[openssl-commits] [openssl] OpenSSL source code branch master updated. db812f2d70f0695fd53b386fe5e870bef8ca3c22
Matt Caswell
matt at openssl.org
Tue Dec 16 14:22:56 UTC 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".
The branch, master has been updated
via db812f2d70f0695fd53b386fe5e870bef8ca3c22 (commit)
via ad500fdc494cc8b988b567371eef60824a78b070 (commit)
via fd86c2b153de991362a98771bc6d3deb2ee579bd (commit)
via af6e2d51bfeabbae827030d4c9d58a8f7477c4a0 (commit)
from 55e530265a7ea8f264717a4e37338cc04eca2007 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit db812f2d70f0695fd53b386fe5e870bef8ca3c22
Author: Matt Caswell <matt at openssl.org>
Date: Tue Dec 16 10:53:36 2014 +0000
Add more meaningful OPENSSL_NO_ECDH error message for suite b mode
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit ad500fdc494cc8b988b567371eef60824a78b070
Author: Matt Caswell <matt at openssl.org>
Date: Wed Nov 19 14:07:36 2014 +0000
Rename gost2814789t.c to gost2814789test.c. The old name caused problems
for dummytest if gost is compiled out, since the name of the test is not
standard (dummytest segfaults). Also the old name caused problems for git
because the executable was not in the .gitignore file
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit fd86c2b153de991362a98771bc6d3deb2ee579bd
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 18 17:16:57 2014 +0000
Add missing OPENSSL_NO_EC guards
Reviewed-by: Emilia Käsper <emilia at openssl.org>
commit af6e2d51bfeabbae827030d4c9d58a8f7477c4a0
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 18 16:54:07 2014 +0000
Add OPENSSL_NO_ECDH guards
Reviewed-by: Emilia Käsper <emilia at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/s_cb.c | 2 ++
crypto/ec/ec_pmeth.c | 8 +++++
engines/ccgost/Makefile | 2 +-
.../ccgost/{gost2814789t.c => gost2814789test.c} | 0
ssl/s3_lib.c | 8 ++++-
ssl/ssl.h | 1 +
ssl/ssl_ciph.c | 5 ++++
ssl/ssl_err.c | 1 +
ssl/ssl_lib.c | 2 ++
ssl/ssl_locl.h | 2 ++
ssl/t1_lib.c | 2 ++
test/Makefile | 31 ++++++++++----------
test/cms-test.pl | 20 +++++++++++++
13 files changed, 67 insertions(+), 17 deletions(-)
rename engines/ccgost/{gost2814789t.c => gost2814789test.c} (100%)
diff --git a/apps/s_cb.c b/apps/s_cb.c
index f3892f9..0a6d0ce 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1816,6 +1816,7 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
BIO_puts(sdb->out, SSL_CIPHER_get_name(other));
break;
+#ifndef OPENSSL_NO_EC
case SSL_SECOP_OTHER_CURVE:
{
const char *cname;
@@ -1825,6 +1826,7 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
BIO_puts(sdb->out, cname);
}
break;
+#endif
case SSL_SECOP_OTHER_DH:
{
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index 2975299..ad68139 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -213,6 +213,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
return ret;
}
+#ifndef OPENSSL_NO_ECDH
static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
{
int ret;
@@ -288,6 +289,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
}
return rv;
}
+#endif
static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
{
@@ -316,6 +318,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
return 1;
+#ifndef OPENSSL_NO_ECDH
case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
if (p1 == -2)
{
@@ -357,6 +360,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
dctx->co_key = NULL;
}
return 1;
+#endif
case EVP_PKEY_CTRL_EC_KDF_TYPE:
if (p1 == -2)
@@ -556,7 +560,11 @@ const EVP_PKEY_METHOD ec_pkey_meth =
0,0,
0,
+#ifndef OPENSSL_NO_ECDH
pkey_ec_kdf_derive,
+#else
+ 0,
+#endif
pkey_ec_ctrl,
pkey_ec_ctrl_str
diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile
index bcb82e3..be9a134 100644
--- a/engines/ccgost/Makefile
+++ b/engines/ccgost/Makefile
@@ -8,7 +8,7 @@ AR= ar r
CFLAGS= $(INCLUDES) $(CFLAG)
LIB=$(TOP)/libcrypto.a
-TEST=gost2814789t.c
+TEST=gost2814789test.c
LIBSRC= gost2001.c gost2001_keyx.c gost89.c gost94_keyx.c gost_ameth.c gost_asn1.c gost_crypt.c gost_ctl.c gost_eng.c gosthash.c gost_keywrap.c gost_md.c gost_params.c gost_pmeth.c gost_sign.c
diff --git a/engines/ccgost/gost2814789t.c b/engines/ccgost/gost2814789test.c
similarity index 100%
rename from engines/ccgost/gost2814789t.c
rename to engines/ccgost/gost2814789test.c
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 51a4ec3..0cd08bd 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3810,10 +3810,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_SHARED_CURVE:
return tls1_shared_curve(s, larg);
+#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_ECDH_AUTO:
s->cert->ecdh_tmp_auto = larg;
return 1;
#endif
+#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0);
@@ -3884,7 +3886,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
EVP_PKEY *ptmp;
int rv = 0;
sc = s->session->sess_cert;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH)
if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
&& !sc->peer_ecdh_tmp)
return 0;
@@ -4237,10 +4239,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length,
parg);
+#ifndef OPENSSL_NO_ECDH
case SSL_CTRL_SET_ECDH_AUTO:
ctx->cert->ecdh_tmp_auto = larg;
return 1;
#endif
+#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
@@ -4543,10 +4547,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDH
/* if we are considering an ECC cipher suite that uses
* an ephemeral EC key check it */
if (alg_k & SSL_kECDHE)
ok = ok && tls1_check_ec_tmp_key(s, c->id);
+#endif /* OPENSSL_NO_ECDH */
#endif /* OPENSSL_NO_EC */
#endif /* OPENSSL_NO_TLSEXT */
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 51b8df0..02c53c7 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2811,6 +2811,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 318
#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322
#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323
+#define SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE 374
#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
#define SSL_R_EE_KEY_TOO_SMALL 399
#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 133d9d9..4a673ec 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1436,6 +1436,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
return 0;
}
+#ifndef OPENSSL_NO_ECDH
switch(suiteb_flags)
{
case SSL_CERT_FLAG_SUITEB_128_LOS:
@@ -1454,6 +1455,10 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
/* Set auto ECDH parameter determination */
c->ecdh_tmp_auto = 1;
return 1;
+#else
+ SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE);
+ return 0;
+#endif
}
#endif
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 5f8c075..4ec771c 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -355,6 +355,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING),"ecc cert not for signing"},
{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE),"ecc cert should have rsa signature"},
{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE),"ecc cert should have sha1 signature"},
+{ERR_REASON(SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE),"ecdh required for suiteb mode"},
{ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
{ERR_REASON(SSL_R_EE_KEY_TOO_SMALL) ,"ee key too small"},
{ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),"empty srtp protection profile list"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a4d565f..ea271fb 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2361,8 +2361,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
x = cpk->x509;
/* This call populates extension flags (ex_flags) */
X509_check_purpose(x, -1, 0);
+#ifndef OPENSSL_NO_ECDH
ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
(x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
+#endif
ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
if (!(cpk->valid_flags & CERT_PKEY_SIGN))
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4e307e4..2e598e3 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1250,7 +1250,9 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
int *curves, size_t ncurves);
int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
const char *str);
+#ifndef OPENSSL_NO_ECDH
int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
+#endif /* OPENSSL_NO_ECDH */
#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_TLSEXT
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8d5fd12..f0291b1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -828,6 +828,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
}
return rv;
}
+#ifndef OPENSSL_NO_ECDH
/* Check EC temporary key is compatible with client extensions */
int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
{
@@ -894,6 +895,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
return tls1_check_ec_key(s, curve_id, NULL);
#endif
}
+#endif /* OPENSSL_NO_ECDH */
#else
diff --git a/test/Makefile b/test/Makefile
index 2f5d205..3eb551c 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -53,7 +53,7 @@ RC5TEST= rc5test
BFTEST= bftest
CASTTEST= casttest
DESTEST= destest
-GOST2814789TEST=gost2814789t
+GOST2814789TEST=gost2814789test
RANDTEST= randtest
DHTEST= dhtest
DSATEST= dsatest
@@ -664,20 +664,21 @@ exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
exptest.o: ../include/openssl/symhacks.h exptest.c
-gost2814789t.o: ../engines/ccgost/gost89.h ../include/openssl/asn1.h
-gost2814789t.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-gost2814789t.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-gost2814789t.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-gost2814789t.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-gost2814789t.o: ../include/openssl/engine.h ../include/openssl/err.h
-gost2814789t.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-gost2814789t.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-gost2814789t.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-gost2814789t.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-gost2814789t.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-gost2814789t.o: ../include/openssl/sha.h ../include/openssl/stack.h
-gost2814789t.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-gost2814789t.o: ../include/openssl/x509_vfy.h gost2814789t.c
+gost2814789test.o: ../engines/ccgost/gost89.h ../include/openssl/asn1.h
+gost2814789test.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+gost2814789test.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+gost2814789test.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+gost2814789test.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+gost2814789test.o: ../include/openssl/engine.h ../include/openssl/err.h
+gost2814789test.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+gost2814789test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+gost2814789test.o: ../include/openssl/objects.h
+gost2814789test.o: ../include/openssl/opensslconf.h
+gost2814789test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+gost2814789test.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+gost2814789test.o: ../include/openssl/sha.h ../include/openssl/stack.h
+gost2814789test.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+gost2814789test.o: ../include/openssl/x509_vfy.h gost2814789test.c
heartbeat_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
heartbeat_test.o: ../include/openssl/buffer.h ../include/openssl/comp.h
heartbeat_test.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
diff --git a/test/cms-test.pl b/test/cms-test.pl
index 595ab48..7d4ca29 100644
--- a/test/cms-test.pl
+++ b/test/cms-test.pl
@@ -84,6 +84,7 @@ my $halt_err = 1;
my $badcmd = 0;
my $no_ec;
my $no_ec2m;
+my $no_ecdh;
my $ossl8 = `$ossl_path version -v` =~ /0\.9\.8/;
system ("$ossl_path no-ec >/dev/null");
@@ -113,6 +114,20 @@ else
{
die "Error checking for EC2M support\n";
}
+
+system ("$ossl_path no-ecdh >/dev/null");
+if ($? == 0)
+ {
+ $no_ecdh = 1;
+ }
+elsif ($? == 256)
+ {
+ $no_ecdh = 0;
+ }
+else
+ {
+ die "Error checking for ECDH support\n";
+ }
my @smime_pkcs7_tests = (
@@ -507,6 +522,11 @@ sub run_smime_tests {
print "$tnam: skipped, EC disabled\n";
next;
}
+ if ($no_ecdh && $tnam =~ /ECDH/)
+ {
+ print "$tnam: skipped, ECDH disabled\n";
+ next;
+ }
if ($no_ec2m && $tnam =~ /K-283/)
{
print "$tnam: skipped, EC2M disabled\n";
hooks/post-receive
--
OpenSSL source code
More information about the openssl-commits
mailing list