summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2020-10-14 16:06:28 +0200
committerMatt Caswell <matt@openssl.org>2020-11-18 15:14:51 +0100
commit1b2b475517054d26a555269acacdb0ab7072bc6e (patch)
treeb665eefa97e4cb1a3f5573d77627af7ad28b27df
parentConvert TLS ServerKeyExchange processing to use an EVP_PKEY (diff)
downloadopenssl-1b2b475517054d26a555269acacdb0ab7072bc6e.tar.xz
openssl-1b2b475517054d26a555269acacdb0ab7072bc6e.zip
Deprecate SSL_CTRL_SET_TMP_DH and other related ctrls
These ctrls pass around a DH object which is now deprecated, so we deprecate the ctrls themselves. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
-rw-r--r--include/openssl/ssl.h.in20
-rw-r--r--ssl/s3_lib.c35
-rw-r--r--ssl/ssl_lib.c2
-rw-r--r--ssl/statem/statem_srvr.c5
-rw-r--r--ssl/tls_depr.c17
-rw-r--r--util/libssl.num4
6 files changed, 49 insertions, 34 deletions
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 8a86e2d24f..cd3abd8c26 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -1225,9 +1225,13 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_ERROR_WANT_ASYNC 9
# define SSL_ERROR_WANT_ASYNC_JOB 10
# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
-# define SSL_CTRL_SET_TMP_DH 3
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+# define SSL_CTRL_SET_TMP_DH 3
+# endif
# define SSL_CTRL_SET_TMP_ECDH 4
-# define SSL_CTRL_SET_TMP_DH_CB 6
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+# define SSL_CTRL_SET_TMP_DH_CB 6
+# endif
# define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
# define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
# define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
@@ -1351,14 +1355,18 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
# define SSL_total_renegotiations(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
-# define SSL_CTX_set_tmp_dh(ctx,dh) \
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+# define SSL_CTX_set_tmp_dh(ctx,dh) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
+# endif
# define SSL_CTX_set_dh_auto(ctx, onoff) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
# define SSL_set_dh_auto(s, onoff) \
SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
-# define SSL_set_tmp_dh(ssl,dh) \
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+# define SSL_set_tmp_dh(ssl,dh) \
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
+# endif
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
@@ -2129,13 +2137,17 @@ void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
void SSL_set_default_read_buffer_len(SSL *s, size_t len);
# ifndef OPENSSL_NO_DH
+# ifndef OPENSSL_NO_DEPRECATED_3_0
/* NB: the |keylength| is only applicable when is_export is true */
+OSSL_DEPRECATEDIN_3_0
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*dh) (SSL *ssl, int is_export,
int keylength));
+OSSL_DEPRECATEDIN_3_0
void SSL_set_tmp_dh_callback(SSL *ssl,
DH *(*dh) (SSL *ssl, int is_export,
int keylength));
+# endif
# endif
__owur const COMP_METHOD *SSL_get_current_compression(const SSL *s);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 69949202a2..664844302a 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3452,15 +3452,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ret = (int)(s->s3.flags);
break;
#ifndef OPENSSL_NO_DH
+# ifndef OPENSSL_NO_DEPRECATED_3_0
case SSL_CTRL_SET_TMP_DH:
{
- DH *dh = (DH *)parg;
EVP_PKEY *pkdh = NULL;
- if (dh == NULL) {
+ if (parg == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- pkdh = ssl_dh_to_pkey(dh);
+ pkdh = ssl_dh_to_pkey(parg);
if (pkdh == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return 0;
@@ -3481,6 +3481,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return ret;
}
+# endif
case SSL_CTRL_SET_DH_AUTO:
s->cert->dh_tmp_auto = larg;
return 1;
@@ -3776,7 +3777,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
int ret = 0;
switch (cmd) {
-#ifndef OPENSSL_NO_DH
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
case SSL_CTRL_SET_TMP_DH_CB:
{
s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@@ -3802,16 +3803,15 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
switch (cmd) {
-#ifndef OPENSSL_NO_DH
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
case SSL_CTRL_SET_TMP_DH:
{
- DH *dh = (DH *)parg;
EVP_PKEY *pkdh = NULL;
- if (dh == NULL) {
+ if (parg == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- pkdh = ssl_dh_to_pkey(dh);
+ pkdh = ssl_dh_to_pkey(parg);
if (pkdh == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return 0;
@@ -3831,10 +3831,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
+#endif
case SSL_CTRL_SET_DH_AUTO:
ctx->cert->dh_tmp_auto = larg;
return 1;
-#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_TMP_ECDH:
{
@@ -4046,7 +4046,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
{
switch (cmd) {
-#ifndef OPENSSL_NO_DH
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
case SSL_CTRL_SET_TMP_DH_CB:
{
ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@@ -5009,18 +5009,3 @@ int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey,
EVP_PKEY_CTX_free(pctx);
return rv;
}
-
-#ifndef OPENSSL_NO_DH
-EVP_PKEY *ssl_dh_to_pkey(DH *dh)
-{
- EVP_PKEY *ret;
- if (dh == NULL)
- return NULL;
- ret = EVP_PKEY_new();
- if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
- EVP_PKEY_free(ret);
- return NULL;
- }
- return ret;
-}
-#endif
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d82baa5497..bd7b838250 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4487,7 +4487,7 @@ int SSL_want(const SSL *s)
* \param dh the callback
*/
-#ifndef OPENSSL_NO_DH
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*dh) (SSL *ssl, int is_export,
int keylength))
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d45afebf07..bc2695e1ba 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2469,15 +2469,16 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
} else {
pkdhp = cert->dh_tmp;
}
+#ifndef OPENSSL_NO_DEPRECATED_3_0
if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
- DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
- pkdh = ssl_dh_to_pkey(dhp);
+ pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024));
if (pkdh == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
pkdhp = pkdh;
}
+#endif
if (pkdhp == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY);
goto err;
diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c
index 3fcc5b6740..1ed47dd8de 100644
--- a/ssl/tls_depr.c
+++ b/ssl/tls_depr.c
@@ -142,5 +142,22 @@ HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
{
return ctx->old_ctx;
}
+
+/* Some deprecated public APIs pass DH objects */
+#ifndef OPENSSL_NO_DH
+EVP_PKEY *ssl_dh_to_pkey(DH *dh)
+{
+ EVP_PKEY *ret;
+
+ if (dh == NULL)
+ return NULL;
+ ret = EVP_PKEY_new();
+ if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
+ EVP_PKEY_free(ret);
+ return NULL;
+ }
+ return ret;
+}
+#endif
#endif
diff --git a/util/libssl.num b/util/libssl.num
index 193be1b7a1..8b22c719e6 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -16,7 +16,7 @@ SSL_get_verify_depth 16 3_0_0 EXIST::FUNCTION:
SSL_get0_dane 17 3_0_0 EXIST::FUNCTION:
SSL_CTX_sess_get_get_cb 18 3_0_0 EXIST::FUNCTION:
SSL_CTX_get_default_passwd_cb_userdata 19 3_0_0 EXIST::FUNCTION:
-SSL_set_tmp_dh_callback 20 3_0_0 EXIST::FUNCTION:DH
+SSL_set_tmp_dh_callback 20 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
SSL_CTX_get_verify_depth 21 3_0_0 EXIST::FUNCTION:
SSL_CTX_use_RSAPrivateKey_file 22 3_0_0 EXIST::FUNCTION:RSA
SSL_use_PrivateKey_file 23 3_0_0 EXIST::FUNCTION:
@@ -152,7 +152,7 @@ i2d_SSL_SESSION 152 3_0_0 EXIST::FUNCTION:
SSL_SESSION_get_master_key 153 3_0_0 EXIST::FUNCTION:
SSL_COMP_get_compression_methods 154 3_0_0 EXIST::FUNCTION:
SSL_CTX_set_alpn_select_cb 155 3_0_0 EXIST::FUNCTION:
-SSL_CTX_set_tmp_dh_callback 156 3_0_0 EXIST::FUNCTION:DH
+SSL_CTX_set_tmp_dh_callback 156 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
SSL_CTX_get_default_passwd_cb 157 3_0_0 EXIST::FUNCTION:
TLSv1_server_method 158 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0,TLS1_METHOD
DTLS_server_method 159 3_0_0 EXIST::FUNCTION: