diff --git a/apps/s_cb.c b/apps/s_cb.c
index 65c3dae0a2..69a50a4599 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -423,7 +423,7 @@ int ssl_print_sigalgs(BIO *out, SSL *s)
 BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
 return 1;
 }
-
+#ifndef OPENSSL_NO_EC
 int ssl_print_point_formats(BIO *out, SSL *s)
 {
 int i, nformats;
@@ -515,7 +515,7 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared)
 BIO_puts(out, "\n");
 return 1;
 }
-
+#endif
 int ssl_print_tmp_key(BIO *out, SSL *s)
 {
 EVP_PKEY *key;
@@ -531,7 +531,7 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
 case EVP_PKEY_DH:
 BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
 break;
-
+#ifndef OPENSSL_NO_ECDH
 case EVP_PKEY_EC:
 {
 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
@@ -545,6 +545,7 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
 BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key));
 }
+#endif
 }
 EVP_PKEY_free(key);
 return 1;
@@ -1565,11 +1566,16 @@ void print_ssl_summary(BIO *bio, SSL *s)
 BIO_puts(bio, "No peer certificate\n");
 if (peer)
 X509_free(peer);
+#ifndef OPENSSL_NO_EC
 ssl_print_point_formats(bio, s);
 if (SSL_is_server(s))
 ssl_print_curves(bio, s, 1);
 else
 ssl_print_tmp_key(bio, s);
+#else
+ if (!SSL_is_server(s))
+ ssl_print_tmp_key(bio, s);
+#endif
 }
 int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
diff --git a/apps/s_server.c b/apps/s_server.c
index f5c26dc605..1d8b6412bb 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2669,8 +2669,10 @@ static int init_ssl_connection(SSL *con)
 BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
 str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
 ssl_print_sigalgs(bio_s_out, con);
+#ifndef OPENSSL_NO_EC
 ssl_print_point_formats(bio_s_out, con);
 ssl_print_curves(bio_s_out, con, 0);
+#endif
 BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
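Review bot: The `case EVP_PKEY_EC:` branch of ssl_print_tmp_key is placed under `OPENSSL_NO_ECDH`, while every other EC-dependent block touched in this file (ssl_print_point_formats, ssl_print_curves, the print_ssl_summary branch) now uses `OPENSSL_NO_EC`. The branch calls EVP_PKEY_get1_EC_KEY, which is EC-module code, so the guard that names the dependency actually used is `#ifndef OPENSSL_NO_EC`; it builds today only if a no-ec configuration also defines OPENSSL_NO_ECDH, which nothing in the hunk shows. Suggest `#ifndef OPENSSL_NO_EC` on the line above `case EVP_PKEY_EC:` so the two guard styles in the file agree. The rest of ssl_print_tmp_key lies outside the hunk.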
@@ -3013,7 +3015,9 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
 BIO_puts(io,"\n");
 }
 ssl_print_sigalgs(io, con);
+#ifndef OPENSSL_NO_EC
 ssl_print_curves(io, con, 0);
+#endif
 BIO_printf(io,(SSL_cache_hit(con)
 ?"---\nReused, "
 :"---\nNew, "));
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 7b294b1d5e..36cc48e625 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -349,6 +349,8 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
 * flags. */
+#ifndef OPENSSL_NO_EC
+
 static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags)
 {
 const EC_GROUP *grp = NULL;
@@ -465,6 +467,20 @@ int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)
 sign_nid = OBJ_obj2nid(crl->crl->sig_alg->algorithm);
 return check_suite_b(pk, sign_nid, &flags);
 }
+
+#else
+int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
+ unsigned long flags)
+ {
+ return 0;
+ }
+
+int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)
+ {
+ return 0;
+ }
+
+#endif
 /* Not strictly speaking an "up_ref" as a STACK doesn't have a reference
 * count but it has the same effect by duping the STACK and upping the ref
 * of each X509 structure.
diff --git a/fips/rand/fips_randtest.c b/fips/rand/fips_randtest.c
index 58c1acecf5..9185783d54 100644
--- a/fips/rand/fips_randtest.c
+++ b/fips/rand/fips_randtest.c
@@ -110,7 +110,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
@@ -129,6 +128,7 @@ int main(int argc, char *argv[])
 #include "fips_utl.h"
 #include
+#include
 typedef struct {
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 65131358eb..8332512dca 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3428,6 +3428,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 else
 return ssl_cert_add0_chain_cert(s->cert, (X509 *)parg);
+#ifndef OPENSSL_NO_EC
 case SSL_CTRL_GET_CURVES:
 {
 unsigned char *clist;
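Review bot: The no-EC stubs of X509_chain_check_suiteb and X509_CRL_check_suiteb return 0, which is X509_V_OK, whatever `flags` asks for, so a caller that requests Suite B enforcement via X509_V_FLAG_SUITEB_128_LOS receives a success result although no check ran; the EC build appears to return X509_V_OK only when those flags are absent (that test is outside the hunk). The stubs should fail closed when Suite B is requested: `if (flags & X509_V_FLAG_SUITEB_128_LOS)` / `return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;` / `return X509_V_OK;` in both, with the chain variant also setting `*perror_depth = 0` when the pointer is non-NULL. A one-line comment on each stub stating that Suite B cannot be satisfied without EC would make the intent visible to the next reader.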
@@ -3470,7 +3471,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 case SSL_CTRL_SET_ECDH_AUTO:
 s->cert->ecdh_tmp_auto = larg;
 return 1;
-
+#endif
 case SSL_CTRL_SET_SIGALGS:
 return tls1_set_sigalgs(s->cert, parg, larg, 0);
@@ -3541,9 +3542,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 EVP_PKEY *ptmp;
 int rv = 0;
 sc = s->session->sess_cert;
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
 if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp)
 return 0;
+#endif
 ptmp = EVP_PKEY_new();
 if (!ptmp)
 return 0;
@@ -3568,7 +3571,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 EVP_PKEY_free(ptmp);
 return 0;
 }
-
+#ifndef OPENSSL_NO_EC
 case SSL_CTRL_GET_EC_POINT_FORMATS:
 {
 SSL_SESSION *sess = s->session;
@@ -3578,7 +3581,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 *pformat = sess->tlsext_ecpointformatlist;
 return (int)sess->tlsext_ecpointformatlist_length;
 }
-
+#endif
 default:
 break;
 }
@@ -3848,6 +3851,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 break;
 #endif
+#ifndef OPENSSL_NO_EC
 case SSL_CTRL_SET_CURVES:
 return tls1_set_curves(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length,
@@ -3860,7 +3864,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 case SSL_CTRL_SET_ECDH_AUTO:
 ctx->cert->ecdh_tmp_auto = larg;
 return 1;
-
+#endif
 case SSL_CTRL_SET_SIGALGS:
 return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
@@ -4178,7 +4182,10 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 int ret=0;
 const unsigned char *sig;
 size_t i, siglen;
- int have_rsa_sign = 0, have_dsa_sign = 0, have_ecdsa_sign = 0;
+ int have_rsa_sign = 0, have_dsa_sign = 0;
+#ifndef OPENSSL_NO_ECDSA
+ int have_ecdsa_sign = 0;
+#endif
 int nostrict = 1;
 unsigned long alg_k;
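Review bot: The guard added around the early-out in the SSL_CTRL_GET_PEER_TMP_KEY case names `OPENSSL_NO_EC` for the `sc->peer_ecdh_tmp` term, whereas the ECDH state elsewhere in this diff (`ecdh_tmp_auto`, the ssl_lib.c declarations) is keyed on `OPENSSL_NO_ECDH`; if `peer_ecdh_tmp` is itself declared under OPENSSL_NO_ECDH (not visible here), a no-ecdh build with EC still enabled references a missing field. The combined `#if` also removes the whole "no ephemeral key at all" early return as soon as any one of RSA, DH or EC is disabled, so that path then allocates `ptmp` and depends on the later `EVP_PKEY_free(ptmp); return 0;` to release it. Testing each field under the macro that declares it keeps the early-out in every configuration; the rest of this case is outside the hunk.
```c
		int rv = 0, have_tmp = 0;
		sc = s->session->sess_cert;
		/* Early out only when no ephemeral peer key of any enabled type is
		 * present; each field is tested under the macro that declares it. */
#ifndef OPENSSL_NO_RSA
		if (sc->peer_rsa_tmp)
			have_tmp = 1;
#endif
#ifndef OPENSSL_NO_DH
		if (sc->peer_dh_tmp)
			have_tmp = 1;
#endif
#ifndef OPENSSL_NO_ECDH
		if (sc->peer_ecdh_tmp)
			have_tmp = 1;
#endif
		if (!have_tmp)
			return 0;
		ptmp = EVP_PKEY_new();
		/* ... unchanged: allocation check and per-type key extraction ... */
```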
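Review bot: `have_ecdsa_sign` is now declared only under `OPENSSL_NO_ECDSA`, and the `TLSEXT_signature_ecdsa` case that sets it (the next hunk, on the following line) is under the same macro, but the place where it is read to emit the ECDSA certificate type is outside both hunks. If that read sits under a different guard, a build with only no-ecdsa fails on an undeclared identifier, so every remaining reference to `have_ecdsa_sign` in ssl3_get_req_cert_type needs to be inside `#ifndef OPENSSL_NO_ECDSA` as well. The body of ssl3_get_req_cert_type continues past the hunk.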
@@ -4203,10 +4210,11 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 case TLSEXT_signature_dsa:
 have_dsa_sign = 1;
 break;
-
+#ifndef OPENSSL_NO_ECDSA
 case TLSEXT_signature_ecdsa:
 have_ecdsa_sign = 1;
 break;
+#endif
 }
 }
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index afdc8ff5df..99e6c2f126 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1358,7 +1358,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 return(retval);
 }
-
+#ifndef OPENSSL_NO_EC
 static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 const char **prule_str)
 {
@@ -1417,6 +1417,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 c->ecdh_tmp_auto = 1;
 return 1;
 }
+#endif
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1436,10 +1437,10 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 */
 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
 return NULL;
-
+#ifndef OPENSSL_NO_EC
 if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
 return NULL;
-
+#endif
 /*
 * To reduce the work to do we only want to process the compiled
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 437f385f05..1f4c4dd153 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -253,7 +253,7 @@ static int cmd_curves(SSL_CONF_CTX *cctx, const char *value)
 rv = SSL_CTX_set1_curves_list(cctx->ctx, value);
 return rv > 0;
 }
-
+#ifndef OPENSSL_NO_ECDH
 /* ECDH temporary parameters */
 static int cmd_ecdhparam(SSL_CONF_CTX *cctx, const char *value)
 {
@@ -314,7 +314,7 @@ static int cmd_ecdhparam(SSL_CONF_CTX *cctx, const char *value)
 return rv > 0;
 }
-
+#endif
 static int cmd_cipher_list(SSL_CONF_CTX *cctx, const char *value)
 {
 int rv = 1;
@@ -378,7 +378,9 @@ static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
 {cmd_sigalgs, "SignatureAlgorithms", "sigalgs"},
 {cmd_client_sigalgs, "ClientSignatureAlgorithms", "client_sigalgs"},
 {cmd_curves, "Curves", "curves"},
+#ifndef OPENSSL_NO_ECDH
 {cmd_ecdhparam, "ECDHParameters", "named_curve"},
+#endif
 {cmd_cipher_list, "CipherString", "cipher"},
 {cmd_protocol, "Protocol", NULL},
 {cmd_options, "Options", NULL},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ba9d921275..9f00400654 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1186,8 +1186,10 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
 {
 switch (cmd)
 {
+#ifndef OPENSSL_NO_EC
 case SSL_CTRL_SET_CURVES_LIST:
 return tls1_set_curves_list(NULL, NULL, parg);
+#endif
 case SSL_CTRL_SET_SIGALGS_LIST:
 case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
 return tls1_set_sigalgs_list(NULL, parg, 0);
@@ -2252,14 +2254,17 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 int rsa_enc_export,dh_rsa_export,dh_dsa_export;
 int rsa_tmp_export,dh_tmp_export,kl;
 unsigned long mask_k,mask_a,emask_k,emask_a;
- int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
-#ifndef OPENSSL_NO_ECDH
- int have_ecdh_tmp;
+#ifndef OPENSSL_NO_ECDSA
+ int have_ecc_cert, ecdsa_ok, ecc_pkey_size;
 #endif
+#ifndef OPENSSL_NO_ECDH
+ int have_ecdh_tmp, ecdh_ok;
+#endif
+#ifndef OPENSSL_NO_EC
 X509 *x = NULL;
 EVP_PKEY *ecc_pkey = NULL;
 int signature_nid = 0, pk_nid = 0, md_nid = 0;
-
+#endif
 if (c == NULL)
 return;
 kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
@@ -2297,7 +2302,9 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 dh_dsa= cpk->valid_flags & CERT_PKEY_VALID;
 dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
 cpk= &(c->pkeys[SSL_PKEY_ECC]);
+#ifndef OPENSSL_NO_EC
 have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID;
+#endif
 mask_k=0;
 mask_a=0;
 emask_k=0;
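Review bot: The `cmd_ecdhparam` table entry is now compiled only when ECDH is available, but the `cmd_curves` entry two lines above stays unconditional even though it forwards to SSL_CTX_set1_curves_list, whose SSL_CTRL_SET_CURVES_LIST handling is placed under `OPENSSL_NO_EC` in the ssl_lib.c hunk that follows. In a no-ec build "Curves" thus appears to remain a recognised command that can only fail when executed, while "ECDHParameters" is reported as unknown — two different failure modes for the same missing feature. Suggest `#ifndef OPENSSL_NO_EC` around the `{cmd_curves, "Curves", "curves"},` entry and around cmd_curves itself, whose definition ends in the earlier ssl_conf.c hunk.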
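Review bot: `have_ecc_cert` is declared in the `#ifndef OPENSSL_NO_ECDSA` group, but both uses are under `#ifndef OPENSSL_NO_EC` — the assignment in the -2297 hunk here and the `if (have_ecc_cert)` in the -2377 hunk on the next line — so a configuration with EC enabled and ECDSA disabled compiles the uses without the declaration (nothing in the hunks shows no-ecdsa implying no-ec). Move it: `int ecdsa_ok, ecc_pkey_size;` under OPENSSL_NO_ECDSA and `int have_ecc_cert;` in the OPENSSL_NO_EC group next to `X509 *x = NULL;`. If `ecdh_ok`, `ecdsa_ok` or `ecc_pkey_size` are assigned inside the `if (have_ecc_cert)` body outside their own OPENSSL_NO_ECDH / OPENSSL_NO_ECDSA sub-guards (that body lies between the hunks), they have the same problem and belong in the OPENSSL_NO_EC group too.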
@@ -2377,6 +2384,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 /* An ECC certificate may be usable for ECDH and/or
 * ECDSA cipher suites depending on the key usage extension.
 */
+#ifndef OPENSSL_NO_EC
 if (have_ecc_cert)
 {
 cpk = &c->pkeys[SSL_PKEY_ECC];
@@ -2433,6 +2441,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 }
 #endif
 }
+#endif
 #ifndef OPENSSL_NO_ECDH
 if (have_ecdh_tmp)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ee376de545..151e7b8656 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -814,6 +814,13 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 #endif
 }
+#else
+
+static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
+ {
+ return 1;
+ }
+
 #endif /* OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_TLSEXT
@@ -861,17 +868,18 @@ static unsigned char tls12_sigalgs[] = {
 tlsext_sigalg_rsa(TLSEXT_hash_md5)
 #endif
 };
-
+#ifndef OPENSSL_NO_ECDSA
 static unsigned char suiteb_sigalgs[] = {
 tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
 tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
 };
-
+#endif
 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
 {
 /* If Suite B mode use Suite B sigalgs only, ignore any other
 * preferences. */
+#ifndef OPENSSL_NO_EC
 switch (tls1_suiteb(s))
 {
 case SSL_CERT_FLAG_SUITEB_128_LOS:
@@ -886,7 +894,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
 *psigs = suiteb_sigalgs + 2;
 return 2;
 }
-
+#endif
 /* If server use client authentication sigalgs if not NULL */
 if (s->server && s->cert->client_sigalgs)
 {
@@ -928,6 +936,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
 return 0;
 }
+#ifndef OPENSSL_NO_EC
 if (pkey->type == EVP_PKEY_EC)
 {
 unsigned char curve_id[2], comp_id;
@@ -968,6 +977,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
 }
 else if (tls1_suiteb(s))
 return 0;
+#endif
 /* Check signature matches a type we sent */
 sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
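Review bot: `suiteb_sigalgs` is wrapped in `#ifndef OPENSSL_NO_ECDSA`, but the `switch (tls1_suiteb(s))` in tls12_get_psigalgs that reads it (`*psigs = suiteb_sigalgs + 2;` in the -886 hunk) is wrapped in `#ifndef OPENSSL_NO_EC`, so a build with EC enabled and ECDSA disabled references an undeclared array. The two guards should name the same macro; as Suite B signing is ECDSA-only, `#ifndef OPENSSL_NO_ECDSA` on the switch (or `OPENSSL_NO_EC` on the array, matching the tls12_check_peer_sigalg hunks) keeps them in step. The middle of the switch, between the two hunks, is not visible here.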
@@ -1503,11 +1513,12 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 #ifndef OPENSSL_NO_NEXTPROTONEG
 int next_proto_neg_seen;
 #endif
+#ifndef OPENSSL_NO_EC
 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
 int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
-
+#endif
 /* don't add extensions for SSLv3, unless doing secure renegotiation */
 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
 return p;