From 94d61512360c4d16762a13e27fcad39ca4f5e506 Mon Sep 17 00:00:00 2001
From: Ben Laurie <ben@links.org>
Date: Sat, 12 Sep 2015 17:17:33 +0100
Subject: [PATCH] Make no-dh work, plus other no-dh problems found by Richard.

Reviewed-by: Rich Salz <rsalz@openssl.org>
---
 crypto/engine/eng_cryptodev.c       | 11 ++++++++++-
 ssl/s3_lib.c                        | 12 +++---------
 ssl/statem/statem_srvr.c            |  4 ++--
 test/recipes/70-test_sslskewith0p.t |  4 ++++
 4 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index d1c0029d35..dede52df44 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -55,7 +55,9 @@
 # include <errno.h>
 # include <string.h>
 #endif
-#include <openssl/dh.h>
+#ifndef OPENSSL_NO_DH
+# include <openssl/dh.h>
+#endif
 #include <openssl/dsa.h>
 #include <openssl/err.h>
 #include <openssl/rsa.h>
@@ -125,11 +127,13 @@ static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen,
                                       DSA *dsa);
 static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
                                 DSA_SIG *sig, DSA *dsa);
+#ifndef OPENSSL_NO_DH
 static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
                                 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
                                 BN_MONT_CTX *m_ctx);
 static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key,
                                     DH *dh);
+#endif
 static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
                           void (*f) (void));
 void ENGINE_load_cryptodev(void);
@@ -1364,6 +1368,7 @@ static DSA_METHOD cryptodev_dsa = {
     NULL                        /* app_data */
 };
 
+#ifndef OPENSSL_NO_DH
 static int
 cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
                      const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
@@ -1425,6 +1430,8 @@ static DH_METHOD cryptodev_dh = {
     NULL                        /* app_data */
 };
 
+#endif /* ndef OPENSSL_NO_DH */
+
 /*
  * ctrl right now is just a wrapper that doesn't do much
  * but I expect we'll want some options soon.
@@ -1512,6 +1519,7 @@ void ENGINE_load_cryptodev(void)
             cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify;
     }
 
+#ifndef OPENSSL_NO_DH
     if (ENGINE_set_DH(engine, &cryptodev_dh)) {
         const DH_METHOD *dh_meth = DH_OpenSSL();
 
@@ -1524,6 +1532,7 @@ void ENGINE_load_cryptodev(void)
                 cryptodev_dh.compute_key = cryptodev_dh_compute_key;
         }
     }
+#endif
 
     ENGINE_add(engine);
     ENGINE_free(engine);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index b6a73b9144..ee00741767 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4250,16 +4250,14 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
 
 long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 {
-    CERT *cert;
-
-    cert = ctx->cert;
-
     switch (cmd) {
 #ifndef OPENSSL_NO_DH
     case SSL_CTRL_SET_TMP_DH:
         {
             DH *new = NULL, *dh;
+            CERT *cert;
 
+            cert = ctx->cert;
             dh = (DH *)parg;
             if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
                                   DH_security_bits(dh), 0, dh)) {
@@ -4464,15 +4462,11 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 
 long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
 {
-    CERT *cert;
-
-    cert = ctx->cert;
-
     switch (cmd) {
 #ifndef OPENSSL_NO_DH
     case SSL_CTRL_SET_TMP_DH_CB:
         {
-            cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
+            cxt->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
         }
         break;
 #endif
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 3ccb28777e..51dcc9eee8 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1729,7 +1729,6 @@ int tls_construct_server_key_exchange(SSL *s)
     int al, i;
     unsigned long type;
     int n;
-    CERT *cert;
     BIGNUM *r[4];
     int nr[4], kn;
     BUF_MEM *buf;
@@ -1742,7 +1741,6 @@ int tls_construct_server_key_exchange(SSL *s)
     }
 
     type = s->s3->tmp.new_cipher->algorithm_mkey;
-    cert = s->cert;
 
     buf = s->init_buf;
 
@@ -1763,6 +1761,8 @@ int tls_construct_server_key_exchange(SSL *s)
 #endif                          /* !OPENSSL_NO_PSK */
 #ifndef OPENSSL_NO_DH
     if (type & (SSL_kDHE | SSL_kDHEPSK)) {
+        CERT *cert = s->cert;
+
         if (s->cert->dh_tmp_auto) {
             dhp = ssl_get_auto_dh(s);
             if (dhp == NULL) {
diff --git a/test/recipes/70-test_sslskewith0p.t b/test/recipes/70-test_sslskewith0p.t
index 3f5e131e6b..b3c5dc1d38 100755
--- a/test/recipes/70-test_sslskewith0p.t
+++ b/test/recipes/70-test_sslskewith0p.t
@@ -54,6 +54,7 @@
 
 use strict;
 use OpenSSL::Test qw/:DEFAULT cmdstr top_file top_dir/;
+use OpenSSL::Test::Utils;
 use TLSProxy::Proxy;
 
 my $test_name = "test_sslskewith0p";
@@ -64,6 +65,9 @@ plan skip_all => "$test_name can only be performed with OpenSSL configured share
 	    grep { /^SHARED_LIBS=/ }
 	    do { local @ARGV = ( top_file("Makefile") ); <> })[0] ne "";
 
+plan skip_all => "dh is not supported by this OpenSSL build"
+    if disabled("dh");
+
 $ENV{OPENSSL_ENGINES} = top_dir("engines");
 $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
-- 
2.25.1