From: Matt Caswell Date: Wed, 13 Jan 2021 12:39:40 +0000 (+0000) Subject: Remove OPENSSL_NO_DH guards from libssl X-Git-Tag: openssl-3.0.0-alpha12~119 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5b64ce89b0859956387cda1d56718d2a5f09d928;p=thirdparty%2Fopenssl.git Remove OPENSSL_NO_DH guards from libssl This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that libssl is entirely using the EVP APIs and implementations can be plugged in via providers it is no longer needed to disable DH at compile time in libssl. Instead it should detect at runtime whether DH is available from the loaded providers. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) --- diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index a6c87ad75d3..4152ef5dcb2 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3360,12 +3360,10 @@ void ssl3_free(SSL *s) ssl3_cleanup_key_block(s); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.peer_tmp); s->s3.peer_tmp = NULL; EVP_PKEY_free(s->s3.tmp.pkey); s->s3.tmp.pkey = NULL; -#endif ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); ssl_evp_md_free(s->s3.tmp.new_hash); @@ -3396,10 +3394,8 @@ int ssl3_clear(SSL *s) OPENSSL_free(s->s3.tmp.peer_sigalgs); OPENSSL_free(s->s3.tmp.peer_cert_sigalgs); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.tmp.pkey); EVP_PKEY_free(s->s3.peer_tmp); -#endif /* !OPENSSL_NO_EC */ ssl3_free_digest_list(s); @@ -3452,7 +3448,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_FLAGS: ret = (int)(s->s3.flags); break; -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { EVP_PKEY *pkdh = NULL; @@ -3477,7 +3473,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_DH_AUTO: s->cert->dh_tmp_auto = larg; return 1; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { if (parg == NULL) { @@ -3610,7 +3606,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } return ssl_cert_set_current(s->cert, larg); -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_GET_GROUPS: { uint16_t *clist; @@ -3656,7 +3651,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_NEGOTIATED_GROUP: ret = tls1_group_id2nid(s->s3.group_id, 1); break; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -3707,7 +3701,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 1; case SSL_CTRL_GET_PEER_TMP_KEY: -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) if (s->session == NULL || s->s3.peer_tmp == NULL) { return 0; } else { @@ -3715,12 +3708,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(EVP_PKEY **)parg = s->s3.peer_tmp; return 1; } -#else - return 0; -#endif case SSL_CTRL_GET_TMP_KEY: -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) if (s->session == NULL || s->s3.tmp.pkey == NULL) { return 0; } else { @@ -3728,9 +3717,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(EVP_PKEY **)parg = s->s3.tmp.pkey; return 1; } -#else - return 0; -#endif #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: @@ -3755,7 +3741,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) int ret = 0; switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; ret = 1; @@ -3780,7 +3766,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { EVP_PKEY *pkdh = NULL; @@ -3804,7 +3790,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_DH_AUTO: ctx->cert->dh_tmp_auto = larg; return 1; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_ECDH: { if (parg == NULL) { @@ -3911,7 +3897,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; #endif -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) case SSL_CTRL_SET_GROUPS: return tls1_set_groups(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, @@ -3921,7 +3906,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_groups_list(ctx, &ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, parg); -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -4004,7 +3988,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { switch (cmd) { -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: { ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -4820,10 +4804,8 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) goto err; } -#ifndef OPENSSL_NO_DH - if (SSL_IS_TLS13(s) && EVP_PKEY_id(privkey) == EVP_PKEY_DH) + if (SSL_IS_TLS13(s) && EVP_PKEY_is_a(privkey, "DH")) EVP_PKEY_CTX_set_dh_pad(pctx, 1); -#endif pms = OPENSSL_malloc(pmslen); if (pms == NULL) { diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 93608beddca..a9d9b9ca06e 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -95,9 +95,8 @@ CERT *ssl_cert_dup(CERT *cert) ret->dh_tmp = cert->dh_tmp; EVP_PKEY_up_ref(ret->dh_tmp); } -#ifndef OPENSSL_NO_DH + ret->dh_tmp_cb = cert->dh_tmp_cb; -#endif ret->dh_tmp_auto = cert->dh_tmp_auto; for (i = 0; i < SSL_PKEY_NUM; i++) { diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5adc6f71a9b..a87da32c625 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3505,9 +3505,7 @@ void ssl_set_masks(SSL *s) return; dh_tmp = (c->dh_tmp != NULL -#ifndef OPENSSL_NO_DH || c->dh_tmp_cb != NULL -#endif || c->dh_tmp_auto); rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; @@ -4483,27 +4481,6 @@ int SSL_want(const SSL *s) return s->rwstate; } -/** - * \brief Set the callback for generating temporary DH keys. - * \param ctx the SSL context. - * \param dh the callback - */ - -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) -void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, - DH *(*dh) (SSL *ssl, int is_export, - int keylength)) -{ - SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); -} - -void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, - int keylength)) -{ - SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); -} -#endif - #ifndef OPENSSL_NO_PSK int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) { diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 1b8a43d131c..fa1130e59df 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2009,9 +2009,7 @@ typedef struct cert_st { CERT_PKEY *key; EVP_PKEY *dh_tmp; -#ifndef OPENSSL_NO_DH DH *(*dh_tmp_cb) (SSL *ssl, int is_export, int keysize); -#endif int dh_tmp_auto; /* Flags related to certificates */ uint32_t cert_flags; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 35e45d59a19..e4007b37deb 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1725,11 +1725,7 @@ static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, OPENSSL_free(extensions); extensions = NULL; - if (s->ext.tls13_cookie_len == 0 -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) - && s->s3.tmp.pkey != NULL -#endif - ) { + if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { /* * We didn't receive a cookie or a new key_share so the next * ClientHello will not change @@ -2186,10 +2182,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) save_param_start = *pkt; -#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EVP_PKEY_free(s->s3.peer_tmp); s->s3.peer_tmp = NULL; -#endif if (alg_k & SSL_PSK) { if (!tls_process_ske_psk_preamble(s, pkt)) { @@ -3569,12 +3563,11 @@ int ssl3_check_cert_and_algorithm(SSL *s) SSL_R_MISSING_RSA_ENCRYPTING_CERT); return 0; } -#ifndef OPENSSL_NO_DH + if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } -#endif return 1; } diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 8ae8ddc0521..03c4d2ba810 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2466,7 +2466,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } else { pkdhp = cert->dh_tmp; } -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#if !defined(OPENSSL_NO_DEPRECATED_3_0) if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024)); if (pkdh == NULL) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 7328c8e2b17..1438244d320 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -191,7 +191,7 @@ static const unsigned char ecformats_default[] = { TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 }; -#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */ +#endif /* !defined(OPENSSL_NO_EC) */ /* The default curves */ #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 7ecb61e79ca..0b21ff76696 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -144,9 +144,9 @@ HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx) } /* Some deprecated public APIs pass DH objects */ -# ifndef OPENSSL_NO_DH EVP_PKEY *ssl_dh_to_pkey(DH *dh) { +# ifndef OPENSSL_NO_DH EVP_PKEY *ret; if (dh == NULL) @@ -157,14 +157,16 @@ EVP_PKEY *ssl_dh_to_pkey(DH *dh) return NULL; } return ret; -} +# else + return NULL; # endif +} /* Some deprecated public APIs pass EC_KEY objects */ -# ifndef OPENSSL_NO_EC int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, void *key) { +# ifndef OPENSSL_NO_EC const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key); int nid; @@ -176,6 +178,28 @@ int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen, if (nid == NID_undef) return 0; return tls1_set_groups(pext, pextlen, &nid, 1); +# else + return 0; +# endif +} + +/* + * Set the callback for generating temporary DH keys. + * ctx: the SSL context. + * dh: the callback + */ +# if !defined(OPENSSL_NO_DH) +void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, + DH *(*dh) (SSL *ssl, int is_export, + int keylength)) +{ + SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); +} + +void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, + int keylength)) +{ + SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); } # endif -#endif +#endif /* OPENSSL_NO_DEPRECATED */