diff --git a/configure.ac b/configure.ac
index 4895003e7..c07e22d82 100644
--- a/configure.ac
+++ b/configure.ac
@@ -772,9 +772,9 @@ AM_CONDITIONAL([BUILD_RSA], [test "x$ENABLED_RSA" = "xyes"])
 
 # DH
 AC_ARG_ENABLE([dh],
- [ --enable-dh Enable DH (default: enabled)],
+ [ --enable-dh Enable DH (default: disabled)],
 [ ENABLED_DH=$enableval ],
- [ ENABLED_DH=yes ]
+ [ ENABLED_DH=no ]
 )
 
 if test "$ENABLED_DH" = "no"
diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index be7c505b9..022109ce6 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -1163,8 +1163,6 @@ int DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g, word32 gSz)
 }
 
 
-#ifdef OPENSSL_EXTRA
-
 int DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
 byte* g, word32* gInOutSz)
 {
@@ -1213,7 +1211,6 @@ int DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
 return 0;
 }
 
-#endif /* OPENSSL_EXTRA */
 #endif /* NO_DH */
 
 
diff --git a/cyassl/internal.h b/cyassl/internal.h
index 41491c14d..533289230 100644
--- a/cyassl/internal.h
+++ b/cyassl/internal.h
@@ -214,7 +214,7 @@ void c32to24(word32 in, word24 out);
 #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
 #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
 #endif
- #if !defined(NO_DH) && defined(OPENSSL_EXTRA)
+ #if !defined(NO_DH)
 #if !defined(NO_SHA)
 #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
@@ -291,7 +291,7 @@ void c32to24(word32 in, word24 out);
 #endif
 
 #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
- !defined(NO_RSA) && defined(OPENSSL_EXTRA)
+ !defined(NO_RSA)
 #if !defined(NO_SHA)
 #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
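Review bot: Flipping `ENABLED_DH` to `no` by default removes every `BUILD_TLS_DHE_*` suite from a plain `./configure` build, since the internal.h hunks in this commit now key those suites off `NO_DH`; a server that relied on DHE for forward secrecy will negotiate static-RSA key exchange unless it is rebuilt with `--enable-dh`. Nothing in the hunk or the commit explains the new default, so a README or changelog line such as `DH is now disabled by default; configure with --enable-dh to keep the DHE cipher suites` would spare users an unexpected cipher-suite regression. The `if test "$ENABLED_DH" = "no"` branch that applies the setting continues outside the hunk.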
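Review bot: `DhParamsLoad` is now compiled in every `!NO_DH` build, but the two asn.c hunks only change the definition's guards; if its prototype in the corresponding header is still wrapped in `OPENSSL_EXTRA`, the non-`OPENSSL_EXTRA` callers this commit enables in ssl.c will hit an implicit declaration. Worth confirming the declaration's guard was switched to the same `#ifndef NO_DH` (I cannot see the header from here). The function body lies between the two hunks and is outside them.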
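Review bot: The new guard `#if !defined(NO_DH)` on the Camellia block enables `BUILD_TLS_DHE_RSA_WITH_CAMELLIA_*` without checking `NO_RSA`, while the AES block in the next hunk requires `!defined(NO_RSA)`; unless this block is nested inside an RSA guard outside the hunk, a `NO_RSA` build with DH enabled would define DHE-RSA suites it cannot negotiate. `#if !defined(NO_DH) && !defined(NO_RSA)` would match the AES block. The omission predates the commit, but the guard line is being rewritten anyway.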
@@ -309,8 +309,7 @@ void c32to24(word32 in, word24 out);
 
 #endif
 
-#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \
- defined(OPENSSL_EXTRA)
+#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS)
 #ifndef NO_SHA256
 #define BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
 #ifdef HAVE_NULL_CIPHER
diff --git a/cyassl/test.h b/cyassl/test.h
index 1026b2f9b..179e049ec 100644
--- a/cyassl/test.h
+++ b/cyassl/test.h
@@ -932,6 +932,7 @@ static INLINE void CaCb(unsigned char* der, int sz, int type)
 }
 
 
+#ifndef NO_DH
 static INLINE void SetDH(CYASSL* ssl)
 {
 /* dh1024 p */
@@ -985,7 +986,7 @@ static INLINE void SetDHCtx(CYASSL_CTX* ctx)
 CyaSSL_CTX_SetTmpDH(ctx, p, sizeof(p), g, sizeof(g));
 }
 
-
+#endif /* NO_DH */
 #endif /* !NO_CERTS */
 
 #ifdef HAVE_CAVIUM
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
index 33f6df3df..214284eb8 100644
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -227,9 +227,9 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
 ssl = CyaSSL_new(ctx);
 if (ssl == NULL) err_sys("SSL_new failed");
 CyaSSL_set_fd(ssl, clientfd);
- #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+ #if !defined(NO_FILESYSTEM) && !defined(NO_DH)
 CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
- #elif !defined(NO_CERTS)
+ #elif !defined(NO_DH)
 SetDH(ssl); /* will repick suites with DHE, higher than PSK */
 #endif
 if (CyaSSL_accept(ssl) != SSL_SUCCESS) {
diff --git a/examples/server/server.c b/examples/server/server.c
index 6e1358e8c..43a5ad7fb 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
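Review bot: `#elif !defined(NO_DH)` calls `SetDH(ssl)`, but the test.h hunk in this commit defines `SetDH` only inside `#ifndef NO_CERTS`, so a build with `NO_CERTS` and `NO_FILESYSTEM` but DH enabled now calls an undeclared function where the old `#elif !defined(NO_CERTS)` compiled cleanly. `#elif !defined(NO_DH) && !defined(NO_CERTS)` keeps both requirements. The same replacement appears in the server.c hunk and in both tests/api.c hunks. The `CyaSSL_SetTmpDH_file` call on the context line between still ignores its return value, which predates this change but presumably means an unreadable `dhParam` file quietly leaves the server without DHE suites.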
@@ -481,9 +481,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 SSL_set_fd(ssl, clientfd);
 
 if (usePsk == 0 || cipherList != NULL) {
- #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+ #if !defined(NO_FILESYSTEM) && !defined(NO_DH)
 CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
- #elif !defined(NO_CERTS)
+ #elif !defined(NO_DH)
 SetDH(ssl); /* repick suites with DHE, higher priority than PSK */
 #endif
 }
diff --git a/src/internal.c b/src/internal.c
index ea071d865..cd976a1e9 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -58,10 +58,6 @@
 #endif
 
 
-#if defined(OPENSSL_EXTRA) && defined(NO_DH)
- #error OPENSSL_EXTRA needs DH, please remove NO_DH
-#endif
-
 #if defined(CYASSL_CALLBACKS) && !defined(LARGE_STATIC_BUFFERS)
 #error \
 CYASSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
@@ -8581,7 +8577,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 return 0;
 }
 #endif
- #ifdef OPENSSL_EXTRA
+ #ifndef NO_DH
 if (ssl->specs.kea == diffie_hellman_kea)
 {
 /* p */
@@ -8647,7 +8643,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length);
 *inOutIdx += length;
 } /* dh_kea */
- #endif /* OPENSSL_EXTRA */
+ #endif /* NO_DH */
 
 #ifdef HAVE_ECC
 if (ssl->specs.kea == ecc_diffie_hellman_kea)
@@ -8682,7 +8678,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 }
 #endif /* HAVE_ECC */
 
- #if defined(OPENSSL_EXTRA) && !defined(NO_PSK)
+ #if !defined(NO_DH) && !defined(NO_PSK)
 if (ssl->specs.kea == dhe_psk_kea) {
 if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
 return BUFFER_ERROR;
@@ -8762,9 +8758,9 @@ static void PickHashSigAlgo(CYASSL* ssl,
 XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length);
 *inOutIdx += length;
 }
- #endif /* OPENSSL_EXTRA || !NO_PSK */
+ #endif /* !NO_DH || !NO_PSK */
 
- #if defined(OPENSSL_EXTRA) || defined(HAVE_ECC)
+ #if !defined(NO_DH) || defined(HAVE_ECC)
 if (ssl->specs.kea == ecc_diffie_hellman_kea ||
 ssl->specs.kea == diffie_hellman_kea)
 {
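Review bot: The rewritten closing comment `#endif /* !NO_DH || !NO_PSK */` does not describe the guard it closes, which is `#if !defined(NO_DH) && !defined(NO_PSK)` from the preceding hunk; the old comment carried the same `||` slip, but since the line is being rewritten it should read `#endif /* !NO_DH && !NO_PSK */`, as the later hunks in this file already do. The enclosing function starts and ends outside the hunk.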
@@ -9011,9 +9007,9 @@ static void PickHashSigAlgo(CYASSL* ssl,
 ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
 }
 return 0;
-#else /* HAVE_OPENSSL or HAVE_ECC */
+#else /* !NO_DH or HAVE_ECC */
 return NOT_COMPILED_IN; /* not supported by build */
-#endif /* HAVE_OPENSSL or HAVE_ECC */
+#endif /* !NO_DH or HAVE_ECC */
 }
 
 
@@ -9074,7 +9070,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 }
 break;
 #endif
- #ifdef OPENSSL_EXTRA
+ #ifndef NO_DH
 case diffie_hellman_kea:
 {
 buffer serverP = ssl->buffers.serverDH_P;
@@ -9102,7 +9098,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 FreeDhKey(&key);
 }
 break;
- #endif /* OPENSSL_EXTRA */
+ #endif /* NO_DH */
 #ifndef NO_PSK
 case psk_kea:
 {
@@ -9133,7 +9129,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 }
 break;
 #endif /* NO_PSK */
- #if defined(OPENSSL_EXTRA) && !defined(NO_PSK)
+ #if !defined(NO_DH) && !defined(NO_PSK)
 case dhe_psk_kea:
 {
 byte* pms = ssl->arrays->preMasterSecret;
@@ -9199,7 +9195,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 ssl->arrays->psk_keySz = 0; /* No further need */
 }
 break;
- #endif /* OPENSSL_EXTRA && !NO_PSK */
+ #endif /* !NO_DH && !NO_PSK */
 #ifdef HAVE_NTRU
 case ntru_kea:
 {
@@ -9845,7 +9841,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 }
 #endif /*NO_PSK */
 
- #if defined(OPENSSL_EXTRA) && !defined(NO_PSK)
+ #if !defined(NO_DH) && !defined(NO_PSK)
 if (ssl->specs.kea == dhe_psk_kea) {
 byte *output;
 word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
@@ -9963,7 +9959,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 ret = SendBuffered(ssl);
 ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
 }
- #endif /* OPENSSL_EXTRA && !NO_PSK */
+ #endif /* !NO_DH && !NO_PSK */
 
 #ifdef HAVE_ECC
 if (ssl->specs.kea == ecc_diffie_hellman_kea)
@@ -10307,7 +10303,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 }
 #endif /* HAVE_ECC */
 
- #if defined(OPENSSL_EXTRA) && !defined(NO_RSA)
+ #if !defined(NO_DH) && !defined(NO_RSA)
 if (ssl->specs.kea == diffie_hellman_kea) {
 byte *output;
 word32 length = 0, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
@@ -10588,7 +10584,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 ret = SendBuffered(ssl);
 ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
 }
- #endif /* OPENSSL_EXTRA */
+ #endif /* NO_DH */
 
 return ret;
 }
@@ -11703,7 +11699,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 }
 break;
 #endif /* HAVE_ECC */
- #ifdef OPENSSL_EXTRA
+ #ifndef NO_DH
 case diffie_hellman_kea:
 {
 word16 clientPubSz;
@@ -11737,8 +11733,8 @@ static void PickHashSigAlgo(CYASSL* ssl,
 ret = MakeMasterSecret(ssl);
 }
 break;
- #endif /* OPENSSL_EXTRA */
- #if defined(OPENSSL_EXTRA) && !defined(NO_PSK)
+ #endif /* NO_DH */
+ #if !defined(NO_DH) && !defined(NO_PSK)
 case dhe_psk_kea:
 {
 byte* pms = ssl->arrays->preMasterSecret;
@@ -11815,7 +11811,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
 ssl->arrays->psk_keySz = 0;
 }
 break;
- #endif /* OPENSSL_EXTRA && !NO_PSK */
+ #endif /* !NO_DH && !NO_PSK */
 default:
 {
 CYASSL_MSG("Bad kea type");
diff --git a/src/ssl.c b/src/ssl.c
index 5e916a47a..9f1a5f107 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -362,8 +362,8 @@ int CyaSSL_GetObjectSize(void)
 }
 #endif
 
-/* XXX should be NO_DH */
-#ifndef NO_CERTS
+
+#ifndef NO_DH
 /* server Diffie-Hellman parameters, SSL_SUCCESS on ok */
 int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
 const unsigned char* g, int gSz)
@@ -415,7 +415,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
 CYASSL_LEAVE("CyaSSL_SetTmpDH", 0);
 return SSL_SUCCESS;
 }
-#endif /* !NO_CERTS */
+#endif /* !NO_DH */
 
 
 int CyaSSL_write(CYASSL* ssl, const void* data, int sz)
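Review bot: `#endif /* NO_DH */` in the `@@ -10588` hunk closes the guard `#if !defined(NO_DH) && !defined(NO_RSA)` opened in the `@@ -10307` hunk, so the comment drops half of the condition; `#endif /* !NO_DH && !NO_RSA */` would match the pattern used for the `NO_PSK` blocks elsewhere in this file. The same closing-comment drift shows up in ssl.c, where the `@@ -415` hunk writes `#endif /* !NO_DH */` (matching the file's existing `/* !NO_CERTS */` form) while the `@@ -3288` and `@@ -10312` hunks write `#endif /* NO_DH */`; picking the `!NO_DH` form for those two keeps ssl.c consistent with itself. The enclosing functions in both files start outside the hunks.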
@@ -3105,42 +3105,7 @@ int CyaSSL_CTX_use_certificate_chain_file(CYASSL_CTX* ctx, const char* file)
 }
 
 
-#ifdef OPENSSL_EXTRA
-/* put SSL type in extra for now, not very common */
-
-int CyaSSL_use_certificate_file(CYASSL* ssl, const char* file, int format)
-{
- CYASSL_ENTER("CyaSSL_use_certificate_file");
- if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 0, NULL)
- == SSL_SUCCESS)
- return SSL_SUCCESS;
-
- return SSL_FAILURE;
-}
-
-
-int CyaSSL_use_PrivateKey_file(CYASSL* ssl, const char* file, int format)
-{
- CYASSL_ENTER("CyaSSL_use_PrivateKey_file");
- if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0, NULL)
- == SSL_SUCCESS)
- return SSL_SUCCESS;
-
- return SSL_FAILURE;
-}
-
-
-int CyaSSL_use_certificate_chain_file(CYASSL* ssl, const char* file)
-{
- /* procces up to MAX_CHAIN_DEPTH plus subject cert */
- CYASSL_ENTER("CyaSSL_use_certificate_chain_file");
- if (ProcessFile(ssl->ctx, file, SSL_FILETYPE_PEM, CERT_TYPE, ssl, 1, NULL)
- == SSL_SUCCESS)
- return SSL_SUCCESS;
-
- return SSL_FAILURE;
-}
-
+#ifndef NO_DH
 
 /* server wrapper for ctx or ssl Diffie-Hellman parameters */
 static int CyaSSL_SetTmpDH_buffer_wrapper(CYASSL_CTX* ctx, CYASSL* ssl,
@@ -3185,6 +3150,7 @@ static int CyaSSL_SetTmpDH_buffer_wrapper(CYASSL_CTX* ctx, CYASSL* ssl,
 return ret;
 }
 
+
 /* server Diffie-Hellman parameters, SSL_SUCCESS on ok */
 int CyaSSL_SetTmpDH_buffer(CYASSL* ssl, const unsigned char* buf, long sz,
 int format)
@@ -3201,34 +3167,6 @@ int CyaSSL_CTX_SetTmpDH_buffer(CYASSL_CTX* ctx, const unsigned char* buf,
 }
 
 
-#ifdef HAVE_ECC
-
-/* Set Temp CTX EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
-int CyaSSL_CTX_SetTmpEC_DHE_Sz(CYASSL_CTX* ctx, word16 sz)
-{
- if (ctx == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
- return BAD_FUNC_ARG;
-
- ctx->eccTempKeySz = sz;
-
- return SSL_SUCCESS;
-}
-
-
-/* Set Temp SSL EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
-int CyaSSL_SetTmpEC_DHE_Sz(CYASSL* ssl, word16 sz)
-{
- if (ssl == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
- return BAD_FUNC_ARG;
-
- ssl->eccTempKeySz = sz;
-
- return SSL_SUCCESS;
-}
-
-#endif /* HAVE_ECC */
-
-
 /* server Diffie-Hellman parameters */
 static int CyaSSL_SetTmpDH_file_wrapper(CYASSL_CTX* ctx, CYASSL* ssl,
 const char* fname, int format)
@@ -3288,6 +3226,108 @@ int CyaSSL_CTX_SetTmpDH_file(CYASSL_CTX* ctx, const char* fname, int format)
 }
 
 
+ /* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */
+ int CyaSSL_CTX_SetTmpDH(CYASSL_CTX* ctx, const unsigned char* p, int pSz,
+ const unsigned char* g, int gSz)
+ {
+ CYASSL_ENTER("CyaSSL_CTX_SetTmpDH");
+ if (ctx == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG;
+
+ XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
+ XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
+
+ ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap,DYNAMIC_TYPE_DH);
+ if (ctx->serverDH_P.buffer == NULL)
+ return MEMORY_E;
+
+ ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap,DYNAMIC_TYPE_DH);
+ if (ctx->serverDH_G.buffer == NULL) {
+ XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
+ return MEMORY_E;
+ }
+
+ ctx->serverDH_P.length = pSz;
+ ctx->serverDH_G.length = gSz;
+
+ XMEMCPY(ctx->serverDH_P.buffer, p, pSz);
+ XMEMCPY(ctx->serverDH_G.buffer, g, gSz);
+
+ ctx->haveDH = 1;
+
+ CYASSL_LEAVE("CyaSSL_CTX_SetTmpDH", 0);
+ return SSL_SUCCESS;
+ }
+#endif /* NO_DH */
+
+
+#ifdef OPENSSL_EXTRA
+/* put SSL type in extra for now, not very common */
+
+int CyaSSL_use_certificate_file(CYASSL* ssl, const char* file, int format)
+{
+ CYASSL_ENTER("CyaSSL_use_certificate_file");
+ if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 0, NULL)
+ == SSL_SUCCESS)
+ return SSL_SUCCESS;
+
+ return SSL_FAILURE;
+}
+
+
+int CyaSSL_use_PrivateKey_file(CYASSL* ssl, const char* file, int format)
+{
+ CYASSL_ENTER("CyaSSL_use_PrivateKey_file");
+ if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0, NULL)
+ == SSL_SUCCESS)
+ return SSL_SUCCESS;
+
+ return SSL_FAILURE;
+}
+
+
+int CyaSSL_use_certificate_chain_file(CYASSL* ssl, const char* file)
+{
+ /* procces up to MAX_CHAIN_DEPTH plus subject cert */
+ CYASSL_ENTER("CyaSSL_use_certificate_chain_file");
+ if (ProcessFile(ssl->ctx, file, SSL_FILETYPE_PEM, CERT_TYPE, ssl, 1, NULL)
+ == SSL_SUCCESS)
+ return SSL_SUCCESS;
+
+ return SSL_FAILURE;
+}
+
+
+
+#ifdef HAVE_ECC
+
+/* Set Temp CTX EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
+int CyaSSL_CTX_SetTmpEC_DHE_Sz(CYASSL_CTX* ctx, word16 sz)
+{
+ if (ctx == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
+ return BAD_FUNC_ARG;
+
+ ctx->eccTempKeySz = sz;
+
+ return SSL_SUCCESS;
+}
+
+
+/* Set Temp SSL EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
+int CyaSSL_SetTmpEC_DHE_Sz(CYASSL* ssl, word16 sz)
+{
+ if (ssl == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
+ return BAD_FUNC_ARG;
+
+ ssl->eccTempKeySz = sz;
+
+ return SSL_SUCCESS;
+}
+
+#endif /* HAVE_ECC */
+
+
+
+
 int CyaSSL_CTX_use_RSAPrivateKey_file(CYASSL_CTX* ctx,const char* file,
 int format)
 {
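Review bot: `CyaSSL_CTX_SetTmpDH`, moved here verbatim, leaves `ctx->serverDH_P.buffer` dangling when the `serverDH_G` allocation fails: it frees the P buffer and returns `MEMORY_E` without clearing the pointer, so a later context teardown or a second call to this function would presumably free it again. The failed-P path has the same shape, since both old buffers have already been freed while `length` and `haveDH` still describe them. `pSz` and `gSz` are plain `int` and flow straight into `XMALLOC`/`XMEMCPY` with no `<= 0` check. The function is relocated rather than rewritten, so this can land as a follow-up; the allocation section below resets the stale state before allocating and clears the pointer on the failure path.
```c
    if (ctx == NULL || p == NULL || g == NULL || pSz <= 0 || gSz <= 0)
        return BAD_FUNC_ARG;

    XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
    XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
    ctx->serverDH_P.buffer = NULL;
    ctx->serverDH_G.buffer = NULL;
    ctx->serverDH_P.length = 0;
    ctx->serverDH_G.length = 0;
    ctx->haveDH = 0;

    ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap, DYNAMIC_TYPE_DH);
    if (ctx->serverDH_P.buffer == NULL)
        return MEMORY_E;

    ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap, DYNAMIC_TYPE_DH);
    if (ctx->serverDH_G.buffer == NULL) {
        XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
        ctx->serverDH_P.buffer = NULL;
        return MEMORY_E;
    }
    /* ... unchanged: length assignment, XMEMCPY of p and g, haveDH = 1, CYASSL_LEAVE ... */
```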
@@ -8645,40 +8685,6 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
 
 #ifdef OPENSSL_EXTRA
 
-/* XXX shuld be NO_DH */
-#ifndef NO_CERTS
- /* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */
- int CyaSSL_CTX_SetTmpDH(CYASSL_CTX* ctx, const unsigned char* p, int pSz,
- const unsigned char* g, int gSz)
- {
- CYASSL_ENTER("CyaSSL_CTX_SetTmpDH");
- if (ctx == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG;
-
- XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
- XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
-
- ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap,DYNAMIC_TYPE_DH);
- if (ctx->serverDH_P.buffer == NULL)
- return MEMORY_E;
-
- ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap,DYNAMIC_TYPE_DH);
- if (ctx->serverDH_G.buffer == NULL) {
- XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
- return MEMORY_E;
- }
-
- ctx->serverDH_P.length = pSz;
- ctx->serverDH_G.length = gSz;
-
- XMEMCPY(ctx->serverDH_P.buffer, p, pSz);
- XMEMCPY(ctx->serverDH_G.buffer, g, gSz);
-
- ctx->haveDH = 1;
-
- CYASSL_LEAVE("CyaSSL_CTX_SetTmpDH", 0);
- return SSL_SUCCESS;
- }
-#endif /* !NO_CERTS */
 
 
 char* CyaSSL_CIPHER_description(CYASSL_CIPHER* cipher, char* in, int len)
@@ -10074,6 +10080,8 @@ static int initGlobalRNG = 0;
 }
 
 
+ #ifndef NO_DH
+
 static void InitCyaSSL_DH(CYASSL_DH* dh)
 {
 if (dh) {
@@ -10312,6 +10320,7 @@ static int initGlobalRNG = 0;
 CYASSL_MSG("CyaSSL_compute_key success");
 return (int)keySz;
 }
+ #endif /* NO_DH */
 
 #ifndef NO_DSA
 
diff --git a/tests/api.c b/tests/api.c
index e2e9e305e..8342da249 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -1046,9 +1046,9 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args)
 CyaSSL_set_fd(ssl, clientfd);
 
 #ifdef NO_PSK
- #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+ #if !defined(NO_FILESYSTEM) && !defined(NO_DH)
 CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
- #else
+ #elif !defined(NO_DH)
 SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */
 #endif
 #endif
@@ -1269,9 +1269,9 @@ THREAD_RETURN CYASSL_THREAD run_cyassl_server(void* args)
 CyaSSL_set_fd(ssl, cfd);
 
 #ifdef NO_PSK
- #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+ #if !defined(NO_FILESYSTEM) && !defined(NO_DH)
 CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
- #else
+ #elif !defined(NO_DH)
 SetDH(ssl); /* will repick suites with DHE, higher priority than PSK */
 #endif
 #endif