From af6e2d51bfeabbae827030d4c9d58a8f7477c4a0 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 18 Nov 2014 16:54:07 +0000
Subject: [PATCH] Add OPENSSL_NO_ECDH guards
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Reviewed-by: Emilia Käsper
---
crypto/ec/ec_pmeth.c | 8 ++++++++
ssl/s3_lib.c | 8 +++++++-
ssl/ssl_ciph.c | 5 +++++
ssl/ssl_lib.c | 2 ++
ssl/ssl_locl.h | 2 ++
ssl/t1_lib.c | 2 ++
test/cms-test.pl | 20 ++++++++++++++++++++
7 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index 29752998c2..ad68139ef6 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -213,6 +213,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx, return ret; } +#ifndef OPENSSL_NO_ECDH static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) { int ret;
@@ -288,6 +289,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx, } return rv; } +#endif static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
@@ -316,6 +318,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) EC_GROUP_set_asn1_flag(dctx->gen_group, p1); return 1; +#ifndef OPENSSL_NO_ECDH case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: if (p1 == -2) {
@@ -357,6 +360,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) dctx->co_key = NULL; } return 1; +#endif case EVP_PKEY_CTRL_EC_KDF_TYPE: if (p1 == -2)
@@ -556,7 +560,11 @@ const EVP_PKEY_METHOD ec_pkey_meth = 0,0, 0, +#ifndef OPENSSL_NO_ECDH pkey_ec_kdf_derive, +#else + 0, +#endif pkey_ec_ctrl, pkey_ec_ctrl_str
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 51a4ec3e89..0cd08bd4f0 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
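Review bot: The `#endif` added after `pkey_ec_kdf_derive` in crypto/ec/ec_pmeth.c (hunk `@@ -288`) closes a guard opened roughly 75 lines earlier in hunk `@@ -213`, yet it carries no trailing comment, while the same commit writes `#endif /* OPENSSL_NO_ECDH */` in `ssl3_choose_cipher`, ssl/ssl_locl.h and ssl/t1_lib.c. The bare form is hardest to follow in `ssl3_ctrl` and `ssl3_ctx_ctrl`, where the new `#endif` sits directly above an existing bare `#endif`. I would use `#endif /* OPENSSL_NO_ECDH */` for every closing directive this patch adds, including those in `pkey_ec_ctrl`, the `ec_pkey_meth` table, ssl/ssl_ciph.c and ssl/ssl_lib.c.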
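Review bot: The guard in `pkey_ec_ctrl` (crypto/ec/ec_pmeth.c, hunks `@@ -316` and `@@ -357`) ends right after the `EVP_PKEY_CTRL_EC_ECDH_COFACTOR` case, so `case EVP_PKEY_CTRL_EC_KDF_TYPE:` on the line after the new `#endif` is still compiled in a no-ecdh build, although the last hunk puts `0` in the table slot that held `pkey_ec_kdf_derive`. A caller can then apparently set KDF options on a context that has no derive operation and still get a success return, which hides the misconfiguration. If the remaining KDF cases (outside this hunk) have no other use, moving the `#endif /* OPENSSL_NO_ECDH */` below the last of them would make those controls take the same path as the cofactor control now does for an unsupported type; otherwise a comment saying why they stay enabled would help. `pkey_ec_ctrl` begins and ends outside both hunks.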
@@ -3810,9 +3810,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_SHARED_CURVE: return tls1_shared_curve(s, larg); +#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_ECDH_AUTO: s->cert->ecdh_tmp_auto = larg; return 1; +#endif #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0);
@@ -3884,7 +3886,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY *ptmp; int rv = 0; sc = s->session->sess_cert; -#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH) if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp) return 0;
@@ -4237,9 +4239,11 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, parg); +#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_ECDH_AUTO: ctx->cert->ecdh_tmp_auto = larg; return 1; +#endif #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
@@ -4543,10 +4547,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECDH /* if we are considering an ECC cipher suite that uses * an ephemeral EC key check it */ if (alg_k & SSL_kECDHE) ok = ok && tls1_check_ec_tmp_key(s, c->id); +#endif /* OPENSSL_NO_ECDH */ #endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_TLSEXT */
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 133d9d9b2f..60e5772639 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1436,6 +1436,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, return 0; } +#ifndef OPENSSL_NO_ECDH switch(suiteb_flags) { case SSL_CERT_FLAG_SUITEB_128_LOS:
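Review bot: Adding `!defined(OPENSSL_NO_ECDH)` to the `#if` in ssl/s3_lib.c hunk `@@ -3884` makes the early `return 0` all-or-nothing: in a no-ecdh build the `peer_rsa_tmp` and `peer_dh_tmp` tests are dropped too, even though they would still compile. That is only safe if the code after the hunk copes with a session that holds no temporary key at all, which is not visible here. A comment on the directive would record the intent, for example `/* Shortcut only: compiled out unless RSA, DH, EC and ECDH are all enabled */`. The enclosing branch of `ssl3_ctrl` starts and ends outside the hunk.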
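Review bot: With `OPENSSL_NO_ECDH` defined, the `tls1_check_ec_tmp_key(s, c->id)` test in `ssl3_choose_cipher` (ssl/s3_lib.c hunk `@@ -4543`) is compiled out with nothing in its place, so a suite with `alg_k & SSL_kECDHE` set would pass this stage unchecked. That is fine only if such suites can never be candidates in a no-ecdh build, which this hunk does not show. Failing closed would remove the dependency on that assumption: add `#else` followed by `if (alg_k & SSL_kECDHE) ok = 0;` before the new `#endif /* OPENSSL_NO_ECDH */`, assuming `SSL_kECDHE` stays defined in that configuration. The rest of `ssl3_choose_cipher` lies outside the hunk.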
@@ -1454,6 +1455,10 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, /* Set auto ECDH parameter determination */ c->ecdh_tmp_auto = 1; return 1; +#else + SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); + return 0; +#endif } #endif
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a4d565fb4a..ea271fb4f5 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2361,8 +2361,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) x = cpk->x509; /* This call populates extension flags (ex_flags) */ X509_check_purpose(x, -1, 0); +#ifndef OPENSSL_NO_ECDH ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; +#endif ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; if (!(cpk->valid_flags & CERT_PKEY_SIGN))
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4e307e44c1..2e598e3ac5 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1250,7 +1250,9 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen, int *curves, size_t ncurves); int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str); +#ifndef OPENSSL_NO_ECDH int tls1_check_ec_tmp_key(SSL *s, unsigned long id); +#endif /* OPENSSL_NO_ECDH */ #endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_TLSEXT
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8d5fd12903..f0291b115f 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -828,6 +828,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) } return rv; } +#ifndef OPENSSL_NO_ECDH /* Check EC temporary key is compatible with client extensions */ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) {
@@ -894,6 +895,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) return tls1_check_ec_key(s, curve_id, NULL); #endif } +#endif /* OPENSSL_NO_ECDH */ #else
diff --git a/test/cms-test.pl b/test/cms-test.pl
index 595ab48fa9..7d4ca2990a 100644
--- a/test/cms-test.pl
+++ b/test/cms-test.pl
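Review bot: The new `#else` branch in `check_suiteb_cipher_list` (ssl/ssl_ciph.c hunk `@@ -1454`) fails closed, but it reports `SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS` for what is really a build without ECDH, and nothing in the code says why Suite B mode is refused outright. A short comment above the `SSLerr` call would make that explicit, e.g. `/* Suite B mode relies on ECDH, which this build does not provide */`. The matching `#ifndef` is in the previous hunk and the start of the function is outside both.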
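Review bot: The `ecdsa_ok` assignment directly below the new guard in `ssl_set_cert_masks` (ssl/ssl_lib.c) stays unconditional, while `ecdh_ok` is now set only when ECDH is compiled in. If `ecdsa_ok` is declared under `OPENSSL_NO_ECDSA` the way `ecdh_ok` is presumably declared under `OPENSSL_NO_ECDH` (both declarations are outside this hunk), a no-ecdsa build would hit the same compile failure this change removes for ECDH. Worth checking, and if so wrapping that statement in `#ifndef OPENSSL_NO_ECDSA` and `#endif /* OPENSSL_NO_ECDSA */` to keep the two symmetric.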
@@ -84,6 +84,7 @@ my $halt_err = 1; my $badcmd = 0; my $no_ec; my $no_ec2m; +my $no_ecdh; my $ossl8 = `$ossl_path version -v` =~ /0\.9\.8/; system ("$ossl_path no-ec >/dev/null");
@@ -113,6 +114,20 @@ else { die "Error checking for EC2M support\n"; } + +system ("$ossl_path no-ecdh >/dev/null"); +if ($? == 0) + { + $no_ecdh = 1; + } +elsif ($? == 256) + { + $no_ecdh = 0; + } +else + { + die "Error checking for ECDH support\n"; + } my @smime_pkcs7_tests = (
@@ -507,6 +522,11 @@ sub run_smime_tests { print "$tnam: skipped, EC disabled\n"; next; } + if ($no_ecdh && $tnam =~ /ECDH/) + { + print "$tnam: skipped, ECDH disabled\n"; + next; + } if ($no_ec2m && $tnam =~ /K-283/) { print "$tnam: skipped, EC2M disabled\n";
-- 2.25.1
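Review bot: The probe added in test/cms-test.pl hunk `@@ -113` is the third copy of the same block (the `no-ec` and EC2M ones show in the context lines), and like them it compares `$?` with the bare number `256`, which is the wait status for exit code 1. A small helper would remove the duplication and name that value once. The command is also built by interpolating `$ossl_path` into a shell string, so a path containing spaces or shell metacharacters is interpreted by the shell; that follows the existing pattern, but it matters if the path can come from an untrusted environment.

```perl
# Probe "openssl <flag>": returns 1 when the feature is compiled out, 0 when present.
sub feature_disabled
	{
	my ($flag, $label) = @_;
	system ("$ossl_path $flag >/dev/null");
	return 1 if $? == 0;
	return 0 if $? == 256;	# wait status for exit code 1
	die "Error checking for $label support\n";
	}

$no_ecdh = feature_disabled("no-ecdh", "ECDH");
```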