diff options
author | Matt Caswell <matt@openssl.org> | 2020-10-14 16:06:28 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-11-18 15:14:51 +0100 |
commit | 1b2b475517054d26a555269acacdb0ab7072bc6e (patch) | |
tree | b665eefa97e4cb1a3f5573d77627af7ad28b27df | |
parent | Convert TLS ServerKeyExchange processing to use an EVP_PKEY (diff) | |
download | openssl-1b2b475517054d26a555269acacdb0ab7072bc6e.tar.xz openssl-1b2b475517054d26a555269acacdb0ab7072bc6e.zip |
Deprecate SSL_CTRL_SET_TMP_DH and other related ctrls
These ctrls pass around a DH object which is now deprecated, so we
deprecate the ctrls themselves.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
-rw-r--r-- | include/openssl/ssl.h.in | 20 | ||||
-rw-r--r-- | ssl/s3_lib.c | 35 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 2 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 5 | ||||
-rw-r--r-- | ssl/tls_depr.c | 17 | ||||
-rw-r--r-- | util/libssl.num | 4 |
6 files changed, 49 insertions, 34 deletions
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 8a86e2d24f..cd3abd8c26 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -1225,9 +1225,13 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_ERROR_WANT_ASYNC 9 # define SSL_ERROR_WANT_ASYNC_JOB 10 # define SSL_ERROR_WANT_CLIENT_HELLO_CB 11 -# define SSL_CTRL_SET_TMP_DH 3 +# ifndef OPENSSL_NO_DEPRECATED_3_0 +# define SSL_CTRL_SET_TMP_DH 3 +# endif # define SSL_CTRL_SET_TMP_ECDH 4 -# define SSL_CTRL_SET_TMP_DH_CB 6 +# ifndef OPENSSL_NO_DEPRECATED_3_0 +# define SSL_CTRL_SET_TMP_DH_CB 6 +# endif # define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9 # define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10 # define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11 @@ -1351,14 +1355,18 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL) # define SSL_total_renegotiations(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL) -# define SSL_CTX_set_tmp_dh(ctx,dh) \ +# ifndef OPENSSL_NO_DEPRECATED_3_0 +# define SSL_CTX_set_tmp_dh(ctx,dh) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh)) +# endif # define SSL_CTX_set_dh_auto(ctx, onoff) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL) # define SSL_set_dh_auto(s, onoff) \ SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL) -# define SSL_set_tmp_dh(ssl,dh) \ +# ifndef OPENSSL_NO_DEPRECATED_3_0 +# define SSL_set_tmp_dh(ssl,dh) \ SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)(dh)) +# endif # ifndef OPENSSL_NO_DEPRECATED_3_0 # define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh)) @@ -2129,13 +2137,17 @@ void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len); void SSL_set_default_read_buffer_len(SSL *s, size_t len); # ifndef OPENSSL_NO_DH +# ifndef OPENSSL_NO_DEPRECATED_3_0 /* NB: the |keylength| is only applicable when is_export is true */ +OSSL_DEPRECATEDIN_3_0 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh) (SSL *ssl, int is_export, int keylength)); +OSSL_DEPRECATEDIN_3_0 void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, int keylength)); +# endif # endif __owur const COMP_METHOD *SSL_get_current_compression(const SSL *s); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 69949202a2..664844302a 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3452,15 +3452,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = (int)(s->s3.flags); break; #ifndef OPENSSL_NO_DH +# ifndef OPENSSL_NO_DEPRECATED_3_0 case SSL_CTRL_SET_TMP_DH: { - DH *dh = (DH *)parg; EVP_PKEY *pkdh = NULL; - if (dh == NULL) { + if (parg == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - pkdh = ssl_dh_to_pkey(dh); + pkdh = ssl_dh_to_pkey(parg); if (pkdh == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; @@ -3481,6 +3481,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return ret; } +# endif case SSL_CTRL_SET_DH_AUTO: s->cert->dh_tmp_auto = larg; return 1; @@ -3776,7 +3777,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) int ret = 0; switch (cmd) { -#ifndef OPENSSL_NO_DH +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: { s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -3802,16 +3803,15 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { switch (cmd) { -#ifndef OPENSSL_NO_DH +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH: { - DH *dh = (DH *)parg; EVP_PKEY *pkdh = NULL; - if (dh == NULL) { + if (parg == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER); return 0; } - pkdh = ssl_dh_to_pkey(dh); + pkdh = ssl_dh_to_pkey(parg); if (pkdh == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); return 0; @@ -3831,10 +3831,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } +#endif case SSL_CTRL_SET_DH_AUTO: ctx->cert->dh_tmp_auto = larg; return 1; -#endif #ifndef OPENSSL_NO_EC case SSL_CTRL_SET_TMP_ECDH: { @@ -4046,7 +4046,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { switch (cmd) { -#ifndef OPENSSL_NO_DH +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) case SSL_CTRL_SET_TMP_DH_CB: { ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -5009,18 +5009,3 @@ int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey, EVP_PKEY_CTX_free(pctx); return rv; } - -#ifndef OPENSSL_NO_DH -EVP_PKEY *ssl_dh_to_pkey(DH *dh) -{ - EVP_PKEY *ret; - if (dh == NULL) - return NULL; - ret = EVP_PKEY_new(); - if (EVP_PKEY_set1_DH(ret, dh) <= 0) { - EVP_PKEY_free(ret); - return NULL; - } - return ret; -} -#endif diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index d82baa5497..bd7b838250 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -4487,7 +4487,7 @@ int SSL_want(const SSL *s) * \param dh the callback */ -#ifndef OPENSSL_NO_DH +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh) (SSL *ssl, int is_export, int keylength)) diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index d45afebf07..bc2695e1ba 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2469,15 +2469,16 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } else { pkdhp = cert->dh_tmp; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { - DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024); - pkdh = ssl_dh_to_pkey(dhp); + pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024)); if (pkdh == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } pkdhp = pkdh; } +#endif if (pkdhp == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY); goto err; diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 3fcc5b6740..1ed47dd8de 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -142,5 +142,22 @@ HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx) { return ctx->old_ctx; } + +/* Some deprecated public APIs pass DH objects */ +#ifndef OPENSSL_NO_DH +EVP_PKEY *ssl_dh_to_pkey(DH *dh) +{ + EVP_PKEY *ret; + + if (dh == NULL) + return NULL; + ret = EVP_PKEY_new(); + if (EVP_PKEY_set1_DH(ret, dh) <= 0) { + EVP_PKEY_free(ret); + return NULL; + } + return ret; +} +#endif #endif diff --git a/util/libssl.num b/util/libssl.num index 193be1b7a1..8b22c719e6 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -16,7 +16,7 @@ SSL_get_verify_depth 16 3_0_0 EXIST::FUNCTION: SSL_get0_dane 17 3_0_0 EXIST::FUNCTION: SSL_CTX_sess_get_get_cb 18 3_0_0 EXIST::FUNCTION: SSL_CTX_get_default_passwd_cb_userdata 19 3_0_0 EXIST::FUNCTION: -SSL_set_tmp_dh_callback 20 3_0_0 EXIST::FUNCTION:DH +SSL_set_tmp_dh_callback 20 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH SSL_CTX_get_verify_depth 21 3_0_0 EXIST::FUNCTION: SSL_CTX_use_RSAPrivateKey_file 22 3_0_0 EXIST::FUNCTION:RSA SSL_use_PrivateKey_file 23 3_0_0 EXIST::FUNCTION: @@ -152,7 +152,7 @@ i2d_SSL_SESSION 152 3_0_0 EXIST::FUNCTION: SSL_SESSION_get_master_key 153 3_0_0 EXIST::FUNCTION: SSL_COMP_get_compression_methods 154 3_0_0 EXIST::FUNCTION: SSL_CTX_set_alpn_select_cb 155 3_0_0 EXIST::FUNCTION: -SSL_CTX_set_tmp_dh_callback 156 3_0_0 EXIST::FUNCTION:DH +SSL_CTX_set_tmp_dh_callback 156 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH SSL_CTX_get_default_passwd_cb 157 3_0_0 EXIST::FUNCTION: TLSv1_server_method 158 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0,TLS1_METHOD DTLS_server_method 159 3_0_0 EXIST::FUNCTION: |