Fix builds that specify both no-dh and no-ec

Various sections of code assumed that at least one of dh or ec would be available. We also now also need to handle cases where a provider has a key exchange algorithm and TLS-GROUP that we don't know about. Fixes #13536 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13549)
author: Matt Caswell <matt@openssl.org> 2020-11-27 09:55:36 +0000
committer: Matt Caswell <matt@openssl.org> 2020-11-30 10:50:13 +0000
commit: cbb85bda0c0849ce962e1cf232689d6351e4a217 (patch)
tree: 34a01fc626584b740ffa0e6b98ae73458992a1d3 /providers
parent: 9327b5c9c9e3a1b18e5b52491dc438d1e28b5e40 (diff)
3 files changed, 47 insertions, 33 deletions
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
index 44764fd70a..f935268ab2 100644
--- a/providers/common/capabilities.c
+++ b/providers/common/capabilities.c
@@ -19,6 +19,8 @@
 #include "prov/providercommon.h"
 #include "e_os.h"
 
+/* If neither ec or dh is available then we have no TLS-GROUP capabilities */
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
 typedef struct tls_group_constants_st {
     unsigned int group_id;   /* Group ID */
     unsigned int secbits;    /* Bits of security */
@@ -97,83 +99,87 @@ static const TLS_GROUP_CONSTANTS group_list[35] = {
     }
 
 static const OSSL_PARAM param_group_list[][10] = {
-#ifndef OPENSSL_NO_EC
-# ifndef OPENSSL_NO_EC2M
+# ifndef OPENSSL_NO_EC
+#  ifndef OPENSSL_NO_EC2M
     TLS_GROUP_ENTRY("sect163k1", "sect163k1", "EC", 0),
-# endif
-# ifndef FIPS_MODULE
+#  endif
+#  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("sect163r1", "sect163r1", "EC", 1),
-# endif
-# ifndef OPENSSL_NO_EC2M
+#  endif
+#  ifndef OPENSSL_NO_EC2M
     TLS_GROUP_ENTRY("sect163r2", "sect163r2", "EC", 2),
-# endif
-# ifndef FIPS_MODULE
+#  endif
+#  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("sect193r1", "sect193r1", "EC", 3),
     TLS_GROUP_ENTRY("sect193r2", "sect193r2", "EC", 4),
-# endif
-# ifndef OPENSSL_NO_EC2M
+#  endif
+#  ifndef OPENSSL_NO_EC2M
     TLS_GROUP_ENTRY("sect233k1", "sect233k1", "EC", 5),
     TLS_GROUP_ENTRY("sect233r1", "sect233r1", "EC", 6),
-# endif
-# ifndef FIPS_MODULE
+#  endif
+#  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("sect239k1", "sect239k1", "EC", 7),
-# endif
-# ifndef OPENSSL_NO_EC2M
+#  endif
+#  ifndef OPENSSL_NO_EC2M
     TLS_GROUP_ENTRY("sect283k1", "sect283k1", "EC", 8),
     TLS_GROUP_ENTRY("sect283r1", "sect283r1", "EC", 9),
     TLS_GROUP_ENTRY("sect409k1", "sect409k1", "EC", 10),
     TLS_GROUP_ENTRY("sect409r1", "sect409r1", "EC", 11),
     TLS_GROUP_ENTRY("sect571k1", "sect571k1", "EC", 12),
     TLS_GROUP_ENTRY("sect571r1", "sect571r1", "EC", 13),
-# endif
-# ifndef FIPS_MODULE
+#  endif
+#  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("secp160k1", "secp160k1", "EC", 14),
     TLS_GROUP_ENTRY("secp160r1", "secp160r1", "EC", 15),
     TLS_GROUP_ENTRY("secp160r2", "secp160r2", "EC", 16),
     TLS_GROUP_ENTRY("secp192k1", "secp192k1", "EC", 17),
-# endif
+#  endif
     TLS_GROUP_ENTRY("secp192r1", "prime192v1", "EC", 18),
-# ifndef FIPS_MODULE
+#  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("secp224k1", "secp224k1", "EC", 19),
-# endif
+#  endif
     TLS_GROUP_ENTRY("secp224r1", "secp224r1", "EC", 20),
-# ifndef FIPS_MODULE
+#  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("secp256k1", "secp256k1", "EC", 21),
-# endif
+#  endif
     TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 22),
     TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 23),
     TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 24),
-# ifndef FIPS_MODULE
+#  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
     TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
     TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
-# endif
+#  endif
     TLS_GROUP_ENTRY("x25519", "x25519", "X25519", 28),
     TLS_GROUP_ENTRY("x448", "x448", "X448", 29),
-#endif /* OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_DH
+# endif /* OPENSSL_NO_EC */
+# ifndef OPENSSL_NO_DH
     /* Security bit values for FFDHE groups are as per RFC 7919 */
     TLS_GROUP_ENTRY("ffdhe2048", "ffdhe2048", "DH", 30),
     TLS_GROUP_ENTRY("ffdhe3072", "ffdhe3072", "DH", 31),
     TLS_GROUP_ENTRY("ffdhe4096", "ffdhe4096", "DH", 32),
     TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 33),
     TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 34),
-#endif
+# endif
 };
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
 
 static int tls_group_capability(OSSL_CALLBACK *cb, void *arg)
 {
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
     size_t i;
 
-#if !defined(OPENSSL_NO_EC) \
+# if !defined(OPENSSL_NO_EC) \
     && !defined(OPENSSL_NO_EC2M) \
     && !defined(OPENSSL_NO_DH) \
     && !defined(FIPS_MODULE)
     assert(OSSL_NELEM(param_group_list) == OSSL_NELEM(group_list));
-#endif
+# endif
+
     for (i = 0; i < OSSL_NELEM(param_group_list); i++)
         if (!cb(param_group_list[i], arg))
             return 0;
+#endif
 
     return 1;
 }
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 8a4b6fcee0..eb8cfb54e0 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -769,9 +769,10 @@ static const unsigned char ecdh_secret_expected[] = {
 };
 #endif /* OPENSSL_NO_EC */
 
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
 static const ST_KAT_KAS st_kat_kas_tests[] =
 {
-#ifndef OPENSSL_NO_DH
+# ifndef OPENSSL_NO_DH
     {
         OSSL_SELF_TEST_DESC_KA_DH,
         "DH",
@@ -780,8 +781,8 @@ static const ST_KAT_KAS st_kat_kas_tests[] =
         dh_peer_key,
         ITM(dh_secret_expected)
     },
-#endif /* OPENSSL_NO_DH */
-#ifndef OPENSSL_NO_EC
+# endif /* OPENSSL_NO_DH */
+# ifndef OPENSSL_NO_EC
     {
         OSSL_SELF_TEST_DESC_KA_ECDH,
         "EC",
@@ -790,8 +791,9 @@ static const ST_KAT_KAS st_kat_kas_tests[] =
         ecdh_peer_key,
         ITM(ecdh_secret_expected)
     },
-#endif /* OPENSSL_NO_EC */
+# endif /* OPENSSL_NO_EC */
 };
+#endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */
 
 #if !defined(OPENSSL_NO_RSA)
 /* RSA key data */
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index c61646aafe..8d4332ee87 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -346,6 +346,7 @@ err:
     return ret;
 }
 
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
 static int self_test_ka(const ST_KAT_KAS *t,
                         OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
 {
@@ -421,6 +422,7 @@ err:
     OSSL_SELF_TEST_onend(st, ret);
     return ret;
 }
+#endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */
 
 static int self_test_sign(const ST_KAT_SIGN *t,
                          OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
@@ -655,12 +657,16 @@ static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
 
 static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
 {
-    int i, ret = 1;
+    int ret = 1;
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
+    int i;
 
     for (i = 0; i < (int)OSSL_NELEM(st_kat_kas_tests); ++i) {
         if (!self_test_ka(&st_kat_kas_tests[i], st, libctx))
             ret = 0;
     }
+#endif
+
     return ret;
 }
author	Matt Caswell <matt@openssl.org>	2020-11-27 09:55:36 +0000
committer	Matt Caswell <matt@openssl.org>	2020-11-30 10:50:13 +0000
commit	cbb85bda0c0849ce962e1cf232689d6351e4a217 (patch)
tree	34a01fc626584b740ffa0e6b98ae73458992a1d3 /providers
parent	9327b5c9c9e3a1b18e5b52491dc438d1e28b5e40 (diff)