From c0b85757f9e86cad92f828b911ea147c1b80283f Mon Sep 17 00:00:00 2001
From: jsing
Date: Fri, 7 Jan 2022 16:45:06 +0000
Subject: [PATCH] Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect reality.

ok inoguchi@ tb@
---
 lib/libssl/s3_lib.c | 31 ++++++++++++++++++-------------
 lib/libssl/ssl_cert.c | 16 ++++++++--------
 lib/libssl/ssl_lib.c | 7 ++++---
 lib/libssl/ssl_locl.h | 8 ++++----
 lib/libssl/ssl_srvr.c | 10 +++++-----
 5 files changed, 39 insertions(+), 33 deletions(-)

diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 899432e947d..1ede113cbb2 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.222 2022/01/07 15:46:30 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.223 2022/01/07 16:45:06 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1708,20 +1708,20 @@ _SSL_total_renegotiations(SSL *s)
 static int
 _SSL_set_tmp_dh(SSL *s, DH *dh)
 {
-	DH *dh_tmp;
+	DH *dhe_params;
 
 	if (dh == NULL) {
 		SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
 		return 0;
 	}
 
-	if ((dh_tmp = DHparams_dup(dh)) == NULL) {
+	if ((dhe_params = DHparams_dup(dh)) == NULL) {
 		SSLerror(s, ERR_R_DH_LIB);
 		return 0;
 	}
 
-	DH_free(s->cert->dh_tmp);
-	s->cert->dh_tmp = dh_tmp;
+	DH_free(s->cert->dhe_params);
+	s->cert->dhe_params = dhe_params;
 
 	return 1;
 }
@@ -1729,7 +1729,7 @@ _SSL_set_tmp_dh(SSL *s, DH *dh)
 static int
 _SSL_set_dh_auto(SSL *s, int state)
 {
-	s->cert->dh_tmp_auto = state;
+	s->cert->dhe_params_auto = state;
 
 	return 1;
 }
@@ -2122,7 +2122,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
 		return 0;
 
 	case SSL_CTRL_SET_TMP_DH_CB:
-		s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
+		s->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp;
 		return 1;
 
 	case SSL_CTRL_SET_TMP_ECDH_CB:
@@ -2140,15 +2140,20 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
 static int
 _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
 {
-	DH *dh_tmp;
+	DH *dhe_params;
 
-	if ((dh_tmp = DHparams_dup(dh)) == NULL) {
+	if (dh == NULL) {
+		SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
+		return 0;
+	}
+
+	if ((dhe_params = DHparams_dup(dh)) == NULL) {
 		SSLerrorx(ERR_R_DH_LIB);
 		return 0;
 	}
 
-	DH_free(ctx->internal->cert->dh_tmp);
-	ctx->internal->cert->dh_tmp = dh_tmp;
+	DH_free(ctx->internal->cert->dhe_params);
+	ctx->internal->cert->dhe_params = dhe_params;
 
 	return 1;
 }
@@ -2156,7 +2161,7 @@ _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
 static int
 _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state)
 {
-	ctx->internal->cert->dh_tmp_auto = state;
+	ctx->internal->cert->dhe_params_auto = state;
 
 	return 1;
 }
@@ -2443,7 +2448,7 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
 		return 0;
 
 	case SSL_CTRL_SET_TMP_DH_CB:
-		ctx->internal->cert->dh_tmp_cb =
+		ctx->internal->cert->dhe_params_cb =
 		    (DH *(*)(SSL *, int, int))fp;
 		return 1;
 
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index faa9886b90e..173e217c8f2 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.90 2022/01/07 15:56:33 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.91 2022/01/07 16:45:06 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
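Review bot: The `if (dh == NULL)` guard added to `_SSL_CTX_set_tmp_dh` is a behavioural change, not part of the rename the commit message describes, and a reader searching history for when the NULL argument started being rejected will not find it under this title. It does bring the function in line with `_SSL_set_tmp_dh`, which already has the same check in the @@ -1708 hunk, so the change itself looks right; it just deserves a sentence in the commit message or its own commit. What `DHparams_dup(NULL)` did before this patch is not visible here, so whether this closes a crash or only replaces a less specific error is left to the author to state.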
@@ -195,15 +195,15 @@ ssl_cert_dup(CERT *cert)
 	ret->mask_k = cert->mask_k;
 	ret->mask_a = cert->mask_a;
 
-	if (cert->dh_tmp != NULL) {
-		ret->dh_tmp = DHparams_dup(cert->dh_tmp);
-		if (ret->dh_tmp == NULL) {
+	if (cert->dhe_params != NULL) {
+		ret->dhe_params = DHparams_dup(cert->dhe_params);
+		if (ret->dhe_params == NULL) {
 			SSLerrorx(ERR_R_DH_LIB);
 			goto err;
 		}
 	}
-	ret->dh_tmp_cb = cert->dh_tmp_cb;
-	ret->dh_tmp_auto = cert->dh_tmp_auto;
+	ret->dhe_params_cb = cert->dhe_params_cb;
+	ret->dhe_params_auto = cert->dhe_params_auto;
 
 	for (i = 0; i < SSL_PKEY_NUM; i++) {
 		if (cert->pkeys[i].x509 != NULL) {
@@ -256,7 +256,7 @@ ssl_cert_dup(CERT *cert)
 	return (ret);
 
 err:
-	DH_free(ret->dh_tmp);
+	DH_free(ret->dhe_params);
 
 	for (i = 0; i < SSL_PKEY_NUM; i++) {
 		X509_free(ret->pkeys[i].x509);
@@ -280,7 +280,7 @@ ssl_cert_free(CERT *c)
 	if (i > 0)
 		return;
 
-	DH_free(c->dh_tmp);
+	DH_free(c->dhe_params);
 
 	for (i = 0; i < SSL_PKEY_NUM; i++) {
 		X509_free(c->pkeys[i].x509);
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index a0d3d057750..4fe7fb58dce 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.280 2021/12/04 14:03:22 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.281 2022/01/07 16:45:06 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2198,7 +2198,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	mask_a = SSL_aNULL | SSL_aTLS1_3;
 	mask_k = SSL_kECDHE | SSL_kTLS1_3;
 
-	if (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto != 0)
+	if (c->dhe_params != NULL || c->dhe_params_cb != NULL ||
+	    c->dhe_params_auto != 0)
 		mask_k |= SSL_kDHE;
 
 	cpk = &(c->pkeys[SSL_PKEY_ECC]);
@@ -2324,7 +2325,7 @@ ssl_dhe_params_auto_key_bits(SSL *s)
 	CERT_PKEY *cpk;
 	int key_bits;
 
-	if (s->cert->dh_tmp_auto == 2) {
+	if (s->cert->dhe_params_auto == 2) {
 		key_bits = 1024;
 	} else if (S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) {
 		key_bits = 1024;
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index cc7b342247d..5361704d707 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.375 2022/01/07 15:46:30 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.376 2022/01/07 16:45:06 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1212,9 +1212,9 @@ typedef struct cert_st {
 	unsigned long mask_k;
 	unsigned long mask_a;
 
-	DH *dh_tmp;
-	DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
-	int dh_tmp_auto;
+	DH *dhe_params;
+	DH *(*dhe_params_cb)(SSL *ssl, int is_export, int keysize);
+	int dhe_params_auto;
 
 	CERT_PKEY pkeys[SSL_PKEY_NUM];
 
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index b66a2c108dd..9fad66b91a5 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.131 2022/01/07 15:46:30 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.132 2022/01/07 16:45:06 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1315,7 +1315,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 	if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
 		goto err;
 
-	if (s->cert->dh_tmp_auto != 0) {
+	if (s->cert->dhe_params_auto != 0) {
 		size_t key_bits;
 
 		if ((key_bits = ssl_dhe_params_auto_key_bits(s)) == 0) {
@@ -1327,10 +1327,10 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 
 		tls_key_share_set_key_bits(S3I(s)->hs.key_share, key_bits);
 	} else {
-		DH *dh_params = s->cert->dh_tmp;
+		DH *dh_params = s->cert->dhe_params;
 
-		if (dh_params == NULL && s->cert->dh_tmp_cb != NULL)
-			dh_params = s->cert->dh_tmp_cb(s, 0,
+		if (dh_params == NULL && s->cert->dhe_params_cb != NULL)
+			dh_params = s->cert->dhe_params_cb(s, 0,
 			    SSL_C_PKEYLENGTH(S3I(s)->hs.cipher));
 
 		if (dh_params == NULL) {
-- 
2.20.1