authorJoel Sing <jsing@cvs.openbsd.org>2014-05-31 10:49:29 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-05-31 10:49:29 +0000
commit7d33e491ced254b4911a3c223bee944add414f9f (patch)
tree4f7010eb3632050d44210b8faa88b38d3a0654a1
parentbfd6ef1d500dac8515b5b20643749b6aa98a2660 (diff)
TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT. ok tedu@
-rw-r--r--lib/libssl/d1_clnt.c19
-rw-r--r--lib/libssl/d1_srvr.c19
-rw-r--r--lib/libssl/s23_clnt.c2
-rw-r--r--lib/libssl/s3_clnt.c29
-rw-r--r--lib/libssl/s3_lib.c14
-rw-r--r--lib/libssl/s3_srvr.c27
-rw-r--r--lib/libssl/ssl.h12
-rw-r--r--lib/libssl/ssl3.h2
-rw-r--r--lib/libssl/ssl_asn1.c16
-rw-r--r--lib/libssl/ssl_lib.c10
-rw-r--r--lib/libssl/ssl_locl.h4
-rw-r--r--lib/libssl/ssl_sess.c16
-rw-r--r--lib/libssl/ssl_txt.c2
-rw-r--r--lib/libssl/t1_lib.c6
-rw-r--r--lib/libssl/tls1.h2
15 files changed, 0 insertions, 180 deletions
diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c
index e8b43f3268f..fe5f1aa200f 100644
--- a/lib/libssl/d1_clnt.c
+++ b/lib/libssl/d1_clnt.c
@@ -382,7 +382,6 @@ dtls1_connect(SSL *s)
case SSL3_ST_CR_CERT_A:
case SSL3_ST_CR_CERT_B:
-#ifndef OPENSSL_NO_TLSEXT
ret = ssl3_check_finished(s);
if (ret <= 0)
goto end;
@@ -395,14 +394,12 @@ dtls1_connect(SSL *s)
s->init_num = 0;
break;
}
-#endif
/* Check if it is anon DH or PSK */
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
!(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
ret = ssl3_get_server_certificate(s);
if (ret <= 0)
goto end;
-#ifndef OPENSSL_NO_TLSEXT
if (s->tlsext_status_expected)
s->state = SSL3_ST_CR_CERT_STATUS_A;
else
@@ -411,12 +408,6 @@ dtls1_connect(SSL *s)
skip = 1;
s->state = SSL3_ST_CR_KEY_EXCH_A;
}
-#else
- } else
- skip = 1;
-
- s->state = SSL3_ST_CR_KEY_EXCH_A;
-#endif
s->init_num = 0;
break;
@@ -626,19 +617,16 @@ dtls1_connect(SSL *s)
BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
#endif
-#ifndef OPENSSL_NO_TLSEXT
/* Allow NewSessionTicket if ticket expected */
if (s->tlsext_ticket_expected)
s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
else
-#endif
s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
}
s->init_num = 0;
break;
-#ifndef OPENSSL_NO_TLSEXT
case SSL3_ST_CR_SESSION_TICKET_A:
case SSL3_ST_CR_SESSION_TICKET_B:
ret = ssl3_get_new_session_ticket(s);
@@ -656,7 +644,6 @@ dtls1_connect(SSL *s)
s->state = SSL3_ST_CR_KEY_EXCH_A;
s->init_num = 0;
break;
-#endif
case SSL3_ST_CR_FINISHED_A:
case SSL3_ST_CR_FINISHED_B:
@@ -787,11 +774,7 @@ dtls1_client_hello(SSL *s)
SSL_SESSION *sess = s->session;
if ((s->session == NULL) ||
(s->session->ssl_version != s->version) ||
-#ifdef OPENSSL_NO_TLSEXT
- !sess->session_id_length ||
-#else
(!sess->session_id_length && !sess->tlsext_tick) ||
-#endif
(s->session->not_resumable)) {
if (!ssl_get_new_session(s, 0))
goto err;
@@ -864,12 +847,10 @@ dtls1_client_hello(SSL *s)
}
*(p++) = 0; /* Add the NULL method */
-#ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
-#endif
l = (p - d);
d = buf;
diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index 368afda77a7..24f0a2e86ea 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
@@ -415,14 +415,10 @@ dtls1_accept(SSL *s)
BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
sizeof(sctpauthkey), sctpauthkey);
#endif
-#ifndef OPENSSL_NO_TLSEXT
if (s->tlsext_ticket_expected)
s->state = SSL3_ST_SW_SESSION_TICKET_A;
else
s->state = SSL3_ST_SW_CHANGE_A;
-#else
- s->state = SSL3_ST_SW_CHANGE_A;
-#endif
} else
s->state = SSL3_ST_SW_CERT_A;
s->init_num = 0;
@@ -437,7 +433,6 @@ dtls1_accept(SSL *s)
ret = dtls1_send_server_certificate(s);
if (ret <= 0)
goto end;
-#ifndef OPENSSL_NO_TLSEXT
if (s->tlsext_status_expected)
s->state = SSL3_ST_SW_CERT_STATUS_A;
else
@@ -446,12 +441,6 @@ dtls1_accept(SSL *s)
skip = 1;
s->state = SSL3_ST_SW_KEY_EXCH_A;
}
-#else
- } else
- skip = 1;
-
- s->state = SSL3_ST_SW_KEY_EXCH_A;
-#endif
s->init_num = 0;
break;
@@ -680,16 +669,13 @@ dtls1_accept(SSL *s)
dtls1_stop_timer(s);
if (s->hit)
s->state = SSL_ST_OK;
-#ifndef OPENSSL_NO_TLSEXT
else if (s->tlsext_ticket_expected)
s->state = SSL3_ST_SW_SESSION_TICKET_A;
-#endif
else
s->state = SSL3_ST_SW_CHANGE_A;
s->init_num = 0;
break;
-#ifndef OPENSSL_NO_TLSEXT
case SSL3_ST_SW_SESSION_TICKET_A:
case SSL3_ST_SW_SESSION_TICKET_B:
ret = dtls1_send_newsession_ticket(s);
@@ -708,7 +694,6 @@ dtls1_accept(SSL *s)
s->init_num = 0;
break;
-#endif
case SSL3_ST_SW_CHANGE_A:
case SSL3_ST_SW_CHANGE_B:
@@ -971,12 +956,10 @@ dtls1_send_server_hello(SSL *s)
*(p++) = s->s3->tmp.new_compression->id;
#endif
-#ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
-#endif
/* do the header */
l = (p - d);
@@ -1532,7 +1515,6 @@ dtls1_send_server_certificate(SSL *s)
return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
}
-#ifndef OPENSSL_NO_TLSEXT
int
dtls1_send_newsession_ticket(SSL *s)
{
@@ -1638,4 +1620,3 @@ dtls1_send_newsession_ticket(SSL *s)
/* SSL3_ST_SW_SESSION_TICKET_B */
return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
}
-#endif
diff --git a/lib/libssl/s23_clnt.c b/lib/libssl/s23_clnt.c
index 5361d5bea8f..16c30c083ab 100644
--- a/lib/libssl/s23_clnt.c
+++ b/lib/libssl/s23_clnt.c
@@ -431,7 +431,6 @@ ssl23_client_hello(SSL *s)
/* Add the NULL method */
*(p++) = 0;
-#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (ssl_prepare_clienthello_tlsext(s) <= 0) {
SSLerr(SSL_F_SSL23_CLIENT_HELLO,
@@ -443,7 +442,6 @@ ssl23_client_hello(SSL *s)
SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
-#endif
l = p - d;
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index bda14069c1c..66a7ec0d382 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -316,12 +316,10 @@ ssl3_connect(SSL *s)
if (s->hit) {
s->state = SSL3_ST_CR_FINISHED_A;
-#ifndef OPENSSL_NO_TLSEXT
if (s->tlsext_ticket_expected) {
/* receive renewed session ticket */
s->state = SSL3_ST_CR_SESSION_TICKET_A;
}
-#endif
} else
s->state = SSL3_ST_CR_CERT_A;
s->init_num = 0;
@@ -329,7 +327,6 @@ ssl3_connect(SSL *s)
case SSL3_ST_CR_CERT_A:
case SSL3_ST_CR_CERT_B:
-#ifndef OPENSSL_NO_TLSEXT
ret = ssl3_check_finished(s);
if (ret <= 0)
goto end;
@@ -342,7 +339,6 @@ ssl3_connect(SSL *s)
s->init_num = 0;
break;
}
-#endif
/* Check if it is anon DH/ECDH or PSK */
if (!(s->s3->tmp.new_cipher->algorithm_auth &
SSL_aNULL) &&
@@ -351,7 +347,6 @@ ssl3_connect(SSL *s)
ret = ssl3_get_server_certificate(s);
if (ret <= 0)
goto end;
-#ifndef OPENSSL_NO_TLSEXT
if (s->tlsext_status_expected)
s->state = SSL3_ST_CR_CERT_STATUS_A;
else
@@ -360,12 +355,6 @@ ssl3_connect(SSL *s)
skip = 1;
s->state = SSL3_ST_CR_KEY_EXCH_A;
}
-#else
- } else
- skip = 1;
-
- s->state = SSL3_ST_CR_KEY_EXCH_A;
-#endif
s->init_num = 0;
break;
@@ -536,20 +525,17 @@ ssl3_connect(SSL *s)
s->s3->delay_buf_pop_ret = 0;
}
} else {
-#ifndef OPENSSL_NO_TLSEXT
/* Allow NewSessionTicket if ticket expected */
if (s->tlsext_ticket_expected)
s->s3->tmp.next_state =
SSL3_ST_CR_SESSION_TICKET_A;
else
-#endif
s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
}
s->init_num = 0;
break;
-#ifndef OPENSSL_NO_TLSEXT
case SSL3_ST_CR_SESSION_TICKET_A:
case SSL3_ST_CR_SESSION_TICKET_B:
ret = ssl3_get_new_session_ticket(s);
@@ -567,7 +553,6 @@ ssl3_connect(SSL *s)
s->state = SSL3_ST_CR_KEY_EXCH_A;
s->init_num = 0;
break;
-#endif
case SSL3_ST_CR_FINISHED_A:
case SSL3_ST_CR_FINISHED_B:
@@ -681,11 +666,7 @@ ssl3_client_hello(SSL *s)
SSL_SESSION *sess = s->session;
if ((sess == NULL) ||
(sess->ssl_version != s->version) ||
-#ifdef OPENSSL_NO_TLSEXT
- !sess->session_id_length ||
-#else
(!sess->session_id_length && !sess->tlsext_tick) ||
-#endif
(sess->not_resumable)) {
if (!ssl_get_new_session(s, 0))
goto err;
@@ -791,7 +772,6 @@ ssl3_client_hello(SSL *s)
#endif
*(p++) = 0; /* Add the NULL method */
-#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (ssl_prepare_clienthello_tlsext(s) <= 0) {
SSLerr(SSL_F_SSL3_CLIENT_HELLO,
@@ -804,7 +784,6 @@ ssl3_client_hello(SSL *s)
ERR_R_INTERNAL_ERROR);
goto err;
}
-#endif
l = (p - d);
d = buf;
@@ -892,7 +871,6 @@ ssl3_get_server_hello(SSL *s)
goto f_err;
}
-#ifndef OPENSSL_NO_TLSEXT
/*
* Check if we want to resume the session based on external
* pre-shared secret
@@ -907,7 +885,6 @@ ssl3_get_server_hello(SSL *s)
pref_cipher : ssl_get_cipher_by_char(s, p + j);
}
}
-#endif /* OPENSSL_NO_TLSEXT */
if (j != 0 && j == s->session->session_id_length &&
memcmp(p, s->session->session_id, j) == 0) {
@@ -1033,7 +1010,6 @@ ssl3_get_server_hello(SSL *s)
}
#endif
-#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (s->version >= SSL3_VERSION) {
if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {
@@ -1049,7 +1025,6 @@ ssl3_get_server_hello(SSL *s)
goto err;
}
}
-#endif
if (p != (d + n)) {
/* wrong packet length */
@@ -1876,7 +1851,6 @@ ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
return (X509_NAME_cmp(*a, *b));
}
-#ifndef OPENSSL_NO_TLSEXT
int
ssl3_get_new_session_ticket(SSL *s)
{
@@ -2018,7 +1992,6 @@ f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return (-1);
}
-#endif
int
ssl3_get_server_done(SSL *s)
@@ -2930,7 +2903,6 @@ ssl3_send_next_proto(SSL *s)
* session tickets we have to check the next message to be sure.
*/
-#ifndef OPENSSL_NO_TLSEXT
int
ssl3_check_finished(SSL *s)
{
@@ -2953,7 +2925,6 @@ ssl3_check_finished(SSL *s)
return (1);
}
-#endif
int
ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 477c53b15bc..72492a33329 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -151,11 +151,9 @@
#include <stdio.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
-#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_EC
#include "../crypto/ec/ec_lcl.h"
#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_NO_TLSEXT */
#include <openssl/md5.h>
#include <openssl/dh.h>
@@ -2383,11 +2381,9 @@ ssl3_clear(SSL *s)
EC_KEY_free(s->s3->tmp.ecdh);
s->s3->tmp.ecdh = NULL;
}
-#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_EC
s->s3->is_probably_safari = 0;
#endif /* !OPENSSL_NO_EC */
-#endif /* !OPENSSL_NO_TLSEXT */
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
@@ -2561,7 +2557,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
return (ret);
}
break;
-#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_NAMETYPE_host_name) {
free(s->tlsext_hostname);
@@ -2657,7 +2652,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ret = 1;
break;
-#endif /* !OPENSSL_NO_TLSEXT */
default:
break;
}
@@ -2694,12 +2688,10 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
(EC_KEY *(*)(SSL *, int, int))fp;
}
break;
-#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
s->tlsext_debug_cb = (void (*)(SSL *, int , int,
unsigned char *, int, void *))fp;
break;
-#endif
default:
break;
}
@@ -2824,7 +2816,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return (0);
}
break;
-#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
ctx->tlsext_servername_arg = parg;
break;
@@ -2865,7 +2856,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return 1;
break;
-#endif /* !OPENSSL_NO_TLSEXT */
/* A Thawte special :-) */
case SSL_CTRL_EXTRA_CHAIN_CERT:
@@ -2916,7 +2906,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
}
break;
-#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
ctx->tlsext_servername_callback =
(int (*)(SSL *, int *, void *))fp;
@@ -2938,7 +2927,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
break;
-#endif
default:
return (0);
}
@@ -3043,7 +3031,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ok = (alg_k & mask_k) && (alg_a & mask_a);
}
-#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_EC
if (
/*
@@ -3181,7 +3168,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ok = ok && ec_ok;
}
#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_NO_TLSEXT */
if (!ok)
continue;
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 120f92a9d39..4a6c3cb1e8b 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -357,17 +357,12 @@ ssl3_accept(SSL *s)
ret = ssl3_send_server_hello(s);
if (ret <= 0)
goto end;
-#ifndef OPENSSL_NO_TLSEXT
if (s->hit) {
if (s->tlsext_ticket_expected)
s->state = SSL3_ST_SW_SESSION_TICKET_A;
else
s->state = SSL3_ST_SW_CHANGE_A;
}
-#else
- if (s->hit)
- s->state = SSL3_ST_SW_CHANGE_A;
-#endif
else
s->state = SSL3_ST_SW_CERT_A;
s->init_num = 0;
@@ -385,7 +380,6 @@ ssl3_accept(SSL *s)
ret = ssl3_send_server_certificate(s);
if (ret <= 0)
goto end;
-#ifndef OPENSSL_NO_TLSEXT
if (s->tlsext_status_expected)
s->state = SSL3_ST_SW_CERT_STATUS_A;
else
@@ -394,12 +388,6 @@ ssl3_accept(SSL *s)
skip = 1;
s->state = SSL3_ST_SW_KEY_EXCH_A;
}
-#else
- } else
- skip = 1;
-
- s->state = SSL3_ST_SW_KEY_EXCH_A;
-#endif
s->init_num = 0;
break;
@@ -683,16 +671,13 @@ ssl3_accept(SSL *s)
goto end;
if (s->hit)
s->state = SSL_ST_OK;
-#ifndef OPENSSL_NO_TLSEXT
else if (s->tlsext_ticket_expected)
s->state = SSL3_ST_SW_SESSION_TICKET_A;
-#endif
else
s->state = SSL3_ST_SW_CHANGE_A;
s->init_num = 0;
break;
-#ifndef OPENSSL_NO_TLSEXT
case SSL3_ST_SW_SESSION_TICKET_A:
case SSL3_ST_SW_SESSION_TICKET_B:
ret = ssl3_send_newsession_ticket(s);
@@ -711,7 +696,6 @@ ssl3_accept(SSL *s)
s->init_num = 0;
break;
-#endif
case SSL3_ST_SW_CHANGE_A:
case SSL3_ST_SW_CHANGE_B:
@@ -1123,7 +1107,6 @@ ssl3_get_client_hello(SSL *s)
goto f_err;
}
-#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (s->version >= SSL3_VERSION) {
if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
@@ -1191,7 +1174,6 @@ ssl3_get_client_hello(SSL *s)
sk_SSL_CIPHER_dup(s->session->ciphers);
}
}
-#endif
/*
* Worst case, we will use the NULL compression, but if we have other
@@ -1381,11 +1363,6 @@ ssl3_send_server_hello(SSL *s)
if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
buf = (unsigned char *)s->init_buf->data;
-#ifdef OPENSSL_NO_TLSEXT
- p = s->s3->server_random;
- if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
- return (-1);
-#endif
/* Do the message type and length last */
d = p= &(buf[4]);
@@ -1441,7 +1418,6 @@ ssl3_send_server_hello(SSL *s)
else
*(p++) = s->s3->tmp.new_compression->id;
#endif
-#ifndef OPENSSL_NO_TLSEXT
if (ssl_prepare_serverhello_tlsext(s) <= 0) {
SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
SSL_R_SERVERHELLO_TLSEXT);
@@ -1453,7 +1429,6 @@ ssl3_send_server_hello(SSL *s)
ERR_R_INTERNAL_ERROR);
return (-1);
}
-#endif
/* do the header */
l = (p - d);
d = buf;
@@ -2928,7 +2903,6 @@ ssl3_send_server_certificate(SSL *s)
return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
}
-#ifndef OPENSSL_NO_TLSEXT
/* send a new session ticket (not necessarily for a new session) */
int
ssl3_send_newsession_ticket(SSL *s)
@@ -3180,4 +3154,3 @@ ssl3_get_next_proto(SSL *s)
return (1);
}
# endif
-#endif
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 45968ce16ab..d6f875a7977 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -504,7 +504,6 @@ struct ssl_session_st {
/* These are used to make removal of session-ids more
* efficient and to implement a maximum cache size. */
struct ssl_session_st *prev, *next;
-#ifndef OPENSSL_NO_TLSEXT
char *tlsext_hostname;
#ifndef OPENSSL_NO_EC
size_t tlsext_ecpointformatlist_length;
@@ -516,7 +515,6 @@ struct ssl_session_st {
unsigned char *tlsext_tick; /* Session ticket */
size_t tlsext_ticklen; /* Session ticket length */
long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
-#endif
};
#endif
@@ -841,7 +839,6 @@ struct ssl_ctx_st {
ENGINE *client_cert_engine;
#endif
-#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions servername callback */
int (*tlsext_servername_callback)(SSL*, int *, void *);
void *tlsext_servername_arg;
@@ -862,7 +859,6 @@ struct ssl_ctx_st {
int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput,
size_t len, void *arg);
void *tlsext_opaque_prf_input_callback_arg;
-#endif
#ifndef OPENSSL_NO_PSK
char *psk_identity_hint;
@@ -874,7 +870,6 @@ struct ssl_ctx_st {
#endif
-#ifndef OPENSSL_NO_TLSEXT
# ifndef OPENSSL_NO_NEXTPROTONEG
/* Next protocol negotiation information */
@@ -895,7 +890,6 @@ struct ssl_ctx_st {
/* SRTP profiles we are willing to do from RFC 5764 */
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
-#endif
};
#endif
@@ -1186,7 +1180,6 @@ struct ssl_st {
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
unsigned int max_send_fragment;
-#ifndef OPENSSL_NO_TLSEXT
/* TLS extension debug callback */
void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
unsigned char *data, int len, void *arg);
@@ -1259,9 +1252,6 @@ struct ssl_st {
*/
unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */
-#else
-#define session_ctx ctx
-#endif /* OPENSSL_NO_TLSEXT */
int renegotiate;/* 1 if we are renegotiating.
* 2 if we are a server and are inside a handshake
@@ -1467,7 +1457,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
/* see tls1.h for macros based on these */
-#ifndef OPENSSL_NO_TLSEXT
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
@@ -1498,7 +1487,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
-#endif
#define DTLS_CTRL_GET_TIMEOUT 73
#define DTLS_CTRL_HANDLE_TIMEOUT 74
diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h
index 8633dae5217..c264422a364 100644
--- a/lib/libssl/ssl3.h
+++ b/lib/libssl/ssl3.h
@@ -519,14 +519,12 @@ typedef struct ssl3_state_st {
int next_proto_neg_seen;
#endif
-#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_EC
/* This is set to true if we believe that this is a version of Safari
* running on OS X 10.6 or newer. We wish to know this because Safari
* on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
char is_probably_safari;
#endif /* !OPENSSL_NO_EC */
-#endif /* !OPENSSL_NO_TLSEXT */
} SSL3_STATE;
#endif
diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c
index 566590f171f..b0da6f4bdbf 100644
--- a/lib/libssl/ssl_asn1.c
+++ b/lib/libssl/ssl_asn1.c
@@ -100,11 +100,9 @@ typedef struct ssl_session_asn1_st {
ASN1_INTEGER time;
ASN1_INTEGER timeout;
ASN1_INTEGER verify_result;
-#ifndef OPENSSL_NO_TLSEXT
ASN1_OCTET_STRING tlsext_hostname;
ASN1_INTEGER tlsext_tick_lifetime;
ASN1_OCTET_STRING tlsext_tick;
-#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_PSK
ASN1_OCTET_STRING psk_identity_hint;
ASN1_OCTET_STRING psk_identity;
@@ -118,10 +116,8 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0, v7 = 0, v8 = 0;
unsigned char buf[4], ibuf1[LSIZE2], ibuf2[LSIZE2];
unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2];
-#ifndef OPENSSL_NO_TLSEXT
int v6 = 0, v9 = 0, v10 = 0;
unsigned char ibuf6[LSIZE2];
-#endif
#ifndef OPENSSL_NO_COMP
unsigned char cbuf;
int v11 = 0;
@@ -202,7 +198,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
ASN1_INTEGER_set(&a.verify_result, in->verify_result);
}
-#ifndef OPENSSL_NO_TLSEXT
if (in->tlsext_hostname) {
a.tlsext_hostname.length = strlen(in->tlsext_hostname);
a.tlsext_hostname.type = V_ASN1_OCTET_STRING;
@@ -219,7 +214,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
a.tlsext_tick_lifetime.data = ibuf6;
ASN1_INTEGER_set(&a.tlsext_tick_lifetime, in->tlsext_tick_lifetime_hint);
}
-#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_PSK
if (in->psk_identity_hint) {
a.psk_identity_hint.length = strlen(in->psk_identity_hint);
@@ -248,7 +242,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
if (in->verify_result != X509_V_OK)
M_ASN1_I2D_len_EXP_opt(&(a.verify_result), i2d_ASN1_INTEGER, 5, v5);
-#ifndef OPENSSL_NO_TLSEXT
if (in->tlsext_tick_lifetime_hint > 0)
M_ASN1_I2D_len_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, v9);
if (in->tlsext_tick)
@@ -259,7 +252,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
if (in->compress_meth)
M_ASN1_I2D_len_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
#endif
-#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_PSK
if (in->psk_identity_hint)
M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7);
@@ -284,22 +276,18 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
v4);
if (in->verify_result != X509_V_OK)
M_ASN1_I2D_put_EXP_opt(&a.verify_result, i2d_ASN1_INTEGER, 5, v5);
-#ifndef OPENSSL_NO_TLSEXT
if (in->tlsext_hostname)
M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, v6);
-#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_PSK
if (in->psk_identity_hint)
M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7);
if (in->psk_identity)
M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8);
#endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_TLSEXT
if (in->tlsext_tick_lifetime_hint > 0)
M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, v9);
if (in->tlsext_tick)
M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, v10);
-#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_COMP
if (in->compress_meth)
M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
@@ -436,7 +424,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
} else
ret->verify_result = X509_V_OK;
-#ifndef OPENSSL_NO_TLSEXT
os.length = 0;
os.data = NULL;
M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 6);
@@ -447,7 +434,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
os.length = 0;
} else
ret->tlsext_hostname = NULL;
-#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_PSK
os.length = 0;
@@ -473,7 +459,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
ret->psk_identity = NULL;
#endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_TLSEXT
ai.length = 0;
M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 9);
if (ai.data != NULL) {
@@ -495,7 +480,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
os.length = 0;
} else
ret->tlsext_tick = NULL;
-#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_COMP
os.length = 0;
os.data = NULL;
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 94792c6d515..262b5a21309 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -322,7 +322,6 @@ SSL_new(SSL_CTX *ctx)
CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
s->ctx = ctx;
-#ifndef OPENSSL_NO_TLSEXT
s->tlsext_debug_cb = 0;
s->tlsext_debug_arg = NULL;
s->tlsext_ticket_expected = 0;
@@ -337,7 +336,6 @@ SSL_new(SSL_CTX *ctx)
# ifndef OPENSSL_NO_NEXTPROTONEG
s->next_proto_negotiated = NULL;
# endif
-#endif
s->verify_result = X509_V_OK;
@@ -535,7 +533,6 @@ SSL_free(SSL *s)
ssl_cert_free(s->cert);
/* Free up if allocated */
-#ifndef OPENSSL_NO_TLSEXT
free(s->tlsext_hostname);
if (s->initial_ctx)
SSL_CTX_free(s->initial_ctx);
@@ -550,7 +547,6 @@ SSL_free(SSL *s)
if (s->tlsext_ocsp_ids)
sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
free(s->tlsext_ocsp_resp);
-#endif
if (s->client_CA != NULL)
sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
@@ -1490,7 +1486,6 @@ err:
}
-#ifndef OPENSSL_NO_TLSEXT
/*
* Return a servername extension value if provided in Client Hello, or NULL.
* So far, only host_name types are defined (RFC 3546).
@@ -1648,7 +1643,6 @@ SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
ctx->next_proto_select_cb_arg = arg;
}
# endif
-#endif
int
SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
@@ -1808,7 +1802,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
-#ifndef OPENSSL_NO_TLSEXT
ret->tlsext_servername_callback = 0;
ret->tlsext_servername_arg = NULL;
/* Setup RFC4507 ticket keys */
@@ -1824,7 +1817,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
ret->next_protos_advertised_cb = 0;
ret->next_proto_select_cb = 0;
# endif
-#endif
#ifndef OPENSSL_NO_PSK
ret->psk_identity_hint = NULL;
ret->psk_client_callback = NULL;
@@ -2842,10 +2834,8 @@ SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
{
if (ssl->ctx == ctx)
return (ssl->ctx);
-#ifndef OPENSSL_NO_TLSEXT
if (ctx == NULL)
ctx = ssl->initial_ctx;
-#endif
if (ssl->cert != NULL)
ssl_cert_free(ssl->cert);
ssl->cert = ssl_cert_dup(ctx->cert);
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 208610dac19..ecf108d6a57 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -750,12 +750,10 @@ int ssl3_send_client_key_exchange(SSL *s);
int ssl3_get_key_exchange(SSL *s);
int ssl3_get_server_certificate(SSL *s);
int ssl3_check_cert_and_algorithm(SSL *s);
-#ifndef OPENSSL_NO_TLSEXT
int ssl3_check_finished(SSL *s);
# ifndef OPENSSL_NO_NEXTPROTONEG
int ssl3_send_next_proto(SSL *s);
# endif
-#endif
int dtls1_client_hello(SSL *s);
int dtls1_send_client_certificate(SSL *s);
@@ -837,7 +835,6 @@ int tls1_ec_curve_id2nid(int curve_id);
int tls1_ec_nid2curve_id(int nid);
#endif /* OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_TLSEXT
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p,
unsigned char *limit);
@@ -863,7 +860,6 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
int tls12_get_sigid(const EVP_PKEY *pk);
const EVP_MD *tls12_get_hash(unsigned char hash_alg);
-#endif
EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md);
void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p,
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index 632d6a68600..de133a72ca5 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -208,7 +208,6 @@ SSL_SESSION_new(void)
ss->prev = NULL;
ss->next = NULL;
ss->compress_meth = 0;
-#ifndef OPENSSL_NO_TLSEXT
ss->tlsext_hostname = NULL;
#ifndef OPENSSL_NO_EC
@@ -217,7 +216,6 @@ SSL_SESSION_new(void)
ss->tlsext_ellipticcurvelist_length = 0;
ss->tlsext_ellipticcurvelist = NULL;
#endif
-#endif
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
#ifndef OPENSSL_NO_PSK
ss->psk_identity_hint = NULL;
@@ -313,13 +311,11 @@ ssl_get_new_session(SSL *s, int session)
SSL_SESSION_free(ss);
return (0);
}
-#ifndef OPENSSL_NO_TLSEXT
/* If RFC4507 ticket use empty session ID */
if (s->tlsext_ticket_expected) {
ss->session_id_length = 0;
goto sess_id_done;
}
-#endif
/* Choose which callback will set the session ID */
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
if (s->generate_session_id)
@@ -354,7 +350,6 @@ ssl_get_new_session(SSL *s, int session)
SSL_SESSION_free(ss);
return (0);
}
-#ifndef OPENSSL_NO_TLSEXT
sess_id_done:
if (s->tlsext_hostname) {
ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
@@ -386,7 +381,6 @@ ssl_get_new_session(SSL *s, int session)
memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
}
#endif
-#endif
} else {
ss->session_id_length = 0;
}
@@ -433,9 +427,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
SSL_SESSION *ret = NULL;
int fatal = 0;
int try_session_cache = 1;
-#ifndef OPENSSL_NO_TLSEXT
int r;
-#endif
if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
goto err;
@@ -443,7 +435,6 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
if (len == 0)
try_session_cache = 0;
-#ifndef OPENSSL_NO_TLSEXT
r = tls1_process_ticket(s, session_id, len, limit, &ret); /* sets s->tlsext_ticket_expected */
switch (r) {
case -1: /* Error during processing */
@@ -459,7 +450,6 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
default:
abort();
}
-#endif
if (try_session_cache &&
ret == NULL &&
@@ -570,13 +560,11 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
err:
if (ret != NULL) {
SSL_SESSION_free(ret);
-#ifndef OPENSSL_NO_TLSEXT
if (!try_session_cache) {
/* The session was from a ticket, so we should
* issue a ticket for the new session */
s->tlsext_ticket_expected = 1;
}
-#endif
}
if (fatal)
return -1;
@@ -701,7 +689,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
X509_free(ss->peer);
if (ss->ciphers != NULL)
sk_SSL_CIPHER_free(ss->ciphers);
-#ifndef OPENSSL_NO_TLSEXT
free(ss->tlsext_hostname);
free(ss->tlsext_tick);
#ifndef OPENSSL_NO_EC
@@ -710,7 +697,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
ss->tlsext_ellipticcurvelist_length = 0;
free(ss->tlsext_ellipticcurvelist);
#endif /* OPENSSL_NO_EC */
-#endif
#ifndef OPENSSL_NO_PSK
free(ss->psk_identity_hint);
free(ss->psk_identity);
@@ -839,7 +825,6 @@ SSL_CTX_get_timeout(const SSL_CTX *s)
return (s->session_timeout);
}
-#ifndef OPENSSL_NO_TLSEXT
int
SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
@@ -887,7 +872,6 @@ SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
return 0;
}
-#endif /* OPENSSL_NO_TLSEXT */
typedef struct timeout_param_st {
SSL_CTX *ctx;
diff --git a/lib/libssl/ssl_txt.c b/lib/libssl/ssl_txt.c
index 43696db8473..e58849deb58 100644
--- a/lib/libssl/ssl_txt.c
+++ b/lib/libssl/ssl_txt.c
@@ -169,7 +169,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0)
goto err;
#endif
-#ifndef OPENSSL_NO_TLSEXT
if (x->tlsext_tick_lifetime_hint) {
if (BIO_printf(bp,
"\n TLS session ticket lifetime hint: %ld (seconds)",
@@ -182,7 +181,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
if (BIO_dump_indent(bp, (char *)x->tlsext_tick, x->tlsext_ticklen, 4) <= 0)
goto err;
}
-#endif
#ifndef OPENSSL_NO_COMP
if (x->compress_meth != 0) {
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 5ad69f5ce99..5d442558ddf 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -119,11 +119,9 @@
const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
-#ifndef OPENSSL_NO_TLSEXT
static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
const unsigned char *sess_id, int sesslen,
SSL_SESSION **psess);
-#endif
SSL3_ENC_METHOD TLSv1_enc_data = {
.enc = tls1_enc,
@@ -200,9 +198,7 @@ tls1_new(SSL *s)
void
tls1_free(SSL *s)
{
-#ifndef OPENSSL_NO_TLSEXT
free(s->tlsext_session_ticket);
-#endif /* OPENSSL_NO_TLSEXT */
ssl3_free(s);
}
@@ -354,7 +350,6 @@ tls1_ec_nid2curve_id(int nid)
}
#endif /* OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_TLSEXT
/* List of supported signature algorithms and hashes. Should make this
* customisable at some point, for now include everything we support.
@@ -2315,4 +2310,3 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
return 1;
}
-#endif
diff --git a/lib/libssl/tls1.h b/lib/libssl/tls1.h
index 400deca6d4f..813bc97b318 100644
--- a/lib/libssl/tls1.h
+++ b/lib/libssl/tls1.h
@@ -274,7 +274,6 @@ extern "C" {
#define TLSEXT_hash_sha384 5
#define TLSEXT_hash_sha512 6
-#ifndef OPENSSL_NO_TLSEXT
#define TLSEXT_MAXLEN_host_name 255
@@ -353,7 +352,6 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG, 0, arg)
#define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \
SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
-#endif
/* PSK ciphersuites from 4279 */
#define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A