Add OPENSSL_NO_ECDH guards

Reviewed-by: Emilia Käsper <emilia@openssl.org>

5 files changed, 18 insertions, 1 deletions

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 51a4ec3e89..0cd08bd4f0 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3810,10 +3810,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 	case SSL_CTRL_GET_SHARED_CURVE:
 		return tls1_shared_curve(s, larg);
 
+#ifndef OPENSSL_NO_ECDH
 	case SSL_CTRL_SET_ECDH_AUTO:
 		s->cert->ecdh_tmp_auto = larg;
 		return 1;
 #endif
+#endif
 	case SSL_CTRL_SET_SIGALGS:
 		return tls1_set_sigalgs(s->cert, parg, larg, 0);
 
@@ -3884,7 +3886,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 			EVP_PKEY *ptmp;
 			int rv = 0;
 			sc = s->session->sess_cert;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH)
 			if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
 							&& !sc->peer_ecdh_tmp)
 				return 0;
@@ -4237,10 +4239,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 		return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
 					&ctx->tlsext_ellipticcurvelist_length,
 								parg);
+#ifndef OPENSSL_NO_ECDH
 	case SSL_CTRL_SET_ECDH_AUTO:
 		ctx->cert->ecdh_tmp_auto = larg;
 		return 1;
 #endif
+#endif
 	case SSL_CTRL_SET_SIGALGS:
 		return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
 
@@ -4543,10 +4547,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 
 #ifndef OPENSSL_NO_TLSEXT
 #ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDH
 		/* if we are considering an ECC cipher suite that uses
 		 * an ephemeral EC key check it */
 		if (alg_k & SSL_kECDHE)
 			ok = ok && tls1_check_ec_tmp_key(s, c->id);
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
 
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 133d9d9b2f..60e5772639 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1436,6 +1436,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 		return 0;
 		}
 
+#ifndef OPENSSL_NO_ECDH
 	switch(suiteb_flags)
 		{
 	case SSL_CERT_FLAG_SUITEB_128_LOS:
@@ -1454,6 +1455,10 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 	/* Set auto ECDH parameter determination */
 	c->ecdh_tmp_auto = 1;
 	return 1;
+#else
+	SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
+	return 0;
+#endif
 	}
 #endif
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a4d565fb4a..ea271fb4f5 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2361,8 +2361,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 		x = cpk->x509;
 		/* This call populates extension flags (ex_flags) */
 		X509_check_purpose(x, -1, 0);
+#ifndef OPENSSL_NO_ECDH
 		ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
 		    (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
+#endif
 		ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
 		    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
 		if (!(cpk->valid_flags & CERT_PKEY_SIGN))
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4e307e44c1..2e598e3ac5 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1250,7 +1250,9 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
 			int *curves, size_t ncurves);
 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
 				const char *str);
+#ifndef OPENSSL_NO_ECDH
 int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_TLSEXT
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8d5fd12903..f0291b115f 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -828,6 +828,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
 		}
 	return rv;
 	}
+#ifndef OPENSSL_NO_ECDH
 /* Check EC temporary key is compatible with client extensions */
 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 	{
@@ -894,6 +895,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 	return tls1_check_ec_key(s, curve_id, NULL);
 #endif
 	}
+#endif /* OPENSSL_NO_ECDH */
 
 #else