generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add OPENSSL_NO_ECDH guards

Browse Source 
Reviewed-by: Emilia Käsper <emilia@openssl.org>
This commit is contained in:
Matt Caswell 2014-11-18 16:54:07 +00:00
parent 55e530265a
commit af6e2d51bf
7 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
crypto/ec/ec_pmeth.c
View File

@ -213,6 +213,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
return ret; return ret;
} }
#ifndef OPENSSL_NO_ECDH
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
{ {
int ret; int ret;
@ -288,6 +289,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
} }
return rv; return rv;
} }
#endif
static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{ {
@ -316,6 +318,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
EC_GROUP_set_asn1_flag(dctx->gen_group, p1); EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
return 1; return 1;
#ifndef OPENSSL_NO_ECDH
case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
if (p1 == -2) if (p1 == -2)
{ {
@ -357,6 +360,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
dctx->co_key = NULL; dctx->co_key = NULL;
} }
return 1; return 1;
#endif
case EVP_PKEY_CTRL_EC_KDF_TYPE: case EVP_PKEY_CTRL_EC_KDF_TYPE:
if (p1 == -2) if (p1 == -2)
@ -556,7 +560,11 @@ const EVP_PKEY_METHOD ec_pkey_meth =
0,0, 0,0,
0, 0,
#ifndef OPENSSL_NO_ECDH
pkey_ec_kdf_derive, pkey_ec_kdf_derive,
#else
0,
#endif
pkey_ec_ctrl, pkey_ec_ctrl,
pkey_ec_ctrl_str pkey_ec_ctrl_str

8
ssl/s3_lib.c
View File

@ -3810,9 +3810,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_SHARED_CURVE: case SSL_CTRL_GET_SHARED_CURVE:
return tls1_shared_curve(s, larg); return tls1_shared_curve(s, larg);
#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_ECDH_AUTO: case SSL_CTRL_SET_ECDH_AUTO:
s->cert->ecdh_tmp_auto = larg; s->cert->ecdh_tmp_auto = larg;
return 1; return 1;
#endif
#endif #endif
case SSL_CTRL_SET_SIGALGS: case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0); return tls1_set_sigalgs(s->cert, parg, larg, 0);
@ -3884,7 +3886,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
EVP_PKEY *ptmp; EVP_PKEY *ptmp;
int rv = 0; int rv = 0;
sc = s->session->sess_cert; sc = s->session->sess_cert;
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH)
if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
&& !sc->peer_ecdh_tmp) && !sc->peer_ecdh_tmp)
return 0; return 0;
@ -4237,9 +4239,11 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length, &ctx->tlsext_ellipticcurvelist_length,
parg); parg);
#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_ECDH_AUTO: case SSL_CTRL_SET_ECDH_AUTO:
ctx->cert->ecdh_tmp_auto = larg; ctx->cert->ecdh_tmp_auto = larg;
return 1; return 1;
#endif
#endif #endif
case SSL_CTRL_SET_SIGALGS: case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0); return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
@ -4543,10 +4547,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_ECDH
/* if we are considering an ECC cipher suite that uses /* if we are considering an ECC cipher suite that uses
* an ephemeral EC key check it */ * an ephemeral EC key check it */
if (alg_k & SSL_kECDHE) if (alg_k & SSL_kECDHE)
ok = ok && tls1_check_ec_tmp_key(s, c->id); ok = ok && tls1_check_ec_tmp_key(s, c->id);
#endif /* OPENSSL_NO_ECDH */
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
#endif /* OPENSSL_NO_TLSEXT */ #endif /* OPENSSL_NO_TLSEXT */

5
ssl/ssl_ciph.c
View File

@ -1436,6 +1436,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
return 0; return 0;
} }
#ifndef OPENSSL_NO_ECDH
switch(suiteb_flags) switch(suiteb_flags)
{ {
case SSL_CERT_FLAG_SUITEB_128_LOS: case SSL_CERT_FLAG_SUITEB_128_LOS:
@ -1454,6 +1455,10 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
/* Set auto ECDH parameter determination */ /* Set auto ECDH parameter determination */
c->ecdh_tmp_auto = 1; c->ecdh_tmp_auto = 1;
return 1; return 1;
#else
SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
return 0;
#endif
} }
#endif #endif

2
ssl/ssl_lib.c
View File

@ -2361,8 +2361,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
x = cpk->x509; x = cpk->x509;
/* This call populates extension flags (ex_flags) */ /* This call populates extension flags (ex_flags) */
X509_check_purpose(x, -1, 0); X509_check_purpose(x, -1, 0);
#ifndef OPENSSL_NO_ECDH
ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
(x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
#endif
ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
if (!(cpk->valid_flags & CERT_PKEY_SIGN)) if (!(cpk->valid_flags & CERT_PKEY_SIGN))

2
ssl/ssl_locl.h
View File

@ -1250,7 +1250,9 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
int *curves, size_t ncurves); int *curves, size_t ncurves);
int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
const char *str); const char *str);
#ifndef OPENSSL_NO_ECDH
int tls1_check_ec_tmp_key(SSL *s, unsigned long id); int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
#endif /* OPENSSL_NO_ECDH */
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT

2
ssl/t1_lib.c
View File

@ -828,6 +828,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
} }
return rv; return rv;
} }
#ifndef OPENSSL_NO_ECDH
/* Check EC temporary key is compatible with client extensions */ /* Check EC temporary key is compatible with client extensions */
int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
{ {
@ -894,6 +895,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
return tls1_check_ec_key(s, curve_id, NULL); return tls1_check_ec_key(s, curve_id, NULL);
#endif #endif
} }
#endif /* OPENSSL_NO_ECDH */
#else #else

20
test/cms-test.pl
View File

@ -84,6 +84,7 @@ my $halt_err = 1;
my $badcmd = 0; my $badcmd = 0;
my $no_ec; my $no_ec;
my $no_ec2m; my $no_ec2m;
my $no_ecdh;
my $ossl8 = `$ossl_path version -v` =~ /0\.9\.8/; my $ossl8 = `$ossl_path version -v` =~ /0\.9\.8/;
system ("$ossl_path no-ec >/dev/null"); system ("$ossl_path no-ec >/dev/null");
@ -113,6 +114,20 @@ else
{ {
die "Error checking for EC2M support\n"; die "Error checking for EC2M support\n";
} }
system ("$ossl_path no-ecdh >/dev/null");
if ($? == 0)
{
$no_ecdh = 1;
}
elsif ($? == 256)
{
$no_ecdh = 0;
}
else
{
die "Error checking for ECDH support\n";
}
my @smime_pkcs7_tests = ( my @smime_pkcs7_tests = (
@ -507,6 +522,11 @@ sub run_smime_tests {
print "$tnam: skipped, EC disabled\n"; print "$tnam: skipped, EC disabled\n";
next; next;
} }
if ($no_ecdh && $tnam =~ /ECDH/)
{
print "$tnam: skipped, ECDH disabled\n";
next;
}
if ($no_ec2m && $tnam =~ /K-283/) if ($no_ec2m && $tnam =~ /K-283/)
{ {
print "$tnam: skipped, EC2M disabled\n"; print "$tnam: skipped, EC2M disabled\n";