Remove SSL_get_dhe_group_size.

Nothing calls this anymore. DHE is nearly gone. This unblocks us from
making key_exchange_info only apply to the curve.

Change-Id: I3099e7222a62441df6e01411767d48166a0729b1
Reviewed-on: https://boringssl-review.googlesource.com/12691
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

include/openssl/ssl.h

@@ -2026,15 +2026,6 @@ OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl,
                                             DH *(*dh)(SSL *ssl, int is_export,
                                                       int keylength));
 
-/* SSL_get_dhe_group_size returns the number of bits in the most recently
- * completed handshake's selected group's prime, or zero if not
- * applicable. Note, however, that validating this value does not ensure the
- * server selected a secure group.
- *
- * TODO(davidben): This API currently does not work correctly if there is a
- * renegotiation in progress. Fix this. */
-OPENSSL_EXPORT unsigned SSL_get_dhe_group_size(const SSL *ssl);
-
 
 /* Certificate verification.
  *

ssl/ssl_lib.c

@@ -2424,19 +2424,6 @@ void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*callback)(SSL *ssl, int is_export,
   ssl->cert->dh_tmp_cb = callback;
 }
 
-unsigned SSL_get_dhe_group_size(const SSL *ssl) {
-  /* TODO(davidben): This checks the wrong session if there is a renegotiation in
-   * progress. */
-  SSL_SESSION *session = SSL_get_session(ssl);
-  if (session == NULL ||
-      session->cipher == NULL ||
-      !SSL_CIPHER_is_DHE(session->cipher)) {
-    return 0;
-  }
-
-  return session->key_exchange_info;
-}
-
 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
   if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);

ssl/test/bssl_shim.cc

@@ -1368,16 +1368,6 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume) {
     }
   }
 
-  if (config->expect_dhe_group_size != 0) {
-    unsigned dhe_group_size = SSL_get_dhe_group_size(ssl);
-    if (static_cast<unsigned>(config->expect_dhe_group_size) !=
-        dhe_group_size) {
-      fprintf(stderr, "dhe_group_size was %u, wanted %d\n", dhe_group_size,
-              config->expect_dhe_group_size);
-      return false;
-    }
-  }
-
   uint16_t cipher_id =
       static_cast<uint16_t>(SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)));
   if (config->expect_cipher_aes != 0 &&

ssl/test/runner/runner.go

@@ -8106,33 +8106,6 @@ func addCurveTests() {
 	})
 }
 
-func addDHEGroupSizeTests() {
-	testCases = append(testCases, testCase{
-		name: "DHEGroupSize-Client",
-		config: Config{
-			MaxVersion:   VersionTLS12,
-			CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
-			Bugs: ProtocolBugs{
-				// This is a 1234-bit prime number, generated
-				// with:
-				// openssl gendh 1234 | openssl asn1parse -i
-				DHGroupPrime: bigFromHex("0215C589A86BE450D1255A86D7A08877A70E124C11F0C75E476BA6A2186B1C830D4A132555973F2D5881D5F737BB800B7F417C01EC5960AEBF79478F8E0BBB6A021269BD10590C64C57F50AD8169D5488B56EE38DC5E02DA1A16ED3B5F41FEB2AD184B78A31F3A5B2BEC8441928343DA35DE3D4F89F0D4CEDE0034045084A0D1E6182E5EF7FCA325DD33CE81BE7FA87D43613E8FA7A1457099AB53"),
-			},
-		},
-		flags: []string{"-expect-dhe-group-size", "1234"},
-	})
-	testCases = append(testCases, testCase{
-		testType: serverTest,
-		name:     "DHEGroupSize-Server",
-		config: Config{
-			MaxVersion:   VersionTLS12,
-			CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
-		},
-		// bssl_shim as a server configures a 2048-bit DHE group.
-		flags: []string{"-expect-dhe-group-size", "2048"},
-	})
-}
-
 func addTLS13RecordTests() {
 	testCases = append(testCases, testCase{
 		name: "TLS13-RecordPadding",
@@ -9862,7 +9835,6 @@ func main() {
 	addCustomExtensionTests()
 	addRSAClientKeyExchangeTests()
 	addCurveTests()
-	addDHEGroupSizeTests()
 	addSessionTicketTests()
 	addTLS13RecordTests()
 	addAllStateMachineCoverageTests()

ssl/test/test_config.cc

@@ -164,7 +164,6 @@ const Flag<int> kIntFlags[] = {
   { "-expect-peer-signature-algorithm",
     &TestConfig::expect_peer_signature_algorithm },
   { "-expect-curve-id", &TestConfig::expect_curve_id },
-  { "-expect-dhe-group-size", &TestConfig::expect_dhe_group_size },
   { "-initial-timeout-duration-ms", &TestConfig::initial_timeout_duration_ms },
   { "-max-cert-list", &TestConfig::max_cert_list },
   { "-expect-cipher-aes", &TestConfig::expect_cipher_aes },

ssl/test/test_config.h

@@ -107,7 +107,6 @@ struct TestConfig {
   bool enable_all_curves = false;
   bool use_sparse_dh_prime = false;
   int expect_curve_id = 0;
-  int expect_dhe_group_size = 0;
   bool use_old_client_cert_callback = false;
   int initial_timeout_duration_ms = 0;
   bool use_null_client_ca_list = false;

tool/transport_common.cc

@@ -242,10 +242,6 @@ void PrintConnectionInfo(const SSL *ssl) {
   if (curve != 0) {
     fprintf(stderr, "  ECDHE curve: %s\n", SSL_get_curve_name(curve));
   }
-  unsigned dhe_bits = SSL_get_dhe_group_size(ssl);
-  if (dhe_bits != 0) {
-    fprintf(stderr, "  DHE group size: %u bits\n", dhe_bits);
-  }
   uint16_t sigalg = SSL_get_peer_signature_algorithm(ssl);
   if (sigalg != 0) {
     fprintf(stderr, "  Signature algorithm: %s\n",