author | Matt Caswell <matt@openssl.org> | 2015-05-15 11:49:56 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-05-23 00:10:51 +0200 |
commit | e481f9b90b164fd1053015d1c4e0a0d92076d7a8 (patch) | |
tree | 2dbf5d699977893b677a18b213f31c61b59d468b | |
parent | RT266: Add HTTP proxy/CONNECT to s_client (diff) | |
Remove support for OPENSSL_NO_TLSEXT
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that the OPENSSL_NO_TLSEXT
conditionals are very invasive within the code (and the option is probably
not well tested). Therefore it is being removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rwxr-xr-x | Configure | 10 | ||||
-rw-r--r-- | INSTALL.VMS | 2 | ||||
-rw-r--r-- | apps/apps.c | 2 | ||||
-rw-r--r-- | apps/apps.h | 2 | ||||
-rw-r--r-- | apps/s_client.c | 68 | ||||
-rw-r--r-- | apps/s_server.c | 111 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod | 3 | ||||
-rw-r--r-- | include/openssl/ssl.h | 82 | ||||
-rw-r--r-- | include/openssl/tls1.h | 59 | ||||
-rw-r--r-- | ssl/d1_clnt.c | 12 | ||||
-rw-r--r-- | ssl/d1_srvr.c | 17 | ||||
-rw-r--r-- | ssl/s3_clnt.c | 40 | ||||
-rw-r--r-- | ssl/s3_lib.c | 45 | ||||
-rw-r--r-- | ssl/s3_srvr.c | 46 | ||||
-rw-r--r-- | ssl/ssl_asn1.c | 14 | ||||
-rw-r--r-- | ssl/ssl_cert.c | 9 | ||||
-rw-r--r-- | ssl/ssl_conf.c | 4 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 30 | ||||
-rw-r--r-- | ssl/ssl_locl.h | 50 | ||||
-rw-r--r-- | ssl/ssl_rsa.c | 6 | ||||
-rw-r--r-- | ssl/ssl_sess.c | 26 | ||||
-rw-r--r-- | ssl/ssl_txt.c | 2 | ||||
-rw-r--r-- | ssl/t1_ext.c | 6 | ||||
-rw-r--r-- | ssl/t1_lib.c | 269 | ||||
-rwxr-xr-x | util/mk1mf.pl | 2 | ||||
-rwxr-xr-x | util/mkdef.pl | 6 | ||||
-rwxr-xr-x | util/ssleay.num | 24 |
27 files changed, 328 insertions, 619 deletions
@@ -1086,10 +1086,6 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"}) $disabled{"tls1"} = "forced"; } -if (defined($disabled{"tls1"})) - { - $disabled{"tlsext"} = "forced"; - } if (defined($disabled{"ec"}) || defined($disabled{"dsa"}) || defined($disabled{"dh"})) @@ -1097,12 +1093,6 @@ if (defined($disabled{"ec"}) || defined($disabled{"dsa"}) $disabled{"gost"} = "forced"; } -# SRP and HEARTBEATS require TLSEXT -if (defined($disabled{"tlsext"})) - { - $disabled{"srp"} = "forced"; - $disabled{"heartbeats"} = "forced"; - } if ($target eq "TABLE") { foreach $target (sort keys %table) { diff --git a/INSTALL.VMS b/INSTALL.VMS index 084b279da8..8f0d847803 100644 --- a/INSTALL.VMS +++ b/INSTALL.VMS @@ -136,7 +136,7 @@ Currently, the logical names supported are: DES, DGRAM, DH, DSA, EC, EC2M, ECDH, ECDSA, ENGINE, ERR, GOST, HEARTBEATS, HMAC, IDEA, MD2, MD4, MD5, OCB, OCSP, PSK, RC2, RC4, RC5, RMD160, RSA, SCTP, - SEED, SOCK, SRP, SRTP, TLSEXT, WHIRLPOOL. So, for + SEED, SOCK, SRP, SRTP, WHIRLPOOL. So, for example, having the logical name OPENSSL_NO_RSA with the value YES means that the LIBCRYPTO.OLB library will not contain an RSA implementation. diff --git a/apps/apps.c b/apps/apps.c index ab6eb40579..593c036855 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2202,7 +2202,6 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret) #endif -#ifndef OPENSSL_NO_TLSEXT /*- * next_protos_parse parses a comma separated list of strings into a string * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. @@ -2238,7 +2237,6 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in) *outlen = len + 1; return out; } -#endif /* ndef OPENSSL_NO_TLSEXT */ void print_cert_checks(BIO *bio, X509 *x, const char *checkhost, diff --git a/apps/apps.h b/apps/apps.h index 7033d2e5c6..33b2e65e8c 100644 --- a/apps/apps.h +++ b/apps/apps.h 
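Review bot: Removing the `# SRP and HEARTBEATS require TLSEXT` block in the second Configure hunk also drops the only transitive path by which `no-tls1` used to force `srp` and `heartbeats` off (tls1 forced tlsext, tlsext forced srp/heartbeats), so a `no-tls1` build now keeps both enabled unless something outside these hunks still forces them. That is probably fine now that the extension code is always compiled, but it changes which feature combinations Configure accepts, so a `no-tls1` build with srp and heartbeats left on should be tried. If the intent is that they still require TLS 1.x, the chain can be kept directly as `if (defined($disabled{"tls1"})) { $disabled{"srp"} = "forced"; $disabled{"heartbeats"} = "forced"; }`.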
@@ -514,9 +514,7 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret); void jpake_server_auth(BIO *out, BIO *conn, const char *secret); # endif -# ifndef OPENSSL_NO_TLSEXT unsigned char *next_protos_parse(unsigned short *outlen, const char *in); -# endif /* ndef OPENSSL_NO_TLSEXT */ void print_cert_checks(BIO *bio, X509 *x, const char *checkhost, diff --git a/apps/s_client.c b/apps/s_client.c index c3c5bce787..8c5412c626 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -198,9 +198,7 @@ static int c_ign_eof = 0; static int c_brief = 0; static void print_stuff(BIO *berr, SSL *con, int full); -#ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); -#endif #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ @@ -269,8 +267,6 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, } #endif -#ifndef OPENSSL_NO_TLSEXT - /* This is a context that we pass to callbacks */ typedef struct tlsextctx_st { BIO *biodebug; @@ -289,7 +285,7 @@ static int ssl_servername_cb(SSL *s, int *ad, void *arg) return SSL_TLSEXT_ERR_OK; } -# ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_SRP /* This is a context that we pass to all callbacks */ typedef struct srp_arg_st { @@ -301,7 +297,7 @@ typedef struct srp_arg_st { int strength /* minimal size for N */ ; } SRP_ARG; -# define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 +# define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g) { @@ -377,7 +373,7 @@ static int ssl_srp_verify_param_cb(SSL *s, void *arg) return 0; } -# define PWD_STRLEN 1024 +# define PWD_STRLEN 1024 static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) { @@ -398,11 +394,11 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) return pass; } -# endif +#endif char *srtp_profiles = NULL; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG /* This the context that we pass to next_proto_cb */ typedef struct tlsextnextprotoctx_st { unsigned char *data; 
@@ -435,7 +431,7 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); return SSL_TLSEXT_ERR_OK; } -# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ +#endif /* ndef OPENSSL_NO_NEXTPROTONEG */ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, @@ -457,8 +453,6 @@ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, return 1; } -#endif - typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_XMPPHOST, OPT_VERIFY, @@ -563,7 +557,6 @@ OPTIONS s_client_options[] = { {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal mength in bits for N"}, #endif {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""}, -#ifndef OPENSSL_NO_TLSEXT {"servername", OPT_SERVERNAME, 's', "Set TLS extension servername in ClientHello"}, {"tlsextdebug", OPT_TLSEXTDEBUG, '-', @@ -573,10 +566,9 @@ OPTIONS s_client_options[] = { "types Send empty ClientHello extensions (comma-separated numbers)"}, {"alpn", OPT_ALPN, 's', "Enable ALPN extension, considering named protocols supported (comma-separated list)"}, -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG {"nextprotoneg", OPT_NEXTPROTONEG, 's', "Enable NPN extension, considering named protocols supported (comma-separated list)"}, -# endif #endif {"CRL", OPT_CRL, '<'}, {"crl_download", OPT_CRL_DOWNLOAD, '-'}, 
@@ -673,16 +665,14 @@ int s_client_main(int argc, char **argv) #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; #endif -#ifndef OPENSSL_NO_TLSEXT char *servername = NULL; const char *alpn_in = NULL; tlsextctx tlsextcbp = { NULL, 0 }; -# define MAX_SI_TYPES 100 +#define MAX_SI_TYPES 100 unsigned short serverinfo_types[MAX_SI_TYPES]; int serverinfo_count = 0, start = 0, len; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; -# endif #endif #ifndef OPENSSL_NO_SRP char *srppass = NULL; @@ -870,14 +860,12 @@ int s_client_main(int argc, char **argv) case OPT_DEBUG: c_debug = 1; break; -#ifndef OPENSSL_NO_TLSEXT case OPT_TLSEXTDEBUG: c_tlsextdebug = 1; break; case OPT_STATUS: c_status_req = 1; break; -#endif #ifdef WATT32 case OPT_WDEBUG: dbug_init(); @@ -1027,7 +1015,6 @@ int s_client_main(int argc, char **argv) case OPT_VERIFYCAFILE: vfyCAfile = opt_arg(); break; -#ifndef OPENSSL_NO_TLSEXT case OPT_NEXTPROTONEG: next_proto_neg_in = opt_arg(); break; @@ -1046,16 +1033,13 @@ int s_client_main(int argc, char **argv) } } break; -#endif case OPT_STARTTLS: if (!opt_pair(opt_arg(), services, &starttls_proto)) goto end; -#ifndef OPENSSL_NO_TLSEXT case OPT_SERVERNAME: servername = opt_arg(); /* meth=TLSv1_client_method(); */ break; -#endif #ifndef OPENSSL_NO_JPAKE case OPT_JPAKE: jpake_secret = opt_arg(); @@ -1101,7 +1085,7 @@ int s_client_main(int argc, char **argv) } #endif -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) next_proto.status = -1; if (next_proto_neg_in) { next_proto.data = 
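Review bot: In the hunk at `@@ -1027,7 +1015,6 @@`, `case OPT_NEXTPROTONEG: next_proto_neg_in = opt_arg();` is now compiled unconditionally, but `next_proto_neg_in` is only declared under `#ifndef OPENSSL_NO_NEXTPROTONEG` (first hunk on this line), so a `no-nextprotoneg` build of s_client.c should fail on an undeclared identifier. s_server.c guards the same case with `#ifndef OPENSSL_NO_NEXTPROTONEG` / `#endif` around it; doing the same here keeps the two apps consistent. This was already latent whenever OPENSSL_NO_TLSEXT was undefined, but this commit is rewriting exactly these guards and is the natural place to fix it.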
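Review bot: In the hunk at `@@ -1046,16 +1033,13 @@`, `case OPT_STARTTLS:` shows no `break;` after `goto end;`, so on success it falls through into `case OPT_SERVERNAME:` and sets `servername = opt_arg();` to the -starttls protocol name (for example "smtp"). Before this commit the fall-through target depended on OPENSSL_NO_TLSEXT; now it always lands on the servername case, so `-starttls` will silently send that word as the SNI host name unless `-servername` appears later on the command line. Add `break;` after the `goto end;` line; if the fall-through were intended it would need a `/* fall through */` comment, but nothing visible suggests that.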
@@ -1250,11 +1234,10 @@ int s_client_main(int argc, char **argv) if (exc) ssl_ctx_set_excert(ctx, exc); -#if !defined(OPENSSL_NO_TLSEXT) -# if !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) if (next_proto.data) SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); -# endif +#endif if (alpn_in) { unsigned short alpn_len; unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in); @@ -1270,8 +1253,7 @@ int s_client_main(int argc, char **argv) } OPENSSL_free(alpn); } -#endif -#ifndef OPENSSL_NO_TLSEXT + for (i = 0; i < serverinfo_count; i++) { if (!SSL_CTX_add_client_custom_ext(ctx, serverinfo_types[i], @@ -1282,7 +1264,6 @@ int s_client_main(int argc, char **argv) serverinfo_types[i]); } } -#endif if (state) SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); @@ -1299,7 +1280,6 @@ int s_client_main(int argc, char **argv) if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain)) goto end; -#ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { tlsextcbp.biodebug = bio_err; SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); @@ -1321,7 +1301,6 @@ int s_client_main(int argc, char **argv) ssl_srp_verify_param_cb); } # endif -#endif con = SSL_new(ctx); if (sess_in) { @@ -1350,7 +1329,6 @@ int s_client_main(int argc, char **argv) if (fallback_scsv) SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); -#ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { if (!SSL_set_tlsext_host_name(con, servername)) { BIO_printf(bio_err, "Unable to set TLS servername extension.\n"); @@ -1358,7 +1336,6 @@ int s_client_main(int argc, char **argv) goto end; } } -#endif re_start: #ifdef NO_SYS_UN_H @@ -1449,7 +1426,7 @@ int s_client_main(int argc, char **argv) SSL_set_msg_callback(con, msg_cb); SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out); } -#ifndef OPENSSL_NO_TLSEXT + if (c_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_c_out); 
@@ -1459,7 +1436,6 @@ int s_client_main(int argc, char **argv) SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); } -#endif #ifndef OPENSSL_NO_JPAKE if (jpake_secret) jpake_client_auth(bio_c_out, sbio, jpake_secret); @@ -1680,13 +1656,13 @@ int s_client_main(int argc, char **argv) tty_on = 1; if (in_init) { in_init = 0; -#ifndef OPENSSL_NO_TLSEXT + if (servername != NULL && !SSL_session_reused(con)) { BIO_printf(bio_c_out, "Server did %sacknowledge servername extension.\n", tlsextcbp.ack ? "" : "not "); } -#endif + if (sess_out) { BIO *stmp = BIO_new_file(sess_out, "w"); if (stmp) { @@ -2028,7 +2004,7 @@ int s_client_main(int argc, char **argv) print_stuff(bio_c_out, con, 1); SSL_free(con); } -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) OPENSSL_free(next_proto.data); #endif SSL_CTX_free(ctx); @@ -2155,8 +2131,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) } #endif -#if !defined(OPENSSL_NO_TLSEXT) -# if !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) if (next_proto.status != -1) { const unsigned char *proto; unsigned int proto_len; @@ -2165,7 +2140,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_write(bio, proto, proto_len); BIO_write(bio, "\n", 1); } -# endif +#endif { const unsigned char *proto; unsigned int proto_len; @@ -2177,7 +2152,6 @@ static void print_stuff(BIO *bio, SSL *s, int full) } else BIO_printf(bio, "No ALPN negotiated\n"); } -#endif #ifndef OPENSSL_NO_SRTP { @@ -2216,8 +2190,6 @@ static void print_stuff(BIO *bio, SSL *s, int full) (void)BIO_flush(bio); } -#ifndef OPENSSL_NO_TLSEXT - static int ocsp_resp_cb(SSL *s, void *arg) { const unsigned char *p; @@ -2241,5 +2213,3 @@ static int ocsp_resp_cb(SSL *s, void *arg) OCSP_RESPONSE_free(rsp); return 1; } - -#endif diff --git a/apps/s_server.c b/apps/s_server.c index 5500ceadbc..6bbabcc5f4 100644 --- a/apps/s_server.c +++ b/apps/s_server.c 
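Review bot: `ocsp_resp_cb` (its start is outside this hunk) still returns 1 unconditionally after `OCSP_RESPONSE_free(rsp);`, so a stapled OCSP response is printed but never verified, and now that the callback is compiled unconditionally there is no build where it is absent. That is reasonable for a diagnostic client, but the function reads like a validation example, so a comment on the return would help: `/* Diagnostic only: the response is dumped, not verified, so always accept. */`. Nothing in the visible tail of the function shows a status check before the free, so this is based on the lines in the hunk only.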
@@ -218,9 +218,7 @@ static int bufsize = BUFSIZZ; static int accept_socket = -1; #define TEST_CERT "server.pem" -#ifndef OPENSSL_NO_TLSEXT -# define TEST_CERT2 "server2.pem" -#endif +#define TEST_CERT2 "server2.pem" extern int verify_depth, verify_return_error, verify_quiet; @@ -229,9 +227,7 @@ static int s_server_session_id_context = 1; /* anything will do */ static const char *s_cert_file = TEST_CERT, *s_key_file = NULL, *s_chain_file = NULL; -#ifndef OPENSSL_NO_TLSEXT static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; -#endif static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL; #ifdef FIONBIO static int s_nbio = 0; @@ -239,19 +235,15 @@ static int s_nbio = 0; static int s_nbio_test = 0; int s_crlf = 0; static SSL_CTX *ctx = NULL; -#ifndef OPENSSL_NO_TLSEXT static SSL_CTX *ctx2 = NULL; -#endif static int www = 0; static BIO *bio_s_out = NULL; static BIO *bio_s_msg = NULL; static int s_debug = 0; -#ifndef OPENSSL_NO_TLSEXT static int s_tlsextdebug = 0; static int s_tlsextstatus = 0; static int cert_status_cb(SSL *s, void *arg); -#endif static int no_resume_ephemeral = 0; static int s_msg = 0; static int s_quiet = 0; @@ -272,12 +264,9 @@ static long socket_mtu; static int cert_chain = 0; #endif -#ifndef OPENSSL_NO_TLSEXT static BIO *serverinfo_in = NULL; static const char *s_serverinfo_file = NULL; -#endif - #ifndef OPENSSL_NO_PSK static char *psk_identity = "Client_identity"; char *psk_key = NULL; /* by default PSK is not used */ @@ -401,11 +390,9 @@ static void s_server_init(void) s_cert_file = TEST_CERT; s_key_file = NULL; s_chain_file = NULL; -#ifndef OPENSSL_NO_TLSEXT s_cert_file2 = TEST_CERT2; s_key_file2 = NULL; ctx2 = NULL; -#endif s_nbio = 0; s_nbio_test = 0; ctx = NULL; @@ -575,8 +562,6 @@ static int ebcdic_puts(BIO *bp, const char *str) } #endif -#ifndef OPENSSL_NO_TLSEXT - /* This is a context that we pass to callbacks */ typedef struct tlsextctx_st { char *servername; 
@@ -732,7 +717,7 @@ static int cert_status_cb(SSL *s, void *arg) goto done; } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG /* This is the context that we pass to next_proto_cb */ typedef struct tlsextnextprotoctx_st { unsigned char *data; @@ -749,7 +734,7 @@ static int next_proto_cb(SSL *s, const unsigned char **data, return SSL_TLSEXT_ERR_OK; } -# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ +#endif /* ndef OPENSSL_NO_NEXTPROTONEG */ /* This the context that we pass to alpn_cb */ typedef struct tlsextalpnctx_st { @@ -789,7 +774,6 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, return SSL_TLSEXT_ERR_OK; } -#endif /* ndef OPENSSL_NO_TLSEXT */ static int not_resumable_sess_cb(SSL *s, int is_forward_secure) { @@ -849,10 +833,8 @@ OPTIONS s_server_options[] = { "Turn on peer certificate verification, must have a cert"}, {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT}, {"naccept", OPT_NACCEPT, 'p', "Terminate after pnum connections"}, -#ifndef OPENSSL_NO_TLSEXT {"serverinfo", OPT_SERVERINFO, 's', "PEM serverinfo file for certificate"}, -#endif {"certform", OPT_CERTFORM, 'F', "Certificate format (PEM or DER) PEM default"}, {"key", OPT_KEY, '<', @@ -924,7 +906,6 @@ OPTIONS s_server_options[] = { "Generate SSL/TLS session IDs prefixed by arg"}, {"rand", OPT_RAND, 's', "Load the file(s) into the random number generator"}, -#ifndef OPENSSL_NO_TLSEXT {"servername", OPT_SERVERNAME, 's', "Servername for HostName TLS extension"}, {"servername_fatal", OPT_SERVERNAME_FATAL, '-', 
@@ -935,15 +916,14 @@ OPTIONS s_server_options[] = { "-Private Key file to use for servername if not in -cert2"}, {"tlsextdebug", OPT_TLSEXTDEBUG, '-', "Hex dump of all TLS extensions received"}, -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG {"nextprotoneg", OPT_NEXTPROTONEG, 's', "Set the advertised protocols for the NPN extension (comma-separated list)"}, -# endif +#endif {"use_srtp", OPT_SRTP_PROFILES, '<', "Offer SRTP key management with a colon-separated profile list"}, {"alpn", OPT_ALPN, 's', "Set the advertised protocols for the ALPN extension (comma-separated list)"}, -#endif {"keymatexport", OPT_KEYMATEXPORT, 's', "Export keying material using label"}, {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', @@ -1016,17 +996,15 @@ int s_server_main(int argc, char *argv[]) unsigned short port = PORT; unsigned char *context = NULL; OPTION_CHOICE o; -#ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING }; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; tlsextnextprotoctx next_proto = { NULL, 0 }; -# endif +#endif const char *alpn_in = NULL; tlsextalpnctx alpn_ctx = { NULL, 0 }; -#endif #ifndef OPENSSL_NO_PSK /* by default do not send a PSK identity hint */ static char *psk_identity_hint = NULL; @@ -1122,11 +1100,9 @@ int s_server_main(int argc, char *argv[]) case OPT_CRL_DOWNLOAD: crl_download = 1; break; -#ifndef OPENSSL_NO_TLSEXT case OPT_SERVERINFO: s_serverinfo_file = opt_arg(); break; -#endif case OPT_CERTFORM: if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format)) goto opthelp; @@ -1241,7 +1217,6 @@ int s_server_main(int argc, char *argv[]) case OPT_DEBUG: s_debug = 1; break; -#ifndef OPENSSL_NO_TLSEXT case OPT_TLSEXTDEBUG: s_tlsextdebug = 1; break; @@ -1265,7 +1240,6 @@ int s_server_main(int argc, char *argv[]) goto end; } break; -#endif case OPT_MSG: s_msg = 1; break; 
@@ -1395,7 +1369,6 @@ int s_server_main(int argc, char *argv[]) case OPT_RAND: inrand = opt_arg(); break; -#ifndef OPENSSL_NO_TLSEXT case OPT_SERVERNAME: tlsextcbp.servername = opt_arg(); break; @@ -1408,15 +1381,14 @@ int s_server_main(int argc, char *argv[]) case OPT_KEY2: s_key_file2 = opt_arg(); break; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG case OPT_NEXTPROTONEG: next_proto_neg_in = opt_arg(); break; -# endif +#endif case OPT_ALPN: alpn_in = opt_arg(); break; -#endif #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) case OPT_JPAKE: jpake_secret = opt_arg(); @@ -1468,10 +1440,9 @@ int s_server_main(int argc, char *argv[]) if (s_key_file == NULL) s_key_file = s_cert_file; -#ifndef OPENSSL_NO_TLSEXT + if (s_key_file2 == NULL) s_key_file2 = s_cert_file2; -#endif if (!load_excert(&exc)) goto end; @@ -1497,7 +1468,7 @@ int s_server_main(int argc, char *argv[]) if (!s_chain) goto end; } -#ifndef OPENSSL_NO_TLSEXT + if (tlsextcbp.servername) { s_key2 = load_key(s_key_file2, s_key_format, 0, pass, e, "second server certificate private key file"); @@ -1514,10 +1485,8 @@ int s_server_main(int argc, char *argv[]) goto end; } } -#endif /* OPENSSL_NO_TLSEXT */ } -#if !defined(OPENSSL_NO_TLSEXT) -# if !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) if (next_proto_neg_in) { unsigned short len; next_proto.data = next_protos_parse(&len, next_proto_neg_in); @@ -1527,7 +1496,7 @@ int s_server_main(int argc, char *argv[]) } else { next_proto.data = NULL; } -# endif +#endif alpn_ctx.data = NULL; if (alpn_in) { unsigned short len; @@ -1536,7 +1505,6 @@ int s_server_main(int argc, char *argv[]) goto end; alpn_ctx.len = len; } -#endif if (crl_file) { X509_CRL *crl; @@ -1610,10 +1578,8 @@ int s_server_main(int argc, char *argv[]) s_key_file = NULL; s_dcert_file = NULL; s_dkey_file = NULL; -#ifndef OPENSSL_NO_TLSEXT s_cert_file2 = NULL; s_key_file2 = NULL; -#endif } ctx = SSL_CTX_new(meth); 
@@ -1678,7 +1644,7 @@ int s_server_main(int argc, char *argv[]) ERR_print_errors(bio_err); goto end; } -#ifndef OPENSSL_NO_TLSEXT + if (s_cert2) { ctx2 = SSL_CTX_new(meth); if (ctx2 == NULL) { @@ -1732,14 +1698,13 @@ int s_server_main(int argc, char *argv[]) if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL)) goto end; } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG if (next_proto.data) SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); -# endif +#endif if (alpn_ctx.data) SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx); -#endif #ifndef OPENSSL_NO_DH if (!no_dhe) { @@ -1765,7 +1730,7 @@ int s_server_main(int argc, char *argv[]) DH_free(dh); goto end; } -# ifndef OPENSSL_NO_TLSEXT + if (ctx2) { if (!dhfile) { DH *dh2 = load_dh_param(s_cert_file2); @@ -1786,24 +1751,22 @@ int s_server_main(int argc, char *argv[]) goto end; } } -# endif DH_free(dh); } #endif if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) goto end; -#ifndef OPENSSL_NO_TLSEXT + if (s_serverinfo_file != NULL && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) { ERR_print_errors(bio_err); goto end; } -#endif -#ifndef OPENSSL_NO_TLSEXT + if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL, build_chain)) goto end; -#endif + if (s_dcert != NULL) { if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain)) goto end; @@ -1811,21 +1774,18 @@ int s_server_main(int argc, char *argv[]) #ifndef OPENSSL_NO_RSA if (!no_tmp_rsa) { SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb); -# ifndef OPENSSL_NO_TLSEXT if (ctx2) SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb); -# endif } #endif if (no_resume_ephemeral) { SSL_CTX_set_not_resumable_session_callback(ctx, not_resumable_sess_cb); -#ifndef OPENSSL_NO_TLSEXT + if (ctx2) SSL_CTX_set_not_resumable_session_callback(ctx2, not_resumable_sess_cb); -#endif } #ifndef OPENSSL_NO_PSK # ifdef OPENSSL_NO_JPAKE 
@@ -1860,7 +1820,6 @@ int s_server_main(int argc, char *argv[]) SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); -#ifndef OPENSSL_NO_TLSEXT if (ctx2) { SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback); if (!SSL_CTX_set_session_id_context(ctx2, @@ -1876,7 +1835,6 @@ int s_server_main(int argc, char *argv[]) SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); } -#endif #ifndef OPENSSL_NO_SRP if (srp_verifier_file != NULL) { @@ -1898,10 +1856,9 @@ int s_server_main(int argc, char *argv[]) #endif if (CAfile != NULL) { SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); -#ifndef OPENSSL_NO_TLSEXT + if (ctx2) SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile)); -#endif } BIO_printf(bio_s_out, "ACCEPT\n"); @@ -1937,7 +1894,6 @@ int s_server_main(int argc, char *argv[]) OPENSSL_free(dpass); X509_VERIFY_PARAM_free(vpm); free_sessions(); -#ifndef OPENSSL_NO_TLSEXT OPENSSL_free(tlscstatp.host); OPENSSL_free(tlscstatp.port); OPENSSL_free(tlscstatp.path); @@ -1945,11 +1901,10 @@ int s_server_main(int argc, char *argv[]) X509_free(s_cert2); EVP_PKEY_free(s_key2); BIO_free(serverinfo_in); -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG OPENSSL_free(next_proto.data); -# endif - OPENSSL_free(alpn_ctx.data); #endif + OPENSSL_free(alpn_ctx.data); ssl_excert_free(exc); sk_OPENSSL_STRING_free(ssl_args); SSL_CONF_CTX_free(cctx); @@ -2018,7 +1973,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) if (con == NULL) { con = SSL_new(ctx); -#ifndef OPENSSL_NO_TLSEXT + if (s_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); 
@@ -2027,7 +1982,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); } -#endif + if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) { @@ -2109,12 +2064,11 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) SSL_set_msg_callback(con, msg_cb); SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); } -#ifndef OPENSSL_NO_TLSEXT + if (s_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } -#endif width = s + 1; for (;;) { @@ -2399,7 +2353,7 @@ static int init_ssl_connection(SSL *con) X509 *peer; long verify_error; char buf[BUFSIZ]; -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) const unsigned char *next_proto_neg; unsigned next_proto_neg_len; #endif @@ -2476,7 +2430,7 @@ static int init_ssl_connection(SSL *con) #endif BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)"); -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); if (next_proto_neg) { BIO_printf(bio_s_out, "NEXTPROTO is "); @@ -2574,12 +2528,12 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) if ((con = SSL_new(ctx)) == NULL) goto err; -#ifndef OPENSSL_NO_TLSEXT + if (s_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } -#endif + if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) goto err; 
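Review bot: In `sv_body`, the `if (s_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); ... }` block in the hunk at `@@ -2109,12 +2064,11 @@` repeats the one made unconditional in the hunk at `@@ -2018,7 +1973,7 @@`, which runs when `con` has just been created with `SSL_new(ctx)`; on that path the debug callback is installed twice on the same `con`. Setting the same callback twice is harmless, but with the #ifndef noise gone the duplication is now plain to see, and keeping only the later block (which appears to cover both a new and a reused `con`) would be cleaner. The function starts outside the hunk, so if `con` is replaced between the two points a one-line comment saying so would save the next reader the same question.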
@@ -2920,12 +2874,11 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) if ((con = SSL_new(ctx)) == NULL) goto err; -#ifndef OPENSSL_NO_TLSEXT + if (s_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } -#endif if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) { ERR_print_errors(bio_err); diff --git a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod index af203b81f0..4e9fd843fc 100644 --- a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod @@ -21,9 +21,6 @@ RFC5077 provide an enhanced session resumption capability where the server implementation is not required to maintain per session state. It only applies to TLS and there is no SSLv3 implementation. -The callback is available when the OpenSSL library was built without -I<OPENSSL_NO_TLSEXT> being defined. - The callback function I<cb> will be called for every client instigated TLS session when session ticket extension is presented in the TLS hello message. It is the responsibility of this function to create or retrieve the diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index a93145bf86..9694e24d9a 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -338,8 +338,6 @@ typedef int (*tls_session_secret_cb_fn) (SSL *s, void *secret, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); -# ifndef OPENSSL_NO_TLSEXT - /* Typedefs for handling custom extensions */ typedef int (*custom_ext_add_cb) (SSL *s, unsigned int ext_type, @@ -353,8 +351,6 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, int *al, void *parse_arg); -# endif - /* Allow initial connection to servers that don't support RI */ # define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L /* Removed from OpenSSL 0.9.8q and 1.0.0c */ 
@@ -771,12 +767,10 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len); # endif -# ifndef OPENSSL_NO_TLSEXT __owur int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, const unsigned char *client, unsigned int client_len); -# endif # define OPENSSL_NPN_UNSUPPORTED 0 # define OPENSSL_NPN_NEGOTIATED 1 @@ -867,7 +861,6 @@ const char *SSL_get_psk_identity_hint(const SSL *s); const char *SSL_get_psk_identity(const SSL *s); # endif -# ifndef OPENSSL_NO_TLSEXT /* Register callbacks to handle custom TLS Extensions for client or server. */ __owur int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, @@ -886,8 +879,6 @@ __owur int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, __owur int SSL_extension_supported(unsigned int ext_type); -# endif - # define SSL_NOTHING 1 # define SSL_WRITING 2 # define SSL_READING 3 
@@ -1112,40 +1103,38 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTRL_SET_MAX_CERT_LIST 51 # define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52 /* see tls1.h for macros based on these */ -# ifndef OPENSSL_NO_TLSEXT -# define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53 -# define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54 -# define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 -# define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56 -# define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57 -# define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58 -# define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59 -/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60 */ -/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61 */ -/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62 */ -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63 -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65 -# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66 -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67 -# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68 -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69 -# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70 -# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71 -# define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 -# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75 -# define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76 -# define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77 -# define SSL_CTRL_SET_SRP_ARG 78 -# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79 -# define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80 -# define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81 -# ifndef OPENSSL_NO_HEARTBEATS -# define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT 85 -# define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86 -# define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87 -# endif -# endif /* OPENSSL_NO_TLSEXT */ +# define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53 +# define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54 +# define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 +# define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56 +# define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57 +# define 
SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58 +# define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59 +/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60 */ +/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61 */ +/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62 */ +# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63 +# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64 +# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65 +# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS 66 +# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS 67 +# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS 68 +# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS 69 +# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP 70 +# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71 +# define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 +# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75 +# define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76 +# define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77 +# define SSL_CTRL_SET_SRP_ARG 78 +# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79 +# define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80 +# define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81 +# ifndef OPENSSL_NO_HEARTBEATS +# define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT 85 +# define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86 +# define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87 +# endif # define DTLS_CTRL_GET_TIMEOUT 73 # define DTLS_CTRL_HANDLE_TIMEOUT 74 # define DTLS_CTRL_LISTEN 75 
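Review bot: Now that `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75` is defined unconditionally it sits a few lines above `DTLS_CTRL_LISTEN 75` with the same value, and nothing in the hunk explains the overlap. If the two are dispatched through different entry points (callback_ctrl versus ctrl) the collision is safe but fragile: a future ctrl value that ends up in the wrong switch would be silently misrouted. Add a comment next to the SRP definition such as `/* 75 is also DTLS_CTRL_LISTEN; keep this a callback_ctrl-only value */` (adjusted to whatever the actual dispatch is), and likewise keep the commented-out 60-62 opaque PRF ids reserved rather than reusing them.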
@@ -1390,15 +1379,12 @@ __owur int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, __owur int SSL_use_certificate(SSL *ssl, X509 *x); __owur int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); -# ifndef OPENSSL_NO_TLSEXT /* Set serverinfo data for the current active cert. */ __owur int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, size_t serverinfo_length); -# ifndef OPENSSL_NO_STDIO +# ifndef OPENSSL_NO_STDIO __owur int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file); -# endif /* NO_STDIO */ - -# endif +# endif /* NO_STDIO */ # ifndef OPENSSL_NO_STDIO __owur int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index d10739690e..40205e1141 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -311,9 +311,7 @@ extern "C" { # define TLSEXT_curve_P_256 23 # define TLSEXT_curve_P_384 24 -# ifndef OPENSSL_NO_TLSEXT - -# define TLSEXT_MAXLEN_host_name 255 +# define TLSEXT_MAXLEN_host_name 255 __owur const char *SSL_get_servername(const SSL *s, const int type); __owur int SSL_get_servername_type(const SSL *s); 
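Review bot: The new side of the ssl.h serverinfo hunk leaves two consecutive `# ifndef OPENSSL_NO_STDIO` blocks, the one closed by `# endif /* NO_STDIO */` around SSL_CTX_use_serverinfo_file and the one that immediately follows for SSL_use_RSAPrivateKey_file. The separation only existed because the first block was nested inside the TLSEXT guard; now that guard is gone, folding the SSL_CTX_use_serverinfo_file prototype into the following block drops a redundant conditional. This is a style point only; the generated declarations are identical either way.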
@@ -339,71 +337,70 @@ int SSL_get_shared_sigalgs(SSL *s, int idx, __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain); -# define SSL_set_tlsext_host_name(s,name) \ +# define SSL_set_tlsext_host_name(s,name) \ SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name) -# define SSL_set_tlsext_debug_callback(ssl, cb) \ +# define SSL_set_tlsext_debug_callback(ssl, cb) \ SSL_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_CB,(void (*)(void))cb) -# define SSL_set_tlsext_debug_arg(ssl, arg) \ +# define SSL_set_tlsext_debug_arg(ssl, arg) \ SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_ARG,0, (void *)arg) -# define SSL_set_tlsext_status_type(ssl, type) \ +# define SSL_set_tlsext_status_type(ssl, type) \ SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,type, NULL) -# define SSL_get_tlsext_status_exts(ssl, arg) \ +# define SSL_get_tlsext_status_exts(ssl, arg) \ SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS,0, (void *)arg) -# define SSL_set_tlsext_status_exts(ssl, arg) \ +# define SSL_set_tlsext_status_exts(ssl, arg) \ SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS,0, (void *)arg) -# define SSL_get_tlsext_status_ids(ssl, arg) \ +# define SSL_get_tlsext_status_ids(ssl, arg) \ SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS,0, (void *)arg) -# define SSL_set_tlsext_status_ids(ssl, arg) \ +# define SSL_set_tlsext_status_ids(ssl, arg) \ SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS,0, (void *)arg) -# define SSL_get_tlsext_status_ocsp_resp(ssl, arg) \ +# define SSL_get_tlsext_status_ocsp_resp(ssl, arg) \ SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP,0, (void *)arg) -# define SSL_set_tlsext_status_ocsp_resp(ssl, arg, arglen) \ +# define SSL_set_tlsext_status_ocsp_resp(ssl, arg, arglen) \ SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,arglen, (void *)arg) -# define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \ +# define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \ 
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb) -# define SSL_TLSEXT_ERR_OK 0 -# define SSL_TLSEXT_ERR_ALERT_WARNING 1 -# define SSL_TLSEXT_ERR_ALERT_FATAL 2 -# define SSL_TLSEXT_ERR_NOACK 3 +# define SSL_TLSEXT_ERR_OK 0 +# define SSL_TLSEXT_ERR_ALERT_WARNING 1 +# define SSL_TLSEXT_ERR_ALERT_FATAL 2 +# define SSL_TLSEXT_ERR_NOACK 3 -# define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \ +# define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg) -# define SSL_CTX_get_tlsext_ticket_keys(ctx, keys, keylen) \ +# define SSL_CTX_get_tlsext_ticket_keys(ctx, keys, keylen) \ SSL_CTX_ctrl((ctx),SSL_CTRL_GET_TLSEXT_TICKET_KEYS,(keylen),(keys)) -# define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \ +# define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \ SSL_CTX_ctrl((ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,(keylen),(keys)) -# define SSL_CTX_set_tlsext_status_cb(ssl, cb) \ +# define SSL_CTX_set_tlsext_status_cb(ssl, cb) \ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB,(void (*)(void))cb) -# define SSL_CTX_set_tlsext_status_arg(ssl, arg) \ +# define SSL_CTX_set_tlsext_status_arg(ssl, arg) \ SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg) -# define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \ +# define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) -# ifndef OPENSSL_NO_HEARTBEATS -# define SSL_TLSEXT_HB_ENABLED 0x01 -# define SSL_TLSEXT_HB_DONT_SEND_REQUESTS 0x02 -# define SSL_TLSEXT_HB_DONT_RECV_REQUESTS 0x04 +# ifndef OPENSSL_NO_HEARTBEATS +# define SSL_TLSEXT_HB_ENABLED 0x01 +# define SSL_TLSEXT_HB_DONT_SEND_REQUESTS 0x02 +# define SSL_TLSEXT_HB_DONT_RECV_REQUESTS 0x04 -# define SSL_get_tlsext_heartbeat_pending(ssl) \ +# define SSL_get_tlsext_heartbeat_pending(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING,0,NULL) -# define 
SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \ +# define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \ SSL_ctrl((ssl),SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL) -# endif # endif /* PSK ciphersuites from 4279 */ diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index ed67f9d2fb..8940abc41f 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -405,7 +405,7 @@ int dtls1_connect(SSL *s) ret = ssl3_get_server_certificate(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_status_expected) s->state = SSL3_ST_CR_CERT_STATUS_A; else @@ -414,12 +414,7 @@ int dtls1_connect(SSL *s) skip = 1; s->state = SSL3_ST_CR_KEY_EXCH_A; } -#else - } else - skip = 1; - s->state = SSL3_ST_CR_KEY_EXCH_A; -#endif s->init_num = 0; break; @@ -640,21 +635,17 @@ int dtls1_connect(SSL *s) 0, NULL); #endif -#ifndef OPENSSL_NO_TLSEXT /* * Allow NewSessionTicket if ticket expected */ if (s->tlsext_ticket_expected) s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A; else -#endif - s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A; } s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT case SSL3_ST_CR_SESSION_TICKET_A: case SSL3_ST_CR_SESSION_TICKET_B: ret = ssl3_get_new_session_ticket(s); @@ -672,7 +663,6 @@ int dtls1_connect(SSL *s) s->state = SSL3_ST_CR_KEY_EXCH_A; s->init_num = 0; break; -#endif case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index ac2a0067cf..dfdc573d64 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -425,14 +425,10 @@ int dtls1_accept(SSL *s) BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, sizeof(sctpauthkey), sctpauthkey); #endif -#ifndef OPENSSL_NO_TLSEXT if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; else s->state = SSL3_ST_SW_CHANGE_A; -#else - s->state = SSL3_ST_SW_CHANGE_A; -#endif } else s->state = SSL3_ST_SW_CERT_A; s->init_num = 0; 
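Review bot: In the dtls1_connect hunk at -405 the removed `#ifndef OPENSSL_NO_TLSEXT` after `goto end;` is replaced by an empty `+` line rather than deleted, leaving a stray blank line before `if (s->tlsext_status_expected)`. The same substitution recurs in the dtls1_accept (-447), ssl3_connect (-333, -343, -1082), ssl3_accept (-387, -414), ssl3_send_server_hello (-1602, -1663, -1677), ssl3_clear (-2952), ssl3_callback_ctrl (-3443), ssl_cert_dup (-265) and struct ssl_st (-1096) hunks, while every other guard in the commit is removed outright. Deleting these lines keeps the whitespace consistent with the rest of the change; dtls1_connect continues outside the hunk.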
@@ -447,7 +443,7 @@ int dtls1_accept(SSL *s) ret = ssl3_send_server_certificate(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_status_expected) s->state = SSL3_ST_SW_CERT_STATUS_A; else @@ -456,12 +452,6 @@ int dtls1_accept(SSL *s) skip = 1; s->state = SSL3_ST_SW_KEY_EXCH_A; } -#else - } else - skip = 1; - - s->state = SSL3_ST_SW_KEY_EXCH_A; -#endif s->init_num = 0; break; @@ -712,16 +702,13 @@ int dtls1_accept(SSL *s) dtls1_stop_timer(s); if (s->hit) s->state = SSL_ST_OK; -#ifndef OPENSSL_NO_TLSEXT else if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; -#endif else s->state = SSL3_ST_SW_CHANGE_A; s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT case SSL3_ST_SW_SESSION_TICKET_A: case SSL3_ST_SW_SESSION_TICKET_B: ret = ssl3_send_newsession_ticket(s); @@ -740,8 +727,6 @@ int dtls1_accept(SSL *s) s->init_num = 0; break; -#endif - case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 4977e9c5a1..ace0838106 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -165,9 +165,7 @@ static int ssl_set_version(SSL *s); static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); -#ifndef OPENSSL_NO_TLSEXT static int ssl3_check_finished(SSL *s); -#endif static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p, int (*put_cb) (const SSL_CIPHER *, @@ -309,12 +307,10 @@ int ssl3_connect(SSL *s) if (s->hit) { s->state = SSL3_ST_CR_FINISHED_A; -#ifndef OPENSSL_NO_TLSEXT if (s->tlsext_ticket_expected) { /* receive renewed session ticket */ s->state = SSL3_ST_CR_SESSION_TICKET_A; } -#endif } else { s->state = SSL3_ST_CR_CERT_A; } @@ -322,7 +318,6 @@ int ssl3_connect(SSL *s) break; case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: -#ifndef OPENSSL_NO_TLSEXT /* Noop (ret = 0) for everything but EAP-FAST. */ ret = ssl3_check_finished(s); if (ret < 0) 
@@ -333,7 +328,7 @@ int ssl3_connect(SSL *s) s->init_num = 0; break; } -#endif + /* Check if it is anon DH/ECDH, SRP auth */ /* or PSK */ if (! @@ -343,7 +338,7 @@ int ssl3_connect(SSL *s) ret = ssl3_get_server_certificate(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_status_expected) s->state = SSL3_ST_CR_CERT_STATUS_A; else @@ -352,12 +347,7 @@ int ssl3_connect(SSL *s) skip = 1; s->state = SSL3_ST_CR_KEY_EXCH_A; } -#else - } else - skip = 1; - s->state = SSL3_ST_CR_KEY_EXCH_A; -#endif s->init_num = 0; break; @@ -470,7 +460,7 @@ int ssl3_connect(SSL *s) if (ret <= 0) goto end; -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) +#if defined(OPENSSL_NO_NEXTPROTONEG) s->state = SSL3_ST_CW_FINISHED_A; #else if (s->s3->next_proto_neg_seen) @@ -505,7 +495,7 @@ int ssl3_connect(SSL *s) break; -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) case SSL3_ST_CW_NEXT_PROTO_A: case SSL3_ST_CW_NEXT_PROTO_B: ret = ssl3_send_next_proto(s); @@ -538,21 +528,17 @@ int ssl3_connect(SSL *s) s->s3->delay_buf_pop_ret = 0; } } else { -#ifndef OPENSSL_NO_TLSEXT /* * Allow NewSessionTicket if ticket expected */ if (s->tlsext_ticket_expected) s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A; else -#endif - s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A; } s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT case SSL3_ST_CR_SESSION_TICKET_A: case SSL3_ST_CR_SESSION_TICKET_B: ret = ssl3_get_new_session_ticket(s); @@ -570,7 +556,6 @@ int ssl3_connect(SSL *s) s->state = SSL3_ST_CR_KEY_EXCH_A; s->init_num = 0; break; -#endif case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: 
@@ -783,15 +768,11 @@ int ssl3_client_hello(SSL *s) goto err; if ((sess == NULL) || (sess->ssl_version != s->version) || -#ifdef OPENSSL_NO_TLSEXT - !sess->session_id_length || -#else /* * In the case of EAP-FAST, we can have a pre-shared * "ticket" without a session ID. */ (!sess->session_id_length && !sess->tlsext_tick) || -#endif (sess->not_resumable)) { if (!ssl_get_new_session(s, 0)) goto err; @@ -922,7 +903,6 @@ int ssl3_client_hello(SSL *s) #endif *(p++) = 0; /* Add the NULL method */ -#ifndef OPENSSL_NO_TLSEXT /* TLS extensions */ if (ssl_prepare_clienthello_tlsext(s) <= 0) { SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); @@ -935,7 +915,6 @@ int ssl3_client_hello(SSL *s) SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto err; } -#endif l = p - d; if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) { @@ -1082,7 +1061,7 @@ int ssl3_get_server_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG); goto f_err; } -#ifndef OPENSSL_NO_TLSEXT + /* * Check if we can resume the session based on external pre-shared secret. * EAP-FAST (RFC 4851) supports two types of session resumption. @@ -1111,7 +1090,6 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } } -#endif /* OPENSSL_NO_TLSEXT */ if (j != 0 && j == s->session->session_id_length && memcmp(p, s->session->session_id, j) == 0) { @@ -1237,13 +1215,11 @@ int ssl3_get_server_hello(SSL *s) } #endif -#ifndef OPENSSL_NO_TLSEXT /* TLS extensions */ if (!ssl_parse_serverhello_tlsext(s, &p, d, n)) { SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT); goto err; } -#endif if (p != (d + n)) { /* wrong packet length */ @@ -2240,7 +2216,6 @@ static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) return (X509_NAME_cmp(*a, *b)); } -#ifndef OPENSSL_NO_TLSEXT int ssl3_get_new_session_ticket(SSL *s) { int ok, al, ret = 0, ticklen; 
@@ -2363,7 +2338,6 @@ int ssl3_get_cert_status(SSL *s) s->state = SSL_ST_ERR; return (-1); } -#endif int ssl3_get_server_done(SSL *s) { @@ -3457,7 +3431,6 @@ int ssl3_check_cert_and_algorithm(SSL *s) return (0); } -#ifndef OPENSSL_NO_TLSEXT /* * Normally, we can tell if the server is resuming the session from * the session ID. EAP-FAST (RFC 4851), however, relies on the next server @@ -3507,7 +3480,7 @@ static int ssl3_check_finished(SSL *s) return 0; } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s) { unsigned int len, padding_len; @@ -3530,7 +3503,6 @@ int ssl3_send_next_proto(SSL *s) return ssl3_do_write(s, SSL3_RT_HANDSHAKE); } -# endif #endif int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 78e95fc6d6..3aa9863142 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2908,9 +2908,7 @@ void ssl3_free(SSL *s) BIO_free(s->s3->handshake_buffer); if (s->s3->handshake_dgst) ssl3_free_digest_list(s); -#ifndef OPENSSL_NO_TLSEXT OPENSSL_free(s->s3->alpn_selected); -#endif #ifndef OPENSSL_NO_SRP SSL_SRP_CTX_free(s); @@ -2939,12 +2937,8 @@ void ssl3_clear(SSL *s) #ifndef OPENSSL_NO_EC EC_KEY_free(s->s3->tmp.ecdh); s->s3->tmp.ecdh = NULL; -#endif -#ifndef OPENSSL_NO_TLSEXT -# ifndef OPENSSL_NO_EC s->s3->is_probably_safari = 0; -# endif /* !OPENSSL_NO_EC */ -#endif /* !OPENSSL_NO_TLSEXT */ +#endif /* !OPENSSL_NO_EC */ init_extra = s->s3->init_extra; BIO_free(s->s3->handshake_buffer); @@ -2952,12 +2946,12 @@ void ssl3_clear(SSL *s) if (s->s3->handshake_dgst) { ssl3_free_digest_list(s); } -#if !defined(OPENSSL_NO_TLSEXT) + if (s->s3->alpn_selected) { free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; } -#endif + memset(s->s3, 0, sizeof(*s->s3)); s->s3->init_extra = init_extra; 
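Review bot: In the ssl3_clear hunk at -2952 the alpn_selected buffer is released with a bare `free(s->s3->alpn_selected)`, whereas ssl3_free at -2908 in the same file releases the same field with `OPENSSL_free(s->s3->alpn_selected)`. If the buffer comes from the OpenSSL allocator, as the OPENSSL_free in ssl3_free suggests, the bare free() bypasses any replacement allocator installed through CRYPTO_set_mem_functions and can mismatch the allocation. The block should read `OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = NULL;`, and the surrounding `if` guard can go, since ssl3_free calls OPENSSL_free on this field without one; ssl3_clear continues outside the hunk.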
@@ -2969,7 +2963,7 @@ void ssl3_clear(SSL *s) s->s3->in_read_app_data = 0; s->version = SSL3_VERSION; -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) OPENSSL_free(s->next_proto_negotiated); s->next_proto_negotiated = NULL; s->next_proto_negotiated_len = 0; @@ -3109,7 +3103,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (ret); } #endif /* !OPENSSL_NO_EC */ -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { OPENSSL_free(s->tlsext_hostname); @@ -3172,7 +3165,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; break; -# ifndef OPENSSL_NO_HEARTBEATS +#ifndef OPENSSL_NO_HEARTBEATS case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT: if (SSL_IS_DTLS(s)) ret = dtls1_heartbeat(s); @@ -3191,9 +3184,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) s->tlsext_heartbeat &= ~SSL_TLSEXT_HB_DONT_RECV_REQUESTS; ret = 1; break; -# endif - -#endif /* !OPENSSL_NO_TLSEXT */ +#endif case SSL_CTRL_CHAIN: if (larg) @@ -3443,12 +3434,11 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) } break; #endif -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_DEBUG_CB: s->tlsext_debug_cb = (void (*)(SSL *, int, int, unsigned char *, int, void *))fp; break; -#endif + case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB: { s->not_resumable_session_cb = (int (*)(SSL *, int))fp; @@ -3578,7 +3568,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (0); } #endif /* !OPENSSL_NO_EC */ -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->tlsext_servername_arg = parg; break; @@ -3608,7 +3597,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ctx->tlsext_status_arg = parg; return 1; -# ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_SRP case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME: ctx->srp_ctx.srp_Mask |= SSL_kSRP; OPENSSL_free(ctx->srp_ctx.login); 
@@ -3638,9 +3627,9 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH: ctx->srp_ctx.strength = larg; break; -# endif +#endif -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC case SSL_CTRL_SET_CURVES: return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, @@ -3650,12 +3639,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, parg); -# ifndef OPENSSL_NO_EC case SSL_CTRL_SET_ECDH_AUTO: ctx->cert->ecdh_tmp_auto = larg; return 1; -# endif -# endif +#endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -3680,8 +3667,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_CHAIN_CERT_STORE: return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg); -#endif /* !OPENSSL_NO_TLSEXT */ - /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: if (ctx->extra_certs == NULL) { @@ -3759,7 +3744,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) } break; #endif -#ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp; break; @@ -3775,7 +3759,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) HMAC_CTX *, int))fp; break; -# ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_SRP case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB: ctx->srp_ctx.srp_Mask |= SSL_kSRP; ctx->srp_ctx.SRP_verify_param_callback = (int (*)(SSL *, void *))fp; @@ -3790,7 +3774,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) ctx->srp_ctx.SRP_give_srp_client_pwd_callback = (char *(*)(SSL *, void *))fp; break; -# endif #endif case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB: { 
@@ -3927,7 +3910,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif } -#ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_EC /* * if we are considering an ECC cipher suite that uses an ephemeral @@ -3936,7 +3918,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (alg_k & SSL_kECDHE) ok = ok && tls1_check_ec_tmp_key(s, c->id); # endif /* OPENSSL_NO_EC */ -#endif /* OPENSSL_NO_TLSEXT */ if (!ok) continue; @@ -3946,7 +3927,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, c->strength_bits, 0, c)) continue; -#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT) +#if !defined(OPENSSL_NO_EC) if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) { if (!ret) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 6bc80d579b..68234ecc18 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -387,19 +387,15 @@ int ssl3_accept(SSL *s) ret = ssl3_send_server_hello(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT + if (s->hit) { if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; else s->state = SSL3_ST_SW_CHANGE_A; - } -#else - if (s->hit) - s->state = SSL3_ST_SW_CHANGE_A; -#endif - else + } else { s->state = SSL3_ST_SW_CERT_A; + } s->init_num = 0; break; @@ -414,7 +410,7 @@ int ssl3_accept(SSL *s) ret = ssl3_send_server_certificate(s); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_status_expected) s->state = SSL3_ST_SW_CERT_STATUS_A; else @@ -423,12 +419,6 @@ int ssl3_accept(SSL *s) skip = 1; s->state = SSL3_ST_SW_KEY_EXCH_A; } -#else - } else - skip = 1; - - s->state = SSL3_ST_SW_KEY_EXCH_A; -#endif s->init_num = 0; break; 
@@ -587,7 +577,7 @@ int ssl3_accept(SSL *s) * not sent. Also for GOST ciphersuites when the client uses * its key from the certificate for key exchange. */ -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) +#if defined(OPENSSL_NO_NEXTPROTONEG) s->state = SSL3_ST_SR_FINISHED_A; #else if (s->s3->next_proto_neg_seen) @@ -666,7 +656,7 @@ int ssl3_accept(SSL *s) if (ret <= 0) goto end; -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) +#if defined(OPENSSL_NO_NEXTPROTONEG) s->state = SSL3_ST_SR_FINISHED_A; #else if (s->s3->next_proto_neg_seen) @@ -677,7 +667,7 @@ int ssl3_accept(SSL *s) s->init_num = 0; break; -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) case SSL3_ST_SR_NEXT_PROTO_A: case SSL3_ST_SR_NEXT_PROTO_B: /* @@ -718,16 +708,13 @@ int ssl3_accept(SSL *s) goto end; if (s->hit) s->state = SSL_ST_OK; -#ifndef OPENSSL_NO_TLSEXT else if (s->tlsext_ticket_expected) s->state = SSL3_ST_SW_SESSION_TICKET_A; -#endif else s->state = SSL3_ST_SW_CHANGE_A; s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT case SSL3_ST_SW_SESSION_TICKET_A: case SSL3_ST_SW_SESSION_TICKET_B: ret = ssl3_send_newsession_ticket(s); @@ -746,8 +733,6 @@ int ssl3_accept(SSL *s) s->init_num = 0; break; -#endif - case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: @@ -790,7 +775,7 @@ int ssl3_accept(SSL *s) goto end; s->state = SSL3_ST_SW_FLUSH; if (s->hit) { -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) +#if defined(OPENSSL_NO_NEXTPROTONEG) s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; #else if (s->s3->next_proto_neg_seen) { @@ -1361,7 +1346,6 @@ int ssl3_get_client_hello(SSL *s) } } -#ifndef OPENSSL_NO_TLSEXT /* TLS extensions */ if (s->version >= SSL3_VERSION) { if (!ssl_parse_clienthello_tlsext(s, &p, d, n)) { 
@@ -1418,7 +1402,6 @@ int ssl3_get_client_hello(SSL *s) s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); } } -#endif /* * Worst case, we will use the NULL compression, but if we have other @@ -1602,13 +1585,13 @@ int ssl3_send_server_hello(SSL *s) if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf = (unsigned char *)s->init_buf->data; -#ifdef OPENSSL_NO_TLSEXT + p = s->s3->server_random; if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) { s->state = SSL_ST_ERR; return -1; } -#endif + /* Do the message type and length last */ d = p = ssl_handshake_start(s); @@ -1663,7 +1646,7 @@ int ssl3_send_server_hello(SSL *s) else *(p++) = s->s3->tmp.new_compression->id; #endif -#ifndef OPENSSL_NO_TLSEXT + if (ssl_prepare_serverhello_tlsext(s) <= 0) { SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); s->state = SSL_ST_ERR; @@ -1677,7 +1660,7 @@ int ssl3_send_server_hello(SSL *s) s->state = SSL_ST_ERR; return -1; } -#endif + /* do the header */ l = (p - d); if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) { @@ -3266,7 +3249,6 @@ int ssl3_send_server_certificate(SSL *s) return ssl_do_write(s); } -#ifndef OPENSSL_NO_TLSEXT /* send a new session ticket (not necessarily for a new session) */ int ssl3_send_newsession_ticket(SSL *s) { @@ -3454,7 +3436,7 @@ int ssl3_send_cert_status(SSL *s) return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG /* * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. * It sets the next_proto member in s if found @@ -3533,8 +3515,6 @@ int ssl3_get_next_proto(SSL *s) return 1; } -# endif - #endif #define SSLV2_CIPHER_LEN 3 diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 51cc72af27..7b58518699 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c 
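Review bot: The `ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE)` call in the ssl3_send_server_hello hunk at -1602 is now unconditional, but its old guard was `#ifdef OPENSSL_NO_TLSEXT`, not `#ifndef`: the extension-enabled build deliberately did not generate server_random here, because it is generated earlier in the ClientHello path so that the session-secret callback handled in ssl3_get_client_hello (the -1418 hunk above) can use it. Unless that earlier generation was removed elsewhere in this commit, the server random is now filled twice, and the value sent in the ServerHello differs from the one any such callback already consumed, which would break resumption built on it. The fix is to drop the fill here and keep only the copy of the already-generated s->s3->server_random, with a comment such as `/* server_random is generated in ssl3_get_client_hello(); only copy it here */`; ssl3_send_server_hello continues outside the hunk.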
@@ -101,11 +101,9 @@ typedef struct { X509 *peer; ASN1_OCTET_STRING *session_id_context; long verify_result; -#ifndef OPENSSL_NO_TLSEXT ASN1_OCTET_STRING *tlsext_hostname; long tlsext_tick_lifetime_hint; ASN1_OCTET_STRING *tlsext_tick; -#endif #ifndef OPENSSL_NO_PSK ASN1_OCTET_STRING *psk_identity_hint; ASN1_OCTET_STRING *psk_identity; @@ -128,17 +126,13 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = { ASN1_EXP_OPT(SSL_SESSION_ASN1, peer, X509, 3), ASN1_EXP_OPT(SSL_SESSION_ASN1, session_id_context, ASN1_OCTET_STRING, 4), ASN1_EXP_OPT(SSL_SESSION_ASN1, verify_result, ZLONG, 5), -#ifndef OPENSSL_NO_TLSEXT ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_hostname, ASN1_OCTET_STRING, 6), -#endif #ifndef OPENSSL_NO_PSK ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity_hint, ASN1_OCTET_STRING, 7), ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity, ASN1_OCTET_STRING, 8), #endif -#ifndef OPENSSL_NO_TLSEXT ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick_lifetime_hint, ZLONG, 9), ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick, ASN1_OCTET_STRING, 10), -#endif ASN1_EXP_OPT(SSL_SESSION_ASN1, comp_id, ASN1_OCTET_STRING, 11), #ifndef OPENSSL_NO_SRP ASN1_EXP_OPT(SSL_SESSION_ASN1, srp_username, ASN1_OCTET_STRING, 12), @@ -185,9 +179,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) unsigned char comp_id_data; #endif -#ifndef OPENSSL_NO_TLSEXT ASN1_OCTET_STRING tlsext_hostname, tlsext_tick; -#endif #ifndef OPENSSL_NO_SRP ASN1_OCTET_STRING srp_username; @@ -238,7 +230,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) as.peer = in->peer; -#ifndef OPENSSL_NO_TLSEXT ssl_session_sinit(&as.tlsext_hostname, &tlsext_hostname, in->tlsext_hostname); if (in->tlsext_tick) { @@ -247,7 +238,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) } if (in->tlsext_tick_lifetime_hint > 0) as.tlsext_tick_lifetime_hint = in->tlsext_tick_lifetime_hint; -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_PSK ssl_session_sinit(&as.psk_identity_hint, &psk_identity_hint, in->psk_identity_hint); 
@@ -373,10 +363,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, /* NB: this defaults to zero which is X509_V_OK */ ret->verify_result = as->verify_result; -#ifndef OPENSSL_NO_TLSEXT if (!ssl_session_strndup(&ret->tlsext_hostname, as->tlsext_hostname)) goto err; -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_PSK if (!ssl_session_strndup(&ret->psk_identity_hint, as->psk_identity_hint)) @@ -385,7 +373,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, goto err; #endif -#ifndef OPENSSL_NO_TLSEXT ret->tlsext_tick_lifetime_hint = as->tlsext_tick_lifetime_hint; if (as->tlsext_tick) { ret->tlsext_tick = as->tlsext_tick->data; @@ -394,7 +381,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, } else { ret->tlsext_tick = NULL; } -#endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_COMP if (as->comp_id) { if (as->comp_id->length != 1) { diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 987b2b72c0..ab138ec491 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -265,7 +265,7 @@ CERT *ssl_cert_dup(CERT *cert) goto err; } } -#ifndef OPENSSL_NO_TLSEXT + rpk->valid_flags = 0; if (cert->pkeys[i].serverinfo != NULL) { /* Just copy everything. */ ret->pkeys[i].serverinfo = @@ -280,7 +280,6 @@ CERT *ssl_cert_dup(CERT *cert) cert->pkeys[i].serverinfo, cert->pkeys[i].serverinfo_length); } -#endif } ret->references = 1; @@ -334,12 +333,10 @@ CERT *ssl_cert_dup(CERT *cert) ret->sec_level = cert->sec_level; ret->sec_ex = cert->sec_ex; -#ifndef OPENSSL_NO_TLSEXT if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext)) goto err; if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext)) goto err; -#endif return (ret); @@ -364,11 +361,9 @@ void ssl_cert_clear_certs(CERT *c) cpk->privatekey = NULL; sk_X509_pop_free(cpk->chain, X509_free); cpk->chain = NULL; -#ifndef OPENSSL_NO_TLSEXT OPENSSL_free(cpk->serverinfo); cpk->serverinfo = NULL; cpk->serverinfo_length = 0; -#endif } } 
@@ -409,10 +404,8 @@ void ssl_cert_free(CERT *c) OPENSSL_free(c->ctypes); X509_STORE_free(c->verify_store); X509_STORE_free(c->chain_store); -#ifndef OPENSSL_NO_TLSEXT custom_exts_free(&c->cli_ext); custom_exts_free(&c->srv_ext); -#endif OPENSSL_free(c); } diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 59516a57f2..65ff0218d7 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -433,9 +433,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("bugs", 0), SSL_CONF_CMD_SWITCH("no_comp", 0), SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER), -#ifndef OPENSSL_NO_TLSEXT SSL_CONF_CMD_SWITCH("no_ticket", 0), -#endif SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0), SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER), @@ -477,9 +475,7 @@ static const ssl_switch_tbl ssl_cmd_switches[] = { {SSL_OP_ALL, 0}, /* bugs */ {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */ {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */ -#ifndef OPENSSL_NO_TLSEXT {SSL_OP_NO_TICKET, 0}, /* no_ticket */ -#endif {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */ /* legacy_renegotiation */ {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 2624b377f4..3952b6b731 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -315,7 +315,6 @@ SSL *SSL_new(SSL_CTX *ctx) CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->ctx = ctx; -#ifndef OPENSSL_NO_TLSEXT s->tlsext_debug_cb = 0; s->tlsext_debug_arg = NULL; s->tlsext_ticket_expected = 0; @@ -360,7 +359,6 @@ SSL *SSL_new(SSL_CTX *ctx) s->ctx->alpn_client_proto_list_len); s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len; } -#endif s->verify_result = X509_V_OK; 
@@ -557,18 +555,16 @@ void SSL_free(SSL *s) ssl_cert_free(s->cert); /* Free up if allocated */ -#ifndef OPENSSL_NO_TLSEXT OPENSSL_free(s->tlsext_hostname); SSL_CTX_free(s->initial_ctx); -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC OPENSSL_free(s->tlsext_ecpointformatlist); OPENSSL_free(s->tlsext_ellipticcurvelist); -# endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_EC */ sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); OPENSSL_free(s->tlsext_ocsp_resp); OPENSSL_free(s->alpn_client_proto_list); -#endif sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); @@ -579,7 +575,7 @@ void SSL_free(SSL *s) SSL_CTX_free(s->ctx); -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) OPENSSL_free(s->next_proto_negotiated); #endif @@ -1394,7 +1390,6 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) return (buf); } -#ifndef OPENSSL_NO_TLSEXT /** return a servername extension value if provided in Client Hello, or NULL. * So far, only host_name types are defined (RFC 3546). */ @@ -1476,7 +1471,7 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, return status; } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG /* * SSL_get0_next_proto_negotiated sets *data and *len to point to the * client's requested protocol for this connection and returns 0. If the @@ -1537,7 +1532,7 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, ctx->next_proto_select_cb = cb; ctx->next_proto_select_cb_arg = arg; } -# endif +#endif /* * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|. @@ -1610,7 +1605,6 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, *len = ssl->s3->alpn_selected_len; } -#endif /* !OPENSSL_NO_TLSEXT */ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const char *label, size_t llen, 
@@ -1765,7 +1759,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; -#ifndef OPENSSL_NO_TLSEXT ret->tlsext_servername_callback = 0; ret->tlsext_servername_arg = NULL; /* Setup RFC4507 ticket keys */ @@ -1777,10 +1770,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->tlsext_status_cb = 0; ret->tlsext_status_arg = NULL; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG ret->next_protos_advertised_cb = 0; ret->next_proto_select_cb = 0; -# endif #endif #ifndef OPENSSL_NO_PSK ret->psk_identity_hint = NULL; @@ -1881,13 +1873,11 @@ void SSL_CTX_free(SSL_CTX *a) ENGINE_finish(a->client_cert_engine); #endif -#ifndef OPENSSL_NO_TLSEXT -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC OPENSSL_free(a->tlsext_ecpointformatlist); OPENSSL_free(a->tlsext_ellipticcurvelist); -# endif - OPENSSL_free(a->alpn_client_proto_list); #endif + OPENSSL_free(a->alpn_client_proto_list); OPENSSL_free(a); } @@ -2273,7 +2263,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, return c->pkeys[idx].privatekey; } -#ifndef OPENSSL_NO_TLSEXT int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length) { @@ -2293,7 +2282,6 @@ int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, *serverinfo_length = c->pkeys[i].serverinfo_length; return 1; } -#endif void ssl_update_cache(SSL *s, int mode) { @@ -2818,10 +2806,8 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) CERT *new_cert; if (ssl->ctx == ctx) return ssl->ctx; -#ifndef OPENSSL_NO_TLSEXT if (ctx == NULL) ctx = ssl->initial_ctx; -#endif new_cert = ssl_cert_dup(ctx->cert); if (new_cert == NULL) { return NULL; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 04e59085d2..bdc4d8c67d 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h 
@@ -652,19 +652,17 @@ struct ssl_session_st { * implement a maximum cache size. */ struct ssl_session_st *prev, *next; -# ifndef OPENSSL_NO_TLSEXT char *tlsext_hostname; -# ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_EC size_t tlsext_ecpointformatlist_length; unsigned char *tlsext_ecpointformatlist; /* peer's list */ size_t tlsext_ellipticcurvelist_length; unsigned char *tlsext_ellipticcurvelist; /* peer's list */ -# endif /* OPENSSL_NO_EC */ +# endif /* OPENSSL_NO_EC */ /* RFC4507 info */ unsigned char *tlsext_tick; /* Session ticket */ size_t tlsext_ticklen; /* Session ticket length */ unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ -# endif # ifndef OPENSSL_NO_SRP char *srp_username; # endif @@ -850,7 +848,6 @@ struct ssl_ctx_st { ENGINE *client_cert_engine; # endif -# ifndef OPENSSL_NO_TLSEXT /* TLS extensions servername callback */ int (*tlsext_servername_callback) (SSL *, int *, void *); void *tlsext_servername_arg; @@ -868,7 +865,6 @@ struct ssl_ctx_st { /* Callback for status request */ int (*tlsext_status_cb) (SSL *ssl, void *arg); void *tlsext_status_arg; -# endif # ifndef OPENSSL_NO_PSK char *psk_identity_hint; @@ -886,9 +882,7 @@ struct ssl_ctx_st { SRP_CTX srp_ctx; /* ctx for SRP authentication */ # endif -# ifndef OPENSSL_NO_TLSEXT - -# ifndef OPENSSL_NO_NEXTPROTONEG +# ifndef OPENSSL_NO_NEXTPROTONEG /* Next protocol negotiation information */ /* (for experimental NPN extension). */ @@ -908,7 +902,7 @@ struct ssl_ctx_st { const unsigned char *in, unsigned int inlen, void *arg); void *next_proto_select_cb_arg; -# endif +# endif /* * ALPN information (we are in the process of transitioning from NPN to @@ -941,7 +935,6 @@ struct ssl_ctx_st { /* SRTP profiles we are willing to do from RFC 5764 */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; -# endif /* * Callback for disabling session caching and ticket support on a session * basis, depending on the chosen cipher. 
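Review bot: `char *tlsext_hostname;` in struct ssl_session_st (hunk @@ -652,19 +652,17 @@) is the only member of the now-unconditional extension group without a comment, while the neighbouring EC lists say `/* peer's list */` and the ticket fields are annotated. Elsewhere in this commit ssl_get_new_session fills it with `BUF_strdup(s->tlsext_hostname)` and SSL_SESSION_free releases it with OPENSSL_free, so `char *tlsext_hostname; /* SNI host_name copied from the SSL at session creation, or NULL; freed with the session */` states the ownership a reader needs. The struct definition starts before this hunk.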
@@ -1096,7 +1089,7 @@ struct ssl_st { /* what was passed, used for SSLv3/TLS rollback check */ int client_version; unsigned int max_send_fragment; -# ifndef OPENSSL_NO_TLSEXT + /* TLS extension debug callback */ void (*tlsext_debug_cb) (SSL *s, int client_server, int type, unsigned char *data, int len, void *arg); @@ -1122,14 +1115,14 @@ struct ssl_st { int tlsext_ocsp_resplen; /* RFC4507 session ticket expected to be received or sent */ int tlsext_ticket_expected; -# ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_EC size_t tlsext_ecpointformatlist_length; /* our list */ unsigned char *tlsext_ecpointformatlist; size_t tlsext_ellipticcurvelist_length; /* our list */ unsigned char *tlsext_ellipticcurvelist; -# endif /* OPENSSL_NO_EC */ +# endif /* OPENSSL_NO_EC */ /* TLS Session Ticket extension override */ TLS_SESSION_TICKET_EXT *tlsext_session_ticket; /* TLS Session Ticket extension callback */ @@ -1139,7 +1132,7 @@ struct ssl_st { tls_session_secret_cb_fn tls_session_secret_cb; void *tls_session_secret_cb_arg; SSL_CTX *initial_ctx; /* initial ctx, used to store sessions */ -# ifndef OPENSSL_NO_NEXTPROTONEG +# ifndef OPENSSL_NO_NEXTPROTONEG /* * Next protocol negotiation. For the client, this is the protocol that * we sent in NextProtocol and is set when handling ServerHello @@ -1149,8 +1142,8 @@ struct ssl_st { */ unsigned char *next_proto_negotiated; unsigned char next_proto_negotiated_len; -# endif -# define session_ctx initial_ctx +# endif +# define session_ctx initial_ctx /* What we'll do */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What's been chosen */ @@ -1172,9 +1165,7 @@ struct ssl_st { */ unsigned char *alpn_client_proto_list; unsigned alpn_client_proto_list_len; -# else -# define session_ctx ctx -# endif /* OPENSSL_NO_TLSEXT */ + /*- * 1 if we are renegotiating. * 2 if we are a server and are inside a handshake 
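Review bot: With the `# else / # define session_ctx ctx` branch removed in hunk @@ -1172,9 +1165,7 @@, `session_ctx` has exactly one expansion, `initial_ctx`, but the define at @@ -1149,8 +1142,8 @@ still has no comment and sits several members away from the `SSL_CTX *initial_ctx;` field it aliases. Suggest `# define session_ctx initial_ctx /* alias for initial_ctx, the ctx sessions are stored in */`, or folding that note into the existing `/* initial ctx, used to store sessions */` comment on the field, so the alias is explained at one of the two places. struct ssl_st starts and ends outside these hunks.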
@@ -1328,8 +1319,6 @@ typedef struct ssl3_state_st { int next_proto_neg_seen; # endif -# ifndef OPENSSL_NO_TLSEXT - /* * ALPN information (we are in the process of transitioning from NPN to * ALPN.) @@ -1351,8 +1340,6 @@ typedef struct ssl3_state_st { */ char is_probably_safari; # endif /* !OPENSSL_NO_EC */ - -# endif /* !OPENSSL_NO_TLSEXT */ } SSL3_STATE; @@ -1462,7 +1449,7 @@ typedef struct cert_pkey_st { EVP_PKEY *privatekey; /* Chain for this certificate */ STACK_OF(X509) *chain; -# ifndef OPENSSL_NO_TLSEXT + /*- * serverinfo data for this certificate. The data is in TLS Extension * wire format, specifically it's a series of records like: @@ -1472,7 +1459,6 @@ typedef struct cert_pkey_st { */ unsigned char *serverinfo; size_t serverinfo_length; -# endif } CERT_PKEY; /* Retrieve Suite B flags */ # define tls1_suiteb(s) (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS) @@ -1916,10 +1902,8 @@ int ssl_undefined_function(SSL *s); __owur int ssl_undefined_void_function(void); __owur int ssl_undefined_const_function(const SSL *s); __owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s); -# ifndef OPENSSL_NO_TLSEXT __owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length); -# endif __owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); __owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey); void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher); @@ -2031,10 +2015,8 @@ __owur int ssl3_send_client_key_exchange(SSL *s); __owur int ssl3_get_key_exchange(SSL *s); __owur int ssl3_get_server_certificate(SSL *s); __owur int ssl3_check_cert_and_algorithm(SSL *s); -# ifndef OPENSSL_NO_TLSEXT -# ifndef OPENSSL_NO_NEXTPROTONEG +# ifndef OPENSSL_NO_NEXTPROTONEG __owur int ssl3_send_next_proto(SSL *s); -# endif # endif int dtls1_client_hello(SSL *s); 
@@ -2106,7 +2088,6 @@ __owur int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id); # endif /* OPENSSL_NO_EC */ -# ifndef OPENSSL_NO_TLSEXT __owur int tls1_shared_list(SSL *s, const unsigned char *l1, size_t l1len, const unsigned char *l2, size_t l2len, int nmatch); @@ -2123,12 +2104,12 @@ __owur int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, __owur int ssl_prepare_clienthello_tlsext(SSL *s); __owur int ssl_prepare_serverhello_tlsext(SSL *s); -# ifndef OPENSSL_NO_HEARTBEATS +# ifndef OPENSSL_NO_HEARTBEATS __owur int tls1_heartbeat(SSL *s); __owur int dtls1_heartbeat(SSL *s); __owur int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length); __owur int dtls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length); -# endif +# endif __owur int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, const unsigned char *limit, SSL_SESSION **ret); @@ -2145,7 +2126,6 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, int idx); void tls1_set_cert_validity(SSL *s); -# endif # ifndef OPENSSL_NO_DH __owur DH *ssl_get_auto_dh(SSL *s); # endif diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index a9c832c8b6..f4851266a1 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -738,7 +738,6 @@ int SSL_use_certificate_chain_file(SSL *ssl, const char *file) } #endif -#ifndef OPENSSL_NO_TLSEXT static int serverinfo_find_extension(const unsigned char *serverinfo, size_t serverinfo_length, unsigned int extension_type, @@ -910,7 +909,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, return 1; } -# ifndef OPENSSL_NO_STDIO +#ifndef OPENSSL_NO_STDIO int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) { unsigned char *serverinfo = NULL; 
@@ -1000,5 +999,4 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) BIO_free(bin); return ret; } -# endif /* OPENSSL_NO_STDIO */ -#endif /* OPENSSL_NO_TLSEXT */ +#endif /* OPENSSL_NO_STDIO */ diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 2be9592c23..f1c209508c 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -207,14 +207,12 @@ SSL_SESSION *SSL_SESSION_new(void) ss->prev = NULL; ss->next = NULL; ss->compress_meth = 0; -#ifndef OPENSSL_NO_TLSEXT ss->tlsext_hostname = NULL; -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC ss->tlsext_ecpointformatlist_length = 0; ss->tlsext_ecpointformatlist = NULL; ss->tlsext_ellipticcurvelist_length = 0; ss->tlsext_ellipticcurvelist = NULL; -# endif #endif CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); #ifndef OPENSSL_NO_PSK @@ -322,7 +320,7 @@ int ssl_get_new_session(SSL *s, int session) SSL_SESSION_free(ss); return (0); } -#ifndef OPENSSL_NO_TLSEXT + /*- * If RFC5077 ticket, use empty session ID (as server). * Note that: @@ -342,7 +340,7 @@ int ssl_get_new_session(SSL *s, int session) ss->session_id_length = 0; goto sess_id_done; } -#endif + /* Choose which callback will set the session ID */ CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); if (s->generate_session_id) @@ -378,7 +376,7 @@ int ssl_get_new_session(SSL *s, int session) SSL_SESSION_free(ss); return (0); } -#ifndef OPENSSL_NO_TLSEXT + sess_id_done: if (s->tlsext_hostname) { ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname); @@ -388,7 +386,6 @@ int ssl_get_new_session(SSL *s, int session) return 0; } } -#endif } else { ss->session_id_length = 0; } @@ -435,9 +432,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, SSL_SESSION *ret = NULL; int fatal = 0; int try_session_cache = 1; -#ifndef OPENSSL_NO_TLSEXT int r; -#endif if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; 
@@ -450,7 +445,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, if (len == 0) try_session_cache = 0; -#ifndef OPENSSL_NO_TLSEXT /* sets s->tlsext_ticket_expected */ r = tls1_process_ticket(s, session_id, len, limit, &ret); switch (r) { @@ -467,7 +461,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, default: abort(); } -#endif if (try_session_cache && ret == NULL && @@ -589,7 +582,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, err: if (ret != NULL) { SSL_SESSION_free(ret); -#ifndef OPENSSL_NO_TLSEXT + if (!try_session_cache) { /* * The session was from a ticket, so we should issue a ticket for @@ -597,7 +590,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, */ s->tlsext_ticket_expected = 1; } -#endif } if (fatal) return -1; @@ -734,16 +726,14 @@ void SSL_SESSION_free(SSL_SESSION *ss) ssl_sess_cert_free(ss->sess_cert); X509_free(ss->peer); sk_SSL_CIPHER_free(ss->ciphers); -#ifndef OPENSSL_NO_TLSEXT OPENSSL_free(ss->tlsext_hostname); OPENSSL_free(ss->tlsext_tick); -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC ss->tlsext_ecpointformatlist_length = 0; OPENSSL_free(ss->tlsext_ecpointformatlist); ss->tlsext_ellipticcurvelist_length = 0; OPENSSL_free(ss->tlsext_ellipticcurvelist); -# endif /* OPENSSL_NO_EC */ -#endif +#endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_PSK OPENSSL_free(ss->psk_identity_hint); OPENSSL_free(ss->psk_identity); @@ -877,7 +867,6 @@ long SSL_CTX_get_timeout(const SSL_CTX *s) return (s->session_timeout); } -#ifndef OPENSSL_NO_TLSEXT int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb) (SSL *s, void *secret, @@ -932,7 +921,6 @@ int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) return 0; } -#endif /* OPENSSL_NO_TLSEXT */ typedef struct timeout_param_st { SSL_CTX *ctx; diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 0da2bb44b9..0f506f0fb9 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c 
@@ -182,7 +182,6 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0) goto err; #endif -#ifndef OPENSSL_NO_TLSEXT if (x->tlsext_tick_lifetime_hint) { if (BIO_printf(bp, "\n TLS session ticket lifetime hint: %ld (seconds)", @@ -196,7 +195,6 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) <= 0) goto err; } -#endif #ifndef OPENSSL_NO_COMP if (x->compress_meth != 0) { diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c index f1092ac93d..396ad7e171 100644 --- a/ssl/t1_ext.c +++ b/ssl/t1_ext.c @@ -57,7 +57,6 @@ #include "ssl_locl.h" -#ifndef OPENSSL_NO_TLSEXT /* Find a custom extension from the list. */ static custom_ext_method *custom_ext_find(custom_ext_methods *exts, @@ -283,12 +282,11 @@ int SSL_extension_supported(unsigned int ext_type) case TLSEXT_TYPE_srp: case TLSEXT_TYPE_status_request: case TLSEXT_TYPE_use_srtp: -# ifdef TLSEXT_TYPE_encrypt_then_mac +#ifdef TLSEXT_TYPE_encrypt_then_mac case TLSEXT_TYPE_encrypt_then_mac: -# endif +#endif return 1; default: return 0; } } -#endif diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 7053c4a714..ce010ca4ed 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -123,13 +123,11 @@ const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT; -#ifndef OPENSSL_NO_TLSEXT static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, const unsigned char *sess_id, int sesslen, SSL_SESSION **psess); static int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); -#endif SSL3_ENC_METHOD const TLSv1_enc_data = { tls1_enc, @@ -208,9 +206,7 @@ int tls1_new(SSL *s) void tls1_free(SSL *s) { -#ifndef OPENSSL_NO_TLSEXT OPENSSL_free(s->tlsext_session_ticket); -#endif /* OPENSSL_NO_TLSEXT */ ssl3_free(s); } 
@@ -912,32 +908,30 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) #endif /* OPENSSL_NO_EC */ -#ifndef OPENSSL_NO_TLSEXT - /* * List of supported signature algorithms and hashes. Should make this * customisable at some point, for now include everything we support. */ -# ifdef OPENSSL_NO_RSA -# define tlsext_sigalg_rsa(md) /* */ -# else -# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, -# endif +#ifdef OPENSSL_NO_RSA +# define tlsext_sigalg_rsa(md) /* */ +#else +# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, +#endif -# ifdef OPENSSL_NO_DSA -# define tlsext_sigalg_dsa(md) /* */ -# else -# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, -# endif +#ifdef OPENSSL_NO_DSA +# define tlsext_sigalg_dsa(md) /* */ +#else +# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, +#endif -# ifdef OPENSSL_NO_EC -# define tlsext_sigalg_ecdsa(md) /* */ -# else -# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, -# endif +#ifdef OPENSSL_NO_EC +# define tlsext_sigalg_ecdsa(md) /* */ +#else +# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa, +#endif -# define tlsext_sigalg(md) \ +#define tlsext_sigalg(md) \ tlsext_sigalg_rsa(md) \ tlsext_sigalg_dsa(md) \ tlsext_sigalg_ecdsa(md) @@ -950,19 +944,19 @@ static const unsigned char tls12_sigalgs[] = { tlsext_sigalg(TLSEXT_hash_sha1) }; -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC static const unsigned char suiteb_sigalgs[] = { tlsext_sigalg_ecdsa(TLSEXT_hash_sha256) tlsext_sigalg_ecdsa(TLSEXT_hash_sha384) }; -# endif +#endif size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs) { /* * If Suite B mode use Suite B sigalgs only, ignore any other * preferences. */ -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC switch (tls1_suiteb(s)) { case SSL_CERT_FLAG_SUITEB_128_LOS: *psigs = suiteb_sigalgs; 
@@ -976,7 +970,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs) *psigs = suiteb_sigalgs + 2; return 2; } -# endif +#endif /* If server use client authentication sigalgs if not NULL */ if (s->server && s->cert->client_sigalgs) { *psigs = s->cert->client_sigalgs; @@ -1008,7 +1002,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC if (pkey->type == EVP_PKEY_EC) { unsigned char curve_id[2], comp_id; /* Check compression and curve matches extensions */ @@ -1039,7 +1033,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, } } else if (tls1_suiteb(s)) return 0; -# endif +#endif /* Check signature matches a type we sent */ sent_sigslen = tls12_get_psigalgs(s, &sent_sigs); @@ -1105,13 +1099,13 @@ void ssl_set_client_disabled(SSL *s) s->s3->tmp.mask_a |= SSL_aPSK; s->s3->tmp.mask_k |= SSL_kPSK; } -# endif /* OPENSSL_NO_PSK */ -# ifndef OPENSSL_NO_SRP +#endif /* OPENSSL_NO_PSK */ +#ifndef OPENSSL_NO_SRP if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) { s->s3->tmp.mask_a |= SSL_aSRP; s->s3->tmp.mask_k |= SSL_kSRP; } -# endif +#endif } int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op) @@ -1136,7 +1130,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, int extdatalen = 0; unsigned char *orig = buf; unsigned char *ret = buf; -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC /* See if we support any ECC ciphersuites */ int using_ecc = 0; if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) { @@ -1156,7 +1150,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, } } } -# endif +#endif ret += 2; 
@@ -1221,7 +1215,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, memcpy(ret, s->tlsext_hostname, size_str); ret += size_str; } -# ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_SRP /* Add SRP username if there is one */ if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the * Client Hello message */ @@ -1248,9 +1242,9 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, memcpy(ret, s->srp_ctx.login, login_len); ret += login_len; } -# endif +#endif -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC if (using_ecc) { /* * Add TLS extension ECPointFormats to the ClientHello message @@ -1311,7 +1305,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, s2n(curves_list_len, ret); ret += curves_list_len; } -# endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_EC */ if (tls_use_ticket(s)) { int ticklen; @@ -1407,7 +1401,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, if (extlen > 0) i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); } -# ifndef OPENSSL_NO_HEARTBEATS +#ifndef OPENSSL_NO_HEARTBEATS /* Add Heartbeat extension */ if ((limit - ret - 4 - 1) < 0) return NULL; @@ -1422,9 +1416,9 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; else *(ret++) = SSL_TLSEXT_HB_ENABLED; -# endif +#endif -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { /* * The client advertises an emtpy extension to indicate its support @@ -1435,7 +1429,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, s2n(TLSEXT_TYPE_next_proto_neg, ret); s2n(0, ret); } -# endif +#endif if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) { if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len) 
@@ -1446,7 +1440,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len); ret += s->alpn_client_proto_list_len; } -# ifndef OPENSSL_NO_SRTP +#ifndef OPENSSL_NO_SRTP if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { int el; @@ -1468,15 +1462,15 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, } ret += el; } -# endif +#endif custom_ext_init(&s->cert->cli_ext); /* Add custom TLS Extensions to ClientHello */ if (!custom_ext_add(s, 0, &ret, limit, al)) return NULL; -# ifdef TLSEXT_TYPE_encrypt_then_mac +#ifdef TLSEXT_TYPE_encrypt_then_mac s2n(TLSEXT_TYPE_encrypt_then_mac, ret); s2n(0, ret); -# endif +#endif s2n(TLSEXT_TYPE_extended_master_secret, ret); s2n(0, ret); @@ -1518,16 +1512,16 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, int extdatalen = 0; unsigned char *orig = buf; unsigned char *ret = buf; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG int next_proto_neg_seen; -# endif -# ifndef OPENSSL_NO_EC +#endif +#ifndef OPENSSL_NO_EC unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)) || (alg_a & SSL_aECDSA); using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); -# endif +#endif ret += 2; if (ret >= limit) @@ -1567,7 +1561,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, s2n(TLSEXT_TYPE_server_name, ret); s2n(0, ret); } -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC if (using_ecc) { const unsigned char *plist; size_t plistlen; 
@@ -1598,7 +1592,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, * Currently the server should not respond with a SupportedCurves * extension */ -# endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_EC */ if (s->tlsext_ticket_expected && tls_use_ticket(s)) { if ((long)(limit - ret - 4) < 0) @@ -1614,7 +1608,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, s2n(0, ret); } -# ifndef OPENSSL_NO_SRTP +#ifndef OPENSSL_NO_SRTP if (SSL_IS_DTLS(s) && s->srtp_profile) { int el; @@ -1635,7 +1629,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, } ret += el; } -# endif +#endif if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) @@ -1654,7 +1648,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, ret += 36; } -# ifndef OPENSSL_NO_HEARTBEATS +#ifndef OPENSSL_NO_HEARTBEATS /* Add Heartbeat extension if we've received one */ if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) { if ((limit - ret - 4 - 1) < 0) @@ -1672,9 +1666,9 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, *(ret++) = SSL_TLSEXT_HB_ENABLED; } -# endif +#endif -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG next_proto_neg_seen = s->s3->next_proto_neg_seen; s->s3->next_proto_neg_seen = 0; if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { @@ -1695,10 +1689,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, s->s3->next_proto_neg_seen = 1; } } -# endif +#endif if (!custom_ext_add(s, 1, &ret, limit, al)) return NULL; -# ifdef TLSEXT_TYPE_encrypt_then_mac +#ifdef TLSEXT_TYPE_encrypt_then_mac if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) { /* * Don't use encrypt_then_mac if AEAD or RC4 might want to disable 
@@ -1712,7 +1706,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, s2n(0, ret); } } -# endif +#endif if (!s->hit && s->session->flags & SSL_SESS_FLAG_EXTMS) { s2n(TLSEXT_TYPE_extended_master_secret, ret); s2n(0, ret); @@ -1808,7 +1802,7 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, return -1; } -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC /*- * ssl_check_for_safari attempts to fingerprint Safari using OS X * SecureTransport using the TLS extension block in |d|, of length |n|. @@ -1889,7 +1883,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, s->s3->is_probably_safari = 1; } -# endif /* !OPENSSL_NO_EC */ +#endif /* !OPENSSL_NO_EC */ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) @@ -1902,33 +1896,33 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, s->servername_done = 0; s->tlsext_status_type = -1; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG s->s3->next_proto_neg_seen = 0; -# endif +#endif OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; -# ifndef OPENSSL_NO_HEARTBEATS +#ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); -# endif +#endif -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) ssl_check_for_safari(s, data, d, n); -# endif /* !OPENSSL_NO_EC */ +#endif /* !OPENSSL_NO_EC */ /* Clear any signature algorithms extension received */ OPENSSL_free(s->s3->tmp.peer_sigalgs); s->s3->tmp.peer_sigalgs = NULL; -# ifdef TLSEXT_TYPE_encrypt_then_mac +#ifdef TLSEXT_TYPE_encrypt_then_mac s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; -# endif +#endif -# ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_SRP OPENSSL_free(s->srp_ctx.login); s->srp_ctx.login = NULL; -# endif +#endif s->srtp_profile = NULL; 
@@ -2051,7 +2045,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, } } -# ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_SRP else if (type == TLSEXT_TYPE_srp) { if (size <= 0 || ((len = data[0])) != (size - 1)) { *al = SSL_AD_DECODE_ERROR; @@ -2071,9 +2065,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, return 0; } } -# endif +#endif -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); @@ -2126,7 +2120,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, ellipticcurvelist_length); } } -# endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_EC */ else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && !s->tls_session_ticket_ext_cb(s, data, size, @@ -2239,7 +2233,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, else s->tlsext_status_type = -1; } -# ifndef OPENSSL_NO_HEARTBEATS +#ifndef OPENSSL_NO_HEARTBEATS else if (type == TLSEXT_TYPE_heartbeat) { switch (data[0]) { case 0x01: /* Client allows us to send HB requests */ @@ -2254,8 +2248,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, return 0; } } -# endif -# ifndef OPENSSL_NO_NEXTPROTONEG +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && s->s3->tmp.finish_md_len == 0 && s->s3->alpn_selected == NULL) { 
@@ -2278,30 +2272,30 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, */ s->s3->next_proto_neg_seen = 1; } -# endif +#endif else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) { if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) return 0; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG /* ALPN takes precedence over NPN. */ s->s3->next_proto_neg_seen = 0; -# endif +#endif } /* session ticket processed earlier */ -# ifndef OPENSSL_NO_SRTP +#ifndef OPENSSL_NO_SRTP else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) && type == TLSEXT_TYPE_use_srtp) { if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) return 0; } -# endif -# ifdef TLSEXT_TYPE_encrypt_then_mac +#endif +#ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; -# endif +#endif else if (type == TLSEXT_TYPE_extended_master_secret) { if (!s->hit) s->session->flags |= SSL_SESS_FLAG_EXTMS; @@ -2355,7 +2349,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, return 1; } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG /* * ssl_next_proto_validate validates a Next Protocol Negotiation block. No * elements of zero length are allowed and the set of elements must exactly @@ -2374,7 +2368,7 @@ static char ssl_next_proto_validate(unsigned char *d, unsigned len) return off == len; } -# endif +#endif static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
@@ -2386,21 +2380,21 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, int tlsext_servername = 0; int renegotiate_seen = 0; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG s->s3->next_proto_neg_seen = 0; -# endif +#endif s->tlsext_ticket_expected = 0; OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; -# ifndef OPENSSL_NO_HEARTBEATS +#ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); -# endif +#endif -# ifdef TLSEXT_TYPE_encrypt_then_mac +#ifdef TLSEXT_TYPE_encrypt_then_mac s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; -# endif +#endif if (data >= (d + n - 2)) goto ri_check; @@ -2433,7 +2427,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, } tlsext_servername = 1; } -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); @@ -2456,7 +2450,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, ecpointformatlist_length); } } -# endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_EC */ else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && @@ -2484,7 +2478,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, /* Set flag to expect CertificateStatus message */ s->tlsext_status_expected = 1; } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && s->s3->tmp.finish_md_len == 0) { unsigned char *selected; @@ -2517,7 +2511,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, s->next_proto_negotiated_len = selected_len; s->s3->next_proto_neg_seen = 1; } -# endif +#endif else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) { unsigned len; 
@@ -2558,7 +2552,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, memcpy(s->s3->alpn_selected, data + 3, len); s->s3->alpn_selected_len = len; } -# ifndef OPENSSL_NO_HEARTBEATS +#ifndef OPENSSL_NO_HEARTBEATS else if (type == TLSEXT_TYPE_heartbeat) { switch (data[0]) { case 0x01: /* Server allows us to send HB requests */ @@ -2573,21 +2567,21 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, return 0; } } -# endif -# ifndef OPENSSL_NO_SRTP +#endif +#ifndef OPENSSL_NO_SRTP else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al)) return 0; } -# endif -# ifdef TLSEXT_TYPE_encrypt_then_mac +#endif +#ifdef TLSEXT_TYPE_encrypt_then_mac else if (type == TLSEXT_TYPE_encrypt_then_mac) { /* Ignore if inappropriate ciphersuite */ if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; } -# endif +#endif else if (type == TLSEXT_TYPE_extended_master_secret) { if (!s->hit) s->session->flags |= SSL_SESS_FLAG_EXTMS; @@ -2661,7 +2655,7 @@ static int ssl_check_clienthello_tlsext_early(SSL *s) int ret = SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC /* * The handling of the ECPointFormats extension is done elsewhere, namely * in ssl3_choose_cipher in s3_lib.c. @@ -2670,7 +2664,7 @@ static int ssl_check_clienthello_tlsext_early(SSL *s) * The handling of the EllipticCurves extension is done elsewhere, namely * in ssl3_choose_cipher in s3_lib.c. */ -# endif +#endif if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) ret = 
@@ -2818,7 +2812,7 @@ int ssl_check_serverhello_tlsext(SSL *s) int ret = SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; -# ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_EC /* * If we are client and using an elliptic curve cryptography cipher * suite, then if server returns an EC point formats lists extension it @@ -2850,7 +2844,7 @@ int ssl_check_serverhello_tlsext(SSL *s) } } ret = SSL_TLSEXT_ERR_OK; -# endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_EC */ if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) ret = @@ -3227,11 +3221,11 @@ typedef struct { } tls12_hash_info; static const tls12_hash_info tls12_md_info[] = { -# ifdef OPENSSL_NO_MD5 +#ifdef OPENSSL_NO_MD5 {NID_md5, 64, 0}, -# else +#else {NID_md5, 64, EVP_md5}, -# endif +#endif {NID_sha1, 80, EVP_sha1}, {NID_sha224, 112, EVP_sha224}, {NID_sha256, 128, EVP_sha256}, @@ -3262,18 +3256,18 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg) static int tls12_get_pkey_idx(unsigned char sig_alg) { switch (sig_alg) { -# ifndef OPENSSL_NO_RSA +#ifndef OPENSSL_NO_RSA case TLSEXT_signature_rsa: return SSL_PKEY_RSA_SIGN; -# endif -# ifndef OPENSSL_NO_DSA +#endif +#ifndef OPENSSL_NO_DSA case TLSEXT_signature_dsa: return SSL_PKEY_DSA_SIGN; -# endif -# ifndef OPENSSL_NO_EC +#endif +#ifndef OPENSSL_NO_EC case TLSEXT_signature_ecdsa: return SSL_PKEY_ECC; -# endif +#endif } return -1; } 
@@ -3336,24 +3330,24 @@ void ssl_set_sig_mask(unsigned long *pmask_a, SSL *s, int op) sigalgslen = tls12_get_psigalgs(s, &sigalgs); for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) { switch (sigalgs[1]) { -# ifndef OPENSSL_NO_RSA +#ifndef OPENSSL_NO_RSA case TLSEXT_signature_rsa: if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs)) have_rsa = 1; break; -# endif -# ifndef OPENSSL_NO_DSA +#endif +#ifndef OPENSSL_NO_DSA case TLSEXT_signature_dsa: if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs)) have_dsa = 1; break; -# endif -# ifndef OPENSSL_NO_EC +#endif +#ifndef OPENSSL_NO_EC case TLSEXT_signature_ecdsa: if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs)) have_ecdsa = 1; break; -# endif +#endif } } if (!have_rsa) @@ -3487,7 +3481,7 @@ int tls1_process_sigalgs(SSL *s) if (!tls1_set_shared_sigalgs(s)) return 0; -# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) { /* * Use first set signature preference to force message digest, @@ -3509,7 +3503,7 @@ int tls1_process_sigalgs(SSL *s) } } } -# endif +#endif for (i = 0, sigptr = c->shared_sigalgs; i < c->shared_sigalgslen; i++, sigptr++) { @@ -3534,20 +3528,20 @@ int tls1_process_sigalgs(SSL *s) * Set any remaining keys to default values. NOTE: if alg is not * supported it stays as NULL. */ -# ifndef OPENSSL_NO_DSA +#ifndef OPENSSL_NO_DSA if (pmd[SSL_PKEY_DSA_SIGN] == NULL) pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1(); -# endif -# ifndef OPENSSL_NO_RSA +#endif +#ifndef OPENSSL_NO_RSA if (pmd[SSL_PKEY_RSA_SIGN] == NULL) { pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1(); pmd[SSL_PKEY_RSA_ENC] = EVP_sha1(); } -# endif -# ifndef OPENSSL_NO_EC +#endif +#ifndef OPENSSL_NO_EC if (pmd[SSL_PKEY_ECC] == NULL) pmd[SSL_PKEY_ECC] = EVP_sha1(); -# endif +#endif } return 1; } 
@@ -3594,7 +3588,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
 return s->cert->shared_sigalgslen;
 }
 
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
 int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
 {
 unsigned char *pl;
@@ -3752,9 +3746,9 @@ int tls1_heartbeat(SSL *s)
 OPENSSL_free(buf);
 return ret;
 }
-# endif
+#endif
 
-# define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
+#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
 
 typedef struct {
 size_t sigalgcnt;
@@ -3897,10 +3891,10 @@ static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
 /* Flags which need to be set for a certificate when stict mode not set */
-# define CERT_PKEY_VALID_FLAGS \
+#define CERT_PKEY_VALID_FLAGS \
 (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
 /* Strict mode flags */
-# define CERT_PKEY_STRICT_FLAGS \
+#define CERT_PKEY_STRICT_FLAGS \
 (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
 | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
@@ -3930,7 +3924,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 /* If no cert or key, forget it */
 if (!x || !pk)
 goto end;
-# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
 /* Allow any certificate to pass test */
 if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
 rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
@@ -3938,7 +3932,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 *pvalid = rv;
 return rv;
 }
-# endif
+#endif
 } else {
 if (!x || !pk)
 return 0;
@@ -4174,7 +4168,6 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
 return tls1_check_chain(s, x, pk, chain, -1);
 }
 
-#endif
 
 #ifndef OPENSSL_NO_DH
 DH *ssl_get_auto_dh(SSL *s)
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 00a3efebac..5161c170b4 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -289,7 +289,6 @@ $cflags.=" -DOPENSSL_NO_DH" if $no_dh;
 $cflags.=" -DOPENSSL_NO_WHIRLPOOL" if $no_whirlpool;
 $cflags.=" -DOPENSSL_NO_SOCK" if $no_sock;
 $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
-$cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
 $cflags.=" -DOPENSSL_NO_SRP" if $no_srp;
 $cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
 $cflags.=" -DOPENSSL_NO_ERR" if $no_err;
@@ -1391,7 +1390,6 @@ sub read_options
 "gaswin" => \$gaswin,
 "no-ssl3" => \$no_ssl3,
 "no-ssl3-method" => 0,
- "no-tlsext" => \$no_tlsext,
 "no-srp" => \$no_srp,
 "no-cms" => \$no_cms,
 "no-jpake" => \$no_jpake,
diff --git a/util/mkdef.pl b/util/mkdef.pl
index e2b1fb6d4a..b21d03b36e 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -81,7 +81,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 # Engines
 "STATIC_ENGINE", "ENGINE", "HW", "GMP",
 # TLS
- "TLSEXT", "PSK", "SRP", "HEARTBEATS",
+ "PSK", "SRP", "HEARTBEATS",
 # CMS
 "CMS",
 # CryptoAPI Engine
@@ -124,7 +124,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
 my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
-my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
+my $no_psk; my $no_cms; my $no_capieng;
 my $no_jpake; my $no_srp; my $no_ec2m; my $no_nistp_gcc; my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace; my $no_unit_test; my $no_ssl3_method; my $no_ocb;
@@ -213,7 +213,6 @@ foreach (@ARGV, split(/ /, $options))
 elsif (/^no-engine$/) { $no_engine=1; }
 elsif (/^no-hw$/) { $no_hw=1; }
 elsif (/^no-gmp$/) { $no_gmp=1; }
- elsif (/^no-tlsext$/) { $no_tlsext=1; }
 elsif (/^no-cms$/) { $no_cms=1; }
 elsif (/^no-ec2m$/) { $no_ec2m=1; }
 elsif (/^no-ec-nistp224-64-gcc-128$/) { $no_nistp_gcc=1; }
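Review bot: Dropping "TLSEXT" from @known_algorithms here (and the matching clause removed from `is_valid` in the next hunk) means a .num entry that still carries a `TLSEXT` tag is no longer a recognised keyword; if I read `is_valid` right, an unrecognised keyword makes the symbol silently drop out of the generated export list instead of being exported unconditionally, which would only surface later as a missing symbol on the platforms that consume that list. The ssleay.num hunks in this commit appear to retag every visible entry, but that is exactly the kind of straggler that is easy to miss, so a one-time `grep -n 'TLSEXT' util/*.num` before merging (and the same check on any out-of-tree .num files) would confirm none remain. The `sub is_valid` body starts outside the hunk that follows, so I cannot see from here whether it warns on unknown keywords.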
@@ -1198,7 +1197,6 @@ sub is_valid
 if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
 if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; }
 if ($keyword eq "GMP" && $no_gmp) { return 0; }
- if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
 if ($keyword eq "PSK" && $no_psk) { return 0; }
 if ($keyword eq "CMS" && $no_cms) { return 0; }
 if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
diff --git a/util/ssleay.num b/util/ssleay.num
index d595fe0e35..1b4755cb12 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -240,8 +240,8 @@ SSL_CTX_sess_get_new_cb 287 EXIST::FUNCTION:
 SSL_CTX_get_client_cert_cb 288 EXIST::FUNCTION:
 SSL_CTX_sess_get_remove_cb 289 EXIST::FUNCTION:
 SSL_set_SSL_CTX 290 EXIST::FUNCTION:
-SSL_get_servername 291 EXIST::FUNCTION:TLSEXT
-SSL_get_servername_type 292 EXIST::FUNCTION:TLSEXT
+SSL_get_servername 291 EXIST::FUNCTION:
+SSL_get_servername_type 292 EXIST::FUNCTION:
 SSL_CTX_set_client_cert_engine 293 EXIST::FUNCTION:ENGINE
 SSL_CTX_use_psk_identity_hint 294 EXIST::FUNCTION:PSK
 SSL_CTX_set_psk_client_callback 295 EXIST::FUNCTION:PSK
@@ -309,21 +309,21 @@ SSL_CIPHER_get_id 349 EXIST::FUNCTION:
 TLSv1_2_method 350 EXIST::FUNCTION:
 SSL_SESSION_get_id_len 351 NOEXIST::FUNCTION:
 kssl_ctx_get0_client_princ 352 NOEXIST::FUNCTION:
-SSL_export_keying_material 353 EXIST::FUNCTION:TLSEXT
+SSL_export_keying_material 353 EXIST::FUNCTION:
 SSL_set_tlsext_use_srtp 354 EXIST::FUNCTION:SRTP
 SSL_CTX_set_next_protos_advertised_cb 355 EXIST:!VMS:FUNCTION:NEXTPROTONEG
 SSL_CTX_set_next_protos_adv_cb 355 EXIST:VMS:FUNCTION:NEXTPROTONEG
 SSL_get0_next_proto_negotiated 356 EXIST::FUNCTION:NEXTPROTONEG
 SSL_get_selected_srtp_profile 357 EXIST::FUNCTION:SRTP
 SSL_CTX_set_tlsext_use_srtp 358 EXIST::FUNCTION:SRTP
-SSL_select_next_proto 359 EXIST::FUNCTION:TLSEXT
+SSL_select_next_proto 359 EXIST::FUNCTION:
 SSL_get_srtp_profiles 360 EXIST::FUNCTION:SRTP
 SSL_CTX_set_next_proto_select_cb 361 EXIST:!VMS:FUNCTION:NEXTPROTONEG
 SSL_CTX_set_next_proto_sel_cb 361 EXIST:VMS:FUNCTION:NEXTPROTONEG
 SSL_SESSION_get_compress_id 362 EXIST::FUNCTION:
 SSL_get0_param 363 EXIST::FUNCTION:
 SSL_CTX_get0_privatekey 364 EXIST::FUNCTION:
-SSL_get_shared_sigalgs 365 EXIST::FUNCTION:TLSEXT
+SSL_get_shared_sigalgs 365 EXIST::FUNCTION:
 SSL_CONF_CTX_finish 366 EXIST::FUNCTION:
 DTLS_method 367 EXIST::FUNCTION:
 DTLS_client_method 368 EXIST::FUNCTION:
@@ -336,40 +336,40 @@ SSL_COMP_set0_compress_methods 374 NOEXIST::FUNCTION:
 SSL_COMP_set0_compression_methods 374 EXIST:!VMS:FUNCTION:
 SSL_COMP_set0_compr_methods 374 EXIST:VMS:FUNCTION:
 SSL_CTX_set_cert_cb 375 EXIST::FUNCTION:
-SSL_CTX_add_client_custom_ext 376 EXIST::FUNCTION:TLSEXT
+SSL_CTX_add_client_custom_ext 376 EXIST::FUNCTION:
 SSL_is_server 377 EXIST::FUNCTION:
 SSL_CTX_get0_param 378 EXIST::FUNCTION:
 SSL_CONF_cmd 379 EXIST::FUNCTION:
 SSL_CTX_get_ssl_method 380 EXIST::FUNCTION:
 SSL_CONF_CTX_set_ssl_ctx 381 EXIST::FUNCTION:
 SSL_CIPHER_find 382 EXIST::FUNCTION:
-SSL_CTX_use_serverinfo 383 EXIST::FUNCTION:TLSEXT
+SSL_CTX_use_serverinfo 383 EXIST::FUNCTION:
 DTLSv1_2_client_method 384 EXIST::FUNCTION:
 SSL_get0_alpn_selected 385 EXIST::FUNCTION:
 SSL_CONF_CTX_clear_flags 386 EXIST::FUNCTION:
 SSL_CTX_set_alpn_protos 387 EXIST::FUNCTION:
-SSL_CTX_add_server_custom_ext 389 EXIST::FUNCTION:TLSEXT
+SSL_CTX_add_server_custom_ext 389 EXIST::FUNCTION:
 SSL_CTX_get0_certificate 390 EXIST::FUNCTION:
 SSL_CTX_set_alpn_select_cb 391 EXIST::FUNCTION:
 SSL_CONF_cmd_value_type 392 EXIST::FUNCTION:
 SSL_set_cert_cb 393 EXIST::FUNCTION:
-SSL_get_sigalgs 394 EXIST::FUNCTION:TLSEXT
+SSL_get_sigalgs 394 EXIST::FUNCTION:
 SSL_CONF_CTX_set1_prefix 395 EXIST::FUNCTION:
 SSL_CONF_CTX_new 396 EXIST::FUNCTION:
 SSL_CONF_CTX_set_flags 397 EXIST::FUNCTION:
 SSL_CONF_CTX_set_ssl 398 EXIST::FUNCTION:
-SSL_check_chain 399 EXIST::FUNCTION:TLSEXT
+SSL_check_chain 399 EXIST::FUNCTION:
 SSL_certs_clear 400 EXIST::FUNCTION:
 SSL_CONF_CTX_free 401 EXIST::FUNCTION:
 SSL_trace 402 EXIST::FUNCTION:SSL_TRACE
 SSL_CTX_set_cli_supp_data 403 NOEXIST::FUNCTION:
 DTLSv1_2_method 404 EXIST::FUNCTION:
 DTLS_server_method 405 EXIST::FUNCTION:
-SSL_CTX_use_serverinfo_file 406 EXIST::FUNCTION:STDIO,TLSEXT
+SSL_CTX_use_serverinfo_file 406 EXIST::FUNCTION:STDIO
 SSL_COMP_free_compress_methods 407 NOEXIST::FUNCTION:
 SSL_COMP_free_compression_methods 407 EXIST:!VMS:FUNCTION:
 SSL_COMP_free_compr_methods 407 EXIST:VMS:FUNCTION:
-SSL_extension_supported 409 EXIST::FUNCTION:TLSEXT
+SSL_extension_supported 409 EXIST::FUNCTION:
 SSL_CTX_get_security_callback 410 EXIST::FUNCTION:
 SSL_SESSION_print_keylog 411 EXIST::FUNCTION:
 SSL_CTX_set_not_resumable_session_callback 412 EXIST:!VMS:FUNCTION: