[openssl-commits] [openssl] master update
Ben Laurie
ben at openssl.org
Fri Dec 11 18:39:00 UTC 2015
The branch master has been updated
via 94d61512360c4d16762a13e27fcad39ca4f5e506 (commit)
from ea11c6e92090078319e606d5639b7a81bdd57897 (commit)
- Log -----------------------------------------------------------------
commit 94d61512360c4d16762a13e27fcad39ca4f5e506
Author: Ben Laurie <ben at links.org>
Date: Sat Sep 12 17:17:33 2015 +0100
Make no-dh work, plus other no-dh problems found by Richard.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/engine/eng_cryptodev.c | 11 ++++++++++-
ssl/s3_lib.c | 12 +++---------
ssl/statem/statem_srvr.c | 4 ++--
test/recipes/70-test_sslskewith0p.t | 4 ++++
4 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index d1c0029..dede52d 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -55,7 +55,9 @@
# include <errno.h>
# include <string.h>
#endif
-#include <openssl/dh.h>
+#ifndef OPENSSL_NO_DH
+# include <openssl/dh.h>
+#endif
#include <openssl/dsa.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
@@ -125,11 +127,13 @@ static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen,
DSA *dsa);
static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
+#ifndef OPENSSL_NO_DH
static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *m_ctx);
static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key,
DH *dh);
+#endif
static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
void (*f) (void));
void ENGINE_load_cryptodev(void);
@@ -1364,6 +1368,7 @@ static DSA_METHOD cryptodev_dsa = {
NULL /* app_data */
};
+#ifndef OPENSSL_NO_DH
static int
cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
@@ -1425,6 +1430,8 @@ static DH_METHOD cryptodev_dh = {
NULL /* app_data */
};
+#endif /* ndef OPENSSL_NO_DH */
+
/*
* ctrl right now is just a wrapper that doesn't do much
* but I expect we'll want some options soon.
@@ -1512,6 +1519,7 @@ void ENGINE_load_cryptodev(void)
cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify;
}
+#ifndef OPENSSL_NO_DH
if (ENGINE_set_DH(engine, &cryptodev_dh)) {
const DH_METHOD *dh_meth = DH_OpenSSL();
@@ -1524,6 +1532,7 @@ void ENGINE_load_cryptodev(void)
cryptodev_dh.compute_key = cryptodev_dh_compute_key;
}
}
+#endif
ENGINE_add(engine);
ENGINE_free(engine);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index b6a73b9..ee00741 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4250,16 +4250,14 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
- CERT *cert;
-
- cert = ctx->cert;
-
switch (cmd) {
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *new = NULL, *dh;
+ CERT *cert;
+ cert = ctx->cert;
dh = (DH *)parg;
if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
DH_security_bits(dh), 0, dh)) {
@@ -4464,15 +4462,11 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
{
- CERT *cert;
-
- cert = ctx->cert;
-
switch (cmd) {
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
- cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
+ cxt->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
}
break;
#endif
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 3ccb287..51dcc9e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1729,7 +1729,6 @@ int tls_construct_server_key_exchange(SSL *s)
int al, i;
unsigned long type;
int n;
- CERT *cert;
BIGNUM *r[4];
int nr[4], kn;
BUF_MEM *buf;
@@ -1742,7 +1741,6 @@ int tls_construct_server_key_exchange(SSL *s)
}
type = s->s3->tmp.new_cipher->algorithm_mkey;
- cert = s->cert;
buf = s->init_buf;
@@ -1763,6 +1761,8 @@ int tls_construct_server_key_exchange(SSL *s)
#endif /* !OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_DH
if (type & (SSL_kDHE | SSL_kDHEPSK)) {
+ CERT *cert = s->cert;
+
if (s->cert->dh_tmp_auto) {
dhp = ssl_get_auto_dh(s);
if (dhp == NULL) {
diff --git a/test/recipes/70-test_sslskewith0p.t b/test/recipes/70-test_sslskewith0p.t
index 3f5e131..b3c5dc1 100755
--- a/test/recipes/70-test_sslskewith0p.t
+++ b/test/recipes/70-test_sslskewith0p.t
@@ -54,6 +54,7 @@
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr top_file top_dir/;
+use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
my $test_name = "test_sslskewith0p";
@@ -64,6 +65,9 @@ plan skip_all => "$test_name can only be performed with OpenSSL configured share
grep { /^SHARED_LIBS=/ }
do { local @ARGV = ( top_file("Makefile") ); <> })[0] ne "";
+plan skip_all => "dh is not supported by this OpenSSL build"
+ if disabled("dh");
+
$ENV{OPENSSL_ENGINES} = top_dir("engines");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
More information about the openssl-commits
mailing list