From c045469817ddd0b1891a8f0e2cf031bfc11c844f Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Mon, 27 Apr 2015 00:28:56 -0400 Subject: [PATCH] Promote a few more macros. Next batch. Mostly a bunch of deprecated things. This switches SSL_CTX_set_tmp_rsa from always failing to always succeeding. The latter is probably a safer behavior; a consumer may defensively set a temporary RSA key. We'll successfully "set it" and just never use the result. Change-Id: Idd3d6bf4fc1a20bc9a26605bb9c77c9f799f993c Reviewed-on: https://boringssl-review.googlesource.com/4566 Reviewed-by: Adam Langley --- include/openssl/ssl.h | 57 +++++++++++++++++++++++++-------------- ssl/s3_lib.c | 62 +++++++++++++++++++------------------------ 2 files changed, 65 insertions(+), 54 deletions(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 27c7449e..e12135da 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1573,16 +1573,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_ERROR_PENDING_SESSION 11 #define SSL_ERROR_PENDING_CERTIFICATE 12 -#define SSL_CTRL_NEED_TMP_RSA 1 -#define SSL_CTRL_SET_TMP_RSA 2 #define SSL_CTRL_SET_TMP_DH 3 #define SSL_CTRL_SET_TMP_ECDH 4 -#define SSL_CTRL_GET_SESSION_REUSED 8 -#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9 -#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10 -#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12 -#define SSL_CTRL_GET_FLAGS 13 #define SSL_CTRL_EXTRA_CHAIN_CERT 14 /* see tls1.h for macros based on these */ @@ -1647,17 +1640,17 @@ OPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, OPENSSL_timeval *out); * WARNING: This function breaks the usual return value convention. */ OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl); -#define SSL_session_reused(ssl) \ - SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL) -#define SSL_num_renegotiations(ssl) \ - SSL_ctrl((ssl), SSL_CTRL_GET_NUM_RENEGOTIATIONS, 0, NULL) -#define SSL_total_renegotiations(ssl) \ - SSL_ctrl((ssl), SSL_CTRL_GET_TOTAL_RENEGOTIATIONS, 0, NULL) +/* SSL_session_reused returns one if |ssl| performed an abbreviated handshake + * and zero otherwise. + * + * TODO(davidben): Hammer down the semantics of this API while a handshake, + * initial or renego, is in progress. */ +OPENSSL_EXPORT int SSL_session_reused(const SSL *ssl); + +/* SSL_total_renegotiations returns the total number of renegotiation handshakes + * peformed by |ssl|. This includes the pending renegotiation, if any. */ +OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl); -#define SSL_CTX_need_tmp_RSA(ctx) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_NEED_TMP_RSA, 0, NULL) -#define SSL_CTX_set_tmp_rsa(ctx, rsa) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_RSA, 0, (char *)rsa) #define SSL_CTX_set_tmp_dh(ctx, dh) \ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, (char *)dh) @@ -1669,9 +1662,6 @@ OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl); #define SSL_CTX_set_tmp_ecdh(ctx, ecdh) \ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, (char *)ecdh) -#define SSL_need_tmp_RSA(ssl) SSL_ctrl(ssl, SSL_CTRL_NEED_TMP_RSA, 0, NULL) -#define SSL_set_tmp_rsa(ssl, rsa) \ - SSL_ctrl(ssl, SSL_CTRL_SET_TMP_RSA, 0, (char *)rsa) #define SSL_set_tmp_dh(ssl, dh) \ SSL_ctrl(ssl, SSL_CTRL_SET_TMP_DH, 0, (char *)dh) @@ -2356,6 +2346,21 @@ OPENSSL_EXPORT int SSL_CTX_sess_cache_full(const SSL_CTX *ctx); /* SSL_cutthrough_complete calls |SSL_in_false_start|. */ OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *s); +/* SSL_num_renegotiations calls |SSL_total_renegotiations|. */ +OPENSSL_EXPORT int SSL_num_renegotiations(const SSL *ssl); + +/* SSL_CTX_need_tmp_RSA returns zero. */ +OPENSSL_EXPORT int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx); + +/* SSL_need_tmp_RSA returns zero. */ +OPENSSL_EXPORT int SSL_need_tmp_RSA(const SSL *ssl); + +/* SSL_CTX_set_tmp_rsa returns one. */ +OPENSSL_EXPORT int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa); + +/* SSL_set_tmp_rsa returns one. */ +OPENSSL_EXPORT int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa); + /* Android compatibility section. * @@ -2386,9 +2391,14 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused); * constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this * section defines a number of legacy macros. */ +#define SSL_CTRL_NEED_TMP_RSA doesnt_exist +#define SSL_CTRL_SET_TMP_RSA doesnt_exist #define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist #define SSL_CTRL_SET_TMP_DH_CB doesnt_exist #define SSL_CTRL_SET_TMP_ECDH_CB doesnt_exist +#define SSL_CTRL_GET_SESSION_REUSED doesnt_exist +#define SSL_CTRL_GET_NUM_RENEGOTIATIONS doesnt_exist +#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS doesnt_exist #define SSL_CTRL_SET_MSG_CALLBACK doesnt_exist #define SSL_CTRL_SET_MSG_CALLBACK_ARG doesnt_exist #define SSL_CTRL_SET_MTU doesnt_exist @@ -2412,6 +2422,13 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused); #define SSL_CTRL_CLEAR_OPTIONS doesnt_exist #define SSL_CTRL_CLEAR_MODE doesnt_exist +#define SSL_CTX_need_tmp_RSA SSL_CTX_need_tmp_RSA +#define SSL_need_tmp_RSA SSL_need_tmp_RSA +#define SSL_CTX_set_tmp_rsa SSL_CTX_set_tmp_rsa +#define SSL_set_tmp_rsa SSL_set_tmp_rsa +#define SSL_session_reused SSL_session_reused +#define SSL_num_renegotiations SSL_num_renegotiations +#define SSL_total_renegotiations SSL_total_renegotiations #define SSL_CTX_set_msg_callback_arg SSL_CTX_set_msg_callback_arg #define SSL_set_msg_callback_arg SSL_set_msg_callback_arg #define SSL_set_mtu SSL_set_mtu diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index d31d69d0..59e7a9a2 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -577,36 +577,38 @@ void ssl3_free(SSL *s) { static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len); +int SSL_session_reused(const SSL *ssl) { + return ssl->hit; +} + +int SSL_total_renegotiations(const SSL *ssl) { + return ssl->s3->total_renegotiations; +} + +int SSL_num_renegotiations(const SSL *ssl) { + return SSL_total_renegotiations(ssl); +} + +int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) { + return 0; +} + +int SSL_need_rsa(const SSL *ssl) { + return 0; +} + +int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) { + return 1; +} + +int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { + return 1; +} + long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { int ret = 0; switch (cmd) { - case SSL_CTRL_GET_SESSION_REUSED: - ret = s->hit; - break; - - case SSL_CTRL_GET_CLIENT_CERT_REQUEST: - break; - - case SSL_CTRL_GET_NUM_RENEGOTIATIONS: - case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: - ret = s->s3->total_renegotiations; - break; - - case SSL_CTRL_GET_FLAGS: - ret = (int)(s->s3->flags); - break; - - case SSL_CTRL_NEED_TMP_RSA: - /* Temporary RSA keys are never used. */ - ret = 0; - break; - - case SSL_CTRL_SET_TMP_RSA: - /* Temporary RSA keys are never used. */ - OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - break; - case SSL_CTRL_SET_TMP_DH: DH_free(s->cert->dh_tmp); s->cert->dh_tmp = DHparams_dup((DH *)parg); @@ -806,14 +808,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { cert = ctx->cert; switch (cmd) { - case SSL_CTRL_NEED_TMP_RSA: - /* Temporary RSA keys are never used. */ - return 0; - - case SSL_CTRL_SET_TMP_RSA: - OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - case SSL_CTRL_SET_TMP_DH: DH_free(cert->dh_tmp); cert->dh_tmp = DHparams_dup((DH *)parg);