author | Ted Unangst <tedu@cvs.openbsd.org> | 2014-05-29 18:11:14 +0000 |
committer | Ted Unangst <tedu@cvs.openbsd.org> | 2014-05-29 18:11:14 +0000 |
commit | da169a89eaba91f35cf947a988eb7481a0448dc6 (patch) | |
tree | fd14bcda7b1d92878c1727bd08e7f6cd8770a08a /lib/libssl | |
parent | 5bf5321b1646ba5f8f5019c8591b89ed7ddab822 (diff) |
unidef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/d1_clnt.c | 12 | ||||
-rw-r--r-- | lib/libssl/d1_srvr.c | 16 | ||||
-rw-r--r-- | lib/libssl/s3_clnt.c | 40 | ||||
-rw-r--r-- | lib/libssl/s3_lib.c | 36 | ||||
-rw-r--r-- | lib/libssl/s3_srvr.c | 30 | ||||
-rw-r--r-- | lib/libssl/ssl.h | 4 | ||||
-rw-r--r-- | lib/libssl/ssl3.h | 4 | ||||
-rw-r--r-- | lib/libssl/ssl_algs.c | 2 | ||||
-rw-r--r-- | lib/libssl/ssl_cert.c | 22 | ||||
-rw-r--r-- | lib/libssl/ssl_ciph.c | 11 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 20 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 10 | ||||
-rw-r--r-- | lib/libssl/t1_lib.c | 10 |
13 files changed, 0 insertions, 217 deletions
diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c index d82b099e083..4b8a11426f2 100644 --- a/lib/libssl/d1_clnt.c +++ b/lib/libssl/d1_clnt.c @@ -121,9 +121,7 @@ #include <openssl/evp.h> #include <openssl/md5.h> #include <openssl/bn.h> -#ifndef OPENSSL_NO_DH #include <openssl/dh.h> -#endif static const SSL_METHOD *dtls1_get_client_method(int ver); static int dtls1_get_hello_verify(SSL *s); @@ -958,14 +956,12 @@ dtls1_send_client_key_exchange(SSL *s) unsigned long alg_k; unsigned char *q; EVP_PKEY *pkey = NULL; -#ifndef OPENSSL_NO_ECDH EC_KEY *clnt_ecdh = NULL; const EC_POINT *srvr_ecpoint = NULL; EVP_PKEY *srvr_pub_pkey = NULL; unsigned char *encodedPoint = NULL; int encoded_pt_len = 0; BN_CTX * bn_ctx = NULL; -#endif if (s->state == SSL3_ST_CW_KEY_EXCH_A) { d = (unsigned char *)s->init_buf->data; @@ -1021,7 +1017,6 @@ dtls1_send_client_key_exchange(SSL *s) tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); } -#ifndef OPENSSL_NO_DH else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr, *dh_clnt; @@ -1071,8 +1066,6 @@ dtls1_send_client_key_exchange(SSL *s) /* perhaps clean things up a bit EAY EAY EAY EAY*/ } -#endif -#ifndef OPENSSL_NO_ECDH else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey; @@ -1236,7 +1229,6 @@ dtls1_send_client_key_exchange(SSL *s) EC_KEY_free(clnt_ecdh); EVP_PKEY_free(srvr_pub_pkey); } -#endif /* !OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_PSK else if (alg_k & SSL_kPSK) { @@ -1340,13 +1332,11 @@ psk_err: /* SSL3_ST_CW_KEY_EXCH_B */ return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); err: -#ifndef OPENSSL_NO_ECDH BN_CTX_free(bn_ctx); free(encodedPoint); if (clnt_ecdh != NULL) EC_KEY_free(clnt_ecdh); EVP_PKEY_free(srvr_pub_pkey); -#endif return (-1); } @@ -1391,7 +1381,6 @@ dtls1_send_client_verify(SSL *s) s2n(j, p); n = j + 2; } else -#ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) { if (!ECDSA_sign(pkey->save_type, &(data[MD5_DIGEST_LENGTH]), 
@@ -1404,7 +1393,6 @@ dtls1_send_client_verify(SSL *s) s2n(j, p); n = j + 2; } else -#endif { SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c index c8bfc1b03d2..3f872de48b1 100644 --- a/lib/libssl/d1_srvr.c +++ b/lib/libssl/d1_srvr.c @@ -122,9 +122,7 @@ #include <openssl/x509.h> #include <openssl/md5.h> #include <openssl/bn.h> -#ifndef OPENSSL_NO_DH #include <openssl/dh.h> -#endif static const SSL_METHOD *dtls1_get_server_method(int ver); static int dtls1_send_hello_verify_request(SSL *s); @@ -1036,17 +1034,13 @@ dtls1_send_server_key_exchange(SSL *s) RSA *rsa; unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; unsigned int u; -#ifndef OPENSSL_NO_DH DH *dh = NULL, *dhp; -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL, *ecdhp; unsigned char *encodedPoint = NULL; int encodedlen = 0; int curve_id = 0; BN_CTX *bn_ctx = NULL; -#endif #ifndef OPENSSL_NO_PSK size_t pskhintlen = 0; #endif @@ -1093,7 +1087,6 @@ dtls1_send_server_key_exchange(SSL *s) r[1] = rsa->e; s->s3->tmp.use_rsa_tmp = 1; } else -#ifndef OPENSSL_NO_DH if (type & SSL_kEDH) { dhp = cert->dh_tmp; if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) @@ -1138,8 +1131,6 @@ dtls1_send_server_key_exchange(SSL *s) r[1] = dh->g; r[2] = dh->pub_key; } else -#endif -#ifndef OPENSSL_NO_ECDH if (type & SSL_kEECDH) { const EC_GROUP *group; @@ -1252,7 +1243,6 @@ dtls1_send_server_key_exchange(SSL *s) r[2] = NULL; r[3] = NULL; } else -#endif /* !OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_PSK if (type & SSL_kPSK) { pskhintlen = strlen(s->ctx->psk_identity_hint); @@ -1296,7 +1286,6 @@ dtls1_send_server_key_exchange(SSL *s) p += nr[i]; } -#ifndef OPENSSL_NO_ECDH if (type & SSL_kEECDH) { /* XXX: For now, we only support named (not generic) curves. * In this situation, the serverKeyExchange message has: 
@@ -1318,7 +1307,6 @@ dtls1_send_server_key_exchange(SSL *s) encodedPoint = NULL; p += encodedlen; } -#endif #ifndef OPENSSL_NO_PSK if (type & SSL_kPSK) { @@ -1376,7 +1364,6 @@ dtls1_send_server_key_exchange(SSL *s) s2n(i, p); n += i + 2; } else -#if !defined(OPENSSL_NO_ECDSA) if (pkey->type == EVP_PKEY_EC) { /* let's do ECDSA */ EVP_SignInit_ex(&md_ctx, EVP_ecdsa(), NULL); @@ -1391,7 +1378,6 @@ dtls1_send_server_key_exchange(SSL *s) s2n(i, p); n += i + 2; } else -#endif { /* Is this error check actually needed? */ al = SSL_AD_HANDSHAKE_FAILURE; @@ -1418,10 +1404,8 @@ dtls1_send_server_key_exchange(SSL *s) f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: -#ifndef OPENSSL_NO_ECDH free(encodedPoint); BN_CTX_free(bn_ctx); -#endif EVP_MD_CTX_cleanup(&md_ctx); return (-1); } diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index 602ab03fe1f..4df299de9dd 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -155,9 +155,7 @@ #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/md5.h> -#ifndef OPENSSL_NO_DH #include <openssl/dh.h> -#endif #include <openssl/bn.h> #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> @@ -1263,16 +1261,12 @@ ssl3_get_key_exchange(SSL *s) EVP_PKEY *pkey = NULL; const EVP_MD *md = NULL; RSA *rsa = NULL; -#ifndef OPENSSL_NO_DH DH *dh = NULL; -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL; BN_CTX *bn_ctx = NULL; EC_POINT *srvr_ecpoint = NULL; int curve_nid = 0; int encoded_pt_len = 0; -#endif /* * Use same message size as in ssl3_get_certificate_request() 
@@ -1306,18 +1300,14 @@ ssl3_get_key_exchange(SSL *s) RSA_free(s->session->sess_cert->peer_rsa_tmp); s->session->sess_cert->peer_rsa_tmp = NULL; } -#ifndef OPENSSL_NO_DH if (s->session->sess_cert->peer_dh_tmp) { DH_free(s->session->sess_cert->peer_dh_tmp); s->session->sess_cert->peer_dh_tmp = NULL; } -#endif -#ifndef OPENSSL_NO_ECDH if (s->session->sess_cert->peer_ecdh_tmp) { EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); s->session->sess_cert->peer_ecdh_tmp = NULL; } -#endif } else { s->session->sess_cert = ssl_sess_cert_new(); } @@ -1424,7 +1414,6 @@ ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_rsa_tmp = rsa; rsa = NULL; } -#ifndef OPENSSL_NO_DH else if (alg_k & SSL_kEDH) { if ((dh = DH_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, @@ -1495,9 +1484,7 @@ ssl3_get_key_exchange(SSL *s) SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); goto f_err; } -#endif /* !OPENSSL_NO_DH */ -#ifndef OPENSSL_NO_ECDH else if (alg_k & SSL_kEECDH) { EC_GROUP *ngroup; const EC_GROUP *group; @@ -1585,12 +1572,10 @@ ssl3_get_key_exchange(SSL *s) pkey = X509_get_pubkey( s->session->sess_cert->peer_pkeys[ SSL_PKEY_RSA_ENC].x509); -#ifndef OPENSSL_NO_ECDSA else if (alg_a & SSL_aECDSA) pkey = X509_get_pubkey( s->session->sess_cert->peer_pkeys[ SSL_PKEY_ECC].x509); -#endif /* Else anonymous ECDH, so no certificate or pkey. */ EC_KEY_set_public_key(ecdh, srvr_ecpoint); s->session->sess_cert->peer_ecdh_tmp = ecdh; @@ -1605,7 +1590,6 @@ ssl3_get_key_exchange(SSL *s) SSL_R_UNEXPECTED_MESSAGE); goto f_err; } -#endif /* !OPENSSL_NO_ECDH */ /* p points to the next byte, there are 'n' bytes left */ @@ -1731,16 +1715,12 @@ ssl3_get_key_exchange(SSL *s) EVP_PKEY_free(pkey); if (rsa != NULL) RSA_free(rsa); -#ifndef OPENSSL_NO_DH if (dh != NULL) DH_free(dh); -#endif -#ifndef OPENSSL_NO_ECDH BN_CTX_free(bn_ctx); EC_POINT_free(srvr_ecpoint); if (ecdh != NULL) EC_KEY_free(ecdh); -#endif EVP_MD_CTX_cleanup(&md_ctx); return (-1); } 
@@ -2084,14 +2064,12 @@ ssl3_send_client_key_exchange(SSL *s) unsigned long alg_k; unsigned char *q; EVP_PKEY *pkey = NULL; -#ifndef OPENSSL_NO_ECDH EC_KEY *clnt_ecdh = NULL; const EC_POINT *srvr_ecpoint = NULL; EVP_PKEY *srvr_pub_pkey = NULL; unsigned char *encodedPoint = NULL; int encoded_pt_len = 0; BN_CTX *bn_ctx = NULL; -#endif if (s->state == SSL3_ST_CW_KEY_EXCH_A) { d = (unsigned char *)s->init_buf->data; @@ -2151,7 +2129,6 @@ ssl3_send_client_key_exchange(SSL *s) s, s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); } -#ifndef OPENSSL_NO_DH else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr, *dh_clnt; @@ -2217,9 +2194,7 @@ ssl3_send_client_key_exchange(SSL *s) /* perhaps clean things up a bit EAY EAY EAY EAY*/ } -#endif -#ifndef OPENSSL_NO_ECDH else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { const EC_GROUP *srvr_group = NULL; EC_KEY *tkey; @@ -2399,7 +2374,6 @@ ssl3_send_client_key_exchange(SSL *s) EC_KEY_free(clnt_ecdh); EVP_PKEY_free(srvr_pub_pkey); } -#endif /* !OPENSSL_NO_ECDH */ else if (alg_k & SSL_kGOST) { /* GOST key exchange message creation */ EVP_PKEY_CTX *pkey_ctx; @@ -2608,13 +2582,11 @@ ssl3_send_client_key_exchange(SSL *s) /* SSL3_ST_CW_KEY_EXCH_B */ return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); err: -#ifndef OPENSSL_NO_ECDH BN_CTX_free(bn_ctx); free(encodedPoint); if (clnt_ecdh != NULL) EC_KEY_free(clnt_ecdh); EVP_PKEY_free(srvr_pub_pkey); -#endif return (-1); } @@ -2703,7 +2675,6 @@ ssl3_send_client_verify(SSL *s) s2n(j, p); n = j + 2; } else -#ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) { if (!ECDSA_sign(pkey->save_type, &(data[MD5_DIGEST_LENGTH]), @@ -2716,7 +2687,6 @@ ssl3_send_client_verify(SSL *s) s2n(j, p); n = j + 2; } else -#endif if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) { unsigned char signbuf[64]; 
@@ -2836,9 +2806,7 @@ ssl3_check_cert_and_algorithm(SSL *s) EVP_PKEY *pkey = NULL; SESS_CERT *sc; RSA *rsa; -#ifndef OPENSSL_NO_DH DH *dh; -#endif alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_a = s->s3->tmp.new_cipher->algorithm_auth; @@ -2855,14 +2823,11 @@ ssl3_check_cert_and_algorithm(SSL *s) } rsa = s->session->sess_cert->peer_rsa_tmp; -#ifndef OPENSSL_NO_DH dh = s->session->sess_cert->peer_dh_tmp; -#endif /* This is the passed certificate. */ idx = sc->peer_cert_type; -#ifndef OPENSSL_NO_ECDH if (idx == SSL_PKEY_ECC) { if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, s) == 0) @@ -2874,7 +2839,6 @@ ssl3_check_cert_and_algorithm(SSL *s) return (1); } } -#endif pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509); i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); EVP_PKEY_free(pkey); @@ -2897,7 +2861,6 @@ ssl3_check_cert_and_algorithm(SSL *s) SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; } -#ifndef OPENSSL_NO_DH if ((alg_k & SSL_kEDH) && !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, @@ -2913,7 +2876,6 @@ ssl3_check_cert_and_algorithm(SSL *s) SSL_R_MISSING_DH_DSA_CERT); goto f_err; } -#endif if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) { @@ -2925,7 +2887,6 @@ ssl3_check_cert_and_algorithm(SSL *s) goto f_err; } } else -#ifndef OPENSSL_NO_DH if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { if (dh == NULL || DH_size(dh) * 8 > SSL_C_EXPORT_PKEYLENGTH( @@ -2936,7 +2897,6 @@ ssl3_check_cert_and_algorithm(SSL *s) goto f_err; } } else -#endif { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index e3770bd0aec..2c15a87269b 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c 
@@ -157,9 +157,7 @@ #endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_TLSEXT */ #include <openssl/md5.h> -#ifndef OPENSSL_NO_DH #include <openssl/dh.h> -#endif const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; @@ -1523,7 +1521,6 @@ SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, -#ifndef OPENSSL_NO_ECDH /* Cipher C001 */ { .valid = 1, @@ -1923,9 +1920,7 @@ SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, -#endif /* OPENSSL_NO_ECDH */ -#ifndef OPENSSL_NO_ECDH /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ @@ -2187,7 +2182,6 @@ SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, -#endif /* OPENSSL_NO_ECDH */ #ifdef TEMP_GOST_TLS @@ -2343,14 +2337,10 @@ ssl3_free(SSL *s) if (s->s3->wbuf.buf != NULL) ssl3_release_write_buffer(s); free(s->s3->rrec.comp); -#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); -#endif -#ifndef OPENSSL_NO_ECDH if (s->s3->tmp.ecdh != NULL) EC_KEY_free(s->s3->tmp.ecdh); -#endif if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); @@ -2385,18 +2375,14 @@ ssl3_clear(SSL *s) free(s->s3->rrec.comp); s->s3->rrec.comp = NULL; -#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) { DH_free(s->s3->tmp.dh); s->s3->tmp.dh = NULL; } -#endif -#ifndef OPENSSL_NO_ECDH if (s->s3->tmp.ecdh != NULL) { EC_KEY_free(s->s3->tmp.ecdh); s->s3->tmp.ecdh = NULL; } -#endif #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_EC s->s3->is_probably_safari = 0; @@ -2505,7 +2491,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (ret); } break; -#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *dh = (DH *)parg; @@ -2540,8 +2525,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (ret); } break; -#endif -#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_TMP_ECDH: { EC_KEY *ecdh = NULL; 
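Review bot: The `OPENSSL_NO_EC` guards left in this file are now inconsistent with the change: the first hunk still closes with `#endif /* OPENSSL_NO_EC */`, and the `ssl3_clear` hunk keeps `s->s3->is_probably_safari = 0;` under `#ifndef OPENSSL_NO_EC`, while `EC_KEY_free(s->s3->tmp.ecdh)` and the `SSL_CTRL_SET_TMP_ECDH` / `SSL_CTRL_SET_TMP_ECDH_CB` cases are compiled unconditionally. A build that defines `OPENSSL_NO_EC` would therefore no longer disable elliptic-curve code cleanly but fail on the unguarded `EC_KEY` uses, which is presumably not the intent given the commit message. Either drop the remaining `OPENSSL_NO_EC` conditionals in the same sweep, or state the new requirement once near the includes with `#ifdef OPENSSL_NO_EC` / `#error "libssl requires EC support"` / `#endif`. The same applies to the `#ifndef OPENSSL_NO_TLSEXT` / `#ifndef OPENSSL_NO_EC` nesting in the `ssl3_clear` hunk on this line.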
@@ -2578,7 +2561,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (ret); } break; -#endif /* !OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { @@ -2701,21 +2683,17 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; } break; -#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; -#endif -#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_TMP_ECDH_CB: { s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; } break; -#endif #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_DEBUG_CB: s->tlsext_debug_cb = (void (*)(SSL *, int , int, @@ -2777,7 +2755,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (0); } break; -#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *new = NULL, *dh; @@ -2809,8 +2786,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (0); } break; -#endif -#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_TMP_ECDH: { EC_KEY *ecdh = NULL; @@ -2849,7 +2824,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (0); } break; -#endif /* !OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->tlsext_servername_arg = parg; @@ -2932,20 +2906,16 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; } break; -#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; -#endif -#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_TMP_ECDH_CB: { cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; } break; -#endif #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: ctx->tlsext_servername_callback = 
@@ -3255,7 +3225,6 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) } #endif -#ifndef OPENSSL_NO_DH if (alg_k & (SSL_kDHr|SSL_kEDH)) { p[ret++] = SSL3_CT_RSA_FIXED_DH; p[ret++] = SSL3_CT_DSS_FIXED_DH; @@ -3265,17 +3234,13 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; } -#endif /* !OPENSSL_NO_DH */ p[ret++] = SSL3_CT_RSA_SIGN; p[ret++] = SSL3_CT_DSS_SIGN; -#ifndef OPENSSL_NO_ECDH if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) { p[ret++] = TLS_CT_RSA_FIXED_ECDH; p[ret++] = TLS_CT_ECDSA_FIXED_ECDH; } -#endif -#ifndef OPENSSL_NO_ECDSA /* * ECDSA certs can be used with RSA cipher suites as well * so we don't need to check for SSL_kECDH or SSL_kEECDH @@ -3283,7 +3248,6 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) if (s->version >= TLS1_VERSION) { p[ret++] = TLS_CT_ECDSA_SIGN; } -#endif return (ret); } diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index c16f7bb2ef7..b53f27a47d8 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -159,9 +159,7 @@ #include <openssl/evp.h> #include <openssl/hmac.h> #include <openssl/x509.h> -#ifndef OPENSSL_NO_DH #include <openssl/dh.h> -#endif #include <openssl/bn.h> #include <openssl/md5.h> @@ -881,18 +879,14 @@ ssl3_check_client_hello(SSL *s) * which will now be aborted. (A full SSL_clear would be too * much.) */ -#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) { DH_free(s->s3->tmp.dh); s->s3->tmp.dh = NULL; } -#endif -#ifndef OPENSSL_NO_ECDH if (s->s3->tmp.ecdh != NULL) { EC_KEY_free(s->s3->tmp.ecdh); s->s3->tmp.ecdh = NULL; } -#endif s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; return (2); } 
@@ -1509,17 +1503,13 @@ ssl3_send_server_key_exchange(SSL *s) RSA *rsa; unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; unsigned int u; -#ifndef OPENSSL_NO_DH DH *dh = NULL, *dhp; -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL, *ecdhp; unsigned char *encodedPoint = NULL; int encodedlen = 0; int curve_id = 0; BN_CTX *bn_ctx = NULL; -#endif #ifndef OPENSSL_NO_PSK size_t pskhintlen = 0; #endif @@ -1570,7 +1560,6 @@ ssl3_send_server_key_exchange(SSL *s) r[1] = rsa->e; s->s3->tmp.use_rsa_tmp = 1; } else -#ifndef OPENSSL_NO_DH if (type & SSL_kEDH) { dhp = cert->dh_tmp; if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) @@ -1620,8 +1609,6 @@ ssl3_send_server_key_exchange(SSL *s) r[1] = dh->g; r[2] = dh->pub_key; } else -#endif -#ifndef OPENSSL_NO_ECDH if (type & SSL_kEECDH) { const EC_GROUP *group; @@ -1747,7 +1734,6 @@ ssl3_send_server_key_exchange(SSL *s) r[2] = NULL; r[3] = NULL; } else -#endif /* !OPENSSL_NO_ECDH */ #ifndef OPENSSL_NO_PSK if (type & SSL_kPSK) { pskhintlen = strlen(s->ctx->psk_identity_hint); @@ -1793,7 +1779,6 @@ ssl3_send_server_key_exchange(SSL *s) p += nr[i]; } -#ifndef OPENSSL_NO_ECDH if (type & SSL_kEECDH) { /* * XXX: For now, we only support named (not generic) @@ -1817,7 +1802,6 @@ ssl3_send_server_key_exchange(SSL *s) encodedPoint = NULL; p += encodedlen; } -#endif #ifndef OPENSSL_NO_PSK if (type & SSL_kPSK) { @@ -1926,10 +1910,8 @@ ssl3_send_server_key_exchange(SSL *s) f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: -#ifndef OPENSSL_NO_ECDH free(encodedPoint); BN_CTX_free(bn_ctx); -#endif EVP_MD_CTX_cleanup(&md_ctx); return (-1); } 
@@ -2042,18 +2024,14 @@ ssl3_get_client_key_exchange(SSL *s) unsigned char *p; RSA *rsa = NULL; EVP_PKEY *pkey = NULL; -#ifndef OPENSSL_NO_DH BIGNUM *pub = NULL; DH *dh_srvr; -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *srvr_ecdh = NULL; EVP_PKEY *clnt_pub_pkey = NULL; EC_POINT *clnt_ecpoint = NULL; BN_CTX *bn_ctx = NULL; -#endif n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A, SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, @@ -2173,7 +2151,6 @@ ssl3_get_client_key_exchange(SSL *s) p, i); OPENSSL_cleanse(p, i); } else -#ifndef OPENSSL_NO_DH if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { n2s(p, i); if (n != i + 2) { @@ -2229,9 +2206,7 @@ ssl3_get_client_key_exchange(SSL *s) s, s->session->master_key, p, i); OPENSSL_cleanse(p, i); } else -#endif -#ifndef OPENSSL_NO_ECDH if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { int ret = 1; int field_size = 0; @@ -2375,7 +2350,6 @@ ssl3_get_client_key_exchange(SSL *s) OPENSSL_cleanse(p, i); return (ret); } else -#endif #ifndef OPENSSL_NO_PSK if (alg_k & SSL_kPSK) { unsigned char *t = NULL; @@ -2542,13 +2516,11 @@ ssl3_get_client_key_exchange(SSL *s) f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: -#ifndef OPENSSL_NO_ECDH EVP_PKEY_free(clnt_pub_pkey); EC_POINT_free(clnt_ecpoint); if (srvr_ecdh != NULL) EC_KEY_free(srvr_ecdh); BN_CTX_free(bn_ctx); -#endif return (-1); } @@ -2722,7 +2694,6 @@ ssl3_get_cert_verify(SSL *s) goto f_err; } } else -#ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) { j = ECDSA_verify(pkey->save_type, &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), @@ -2735,7 +2706,6 @@ ssl3_get_cert_verify(SSL *s) goto f_err; } } else -#endif if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) { unsigned char signature[64]; diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index 6765e3560ae..69c0bb00e27 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h 
@@ -1875,18 +1875,14 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export, int keylength)); -#ifndef OPENSSL_NO_DH void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export, int keylength)); void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export, int keylength)); -#endif -#ifndef OPENSSL_NO_ECDH void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)); void SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)); -#endif #ifndef OPENSSL_NO_COMP const COMP_METHOD *SSL_get_current_compression(SSL *s); diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h index 2b041d7e2f9..2840b1320fa 100644 --- a/lib/libssl/ssl3.h +++ b/lib/libssl/ssl3.h @@ -490,13 +490,9 @@ typedef struct ssl3_state_st { /* used to hold the new cipher we are going to use */ const SSL_CIPHER *new_cipher; -#ifndef OPENSSL_NO_DH DH *dh; -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh; /* holds short lived ECDH key */ -#endif /* used when SSL_ST_FLUSH_DATA is entered */ int next_state; diff --git a/lib/libssl/ssl_algs.c b/lib/libssl/ssl_algs.c index 46b3c413511..84f44889b58 100644 --- a/lib/libssl/ssl_algs.c +++ b/lib/libssl/ssl_algs.c @@ -111,9 +111,7 @@ SSL_library_init(void) EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1"); EVP_add_digest_alias(SN_dsaWithSHA1, "dss1"); -#ifndef OPENSSL_NO_ECDSA EVP_add_digest(EVP_ecdsa()); -#endif #ifndef OPENSSL_NO_COMP /* This will initialise the built-in compression algorithms. The value returned is a STACK_OF(SSL_COMP), but that can diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index d8b94b1285c..f506ae685ff 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c 
@@ -125,9 +125,7 @@ #include <openssl/bio.h> #include <openssl/pem.h> #include <openssl/x509v3.h> -#ifndef OPENSSL_NO_DH #include <openssl/dh.h> -#endif #include <openssl/bn.h> #include "ssl_locl.h" @@ -165,9 +163,7 @@ ssl_cert_set_default_md(CERT *cert) cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); -#ifndef OPENSSL_NO_ECDSA cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); -#endif } CERT * @@ -214,7 +210,6 @@ ssl_cert_dup(CERT *cert) } ret->rsa_tmp_cb = cert->rsa_tmp_cb; -#ifndef OPENSSL_NO_DH if (cert->dh_tmp != NULL) { ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { @@ -239,9 +234,7 @@ ssl_cert_dup(CERT *cert) } } ret->dh_tmp_cb = cert->dh_tmp_cb; -#endif -#ifndef OPENSSL_NO_ECDH if (cert->ecdh_tmp) { ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); if (ret->ecdh_tmp == NULL) { @@ -250,7 +243,6 @@ ssl_cert_dup(CERT *cert) } } ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; -#endif for (i = 0; i < SSL_PKEY_NUM; i++) { if (cert->pkeys[i].x509 != NULL) { @@ -305,19 +297,13 @@ ssl_cert_dup(CERT *cert) return (ret); -#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) err: -#endif if (ret->rsa_tmp != NULL) RSA_free(ret->rsa_tmp); -#ifndef OPENSSL_NO_DH if (ret->dh_tmp != NULL) DH_free(ret->dh_tmp); -#endif -#ifndef OPENSSL_NO_ECDH if (ret->ecdh_tmp != NULL) EC_KEY_free(ret->ecdh_tmp); -#endif for (i = 0; i < SSL_PKEY_NUM; i++) { if (ret->pkeys[i].x509 != NULL) @@ -344,14 +330,10 @@ ssl_cert_free(CERT *c) if (c->rsa_tmp) RSA_free(c->rsa_tmp); -#ifndef OPENSSL_NO_DH if (c->dh_tmp) DH_free(c->dh_tmp); -#endif -#ifndef OPENSSL_NO_ECDH if (c->ecdh_tmp) EC_KEY_free(c->ecdh_tmp); -#endif for (i = 0; i < SSL_PKEY_NUM; i++) { if (c->pkeys[i].x509 != NULL) 
@@ -437,14 +419,10 @@ ssl_sess_cert_free(SESS_CERT *sc) if (sc->peer_rsa_tmp != NULL) RSA_free(sc->peer_rsa_tmp); -#ifndef OPENSSL_NO_DH if (sc->peer_dh_tmp != NULL) DH_free(sc->peer_dh_tmp); -#endif -#ifndef OPENSSL_NO_ECDH if (sc->peer_ecdh_tmp != NULL) EC_KEY_free(sc->peer_ecdh_tmp); -#endif free(sc); } diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index 5e93a4cde1d..72061035aa2 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -708,19 +708,8 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ *auth |= SSL_aDH; -#ifdef OPENSSL_NO_DH - *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH; - *auth |= SSL_aDH; -#endif *mkey |= SSL_kKRB5; *auth |= SSL_aKRB5; -#ifdef OPENSSL_NO_ECDSA - *auth |= SSL_aECDSA; -#endif -#ifdef OPENSSL_NO_ECDH - *mkey |= SSL_kECDHe|SSL_kECDHr; - *auth |= SSL_aECDH; -#endif #ifdef OPENSSL_NO_PSK *mkey |= SSL_kPSK; *auth |= SSL_aPSK; diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 6cc02c8d7a1..d134a4f22a6 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -149,9 +149,7 @@ #include <openssl/x509v3.h> #include <openssl/rand.h> #include <openssl/ocsp.h> -#ifndef OPENSSL_NO_DH #include <openssl/dh.h> -#endif #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> #endif @@ -2002,9 +2000,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) int rsa_tmp_export, dh_tmp_export, kl; unsigned long mask_k, mask_a, emask_k, emask_a; int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size; -#ifndef OPENSSL_NO_ECDH int have_ecdh_tmp; -#endif X509 *x = NULL; EVP_PKEY *ecc_pkey = NULL; int signature_nid = 0, pk_nid = 0, md_nid = 0; 
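Review bot: In the `ssl_cipher_get_disabled` hunk the function no longer records which key-exchange and authentication bits are deliberately left enabled now that the `OPENSSL_NO_DH`, `OPENSSL_NO_ECDSA` and `OPENSSL_NO_ECDH` branches are gone; what remains are the unconditional `SSL_kDHr|SSL_kDHd` / `SSL_aDH` and `SSL_kKRB5` / `SSL_aKRB5` masks and the `#ifdef OPENSSL_NO_PSK` block. Since this function is the single place that decides which ciphersuites are never offered, a short comment ahead of the `*mkey |= SSL_kKRB5;` line would document the new invariant, e.g. `/* DHE, ECDH(E) and ECDSA are always built in; only fixed DH, KRB5 and (with OPENSSL_NO_PSK) PSK suites are masked out here. */`. The function's opening and any later masks lie outside the hunk.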
@@ -2017,17 +2013,11 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); rsa_tmp_export = (c->rsa_tmp_cb != NULL || (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); -#ifndef OPENSSL_NO_DH dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); dh_tmp_export = (c->dh_tmp_cb != NULL || (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); -#else - dh_tmp = dh_tmp_export = 0; -#endif -#ifndef OPENSSL_NO_ECDH have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL); -#endif cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); @@ -2128,7 +2118,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); } -#ifndef OPENSSL_NO_ECDH if (ecdh_ok) { if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) { @@ -2149,21 +2138,16 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) } } } -#endif -#ifndef OPENSSL_NO_ECDSA if (ecdsa_ok) { mask_a|=SSL_aECDSA; emask_a|=SSL_aECDSA; } -#endif } -#ifndef OPENSSL_NO_ECDH if (have_ecdh_tmp) { mask_k|=SSL_kEECDH; emask_k|=SSL_kEECDH; } -#endif #ifndef OPENSSL_NO_PSK mask_k |= SSL_kPSK; @@ -3072,7 +3056,6 @@ cb(SSL *ssl, int is_export, int keylength) * \param dh the callback */ -#ifndef OPENSSL_NO_DH void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export, int keylength)) @@ -3086,9 +3069,7 @@ SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export, { SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh); } -#endif -#ifndef OPENSSL_NO_ECDH void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)) 
@@ -3103,7 +3084,6 @@ SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export, { SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); } -#endif #ifndef OPENSSL_NO_PSK int diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 11250ba4682..d80bf958fda 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -479,15 +479,11 @@ typedef struct cert_st { unsigned long export_mask_a; RSA *rsa_tmp; RSA *(*rsa_tmp_cb)(SSL *ssl, int is_export, int keysize); -#ifndef OPENSSL_NO_DH DH *dh_tmp; DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *ecdh_tmp; /* Callback for generating ephemeral ECDH keys */ EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize); -#endif CERT_PKEY pkeys[SSL_PKEY_NUM]; @@ -507,12 +503,8 @@ typedef struct sess_cert_st { * so maybe we shouldn't even use the CERT_PKEY type here. */ RSA *peer_rsa_tmp; /* not used for SSL 2 */ -#ifndef OPENSSL_NO_DH DH *peer_dh_tmp; /* not used for SSL 2 */ -#endif -#ifndef OPENSSL_NO_ECDH EC_KEY *peer_ecdh_tmp; -#endif int references; /* actually always 1 at the moment */ } SESS_CERT; @@ -836,9 +828,7 @@ int tls1_alert_code(int code); int ssl3_alert_code(int code); int ssl_ok(SSL *s); -#ifndef OPENSSL_NO_ECDH int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); -#endif SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 1424eab6e66..b15465d5500 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -364,11 +364,7 @@ tls1_ec_nid2curve_id(int nid) #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, -#ifdef OPENSSL_NO_ECDSA -#define tlsext_sigalg_ecdsa(md) /* */ -#else #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, -#endif #define tlsext_sigalg(md) \ tlsext_sigalg_rsa(md) \ 
@@ -2221,9 +2217,7 @@ static tls12_lookup tls12_md[] = { static tls12_lookup tls12_sig[] = { {EVP_PKEY_RSA, TLSEXT_signature_rsa}, {EVP_PKEY_DSA, TLSEXT_signature_dsa}, -#ifndef OPENSSL_NO_ECDSA {EVP_PKEY_EC, TLSEXT_signature_ecdsa} -#endif }; static int @@ -2324,11 +2318,9 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) case TLSEXT_signature_dsa: idx = SSL_PKEY_DSA_SIGN; break; -#ifndef OPENSSL_NO_ECDSA case TLSEXT_signature_ecdsa: idx = SSL_PKEY_ECC; break; -#endif default: continue; } @@ -2353,10 +2345,8 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); } -#ifndef OPENSSL_NO_ECDSA if (!c->pkeys[SSL_PKEY_ECC].digest) c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); -#endif return 1; } |