TLS is pretty boring without TLS extensions... unifdef OPENSSL_NO_TLSEXT,

which was already done for libssl some time back.
author: jsing <> 2014-11-06 14:50:12 +0000
committer: jsing <> 2014-11-06 14:50:12 +0000
commit: 88cf2820fafa430dc891c23333424543d7e58801 (patch)
tree: 73b9a7d7637aec8af747cb360db6919045ae44dd /src
parent: 004be1fe64dc7b3404e4d84f10300a4d0e9995fa (diff)
download: openbsd-88cf2820fafa430dc891c23333424543d7e58801.tar.gz
openbsd-88cf2820fafa430dc891c23333424543d7e58801.tar.bz2
openbsd-88cf2820fafa430dc891c23333424543d7e58801.zip
2 files changed, 2 insertions, 76 deletions
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index 25d4c0c5dd..12c9bd2c2d 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.5 2014/10/22 13:51:31 jsing Exp $ */
+/* $OpenBSD: s_client.c,v 1.6 2014/11/06 14:50:12 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -179,10 +179,8 @@ extern int verify_return_error;
 static int c_nbio = 0;
 static int c_Pause = 0;
 static int c_debug = 0;
-#ifndef OPENSSL_NO_TLSEXT
 static int c_tlsextdebug = 0;
 static int c_status_req = 0;
-#endif
 static int c_msg = 0;
 static int c_showcerts = 0;
@@ -191,9 +189,7 @@ static int keymatexportlen = 20;
 static void sc_usage(void);
 static void print_stuff(BIO * berr, SSL * con, int full);
-#ifndef OPENSSL_NO_TLSEXT
 static int ocsp_resp_cb(SSL * s, void *arg);
-#endif
 static BIO *bio_c_out = NULL;
 static int c_quiet = 0;
 static int c_ign_eof = 0;
@@ -251,7 +247,6 @@ sc_usage(void)
 #endif
        BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n");
        BIO_printf(bio_err, " -sess_in arg  - file to read SSL session from\n");
-#ifndef OPENSSL_NO_TLSEXT
        BIO_printf(bio_err, " -servername host  - Set TLS extension servername in ClientHello\n");
        BIO_printf(bio_err, " -tlsextdebug      - hex dump of all TLS extensions received\n");
        BIO_printf(bio_err, " -status           - request certificate status from server\n");
@@ -259,7 +254,6 @@ sc_usage(void)
 #ifndef OPENSSL_NO_NEXTPROTONEG
        BIO_printf(bio_err, " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 #endif
-#endif
 #ifndef OPENSSL_NO_SRTP
        BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
 #endif
@@ -267,7 +261,6 @@ sc_usage(void)
        BIO_printf(bio_err, " -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
 }
-#ifndef OPENSSL_NO_TLSEXT
 /* This is a context that we pass to callbacks */
 typedef struct tlsextctx_st {
@@ -324,7 +317,6 @@ next_proto_cb(SSL * s, unsigned char **out, unsigned char *outlen, const unsigne
        return SSL_TLSEXT_ERR_OK;
 }
 #endif                          /* ndef OPENSSL_NO_NEXTPROTONEG */
-#endif
 enum {
        PROTO_OFF = 0,
@@ -378,14 +370,12 @@ s_client_main(int argc, char **argv)
        ENGINE *ssl_client_engine = NULL;
 #endif
        ENGINE *e = NULL;
-#ifndef OPENSSL_NO_TLSEXT
        char *servername = NULL;
        tlsextctx tlsextcbp =
        {NULL, 0};
 #ifndef OPENSSL_NO_NEXTPROTONEG
        const char *next_proto_neg_in = NULL;
 #endif
-#endif
        char *sess_in = NULL;
        char *sess_out = NULL;
        struct sockaddr peer;
@@ -475,12 +465,10 @@ s_client_main(int argc, char **argv)
                        c_Pause = 1;
                else if (strcmp(*argv, "-debug") == 0)
                        c_debug = 1;
-#ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv, "-tlsextdebug") == 0)
                        c_tlsextdebug = 1;
                else if (strcmp(*argv, "-status") == 0)
                        c_status_req = 1;
-#endif
                else if (strcmp(*argv, "-msg") == 0)
                        c_msg = 1;
                else if (strcmp(*argv, "-showcerts") == 0)
@@ -548,7 +536,6 @@ s_client_main(int argc, char **argv)
                else if (strcmp(*argv, "-no_comp") == 0) {
                        off |= SSL_OP_NO_COMPRESSION;
                }
-#ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv, "-no_ticket") == 0) {
                        off |= SSL_OP_NO_TICKET;
                }
@@ -559,7 +546,6 @@ s_client_main(int argc, char **argv)
                        next_proto_neg_in = *(++argv);
                }
 #endif
-#endif
                else if (strcmp(*argv, "-serverpref") == 0)
                        off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
                else if (strcmp(*argv, "-legacy_renegotiation") == 0)
@@ -611,14 +597,12 @@ s_client_main(int argc, char **argv)
                } else if (strcmp(*argv, "-6") == 0) {
                        af = AF_INET6;
                }
-#ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv, "-servername") == 0) {
                        if (--argc < 1)
                                goto bad;
                        servername = *(++argv);
                        /* meth=TLSv1_client_method(); */
                }
-#endif
 #ifndef OPENSSL_NO_SRTP
                else if (strcmp(*argv, "-use_srtp") == 0) {
                        if (--argc < 1)
@@ -777,13 +761,11 @@ bad:
                ERR_print_errors(bio_err);
                /* goto end; */
        }
-#ifndef OPENSSL_NO_TLSEXT
        if (servername != NULL) {
                tlsextcbp.biodebug = bio_err;
                SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
                SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
        }
-#endif
        con = SSL_new(ctx);
        if (sess_in) {
@@ -806,7 +788,6 @@ bad:
                SSL_set_session(con, sess);
                SSL_SESSION_free(sess);
        }
-#ifndef OPENSSL_NO_TLSEXT
        if (servername != NULL) {
                if (!SSL_set_tlsext_host_name(con, servername)) {
                        BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
@@ -814,7 +795,6 @@ bad:
                        goto end;
                }
        }
-#endif
 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
 re_start:
@@ -881,7 +861,6 @@ re_start:
                SSL_set_msg_callback(con, msg_cb);
                SSL_set_msg_callback_arg(con, bio_c_out);
        }
-#ifndef OPENSSL_NO_TLSEXT
        if (c_tlsextdebug) {
                SSL_set_tlsext_debug_callback(con, tlsext_cb);
                SSL_set_tlsext_debug_arg(con, bio_c_out);
@@ -891,7 +870,6 @@ re_start:
                SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
                SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
        }
-#endif
        SSL_set_bio(con, sbio, sbio);
        SSL_set_connect_state(con);
@@ -1472,7 +1450,6 @@ print_stuff(BIO * bio, SSL * s, int full)
        (void) BIO_flush(bio);
 }
-#ifndef OPENSSL_NO_TLSEXT
 static int
 ocsp_resp_cb(SSL * s, void *arg)
@@ -1499,4 +1476,3 @@ ocsp_resp_cb(SSL * s, void *arg)
        return 1;
 }
-#endif
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 30a926c411..1e6f85f9fb 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.5 2014/10/31 16:59:00 jsing Exp $ */
+/* $OpenBSD: s_server.c,v 1.6 2014/11/06 14:50:12 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -200,9 +200,7 @@ static int bufsize = BUFSIZZ;
 static int accept_socket = -1;
 #define TEST_CERT       "server.pem"
-#ifndef OPENSSL_NO_TLSEXT
 #define TEST_CERT2      "server2.pem"
-#endif
 extern int verify_depth, verify_return_error;
@@ -210,26 +208,20 @@ static char *cipher = NULL;
 static int s_server_verify = SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1;     /* anything will do */
 static const char *s_cert_file = TEST_CERT, *s_key_file = NULL;
-#ifndef OPENSSL_NO_TLSEXT
 static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
-#endif
 static char *s_dcert_file = NULL, *s_dkey_file = NULL;
 static int s_nbio = 0;
 static int s_nbio_test = 0;
 int s_crlf = 0;
 static SSL_CTX *ctx = NULL;
-#ifndef OPENSSL_NO_TLSEXT
 static SSL_CTX *ctx2 = NULL;
-#endif
 static int www = 0;
 static BIO *bio_s_out = NULL;
 static int s_debug = 0;
-#ifndef OPENSSL_NO_TLSEXT
 static int s_tlsextdebug = 0;
 static int s_tlsextstatus = 0;
 static int cert_status_cb(SSL * s, void *arg);
-#endif
 static int s_msg = 0;
 static int s_quiet = 0;
@@ -261,11 +253,9 @@ s_server_init(void)
        s_dkey_file = NULL;
        s_cert_file = TEST_CERT;
        s_key_file = NULL;
-#ifndef OPENSSL_NO_TLSEXT
        s_cert_file2 = TEST_CERT2;
        s_key_file2 = NULL;
        ctx2 = NULL;
-#endif
        s_nbio = 0;
        s_nbio_test = 0;
        ctx = NULL;
@@ -350,7 +340,6 @@ sv_usage(void)
        BIO_printf(bio_err, " -engine id    - Initialise and use the specified engine\n");
 #endif
        BIO_printf(bio_err, " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
-#ifndef OPENSSL_NO_TLSEXT
        BIO_printf(bio_err, " -servername host - servername for HostName TLS extension\n");
        BIO_printf(bio_err, " -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
        BIO_printf(bio_err, " -cert2 arg    - certificate file to use for servername\n");
@@ -365,7 +354,6 @@ sv_usage(void)
 #ifndef OPENSSL_NO_SRTP
        BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
 #endif
-#endif
        BIO_printf(bio_err, " -keymatexport label   - Export keying material using label\n");
        BIO_printf(bio_err, " -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
 }
@@ -373,7 +361,6 @@ sv_usage(void)
 static int local_argc = 0;
 static char **local_argv;
-#ifndef OPENSSL_NO_TLSEXT
 /* This is a context that we pass to callbacks */
 typedef struct tlsextctx_st {
@@ -558,7 +545,6 @@ next_proto_cb(SSL * s, const unsigned char **data, unsigned int *len, void *arg)
 #endif                          /* ndef OPENSSL_NO_NEXTPROTONEG */
-#endif
 int s_server_main(int, char **);
@@ -592,7 +578,6 @@ s_server_main(int argc, char *argv[])
        EVP_PKEY *s_key = NULL, *s_dkey = NULL;
        int no_cache = 0;
        const char *errstr = NULL;
-#ifndef OPENSSL_NO_TLSEXT
        EVP_PKEY *s_key2 = NULL;
        X509 *s_cert2 = NULL;
        tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
@@ -600,7 +585,6 @@ s_server_main(int argc, char *argv[])
        const char *next_proto_neg_in = NULL;
        tlsextnextprotoctx next_proto;
 #endif
-#endif
        meth = SSLv23_server_method();
        local_argc = argc;
@@ -729,7 +713,6 @@ s_server_main(int argc, char *argv[])
                } else if (strcmp(*argv, "-debug") == 0) {
                        s_debug = 1;
                }
-#ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv, "-tlsextdebug") == 0)
                        s_tlsextdebug = 1;
                else if (strcmp(*argv, "-status") == 0)
@@ -757,7 +740,6 @@ s_server_main(int argc, char *argv[])
                                goto bad;
                        }
                }
-#endif
                else if (strcmp(*argv, "-msg") == 0) {
                        s_msg = 1;
                } else if (strcmp(*argv, "-hack") == 0) {
@@ -795,11 +777,9 @@ s_server_main(int argc, char *argv[])
                } else if (strcmp(*argv, "-no_comp") == 0) {
                        off |= SSL_OP_NO_COMPRESSION;
                }
-#ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv, "-no_ticket") == 0) {
                        off |= SSL_OP_NO_TICKET;
                }
-#endif
                else if (strcmp(*argv, "-ssl3") == 0) {
                        meth = SSLv3_server_method();
                } else if (strcmp(*argv, "-tls1") == 0) {
@@ -836,7 +816,6 @@ s_server_main(int argc, char *argv[])
                        engine_id = *(++argv);
                }
 #endif
-#ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv, "-servername") == 0) {
                        if (--argc < 1)
                                goto bad;
@@ -859,7 +838,6 @@ s_server_main(int argc, char *argv[])
                        next_proto_neg_in = *(++argv);
                }
 #endif
-#endif
 #ifndef OPENSSL_NO_SRTP
                else if (strcmp(*argv, "-use_srtp") == 0) {
                        if (--argc < 1)
@@ -905,10 +883,8 @@ bad:
        }
        if (s_key_file == NULL)
                s_key_file = s_cert_file;
-#ifndef OPENSSL_NO_TLSEXT
        if (s_key_file2 == NULL)
                s_key_file2 = s_cert_file2;
-#endif
        if (nocert == 0) {
                s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
@@ -924,7 +900,6 @@ bad:
                        ERR_print_errors(bio_err);
                        goto end;
                }
-#ifndef OPENSSL_NO_TLSEXT
                if (tlsextcbp.servername) {
                        s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
                            "second server certificate private key file");
@@ -940,7 +915,6 @@ bad:
                                goto end;
                        }
                }
-#endif
        }
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        if (next_proto_neg_in) {
@@ -989,10 +963,8 @@ bad:
                s_key_file = NULL;
                s_dcert_file = NULL;
                s_dkey_file = NULL;
-#ifndef OPENSSL_NO_TLSEXT
                s_cert_file2 = NULL;
                s_key_file2 = NULL;
-#endif
        }
        ctx = SSL_CTX_new(meth);
        if (ctx == NULL) {
@@ -1048,7 +1020,6 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
-#ifndef OPENSSL_NO_TLSEXT
        if (s_cert2) {
                ctx2 = SSL_CTX_new(meth);
                if (ctx2 == NULL) {
@@ -1105,7 +1076,6 @@ bad:
        if (next_proto.data)
                SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
 #endif
-#endif
 #ifndef OPENSSL_NO_DH
        if (!no_dhe) {
@@ -1132,7 +1102,6 @@ bad:
                        goto end;
                }
-#ifndef OPENSSL_NO_TLSEXT
                if (ctx2) {
                        if (!dhfile) {
                                DH *dh2 = load_dh_param(s_cert_file2);
@@ -1154,7 +1123,6 @@ bad:
                                goto end;
                        }
                }
-#endif
                DH_free(dh);
        }
 #endif
@@ -1190,19 +1158,15 @@ bad:
                (void) BIO_flush(bio_s_out);
                SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-#ifndef OPENSSL_NO_TLSEXT
                if (ctx2)
                        SSL_CTX_set_tmp_ecdh(ctx2, ecdh);
-#endif
                EC_KEY_free(ecdh);
        }
        if (!set_cert_key_stuff(ctx, s_cert, s_key))
                goto end;
-#ifndef OPENSSL_NO_TLSEXT
        if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2))
                goto end;
-#endif
        if (s_dcert != NULL) {
                if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
                        goto end;
@@ -1214,13 +1178,11 @@ bad:
                        ERR_print_errors(bio_err);
                        goto end;
                }
-#ifndef OPENSSL_NO_TLSEXT
                if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, cipher)) {
                        BIO_printf(bio_err, "error setting cipher list\n");
                        ERR_print_errors(bio_err);
                        goto end;
                }
-#endif
        }
        SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
        SSL_CTX_set_session_id_context(ctx, (void *) &s_server_session_id_context,
@@ -1230,7 +1192,6 @@ bad:
        SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
        SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
-#ifndef OPENSSL_NO_TLSEXT
        if (ctx2) {
                SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
                SSL_CTX_set_session_id_context(ctx2, (void *) &s_server_session_id_context,
@@ -1242,14 +1203,11 @@ bad:
                SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
                SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
        }
-#endif
        if (CAfile != NULL) {
                SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
-#ifndef OPENSSL_NO_TLSEXT
                if (ctx2)
                        SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
-#endif
        }
        BIO_printf(bio_s_out, "ACCEPT\n");
        (void) BIO_flush(bio_s_out);
@@ -1274,7 +1232,6 @@ end:
        free(dpass);
        if (vpm)
                X509_VERIFY_PARAM_free(vpm);
-#ifndef OPENSSL_NO_TLSEXT
        free(tlscstatp.host);
        free(tlscstatp.port);
        free(tlscstatp.path);
@@ -1284,7 +1241,6 @@ end:
                X509_free(s_cert2);
        if (s_key2)
                EVP_PKEY_free(s_key2);
-#endif
        if (bio_s_out != NULL) {
                BIO_free(bio_s_out);
                bio_s_out = NULL;
@@ -1345,7 +1301,6 @@ sv_body(char *hostname, int s, unsigned char *context)
        if (con == NULL) {
                con = SSL_new(ctx);
-#ifndef OPENSSL_NO_TLSEXT
                if (s_tlsextdebug) {
                        SSL_set_tlsext_debug_callback(con, tlsext_cb);
                        SSL_set_tlsext_debug_arg(con, bio_s_out);
@@ -1355,7 +1310,6 @@ sv_body(char *hostname, int s, unsigned char *context)
                        tlscstatp.err = bio_err;
                        SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
                }
-#endif
                if (context)
                        SSL_set_session_id_context(con, context,
                            strlen((char *) context));
@@ -1407,12 +1361,10 @@ sv_body(char *hostname, int s, unsigned char *context)
                SSL_set_msg_callback(con, msg_cb);
                SSL_set_msg_callback_arg(con, bio_s_out);
        }
-#ifndef OPENSSL_NO_TLSEXT
        if (s_tlsextdebug) {
                SSL_set_tlsext_debug_callback(con, tlsext_cb);
                SSL_set_tlsext_debug_arg(con, bio_s_out);
        }
-#endif
        width = s + 1;
        for (;;) {
@@ -1781,12 +1733,10 @@ www_body(char *hostname, int s, unsigned char *context)
        if ((con = SSL_new(ctx)) == NULL)
                goto err;
-#ifndef OPENSSL_NO_TLSEXT
        if (s_tlsextdebug) {
                SSL_set_tlsext_debug_callback(con, tlsext_cb);
                SSL_set_tlsext_debug_arg(con, bio_s_out);
        }
-#endif
        if (context)
                SSL_set_session_id_context(con, context,
                    strlen((char *) context));
author	jsing <>	2014-11-06 14:50:12 +0000
committer	jsing <>	2014-11-06 14:50:12 +0000
commit	88cf2820fafa430dc891c23333424543d7e58801 (patch)
tree	73b9a7d7637aec8af747cb360db6919045ae44dd /src
parent	004be1fe64dc7b3404e4d84f10300a4d0e9995fa (diff)
download	openbsd-88cf2820fafa430dc891c23333424543d7e58801.tar.gz openbsd-88cf2820fafa430dc891c23333424543d7e58801.tar.bz2 openbsd-88cf2820fafa430dc891c23333424543d7e58801.zip