Remove SSL_OP_SINGLE_ECDH_USE code. (57be4444) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

include/openssl/ssl.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -409,8 +409,8 @@ typedef int (custom_ext_parse_cb) (SSL s, unsigned int ext_type,
		# define SSL_OP_NO_COMPRESSION 0x00020000U
		/* Permit unsafe legacy renegotiation */
		# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U
		/* If set, always create a new key when using tmp_ecdh parameters */
		# define SSL_OP_SINGLE_ECDH_USE 0x00080000U
		/* Does nothing: retained for compatibility */
		# define SSL_OP_SINGLE_ECDH_USE 0x0
		/* If set, always create a new key when using tmp_dh parameters */
		# define SSL_OP_SINGLE_DH_USE 0x00100000U
		/* Does nothing: retained for compatibiity */

ssl/statem/statem_srvr.c

+17 −42

Original line number	Diff line number	Diff line
		@@ -1823,19 +1823,8 @@ int tls_construct_server_key_exchange(SSL *s)
		#endif
		#ifndef OPENSSL_NO_EC
		if (type & (SSL_kECDHE \| SSL_kECDHEPSK)) {
		const EC_GROUP *group;
		EC_KEY *ecdh = NULL;

		/* Get NID of appropriate shared curve */
		int nid = tls1_shared_curve(s, -2);
		if (nid != NID_undef)
		ecdh = EC_KEY_new_by_curve_name(nid);
		if (ecdh == NULL) {
		al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
		SSL_R_MISSING_TMP_ECDH_KEY);
		goto f_err;
		}
		int nid;

		if (s->s3->tmp.ecdh != NULL) {
		SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
		@@ -1843,37 +1832,24 @@ int tls_construct_server_key_exchange(SSL *s)
		goto err;
		}

		s->s3->tmp.ecdh = ecdh;
		if ((EC_KEY_get0_public_key(ecdh) == NULL) \|\|
		(EC_KEY_get0_private_key(ecdh) == NULL) \|\|
		(s->options & SSL_OP_SINGLE_ECDH_USE)) {
		if (!EC_KEY_generate_key(ecdh)) {
		/* Get NID of appropriate shared curve */
		nid = tls1_shared_curve(s, -2);
		curve_id = tls1_ec_nid2curve_id(nid);
		if (curve_id == 0) {
		SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
		ERR_R_ECDH_LIB);
		goto err;
		}
		}

		if (((group = EC_KEY_get0_group(ecdh)) == NULL) \|\|
		(EC_KEY_get0_public_key(ecdh) == NULL) \|\|
		(EC_KEY_get0_private_key(ecdh) == NULL)) {
		SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
		SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
		goto err;
		}

		/*
		* XXX: For now, we only support ephemeral ECDH keys over named
		* (not generic) curves. For supported named curves, curve_id is
		* non-zero.
		*/
		if ((curve_id =
		tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
		== 0) {
		ecdh = EC_KEY_new_by_curve_name(nid);
		if (ecdh == NULL \|\| !EC_KEY_generate_key(ecdh)) {
		al = SSL_AD_INTERNAL_ERROR;
		SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
		SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
		goto err;
		ERR_R_EC_LIB);
		goto f_err;
		}

		s->s3->tmp.ecdh = ecdh;

		/*
		* Encode the public key. First check the size of encoding and
		* allocate memory accordingly.
		@@ -1887,10 +1863,9 @@ int tls_construct_server_key_exchange(SSL *s)
		}

		/*
		* XXX: For now, we only support named (not generic) curves in
		* ECDH ephemeral key exchanges. In this situation, we need four
		* additional bytes to encode the entire ServerECDHParams
		* structure.
		* We only support named (not generic) curves in ECDH ephemeral key
		* exchanges. In this situation, we need four additional bytes to
		* encode the entire ServerECDHParams structure.
		*/
		n += 4 + encodedlen;

Admin message