[openssl-commits] [openssl] OpenSSL source code branch OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-105-gf74f5c8

Matt Caswell matt at openssl.org
Tue Dec 16 14:22:48 UTC 2014 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  f74f5c8586b2bd30738f0bd45aec1f9e95d5945f (commit)
       via  a38ae11c48761ab468296e8960210f041b93dfde (commit)
      from  4ca0e95b92811f7dac9fff213350c248619a135c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f74f5c8586b2bd30738f0bd45aec1f9e95d5945f
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Dec 16 10:53:36 2014 +0000

    Add more meaningful OPENSSL_NO_ECDH error message for suite b mode
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
    (cherry picked from commit db812f2d70f0695fd53b386fe5e870bef8ca3c22)

commit a38ae11c48761ab468296e8960210f041b93dfde
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Nov 18 16:54:07 2014 +0000

    Add OPENSSL_NO_ECDH guards
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
    (cherry picked from commit af6e2d51bfeabbae827030d4c9d58a8f7477c4a0)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_pmeth.c |    8 ++++++++
 ssl/s3_lib.c         |    8 +++++++-
 ssl/ssl.h            |    1 +
 ssl/ssl_ciph.c       |    5 +++++
 ssl/ssl_err.c        |    1 +
 ssl/ssl_lib.c        |    2 ++
 ssl/ssl_locl.h       |    2 ++
 ssl/t1_lib.c         |    2 ++
 test/cms-test.pl     |   20 ++++++++++++++++++++
 9 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index e66e690..aea1d5b 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -213,6 +213,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_ECDH
 static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	{
 	int ret;
@@ -288,6 +289,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
 		}
 	return rv;
 	}
+#endif
 
 static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 	{
@@ -316,6 +318,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 		EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
 		return 1;
 
+#ifndef OPENSSL_NO_ECDH
 		case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
 		if (p1 == -2)
 			{
@@ -357,6 +360,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 			dctx->co_key = NULL;
 			}
 		return 1;
+#endif
 
 		case EVP_PKEY_CTRL_EC_KDF_TYPE:
 		if (p1 == -2)
@@ -556,7 +560,11 @@ const EVP_PKEY_METHOD ec_pkey_meth =
 	0,0,
 
 	0,
+#ifndef OPENSSL_NO_ECDH
 	pkey_ec_kdf_derive,
+#else
+	0,
+#endif
 
 	pkey_ec_ctrl,
 	pkey_ec_ctrl_str
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 361f295..713de72 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3484,10 +3484,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 	case SSL_CTRL_GET_SHARED_CURVE:
 		return tls1_shared_curve(s, larg);
 
+#ifndef OPENSSL_NO_ECDH
 	case SSL_CTRL_SET_ECDH_AUTO:
 		s->cert->ecdh_tmp_auto = larg;
 		return 1;
 #endif
+#endif
 	case SSL_CTRL_SET_SIGALGS:
 		return tls1_set_sigalgs(s->cert, parg, larg, 0);
 
@@ -3558,7 +3560,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 			EVP_PKEY *ptmp;
 			int rv = 0;
 			sc = s->session->sess_cert;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH)
 			if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
 							&& !sc->peer_ecdh_tmp)
 				return 0;
@@ -3899,10 +3901,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 		return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
 					&ctx->tlsext_ellipticcurvelist_length,
 								parg);
+#ifndef OPENSSL_NO_ECDH
 	case SSL_CTRL_SET_ECDH_AUTO:
 		ctx->cert->ecdh_tmp_auto = larg;
 		return 1;
 #endif
+#endif
 	case SSL_CTRL_SET_SIGALGS:
 		return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
 
@@ -4200,10 +4204,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 
 #ifndef OPENSSL_NO_TLSEXT
 #ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDH
 		/* if we are considering an ECC cipher suite that uses
 		 * an ephemeral EC key check it */
 		if (alg_k & SSL_kEECDH)
 			ok = ok && tls1_check_ec_tmp_key(s, c->id);
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
 
diff --git a/ssl/ssl.h b/ssl/ssl.h
index a5af6fc..d51ae38 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2778,6 +2778,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_ECC_CERT_NOT_FOR_SIGNING			 318
 #define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE	 322
 #define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE	 323
+#define SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE		 374
 #define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER		 310
 #define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST	 354
 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 150
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index d961903..0ad11dd 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1420,6 +1420,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 		return 0;
 		}
 
+#ifndef OPENSSL_NO_ECDH
 	switch(suiteb_flags)
 		{
 	case SSL_CERT_FLAG_SUITEB_128_LOS:
@@ -1438,6 +1439,10 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 	/* Set auto ECDH parameter determination */
 	c->ecdh_tmp_auto = 1;
 	return 1;
+#else
+	SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE);
+	return 0;
+#endif
 	}
 #endif
 
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index fd63d37..8fca51b 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -385,6 +385,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING),"ecc cert not for signing"},
 {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE),"ecc cert should have rsa signature"},
 {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE),"ecc cert should have sha1 signature"},
+{ERR_REASON(SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE),"ecdh required for suiteb mode"},
 {ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
 {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),"empty srtp protection profile list"},
 {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8f49a6f..8c269c4 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2355,8 +2355,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 		x = cpk->x509;
 		/* This call populates extension flags (ex_flags) */
 		X509_check_purpose(x, -1, 0);
+#ifndef OPENSSL_NO_ECDH
 		ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
 		    (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
+#endif
 		ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
 		    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
 		if (!(cpk->valid_flags & CERT_PKEY_SIGN))
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index ebcb5a2..7bc839c 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1301,7 +1301,9 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
 			int *curves, size_t ncurves);
 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
 				const char *str);
+#ifndef OPENSSL_NO_ECDH
 int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_TLSEXT
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2dea518..962861d 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -887,6 +887,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
 		}
 	return rv;
 	}
+#ifndef OPENSSL_NO_ECDH
 /* Check EC temporary key is compatible with client extensions */
 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 	{
@@ -953,6 +954,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 	return tls1_check_ec_key(s, curve_id, NULL);
 #endif
 	}
+#endif /* OPENSSL_NO_ECDH */
 
 #else
 
diff --git a/test/cms-test.pl b/test/cms-test.pl
index b5145ad..acd9315 100644
--- a/test/cms-test.pl
+++ b/test/cms-test.pl
@@ -89,6 +89,7 @@ my $halt_err = 1;
 my $badcmd = 0;
 my $no_ec;
 my $no_ec2m;
+my $no_ecdh;
 my $ossl8 = `$ossl_path version -v` =~ /0\.9\.8/;
 
 system ("$ossl_path no-ec > $null_path");
@@ -118,6 +119,20 @@ else
 	{
 	die "Error checking for EC2M support\n";
 	}
+
+system ("$ossl_path no-ecdh >/dev/null");
+if ($? == 0)
+	{
+	$no_ecdh = 1;
+	}
+elsif ($? == 256)
+	{
+	$no_ecdh = 0;
+	}
+else
+	{
+	die "Error checking for ECDH support\n";
+	}
     
 my @smime_pkcs7_tests = (
 
@@ -512,6 +527,11 @@ sub run_smime_tests {
 		print "$tnam: skipped, EC disabled\n";
 		next;
 		}
+	if ($no_ecdh && $tnam =~ /ECDH/)
+		{
+		print "$tnam: skipped, ECDH disabled\n";
+		next;
+		}
 	if ($no_ec2m && $tnam =~ /K-283/)
 		{
 		print "$tnam: skipped, EC2M disabled\n";


hooks/post-receive
-- 
OpenSSL source code

More information about the openssl-commits mailing list