From 0ca5011d0600da1f218404c4541317bad356f8f1 Mon Sep 17 00:00:00 2001 From: beck <> Date: Fri, 11 Jul 2014 09:24:44 +0000 Subject: Remove the PSK code. We don't need to drag around this baggage. ok miod@ jsing@ --- src/lib/libssl/d1_clnt.c | 79 +-------------------- src/lib/libssl/d1_srvr.c | 26 +------ src/lib/libssl/s3_clnt.c | 137 +------------------------------------ src/lib/libssl/s3_lib.c | 72 +------------------ src/lib/libssl/s3_srvr.c | 109 +---------------------------- src/lib/libssl/src/apps/apps.h | 5 +- src/lib/libssl/src/apps/s_client.c | 96 +------------------------- src/lib/libssl/src/apps/s_server.c | 103 +--------------------------- src/lib/libssl/src/ssl/d1_clnt.c | 79 +-------------------- src/lib/libssl/src/ssl/d1_srvr.c | 26 +------ src/lib/libssl/src/ssl/s3_clnt.c | 137 +------------------------------------ src/lib/libssl/src/ssl/s3_lib.c | 72 +------------------ src/lib/libssl/src/ssl/s3_srvr.c | 109 +---------------------------- src/lib/libssl/src/ssl/ssl.h | 45 +----------- src/lib/libssl/src/ssl/ssl_asn1.c | 55 +-------------- src/lib/libssl/src/ssl/ssl_ciph.c | 4 +- src/lib/libssl/src/ssl/ssl_lib.c | 116 +------------------------------ src/lib/libssl/src/ssl/ssl_sess.c | 10 +-- src/lib/libssl/src/ssl/ssl_txt.c | 12 +--- src/lib/libssl/ssl.h | 45 +----------- src/lib/libssl/ssl_asn1.c | 55 +-------------- src/lib/libssl/ssl_ciph.c | 4 +- src/lib/libssl/ssl_lib.c | 116 +------------------------------ src/lib/libssl/ssl_sess.c | 10 +-- src/lib/libssl/ssl_txt.c | 12 +--- 25 files changed, 27 insertions(+), 1507 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index 04ae11d7bc..3f47a3854b 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_clnt.c,v 1.27 2014/07/10 08:51:14 tedu Exp $ */ +/* $OpenBSD: d1_clnt.c,v 1.28 2014/07/11 09:24:44 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -1196,83 +1196,6 @@ dtls1_send_client_key_exchange(SSL *s) EVP_PKEY_free(srvr_pub_pkey); } -#ifndef OPENSSL_NO_PSK - else if (alg_k & SSL_kPSK) { - char identity[PSK_MAX_IDENTITY_LEN]; - unsigned char *t = NULL; - unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4]; - unsigned int pre_ms_len = 0, psk_len = 0; - int psk_err = 1; - - n = 0; - if (s->psk_client_callback == NULL) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_NO_CLIENT_CB); - goto err; - } - - psk_len = s->psk_client_callback(s, - s->ctx->psk_identity_hint, identity, - PSK_MAX_IDENTITY_LEN, psk_or_pre_ms, - sizeof(psk_or_pre_ms)); - if (psk_len > PSK_MAX_PSK_LEN) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto psk_err; - } else if (psk_len == 0) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_IDENTITY_NOT_FOUND); - goto psk_err; - } - - /* create PSK pre_master_secret */ - pre_ms_len = 2 + psk_len + 2 + psk_len; - t = psk_or_pre_ms; - memmove(psk_or_pre_ms + psk_len + 4, - psk_or_pre_ms, psk_len); - s2n(psk_len, t); - memset(t, 0, psk_len); - t += psk_len; - s2n(psk_len, t); - - free(s->session->psk_identity_hint); - s->session->psk_identity_hint = - BUF_strdup(s->ctx->psk_identity_hint); - if (s->ctx->psk_identity_hint != NULL && - s->session->psk_identity_hint == NULL) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup(identity); - if (s->session->psk_identity == NULL) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - psk_or_pre_ms, pre_ms_len); - - n = strlen(identity); - s2n(n, p); - memcpy(p, identity, n); - n += 2; - psk_err = 0; -psk_err: - OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); - if (psk_err != 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_HANDSHAKE_FAILURE); - goto err; - } - } -#endif else { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 9fdb6c290b..d94c08a313 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srvr.c,v 1.29 2014/07/10 08:51:14 tedu Exp $ */ +/* $OpenBSD: d1_srvr.c,v 1.30 2014/07/11 09:24:44 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -464,11 +464,6 @@ dtls1_accept(SSL *s) /* only send if a DH key exchange or * RSA but we have a sign only certificate */ if (s->s3->tmp.use_rsa_tmp - /* PSK: send ServerKeyExchange if PSK identity - * hint if provided */ -#ifndef OPENSSL_NO_PSK - || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) -#endif || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) || (alg_k & SSL_kEECDH) || ((alg_k & SSL_kRSA) @@ -1011,9 +1006,6 @@ dtls1_send_server_key_exchange(SSL *s) int curve_id = 0; BN_CTX *bn_ctx = NULL; -#ifndef OPENSSL_NO_PSK - size_t pskhintlen = 0; -#endif EVP_PKEY *pkey; unsigned char *p, *d; int al, i; @@ -1200,13 +1192,6 @@ dtls1_send_server_key_exchange(SSL *s) r[2] = NULL; r[3] = NULL; } else -#ifndef OPENSSL_NO_PSK - if (type & SSL_kPSK) { - pskhintlen = strlen(s->ctx->psk_identity_hint); - /* reserve size for record length and PSK identity hint*/ - n += 2 + pskhintlen; - } else -#endif /* !OPENSSL_NO_PSK */ { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); @@ -1265,15 +1250,6 @@ dtls1_send_server_key_exchange(SSL *s) p += encodedlen; } -#ifndef OPENSSL_NO_PSK - if (type & SSL_kPSK) { - /* copy PSK identity hint */ - s2n(pskhintlen, p); - - memcpy(p, s->ctx->psk_identity_hint, pskhintlen); - p += pskhintlen; - } -#endif /* not anonymous */ if (pkey != NULL) { diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 079544da84..b70719f75a 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.74 2014/07/10 08:51:14 tedu Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.75 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1173,20 +1173,6 @@ ssl3_get_key_exchange(SSL *s) return ((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { -#ifndef OPENSSL_NO_PSK - /* - * In plain PSK ciphersuite, ServerKeyExchange can be - * omitted if no identity hint is sent. Set session->sess_cert - * anyway to avoid problems later. - */ - if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { - s->session->sess_cert = ssl_sess_cert_new(); - if (s->session->sess_cert == NULL) - goto err; - free(s->ctx->psk_identity_hint); - s->ctx->psk_identity_hint = NULL; - } -#endif s->s3->tmp.reuse_message = 1; return (1); } @@ -1212,50 +1198,6 @@ ssl3_get_key_exchange(SSL *s) alg_a = s->s3->tmp.new_cipher->algorithm_auth; EVP_MD_CTX_init(&md_ctx); -#ifndef OPENSSL_NO_PSK - if (alg_k & SSL_kPSK) { - char tmp_id_hint[PSK_MAX_IDENTITY_LEN + 1]; - - al = SSL_AD_HANDSHAKE_FAILURE; - n2s(p, i); - param_len = i + 2; - /* - * Store PSK identity hint for later use, hint is used - * in ssl3_send_client_key_exchange. Assume that the - * maximum length of a PSK identity hint can be as - * long as the maximum length of a PSK identity. - */ - if (i > PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; - } - if (param_len > n) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); - goto f_err; - } - /* - * If received PSK identity hint contains NULL - * characters, the hint is truncated from the first - * NULL. p may not be ending with NULL, so create a - * NULL-terminated string. - */ - memcpy(tmp_id_hint, p, i); - memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); - free(s->ctx->psk_identity_hint); - s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); - if (s->ctx->psk_identity_hint == NULL) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto f_err; - } - - p += i; - n -= param_len; - } else -#endif /* !OPENSSL_NO_PSK */ if (alg_k & SSL_kRSA) { if ((rsa = RSA_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, @@ -2363,83 +2305,6 @@ ssl3_send_client_key_exchange(SSL *s) EVP_PKEY_free(pub_key); } -#ifndef OPENSSL_NO_PSK - else if (alg_k & SSL_kPSK) { - char identity[PSK_MAX_IDENTITY_LEN]; - unsigned char *t = NULL; - unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4]; - unsigned int pre_ms_len = 0, psk_len = 0; - int psk_err = 1; - - n = 0; - if (s->psk_client_callback == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_NO_CLIENT_CB); - goto err; - } - - psk_len = s->psk_client_callback(s, - s->ctx->psk_identity_hint, identity, - PSK_MAX_IDENTITY_LEN, psk_or_pre_ms, - sizeof(psk_or_pre_ms)); - if (psk_len > PSK_MAX_PSK_LEN) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto psk_err; - } else if (psk_len == 0) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_IDENTITY_NOT_FOUND); - goto psk_err; - } - - /* create PSK pre_master_secret */ - pre_ms_len = 2 + psk_len + 2 + psk_len; - t = psk_or_pre_ms; - memmove(psk_or_pre_ms + psk_len + 4, - psk_or_pre_ms, psk_len); - s2n(psk_len, t); - memset(t, 0, psk_len); - t += psk_len; - s2n(psk_len, t); - - free(s->session->psk_identity_hint); - s->session->psk_identity_hint = - BUF_strdup(s->ctx->psk_identity_hint); - if (s->ctx->psk_identity_hint != NULL && - s->session->psk_identity_hint == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup(identity); - if (s->session->psk_identity == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret( - s, s->session->master_key, psk_or_pre_ms, - pre_ms_len); - - n = strlen(identity); - s2n(n, p); - memcpy(p, identity, n); - n += 2; - psk_err = 0; -psk_err: - OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); - if (psk_err != 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_HANDSHAKE_FAILURE); - goto err; - } - } -#endif else { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 400c1b87e0..f94e207fc4 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.68 2014/07/10 08:51:14 tedu Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.69 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1262,71 +1262,6 @@ SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_CAMELLIA */ -#ifndef OPENSSL_NO_PSK - /* Cipher 8A */ - { - .valid = 1, - .name = TLS1_TXT_PSK_WITH_RC4_128_SHA, - .id = TLS1_CK_PSK_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kPSK, - .algorithm_auth = SSL_aPSK, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 8B */ - { - .valid = 1, - .name = TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA, - .id = TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA, - .algorithm_mkey = SSL_kPSK, - .algorithm_auth = SSL_aPSK, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* Cipher 8C */ - { - .valid = 1, - .name = TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_PSK_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kPSK, - .algorithm_auth = SSL_aPSK, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 8D */ - { - .valid = 1, - .name = TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_PSK_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kPSK, - .algorithm_auth = SSL_aPSK, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, -#endif /* OPENSSL_NO_PSK */ /* GCM ciphersuites from RFC5288 */ @@ -3030,11 +2965,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; -#ifndef OPENSSL_NO_PSK - /* with PSK there must be server callback set */ - if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL) - continue; -#endif /* OPENSSL_NO_PSK */ ok = (alg_k & mask_k) && (alg_a & mask_a); diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 8fb041c4f5..c31ac39fe1 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.71 2014/07/10 21:36:49 bcook Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.72 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -429,9 +429,6 @@ ssl3_accept(SSL *s) * public key for key exchange. */ if (s->s3->tmp.use_rsa_tmp -#ifndef OPENSSL_NO_PSK - || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) -#endif || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) || (alg_k & SSL_kEECDH) || ((alg_k & SSL_kRSA) @@ -1383,9 +1380,6 @@ ssl3_send_server_key_exchange(SSL *s) int curve_id = 0; BN_CTX *bn_ctx = NULL; -#ifndef OPENSSL_NO_PSK - size_t pskhintlen = 0; -#endif EVP_PKEY *pkey; const EVP_MD *md = NULL; unsigned char *p, *d; @@ -1592,13 +1586,6 @@ ssl3_send_server_key_exchange(SSL *s) r[2] = NULL; r[3] = NULL; } else -#ifndef OPENSSL_NO_PSK - if (type & SSL_kPSK) { - pskhintlen = strlen(s->ctx->psk_identity_hint); - /* reserve size for record length and PSK identity hint*/ - n += 2 + pskhintlen; - } else -#endif /* !OPENSSL_NO_PSK */ { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, @@ -1661,15 +1648,6 @@ ssl3_send_server_key_exchange(SSL *s) p += encodedlen; } -#ifndef OPENSSL_NO_PSK - if (type & SSL_kPSK) { - /* copy PSK identity hint */ - s2n(pskhintlen, p); - - memcpy(p, s->ctx->psk_identity_hint, pskhintlen); - p += pskhintlen; - } -#endif /* not anonymous */ if (pkey != NULL) { @@ -2196,91 +2174,6 @@ ssl3_get_client_key_exchange(SSL *s) OPENSSL_cleanse(p, i); return (ret); } else -#ifndef OPENSSL_NO_PSK - if (alg_k & SSL_kPSK) { - unsigned char *t = NULL; - unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4]; - unsigned int pre_ms_len = 0, psk_len = 0; - int psk_err = 1; - char tmp_id[PSK_MAX_IDENTITY_LEN + 1]; - - al = SSL_AD_HANDSHAKE_FAILURE; - - n2s(p, i); - if (n != i + 2) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_LENGTH_MISMATCH); - goto psk_err; - } - if (i > PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_DATA_LENGTH_TOO_LONG); - goto psk_err; - } - if (s->psk_server_callback == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_NO_SERVER_CB); - goto psk_err; - } - - /* - * Create guaranteed NULL-terminated identity - * string for the callback - */ - memcpy(tmp_id, p, i); - memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); - psk_len = s->psk_server_callback(s, tmp_id, - psk_or_pre_ms, sizeof(psk_or_pre_ms)); - OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1); - - if (psk_len > PSK_MAX_PSK_LEN) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto psk_err; - } else if (psk_len == 0) { - /* PSK related to the given identity not found */ - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_IDENTITY_NOT_FOUND); - al = SSL_AD_UNKNOWN_PSK_IDENTITY; - goto psk_err; - } - - /* create PSK pre_master_secret */ - pre_ms_len = 2 + psk_len + 2 + psk_len; - t = psk_or_pre_ms; - memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len); - s2n(psk_len, t); - memset(t, 0, psk_len); - t += psk_len; - s2n(psk_len, t); - - free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup((char *)p); - if (s->session->psk_identity == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - free(s->session->psk_identity_hint); - s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); - if (s->ctx->psk_identity_hint != NULL && - s->session->psk_identity_hint == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret( - s, s->session->master_key, psk_or_pre_ms, pre_ms_len); - psk_err = 0; - psk_err: - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); - if (psk_err != 0) - goto f_err; - } else -#endif if (alg_k & SSL_kGOST) { int ret = 0; EVP_PKEY_CTX *pkey_ctx; diff --git a/src/lib/libssl/src/apps/apps.h b/src/lib/libssl/src/apps/apps.h index 9909d7fa66..9d8725159b 100644 --- a/src/lib/libssl/src/apps/apps.h +++ b/src/lib/libssl/src/apps/apps.h @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.h,v 1.34 2014/07/09 09:06:58 bcook Exp $ */ +/* $OpenBSD: apps.h,v 1.35 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -244,9 +244,6 @@ int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts); int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts); -#ifndef OPENSSL_NO_PSK -extern char *psk_key; -#endif #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) unsigned char *next_protos_parse(unsigned short *outlen, const char *in); diff --git a/src/lib/libssl/src/apps/s_client.c b/src/lib/libssl/src/apps/s_client.c index 2b313c84ff..ec23b92754 100644 --- a/src/lib/libssl/src/apps/s_client.c +++ b/src/lib/libssl/src/apps/s_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_client.c,v 1.65 2014/07/10 09:30:53 jsing Exp $ */ +/* $OpenBSD: s_client.c,v 1.66 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -198,70 +198,6 @@ static BIO *bio_c_out = NULL; static int c_quiet = 0; static int c_ign_eof = 0; -#ifndef OPENSSL_NO_PSK -/* Default PSK identity and key */ -static char *psk_identity = "Client_identity"; -/*char *psk_key=NULL; by default PSK is not used */ - -static unsigned int -psk_client_cb(SSL * ssl, const char *hint, char *identity, - unsigned int max_identity_len, unsigned char *psk, - unsigned int max_psk_len) -{ - unsigned int psk_len = 0; - size_t maxlen = 0; - int ret; - BIGNUM *bn = NULL; - - if (c_debug) - BIO_printf(bio_c_out, "psk_client_cb\n"); - if (max_identity_len > INT_MAX) - goto out_err; - maxlen = max_identity_len; - if (!hint) { - /* no ServerKeyExchange message */ - if (c_debug) - BIO_printf(bio_c_out, "NULL received PSK identity hint, continuing anyway\n"); - } else if (c_debug) - BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint); - - /* - * lookup PSK identity and PSK key based on the given identity hint - * here - */ - ret = snprintf(identity, maxlen, "%s", psk_identity); - if (ret == -1 || ret >= maxlen) - goto out_err; - if (c_debug) - BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret); - ret = BN_hex2bn(&bn, psk_key); - if (!ret) { - BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n", psk_key); - if (bn) - BN_free(bn); - return 0; - } - if ((unsigned int) BN_num_bytes(bn) > max_psk_len) { - BIO_printf(bio_err, "psk buffer of callback is too small (%d) for key (%d)\n", - max_psk_len, BN_num_bytes(bn)); - BN_free(bn); - return 0; - } - psk_len = BN_bn2bin(bn, psk); - BN_free(bn); - if (psk_len == 0) - goto out_err; - - if (c_debug) - BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len); - - return psk_len; -out_err: - if (c_debug) - BIO_printf(bio_err, "Error in PSK client callback\n"); - return 0; -} -#endif static void sc_usage(void) @@ -295,10 +231,6 @@ sc_usage(void) BIO_printf(bio_err, " -quiet - no s_client output\n"); BIO_printf(bio_err, " -ign_eof - ignore input eof (default when -quiet)\n"); BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n"); -#ifndef OPENSSL_NO_PSK - BIO_printf(bio_err, " -psk_identity arg - PSK identity\n"); - BIO_printf(bio_err, " -psk arg - PSK in hex (without 0x)\n"); -#endif BIO_printf(bio_err, " -ssl3 - just use SSLv3\n"); BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n"); BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n"); @@ -560,25 +492,6 @@ s_client_main(int argc, char **argv) nbio_test = 1; else if (strcmp(*argv, "-state") == 0) state = 1; -#ifndef OPENSSL_NO_PSK - else if (strcmp(*argv, "-psk_identity") == 0) { - if (--argc < 1) - goto bad; - psk_identity = *(++argv); - } else if (strcmp(*argv, "-psk") == 0) { - size_t j; - - if (--argc < 1) - goto bad; - psk_key = *(++argv); - for (j = 0; j < strlen(psk_key); j++) { - if (isxdigit((unsigned char) psk_key[j])) - continue; - BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); - goto bad; - } - } -#endif else if (strcmp(*argv, "-ssl3") == 0) meth = SSLv3_client_method(); else if (strcmp(*argv, "-tls1_2") == 0) @@ -827,13 +740,6 @@ bad: } #endif -#ifndef OPENSSL_NO_PSK - if (psk_key != NULL) { - if (c_debug) - BIO_printf(bio_c_out, "PSK key given, setting client callback\n"); - SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); - } -#endif #ifndef OPENSSL_NO_SRTP if (srtp_profiles != NULL) SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c index 45c4f5fa9c..802150a29a 100644 --- a/src/lib/libssl/src/apps/s_server.c +++ b/src/lib/libssl/src/apps/s_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_server.c,v 1.57 2014/07/10 08:59:15 bcook Exp $ */ +/* $OpenBSD: s_server.c,v 1.58 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -280,68 +280,6 @@ static int cert_chain = 0; #endif -#ifndef OPENSSL_NO_PSK -static char *psk_identity = "Client_identity"; -char *psk_key = NULL; /* by default PSK is not used */ - -static unsigned int -psk_server_cb(SSL * ssl, const char *identity, - unsigned char *psk, unsigned int max_psk_len) -{ - unsigned int psk_len = 0; - int ret; - BIGNUM *bn = NULL; - - if (s_debug) - BIO_printf(bio_s_out, "psk_server_cb\n"); - if (!identity) { - BIO_printf(bio_err, "Error: client did not send PSK identity\n"); - goto out_err; - } - if (s_debug) - BIO_printf(bio_s_out, "identity_len=%d identity=%s\n", - identity ? (int) strlen(identity) : 0, identity); - - /* here we could lookup the given identity e.g. from a database */ - if (strcmp(identity, psk_identity) != 0) { - BIO_printf(bio_s_out, "PSK error: client identity not found" - " (got '%s' expected '%s')\n", identity, - psk_identity); - goto out_err; - } - if (s_debug) - BIO_printf(bio_s_out, "PSK client identity found\n"); - - /* convert the PSK key to binary */ - ret = BN_hex2bn(&bn, psk_key); - if (!ret) { - BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n", psk_key); - if (bn) - BN_free(bn); - return 0; - } - if (BN_num_bytes(bn) > (int) max_psk_len) { - BIO_printf(bio_err, "psk buffer of callback is too small (%d) for key (%d)\n", - max_psk_len, BN_num_bytes(bn)); - BN_free(bn); - return 0; - } - ret = BN_bn2bin(bn, psk); - BN_free(bn); - - if (ret < 0) - goto out_err; - psk_len = (unsigned int) ret; - - if (s_debug) - BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len); - return psk_len; -out_err: - if (s_debug) - BIO_printf(bio_err, "Error in PSK server callback\n"); - return 0; -} -#endif static void @@ -418,10 +356,6 @@ sv_usage(void) BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n"); BIO_printf(bio_err, " -quiet - Inhibit printing of session and certificate information\n"); BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n"); -#ifndef OPENSSL_NO_PSK - BIO_printf(bio_err, " -psk_hint arg - PSK identity hint to use\n"); - BIO_printf(bio_err, " -psk arg - PSK in hex (without 0x)\n"); -#endif BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n"); BIO_printf(bio_err, " -tls1_2 - Just talk TLSv1.2\n"); BIO_printf(bio_err, " -tls1_1 - Just talk TLSv1.1\n"); @@ -698,10 +632,6 @@ s_server_main(int argc, char *argv[]) const char *next_proto_neg_in = NULL; tlsextnextprotoctx next_proto; #endif -#endif -#ifndef OPENSSL_NO_PSK - /* by default do not send a PSK identity hint */ - static char *psk_identity_hint = NULL; #endif meth = SSLv23_server_method(); @@ -882,25 +812,6 @@ s_server_main(int argc, char *argv[]) } else if (strcmp(*argv, "-no_ecdhe") == 0) { no_ecdhe = 1; } -#ifndef OPENSSL_NO_PSK - else if (strcmp(*argv, "-psk_hint") == 0) { - if (--argc < 1) - goto bad; - psk_identity_hint = *(++argv); - } else if (strcmp(*argv, "-psk") == 0) { - size_t i; - - if (--argc < 1) - goto bad; - psk_key = *(++argv); - for (i = 0; i < strlen(psk_key); i++) { - if (isxdigit((unsigned char) psk_key[i])) - continue; - BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); - goto bad; - } - } -#endif else if (strcmp(*argv, "-www") == 0) { www = 1; } else if (strcmp(*argv, "-WWW") == 0) { @@ -1328,18 +1239,6 @@ bad: #endif } -#ifndef OPENSSL_NO_PSK - if (psk_key != NULL) { - if (s_debug) - BIO_printf(bio_s_out, "PSK key given, setting server callback\n"); - SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); - } - if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) { - BIO_printf(bio_err, "error setting PSK identity hint to context\n"); - ERR_print_errors(bio_err); - goto end; - } -#endif if (cipher != NULL) { if (!SSL_CTX_set_cipher_list(ctx, cipher)) { diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c index 04ae11d7bc..3f47a3854b 100644 --- a/src/lib/libssl/src/ssl/d1_clnt.c +++ b/src/lib/libssl/src/ssl/d1_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_clnt.c,v 1.27 2014/07/10 08:51:14 tedu Exp $ */ +/* $OpenBSD: d1_clnt.c,v 1.28 2014/07/11 09:24:44 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -1196,83 +1196,6 @@ dtls1_send_client_key_exchange(SSL *s) EVP_PKEY_free(srvr_pub_pkey); } -#ifndef OPENSSL_NO_PSK - else if (alg_k & SSL_kPSK) { - char identity[PSK_MAX_IDENTITY_LEN]; - unsigned char *t = NULL; - unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4]; - unsigned int pre_ms_len = 0, psk_len = 0; - int psk_err = 1; - - n = 0; - if (s->psk_client_callback == NULL) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_NO_CLIENT_CB); - goto err; - } - - psk_len = s->psk_client_callback(s, - s->ctx->psk_identity_hint, identity, - PSK_MAX_IDENTITY_LEN, psk_or_pre_ms, - sizeof(psk_or_pre_ms)); - if (psk_len > PSK_MAX_PSK_LEN) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto psk_err; - } else if (psk_len == 0) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_IDENTITY_NOT_FOUND); - goto psk_err; - } - - /* create PSK pre_master_secret */ - pre_ms_len = 2 + psk_len + 2 + psk_len; - t = psk_or_pre_ms; - memmove(psk_or_pre_ms + psk_len + 4, - psk_or_pre_ms, psk_len); - s2n(psk_len, t); - memset(t, 0, psk_len); - t += psk_len; - s2n(psk_len, t); - - free(s->session->psk_identity_hint); - s->session->psk_identity_hint = - BUF_strdup(s->ctx->psk_identity_hint); - if (s->ctx->psk_identity_hint != NULL && - s->session->psk_identity_hint == NULL) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup(identity); - if (s->session->psk_identity == NULL) { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - psk_or_pre_ms, pre_ms_len); - - n = strlen(identity); - s2n(n, p); - memcpy(p, identity, n); - n += 2; - psk_err = 0; -psk_err: - OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); - if (psk_err != 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_HANDSHAKE_FAILURE); - goto err; - } - } -#endif else { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c index 9fdb6c290b..d94c08a313 100644 --- a/src/lib/libssl/src/ssl/d1_srvr.c +++ b/src/lib/libssl/src/ssl/d1_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srvr.c,v 1.29 2014/07/10 08:51:14 tedu Exp $ */ +/* $OpenBSD: d1_srvr.c,v 1.30 2014/07/11 09:24:44 beck Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -464,11 +464,6 @@ dtls1_accept(SSL *s) /* only send if a DH key exchange or * RSA but we have a sign only certificate */ if (s->s3->tmp.use_rsa_tmp - /* PSK: send ServerKeyExchange if PSK identity - * hint if provided */ -#ifndef OPENSSL_NO_PSK - || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) -#endif || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) || (alg_k & SSL_kEECDH) || ((alg_k & SSL_kRSA) @@ -1011,9 +1006,6 @@ dtls1_send_server_key_exchange(SSL *s) int curve_id = 0; BN_CTX *bn_ctx = NULL; -#ifndef OPENSSL_NO_PSK - size_t pskhintlen = 0; -#endif EVP_PKEY *pkey; unsigned char *p, *d; int al, i; @@ -1200,13 +1192,6 @@ dtls1_send_server_key_exchange(SSL *s) r[2] = NULL; r[3] = NULL; } else -#ifndef OPENSSL_NO_PSK - if (type & SSL_kPSK) { - pskhintlen = strlen(s->ctx->psk_identity_hint); - /* reserve size for record length and PSK identity hint*/ - n += 2 + pskhintlen; - } else -#endif /* !OPENSSL_NO_PSK */ { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); @@ -1265,15 +1250,6 @@ dtls1_send_server_key_exchange(SSL *s) p += encodedlen; } -#ifndef OPENSSL_NO_PSK - if (type & SSL_kPSK) { - /* copy PSK identity hint */ - s2n(pskhintlen, p); - - memcpy(p, s->ctx->psk_identity_hint, pskhintlen); - p += pskhintlen; - } -#endif /* not anonymous */ if (pkey != NULL) { diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 079544da84..b70719f75a 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.74 2014/07/10 08:51:14 tedu Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.75 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1173,20 +1173,6 @@ ssl3_get_key_exchange(SSL *s) return ((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { -#ifndef OPENSSL_NO_PSK - /* - * In plain PSK ciphersuite, ServerKeyExchange can be - * omitted if no identity hint is sent. Set session->sess_cert - * anyway to avoid problems later. - */ - if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { - s->session->sess_cert = ssl_sess_cert_new(); - if (s->session->sess_cert == NULL) - goto err; - free(s->ctx->psk_identity_hint); - s->ctx->psk_identity_hint = NULL; - } -#endif s->s3->tmp.reuse_message = 1; return (1); } @@ -1212,50 +1198,6 @@ ssl3_get_key_exchange(SSL *s) alg_a = s->s3->tmp.new_cipher->algorithm_auth; EVP_MD_CTX_init(&md_ctx); -#ifndef OPENSSL_NO_PSK - if (alg_k & SSL_kPSK) { - char tmp_id_hint[PSK_MAX_IDENTITY_LEN + 1]; - - al = SSL_AD_HANDSHAKE_FAILURE; - n2s(p, i); - param_len = i + 2; - /* - * Store PSK identity hint for later use, hint is used - * in ssl3_send_client_key_exchange. Assume that the - * maximum length of a PSK identity hint can be as - * long as the maximum length of a PSK identity. - */ - if (i > PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; - } - if (param_len > n) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); - goto f_err; - } - /* - * If received PSK identity hint contains NULL - * characters, the hint is truncated from the first - * NULL. p may not be ending with NULL, so create a - * NULL-terminated string. - */ - memcpy(tmp_id_hint, p, i); - memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); - free(s->ctx->psk_identity_hint); - s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); - if (s->ctx->psk_identity_hint == NULL) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto f_err; - } - - p += i; - n -= param_len; - } else -#endif /* !OPENSSL_NO_PSK */ if (alg_k & SSL_kRSA) { if ((rsa = RSA_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, @@ -2363,83 +2305,6 @@ ssl3_send_client_key_exchange(SSL *s) EVP_PKEY_free(pub_key); } -#ifndef OPENSSL_NO_PSK - else if (alg_k & SSL_kPSK) { - char identity[PSK_MAX_IDENTITY_LEN]; - unsigned char *t = NULL; - unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4]; - unsigned int pre_ms_len = 0, psk_len = 0; - int psk_err = 1; - - n = 0; - if (s->psk_client_callback == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_NO_CLIENT_CB); - goto err; - } - - psk_len = s->psk_client_callback(s, - s->ctx->psk_identity_hint, identity, - PSK_MAX_IDENTITY_LEN, psk_or_pre_ms, - sizeof(psk_or_pre_ms)); - if (psk_len > PSK_MAX_PSK_LEN) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto psk_err; - } else if (psk_len == 0) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_IDENTITY_NOT_FOUND); - goto psk_err; - } - - /* create PSK pre_master_secret */ - pre_ms_len = 2 + psk_len + 2 + psk_len; - t = psk_or_pre_ms; - memmove(psk_or_pre_ms + psk_len + 4, - psk_or_pre_ms, psk_len); - s2n(psk_len, t); - memset(t, 0, psk_len); - t += psk_len; - s2n(psk_len, t); - - free(s->session->psk_identity_hint); - s->session->psk_identity_hint = - BUF_strdup(s->ctx->psk_identity_hint); - if (s->ctx->psk_identity_hint != NULL && - s->session->psk_identity_hint == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup(identity); - if (s->session->psk_identity == NULL) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret( - s, s->session->master_key, psk_or_pre_ms, - pre_ms_len); - - n = strlen(identity); - s2n(n, p); - memcpy(p, identity, n); - n += 2; - psk_err = 0; -psk_err: - OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); - if (psk_err != 0) { - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_HANDSHAKE_FAILURE); - goto err; - } - } -#endif else { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index 400c1b87e0..f94e207fc4 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.68 2014/07/10 08:51:14 tedu Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.69 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1262,71 +1262,6 @@ SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_CAMELLIA */ -#ifndef OPENSSL_NO_PSK - /* Cipher 8A */ - { - .valid = 1, - .name = TLS1_TXT_PSK_WITH_RC4_128_SHA, - .id = TLS1_CK_PSK_WITH_RC4_128_SHA, - .algorithm_mkey = SSL_kPSK, - .algorithm_auth = SSL_aPSK, - .algorithm_enc = SSL_RC4, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 8B */ - { - .valid = 1, - .name = TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA, - .id = TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA, - .algorithm_mkey = SSL_kPSK, - .algorithm_auth = SSL_aPSK, - .algorithm_enc = SSL_3DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 112, - .alg_bits = 168, - }, - - /* Cipher 8C */ - { - .valid = 1, - .name = TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_PSK_WITH_AES_128_CBC_SHA, - .algorithm_mkey = SSL_kPSK, - .algorithm_auth = SSL_aPSK, - .algorithm_enc = SSL_AES128, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 128, - .alg_bits = 128, - }, - - /* Cipher 8D */ - { - .valid = 1, - .name = TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_PSK_WITH_AES_256_CBC_SHA, - .algorithm_mkey = SSL_kPSK, - .algorithm_auth = SSL_aPSK, - .algorithm_enc = SSL_AES256, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 256, - .alg_bits = 256, - }, -#endif /* OPENSSL_NO_PSK */ /* GCM ciphersuites from RFC5288 */ @@ -3030,11 +2965,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; -#ifndef OPENSSL_NO_PSK - /* with PSK there must be server callback set */ - if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL) - continue; -#endif /* OPENSSL_NO_PSK */ ok = (alg_k & mask_k) && (alg_a & mask_a); diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 8fb041c4f5..c31ac39fe1 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.71 2014/07/10 21:36:49 bcook Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.72 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -429,9 +429,6 @@ ssl3_accept(SSL *s) * public key for key exchange. */ if (s->s3->tmp.use_rsa_tmp -#ifndef OPENSSL_NO_PSK - || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) -#endif || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) || (alg_k & SSL_kEECDH) || ((alg_k & SSL_kRSA) @@ -1383,9 +1380,6 @@ ssl3_send_server_key_exchange(SSL *s) int curve_id = 0; BN_CTX *bn_ctx = NULL; -#ifndef OPENSSL_NO_PSK - size_t pskhintlen = 0; -#endif EVP_PKEY *pkey; const EVP_MD *md = NULL; unsigned char *p, *d; @@ -1592,13 +1586,6 @@ ssl3_send_server_key_exchange(SSL *s) r[2] = NULL; r[3] = NULL; } else -#ifndef OPENSSL_NO_PSK - if (type & SSL_kPSK) { - pskhintlen = strlen(s->ctx->psk_identity_hint); - /* reserve size for record length and PSK identity hint*/ - n += 2 + pskhintlen; - } else -#endif /* !OPENSSL_NO_PSK */ { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, @@ -1661,15 +1648,6 @@ ssl3_send_server_key_exchange(SSL *s) p += encodedlen; } -#ifndef OPENSSL_NO_PSK - if (type & SSL_kPSK) { - /* copy PSK identity hint */ - s2n(pskhintlen, p); - - memcpy(p, s->ctx->psk_identity_hint, pskhintlen); - p += pskhintlen; - } -#endif /* not anonymous */ if (pkey != NULL) { @@ -2196,91 +2174,6 @@ ssl3_get_client_key_exchange(SSL *s) OPENSSL_cleanse(p, i); return (ret); } else -#ifndef OPENSSL_NO_PSK - if (alg_k & SSL_kPSK) { - unsigned char *t = NULL; - unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4]; - unsigned int pre_ms_len = 0, psk_len = 0; - int psk_err = 1; - char tmp_id[PSK_MAX_IDENTITY_LEN + 1]; - - al = SSL_AD_HANDSHAKE_FAILURE; - - n2s(p, i); - if (n != i + 2) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_LENGTH_MISMATCH); - goto psk_err; - } - if (i > PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_DATA_LENGTH_TOO_LONG); - goto psk_err; - } - if (s->psk_server_callback == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_NO_SERVER_CB); - goto psk_err; - } - - /* - * Create guaranteed NULL-terminated identity - * string for the callback - */ - memcpy(tmp_id, p, i); - memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); - psk_len = s->psk_server_callback(s, tmp_id, - psk_or_pre_ms, sizeof(psk_or_pre_ms)); - OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1); - - if (psk_len > PSK_MAX_PSK_LEN) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto psk_err; - } else if (psk_len == 0) { - /* PSK related to the given identity not found */ - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_IDENTITY_NOT_FOUND); - al = SSL_AD_UNKNOWN_PSK_IDENTITY; - goto psk_err; - } - - /* create PSK pre_master_secret */ - pre_ms_len = 2 + psk_len + 2 + psk_len; - t = psk_or_pre_ms; - memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len); - s2n(psk_len, t); - memset(t, 0, psk_len); - t += psk_len; - s2n(psk_len, t); - - free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup((char *)p); - if (s->session->psk_identity == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - free(s->session->psk_identity_hint); - s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); - if (s->ctx->psk_identity_hint != NULL && - s->session->psk_identity_hint == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret( - s, s->session->master_key, psk_or_pre_ms, pre_ms_len); - psk_err = 0; - psk_err: - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); - if (psk_err != 0) - goto f_err; - } else -#endif if (alg_k & SSL_kGOST) { int ret = 0; EVP_PKEY_CTX *pkey_ctx; diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index 0301fd0b96..5ea440231a 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.60 2014/07/10 11:58:08 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.61 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -460,10 +460,6 @@ struct ssl_session_st { unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; -#ifndef OPENSSL_NO_PSK - char *psk_identity_hint; - char *psk_identity; -#endif /* Used to indicate that session resumption is not allowed. * Applications can also set this bit for a new session via * not_resumable_session_cb to disable session caching and tickets. */ @@ -835,14 +831,6 @@ struct ssl_ctx_st { int (*tlsext_status_cb)(SSL *ssl, void *arg); void *tlsext_status_arg; -#ifndef OPENSSL_NO_PSK - char *psk_identity_hint; - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, unsigned char *psk, - unsigned int max_psk_len); - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - unsigned char *psk, unsigned int max_psk_len); -#endif @@ -955,30 +943,6 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, #define OPENSSL_NPN_NO_OVERLAP 2 #endif -#ifndef OPENSSL_NO_PSK -/* the maximum length of the buffer given to callbacks containing the - * resulting identity/psk */ -#define PSK_MAX_IDENTITY_LEN 128 -#define PSK_MAX_PSK_LEN 256 -void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, unsigned char *psk, - unsigned int max_psk_len)); -void SSL_set_psk_client_callback(SSL *ssl, - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, unsigned char *psk, - unsigned int max_psk_len)); -void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - unsigned char *psk, unsigned int max_psk_len)); -void SSL_set_psk_server_callback(SSL *ssl, - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - unsigned char *psk, unsigned int max_psk_len)); -int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint); -int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint); -const char *SSL_get_psk_identity_hint(const SSL *s); -const char *SSL_get_psk_identity(const SSL *s); -#endif #define SSL_NOTHING 1 #define SSL_WRITING 2 @@ -1123,13 +1087,6 @@ struct ssl_st { int error_code; /* actual code */ -#ifndef OPENSSL_NO_PSK - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, unsigned char *psk, - unsigned int max_psk_len); - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - unsigned char *psk, unsigned int max_psk_len); -#endif SSL_CTX *ctx; /* set this flag to 1 and a sleep(1) is put into all SSL_read() diff --git a/src/lib/libssl/src/ssl/ssl_asn1.c b/src/lib/libssl/src/ssl/ssl_asn1.c index 43366b33b8..dd958d6570 100644 --- a/src/lib/libssl/src/ssl/ssl_asn1.c +++ b/src/lib/libssl/src/ssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.27 2014/07/10 08:51:15 tedu Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.28 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -103,17 +103,13 @@ typedef struct ssl_session_asn1_st { ASN1_OCTET_STRING tlsext_hostname; ASN1_INTEGER tlsext_tick_lifetime; ASN1_OCTET_STRING tlsext_tick; -#ifndef OPENSSL_NO_PSK - ASN1_OCTET_STRING psk_identity_hint; - ASN1_OCTET_STRING psk_identity; -#endif /* OPENSSL_NO_PSK */ } SSL_SESSION_ASN1; int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) { #define LSIZE2 (sizeof(long)*2) - int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0, v7 = 0, v8 = 0; + int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0; unsigned char buf[4], ibuf1[LSIZE2], ibuf2[LSIZE2]; unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2]; int v6 = 0, v9 = 0, v10 = 0; @@ -202,18 +198,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.tlsext_tick_lifetime.data = ibuf6; ASN1_INTEGER_set(&a.tlsext_tick_lifetime, in->tlsext_tick_lifetime_hint); } -#ifndef OPENSSL_NO_PSK - if (in->psk_identity_hint) { - a.psk_identity_hint.length = strlen(in->psk_identity_hint); - a.psk_identity_hint.type = V_ASN1_OCTET_STRING; - a.psk_identity_hint.data = (unsigned char *)(in->psk_identity_hint); - } - if (in->psk_identity) { - a.psk_identity.length = strlen(in->psk_identity); - a.psk_identity.type = V_ASN1_OCTET_STRING; - a.psk_identity.data = (unsigned char *)(in->psk_identity); - } -#endif /* OPENSSL_NO_PSK */ M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER); M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER); @@ -236,12 +220,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, v10); if (in->tlsext_hostname) M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, v6); -#ifndef OPENSSL_NO_PSK - if (in->psk_identity_hint) - M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7); - if (in->psk_identity) - M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8); -#endif /* OPENSSL_NO_PSK */ M_ASN1_I2D_seq_total(); @@ -262,12 +240,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) M_ASN1_I2D_put_EXP_opt(&a.verify_result, i2d_ASN1_INTEGER, 5, v5); if (in->tlsext_hostname) M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, v6); -#ifndef OPENSSL_NO_PSK - if (in->psk_identity_hint) - M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7); - if (in->psk_identity) - M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8); -#endif /* OPENSSL_NO_PSK */ if (in->tlsext_tick_lifetime_hint > 0) M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, v9); if (in->tlsext_tick) @@ -415,29 +387,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) } else ret->tlsext_hostname = NULL; -#ifndef OPENSSL_NO_PSK - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 7); - if (os.data) { - ret->psk_identity_hint = BUF_strndup((char *)os.data, os.length); - free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->psk_identity_hint = NULL; - - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 8); - if (os.data) { - ret->psk_identity = BUF_strndup((char *)os.data, os.length); - free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->psk_identity = NULL; -#endif /* OPENSSL_NO_PSK */ ai.length = 0; M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 9); diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c index 92d2417cb9..a79eafc9cf 100644 --- a/src/lib/libssl/src/ssl/ssl_ciph.c +++ b/src/lib/libssl/src/ssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.62 2014/07/10 11:58:08 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.63 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -883,10 +883,8 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *auth |= SSL_aDH; *mkey |= SSL_kKRB5; *auth |= SSL_aKRB5; -#ifdef OPENSSL_NO_PSK *mkey |= SSL_kPSK; *auth |= SSL_aPSK; -#endif *mkey |= SSL_kSRP; /* Check for presence of GOST 34.10 algorithms, and if they * do not present, disable appropriate auth and key exchange */ diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 5473690e09..c3169204f6 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.73 2014/07/10 11:58:08 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.74 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -349,10 +349,6 @@ SSL_new(SSL_CTX *ctx) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); -#ifndef OPENSSL_NO_PSK - s->psk_client_callback = ctx->psk_client_callback; - s->psk_server_callback = ctx->psk_server_callback; -#endif return (s); err: @@ -1391,13 +1387,6 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p, if ((c->algorithm_ssl & SSL_TLSV1_2) && (TLS1_get_client_version(s) < TLS1_2_VERSION)) continue; -#ifndef OPENSSL_NO_PSK - /* with PSK there must be client callback set */ - if (((c->algorithm_mkey & SSL_kPSK) || - (c->algorithm_auth & SSL_aPSK)) && - s->psk_client_callback == NULL) - continue; -#endif /* OPENSSL_NO_PSK */ j = put_cb ? put_cb(c, p) : ssl_put_cipher_by_char(s, c, p); p += j; } @@ -1811,11 +1800,6 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->next_protos_advertised_cb = 0; ret->next_proto_select_cb = 0; # endif -#ifndef OPENSSL_NO_PSK - ret->psk_identity_hint = NULL; - ret->psk_client_callback = NULL; - ret->psk_server_callback = NULL; -#endif #ifndef OPENSSL_NO_ENGINE ret->client_cert_engine = NULL; #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO @@ -1902,9 +1886,6 @@ SSL_CTX_free(SSL_CTX *a) sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); #endif -#ifndef OPENSSL_NO_PSK - free(a->psk_identity_hint); -#endif #ifndef OPENSSL_NO_ENGINE if (a->client_cert_engine) ENGINE_finish(a->client_cert_engine); @@ -2048,10 +2029,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) mask_k|=SSL_kEECDH; } -#ifndef OPENSSL_NO_PSK - mask_k |= SSL_kPSK; - mask_a |= SSL_aPSK; -#endif c->mask_k = mask_k; c->mask_a = mask_a; @@ -2914,97 +2891,6 @@ SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export, SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); } -#ifndef OPENSSL_NO_PSK -int -SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) -{ - if (identity_hint != NULL && strlen(identity_hint) > - PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, - SSL_R_DATA_LENGTH_TOO_LONG); - return (0); - } - free(ctx->psk_identity_hint); - if (identity_hint != NULL) { - ctx->psk_identity_hint = BUF_strdup(identity_hint); - if (ctx->psk_identity_hint == NULL) - return (0); - } else - ctx->psk_identity_hint = NULL; - return (1); -} - -int -SSL_use_psk_identity_hint(SSL *s, const char *identity_hint) -{ - if (s == NULL) - return (0); - - if (s->session == NULL) - return (1); /* session not created yet, ignored */ - - if (identity_hint != NULL && - strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, - SSL_R_DATA_LENGTH_TOO_LONG); - return (0); - } - free(s->session->psk_identity_hint); - if (identity_hint != NULL) { - s->session->psk_identity_hint = BUF_strdup(identity_hint); - if (s->session->psk_identity_hint == NULL) - return (0); - } else - s->session->psk_identity_hint = NULL; - return (1); -} - -const char * -SSL_get_psk_identity_hint(const SSL *s) -{ - if (s == NULL || s->session == NULL) - return (NULL); - return (s->session->psk_identity_hint); -} - -const char * -SSL_get_psk_identity(const SSL *s) -{ - if (s == NULL || s->session == NULL) - return (NULL); - return (s->session->psk_identity); -} - -void -SSL_set_psk_client_callback(SSL *s, unsigned int (*cb)(SSL *ssl, - const char *hint, char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)) -{ - s->psk_client_callback = cb; -} - -void -SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, unsigned int (*cb)(SSL *ssl, - const char *hint, char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)) -{ - ctx->psk_client_callback = cb; -} - -void -SSL_set_psk_server_callback(SSL *s, unsigned int (*cb)(SSL *ssl, - const char *identity, unsigned char *psk, unsigned int max_psk_len)) -{ - s->psk_server_callback = cb; -} - -void -SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, unsigned int (*cb)(SSL *ssl, - const char *identity, unsigned char *psk, unsigned int max_psk_len)) -{ - ctx->psk_server_callback = cb; -} -#endif void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c index b3dd3e6117..af29cfc7ff 100644 --- a/src/lib/libssl/src/ssl/ssl_sess.c +++ b/src/lib/libssl/src/ssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.35 2014/07/10 08:51:15 tedu Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.36 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -214,10 +214,6 @@ SSL_SESSION_new(void) ss->tlsext_ellipticcurvelist_length = 0; ss->tlsext_ellipticcurvelist = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); -#ifndef OPENSSL_NO_PSK - ss->psk_identity_hint = NULL; - ss->psk_identity = NULL; -#endif return (ss); } @@ -690,10 +686,6 @@ SSL_SESSION_free(SSL_SESSION *ss) free(ss->tlsext_ecpointformatlist); ss->tlsext_ellipticcurvelist_length = 0; free(ss->tlsext_ellipticcurvelist); -#ifndef OPENSSL_NO_PSK - free(ss->psk_identity_hint); - free(ss->psk_identity); -#endif OPENSSL_cleanse(ss, sizeof(*ss)); free(ss); } diff --git a/src/lib/libssl/src/ssl/ssl_txt.c b/src/lib/libssl/src/ssl/ssl_txt.c index 25f2290290..950620d300 100644 --- a/src/lib/libssl/src/ssl/ssl_txt.c +++ b/src/lib/libssl/src/ssl/ssl_txt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_txt.c,v 1.22 2014/07/10 08:51:15 tedu Exp $ */ +/* $OpenBSD: ssl_txt.c,v 1.23 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -159,16 +159,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } -#ifndef OPENSSL_NO_PSK - if (BIO_puts(bp, "\n PSK identity: ") <= 0) - goto err; - if (BIO_printf(bp, "%s", x->psk_identity ? x->psk_identity : "None") <= 0) - goto err; - if (BIO_puts(bp, "\n PSK identity hint: ") <= 0) - goto err; - if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) - goto err; -#endif if (x->tlsext_tick_lifetime_hint) { if (BIO_printf(bp, "\n TLS session ticket lifetime hint: %ld (seconds)", diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 0301fd0b96..5ea440231a 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.60 2014/07/10 11:58:08 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.61 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -460,10 +460,6 @@ struct ssl_session_st { unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; -#ifndef OPENSSL_NO_PSK - char *psk_identity_hint; - char *psk_identity; -#endif /* Used to indicate that session resumption is not allowed. * Applications can also set this bit for a new session via * not_resumable_session_cb to disable session caching and tickets. */ @@ -835,14 +831,6 @@ struct ssl_ctx_st { int (*tlsext_status_cb)(SSL *ssl, void *arg); void *tlsext_status_arg; -#ifndef OPENSSL_NO_PSK - char *psk_identity_hint; - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, unsigned char *psk, - unsigned int max_psk_len); - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - unsigned char *psk, unsigned int max_psk_len); -#endif @@ -955,30 +943,6 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, #define OPENSSL_NPN_NO_OVERLAP 2 #endif -#ifndef OPENSSL_NO_PSK -/* the maximum length of the buffer given to callbacks containing the - * resulting identity/psk */ -#define PSK_MAX_IDENTITY_LEN 128 -#define PSK_MAX_PSK_LEN 256 -void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, unsigned char *psk, - unsigned int max_psk_len)); -void SSL_set_psk_client_callback(SSL *ssl, - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, unsigned char *psk, - unsigned int max_psk_len)); -void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - unsigned char *psk, unsigned int max_psk_len)); -void SSL_set_psk_server_callback(SSL *ssl, - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - unsigned char *psk, unsigned int max_psk_len)); -int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint); -int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint); -const char *SSL_get_psk_identity_hint(const SSL *s); -const char *SSL_get_psk_identity(const SSL *s); -#endif #define SSL_NOTHING 1 #define SSL_WRITING 2 @@ -1123,13 +1087,6 @@ struct ssl_st { int error_code; /* actual code */ -#ifndef OPENSSL_NO_PSK - unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, unsigned char *psk, - unsigned int max_psk_len); - unsigned int (*psk_server_callback)(SSL *ssl, const char *identity, - unsigned char *psk, unsigned int max_psk_len); -#endif SSL_CTX *ctx; /* set this flag to 1 and a sleep(1) is put into all SSL_read() diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c index 43366b33b8..dd958d6570 100644 --- a/src/lib/libssl/ssl_asn1.c +++ b/src/lib/libssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.27 2014/07/10 08:51:15 tedu Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.28 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -103,17 +103,13 @@ typedef struct ssl_session_asn1_st { ASN1_OCTET_STRING tlsext_hostname; ASN1_INTEGER tlsext_tick_lifetime; ASN1_OCTET_STRING tlsext_tick; -#ifndef OPENSSL_NO_PSK - ASN1_OCTET_STRING psk_identity_hint; - ASN1_OCTET_STRING psk_identity; -#endif /* OPENSSL_NO_PSK */ } SSL_SESSION_ASN1; int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) { #define LSIZE2 (sizeof(long)*2) - int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0, v7 = 0, v8 = 0; + int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0; unsigned char buf[4], ibuf1[LSIZE2], ibuf2[LSIZE2]; unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2]; int v6 = 0, v9 = 0, v10 = 0; @@ -202,18 +198,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.tlsext_tick_lifetime.data = ibuf6; ASN1_INTEGER_set(&a.tlsext_tick_lifetime, in->tlsext_tick_lifetime_hint); } -#ifndef OPENSSL_NO_PSK - if (in->psk_identity_hint) { - a.psk_identity_hint.length = strlen(in->psk_identity_hint); - a.psk_identity_hint.type = V_ASN1_OCTET_STRING; - a.psk_identity_hint.data = (unsigned char *)(in->psk_identity_hint); - } - if (in->psk_identity) { - a.psk_identity.length = strlen(in->psk_identity); - a.psk_identity.type = V_ASN1_OCTET_STRING; - a.psk_identity.data = (unsigned char *)(in->psk_identity); - } -#endif /* OPENSSL_NO_PSK */ M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER); M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER); @@ -236,12 +220,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, v10); if (in->tlsext_hostname) M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, v6); -#ifndef OPENSSL_NO_PSK - if (in->psk_identity_hint) - M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7); - if (in->psk_identity) - M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8); -#endif /* OPENSSL_NO_PSK */ M_ASN1_I2D_seq_total(); @@ -262,12 +240,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) M_ASN1_I2D_put_EXP_opt(&a.verify_result, i2d_ASN1_INTEGER, 5, v5); if (in->tlsext_hostname) M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, v6); -#ifndef OPENSSL_NO_PSK - if (in->psk_identity_hint) - M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7); - if (in->psk_identity) - M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8); -#endif /* OPENSSL_NO_PSK */ if (in->tlsext_tick_lifetime_hint > 0) M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, v9); if (in->tlsext_tick) @@ -415,29 +387,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) } else ret->tlsext_hostname = NULL; -#ifndef OPENSSL_NO_PSK - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 7); - if (os.data) { - ret->psk_identity_hint = BUF_strndup((char *)os.data, os.length); - free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->psk_identity_hint = NULL; - - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 8); - if (os.data) { - ret->psk_identity = BUF_strndup((char *)os.data, os.length); - free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->psk_identity = NULL; -#endif /* OPENSSL_NO_PSK */ ai.length = 0; M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 9); diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 92d2417cb9..a79eafc9cf 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.62 2014/07/10 11:58:08 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.63 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -883,10 +883,8 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *auth |= SSL_aDH; *mkey |= SSL_kKRB5; *auth |= SSL_aKRB5; -#ifdef OPENSSL_NO_PSK *mkey |= SSL_kPSK; *auth |= SSL_aPSK; -#endif *mkey |= SSL_kSRP; /* Check for presence of GOST 34.10 algorithms, and if they * do not present, disable appropriate auth and key exchange */ diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 5473690e09..c3169204f6 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.73 2014/07/10 11:58:08 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.74 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -349,10 +349,6 @@ SSL_new(SSL_CTX *ctx) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); -#ifndef OPENSSL_NO_PSK - s->psk_client_callback = ctx->psk_client_callback; - s->psk_server_callback = ctx->psk_server_callback; -#endif return (s); err: @@ -1391,13 +1387,6 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p, if ((c->algorithm_ssl & SSL_TLSV1_2) && (TLS1_get_client_version(s) < TLS1_2_VERSION)) continue; -#ifndef OPENSSL_NO_PSK - /* with PSK there must be client callback set */ - if (((c->algorithm_mkey & SSL_kPSK) || - (c->algorithm_auth & SSL_aPSK)) && - s->psk_client_callback == NULL) - continue; -#endif /* OPENSSL_NO_PSK */ j = put_cb ? put_cb(c, p) : ssl_put_cipher_by_char(s, c, p); p += j; } @@ -1811,11 +1800,6 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->next_protos_advertised_cb = 0; ret->next_proto_select_cb = 0; # endif -#ifndef OPENSSL_NO_PSK - ret->psk_identity_hint = NULL; - ret->psk_client_callback = NULL; - ret->psk_server_callback = NULL; -#endif #ifndef OPENSSL_NO_ENGINE ret->client_cert_engine = NULL; #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO @@ -1902,9 +1886,6 @@ SSL_CTX_free(SSL_CTX *a) sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); #endif -#ifndef OPENSSL_NO_PSK - free(a->psk_identity_hint); -#endif #ifndef OPENSSL_NO_ENGINE if (a->client_cert_engine) ENGINE_finish(a->client_cert_engine); @@ -2048,10 +2029,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) mask_k|=SSL_kEECDH; } -#ifndef OPENSSL_NO_PSK - mask_k |= SSL_kPSK; - mask_a |= SSL_aPSK; -#endif c->mask_k = mask_k; c->mask_a = mask_a; @@ -2914,97 +2891,6 @@ SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export, SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh); } -#ifndef OPENSSL_NO_PSK -int -SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) -{ - if (identity_hint != NULL && strlen(identity_hint) > - PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, - SSL_R_DATA_LENGTH_TOO_LONG); - return (0); - } - free(ctx->psk_identity_hint); - if (identity_hint != NULL) { - ctx->psk_identity_hint = BUF_strdup(identity_hint); - if (ctx->psk_identity_hint == NULL) - return (0); - } else - ctx->psk_identity_hint = NULL; - return (1); -} - -int -SSL_use_psk_identity_hint(SSL *s, const char *identity_hint) -{ - if (s == NULL) - return (0); - - if (s->session == NULL) - return (1); /* session not created yet, ignored */ - - if (identity_hint != NULL && - strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, - SSL_R_DATA_LENGTH_TOO_LONG); - return (0); - } - free(s->session->psk_identity_hint); - if (identity_hint != NULL) { - s->session->psk_identity_hint = BUF_strdup(identity_hint); - if (s->session->psk_identity_hint == NULL) - return (0); - } else - s->session->psk_identity_hint = NULL; - return (1); -} - -const char * -SSL_get_psk_identity_hint(const SSL *s) -{ - if (s == NULL || s->session == NULL) - return (NULL); - return (s->session->psk_identity_hint); -} - -const char * -SSL_get_psk_identity(const SSL *s) -{ - if (s == NULL || s->session == NULL) - return (NULL); - return (s->session->psk_identity); -} - -void -SSL_set_psk_client_callback(SSL *s, unsigned int (*cb)(SSL *ssl, - const char *hint, char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)) -{ - s->psk_client_callback = cb; -} - -void -SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, unsigned int (*cb)(SSL *ssl, - const char *hint, char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)) -{ - ctx->psk_client_callback = cb; -} - -void -SSL_set_psk_server_callback(SSL *s, unsigned int (*cb)(SSL *ssl, - const char *identity, unsigned char *psk, unsigned int max_psk_len)) -{ - s->psk_server_callback = cb; -} - -void -SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, unsigned int (*cb)(SSL *ssl, - const char *identity, unsigned char *psk, unsigned int max_psk_len)) -{ - ctx->psk_server_callback = cb; -} -#endif void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index b3dd3e6117..af29cfc7ff 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.35 2014/07/10 08:51:15 tedu Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.36 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -214,10 +214,6 @@ SSL_SESSION_new(void) ss->tlsext_ellipticcurvelist_length = 0; ss->tlsext_ellipticcurvelist = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); -#ifndef OPENSSL_NO_PSK - ss->psk_identity_hint = NULL; - ss->psk_identity = NULL; -#endif return (ss); } @@ -690,10 +686,6 @@ SSL_SESSION_free(SSL_SESSION *ss) free(ss->tlsext_ecpointformatlist); ss->tlsext_ellipticcurvelist_length = 0; free(ss->tlsext_ellipticcurvelist); -#ifndef OPENSSL_NO_PSK - free(ss->psk_identity_hint); - free(ss->psk_identity); -#endif OPENSSL_cleanse(ss, sizeof(*ss)); free(ss); } diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c index 25f2290290..950620d300 100644 --- a/src/lib/libssl/ssl_txt.c +++ b/src/lib/libssl/ssl_txt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_txt.c,v 1.22 2014/07/10 08:51:15 tedu Exp $ */ +/* $OpenBSD: ssl_txt.c,v 1.23 2014/07/11 09:24:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -159,16 +159,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } -#ifndef OPENSSL_NO_PSK - if (BIO_puts(bp, "\n PSK identity: ") <= 0) - goto err; - if (BIO_printf(bp, "%s", x->psk_identity ? x->psk_identity : "None") <= 0) - goto err; - if (BIO_puts(bp, "\n PSK identity hint: ") <= 0) - goto err; - if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) - goto err; -#endif if (x->tlsext_tick_lifetime_hint) { if (BIO_printf(bp, "\n TLS session ticket lifetime hint: %ld (seconds)", -- cgit v1.2.3-55-g6feb