diff options
-rw-r--r-- | crypto/err/openssl.txt | 1 | ||||
-rw-r--r-- | include/openssl/sslerr.h | 1 | ||||
-rw-r--r-- | ssl/s3_lib.c | 12 | ||||
-rw-r--r-- | ssl/ssl_ciph.c | 11 | ||||
-rw-r--r-- | ssl/ssl_conf.c | 15 | ||||
-rw-r--r-- | ssl/ssl_err.c | 2 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 19 | ||||
-rw-r--r-- | ssl/ssl_local.h | 14 | ||||
-rw-r--r-- | ssl/ssl_rsa.c | 4 | ||||
-rw-r--r-- | ssl/statem/extensions.c | 8 | ||||
-rw-r--r-- | ssl/statem/extensions_clnt.c | 4 | ||||
-rw-r--r-- | ssl/statem/extensions_cust.c | 2 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 4 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 13 | ||||
-rw-r--r-- | ssl/statem/statem_lib.c | 6 | ||||
-rw-r--r-- | ssl/statem/statem_local.h | 8 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 21 | ||||
-rw-r--r-- | ssl/t1_lib.c | 42 | ||||
-rw-r--r-- | ssl/t1_trce.c | 2 |
19 files changed, 22 insertions, 167 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index b8064ea678..c1a0f1d0bd 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1264,6 +1264,7 @@ SSL_R_BLOCK_CIPHER_PAD_IS_WRONG:129:block cipher pad is wrong SSL_R_BN_LIB:130:bn lib SSL_R_CALLBACK_FAILED:234:callback failed SSL_R_CANNOT_CHANGE_CIPHER:109:cannot change cipher +SSL_R_CANNOT_GET_GROUP_NAME:299:cannot get group name SSL_R_CA_DN_LENGTH_MISMATCH:131:ca dn length mismatch SSL_R_CA_KEY_TOO_SMALL:397:ca key too small SSL_R_CA_MD_TOO_WEAK:398:ca md too weak diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index d69055cf3d..7fea8a87b7 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -66,6 +66,7 @@ # define SSL_R_BN_LIB 130 # define SSL_R_CALLBACK_FAILED 234 # define SSL_R_CANNOT_CHANGE_CIPHER 109 +# define SSL_R_CANNOT_GET_GROUP_NAME 299 # define SSL_R_CA_DN_LENGTH_MISMATCH 131 # define SSL_R_CA_KEY_TOO_SMALL 397 # define SSL_R_CA_MD_TOO_WEAK 398 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 4e0eeed028..12876add7f 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3484,7 +3484,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) &s->ext.supportedgroups_len, parg); } -#endif +#endif /* !OPENSSL_NO_DEPRECATED_3_0 */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: /* * This API is only used for a client to set what SNI it will request @@ -3718,7 +3718,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 1; } -#ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { const unsigned char **pformat = parg; @@ -3728,7 +3727,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *pformat = s->ext.peer_ecpointformats; return (int)s->ext.peer_ecpointformats_len; } -#endif default: break; @@ -3801,7 +3799,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) &ctx->ext.supportedgroups_len, parg); } -#endif +#endif /* !OPENSSL_NO_DEPRECATED_3_0 */ case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->ext.servername_arg = parg; break; @@ -4266,14 +4264,12 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, alg_a, mask_k, mask_a, (void *)c, c->name); -#ifndef OPENSSL_NO_EC /* * if we are considering an ECC cipher suite that uses an ephemeral * EC key check it */ if (alg_k & SSL_kECDHE) ok = ok && tls1_check_ec_tmp_key(s, c->id); -#endif /* OPENSSL_NO_EC */ if (!ok) continue; @@ -4284,14 +4280,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, c->strength_bits, 0, (void *)c)) continue; -#if !defined(OPENSSL_NO_EC) + if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) && s->s3.is_probably_safari) { if (!ret) ret = sk_SSL_CIPHER_value(allow, ii); continue; } -#endif + if (prefer_sha256) { const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii); diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 398e4616ed..43dcf2d6fe 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1245,7 +1245,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str, return retval; } -#ifndef OPENSSL_NO_EC static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, const char **prule_str) { @@ -1276,7 +1275,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, ERR_raise(ERR_LIB_SSL, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE); return 0; } -# ifndef OPENSSL_NO_EC + switch (suiteb_flags) { case SSL_CERT_FLAG_SUITEB_128_LOS: if (suiteb_comb2) @@ -1293,12 +1292,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, break; } return 1; -# else - ERR_raise(ERR_LIB_SSL, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE); - return 0; -# endif } -#endif static int ciphersuite_cb(const char *elem, int len, void *arg) { @@ -1446,10 +1440,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, */ if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) return NULL; -#ifndef OPENSSL_NO_EC + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) return NULL; -#endif /* * To reduce the work to do we only want to process the compiled diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 09e2ee2e3e..edd3fd7640 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -221,7 +221,6 @@ static int cmd_Curves(SSL_CONF_CTX *cctx, const char *value) return cmd_Groups(cctx, value); } -#ifndef OPENSSL_NO_EC /* ECDH temporary parameters */ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) { @@ -236,20 +235,18 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) strcmp(value, "auto") == 0) return 1; - nid = EC_curve_nist2nid(value); - if (nid == NID_undef) - nid = OBJ_sn2nid(value); - if (nid == 0) + /* ECDHParameters accepts a single group name */ + if (strstr(value, ":") != NULL) return 0; if (cctx->ctx) - rv = SSL_CTX_set1_groups(cctx->ctx, &nid, 1); + rv = SSL_CTX_set1_groups_list(cctx->ctx, value); else if (cctx->ssl) - rv = SSL_set1_groups(cctx->ssl, &nid, 1); + rv = SSL_set1_groups_list(cctx->ssl, value); return rv > 0; } -#endif + static int cmd_CipherString(SSL_CONF_CTX *cctx, const char *value) { int rv = 1; @@ -700,9 +697,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), SSL_CONF_CMD_STRING(Curves, "curves", 0), SSL_CONF_CMD_STRING(Groups, "groups", 0), -#ifndef OPENSSL_NO_EC SSL_CONF_CMD_STRING(ECDHParameters, "named_curve", SSL_CONF_FLAG_SERVER), -#endif SSL_CONF_CMD_STRING(CipherString, "cipher", 0), SSL_CONF_CMD_STRING(Ciphersuites, "ciphersuites", 0), SSL_CONF_CMD_STRING(Protocol, NULL, 0), diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index d6d0c671a2..357cfc7d94 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -74,6 +74,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CALLBACK_FAILED), "callback failed"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_CHANGE_CIPHER), "cannot change cipher"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_GET_GROUP_NAME), + "cannot get group name"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_LENGTH_MISMATCH), "ca dn length mismatch"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_KEY_TOO_SMALL), "ca key too small"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index daba82ebfe..554fc3533d 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -768,7 +768,6 @@ SSL *SSL_new(SSL_CTX *ctx) s->ext.ocsp.resp_len = 0; SSL_CTX_up_ref(ctx); s->session_ctx = ctx; -#ifndef OPENSSL_NO_EC if (ctx->ext.ecpointformats) { s->ext.ecpointformats = OPENSSL_memdup(ctx->ext.ecpointformats, @@ -778,7 +777,6 @@ SSL *SSL_new(SSL_CTX *ctx) s->ext.ecpointformats_len = ctx->ext.ecpointformats_len; } -#endif if (ctx->ext.supportedgroups) { s->ext.supportedgroups = OPENSSL_memdup(ctx->ext.supportedgroups, @@ -1212,10 +1210,8 @@ void SSL_free(SSL *s) OPENSSL_free(s->ext.hostname); SSL_CTX_free(s->session_ctx); -#ifndef OPENSSL_NO_EC OPENSSL_free(s->ext.ecpointformats); OPENSSL_free(s->ext.peer_ecpointformats); -#endif /* OPENSSL_NO_EC */ OPENSSL_free(s->ext.supportedgroups); OPENSSL_free(s->ext.peer_supportedgroups); sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free); @@ -3392,9 +3388,7 @@ void SSL_CTX_free(SSL_CTX *a) tls_engine_finish(a->client_cert_engine); #endif -#ifndef OPENSSL_NO_EC OPENSSL_free(a->ext.ecpointformats); -#endif OPENSSL_free(a->ext.supportedgroups); OPENSSL_free(a->ext.supported_groups_default); OPENSSL_free(a->ext.alpn); @@ -3499,9 +3493,8 @@ void ssl_set_masks(SSL *s) uint32_t *pvalid = s->s3.tmp.valid_flags; int rsa_enc, rsa_sign, dh_tmp, dsa_sign; unsigned long mask_k, mask_a; -#ifndef OPENSSL_NO_EC int have_ecc_cert, ecdsa_ok; -#endif + if (c == NULL) return; @@ -3512,9 +3505,7 @@ void ssl_set_masks(SSL *s) rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID; dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_VALID; -#ifndef OPENSSL_NO_EC have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; -#endif mask_k = 0; mask_a = 0; @@ -3562,7 +3553,6 @@ void ssl_set_masks(SSL *s) * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites * depending on the key usage extension. */ -#ifndef OPENSSL_NO_EC if (have_ecc_cert) { uint32_t ex_kusage; ex_kusage = X509_get_key_usage(c->pkeys[SSL_PKEY_ECC].x509); @@ -3583,11 +3573,8 @@ void ssl_set_masks(SSL *s) && pvalid[SSL_PKEY_ED448] & CERT_PKEY_EXPLICIT_SIGN && TLS1_get_version(s) == TLS1_2_VERSION) mask_a |= SSL_aECDSA; -#endif -#ifndef OPENSSL_NO_EC mask_k |= SSL_kECDHE; -#endif #ifndef OPENSSL_NO_PSK mask_k |= SSL_kPSK; @@ -3604,8 +3591,6 @@ void ssl_set_masks(SSL *s) s->s3.tmp.mask_a = mask_a; } -#ifndef OPENSSL_NO_EC - int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) { @@ -3618,8 +3603,6 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) return 1; /* all checks are ok */ } -#endif - int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, size_t *serverinfo_length) { diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 87a4f428f8..5956b6c834 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1051,11 +1051,9 @@ struct ssl_ctx_st { /* RFC 4366 Maximum Fragment Length Negotiation */ uint8_t max_fragment_len_mode; -# ifndef OPENSSL_NO_EC /* EC extension values inherited by SSL structure */ size_t ecpointformats_len; unsigned char *ecpointformats; -# endif /* OPENSSL_NO_EC */ size_t supportedgroups_len; uint16_t *supportedgroups; @@ -1407,14 +1405,12 @@ struct ssl_st { /* used by the client to know if it actually sent alpn */ int alpn_sent; -# ifndef OPENSSL_NO_EC /* * This is set to true if we believe that this is a version of Safari * running on OS X 10.6 or newer. We wish to know this because Safari on * 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */ char is_probably_safari; -# endif /* !OPENSSL_NO_EC */ /* For clients: peer temporary key */ /* The group_id for the key exchange key */ @@ -1595,7 +1591,6 @@ struct ssl_st { int ticket_expected; /* TLS 1.3 tickets requested by the application. */ int extra_tickets_expected; -# ifndef OPENSSL_NO_EC size_t ecpointformats_len; /* our list */ unsigned char *ecpointformats; @@ -1603,7 +1598,6 @@ struct ssl_st { size_t peer_ecpointformats_len; /* peer's list */ unsigned char *peer_ecpointformats; -# endif /* OPENSSL_NO_EC */ size_t supportedgroups_len; /* our list */ uint16_t *supportedgroups; @@ -1929,14 +1923,12 @@ typedef struct dtls1_state_st { } DTLS1_STATE; -# ifndef OPENSSL_NO_EC /* * From ECC-TLS draft, used in encoding the curve type in ECParameters */ # define EXPLICIT_PRIME_CURVE_TYPE 1 # define EXPLICIT_CHAR2_CURVE_TYPE 2 # define NAMED_CURVE_TYPE 3 -# endif /* OPENSSL_NO_EC */ struct cert_pkey_st { X509 *x509; @@ -2644,9 +2636,7 @@ __owur int tls1_alert_code(int code); __owur int tls13_alert_code(int code); __owur int ssl3_alert_code(int code); -# ifndef OPENSSL_NO_EC __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); -# endif SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); @@ -2663,11 +2653,9 @@ __owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id); __owur int tls_valid_group(SSL *s, uint16_t group_id, int minversion, int maxversion, int isec, int *okfortls13); __owur EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id); -# ifndef OPENSSL_NO_EC void tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *num_formats); __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id); -# endif /* OPENSSL_NO_EC */ __owur int tls_group_allowed(SSL *s, uint16_t curve, int op); void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, @@ -2719,9 +2707,7 @@ __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey); __owur int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd); __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); -# ifndef OPENSSL_NO_EC __owur int tls_check_sigalg_curve(const SSL *s, int curve); -# endif __owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey); __owur int ssl_set_client_disabled(SSL *s); __owur int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int echde); diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 7c64a994e8..b78d751818 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -239,12 +239,12 @@ static int ssl_set_cert(CERT *c, X509 *x) ERR_raise(ERR_LIB_SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); return 0; } -#ifndef OPENSSL_NO_EC + if (i == SSL_PKEY_ECC && !EVP_PKEY_can_sign(pkey)) { ERR_raise(ERR_LIB_SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING); return 0; } -#endif + if (c->pkeys[i].privatekey != NULL) { /* * The return code from EVP_PKEY_copy_parameters is deliberately diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 6bd7a69364..13e5f5a8e5 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -17,9 +17,7 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent); static int init_server_name(SSL *s, unsigned int context); static int final_server_name(SSL *s, unsigned int context, int sent); -#ifndef OPENSSL_NO_EC static int final_ec_pt_formats(SSL *s, unsigned int context, int sent); -#endif static int init_session_ticket(SSL *s, unsigned int context); #ifndef OPENSSL_NO_OCSP static int init_status_request(SSL *s, unsigned int context); @@ -151,7 +149,6 @@ static const EXTENSION_DEFINITION ext_defs[] = { #else INVALID_EXTENSION, #endif -#ifndef OPENSSL_NO_EC { TLSEXT_TYPE_ec_point_formats, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO @@ -160,9 +157,6 @@ static const EXTENSION_DEFINITION ext_defs[] = { tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, final_ec_pt_formats }, -#else - INVALID_EXTENSION, -#endif { /* * "supported_groups" is spread across several specifications. @@ -1008,7 +1002,6 @@ static int final_server_name(SSL *s, unsigned int context, int sent) } } -#ifndef OPENSSL_NO_EC static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) { unsigned long alg_k, alg_a; @@ -1046,7 +1039,6 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) return 1; } -#endif static int init_session_ticket(SSL *s, unsigned int context) { diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index cc958aa1b0..3e4353b90e 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -151,7 +151,6 @@ static int use_ecc(SSL *s, int min_version, int max_version) return 0; } -#ifndef OPENSSL_NO_EC EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -182,7 +181,6 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } -#endif EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, @@ -1312,7 +1310,6 @@ int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, return 1; } -#ifndef OPENSSL_NO_EC int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -1350,7 +1347,6 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, return 1; } -#endif int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index 2bc17db1bf..738051e1da 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c @@ -488,11 +488,9 @@ int SSL_extension_supported(unsigned int ext_type) switch (ext_type) { /* Internally supported extensions. */ case TLSEXT_TYPE_application_layer_protocol_negotiation: -#ifndef OPENSSL_NO_EC case TLSEXT_TYPE_ec_point_formats: case TLSEXT_TYPE_supported_groups: case TLSEXT_TYPE_key_share: -#endif #ifndef OPENSSL_NO_NEXTPROTONEG case TLSEXT_TYPE_next_proto_neg: #endif diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 42fd6ee7d3..56fcbd03c1 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -228,7 +228,6 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, } #endif -#ifndef OPENSSL_NO_EC int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -251,7 +250,6 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, return 1; } -#endif /* OPENSSL_NO_EC */ int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -1303,7 +1301,6 @@ EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } -#ifndef OPENSSL_NO_EC EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -1329,7 +1326,6 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } -#endif EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index e4007b37de..cff522604f 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2111,7 +2111,6 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) { -#ifndef OPENSSL_NO_EC PACKET encoded_pt; unsigned int curve_type, curve_id; @@ -2164,10 +2163,6 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) /* else anonymous ECDH, so no certificate or pkey. */ return 1; -#else - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; -#endif } MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) @@ -2959,7 +2954,6 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) { -#ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; size_t encoded_pt_len = 0; EVP_PKEY *ckey = NULL, *skey = NULL; @@ -3000,10 +2994,6 @@ static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) OPENSSL_free(encodedPoint); EVP_PKEY_free(ckey); return ret; -#else - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; -#endif } static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) @@ -3550,14 +3540,13 @@ int ssl3_check_cert_and_algorithm(SSL *s) return 0; } -#ifndef OPENSSL_NO_EC if (clu->amask & SSL_aECDSA) { if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) return 1; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT); return 0; } -#endif + if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_RSA_ENCRYPTING_CERT); diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index d5def193a0..6e491c978a 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1521,9 +1521,7 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method) static int is_tls13_capable(const SSL *s) { int i; -#ifndef OPENSSL_NO_EC int curve; -#endif if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) return 0; @@ -1557,7 +1555,6 @@ static int is_tls13_capable(const SSL *s) } if (!ssl_has_cert(s, i)) continue; -#ifndef OPENSSL_NO_EC if (i != SSL_PKEY_ECC) return 1; /* @@ -1568,9 +1565,6 @@ static int is_tls13_capable(const SSL *s) curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey); if (tls_check_sigalg_curve(s, curve)) return 1; -#else - return 1; -#endif } return 0; diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index 839a7010c9..c277a8e9c5 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -205,10 +205,8 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, #endif int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#ifndef OPENSSL_NO_EC int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#endif int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidxl); int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, @@ -258,11 +256,9 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#ifndef OPENSSL_NO_EC EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#endif EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); @@ -319,11 +315,9 @@ EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, unsigned int EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); #endif -#ifndef OPENSSL_NO_EC EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#endif EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); @@ -387,10 +381,8 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#ifndef OPENSSL_NO_EC int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#endif int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); #ifndef OPENSSL_NO_OCSP diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 03c4d2ba81..956348613b 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1306,7 +1306,6 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) return 1; } -#ifndef OPENSSL_NO_EC /*- * ssl_check_for_safari attempts to fingerprint Safari using OS X * SecureTransport using the TLS extension block in |hello|. @@ -1368,7 +1367,6 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, ext_len); } -#endif /* !OPENSSL_NO_EC */ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { @@ -1853,10 +1851,8 @@ static int tls_early_post_process_client_hello(SSL *s) goto err; } -#ifndef OPENSSL_NO_EC if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) ssl_check_for_safari(s, clienthello); -#endif /* !OPENSSL_NO_EC */ /* TLS extensions */ if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO, @@ -2420,11 +2416,9 @@ int tls_construct_server_done(SSL *s, WPACKET *pkt) int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) { EVP_PKEY *pkdh = NULL; -#ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; size_t encodedlen = 0; int curve_id = 0; -#endif const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg; int i; unsigned long type; @@ -2510,9 +2504,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } - } else -#ifndef OPENSSL_NO_EC - if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { + } else if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { if (s->s3.tmp.pkey != NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -2550,7 +2542,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) r[2] = NULL; r[3] = NULL; } else -#endif /* !OPENSSL_NO_EC */ #ifndef OPENSSL_NO_SRP if (type & SSL_kSRP) { if ((s->srp_ctx.N == NULL) || @@ -2638,7 +2629,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) BN_bn2bin(r[i], binval); } -#ifndef OPENSSL_NO_EC if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { /* * We only support named (not generic) curves. In this situation, the @@ -2656,7 +2646,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) OPENSSL_free(encodedPoint); encodedPoint = NULL; } -#endif /* not anonymous */ if (lu != NULL) { @@ -2717,9 +2706,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ret = 1; err: EVP_PKEY_free(pkdh); -#ifndef OPENSSL_NO_EC OPENSSL_free(encodedPoint); -#endif EVP_MD_CTX_free(md_ctx); if (freer) { BN_free(r[0]); @@ -3004,7 +2991,6 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt) static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) { -#ifndef OPENSSL_NO_EC EVP_PKEY *skey = s->s3.tmp.pkey; EVP_PKEY *ckey = NULL; int ret = 0; @@ -3057,11 +3043,6 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) EVP_PKEY_free(ckey); return ret; -#else - /* Should never happen */ - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; -#endif } static int tls_process_cke_srp(SSL *s, PACKET *pkt) |