unifdef OPENSSL_NO_PSK.
Get those out of the way.
Change-Id: I4cc8c34cf637379ad734c43623f76ae72f22014e
Reviewed-on: https://boringssl-review.googlesource.com/1282
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7edda2a..1c3c55a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -438,10 +438,8 @@
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-#ifndef OPENSSL_NO_PSK
char *psk_identity_hint;
char *psk_identity;
-#endif
/* Used to indicate that session resumption is not allowed.
* Applications can also set this bit for a new session via
* not_resumable_session_cb to disable session caching and tickets. */
@@ -1011,14 +1009,12 @@
int (*tlsext_status_cb)(SSL *ssl, void *arg);
void *tlsext_status_arg;
-#ifndef OPENSSL_NO_PSK
char *psk_identity_hint;
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len, unsigned char *psk,
unsigned int max_psk_len);
unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
unsigned char *psk, unsigned int max_psk_len);
-#endif
#ifndef OPENSSL_NO_BUF_FREELISTS
#define SSL_MAX_BUF_FREELIST_LEN_DEFAULT 32
@@ -1201,7 +1197,6 @@
void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
unsigned *len);
-#ifndef OPENSSL_NO_PSK
/* the maximum length of the buffer given to callbacks containing the
* resulting identity/psk */
#define PSK_MAX_IDENTITY_LEN 128
@@ -1224,7 +1219,6 @@
int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint);
const char *SSL_get_psk_identity_hint(const SSL *s);
const char *SSL_get_psk_identity(const SSL *s);
-#endif
#define SSL_NOTHING 1
#define SSL_WRITING 2
@@ -1372,7 +1366,6 @@
int error; /* error bytes to be written */
int error_code; /* actual code */
-#ifndef OPENSSL_NO_PSK
/* PSK identity hint is stored here only to enable setting a hint on an SSL object before an
* SSL_SESSION is associated with it. Once an SSL_SESSION is associated with this SSL object,
* the psk_identity_hint from the session takes precedence over this one. */
@@ -1382,7 +1375,6 @@
unsigned int max_psk_len);
unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
unsigned char *psk, unsigned int max_psk_len);
-#endif
SSL_CTX *ctx;
/* set this flag to 1 and a sleep(1) is put into all SSL_read()
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index f0dbe37..59c5ec3 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -393,9 +393,7 @@
if (s->s3->tmp.use_rsa_tmp
/* PSK: send ServerKeyExchange if PSK identity
* hint if provided */
-#ifndef OPENSSL_NO_PSK
|| ((alg_k & SSL_kPSK) && s->session->psk_identity_hint)
-#endif
|| (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
|| (alg_k & SSL_kEECDH)
|| ((alg_k & SSL_kRSA)
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index d2dd3b5..3ed360d 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1249,7 +1249,6 @@
return -1;
}
-#ifndef OPENSSL_NO_PSK
/* In plain PSK ciphersuite, ServerKeyExchange can be
omitted if no identity hint is sent. Set
session->sess_cert anyway to avoid problems
@@ -1267,7 +1266,6 @@
s->session->psk_identity_hint = NULL;
}
}
-#endif
s->s3->tmp.reuse_message=1;
return(1);
}
@@ -1308,7 +1306,6 @@
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
EVP_MD_CTX_init(&md_ctx);
-#ifndef OPENSSL_NO_PSK
if (alg_a & SSL_aPSK)
{
CBS psk_identity_hint;
@@ -1346,7 +1343,6 @@
goto f_err;
}
}
-#endif /* !OPENSSL_NO_PSK */
if (0) {}
else if (alg_k & SSL_kRSA)
@@ -2010,10 +2006,8 @@
unsigned char *encodedPoint = NULL;
int encoded_pt_len = 0;
BN_CTX * bn_ctx = NULL;
-#ifndef OPENSSL_NO_PSK
unsigned int psk_len = 0;
unsigned char psk[PSK_MAX_PSK_LEN];
-#endif /* OPENSSL_NO_PSK */
#endif /* OPENSSL_NO_ECDH */
if (s->state == SSL3_ST_CW_KEY_EXCH_A)
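Review bot: `psk_len` and `psk` are still declared inside the region closed by the surviving `#endif /* OPENSSL_NO_ECDH */`, while the PSK branch that the next hunk makes unconditional (`if (alg_a & SSL_aPSK)` at the 2017 side) presumably writes to them; with OPENSSL_NO_ECDH defined that would no longer compile, whereas before this change the two guards were nested and removed together. The same layout survives in ssl/s3_srvr.c at the 2000 hunk, where `psk_len` and `psk` sit above an uncommented `#endif` that appears to close an ECDH guard. Moving the two declarations below the `#endif` so they are as unconditional as the code that uses them, e.g. `#endif /* OPENSSL_NO_ECDH */` followed by `unsigned int psk_len = 0;` and `unsigned char psk[PSK_MAX_PSK_LEN];`, would keep both configurations building. The enclosing function begins and ends outside the hunk, so the actual uses of `psk` are not visible here and this is inferred from the declarations alone.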
@@ -2023,7 +2017,6 @@
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
-#ifndef OPENSSL_NO_PSK
if (alg_a & SSL_aPSK)
{
char identity[PSK_MAX_IDENTITY_LEN + 1];
@@ -2100,7 +2093,6 @@
goto err;
}
}
-#endif
/* Fool emacs indentation */
if (0) {}
@@ -2270,12 +2262,10 @@
EC_KEY *tkey;
int ecdh_clnt_cert = 0;
int field_size = 0;
-#ifndef OPENSSL_NO_PSK
unsigned char *pre_ms;
unsigned char *t;
unsigned int pre_ms_len;
unsigned int i;
-#endif
if (s->session->sess_cert == NULL)
{
@@ -2399,7 +2389,6 @@
goto err;
}
-#ifndef OPENSSL_NO_PSK
/* ECDHE PSK ciphersuites from RFC 5489 */
if ((alg_a & SSL_aPSK) && psk_len != 0)
{
@@ -2423,7 +2412,6 @@
OPENSSL_cleanse(pre_ms, pre_ms_len);
OPENSSL_free(pre_ms);
}
-#endif /* OPENSSL_NO_PSK */
if (!(alg_a & SSL_aPSK))
{
/* generate master key from the result */
@@ -2467,7 +2455,6 @@
encodedPoint, encoded_pt_len, bn_ctx);
n = 0;
-#ifndef OPENSSL_NO_PSK
if ((alg_a & SSL_aPSK) && psk_len != 0)
{
i = strlen(s->session->psk_identity);
@@ -2476,7 +2463,6 @@
p += i;
n = i + 2;
}
-#endif
*p = encoded_pt_len; /* length of encoded point */
/* Encoded point will be copied here */
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 81719c6..34635bc 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1368,7 +1368,6 @@
},
#endif /* OPENSSL_NO_CAMELLIA */
-#ifndef OPENSSL_NO_PSK
/* Cipher 8A */
{
1,
@@ -1432,7 +1431,6 @@
256,
256,
},
-#endif /* OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_SEED
/* SEED ciphersuites from RFC4162 */
@@ -2419,7 +2417,6 @@
256,
},
-#ifndef OPENSSL_NO_PSK
/* ECDH PSK ciphersuites */
/* Cipher CAFE */
{
@@ -2437,7 +2434,6 @@
128,
128,
},
-#endif /* OPENSSL_NO_PSK */
#endif /* OPENSSL_NO_ECDH */
@@ -3571,11 +3567,9 @@
alg_k=c->algorithm_mkey;
alg_a=c->algorithm_auth;
-#ifndef OPENSSL_NO_PSK
/* with PSK there must be server callback set */
if ((alg_a & SSL_aPSK) && s->psk_server_callback == NULL)
ok = 0;
-#endif /* OPENSSL_NO_PSK */
if (SSL_C_IS_EXPORT(c))
{
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a0c8d38..ab94786 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -402,9 +402,7 @@
/* PSK: send ServerKeyExchange if either:
* - PSK identity hint is provided, or
* - the key exchange is kEECDH. */
-#ifndef OPENSSL_NO_PSK
|| ((alg_a & SSL_aPSK) && ((alg_k & SSL_kEECDH) || s->session->psk_identity_hint))
-#endif
|| (alg_k & SSL_kEDH)
|| (alg_k & SSL_kEECDH)
|| ((alg_k & SSL_kRSA)
@@ -1469,10 +1467,8 @@
int curve_id = 0;
BN_CTX *bn_ctx = NULL;
#endif
-#ifndef OPENSSL_NO_PSK
const char* psk_identity_hint;
size_t psk_identity_hint_len;
-#endif
EVP_PKEY *pkey;
const EVP_MD *md = NULL;
unsigned char *p,*d;
@@ -1497,7 +1493,6 @@
r[0]=r[1]=r[2]=r[3]=NULL;
n=0;
-#ifndef OPENSSL_NO_PSK
if (alg_a & SSL_aPSK)
{
/* size for PSK identity hint */
@@ -1508,7 +1503,6 @@
psk_identity_hint_len = 0;
n+=2+psk_identity_hint_len;
}
-#endif /* !OPENSSL_NO_PSK */
if (alg_k & SSL_kRSA)
{
rsa=cert->rsa_tmp;
@@ -1769,7 +1763,6 @@
/* Note: ECDHE PSK ciphersuites use SSL_kEECDH and SSL_aPSK.
* When one of them is used, the server key exchange record needs to have both
* the psk_identity_hint and the ServerECDHParams. */
-#ifndef OPENSSL_NO_PSK
if (alg_a & SSL_aPSK)
{
/* copy PSK identity hint (if provided) */
@@ -1780,7 +1773,6 @@
p+=psk_identity_hint_len;
}
}
-#endif /* OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_ECDH
if (alg_k & SSL_kEECDH)
@@ -2008,10 +2000,8 @@
EVP_PKEY *clnt_pub_pkey = NULL;
EC_POINT *clnt_ecpoint = NULL;
BN_CTX *bn_ctx = NULL;
-#ifndef OPENSSL_NO_PSK
unsigned int psk_len = 0;
unsigned char psk[PSK_MAX_PSK_LEN];
-#endif /* OPENSSL_NO_PSK */
#endif
n=s->method->ssl_get_message(s,
@@ -2027,7 +2017,6 @@
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
-#ifndef OPENSSL_NO_PSK
/* If using a PSK key exchange, prepare the pre-shared key. */
if (alg_a & SSL_aPSK)
{
@@ -2082,7 +2071,6 @@
goto f_err;
}
}
-#endif /* OPENSSL_NO_PSK */
/* Depending on the key exchange method, compute |premaster_secret| and
* |premaster_secret_len|. Also, for DH and ECDH, set
@@ -2520,7 +2508,6 @@
premaster_secret_len = ecdh_len;
}
#endif
-#ifndef OPENSSL_NO_PSK
else if (alg_k & SSL_kPSK)
{
/* For plain PSK, other_secret is a block of 0s with the same
@@ -2534,7 +2521,6 @@
}
memset(premaster_secret, 0, premaster_secret_len);
}
-#endif /* !OPENSSL_NO_PSK */
else
{
al=SSL_AD_HANDSHAKE_FAILURE;
@@ -2542,7 +2528,6 @@
goto f_err;
}
-#ifndef OPENSSL_NO_PSK
/* For a PSK cipher suite, the actual pre-master secret is combined with
* the pre-shared key. */
if (alg_a & SSL_aPSK)
@@ -2572,7 +2557,6 @@
premaster_secret = new_data;
premaster_secret_len = new_len;
}
-#endif /* !OPENSSL_NO_PSK */
/* Compute the master secret */
s->session->master_key_length = s->method->ssl3_enc
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 6b0568e..2c91053 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -115,10 +115,8 @@
ASN1_OCTET_STRING tlsext_hostname;
ASN1_INTEGER tlsext_tick_lifetime;
ASN1_OCTET_STRING tlsext_tick;
-#ifndef OPENSSL_NO_PSK
ASN1_OCTET_STRING psk_identity_hint;
ASN1_OCTET_STRING psk_identity;
-#endif /* OPENSSL_NO_PSK */
ASN1_OCTET_STRING peer_sha256;
ASN1_OCTET_STRING original_handshake_hash;
} SSL_SESSION_ASN1;
@@ -234,7 +232,6 @@
a.tlsext_tick_lifetime.data=ibuf6;
ASN1_INTEGER_set(&a.tlsext_tick_lifetime,in->tlsext_tick_lifetime_hint);
}
-#ifndef OPENSSL_NO_PSK
if (in->psk_identity_hint)
{
a.psk_identity_hint.length=strlen(in->psk_identity_hint);
@@ -261,7 +258,6 @@
a.original_handshake_hash.type = V_ASN1_OCTET_STRING;
a.original_handshake_hash.data = in->original_handshake_hash;
}
-#endif /* OPENSSL_NO_PSK */
M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
@@ -286,12 +282,10 @@
M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
if (in->tlsext_hostname)
M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
-#ifndef OPENSSL_NO_PSK
if (in->psk_identity_hint)
M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
if (in->psk_identity)
M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
-#endif /* OPENSSL_NO_PSK */
if (in->peer_sha256_valid)
M_ASN1_I2D_len_EXP_opt(&(a.peer_sha256),i2d_ASN1_OCTET_STRING,13,v13);
if (in->original_handshake_hash_len > 0)
@@ -318,12 +312,10 @@
M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
if (in->tlsext_hostname)
M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
-#ifndef OPENSSL_NO_PSK
if (in->psk_identity_hint)
M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING,7,v7);
if (in->psk_identity)
M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
-#endif /* OPENSSL_NO_PSK */
if (in->tlsext_tick_lifetime_hint > 0)
M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
if (in->tlsext_tick)
@@ -502,7 +494,6 @@
else
ret->tlsext_hostname=NULL;
-#ifndef OPENSSL_NO_PSK
os.length=0;
os.data=NULL;
M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,7);
@@ -528,7 +519,6 @@
}
else
ret->psk_identity=NULL;
-#endif /* OPENSSL_NO_PSK */
ai.length=0;
M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,9);
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 4241c23..f1fc69b 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -580,10 +580,6 @@
*mkey |= SSL_kECDHe|SSL_kECDHr;
*auth |= SSL_aECDH;
#endif
-#ifdef OPENSSL_NO_PSK
- *mkey |= SSL_kPSK;
- *auth |= SSL_aPSK;
-#endif
#ifdef SSL_FORBID_ENULL
*enc |= SSL_eNULL;
#endif
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 74a8e06..fffe9e9 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -396,7 +396,6 @@
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
-#ifndef OPENSSL_NO_PSK
s->psk_identity_hint = NULL;
if (ctx->psk_identity_hint)
{
@@ -406,7 +405,6 @@
}
s->psk_client_callback=ctx->psk_client_callback;
s->psk_server_callback=ctx->psk_server_callback;
-#endif
return(s);
err:
@@ -693,10 +691,8 @@
if (s->tlsext_channel_id_private)
EVP_PKEY_free(s->tlsext_channel_id_private);
-#ifndef OPENSSL_NO_PSK
if (s->psk_identity_hint)
OPENSSL_free(s->psk_identity_hint);
-#endif
if (s->client_CA != NULL)
sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free);
@@ -2016,11 +2012,9 @@
ret->next_protos_advertised_cb = 0;
ret->next_proto_select_cb = 0;
# endif
-#ifndef OPENSSL_NO_PSK
ret->psk_identity_hint=NULL;
ret->psk_client_callback=NULL;
ret->psk_server_callback=NULL;
-#endif
#ifndef OPENSSL_NO_BUF_FREELISTS
ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -2143,10 +2137,8 @@
if (a->srtp_profiles)
sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
-#ifndef OPENSSL_NO_PSK
if (a->psk_identity_hint)
OPENSSL_free(a->psk_identity_hint);
-#endif
/* TODO(fork): remove. */
#if 0
@@ -2396,12 +2388,10 @@
}
#endif
-#ifndef OPENSSL_NO_PSK
mask_k |= SSL_kPSK;
mask_a |= SSL_aPSK;
emask_k |= SSL_kPSK;
emask_a |= SSL_aPSK;
-#endif
c->mask_k=mask_k;
c->mask_a=mask_a;
@@ -3175,7 +3165,6 @@
}
#endif
-#ifndef OPENSSL_NO_PSK
int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
{
if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN)
@@ -3287,7 +3276,6 @@
{
ctx->psk_server_callback = cb;
}
-#endif
void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
{
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 97ef3f8..ffc0d15 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -221,10 +221,8 @@
ss->tlsext_ellipticcurvelist = NULL;
#endif
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
-#ifndef OPENSSL_NO_PSK
ss->psk_identity_hint=NULL;
ss->psk_identity=NULL;
-#endif
return(ss);
}
@@ -391,7 +389,6 @@
return 0;
}
}
-#ifndef OPENSSL_NO_PSK
if (s->psk_identity_hint)
{
ss->psk_identity_hint = BUF_strdup(s->psk_identity_hint);
@@ -402,7 +399,6 @@
return 0;
}
}
-#endif
}
else
{
@@ -741,12 +737,10 @@
ss->tlsext_ellipticcurvelist_length = 0;
if (ss->tlsext_ellipticcurvelist != NULL) OPENSSL_free(ss->tlsext_ellipticcurvelist);
#endif /* OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_PSK
if (ss->psk_identity_hint != NULL)
OPENSSL_free(ss->psk_identity_hint);
if (ss->psk_identity != NULL)
OPENSSL_free(ss->psk_identity);
-#endif
OPENSSL_cleanse(ss,sizeof(*ss));
OPENSSL_free(ss);
}
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 96a0d78..1b78c4b 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -168,12 +168,10 @@
{
if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err;
}
-#ifndef OPENSSL_NO_PSK
if (BIO_puts(bp,"\n PSK identity: ") <= 0) goto err;
if (BIO_printf(bp, "%s", x->psk_identity ? x->psk_identity : "None") <= 0) goto err;
if (BIO_puts(bp,"\n PSK identity hint: ") <= 0) goto err;
if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) goto err;
-#endif
if (x->tlsext_tick_lifetime_hint)
{
if (BIO_printf(bp,
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ffadd22..2d67376 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1117,14 +1117,12 @@
c->mask_a |= SSL_aECDSA;
c->mask_k |= SSL_kECDHe;
}
-#ifndef OPENSSL_NO_PSK
/* with PSK there must be client callback set */
if (!s->psk_client_callback)
{
c->mask_a |= SSL_aPSK;
c->mask_k |= SSL_kPSK;
}
-#endif /* OPENSSL_NO_PSK */
c->valid = 1;
}