Make no-ec compilation work.
authorDr. Stephen Henson <steve@openssl.org>
Sat, 17 Aug 2013 16:40:08 +0000 (17:40 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 17 Aug 2013 16:41:13 +0000 (17:41 +0100)
apps/s_cb.c
apps/s_server.c
crypto/x509/x509_cmp.c
fips/rand/fips_randtest.c
ssl/s3_lib.c
ssl/ssl_ciph.c
ssl/ssl_conf.c
ssl/ssl_lib.c
ssl/t1_lib.c

index 65c3dae..69a50a4 100644 (file)
@@ -423,7 +423,7 @@ int ssl_print_sigalgs(BIO *out, SSL *s)
                BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
        return 1;
        }
-
+#ifndef OPENSSL_NO_EC
 int ssl_print_point_formats(BIO *out, SSL *s)
        {
        int i, nformats;
@@ -515,7 +515,7 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared)
        BIO_puts(out, "\n");
        return 1;
        }
-
+#endif
 int ssl_print_tmp_key(BIO *out, SSL *s)
        {
        EVP_PKEY *key;
@@ -531,7 +531,7 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
        case EVP_PKEY_DH:
                BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
                break;
-
+#ifndef OPENSSL_NO_ECDH
        case EVP_PKEY_EC:
                        {
                        EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
@@ -545,6 +545,7 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
                        BIO_printf(out, "ECDH, %s, %d bits\n",
                                                cname, EVP_PKEY_bits(key));
                        }
+#endif
                }
        EVP_PKEY_free(key);
        return 1;
@@ -1565,11 +1566,16 @@ void print_ssl_summary(BIO *bio, SSL *s)
                BIO_puts(bio, "No peer certificate\n");
        if (peer)
                X509_free(peer);
+#ifndef OPENSSL_NO_EC
        ssl_print_point_formats(bio, s);
        if (SSL_is_server(s))
                ssl_print_curves(bio, s, 1);
        else
                ssl_print_tmp_key(bio, s);
+#else
+       if (!SSL_is_server(s))
+               ssl_print_tmp_key(bio, s);
+#endif
        }
 
 int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
index f5c26dc..1d8b641 100644 (file)
@@ -2669,8 +2669,10 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        ssl_print_sigalgs(bio_s_out, con);
+#ifndef OPENSSL_NO_EC
        ssl_print_point_formats(bio_s_out, con);
        ssl_print_curves(bio_s_out, con, 0);
+#endif
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
 
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
@@ -3013,7 +3015,9 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
                                BIO_puts(io,"\n");
                                }
                        ssl_print_sigalgs(io, con);
+#ifndef OPENSSL_NO_EC
                        ssl_print_curves(io, con, 0);
+#endif
                        BIO_printf(io,(SSL_cache_hit(con)
                                ?"---\nReused, "
                                :"---\nNew, "));
index 7b294b1..36cc48e 100644 (file)
@@ -349,6 +349,8 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
  * flags.
  */
 
+#ifndef OPENSSL_NO_EC
+
 static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags)
        {
        const EC_GROUP *grp = NULL;
@@ -465,6 +467,20 @@ int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)
        sign_nid = OBJ_obj2nid(crl->crl->sig_alg->algorithm);
        return check_suite_b(pk, sign_nid, &flags);
        }
+
+#else
+int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
+                                                       unsigned long flags)
+       {
+       return 0;
+       }
+
+int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)
+       {
+       return 0;
+       }
+
+#endif
 /* Not strictly speaking an "up_ref" as a STACK doesn't have a reference
  * count but it has the same effect by duping the STACK and upping the ref
  * of each X509 structure.
index 58c1ace..9185783 100644 (file)
 #include <string.h>
 #include <ctype.h>
 #include <openssl/rand.h>
-#include <openssl/fips_rand.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
 
@@ -129,6 +128,7 @@ int main(int argc, char *argv[])
 
 #include "fips_utl.h"
 #include <openssl/fips.h>
+#include <openssl/fips_rand.h>
 
 typedef struct
        {
index 6513135..8332512 100644 (file)
@@ -3428,6 +3428,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                else
                        return ssl_cert_add0_chain_cert(s->cert, (X509 *)parg);
 
+#ifndef OPENSSL_NO_EC
        case SSL_CTRL_GET_CURVES:
                {
                unsigned char *clist;
@@ -3470,7 +3471,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        case SSL_CTRL_SET_ECDH_AUTO:
                s->cert->ecdh_tmp_auto = larg;
                return 1;
-
+#endif
        case SSL_CTRL_SET_SIGALGS:
                return tls1_set_sigalgs(s->cert, parg, larg, 0);
 
@@ -3541,9 +3542,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                        EVP_PKEY *ptmp;
                        int rv = 0;
                        sc = s->session->sess_cert;
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
                        if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
                                                        && !sc->peer_ecdh_tmp)
                                return 0;
+#endif
                        ptmp = EVP_PKEY_new();
                        if (!ptmp)
                                return 0;
@@ -3568,7 +3571,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                        EVP_PKEY_free(ptmp);
                        return 0;
                        }
-
+#ifndef OPENSSL_NO_EC
        case SSL_CTRL_GET_EC_POINT_FORMATS:
                {
                SSL_SESSION *sess = s->session;
@@ -3578,7 +3581,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                *pformat = sess->tlsext_ecpointformatlist;
                return (int)sess->tlsext_ecpointformatlist_length;
                }
-
+#endif
        default:
                break;
                }
@@ -3848,6 +3851,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                break;
 #endif
 
+#ifndef OPENSSL_NO_EC
        case SSL_CTRL_SET_CURVES:
                return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
                                        &ctx->tlsext_ellipticcurvelist_length,
@@ -3860,7 +3864,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
        case SSL_CTRL_SET_ECDH_AUTO:
                ctx->cert->ecdh_tmp_auto = larg;
                return 1;
-
+#endif
        case SSL_CTRL_SET_SIGALGS:
                return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
 
@@ -4178,7 +4182,10 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
        int ret=0;
        const unsigned char *sig;
        size_t i, siglen;
-       int have_rsa_sign = 0, have_dsa_sign = 0, have_ecdsa_sign = 0;
+       int have_rsa_sign = 0, have_dsa_sign = 0;
+#ifndef OPENSSL_NO_ECDSA
+       int have_ecdsa_sign = 0;
+#endif
        int nostrict = 1;
        unsigned long alg_k;
 
@@ -4203,10 +4210,11 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
                case TLSEXT_signature_dsa:
                        have_dsa_sign = 1;
                        break;
-
+#ifndef OPENSSL_NO_ECDSA
                case TLSEXT_signature_ecdsa:
                        have_ecdsa_sign = 1;
                        break;
+#endif
                        }
                }
 
index afdc8ff..99e6c2f 100644 (file)
@@ -1358,7 +1358,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 
        return(retval);
        }
-
+#ifndef OPENSSL_NO_EC
 static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                                        const char **prule_str)
        {
@@ -1417,6 +1417,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
        c->ecdh_tmp_auto = 1;
        return 1;
        }
+#endif
 
 
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
@@ -1436,10 +1437,10 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
                return NULL;
-
+#ifndef OPENSSL_NO_EC
        if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
                return NULL;
-
+#endif
 
        /*
         * To reduce the work to do we only want to process the compiled
index 437f385..1f4c4dd 100644 (file)
@@ -253,7 +253,7 @@ static int cmd_curves(SSL_CONF_CTX *cctx, const char *value)
                rv = SSL_CTX_set1_curves_list(cctx->ctx, value);
        return rv > 0;
        }
-
+#ifndef OPENSSL_NO_ECDH
 /* ECDH temporary parameters */
 static int cmd_ecdhparam(SSL_CONF_CTX *cctx, const char *value)
        {
@@ -314,7 +314,7 @@ static int cmd_ecdhparam(SSL_CONF_CTX *cctx, const char *value)
 
        return rv > 0;
        }
-
+#endif
 static int cmd_cipher_list(SSL_CONF_CTX *cctx, const char *value)
        {
        int rv = 1;
@@ -378,7 +378,9 @@ static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
        {cmd_sigalgs,           "SignatureAlgorithms", "sigalgs"},
        {cmd_client_sigalgs,    "ClientSignatureAlgorithms", "client_sigalgs"},
        {cmd_curves,            "Curves", "curves"},
+#ifndef OPENSSL_NO_ECDH
        {cmd_ecdhparam,         "ECDHParameters", "named_curve"},
+#endif
        {cmd_cipher_list,       "CipherString", "cipher"},
        {cmd_protocol,          "Protocol", NULL},
        {cmd_options,           "Options", NULL},
index ba9d921..9f00400 100644 (file)
@@ -1186,8 +1186,10 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
                {
                switch (cmd)
                        {
+#ifndef OPENSSL_NO_EC
                case SSL_CTRL_SET_CURVES_LIST:
                        return tls1_set_curves_list(NULL, NULL, parg);
+#endif
                case SSL_CTRL_SET_SIGALGS_LIST:
                case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
                        return tls1_set_sigalgs_list(NULL, parg, 0);
@@ -2252,14 +2254,17 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        int rsa_enc_export,dh_rsa_export,dh_dsa_export;
        int rsa_tmp_export,dh_tmp_export,kl;
        unsigned long mask_k,mask_a,emask_k,emask_a;
-       int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
+#ifndef OPENSSL_NO_ECDSA
+       int have_ecc_cert, ecdsa_ok, ecc_pkey_size;
+#endif
 #ifndef OPENSSL_NO_ECDH
-       int have_ecdh_tmp;
+       int have_ecdh_tmp, ecdh_ok;
 #endif
+#ifndef OPENSSL_NO_EC
        X509 *x = NULL;
        EVP_PKEY *ecc_pkey = NULL;
        int signature_nid = 0, pk_nid = 0, md_nid = 0;
-
+#endif
        if (c == NULL) return;
 
        kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
@@ -2297,7 +2302,9 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        dh_dsa=  cpk->valid_flags & CERT_PKEY_VALID;
        dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_ECC]);
+#ifndef OPENSSL_NO_EC
        have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID;
+#endif
        mask_k=0;
        mask_a=0;
        emask_k=0;
@@ -2377,6 +2384,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        /* An ECC certificate may be usable for ECDH and/or
         * ECDSA cipher suites depending on the key usage extension.
         */
+#ifndef OPENSSL_NO_EC
        if (have_ecc_cert)
                {
                cpk = &c->pkeys[SSL_PKEY_ECC];
@@ -2433,6 +2441,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
                        }
 #endif
                }
+#endif
 
 #ifndef OPENSSL_NO_ECDH
        if (have_ecdh_tmp)
index ee376de..151e7b8 100644 (file)
@@ -814,6 +814,13 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 #endif
        }
 
+#else
+
+static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
+       {
+       return 1;
+       }
+
 #endif /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -861,17 +868,18 @@ static unsigned char tls12_sigalgs[] = {
        tlsext_sigalg_rsa(TLSEXT_hash_md5)
 #endif
 };
-
+#ifndef OPENSSL_NO_ECDSA
 static unsigned char suiteb_sigalgs[] = {
        tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
        tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
 };
-
+#endif
 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
        {
        /* If Suite B mode use Suite B sigalgs only, ignore any other
         * preferences.
         */
+#ifndef OPENSSL_NO_EC
        switch (tls1_suiteb(s))
                {
        case SSL_CERT_FLAG_SUITEB_128_LOS:
@@ -886,7 +894,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
                *psigs = suiteb_sigalgs + 2;
                return 2;
                }
-
+#endif
        /* If server use client authentication sigalgs if not NULL */
        if (s->server && s->cert->client_sigalgs)
                {
@@ -928,6 +936,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
                SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
                return 0;
                }
+#ifndef OPENSSL_NO_EC
        if (pkey->type == EVP_PKEY_EC)
                {
                unsigned char curve_id[2], comp_id;
@@ -968,6 +977,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
                }
        else if (tls1_suiteb(s))
                return 0;
+#endif
 
        /* Check signature matches a type we sent */
        sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
@@ -1503,11 +1513,12 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 #ifndef OPENSSL_NO_NEXTPROTONEG
        int next_proto_neg_seen;
 #endif
+#ifndef OPENSSL_NO_EC
        unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
        int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
        using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
-
+#endif
        /* don't add extensions for SSLv3, unless doing secure renegotiation */
        if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
                return p;