[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

matthias.st.pierre at ncp-e.com matthias.st.pierre at ncp-e.com
Fri Nov 9 23:45:52 UTC 2018


The branch OpenSSL_1_0_2-stable has been updated
       via  59b9c67fcaf1c1e2c0e30de6facca85910ac361a (commit)
      from  f1e5009c1c95b708b9ba21c23693f95468089419 (commit)


- Log -----------------------------------------------------------------
commit 59b9c67fcaf1c1e2c0e30de6facca85910ac361a
Author: Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
Date:   Fri Nov 9 21:37:38 2018 +0100

    Fix 'no-ecdh' build
    
    Fixes #3302
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/7606)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_ciph.c | 8 +++++++-
 ssl/ssl_lib.c  | 8 +++++---
 ssl/t1_lib.c   | 6 +++++-
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index ccdf00f..e5a500d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1406,11 +1406,17 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
                                     const char **prule_str)
 {
-    unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
+    unsigned int suiteb_flags = 0;
+# ifndef OPENSSL_NO_ECDH
+    unsigned int suiteb_comb2 = 0;
+#endif
+
     if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) {
         suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
     } else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) {
+# ifndef OPENSSL_NO_ECDH
         suiteb_comb2 = 1;
+# endif
         suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
     } else if (strncmp(*prule_str, "SUITEB128", 9) == 0) {
         suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index aa0cbdb..cfcfe76 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2259,10 +2259,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
     int rsa_tmp_export, dh_tmp_export, kl;
     unsigned long mask_k, mask_a, emask_k, emask_a;
 #ifndef OPENSSL_NO_ECDSA
-    int have_ecc_cert, ecdsa_ok, ecc_pkey_size;
+    int have_ecc_cert, ecdsa_ok;
 #endif
 #ifndef OPENSSL_NO_ECDH
-    int have_ecdh_tmp, ecdh_ok;
+    int have_ecdh_tmp, ecdh_ok, ecc_pkey_size;
 #endif
 #ifndef OPENSSL_NO_EC
     X509 *x = NULL;
@@ -2405,7 +2405,9 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
         if (!(cpk->valid_flags & CERT_PKEY_SIGN))
             ecdsa_ok = 0;
         ecc_pkey = X509_get_pubkey(x);
+# ifndef OPENSSL_NO_ECDH
         ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0;
+# endif
         EVP_PKEY_free(ecc_pkey);
         if ((x->sig_alg) && (x->sig_alg->algorithm)) {
             signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
@@ -2467,7 +2469,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 #define ku_reject(x, usage) \
         (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
 
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDH
 
 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 {
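Review bot: Changing the guard on `ssl_check_srvr_ecc_cert_and_alg` from `OPENSSL_NO_EC` to `OPENSSL_NO_ECDH` compiles the function out of builds that keep ECDSA but drop ECDH, and neither its prototype nor its call sites appear in this diff, which touches only three .c files. Call sites still guarded by `OPENSSL_NO_EC` would break such a build. Call sites guarded by `OPENSSL_NO_ECDH` mean the server ECC certificate check is simply absent there, which is only sound if no ECC-certificate cipher suite remains selectable in that configuration (to be confirmed). The function body and the matching `#endif` lie outside the hunk. Consider annotating that line as `#endif /* OPENSSL_NO_ECDH */` and adding a one-line comment above the guard explaining why the check is tied to ECDH rather than EC.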
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8cb8816..55f918d 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -500,7 +500,11 @@ static int tls1_get_curvelist(SSL *s, int sess,
             } else
 # endif
             {
-                if (!s->server || s->cert->ecdh_tmp_auto) {
+                if (!s->server
+# ifndef OPENSSL_NO_ECDH
+                        || s->cert->ecdh_tmp_auto
+# endif
+                    ) {
                     *pcurves = eccurves_auto;
                     pcurveslen = sizeof(eccurves_auto);
                 } else {
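Review bot: Splitting the `if` condition across `# ifndef OPENSSL_NO_ECDH` / `# endif` leaves a dangling `)` on its own line, and the branch logic is hard to read and easy to break in a later edit. Since the `if` is the first statement of the block opened just above it, the decision can be computed into a local under the guard and the `if` kept as one plain expression, as sketched below. Note also that in a no-ecdh build a server now always takes the `else` branch, whose body is outside this hunk; a comment stating that this is intended would help.

```c
            {
# ifndef OPENSSL_NO_ECDH
                int use_auto = !s->server || s->cert->ecdh_tmp_auto;
# else
                int use_auto = !s->server;
# endif

                if (use_auto) {
                    /* … unchanged: select eccurves_auto and its length … */
```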

