Commit 6f78b9e8 authored by Kurt Roeckx's avatar Kurt Roeckx
Browse files

Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). 



This only gets used to set a specific curve without actually checking that the
peer supports it or not and can therefor result in handshake failures that can
be avoided by selecting a different cipher.

Reviewed-by: default avatarDr. Stephen Henson <steve@openssl.org>
parent ad3819c2

CHANGES

+4 −0
Original line number Diff line number Diff line
@@ -13,6 +13,10 @@ 
     pages. This work was developed in partnership with Intel Corp.

     [Matt Caswell]



  *) Remove support for SSL_{CTX_}set_tmp_ecdh_callback().  You should set the

     curve you want to support using SSL_{CTX_}set1_curves().

     [Kurt Roeckx]



  *) State machine rewrite. The state machine code has been significantly

     refactored in order to remove much duplication of code and solve issues

     with the old code (see ssl/statem/README for further details). This change

include/openssl/ssl.h

+0 −9
Original line number Diff line number Diff line
@@ -1119,7 +1119,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 
# define SSL_CTRL_SET_TMP_ECDH                   4

# define SSL_CTRL_SET_TMP_RSA_CB                 5

# define SSL_CTRL_SET_TMP_DH_CB                  6

# define SSL_CTRL_SET_TMP_ECDH_CB                7

# define SSL_CTRL_GET_SESSION_REUSED             8

# define SSL_CTRL_GET_CLIENT_CERT_REQUEST        9

# define SSL_CTRL_GET_NUM_RENEGOTIATIONS         10
@@ -1772,14 +1771,6 @@ void SSL_set_tmp_dh_callback(SSL *ssl, 
                             DH *(*dh) (SSL *ssl, int is_export,

                                        int keylength));

# endif

# ifndef OPENSSL_NO_EC

void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,

                                   EC_KEY *(*ecdh) (SSL *ssl, int is_export,

                                                    int keylength));

void SSL_set_tmp_ecdh_callback(SSL *ssl,

                               EC_KEY *(*ecdh) (SSL *ssl, int is_export,

                                                int keylength));

# endif



__owur const COMP_METHOD *SSL_get_current_compression(SSL *s);

__owur const COMP_METHOD *SSL_get_current_expansion(SSL *s);

ssl/s3_lib.c

+0 −24
Original line number Diff line number Diff line
@@ -4095,11 +4095,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 
            ret = 1;

        }

        break;

    case SSL_CTRL_SET_TMP_ECDH_CB:

        {

            SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

            return (ret);

        }

#endif                          /* !OPENSSL_NO_EC */

    case SSL_CTRL_SET_TLSEXT_HOSTNAME:

        if (larg == TLSEXT_NAMETYPE_host_name) {
@@ -4422,13 +4417,6 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) 
            s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;

        }

        break;

#endif

#ifndef OPENSSL_NO_EC

    case SSL_CTRL_SET_TMP_ECDH_CB:

        {

            s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;

        }

        break;

#endif

    case SSL_CTRL_SET_TLSEXT_DEBUG_CB:

        s->tlsext_debug_cb = (void (*)(SSL *, int, int,
@@ -4558,11 +4546,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 
            return 1;

        }

        /* break; */

    case SSL_CTRL_SET_TMP_ECDH_CB:

        {

            SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

            return (0);

        }

#endif                          /* !OPENSSL_NO_EC */

    case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:

        ctx->tlsext_servername_arg = parg;
@@ -4732,13 +4715,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) 
            cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;

        }

        break;

#endif

#ifndef OPENSSL_NO_EC

    case SSL_CTRL_SET_TMP_ECDH_CB:

        {

            cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;

        }

        break;

#endif

    case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:

        ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;

ssl/ssl_cert.c

+0 −1
Original line number Diff line number Diff line
@@ -239,7 +239,6 @@ CERT *ssl_cert_dup(CERT *cert) 
            goto err;

        }

    }

    ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;

    ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;

#endif

ssl/ssl_lib.c

+1 −18
Original line number Diff line number Diff line
@@ -2037,7 +2037,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) 
#endif



#ifndef OPENSSL_NO_EC

    have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);

    have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_auto);

#endif

    cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);

    rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;
@@ -3142,23 +3142,6 @@ void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, 
}

#endif



#ifndef OPENSSL_NO_EC

void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,

                                   EC_KEY *(*ecdh) (SSL *ssl, int is_export,

                                                    int keylength))

{

    SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB,

                          (void (*)(void))ecdh);

}



void SSL_set_tmp_ecdh_callback(SSL *ssl,

                               EC_KEY *(*ecdh) (SSL *ssl, int is_export,

                                                int keylength))

{

    SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB, (void (*)(void))ecdh);

}

#endif



#ifndef OPENSSL_NO_PSK

int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)

{