Remove SSL_get_dhe_group_size.

Nothing calls this anymore. DHE is nearly gone. This unblocks making
key_exchange_info apply only to the curve.

Change-Id: I3099e7222a62441df6e01411767d48166a0729b1
Reviewed-on: https://boringssl-review.googlesource.com/12691
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 58f8d64..0224efe 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2026,15 +2026,6 @@
                                             DH *(*dh)(SSL *ssl, int is_export,
                                                       int keylength));
 
-/* SSL_get_dhe_group_size returns the number of bits in the most recently
- * completed handshake's selected group's prime, or zero if not
- * applicable. Note, however, that validating this value does not ensure the
- * server selected a secure group.
- *
- * TODO(davidben): This API currently does not work correctly if there is a
- * renegotiation in progress. Fix this. */
-OPENSSL_EXPORT unsigned SSL_get_dhe_group_size(const SSL *ssl);
-
 
 /* Certificate verification.
  *
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e5c0559..383fbbc 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2424,19 +2424,6 @@
   ssl->cert->dh_tmp_cb = callback;
 }
 
-unsigned SSL_get_dhe_group_size(const SSL *ssl) {
-  /* TODO(davidben): This checks the wrong session if there is a renegotiation in
-   * progress. */
-  SSL_SESSION *session = SSL_get_session(ssl);
-  if (session == NULL ||
-      session->cipher == NULL ||
-      !SSL_CIPHER_is_DHE(session->cipher)) {
-    return 0;
-  }
-
-  return session->key_exchange_info;
-}
-
 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
   if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 3ad906b..fa74150 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -1368,16 +1368,6 @@
     }
   }
 
-  if (config->expect_dhe_group_size != 0) {
-    unsigned dhe_group_size = SSL_get_dhe_group_size(ssl);
-    if (static_cast<unsigned>(config->expect_dhe_group_size) !=
-        dhe_group_size) {
-      fprintf(stderr, "dhe_group_size was %u, wanted %d\n", dhe_group_size,
-              config->expect_dhe_group_size);
-      return false;
-    }
-  }
-
   uint16_t cipher_id =
       static_cast<uint16_t>(SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)));
   if (config->expect_cipher_aes != 0 &&
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 6fb94de..b4c21b1 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -8106,33 +8106,6 @@
 	})
 }
 
-func addDHEGroupSizeTests() {
-	testCases = append(testCases, testCase{
-		name: "DHEGroupSize-Client",
-		config: Config{
-			MaxVersion:   VersionTLS12,
-			CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
-			Bugs: ProtocolBugs{
-				// This is a 1234-bit prime number, generated
-				// with:
-				// openssl gendh 1234 | openssl asn1parse -i
-				DHGroupPrime: bigFromHex("0215C589A86BE450D1255A86D7A08877A70E124C11F0C75E476BA6A2186B1C830D4A132555973F2D5881D5F737BB800B7F417C01EC5960AEBF79478F8E0BBB6A021269BD10590C64C57F50AD8169D5488B56EE38DC5E02DA1A16ED3B5F41FEB2AD184B78A31F3A5B2BEC8441928343DA35DE3D4F89F0D4CEDE0034045084A0D1E6182E5EF7FCA325DD33CE81BE7FA87D43613E8FA7A1457099AB53"),
-			},
-		},
-		flags: []string{"-expect-dhe-group-size", "1234"},
-	})
-	testCases = append(testCases, testCase{
-		testType: serverTest,
-		name:     "DHEGroupSize-Server",
-		config: Config{
-			MaxVersion:   VersionTLS12,
-			CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
-		},
-		// bssl_shim as a server configures a 2048-bit DHE group.
-		flags: []string{"-expect-dhe-group-size", "2048"},
-	})
-}
-
 func addTLS13RecordTests() {
 	testCases = append(testCases, testCase{
 		name: "TLS13-RecordPadding",
@@ -9862,7 +9835,6 @@
 	addCustomExtensionTests()
 	addRSAClientKeyExchangeTests()
 	addCurveTests()
-	addDHEGroupSizeTests()
 	addSessionTicketTests()
 	addTLS13RecordTests()
 	addAllStateMachineCoverageTests()
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 9b9e20c..a35b223 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -164,7 +164,6 @@
   { "-expect-peer-signature-algorithm",
     &TestConfig::expect_peer_signature_algorithm },
   { "-expect-curve-id", &TestConfig::expect_curve_id },
-  { "-expect-dhe-group-size", &TestConfig::expect_dhe_group_size },
   { "-initial-timeout-duration-ms", &TestConfig::initial_timeout_duration_ms },
   { "-max-cert-list", &TestConfig::max_cert_list },
   { "-expect-cipher-aes", &TestConfig::expect_cipher_aes },
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index 76cd5fb..9d84786 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@@ -107,7 +107,6 @@
   bool enable_all_curves = false;
   bool use_sparse_dh_prime = false;
   int expect_curve_id = 0;
-  int expect_dhe_group_size = 0;
   bool use_old_client_cert_callback = false;
   int initial_timeout_duration_ms = 0;
   bool use_null_client_ca_list = false;
diff --git a/tool/transport_common.cc b/tool/transport_common.cc
index a4fcfb2..0fee377 100644
--- a/tool/transport_common.cc
+++ b/tool/transport_common.cc
@@ -242,10 +242,6 @@
   if (curve != 0) {
     fprintf(stderr, "  ECDHE curve: %s\n", SSL_get_curve_name(curve));
   }
-  unsigned dhe_bits = SSL_get_dhe_group_size(ssl);
-  if (dhe_bits != 0) {
-    fprintf(stderr, "  DHE group size: %u bits\n", dhe_bits);
-  }
   uint16_t sigalg = SSL_get_peer_signature_algorithm(ssl);
   if (sigalg != 0) {
     fprintf(stderr, "  Signature algorithm: %s\n",