | |||
else if (alg_k & SSL_kEDH) | |||
{ | |||
DH *dh_srvr,*dh_clnt; | |||
@@ -2131,9 +2103,7 @@ int ssl3_send_client_key_exchange(SSL *s) | |||
/* perhaps clean things up a bit EAY EAY EAY EAY*/ | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
else if (alg_k & SSL_kEECDH) | |||
{ | |||
const EC_GROUP *srvr_group = NULL; | |||
@@ -2286,7 +2256,6 @@ int ssl3_send_client_key_exchange(SSL *s) | |||
EC_KEY_free(clnt_ecdh); | |||
EVP_PKEY_free(srvr_pub_pkey); | |||
} | |||
#endif /* !OPENSSL_NO_ECDH */ | |||
else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK))) | |||
{ | |||
ssl3_send_alert(s, SSL3_AL_FATAL, | |||
@@ -2302,13 +2271,11 @@ int ssl3_send_client_key_exchange(SSL *s) | |||
/* SSL3_ST_CW_KEY_EXCH_B */ | |||
return ssl_do_write(s); | |||
err: | |||
#ifndef OPENSSL_NO_ECDH | |||
BN_CTX_free(bn_ctx); | |||
if (encodedPoint != NULL) OPENSSL_free(encodedPoint); | |||
if (clnt_ecdh != NULL) | |||
EC_KEY_free(clnt_ecdh); | |||
EVP_PKEY_free(srvr_pub_pkey); | |||
#endif | |||
return(-1); | |||
} | |||
@@ -2507,9 +2474,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) | |||
EVP_PKEY *pkey=NULL; | |||
SESS_CERT *sc; | |||
RSA *rsa; | |||
#ifndef OPENSSL_NO_DH | |||
DH *dh; | |||
#endif | |||
/* we don't have a certificate */ | |||
if (!ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) | |||
@@ -2526,14 +2491,11 @@ int ssl3_check_cert_and_algorithm(SSL *s) | |||
} | |||
rsa=s->session->sess_cert->peer_rsa_tmp; | |||
#ifndef OPENSSL_NO_DH | |||
dh=s->session->sess_cert->peer_dh_tmp; | |||
#endif | |||
/* This is the passed certificate */ | |||
idx=sc->peer_cert_type; | |||
#ifndef OPENSSL_NO_ECDH | |||
if (idx == SSL_PKEY_ECC) | |||
{ | |||
if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, | |||
@@ -2552,7 +2514,6 @@ int ssl3_check_cert_and_algorithm(SSL *s) | |||
OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_ECDSA_SIGNING_CERT); | |||
goto f_err; | |||
} | |||
#endif | |||
pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); | |||
i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); | |||
EVP_PKEY_free(pkey); | |||
@@ -2570,14 +2531,12 @@ int ssl3_check_cert_and_algorithm(SSL *s) | |||
OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_RSA_ENCRYPTING_CERT); | |||
goto f_err; | |||
} | |||
#ifndef OPENSSL_NO_DH | |||
if ((alg_k & SSL_kEDH) && | |||
!(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) | |||
{ | |||
OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_DH_KEY); | |||
goto f_err; | |||
} | |||
#endif | |||
return(1); | |||
f_err: | |||
@@ -2586,7 +2545,6 @@ err: | |||
return(0); | |||
} | |||
# if !defined(OPENSSL_NO_NEXTPROTONEG) | |||
int ssl3_send_next_proto(SSL *s) | |||
{ | |||
unsigned int len, padding_len; | |||
@@ -2611,7 +2569,6 @@ int ssl3_send_next_proto(SSL *s) | |||
return ssl3_do_write(s, SSL3_RT_HANDSHAKE); | |||
} | |||
# endif /* !OPENSSL_NO_NEXTPROTONEG */ | |||
int ssl3_send_channel_id(SSL *s) | |||
{ | |||
@@ -369,10 +369,8 @@ int ssl3_setup_key_block(SSL *s) | |||
if (s->session->cipher != NULL) | |||
{ | |||
#ifndef OPENSSL_NO_RC4 | |||
if (s->session->cipher->algorithm_enc == SSL_RC4) | |||
s->s3->need_record_splitting = 0; | |||
#endif | |||
} | |||
} | |||
@@ -578,7 +578,6 @@ const SSL_CIPHER ssl3_ciphers[]={ | |||
256, | |||
}, | |||
#ifndef OPENSSL_NO_ECDH | |||
/* Cipher C007 */ | |||
{ | |||
1, | |||
@@ -722,9 +721,7 @@ const SSL_CIPHER ssl3_ciphers[]={ | |||
256, | |||
256, | |||
}, | |||
#endif /* OPENSSL_NO_ECDH */ | |||
#ifndef OPENSSL_NO_ECDH | |||
/* HMAC based TLS v1.2 ciphersuites from RFC5289 */ | |||
@@ -878,7 +875,6 @@ const SSL_CIPHER ssl3_ciphers[]={ | |||
128, | |||
}, | |||
#endif /* OPENSSL_NO_ECDH */ | |||
{ | |||
1, | |||
@@ -1014,14 +1010,10 @@ void ssl3_free(SSL *s) | |||
ssl3_release_read_buffer(s); | |||
if (s->s3->wbuf.buf != NULL) | |||
ssl3_release_write_buffer(s); | |||
#ifndef OPENSSL_NO_DH | |||
if (s->s3->tmp.dh != NULL) | |||
DH_free(s->s3->tmp.dh); | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
if (s->s3->tmp.ecdh != NULL) | |||
EC_KEY_free(s->s3->tmp.ecdh); | |||
#endif | |||
if (s->s3->tmp.ca_names != NULL) | |||
sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); | |||
@@ -1052,20 +1044,16 @@ void ssl3_clear(SSL *s) | |||
OPENSSL_free(s->s3->tmp.certificate_types); | |||
s->s3->tmp.num_certificate_types = 0; | |||
#ifndef OPENSSL_NO_DH | |||
if (s->s3->tmp.dh != NULL) | |||
{ | |||
DH_free(s->s3->tmp.dh); | |||
s->s3->tmp.dh = NULL; | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
if (s->s3->tmp.ecdh != NULL) | |||
{ | |||
EC_KEY_free(s->s3->tmp.ecdh); | |||
s->s3->tmp.ecdh = NULL; | |||
} | |||
#endif | |||
rp = s->s3->rbuf.buf; | |||
wp = s->s3->wbuf.buf; | |||
rlen = s->s3->rbuf.len; | |||
@@ -1100,14 +1088,12 @@ void ssl3_clear(SSL *s) | |||
s->s3->in_read_app_data=0; | |||
s->version = s->method->version; | |||
#if !defined(OPENSSL_NO_NEXTPROTONEG) | |||
if (s->next_proto_negotiated) | |||
{ | |||
OPENSSL_free(s->next_proto_negotiated); | |||
s->next_proto_negotiated = NULL; | |||
s->next_proto_negotiated_len = 0; | |||
} | |||
#endif | |||
s->s3->tlsext_channel_id_valid = 0; | |||
} | |||
@@ -1118,14 +1104,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
{ | |||
int ret=0; | |||
if ( | |||
cmd == SSL_CTRL_SET_TMP_RSA || | |||
if (cmd == SSL_CTRL_SET_TMP_RSA || | |||
cmd == SSL_CTRL_SET_TMP_RSA_CB || | |||
#ifndef OPENSSL_NO_DSA | |||
cmd == SSL_CTRL_SET_TMP_DH || | |||
cmd == SSL_CTRL_SET_TMP_DH_CB || | |||
#endif | |||
0) | |||
cmd == SSL_CTRL_SET_TMP_DH_CB) | |||
{ | |||
if (!ssl_cert_inst(&s->cert)) | |||
{ | |||
@@ -1168,7 +1150,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
return(ret); | |||
} | |||
break; | |||
#ifndef OPENSSL_NO_DH | |||
case SSL_CTRL_SET_TMP_DH: | |||
{ | |||
DH *dh = (DH *)parg; | |||
@@ -1203,8 +1184,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
return(ret); | |||
} | |||
break; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
case SSL_CTRL_SET_TMP_ECDH: | |||
{ | |||
EC_KEY *ecdh = NULL; | |||
@@ -1241,7 +1220,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
return(ret); | |||
} | |||
break; | |||
#endif /* !OPENSSL_NO_ECDH */ | |||
case SSL_CTRL_SET_TLSEXT_HOSTNAME: | |||
if (larg == TLSEXT_NAMETYPE_host_name) | |||
{ | |||
@@ -1333,7 +1311,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
case SSL_CTRL_SELECT_CURRENT_CERT: | |||
return ssl_cert_select_current(s->cert, (X509 *)parg); | |||
#ifndef OPENSSL_NO_EC | |||
case SSL_CTRL_GET_CURVES: | |||
{ | |||
const uint16_t *clist; | |||
@@ -1367,7 +1344,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
case SSL_CTRL_SET_ECDH_AUTO: | |||
s->cert->ecdh_tmp_auto = larg; | |||
return 1; | |||
#endif | |||
case SSL_CTRL_SET_SIGALGS: | |||
return tls1_set_sigalgs(s->cert, parg, larg, 0); | |||
@@ -1426,25 +1402,17 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
EVP_PKEY *ptmp; | |||
int rv = 0; | |||
sc = s->session->sess_cert; | |||
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) | |||
if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp | |||
&& !sc->peer_ecdh_tmp) | |||
if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp) | |||
return 0; | |||
#endif | |||
ptmp = EVP_PKEY_new(); | |||
if (!ptmp) | |||
return 0; | |||
if (0); | |||
else if (sc->peer_rsa_tmp) | |||
if (sc->peer_rsa_tmp) | |||
rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp); | |||
#ifndef OPENSSL_NO_DH | |||
else if (sc->peer_dh_tmp) | |||
rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp); | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
else if (sc->peer_ecdh_tmp) | |||
rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp); | |||
#endif | |||
if (rv) | |||
{ | |||
*(EVP_PKEY **)parg = ptmp; | |||
@@ -1453,7 +1421,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
EVP_PKEY_free(ptmp); | |||
return 0; | |||
} | |||
#ifndef OPENSSL_NO_EC | |||
case SSL_CTRL_GET_EC_POINT_FORMATS: | |||
{ | |||
SSL_SESSION *sess = s->session; | |||
@@ -1463,7 +1430,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
*pformat = sess->tlsext_ecpointformatlist; | |||
return (int)sess->tlsext_ecpointformatlist_length; | |||
} | |||
#endif | |||
case SSL_CTRL_CHANNEL_ID: | |||
s->tlsext_channel_id_enabled = 1; | |||
@@ -1510,12 +1476,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) | |||
{ | |||
int ret=0; | |||
if ( | |||
cmd == SSL_CTRL_SET_TMP_RSA_CB || | |||
#ifndef OPENSSL_NO_DSA | |||
cmd == SSL_CTRL_SET_TMP_DH_CB || | |||
#endif | |||
0) | |||
if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) | |||
{ | |||
if (!ssl_cert_inst(&s->cert)) | |||
{ | |||
@@ -1529,20 +1490,16 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) | |||
case SSL_CTRL_SET_TMP_RSA_CB: | |||
/* Ignore the callback; temporary RSA keys are never used. */ | |||
break; | |||
#ifndef OPENSSL_NO_DH | |||
case SSL_CTRL_SET_TMP_DH_CB: | |||
{ | |||
s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; | |||
} | |||
break; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
case SSL_CTRL_SET_TMP_ECDH_CB: | |||
{ | |||
s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; | |||
} | |||
break; | |||
#endif | |||
case SSL_CTRL_SET_TLSEXT_DEBUG_CB: | |||
s->tlsext_debug_cb=(void (*)(SSL *,int ,int, | |||
unsigned char *, int, void *))fp; | |||
@@ -1573,7 +1530,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
return(0); | |||
} | |||
break; | |||
#ifndef OPENSSL_NO_DH | |||
case SSL_CTRL_SET_TMP_DH: | |||
{ | |||
DH *new=NULL,*dh; | |||
@@ -1605,8 +1561,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
return(0); | |||
} | |||
break; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
case SSL_CTRL_SET_TMP_ECDH: | |||
{ | |||
EC_KEY *ecdh = NULL; | |||
@@ -1646,7 +1600,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
return(0); | |||
} | |||
break; | |||
#endif /* !OPENSSL_NO_ECDH */ | |||
case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: | |||
ctx->tlsext_servername_arg=parg; | |||
break; | |||
@@ -1681,7 +1634,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
return 1; | |||
break; | |||
#ifndef OPENSSL_NO_EC | |||
case SSL_CTRL_SET_CURVES: | |||
return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, | |||
&ctx->tlsext_ellipticcurvelist_length, | |||
@@ -1690,7 +1642,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
case SSL_CTRL_SET_ECDH_AUTO: | |||
ctx->cert->ecdh_tmp_auto = larg; | |||
return 1; | |||
#endif | |||
case SSL_CTRL_SET_SIGALGS: | |||
return tls1_set_sigalgs(ctx->cert, parg, larg, 0); | |||
@@ -1792,20 +1743,16 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) | |||
case SSL_CTRL_SET_TMP_RSA_CB: | |||
/* Ignore the callback; temporary RSA keys are never used. */ | |||
break; | |||
#ifndef OPENSSL_NO_DH | |||
case SSL_CTRL_SET_TMP_DH_CB: | |||
{ | |||
cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; | |||
} | |||
break; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
case SSL_CTRL_SET_TMP_ECDH_CB: | |||
{ | |||
cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; | |||
} | |||
break; | |||
#endif | |||
case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: | |||
ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp; | |||
break; | |||
@@ -1959,12 +1906,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, | |||
c->name); | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
/* if we are considering an ECC cipher suite that uses | |||
* an ephemeral EC key check it */ | |||
if (alg_k & SSL_kEECDH) | |||
ok = ok && tls1_check_ec_tmp_key(s, c->id); | |||
#endif /* OPENSSL_NO_EC */ | |||
if (ok && sk_SSL_CIPHER_find(allow, &cipher_index, c)) | |||
{ | |||
@@ -2004,9 +1949,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) | |||
const unsigned char *sig; | |||
size_t i, siglen; | |||
int have_rsa_sign = 0; | |||
#ifndef OPENSSL_NO_ECDSA | |||
int have_ecdsa_sign = 0; | |||
#endif | |||
/* If we have custom certificate types set, use them */ | |||
if (s->cert->client_certificate_types) | |||
@@ -2025,18 +1968,15 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) | |||
have_rsa_sign = 1; | |||
break; | |||
#ifndef OPENSSL_NO_ECDSA | |||
case TLSEXT_signature_ecdsa: | |||
have_ecdsa_sign = 1; | |||
break; | |||
#endif | |||
} | |||
} | |||
if (have_rsa_sign) | |||
p[ret++]=SSL3_CT_RSA_SIGN; | |||
#ifndef OPENSSL_NO_ECDSA | |||
/* ECDSA certs can be used with RSA cipher suites as well | |||
* so we don't need to check for SSL_kECDH or SSL_kEECDH | |||
*/ | |||
@@ -2045,7 +1985,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) | |||
if (have_ecdsa_sign) | |||
p[ret++]=TLS_CT_ECDSA_SIGN; | |||
} | |||
#endif | |||
return(ret); | |||
} | |||
@@ -500,9 +500,7 @@ int ssl3_accept(SSL *s) | |||
case SSL3_ST_SR_CHANGE: { | |||
char next_proto_neg = 0; | |||
char channel_id = 0; | |||
# if !defined(OPENSSL_NO_NEXTPROTONEG) | |||
next_proto_neg = s->s3->next_proto_neg_seen; | |||
# endif | |||
channel_id = s->s3->tlsext_channel_id_valid; | |||
/* At this point, the next message must be entirely | |||
@@ -521,7 +519,6 @@ int ssl3_accept(SSL *s) | |||
break; | |||
} | |||
#if !defined(OPENSSL_NO_NEXTPROTONEG) | |||
case SSL3_ST_SR_NEXT_PROTO_A: | |||
case SSL3_ST_SR_NEXT_PROTO_B: | |||
ret=ssl3_get_next_proto(s); | |||
@@ -532,7 +529,6 @@ int ssl3_accept(SSL *s) | |||
else | |||
s->state=SSL3_ST_SR_FINISHED_A; | |||
break; | |||
#endif | |||
case SSL3_ST_SR_CHANNEL_ID_A: | |||
case SSL3_ST_SR_CHANNEL_ID_B: | |||
@@ -1280,16 +1276,12 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
int j,num; | |||
unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; | |||
unsigned int u; | |||
#ifndef OPENSSL_NO_DH | |||
DH *dh=NULL,*dhp; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
EC_KEY *ecdh=NULL, *ecdhp; | |||
unsigned char *encodedPoint = NULL; | |||
int encodedlen = 0; | |||
int curve_id = 0; | |||
BN_CTX *bn_ctx = NULL; | |||
#endif | |||
const char* psk_identity_hint = NULL; | |||
size_t psk_identity_hint_len = 0; | |||
EVP_PKEY *pkey; | |||
@@ -1326,7 +1318,6 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
psk_identity_hint_len = 0; | |||
n+=2+psk_identity_hint_len; | |||
} | |||
#ifndef OPENSSL_NO_DH | |||
if (alg_k & SSL_kEDH) | |||
{ | |||
dhp=cert->dh_tmp; | |||
@@ -1378,8 +1369,6 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
r[2]=dh->pub_key; | |||
} | |||
else | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
if (alg_k & SSL_kEECDH) | |||
{ | |||
const EC_GROUP *group; | |||
@@ -1504,7 +1493,6 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
r[3]=NULL; | |||
} | |||
else | |||
#endif /* !OPENSSL_NO_ECDH */ | |||
if (!(alg_k & SSL_kPSK)) | |||
{ | |||
al=SSL_AD_HANDSHAKE_FAILURE; | |||
@@ -1561,7 +1549,6 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
} | |||
} | |||
#ifndef OPENSSL_NO_ECDH | |||
if (alg_k & SSL_kEECDH) | |||
{ | |||
/* XXX: For now, we only support named (not generic) curves. | |||
@@ -1585,7 +1572,6 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
encodedPoint = NULL; | |||
p += encodedlen; | |||
} | |||
#endif /* OPENSSL_NO_ECDH */ | |||
/* not anonymous */ | |||
if (pkey != NULL) | |||
@@ -1669,10 +1655,8 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
f_err: | |||
ssl3_send_alert(s,SSL3_AL_FATAL,al); | |||
err: | |||
#ifndef OPENSSL_NO_ECDH | |||
if (encodedPoint != NULL) OPENSSL_free(encodedPoint); | |||
BN_CTX_free(bn_ctx); | |||
#endif | |||
EVP_MD_CTX_cleanup(&md_ctx); | |||
return(-1); | |||
} | |||
@@ -1777,19 +1761,15 @@ int ssl3_get_client_key_exchange(SSL *s) | |||
RSA *rsa=NULL; | |||
uint8_t *decrypt_buf = NULL; | |||
EVP_PKEY *pkey=NULL; | |||
#ifndef OPENSSL_NO_DH | |||
BIGNUM *pub=NULL; | |||
DH *dh_srvr; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
EC_KEY *srvr_ecdh = NULL; | |||
EVP_PKEY *clnt_pub_pkey = NULL; | |||
EC_POINT *clnt_ecpoint = NULL; | |||
BN_CTX *bn_ctx = NULL; | |||
unsigned int psk_len = 0; | |||
unsigned char psk[PSK_MAX_PSK_LEN]; | |||
#endif | |||
n=s->method->ssl_get_message(s, | |||
SSL3_ST_SR_KEY_EXCH_A, | |||
@@ -2018,7 +1998,6 @@ int ssl3_get_client_key_exchange(SSL *s) | |||
premaster_secret_len = sizeof(rand_premaster_secret); | |||
} | |||
#ifndef OPENSSL_NO_DH | |||
else if (alg_k & SSL_kEDH) | |||
{ | |||
CBS dh_Yc; | |||
@@ -2071,9 +2050,7 @@ int ssl3_get_client_key_exchange(SSL *s) | |||
premaster_secret_len = dh_len; | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
else if (alg_k & SSL_kEECDH) | |||
{ | |||
int field_size = 0, ecdh_len; | |||
@@ -2168,7 +2145,6 @@ int ssl3_get_client_key_exchange(SSL *s) | |||
premaster_secret_len = ecdh_len; | |||
} | |||
#endif | |||
else if (alg_k & SSL_kPSK) | |||
{ | |||
/* For plain PSK, other_secret is a block of 0s with the same | |||
@@ -2238,13 +2214,11 @@ err: | |||
} | |||
if (decrypt_buf) | |||
OPENSSL_free(decrypt_buf); | |||
#ifndef OPENSSL_NO_ECDH | |||
EVP_PKEY_free(clnt_pub_pkey); | |||
EC_POINT_free(clnt_ecpoint); | |||
if (srvr_ecdh != NULL) | |||
EC_KEY_free(srvr_ecdh); | |||
BN_CTX_free(bn_ctx); | |||
#endif | |||
return(-1); | |||
} | |||
@@ -2712,7 +2686,6 @@ int ssl3_send_cert_status(SSL *s) | |||
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | |||
} | |||
# ifndef OPENSSL_NO_NEXTPROTONEG | |||
/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It | |||
* sets the next_proto member in s if found */ | |||
int ssl3_get_next_proto(SSL *s) | |||
@@ -2771,7 +2744,6 @@ int ssl3_get_next_proto(SSL *s) | |||
return 1; | |||
} | |||
# endif | |||
/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */ | |||
int ssl3_get_channel_id(SSL *s) | |||
@@ -161,9 +161,7 @@ void ssl_cert_set_default_md(CERT *cert) | |||
/* Set digest values to defaults */ | |||
cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); | |||
cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); | |||
#ifndef OPENSSL_NO_ECDSA | |||
cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); | |||
#endif | |||
} | |||
CERT *ssl_cert_new(void) | |||
@@ -205,7 +203,6 @@ CERT *ssl_cert_dup(CERT *cert) | |||
ret->mask_k = cert->mask_k; | |||
ret->mask_a = cert->mask_a; | |||
#ifndef OPENSSL_NO_DH | |||
if (cert->dh_tmp != NULL) | |||
{ | |||
ret->dh_tmp = DHparams_dup(cert->dh_tmp); | |||
@@ -236,9 +233,7 @@ CERT *ssl_cert_dup(CERT *cert) | |||
} | |||
} | |||
ret->dh_tmp_cb = cert->dh_tmp_cb; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
if (cert->ecdh_tmp) | |||
{ | |||
ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); | |||
@@ -250,7 +245,6 @@ CERT *ssl_cert_dup(CERT *cert) | |||
} | |||
ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; | |||
ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; | |||
#endif | |||
for (i = 0; i < SSL_PKEY_NUM; i++) | |||
{ | |||
@@ -366,17 +360,11 @@ CERT *ssl_cert_dup(CERT *cert) | |||
return(ret); | |||
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) | |||
err: | |||
#endif | |||
#ifndef OPENSSL_NO_DH | |||
if (ret->dh_tmp != NULL) | |||
DH_free(ret->dh_tmp); | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
if (ret->ecdh_tmp != NULL) | |||
EC_KEY_free(ret->ecdh_tmp); | |||
#endif | |||
ssl_cert_clear_certs(ret); | |||
@@ -418,12 +406,8 @@ void ssl_cert_free(CERT *c) | |||
if(c == NULL) | |||
return; | |||
#ifndef OPENSSL_NO_DH | |||
if (c->dh_tmp) DH_free(c->dh_tmp); | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp); | |||
#endif | |||
ssl_cert_clear_certs(c); | |||
if (c->peer_sigalgs) | |||
@@ -591,14 +575,10 @@ void ssl_sess_cert_free(SESS_CERT *sc) | |||
if (sc->peer_rsa_tmp != NULL) | |||
RSA_free(sc->peer_rsa_tmp); | |||
#ifndef OPENSSL_NO_DH | |||
if (sc->peer_dh_tmp != NULL) | |||
DH_free(sc->peer_dh_tmp); | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
if (sc->peer_ecdh_tmp != NULL) | |||
EC_KEY_free(sc->peer_ecdh_tmp); | |||
#endif | |||
OPENSSL_free(sc); | |||
} | |||
@@ -289,7 +289,6 @@ int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead) | |||
(c->algorithm2 & SSL_CIPHER_ALGORITHM2_STATEFUL_AEAD) == 0) | |||
return 0; | |||
#ifndef OPENSSL_NO_AES | |||
switch (c->algorithm_enc) | |||
{ | |||
case SSL_AES128GCM: | |||
@@ -308,7 +307,6 @@ int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead) | |||
return 0; | |||
return 1; | |||
} | |||
#endif | |||
return 0; | |||
} | |||
@@ -344,7 +344,6 @@ SSL *SSL_new(SSL_CTX *ctx) | |||
s->tlsext_ocsp_resplen = -1; | |||
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); | |||
s->initial_ctx=ctx; | |||
#ifndef OPENSSL_NO_EC | |||
if (ctx->tlsext_ecpointformatlist) | |||
{ | |||
s->tlsext_ecpointformatlist = | |||
@@ -365,10 +364,7 @@ SSL *SSL_new(SSL_CTX *ctx) | |||
s->tlsext_ellipticcurvelist_length = | |||
ctx->tlsext_ellipticcurvelist_length; | |||
} | |||
#endif | |||
# ifndef OPENSSL_NO_NEXTPROTONEG | |||
s->next_proto_negotiated = NULL; | |||
# endif | |||
if (s->ctx->alpn_client_proto_list) | |||
{ | |||
@@ -672,10 +668,8 @@ void SSL_free(SSL *s) | |||
if (s->tlsext_hostname) | |||
OPENSSL_free(s->tlsext_hostname); | |||
if (s->initial_ctx) SSL_CTX_free(s->initial_ctx); | |||
#ifndef OPENSSL_NO_EC | |||
if (s->tlsext_ecpointformatlist) OPENSSL_free(s->tlsext_ecpointformatlist); | |||
if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist); | |||
#endif /* OPENSSL_NO_EC */ | |||
if (s->tlsext_ocsp_exts) | |||
sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, | |||
X509_EXTENSION_free); | |||
@@ -701,10 +695,8 @@ void SSL_free(SSL *s) | |||
if (s->ctx) SSL_CTX_free(s->ctx); | |||
#if !defined(OPENSSL_NO_NEXTPROTONEG) | |||
if (s->next_proto_negotiated) | |||
OPENSSL_free(s->next_proto_negotiated); | |||
#endif | |||
if (s->srtp_profiles) | |||
sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); | |||
@@ -1773,7 +1765,6 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsi | |||
return status; | |||
} | |||
# ifndef OPENSSL_NO_NEXTPROTONEG | |||
/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's | |||
* requested protocol for this connection and returns 0. If the client didn't | |||
* request any protocol, then *data is set to NULL. | |||
@@ -1822,7 +1813,6 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned | |||
ctx->next_proto_select_cb = cb; | |||
ctx->next_proto_select_cb_arg = arg; | |||
} | |||
# endif | |||
/* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|. | |||
* |protos| must be in wire-format (i.e. a series of non-empty, 8-bit | |||
@@ -2035,10 +2025,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) | |||
ret->tlsext_status_cb = 0; | |||
ret->tlsext_status_arg = NULL; | |||
# ifndef OPENSSL_NO_NEXTPROTONEG | |||
ret->next_protos_advertised_cb = 0; | |||
ret->next_proto_select_cb = 0; | |||
# endif | |||
ret->psk_identity_hint=NULL; | |||
ret->psk_client_callback=NULL; | |||
ret->psk_server_callback=NULL; | |||
@@ -2117,12 +2105,10 @@ void SSL_CTX_free(SSL_CTX *a) | |||
if (a->psk_identity_hint) | |||
OPENSSL_free(a->psk_identity_hint); | |||
# ifndef OPENSSL_NO_EC | |||
if (a->tlsext_ecpointformatlist) | |||
OPENSSL_free(a->tlsext_ecpointformatlist); | |||
if (a->tlsext_ellipticcurvelist) | |||
OPENSSL_free(a->tlsext_ellipticcurvelist); | |||
# endif /* OPENSSL_NO_EC */ | |||
if (a->alpn_client_proto_list != NULL) | |||
OPENSSL_free(a->alpn_client_proto_list); | |||
@@ -2174,34 +2160,20 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
CERT_PKEY *cpk; | |||
int rsa_enc,rsa_sign,dh_tmp; | |||
unsigned long mask_k,mask_a; | |||
#ifndef OPENSSL_NO_ECDSA | |||
int have_ecc_cert, ecdsa_ok; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
int have_ecdh_tmp; | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
X509 *x = NULL; | |||
#endif | |||
if (c == NULL) return; | |||
#ifndef OPENSSL_NO_DH | |||
dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); | |||
#else | |||
dh_tmp=0; | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto); | |||
#endif | |||
cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); | |||
rsa_enc= cpk->valid_flags & CERT_PKEY_VALID; | |||
cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); | |||
rsa_sign= cpk->valid_flags & CERT_PKEY_SIGN; | |||
cpk= &(c->pkeys[SSL_PKEY_ECC]); | |||
#ifndef OPENSSL_NO_EC | |||
have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID; | |||
#endif | |||
mask_k=0; | |||
mask_a=0; | |||
@@ -2226,7 +2198,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
/* An ECC certificate may be usable for ECDSA cipher suites depending on | |||
* the key usage extension. */ | |||
#ifndef OPENSSL_NO_EC | |||
if (have_ecc_cert) | |||
{ | |||
cpk = &c->pkeys[SSL_PKEY_ECC]; | |||
@@ -2237,21 +2208,16 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; | |||
if (!(cpk->valid_flags & CERT_PKEY_SIGN)) | |||
ecdsa_ok = 0; | |||
#ifndef OPENSSL_NO_ECDSA | |||
if (ecdsa_ok) | |||
{ | |||
mask_a|=SSL_aECDSA; | |||
} | |||
#endif | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
if (have_ecdh_tmp) | |||
{ | |||
mask_k|=SSL_kEECDH; | |||
} | |||
#endif | |||
mask_k |= SSL_kPSK; | |||
mask_a |= SSL_aPSK; | |||
@@ -2265,7 +2231,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
#define ku_reject(x, usage) \ | |||
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) | |||
#ifndef OPENSSL_NO_EC | |||
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) | |||
{ | |||
@@ -2295,7 +2260,6 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) | |||
return 1; /* all checks are ok */ | |||
} | |||
#endif | |||
static int ssl_get_server_cert_index(const SSL *s) | |||
{ | |||
@@ -2964,7 +2928,6 @@ RSA *cb(SSL *ssl,int is_export,int keylength) | |||
* \param dh the callback | |||
*/ | |||
#ifndef OPENSSL_NO_DH | |||
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, | |||
int keylength)) | |||
{ | |||
@@ -2976,9 +2939,7 @@ void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, | |||
{ | |||
SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export, | |||
int keylength)) | |||
{ | |||
@@ -2990,7 +2951,6 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export, | |||
{ | |||
SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); | |||
} | |||
#endif | |||
int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) | |||
{ | |||
@@ -3144,11 +3104,7 @@ int ssl3_can_cutthrough(const SSL *s) | |||
return 0; | |||
/* require ALPN or NPN extension */ | |||
if (!s->s3->alpn_selected | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
&& !s->s3->next_proto_neg_seen | |||
#endif | |||
) | |||
if (!s->s3->alpn_selected && !s->s3->next_proto_neg_seen) | |||
{ | |||
return 0; | |||
} | |||
@@ -415,14 +415,12 @@ | |||
#define PENDING_SESSION -10000 | |||
#define CERTIFICATE_SELECTION_PENDING -10001 | |||
#ifndef OPENSSL_NO_EC | |||
/* From ECC-TLS draft, used in encoding the curve type in | |||
* ECParameters | |||
*/ | |||
#define EXPLICIT_PRIME_CURVE_TYPE 1 | |||
#define EXPLICIT_CHAR2_CURVE_TYPE 2 | |||
#define NAMED_CURVE_TYPE 3 | |||
#endif /* OPENSSL_NO_EC */ | |||
/* Values for the |hash_message| parameter of |s->method->ssl_get_message|. */ | |||
#define SSL_GET_MESSAGE_DONT_HASH_MESSAGE 0 | |||
@@ -463,17 +461,13 @@ typedef struct cert_st | |||
unsigned long mask_a; | |||
/* Client only */ | |||
unsigned long mask_ssl; | |||
#ifndef OPENSSL_NO_DH | |||
DH *dh_tmp; | |||
DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize); | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
EC_KEY *ecdh_tmp; | |||
/* Callback for generating ephemeral ECDH keys */ | |||
EC_KEY *(*ecdh_tmp_cb)(SSL *ssl,int is_export,int keysize); | |||
/* Select ECDH parameters automatically */ | |||
int ecdh_tmp_auto; | |||
#endif | |||
/* Flags related to certificates */ | |||
unsigned int cert_flags; | |||
CERT_PKEY pkeys[SSL_PKEY_NUM]; | |||
@@ -549,12 +543,8 @@ typedef struct sess_cert_st | |||
* so maybe we shouldn't even use the CERT_PKEY type here. */ | |||
RSA *peer_rsa_tmp; /* not used for SSL 2 */ | |||
#ifndef OPENSSL_NO_DH | |||
DH *peer_dh_tmp; /* not used for SSL 2 */ | |||
#endif | |||
#ifndef OPENSSL_NO_ECDH | |||
EC_KEY *peer_ecdh_tmp; | |||
#endif | |||
} SESS_CERT; | |||
/* Structure containing decoded values of signature algorithms extension */ | |||
struct tls_sigalgs_st | |||
@@ -990,10 +980,8 @@ int ssl3_send_client_key_exchange(SSL *s); | |||
int ssl3_get_server_key_exchange(SSL *s); | |||
int ssl3_get_server_certificate(SSL *s); | |||
int ssl3_check_cert_and_algorithm(SSL *s); | |||
# ifndef OPENSSL_NO_NEXTPROTONEG | |||
int ssl3_send_next_proto(SSL *s); | |||
int ssl3_send_channel_id(SSL *s); | |||
# endif | |||
int dtls1_client_hello(SSL *s); | |||
@@ -1007,10 +995,8 @@ int ssl3_send_server_done(SSL *s); | |||
int ssl3_get_client_certificate(SSL *s); | |||
int ssl3_get_client_key_exchange(SSL *s); | |||
int ssl3_get_cert_verify(SSL *s); | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
int ssl3_get_next_proto(SSL *s); | |||
int ssl3_get_channel_id(SSL *s); | |||
#endif | |||
int ssl23_accept(SSL *s); | |||
int ssl23_connect(SSL *s); | |||
@@ -1050,12 +1036,9 @@ int tls1_alert_code(int code); | |||
int ssl3_alert_code(int code); | |||
int ssl_ok(SSL *s); | |||
#ifndef OPENSSL_NO_ECDH | |||
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); | |||
#endif | |||
char ssl_early_callback_init(struct ssl_early_callback_ctx *ctx); | |||
#ifndef OPENSSL_NO_EC | |||
int tls1_ec_curve_id2nid(uint16_t curve_id); | |||
uint16_t tls1_ec_nid2curve_id(int nid); | |||
@@ -1078,7 +1061,6 @@ int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len, | |||
const int *curves, size_t ncurves); | |||
int tls1_check_ec_tmp_key(SSL *s, unsigned long id); | |||
#endif /* OPENSSL_NO_EC */ | |||
int tls1_shared_list(SSL *s, | |||
const unsigned char *l1, size_t l1len, | |||
@@ -710,12 +710,10 @@ void SSL_SESSION_free(SSL_SESSION *ss) | |||
if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); | |||
if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname); | |||
if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick); | |||
#ifndef OPENSSL_NO_EC | |||
ss->tlsext_ecpointformatlist_length = 0; | |||
if (ss->tlsext_ecpointformatlist != NULL) OPENSSL_free(ss->tlsext_ecpointformatlist); | |||
ss->tlsext_ellipticcurvelist_length = 0; | |||
if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist); | |||
#endif /* OPENSSL_NO_EC */ | |||
if (ss->tlsext_signed_cert_timestamp_list != NULL) | |||
OPENSSL_free(ss->tlsext_signed_cert_timestamp_list); | |||
if (ss->psk_identity_hint != NULL) | |||
@@ -101,7 +101,6 @@ case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break; | |||
case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break; | |||
case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break; | |||
#ifndef OPENSSL_NO_SSL3 | |||
/* SSLv3 additions */ | |||
case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break; | |||
case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break; | |||
@@ -169,9 +168,7 @@ case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break; | |||
case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break; | |||
case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break; | |||
case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break; | |||
#endif | |||
#if !defined(OPENSSL_NO_SSL3) | |||
/* SSLv2/v3 compatibility states */ | |||
/* client */ | |||
case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break; | |||
@@ -182,7 +179,6 @@ case SSL23_ST_CR_SRVR_HELLO_B: str="SSLv2/v3 read server hello B"; break; | |||
case SSL23_ST_SR_CLNT_HELLO: str="SSLv2/v3 read client hello"; break; | |||
case SSL23_ST_SR_V2_CLNT_HELLO: str="SSLv2/v3 read v2 client hello"; break; | |||
case SSL23_ST_SR_SWITCH_VERSION: str="SSLv2/v3 switch version"; break; | |||
#endif | |||
/* DTLS */ | |||
case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DTLS1 read hello verify request A"; break; | |||
@@ -220,7 +216,6 @@ case SSL_ST_ACCEPT: str="AINIT "; break; | |||
case SSL_ST_CONNECT: str="CINIT "; break; | |||
case SSL_ST_OK: str="SSLOK "; break; | |||
#ifndef OPENSSL_NO_SSL3 | |||
/* SSLv3 additions */ | |||
case SSL3_ST_SW_FLUSH: | |||
case SSL3_ST_CW_FLUSH: str="3FLUSH"; break; | |||
@@ -283,9 +278,7 @@ case SSL3_ST_SR_KEY_EXCH_A: str="3RCKEA"; break; | |||
case SSL3_ST_SR_KEY_EXCH_B: str="3RCKEB"; break; | |||
case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break; | |||
case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break; | |||
#endif | |||
#if !defined(OPENSSL_NO_SSL3) | |||
/* SSLv2/v3 compatibility states */ | |||
/* client */ | |||
case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break; | |||
@@ -296,7 +289,6 @@ case SSL23_ST_CR_SRVR_HELLO_B: str="23RSHA"; break; | |||
case SSL23_ST_SR_CLNT_HELLO: str="23RCH_"; break; | |||
case SSL23_ST_SR_V2_CLNT_HELLO: str="23R2CH"; break; | |||
case SSL23_ST_SR_SWITCH_VERSION: str="23RSW_"; break; | |||
#endif | |||
/* DTLS */ | |||
case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DRCHVA"; break; | |||
case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DRCHVB"; break; | |||
@@ -675,10 +675,8 @@ printf("\nkey block\n"); | |||
if (s->session->cipher != NULL) | |||
{ | |||
#ifndef OPENSSL_NO_RC4 | |||
if (s->session->cipher->algorithm_enc == SSL_RC4) | |||
s->s3->need_record_splitting = 0; | |||
#endif | |||
} | |||
} | |||
@@ -365,7 +365,6 @@ SSL_early_callback_ctx_extension_get(const struct ssl_early_callback_ctx *ctx, | |||
return 0; | |||
} | |||
#ifndef OPENSSL_NO_EC | |||
static const int nid_list[] = | |||
{ | |||
@@ -704,14 +703,6 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) | |||
#endif | |||
} | |||
#else | |||
static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) | |||
{ | |||
return 1; | |||
} | |||
#endif /* OPENSSL_NO_EC */ | |||
/* List of supported signature algorithms and hashes. Should make this | |||
@@ -720,11 +711,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) | |||
#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, | |||
#ifdef OPENSSL_NO_ECDSA | |||
#define tlsext_sigalg_ecdsa(md) /* */ | |||
#else | |||
#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, | |||
#endif | |||
#define tlsext_sigalg(md) \ | |||
tlsext_sigalg_rsa(md) \ | |||
@@ -735,9 +722,7 @@ static const uint8_t tls12_sigalgs[] = { | |||
tlsext_sigalg(TLSEXT_hash_sha384) | |||
tlsext_sigalg(TLSEXT_hash_sha256) | |||
tlsext_sigalg(TLSEXT_hash_sha224) | |||
#ifndef OPENSSL_NO_SHA | |||
tlsext_sigalg(TLSEXT_hash_sha1) | |||
#endif | |||
}; | |||
size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs) | |||
{ | |||
@@ -793,7 +778,6 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, | |||
*out_alert = SSL_AD_ILLEGAL_PARAMETER; | |||
return 0; | |||
} | |||
#ifndef OPENSSL_NO_EC | |||
if (pkey->type == EVP_PKEY_EC) | |||
{ | |||
uint16_t curve_id; | |||
@@ -811,7 +795,6 @@ int tls12_check_peer_sigalg(const EVP_MD **out_md, int *out_alert, | |||
return 0; | |||
} | |||
} | |||
#endif | |||
/* Check signature matches a type we sent */ | |||
sent_sigslen = tls12_get_psigalgs(s, &sent_sigs); | |||
@@ -872,11 +855,9 @@ void ssl_set_client_disabled(SSL *s) | |||
case TLSEXT_signature_rsa: | |||
have_rsa = 1; | |||
break; | |||
#ifndef OPENSSL_NO_ECDSA | |||
case TLSEXT_signature_ecdsa: | |||
have_ecdsa = 1; | |||
break; | |||
#endif | |||
} | |||
} | |||
/* Disable auth if we don't include any appropriate signature | |||
@@ -907,7 +888,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
int extdatalen=0; | |||
unsigned char *ret = buf; | |||
unsigned char *orig = buf; | |||
#ifndef OPENSSL_NO_EC | |||
/* See if we support any ECC ciphersuites */ | |||
int using_ecc = 0; | |||
if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) | |||
@@ -929,7 +909,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
} | |||
} | |||
} | |||
#endif | |||
/* don't add extensions for SSLv3 unless doing secure renegotiation */ | |||
if (s->client_version == SSL3_VERSION | |||
@@ -1097,7 +1076,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) | |||
{ | |||
/* The client advertises an emtpy extension to indicate its | |||
@@ -1107,7 +1085,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
s2n(TLSEXT_TYPE_next_proto_neg,ret); | |||
s2n(0,ret); | |||
} | |||
#endif | |||
if (s->signed_cert_timestamps_enabled && !s->s3->tmp.finish_md_len) | |||
{ | |||
@@ -1163,7 +1140,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
ret += el; | |||
} | |||
#ifndef OPENSSL_NO_EC | |||
if (using_ecc) | |||
{ | |||
/* Add TLS extension ECPointFormats to the ClientHello message */ | |||
@@ -1213,7 +1189,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
s2n(curves[i], ret); | |||
} | |||
} | |||
#endif /* OPENSSL_NO_EC */ | |||
#ifdef TLSEXT_TYPE_padding | |||
/* Add padding to workaround bugs in F5 terminators. | |||
@@ -1258,15 +1233,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
int extdatalen=0; | |||
unsigned char *orig = buf; | |||
unsigned char *ret = buf; | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
int next_proto_neg_seen; | |||
#endif | |||
#ifndef OPENSSL_NO_EC | |||
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |||
unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; | |||
int using_ecc = (alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA); | |||
using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); | |||
#endif | |||
/* don't add extensions for SSLv3, unless doing secure renegotiation */ | |||
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) | |||
return orig; | |||
@@ -1306,7 +1277,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
ret += el; | |||
} | |||
#ifndef OPENSSL_NO_EC | |||
if (using_ecc) | |||
{ | |||
const unsigned char *plist; | |||
@@ -1332,7 +1302,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
} | |||
/* Currently the server should not respond with a SupportedCurves extension */ | |||
#endif /* OPENSSL_NO_EC */ | |||
if (s->tlsext_ticket_expected | |||
&& !(SSL_get_options(s) & SSL_OP_NO_TICKET)) | |||
@@ -1368,7 +1337,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
ret+=el; | |||
} | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
next_proto_neg_seen = s->s3->next_proto_neg_seen; | |||
s->s3->next_proto_neg_seen = 0; | |||
if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) | |||
@@ -1388,7 +1356,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c | |||
s->s3->next_proto_neg_seen = 1; | |||
} | |||
} | |||
#endif | |||
if (s->s3->alpn_selected) | |||
{ | |||
@@ -1486,9 +1453,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
s->servername_done = 0; | |||
s->tlsext_status_type = -1; | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
s->s3->next_proto_neg_seen = 0; | |||
#endif | |||
if (s->s3->alpn_selected) | |||
{ | |||
@@ -1660,7 +1625,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
} | |||
} | |||
#ifndef OPENSSL_NO_EC | |||
else if (type == TLSEXT_TYPE_ec_point_formats) | |||
{ | |||
CBS ec_point_format_list; | |||
@@ -1729,7 +1693,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
s->session->tlsext_ellipticcurvelist_length = num_curves; | |||
} | |||
} | |||
#endif /* OPENSSL_NO_EC */ | |||
else if (type == TLSEXT_TYPE_session_ticket) | |||
{ | |||
if (s->tls_session_ticket_ext_cb && | |||
@@ -1895,7 +1858,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
} | |||
#endif | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
else if (type == TLSEXT_TYPE_next_proto_neg && | |||
s->s3->tmp.finish_md_len == 0 && | |||
s->s3->alpn_selected == NULL) | |||
@@ -1924,7 +1886,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
* Finished message could have been computed.) */ | |||
s->s3->next_proto_neg_seen = 1; | |||
} | |||
#endif | |||
else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && | |||
s->ctx->alpn_select_cb && | |||
@@ -1932,10 +1893,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
{ | |||
if (!tls1_alpn_handle_client_hello(s, &extension, out_alert)) | |||
return 0; | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
/* ALPN takes precedence over NPN. */ | |||
s->s3->next_proto_neg_seen = 0; | |||
#endif | |||
} | |||
else if (type == TLSEXT_TYPE_channel_id && | |||
@@ -2009,7 +1968,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, CBS *cbs) | |||
return 1; | |||
} | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No | |||
* elements of zero length are allowed and the set of elements must exactly fill | |||
* the length of the block. */ | |||
@@ -2028,7 +1986,6 @@ static char ssl_next_proto_validate(const CBS *cbs) | |||
} | |||
return 1; | |||
} | |||
#endif | |||
static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
{ | |||
@@ -2036,9 +1993,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
int renegotiate_seen = 0; | |||
CBS extensions; | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
s->s3->next_proto_neg_seen = 0; | |||
#endif | |||
s->tlsext_ticket_expected = 0; | |||
@@ -2097,7 +2052,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
} | |||
tlsext_servername = 1; | |||
} | |||
#ifndef OPENSSL_NO_EC | |||
else if (type == TLSEXT_TYPE_ec_point_formats) | |||
{ | |||
CBS ec_point_format_list; | |||
@@ -2120,7 +2074,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
} | |||
} | |||
} | |||
#endif /* OPENSSL_NO_EC */ | |||
else if (type == TLSEXT_TYPE_session_ticket) | |||
{ | |||
if (s->tls_session_ticket_ext_cb && | |||
@@ -2156,7 +2109,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
/* Set a flag to expect a CertificateStatus message */ | |||
s->tlsext_status_expected = 1; | |||
} | |||
#ifndef OPENSSL_NO_NEXTPROTONEG | |||
else if (type == TLSEXT_TYPE_next_proto_neg && s->s3->tmp.finish_md_len == 0) { | |||
unsigned char *selected; | |||
unsigned char selected_len; | |||
@@ -2192,7 +2144,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) | |||
s->next_proto_negotiated_len = selected_len; | |||
s->s3->next_proto_neg_seen = 1; | |||
} | |||
#endif | |||
else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) | |||
{ | |||
CBS protocol_name_list, protocol_name; | |||
@@ -2335,14 +2286,12 @@ static int ssl_check_clienthello_tlsext_early(SSL *s) | |||
int ret=SSL_TLSEXT_ERR_NOACK; | |||
int al = SSL_AD_UNRECOGNIZED_NAME; | |||
#ifndef OPENSSL_NO_EC | |||
/* The handling of the ECPointFormats extension is done elsewhere, namely in | |||
* ssl3_choose_cipher in s3_lib.c. | |||
*/ | |||
/* The handling of the EllipticCurves extension is done elsewhere, namely in | |||
* ssl3_choose_cipher in s3_lib.c. | |||
*/ | |||
#endif | |||
if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) | |||
ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); | |||
@@ -2436,7 +2385,6 @@ int ssl_check_serverhello_tlsext(SSL *s) | |||
int ret=SSL_TLSEXT_ERR_NOACK; | |||
int al = SSL_AD_UNRECOGNIZED_NAME; | |||
#ifndef OPENSSL_NO_EC | |||
/* If we are client and using an elliptic curve cryptography cipher | |||
* suite, then if server returns an EC point formats lists extension | |||
* it must contain uncompressed. | |||
@@ -2467,7 +2415,6 @@ int ssl_check_serverhello_tlsext(SSL *s) | |||
} | |||
} | |||
ret = SSL_TLSEXT_ERR_OK; | |||
#endif /* OPENSSL_NO_EC */ | |||
if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) | |||
ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); | |||
@@ -2812,14 +2759,10 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg) | |||
{ | |||
switch(hash_alg) | |||
{ | |||
#ifndef OPENSSL_NO_MD5 | |||
case TLSEXT_hash_md5: | |||
return EVP_md5(); | |||
#endif | |||
#ifndef OPENSSL_NO_SHA | |||
case TLSEXT_hash_sha1: | |||
return EVP_sha1(); | |||
#endif | |||
case TLSEXT_hash_sha224: | |||
return EVP_sha224(); | |||
@@ -2842,10 +2785,8 @@ static int tls12_get_pkey_idx(unsigned char sig_alg) | |||
{ | |||
case TLSEXT_signature_rsa: | |||
return SSL_PKEY_RSA_SIGN; | |||
#ifndef OPENSSL_NO_ECDSA | |||
case TLSEXT_signature_ecdsa: | |||
return SSL_PKEY_ECC; | |||
#endif | |||
} | |||
return -1; | |||
} | |||
@@ -3050,10 +2991,8 @@ int tls1_process_sigalgs(SSL *s, const CBS *sigalgs) | |||
c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); | |||
c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); | |||
} | |||
#ifndef OPENSSL_NO_ECDSA | |||
if (!c->pkeys[SSL_PKEY_ECC].digest) | |||
c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); | |||
#endif | |||
} | |||
return 1; | |||
} | |||