diff options
author | Joel Sing <jsing@cvs.openbsd.org> | 2014-05-31 10:49:29 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-05-31 10:49:29 +0000 |
commit | 7d33e491ced254b4911a3c223bee944add414f9f (patch) | |
tree | 4f7010eb3632050d44210b8faa88b38d3a0654a1 /lib/libssl | |
parent | bfd6ef1d500dac8515b5b20643749b6aa98a2660 (diff) |
TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.
ok tedu@
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/d1_clnt.c | 19 | ||||
-rw-r--r-- | lib/libssl/d1_srvr.c | 19 | ||||
-rw-r--r-- | lib/libssl/s23_clnt.c | 2 | ||||
-rw-r--r-- | lib/libssl/s3_clnt.c | 29 | ||||
-rw-r--r-- | lib/libssl/s3_lib.c | 14 | ||||
-rw-r--r-- | lib/libssl/s3_srvr.c | 27 | ||||
-rw-r--r-- | lib/libssl/ssl.h | 12 | ||||
-rw-r--r-- | lib/libssl/ssl3.h | 2 | ||||
-rw-r--r-- | lib/libssl/ssl_asn1.c | 16 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 10 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 4 | ||||
-rw-r--r-- | lib/libssl/ssl_sess.c | 16 | ||||
-rw-r--r-- | lib/libssl/ssl_txt.c | 2 | ||||
-rw-r--r-- | lib/libssl/t1_lib.c | 6 | ||||
-rw-r--r-- | lib/libssl/tls1.h | 2 |
15 files changed, 0 insertions, 180 deletions
diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c index e8b43f3268f..fe5f1aa200f 100644 --- a/lib/libssl/d1_clnt.c +++ b/lib/libssl/d1_clnt.c @@ -382,7 +382,6 @@ dtls1_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: -#ifndef OPENSSL_NO_TLSEXT ret = ssl3_check_finished(s); if (ret <= 0) goto end; @@ -395,14 +394,12 @@ dtls1_connect(SSL *s) s->init_num = 0; break; } -#endif /* Check if it is anon DH or PSK */ if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { ret = ssl3_get_server_certificate(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT if (s->tlsext_status_expected) s->state = SSL3_ST_CR_CERT_STATUS_A; else @@ -411,12 +408,6 @@ dtls1_connect(SSL *s) skip = 1; s->state = SSL3_ST_CR_KEY_EXCH_A; } -#else - } else - skip = 1; - - s->state = SSL3_ST_CR_KEY_EXCH_A; -#endif s->init_num = 0; break; @@ -626,19 +617,16 @@ dtls1_connect(SSL *s) BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); #endif -#ifndef OPENSSL_NO_TLSEXT /* Allow NewSessionTicket if ticket expected */ if (s->tlsext_ticket_expected) s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A; else -#endif s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A; } s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT case SSL3_ST_CR_SESSION_TICKET_A: case SSL3_ST_CR_SESSION_TICKET_B: ret = ssl3_get_new_session_ticket(s); @@ -656,7 +644,6 @@ dtls1_connect(SSL *s) s->state = SSL3_ST_CR_KEY_EXCH_A; s->init_num = 0; break; -#endif case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: @@ -787,11 +774,7 @@ dtls1_client_hello(SSL *s) SSL_SESSION *sess = s->session; if ((s->session == NULL) || (s->session->ssl_version != s->version) || -#ifdef OPENSSL_NO_TLSEXT - !sess->session_id_length || -#else (!sess->session_id_length && !sess->tlsext_tick) || -#endif (s->session->not_resumable)) { if (!ssl_get_new_session(s, 0)) goto err; @@ -864,12 +847,10 @@ dtls1_client_hello(SSL *s) } *(p++) = 0; /* Add the NULL method */ -#ifndef OPENSSL_NO_TLSEXT if ((p = ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) { SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto err; } -#endif l = (p - d); d = buf; diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c index 368afda77a7..24f0a2e86ea 100644 --- a/lib/libssl/d1_srvr.c +++ b/lib/libssl/d1_srvr.c @@ -415,14 +415,10 @@ dtls1_accept(SSL *s) BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, sizeof(sctpauthkey), sctpauthkey); #endif -#ifndef OPENSSL_NO_TLSEXT if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; else s->state = SSL3_ST_SW_CHANGE_A; -#else - s->state = SSL3_ST_SW_CHANGE_A; -#endif } else s->state = SSL3_ST_SW_CERT_A; s->init_num = 0; @@ -437,7 +433,6 @@ dtls1_accept(SSL *s) ret = dtls1_send_server_certificate(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT if (s->tlsext_status_expected) s->state = SSL3_ST_SW_CERT_STATUS_A; else @@ -446,12 +441,6 @@ dtls1_accept(SSL *s) skip = 1; s->state = SSL3_ST_SW_KEY_EXCH_A; } -#else - } else - skip = 1; - - s->state = SSL3_ST_SW_KEY_EXCH_A; -#endif s->init_num = 0; break; @@ -680,16 +669,13 @@ dtls1_accept(SSL *s) dtls1_stop_timer(s); if (s->hit) s->state = SSL_ST_OK; -#ifndef OPENSSL_NO_TLSEXT else if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; -#endif else s->state = SSL3_ST_SW_CHANGE_A; s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT case SSL3_ST_SW_SESSION_TICKET_A: case SSL3_ST_SW_SESSION_TICKET_B: ret = dtls1_send_newsession_ticket(s); @@ -708,7 +694,6 @@ dtls1_accept(SSL *s) s->init_num = 0; break; -#endif case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: @@ -971,12 +956,10 @@ dtls1_send_server_hello(SSL *s) *(p++) = s->s3->tmp.new_compression->id; #endif -#ifndef OPENSSL_NO_TLSEXT if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) { SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return -1; } -#endif /* do the header */ l = (p - d); @@ -1532,7 +1515,6 @@ dtls1_send_server_certificate(SSL *s) return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); } -#ifndef OPENSSL_NO_TLSEXT int dtls1_send_newsession_ticket(SSL *s) { @@ -1638,4 +1620,3 @@ dtls1_send_newsession_ticket(SSL *s) /* SSL3_ST_SW_SESSION_TICKET_B */ return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); } -#endif diff --git a/lib/libssl/s23_clnt.c b/lib/libssl/s23_clnt.c index 5361d5bea8f..16c30c083ab 100644 --- a/lib/libssl/s23_clnt.c +++ b/lib/libssl/s23_clnt.c @@ -431,7 +431,6 @@ ssl23_client_hello(SSL *s) /* Add the NULL method */ *(p++) = 0; -#ifndef OPENSSL_NO_TLSEXT /* TLS extensions*/ if (ssl_prepare_clienthello_tlsext(s) <= 0) { SSLerr(SSL_F_SSL23_CLIENT_HELLO, @@ -443,7 +442,6 @@ ssl23_client_hello(SSL *s) SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); return -1; } -#endif l = p - d; diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index bda14069c1c..66a7ec0d382 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -316,12 +316,10 @@ ssl3_connect(SSL *s) if (s->hit) { s->state = SSL3_ST_CR_FINISHED_A; -#ifndef OPENSSL_NO_TLSEXT if (s->tlsext_ticket_expected) { /* receive renewed session ticket */ s->state = SSL3_ST_CR_SESSION_TICKET_A; } -#endif } else s->state = SSL3_ST_CR_CERT_A; s->init_num = 0; @@ -329,7 +327,6 @@ ssl3_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: -#ifndef OPENSSL_NO_TLSEXT ret = ssl3_check_finished(s); if (ret <= 0) goto end; @@ -342,7 +339,6 @@ ssl3_connect(SSL *s) s->init_num = 0; break; } -#endif /* Check if it is anon DH/ECDH or PSK */ if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && @@ -351,7 +347,6 @@ ssl3_connect(SSL *s) ret = ssl3_get_server_certificate(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT if (s->tlsext_status_expected) s->state = SSL3_ST_CR_CERT_STATUS_A; else @@ -360,12 +355,6 @@ ssl3_connect(SSL *s) skip = 1; s->state = SSL3_ST_CR_KEY_EXCH_A; } -#else - } else - skip = 1; - - s->state = SSL3_ST_CR_KEY_EXCH_A; -#endif s->init_num = 0; break; @@ -536,20 +525,17 @@ ssl3_connect(SSL *s) s->s3->delay_buf_pop_ret = 0; } } else { -#ifndef OPENSSL_NO_TLSEXT /* Allow NewSessionTicket if ticket expected */ if (s->tlsext_ticket_expected) s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A; else -#endif s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A; } s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT case SSL3_ST_CR_SESSION_TICKET_A: case SSL3_ST_CR_SESSION_TICKET_B: ret = ssl3_get_new_session_ticket(s); @@ -567,7 +553,6 @@ ssl3_connect(SSL *s) s->state = SSL3_ST_CR_KEY_EXCH_A; s->init_num = 0; break; -#endif case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: @@ -681,11 +666,7 @@ ssl3_client_hello(SSL *s) SSL_SESSION *sess = s->session; if ((sess == NULL) || (sess->ssl_version != s->version) || -#ifdef OPENSSL_NO_TLSEXT - !sess->session_id_length || -#else (!sess->session_id_length && !sess->tlsext_tick) || -#endif (sess->not_resumable)) { if (!ssl_get_new_session(s, 0)) goto err; @@ -791,7 +772,6 @@ ssl3_client_hello(SSL *s) #endif *(p++) = 0; /* Add the NULL method */ -#ifndef OPENSSL_NO_TLSEXT /* TLS extensions*/ if (ssl_prepare_clienthello_tlsext(s) <= 0) { SSLerr(SSL_F_SSL3_CLIENT_HELLO, @@ -804,7 +784,6 @@ ssl3_client_hello(SSL *s) ERR_R_INTERNAL_ERROR); goto err; } -#endif l = (p - d); d = buf; @@ -892,7 +871,6 @@ ssl3_get_server_hello(SSL *s) goto f_err; } -#ifndef OPENSSL_NO_TLSEXT /* * Check if we want to resume the session based on external * pre-shared secret @@ -907,7 +885,6 @@ ssl3_get_server_hello(SSL *s) pref_cipher : ssl_get_cipher_by_char(s, p + j); } } -#endif /* OPENSSL_NO_TLSEXT */ if (j != 0 && j == s->session->session_id_length && memcmp(p, s->session->session_id, j) == 0) { @@ -1033,7 +1010,6 @@ ssl3_get_server_hello(SSL *s) } #endif -#ifndef OPENSSL_NO_TLSEXT /* TLS extensions*/ if (s->version >= SSL3_VERSION) { if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) { @@ -1049,7 +1025,6 @@ ssl3_get_server_hello(SSL *s) goto err; } } -#endif if (p != (d + n)) { /* wrong packet length */ @@ -1876,7 +1851,6 @@ ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) return (X509_NAME_cmp(*a, *b)); } -#ifndef OPENSSL_NO_TLSEXT int ssl3_get_new_session_ticket(SSL *s) { @@ -2018,7 +1992,6 @@ f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); return (-1); } -#endif int ssl3_get_server_done(SSL *s) @@ -2930,7 +2903,6 @@ ssl3_send_next_proto(SSL *s) * session tickets we have to check the next message to be sure. */ -#ifndef OPENSSL_NO_TLSEXT int ssl3_check_finished(SSL *s) { @@ -2953,7 +2925,6 @@ ssl3_check_finished(SSL *s) return (1); } -#endif int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 477c53b15bc..72492a33329 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -151,11 +151,9 @@ #include <stdio.h> #include <openssl/objects.h> #include "ssl_locl.h" -#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_EC #include "../crypto/ec/ec_lcl.h" #endif /* OPENSSL_NO_EC */ -#endif /* OPENSSL_NO_TLSEXT */ #include <openssl/md5.h> #include <openssl/dh.h> @@ -2383,11 +2381,9 @@ ssl3_clear(SSL *s) EC_KEY_free(s->s3->tmp.ecdh); s->s3->tmp.ecdh = NULL; } -#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_EC s->s3->is_probably_safari = 0; #endif /* !OPENSSL_NO_EC */ -#endif /* !OPENSSL_NO_TLSEXT */ rp = s->s3->rbuf.buf; wp = s->s3->wbuf.buf; @@ -2561,7 +2557,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (ret); } break; -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { free(s->tlsext_hostname); @@ -2657,7 +2652,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; break; -#endif /* !OPENSSL_NO_TLSEXT */ default: break; } @@ -2694,12 +2688,10 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) (EC_KEY *(*)(SSL *, int, int))fp; } break; -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_DEBUG_CB: s->tlsext_debug_cb = (void (*)(SSL *, int , int, unsigned char *, int, void *))fp; break; -#endif default: break; } @@ -2824,7 +2816,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (0); } break; -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->tlsext_servername_arg = parg; break; @@ -2865,7 +2856,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return 1; break; -#endif /* !OPENSSL_NO_TLSEXT */ /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: @@ -2916,7 +2906,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; } break; -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp; @@ -2938,7 +2927,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; break; -#endif default: return (0); } @@ -3043,7 +3031,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ok = (alg_k & mask_k) && (alg_a & mask_a); } -#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_EC if ( /* @@ -3181,7 +3168,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ok = ok && ec_ok; } #endif /* OPENSSL_NO_EC */ -#endif /* OPENSSL_NO_TLSEXT */ if (!ok) continue; diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index 120f92a9d39..4a6c3cb1e8b 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -357,17 +357,12 @@ ssl3_accept(SSL *s) ret = ssl3_send_server_hello(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT if (s->hit) { if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; else s->state = SSL3_ST_SW_CHANGE_A; } -#else - if (s->hit) - s->state = SSL3_ST_SW_CHANGE_A; -#endif else s->state = SSL3_ST_SW_CERT_A; s->init_num = 0; @@ -385,7 +380,6 @@ ssl3_accept(SSL *s) ret = ssl3_send_server_certificate(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT if (s->tlsext_status_expected) s->state = SSL3_ST_SW_CERT_STATUS_A; else @@ -394,12 +388,6 @@ ssl3_accept(SSL *s) skip = 1; s->state = SSL3_ST_SW_KEY_EXCH_A; } -#else - } else - skip = 1; - - s->state = SSL3_ST_SW_KEY_EXCH_A; -#endif s->init_num = 0; break; @@ -683,16 +671,13 @@ ssl3_accept(SSL *s) goto end; if (s->hit) s->state = SSL_ST_OK; -#ifndef OPENSSL_NO_TLSEXT else if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; -#endif else s->state = SSL3_ST_SW_CHANGE_A; s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT case SSL3_ST_SW_SESSION_TICKET_A: case SSL3_ST_SW_SESSION_TICKET_B: ret = ssl3_send_newsession_ticket(s); @@ -711,7 +696,6 @@ ssl3_accept(SSL *s) s->init_num = 0; break; -#endif case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: @@ -1123,7 +1107,6 @@ ssl3_get_client_hello(SSL *s) goto f_err; } -#ifndef OPENSSL_NO_TLSEXT /* TLS extensions*/ if (s->version >= SSL3_VERSION) { if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) { @@ -1191,7 +1174,6 @@ ssl3_get_client_hello(SSL *s) sk_SSL_CIPHER_dup(s->session->ciphers); } } -#endif /* * Worst case, we will use the NULL compression, but if we have other @@ -1381,11 +1363,6 @@ ssl3_send_server_hello(SSL *s) if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf = (unsigned char *)s->init_buf->data; -#ifdef OPENSSL_NO_TLSEXT - p = s->s3->server_random; - if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) - return (-1); -#endif /* Do the message type and length last */ d = p= &(buf[4]); @@ -1441,7 +1418,6 @@ ssl3_send_server_hello(SSL *s) else *(p++) = s->s3->tmp.new_compression->id; #endif -#ifndef OPENSSL_NO_TLSEXT if (ssl_prepare_serverhello_tlsext(s) <= 0) { SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); @@ -1453,7 +1429,6 @@ ssl3_send_server_hello(SSL *s) ERR_R_INTERNAL_ERROR); return (-1); } -#endif /* do the header */ l = (p - d); d = buf; @@ -2928,7 +2903,6 @@ ssl3_send_server_certificate(SSL *s) return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); } -#ifndef OPENSSL_NO_TLSEXT /* send a new session ticket (not necessarily for a new session) */ int ssl3_send_newsession_ticket(SSL *s) @@ -3180,4 +3154,3 @@ ssl3_get_next_proto(SSL *s) return (1); } # endif -#endif diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index 45968ce16ab..d6f875a7977 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -504,7 +504,6 @@ struct ssl_session_st { /* These are used to make removal of session-ids more * efficient and to implement a maximum cache size. */ struct ssl_session_st *prev, *next; -#ifndef OPENSSL_NO_TLSEXT char *tlsext_hostname; #ifndef OPENSSL_NO_EC size_t tlsext_ecpointformatlist_length; @@ -516,7 +515,6 @@ struct ssl_session_st { unsigned char *tlsext_tick; /* Session ticket */ size_t tlsext_ticklen; /* Session ticket length */ long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ -#endif }; #endif @@ -841,7 +839,6 @@ struct ssl_ctx_st { ENGINE *client_cert_engine; #endif -#ifndef OPENSSL_NO_TLSEXT /* TLS extensions servername callback */ int (*tlsext_servername_callback)(SSL*, int *, void *); void *tlsext_servername_arg; @@ -862,7 +859,6 @@ struct ssl_ctx_st { int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg); void *tlsext_opaque_prf_input_callback_arg; -#endif #ifndef OPENSSL_NO_PSK char *psk_identity_hint; @@ -874,7 +870,6 @@ struct ssl_ctx_st { #endif -#ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_NEXTPROTONEG /* Next protocol negotiation information */ @@ -895,7 +890,6 @@ struct ssl_ctx_st { /* SRTP profiles we are willing to do from RFC 5764 */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; -#endif }; #endif @@ -1186,7 +1180,6 @@ struct ssl_st { int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ unsigned int max_send_fragment; -#ifndef OPENSSL_NO_TLSEXT /* TLS extension debug callback */ void (*tlsext_debug_cb)(SSL *s, int client_server, int type, unsigned char *data, int len, void *arg); @@ -1259,9 +1252,6 @@ struct ssl_st { */ unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */ unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */ -#else -#define session_ctx ctx -#endif /* OPENSSL_NO_TLSEXT */ int renegotiate;/* 1 if we are renegotiating. * 2 if we are a server and are inside a handshake @@ -1467,7 +1457,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52 /* see tls1.h for macros based on these */ -#ifndef OPENSSL_NO_TLSEXT #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54 #define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 @@ -1498,7 +1487,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79 #define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80 #define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81 -#endif #define DTLS_CTRL_GET_TIMEOUT 73 #define DTLS_CTRL_HANDLE_TIMEOUT 74 diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h index 8633dae5217..c264422a364 100644 --- a/lib/libssl/ssl3.h +++ b/lib/libssl/ssl3.h @@ -519,14 +519,12 @@ typedef struct ssl3_state_st { int next_proto_neg_seen; #endif -#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_EC /* This is set to true if we believe that this is a version of Safari * running on OS X 10.6 or newer. We wish to know this because Safari * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */ char is_probably_safari; #endif /* !OPENSSL_NO_EC */ -#endif /* !OPENSSL_NO_TLSEXT */ } SSL3_STATE; #endif diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c index 566590f171f..b0da6f4bdbf 100644 --- a/lib/libssl/ssl_asn1.c +++ b/lib/libssl/ssl_asn1.c @@ -100,11 +100,9 @@ typedef struct ssl_session_asn1_st { ASN1_INTEGER time; ASN1_INTEGER timeout; ASN1_INTEGER verify_result; -#ifndef OPENSSL_NO_TLSEXT ASN1_OCTET_STRING tlsext_hostname; ASN1_INTEGER tlsext_tick_lifetime; ASN1_OCTET_STRING tlsext_tick; -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_PSK ASN1_OCTET_STRING psk_identity_hint; ASN1_OCTET_STRING psk_identity; @@ -118,10 +116,8 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0, v7 = 0, v8 = 0; unsigned char buf[4], ibuf1[LSIZE2], ibuf2[LSIZE2]; unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2]; -#ifndef OPENSSL_NO_TLSEXT int v6 = 0, v9 = 0, v10 = 0; unsigned char ibuf6[LSIZE2]; -#endif #ifndef OPENSSL_NO_COMP unsigned char cbuf; int v11 = 0; @@ -202,7 +198,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) ASN1_INTEGER_set(&a.verify_result, in->verify_result); } -#ifndef OPENSSL_NO_TLSEXT if (in->tlsext_hostname) { a.tlsext_hostname.length = strlen(in->tlsext_hostname); a.tlsext_hostname.type = V_ASN1_OCTET_STRING; @@ -219,7 +214,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.tlsext_tick_lifetime.data = ibuf6; ASN1_INTEGER_set(&a.tlsext_tick_lifetime, in->tlsext_tick_lifetime_hint); } -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_PSK if (in->psk_identity_hint) { a.psk_identity_hint.length = strlen(in->psk_identity_hint); @@ -248,7 +242,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->verify_result != X509_V_OK) M_ASN1_I2D_len_EXP_opt(&(a.verify_result), i2d_ASN1_INTEGER, 5, v5); -#ifndef OPENSSL_NO_TLSEXT if (in->tlsext_tick_lifetime_hint > 0) M_ASN1_I2D_len_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, v9); if (in->tlsext_tick) @@ -259,7 +252,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->compress_meth) M_ASN1_I2D_len_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11); #endif -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_PSK if (in->psk_identity_hint) M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7); @@ -284,22 +276,18 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) v4); if (in->verify_result != X509_V_OK) M_ASN1_I2D_put_EXP_opt(&a.verify_result, i2d_ASN1_INTEGER, 5, v5); -#ifndef OPENSSL_NO_TLSEXT if (in->tlsext_hostname) M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, v6); -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_PSK if (in->psk_identity_hint) M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7); if (in->psk_identity) M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8); #endif /* OPENSSL_NO_PSK */ -#ifndef OPENSSL_NO_TLSEXT if (in->tlsext_tick_lifetime_hint > 0) M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, v9); if (in->tlsext_tick) M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, v10); -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_COMP if (in->compress_meth) M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11); @@ -436,7 +424,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) } else ret->verify_result = X509_V_OK; -#ifndef OPENSSL_NO_TLSEXT os.length = 0; os.data = NULL; M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 6); @@ -447,7 +434,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) os.length = 0; } else ret->tlsext_hostname = NULL; -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_PSK os.length = 0; @@ -473,7 +459,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) ret->psk_identity = NULL; #endif /* OPENSSL_NO_PSK */ -#ifndef OPENSSL_NO_TLSEXT ai.length = 0; M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 9); if (ai.data != NULL) { @@ -495,7 +480,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) os.length = 0; } else ret->tlsext_tick = NULL; -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_COMP os.length = 0; os.data = NULL; diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 94792c6d515..262b5a21309 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -322,7 +322,6 @@ SSL_new(SSL_CTX *ctx) CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->ctx = ctx; -#ifndef OPENSSL_NO_TLSEXT s->tlsext_debug_cb = 0; s->tlsext_debug_arg = NULL; s->tlsext_ticket_expected = 0; @@ -337,7 +336,6 @@ SSL_new(SSL_CTX *ctx) # ifndef OPENSSL_NO_NEXTPROTONEG s->next_proto_negotiated = NULL; # endif -#endif s->verify_result = X509_V_OK; @@ -535,7 +533,6 @@ SSL_free(SSL *s) ssl_cert_free(s->cert); /* Free up if allocated */ -#ifndef OPENSSL_NO_TLSEXT free(s->tlsext_hostname); if (s->initial_ctx) SSL_CTX_free(s->initial_ctx); @@ -550,7 +547,6 @@ SSL_free(SSL *s) if (s->tlsext_ocsp_ids) sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); free(s->tlsext_ocsp_resp); -#endif if (s->client_CA != NULL) sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); @@ -1490,7 +1486,6 @@ err: } -#ifndef OPENSSL_NO_TLSEXT /* * Return a servername extension value if provided in Client Hello, or NULL. * So far, only host_name types are defined (RFC 3546). @@ -1648,7 +1643,6 @@ SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, ctx->next_proto_select_cb_arg = arg; } # endif -#endif int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, @@ -1808,7 +1802,6 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; -#ifndef OPENSSL_NO_TLSEXT ret->tlsext_servername_callback = 0; ret->tlsext_servername_arg = NULL; /* Setup RFC4507 ticket keys */ @@ -1824,7 +1817,6 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->next_protos_advertised_cb = 0; ret->next_proto_select_cb = 0; # endif -#endif #ifndef OPENSSL_NO_PSK ret->psk_identity_hint = NULL; ret->psk_client_callback = NULL; @@ -2842,10 +2834,8 @@ SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) { if (ssl->ctx == ctx) return (ssl->ctx); -#ifndef OPENSSL_NO_TLSEXT if (ctx == NULL) ctx = ssl->initial_ctx; -#endif if (ssl->cert != NULL) ssl_cert_free(ssl->cert); ssl->cert = ssl_cert_dup(ctx->cert); diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 208610dac19..ecf108d6a57 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -750,12 +750,10 @@ int ssl3_send_client_key_exchange(SSL *s); int ssl3_get_key_exchange(SSL *s); int ssl3_get_server_certificate(SSL *s); int ssl3_check_cert_and_algorithm(SSL *s); -#ifndef OPENSSL_NO_TLSEXT int ssl3_check_finished(SSL *s); # ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s); # endif -#endif int dtls1_client_hello(SSL *s); int dtls1_send_client_certificate(SSL *s); @@ -837,7 +835,6 @@ int tls1_ec_curve_id2nid(int curve_id); int tls1_ec_nid2curve_id(int nid); #endif /* OPENSSL_NO_EC */ -#ifndef OPENSSL_NO_TLSEXT unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); @@ -863,7 +860,6 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, int tls12_get_sigid(const EVP_PKEY *pk); const EVP_MD *tls12_get_hash(unsigned char hash_alg); -#endif EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md); void ssl_clear_hash_ctx(EVP_MD_CTX **hash); int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index 632d6a68600..de133a72ca5 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -208,7 +208,6 @@ SSL_SESSION_new(void) ss->prev = NULL; ss->next = NULL; ss->compress_meth = 0; -#ifndef OPENSSL_NO_TLSEXT ss->tlsext_hostname = NULL; #ifndef OPENSSL_NO_EC @@ -217,7 +216,6 @@ SSL_SESSION_new(void) ss->tlsext_ellipticcurvelist_length = 0; ss->tlsext_ellipticcurvelist = NULL; #endif -#endif CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); #ifndef OPENSSL_NO_PSK ss->psk_identity_hint = NULL; @@ -313,13 +311,11 @@ ssl_get_new_session(SSL *s, int session) SSL_SESSION_free(ss); return (0); } -#ifndef OPENSSL_NO_TLSEXT /* If RFC4507 ticket use empty session ID */ if (s->tlsext_ticket_expected) { ss->session_id_length = 0; goto sess_id_done; } -#endif /* Choose which callback will set the session ID */ CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); if (s->generate_session_id) @@ -354,7 +350,6 @@ ssl_get_new_session(SSL *s, int session) SSL_SESSION_free(ss); return (0); } -#ifndef OPENSSL_NO_TLSEXT sess_id_done: if (s->tlsext_hostname) { ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname); @@ -386,7 +381,6 @@ ssl_get_new_session(SSL *s, int session) memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); } #endif -#endif } else { ss->session_id_length = 0; } @@ -433,9 +427,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, SSL_SESSION *ret = NULL; int fatal = 0; int try_session_cache = 1; -#ifndef OPENSSL_NO_TLSEXT int r; -#endif if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; @@ -443,7 +435,6 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, if (len == 0) try_session_cache = 0; -#ifndef OPENSSL_NO_TLSEXT r = tls1_process_ticket(s, session_id, len, limit, &ret); /* sets s->tlsext_ticket_expected */ switch (r) { case -1: /* Error during processing */ @@ -459,7 +450,6 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, default: abort(); } -#endif if (try_session_cache && ret == NULL && @@ -570,13 +560,11 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, err: if (ret != NULL) { SSL_SESSION_free(ret); -#ifndef OPENSSL_NO_TLSEXT if (!try_session_cache) { /* The session was from a ticket, so we should * issue a ticket for the new session */ s->tlsext_ticket_expected = 1; } -#endif } if (fatal) return -1; @@ -701,7 +689,6 @@ SSL_SESSION_free(SSL_SESSION *ss) X509_free(ss->peer); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); -#ifndef OPENSSL_NO_TLSEXT free(ss->tlsext_hostname); free(ss->tlsext_tick); #ifndef OPENSSL_NO_EC @@ -710,7 +697,6 @@ SSL_SESSION_free(SSL_SESSION *ss) ss->tlsext_ellipticcurvelist_length = 0; free(ss->tlsext_ellipticcurvelist); #endif /* OPENSSL_NO_EC */ -#endif #ifndef OPENSSL_NO_PSK free(ss->psk_identity_hint); free(ss->psk_identity); @@ -839,7 +825,6 @@ SSL_CTX_get_timeout(const SSL_CTX *s) return (s->session_timeout); } -#ifndef OPENSSL_NO_TLSEXT int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg) @@ -887,7 +872,6 @@ SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) return 0; } -#endif /* OPENSSL_NO_TLSEXT */ typedef struct timeout_param_st { SSL_CTX *ctx; diff --git a/lib/libssl/ssl_txt.c b/lib/libssl/ssl_txt.c index 43696db8473..e58849deb58 100644 --- a/lib/libssl/ssl_txt.c +++ b/lib/libssl/ssl_txt.c @@ -169,7 +169,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) goto err; #endif -#ifndef OPENSSL_NO_TLSEXT if (x->tlsext_tick_lifetime_hint) { if (BIO_printf(bp, "\n TLS session ticket lifetime hint: %ld (seconds)", @@ -182,7 +181,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_dump_indent(bp, (char *)x->tlsext_tick, x->tlsext_ticklen, 4) <= 0) goto err; } -#endif #ifndef OPENSSL_NO_COMP if (x->compress_meth != 0) { diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 5ad69f5ce99..5d442558ddf 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -119,11 +119,9 @@ const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT; -#ifndef OPENSSL_NO_TLSEXT static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, const unsigned char *sess_id, int sesslen, SSL_SESSION **psess); -#endif SSL3_ENC_METHOD TLSv1_enc_data = { .enc = tls1_enc, @@ -200,9 +198,7 @@ tls1_new(SSL *s) void tls1_free(SSL *s) { -#ifndef OPENSSL_NO_TLSEXT free(s->tlsext_session_ticket); -#endif /* OPENSSL_NO_TLSEXT */ ssl3_free(s); } @@ -354,7 +350,6 @@ tls1_ec_nid2curve_id(int nid) } #endif /* OPENSSL_NO_EC */ -#ifndef OPENSSL_NO_TLSEXT /* List of supported signature algorithms and hashes. Should make this * customisable at some point, for now include everything we support. @@ -2315,4 +2310,3 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) return 1; } -#endif diff --git a/lib/libssl/tls1.h b/lib/libssl/tls1.h index 400deca6d4f..813bc97b318 100644 --- a/lib/libssl/tls1.h +++ b/lib/libssl/tls1.h @@ -274,7 +274,6 @@ extern "C" { #define TLSEXT_hash_sha384 5 #define TLSEXT_hash_sha512 6 -#ifndef OPENSSL_NO_TLSEXT #define TLSEXT_MAXLEN_host_name 255 @@ -353,7 +352,6 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG, 0, arg) #define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) -#endif /* PSK ciphersuites from 4279 */ #define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A |