提交 57be4444 编写于 作者: D Dr. Stephen Henson

Remove SSL_OP_SINGLE_ECDH_USE code.

Since auto ecdh is now always used SSL_OP_SINGLE_ECDH_USE is
redundant. Simplify associated code.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
上级 cae41364
...@@ -409,8 +409,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, ...@@ -409,8 +409,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
# define SSL_OP_NO_COMPRESSION 0x00020000U # define SSL_OP_NO_COMPRESSION 0x00020000U
/* Permit unsafe legacy renegotiation */ /* Permit unsafe legacy renegotiation */
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U
/* If set, always create a new key when using tmp_ecdh parameters */ /* Does nothing: retained for compatibility */
# define SSL_OP_SINGLE_ECDH_USE 0x00080000U # define SSL_OP_SINGLE_ECDH_USE 0x0
/* If set, always create a new key when using tmp_dh parameters */ /* If set, always create a new key when using tmp_dh parameters */
# define SSL_OP_SINGLE_DH_USE 0x00100000U # define SSL_OP_SINGLE_DH_USE 0x00100000U
/* Does nothing: retained for compatibiity */ /* Does nothing: retained for compatibiity */
......
...@@ -1823,19 +1823,8 @@ int tls_construct_server_key_exchange(SSL *s) ...@@ -1823,19 +1823,8 @@ int tls_construct_server_key_exchange(SSL *s)
#endif #endif
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
const EC_GROUP *group;
EC_KEY *ecdh = NULL; EC_KEY *ecdh = NULL;
int nid;
/* Get NID of appropriate shared curve */
int nid = tls1_shared_curve(s, -2);
if (nid != NID_undef)
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_MISSING_TMP_ECDH_KEY);
goto f_err;
}
if (s->s3->tmp.ecdh != NULL) { if (s->s3->tmp.ecdh != NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
...@@ -1843,36 +1832,23 @@ int tls_construct_server_key_exchange(SSL *s) ...@@ -1843,36 +1832,23 @@ int tls_construct_server_key_exchange(SSL *s)
goto err; goto err;
} }
s->s3->tmp.ecdh = ecdh; /* Get NID of appropriate shared curve */
if ((EC_KEY_get0_public_key(ecdh) == NULL) || nid = tls1_shared_curve(s, -2);
(EC_KEY_get0_private_key(ecdh) == NULL) || curve_id = tls1_ec_nid2curve_id(nid);
(s->options & SSL_OP_SINGLE_ECDH_USE)) { if (curve_id == 0) {
if (!EC_KEY_generate_key(ecdh)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_ECDH_LIB);
goto err;
}
}
if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
(EC_KEY_get0_public_key(ecdh) == NULL) ||
(EC_KEY_get0_private_key(ecdh) == NULL)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
goto err;
}
/*
* XXX: For now, we only support ephemeral ECDH keys over named
* (not generic) curves. For supported named curves, curve_id is
* non-zero.
*/
if ((curve_id =
tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
== 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
goto err; goto err;
} }
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL || !EC_KEY_generate_key(ecdh)) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_EC_LIB);
goto f_err;
}
s->s3->tmp.ecdh = ecdh;
/* /*
* Encode the public key. First check the size of encoding and * Encode the public key. First check the size of encoding and
...@@ -1887,10 +1863,9 @@ int tls_construct_server_key_exchange(SSL *s) ...@@ -1887,10 +1863,9 @@ int tls_construct_server_key_exchange(SSL *s)
} }
/* /*
* XXX: For now, we only support named (not generic) curves in * We only support named (not generic) curves in ECDH ephemeral key
* ECDH ephemeral key exchanges. In this situation, we need four * exchanges. In this situation, we need four additional bytes to
* additional bytes to encode the entire ServerECDHParams * encode the entire ServerECDHParams structure.
* structure.
*/ */
n += 4 + encodedlen; n += 4 + encodedlen;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册