From: Frederik Wedel-Heinen
Date: Thu, 2 May 2024 14:21:44 +0000 (+0200)
Subject: Check that both tls1.3 and dtls1.3 is disabled before removing code from compilation...
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=36561a2aa0be08ff4955ecd73e3279469d86de75;p=thirdparty%2Fopenssl.git
Check that both tls1.3 and dtls1.3 is disabled before removing code from compilation path.
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/22275)
---
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 4d5ea66974b..70053c57a11 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1363,7 +1363,7 @@ static int final_supported_versions(SSL_CONNECTION *s, unsigned int context,
 static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
 {
-#if !defined(OPENSSL_NO_TLS1_3)
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 if (!SSL_CONNECTION_IS_VERSION13(s))
 return 1;
@@ -1528,7 +1528,7 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
 return 0;
 }
 }
-#endif /* !defined(OPENSSL_NO_TLS1_3) */
+#endif /* !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_DTLS1_3) */
 return 1;
 }
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index d07d2ee187f..ea8812becaf 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -617,7 +617,7 @@ EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
 unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
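Review bot: The new `#endif` comment in the second extensions.c hunk does not describe the guard it closes: the `#if` at the top of final_key_share is `!(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))`, i.e. the block is compiled whenever either TLS 1.3 or DTLS 1.3 is enabled, while the comment `!defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_DTLS1_3)` says both must be enabled. With roughly 165 lines between the two directives, a reader at the `#endif` will draw the wrong conclusion about when the key_share sanity checks are active. Mirror the condition verbatim: `#endif /* !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) */`. The body of final_key_share between the two hunks is not shown here.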
@@ -639,7 +639,7 @@ EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
 return EXT_RETURN_SENT;
 }
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id)
 {
 unsigned char *encoded_point = NULL;
@@ -700,7 +700,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
 unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 size_t i, num_groups = 0;
 const uint16_t *pgroups = NULL;
 uint16_t curve_id = 0;
@@ -1044,7 +1044,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
 unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 uint32_t agesec, agems = 0;
 size_t binderoffset, msglen;
 int reshashsize = 0, pskhashsize = 0;
@@ -1253,7 +1253,7 @@ EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pk
 ossl_unused X509 *x, ossl_unused size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 if (!s->pha_enabled)
 return EXT_RETURN_NOT_SENT;
@@ -1853,7 +1853,7 @@ int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
 unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 unsigned int group_id;
 PACKET encoded_pt;
 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
@@ -2066,7 +2066,7 @@ int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
 unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 unsigned int identity;
 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
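Review bot: The compound predicate `!(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))` is spelled out by hand at every `#if` in this file, starting with the guard above add_key_share here and repeated in the five hunks that follow, and again across extensions.c and extensions_srvr.c. A negated conjunction copied that many times is easy to get subtly wrong, and the extensions.c `#endif` comment in this same patch already describes it as the opposite condition. Defining it once in a shared internal header, e.g. `#define OPENSSL_NO_ANY_TLS1_3` when both protocols are disabled, and guarding each site with `#ifndef OPENSSL_NO_ANY_TLS1_3`, would keep the sites in step and make the intent, "compile when either 1.3 variant is built in", readable at a glance. The bodies of the guarded functions continue outside these hunks, so I cannot confirm that every matching `#endif` comment was updated as well.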
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index f90e5843645..fb4275419ac 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -561,7 +561,7 @@ int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
 unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 PACKET psk_kex_modes;
 unsigned int mode;
@@ -605,7 +605,7 @@ int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
 int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
 unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 unsigned int group_id;
 PACKET key_share_list, encoded_pt;
 const uint16_t *clntgroups, *srvrgroups;
@@ -726,7 +726,7 @@ int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
 int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 unsigned int format, version, key_share, group_id;
 EVP_MD_CTX *hctx;
 EVP_PKEY *pkey;
@@ -1647,7 +1647,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
 unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 unsigned char *encodedPoint;
 size_t encoded_pt_len = 0;
 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
@@ -1775,6 +1775,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
 s->s3.did_kex = 1;
 return EXT_RETURN_SENT;
 #else
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 return EXT_RETURN_FAIL;
 #endif
 }
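Review bot: Nothing in the new `#else` branch of tls_construct_stoc_key_share says why an internal-error alert is the right outcome there, so a reader can take it for a real runtime failure rather than a can't-happen guard; the only thing the hunk establishes is that this branch exists when both TLS 1.3 and DTLS 1.3 are compiled out. Presumably the extension is never selected for construction in that build, but the table that decides this is not in the hunk, so the rationale belongs next to the call: `/* Unreachable: key_share is only ever constructed when a 1.3 protocol is built in */`. Raising SSLfatal before EXT_RETURN_FAIL is the right shape, since returning EXT_RETURN_FAIL alone leaves the connection failing without an alert or error record. The identical `#else` in tls_construct_stoc_cookie in the following hunk would benefit from the same one-line comment.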
@@ -1783,7 +1784,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
 unsigned int context, X509 *x, size_t chainidx)
 {
-#ifndef OPENSSL_NO_TLS1_3
+#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))
 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
 unsigned char *hmac, *hmac2;
 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
@@ -1905,6 +1906,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
 EVP_PKEY_free(pkey);
 return ret;
 #else
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 return EXT_RETURN_FAIL;
 #endif
 }