Nothing calls this anymore. DHE is nearly gone. This unblocks us from making key_exchange_info only apply to the curve. Change-Id: I3099e7222a62441df6e01411767d48166a0729b1 Reviewed-on: https://boringssl-review.googlesource.com/12691 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>kris/onging/CECPQ3_patch15
@@ -2026,15 +2026,6 @@ OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl, | |||||
DH *(*dh)(SSL *ssl, int is_export, | DH *(*dh)(SSL *ssl, int is_export, | ||||
int keylength)); | int keylength)); | ||||
/* SSL_get_dhe_group_size returns the number of bits in the most recently | |||||
* completed handshake's selected group's prime, or zero if not | |||||
* applicable. Note, however, that validating this value does not ensure the | |||||
* server selected a secure group. | |||||
* | |||||
* TODO(davidben): This API currently does not work correctly if there is a | |||||
* renegotiation in progress. Fix this. */ | |||||
OPENSSL_EXPORT unsigned SSL_get_dhe_group_size(const SSL *ssl); | |||||
/* Certificate verification. | /* Certificate verification. | ||||
* | * | ||||
@@ -2424,19 +2424,6 @@ void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*callback)(SSL *ssl, int is_export, | |||||
ssl->cert->dh_tmp_cb = callback; | ssl->cert->dh_tmp_cb = callback; | ||||
} | } | ||||
unsigned SSL_get_dhe_group_size(const SSL *ssl) { | |||||
/* TODO(davidben): This checks the wrong session if there is a renegotiation in | |||||
* progress. */ | |||||
SSL_SESSION *session = SSL_get_session(ssl); | |||||
if (session == NULL || | |||||
session->cipher == NULL || | |||||
!SSL_CIPHER_is_DHE(session->cipher)) { | |||||
return 0; | |||||
} | |||||
return session->key_exchange_info; | |||||
} | |||||
int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { | int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { | ||||
if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { | if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { | ||||
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); | OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); | ||||
@@ -1368,16 +1368,6 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume) { | |||||
} | } | ||||
} | } | ||||
if (config->expect_dhe_group_size != 0) { | |||||
unsigned dhe_group_size = SSL_get_dhe_group_size(ssl); | |||||
if (static_cast<unsigned>(config->expect_dhe_group_size) != | |||||
dhe_group_size) { | |||||
fprintf(stderr, "dhe_group_size was %u, wanted %d\n", dhe_group_size, | |||||
config->expect_dhe_group_size); | |||||
return false; | |||||
} | |||||
} | |||||
uint16_t cipher_id = | uint16_t cipher_id = | ||||
static_cast<uint16_t>(SSL_CIPHER_get_id(SSL_get_current_cipher(ssl))); | static_cast<uint16_t>(SSL_CIPHER_get_id(SSL_get_current_cipher(ssl))); | ||||
if (config->expect_cipher_aes != 0 && | if (config->expect_cipher_aes != 0 && | ||||
@@ -8106,33 +8106,6 @@ func addCurveTests() { | |||||
}) | }) | ||||
} | } | ||||
func addDHEGroupSizeTests() { | |||||
testCases = append(testCases, testCase{ | |||||
name: "DHEGroupSize-Client", | |||||
config: Config{ | |||||
MaxVersion: VersionTLS12, | |||||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||||
Bugs: ProtocolBugs{ | |||||
// This is a 1234-bit prime number, generated | |||||
// with: | |||||
// openssl gendh 1234 | openssl asn1parse -i | |||||
DHGroupPrime: bigFromHex("0215C589A86BE450D1255A86D7A08877A70E124C11F0C75E476BA6A2186B1C830D4A132555973F2D5881D5F737BB800B7F417C01EC5960AEBF79478F8E0BBB6A021269BD10590C64C57F50AD8169D5488B56EE38DC5E02DA1A16ED3B5F41FEB2AD184B78A31F3A5B2BEC8441928343DA35DE3D4F89F0D4CEDE0034045084A0D1E6182E5EF7FCA325DD33CE81BE7FA87D43613E8FA7A1457099AB53"), | |||||
}, | |||||
}, | |||||
flags: []string{"-expect-dhe-group-size", "1234"}, | |||||
}) | |||||
testCases = append(testCases, testCase{ | |||||
testType: serverTest, | |||||
name: "DHEGroupSize-Server", | |||||
config: Config{ | |||||
MaxVersion: VersionTLS12, | |||||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||||
}, | |||||
// bssl_shim as a server configures a 2048-bit DHE group. | |||||
flags: []string{"-expect-dhe-group-size", "2048"}, | |||||
}) | |||||
} | |||||
func addTLS13RecordTests() { | func addTLS13RecordTests() { | ||||
testCases = append(testCases, testCase{ | testCases = append(testCases, testCase{ | ||||
name: "TLS13-RecordPadding", | name: "TLS13-RecordPadding", | ||||
@@ -9862,7 +9835,6 @@ func main() { | |||||
addCustomExtensionTests() | addCustomExtensionTests() | ||||
addRSAClientKeyExchangeTests() | addRSAClientKeyExchangeTests() | ||||
addCurveTests() | addCurveTests() | ||||
addDHEGroupSizeTests() | |||||
addSessionTicketTests() | addSessionTicketTests() | ||||
addTLS13RecordTests() | addTLS13RecordTests() | ||||
addAllStateMachineCoverageTests() | addAllStateMachineCoverageTests() | ||||
@@ -164,7 +164,6 @@ const Flag<int> kIntFlags[] = { | |||||
{ "-expect-peer-signature-algorithm", | { "-expect-peer-signature-algorithm", | ||||
&TestConfig::expect_peer_signature_algorithm }, | &TestConfig::expect_peer_signature_algorithm }, | ||||
{ "-expect-curve-id", &TestConfig::expect_curve_id }, | { "-expect-curve-id", &TestConfig::expect_curve_id }, | ||||
{ "-expect-dhe-group-size", &TestConfig::expect_dhe_group_size }, | |||||
{ "-initial-timeout-duration-ms", &TestConfig::initial_timeout_duration_ms }, | { "-initial-timeout-duration-ms", &TestConfig::initial_timeout_duration_ms }, | ||||
{ "-max-cert-list", &TestConfig::max_cert_list }, | { "-max-cert-list", &TestConfig::max_cert_list }, | ||||
{ "-expect-cipher-aes", &TestConfig::expect_cipher_aes }, | { "-expect-cipher-aes", &TestConfig::expect_cipher_aes }, | ||||
@@ -107,7 +107,6 @@ struct TestConfig { | |||||
bool enable_all_curves = false; | bool enable_all_curves = false; | ||||
bool use_sparse_dh_prime = false; | bool use_sparse_dh_prime = false; | ||||
int expect_curve_id = 0; | int expect_curve_id = 0; | ||||
int expect_dhe_group_size = 0; | |||||
bool use_old_client_cert_callback = false; | bool use_old_client_cert_callback = false; | ||||
int initial_timeout_duration_ms = 0; | int initial_timeout_duration_ms = 0; | ||||
bool use_null_client_ca_list = false; | bool use_null_client_ca_list = false; | ||||
@@ -242,10 +242,6 @@ void PrintConnectionInfo(const SSL *ssl) { | |||||
if (curve != 0) { | if (curve != 0) { | ||||
fprintf(stderr, " ECDHE curve: %s\n", SSL_get_curve_name(curve)); | fprintf(stderr, " ECDHE curve: %s\n", SSL_get_curve_name(curve)); | ||||
} | } | ||||
unsigned dhe_bits = SSL_get_dhe_group_size(ssl); | |||||
if (dhe_bits != 0) { | |||||
fprintf(stderr, " DHE group size: %u bits\n", dhe_bits); | |||||
} | |||||
uint16_t sigalg = SSL_get_peer_signature_algorithm(ssl); | uint16_t sigalg = SSL_get_peer_signature_algorithm(ssl); | ||||
if (sigalg != 0) { | if (sigalg != 0) { | ||||
fprintf(stderr, " Signature algorithm: %s\n", | fprintf(stderr, " Signature algorithm: %s\n", | ||||