authorJoel Sing <jsing@cvs.openbsd.org>2014-05-31 10:53:40 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-05-31 10:53:40 +0000
commit486d8730c12ea3b5610563e8fce373a8a5afca4a (patch)
tree67fbfc15f986a7c9ea1bdd64c8dbe0db07c2ac08 /lib
parent7d33e491ced254b4911a3c223bee944add414f9f (diff)
ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC. ok tedu@
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/s3_both.c2
-rw-r--r--lib/libssl/s3_lib.c6
-rw-r--r--lib/libssl/ssl.h4
-rw-r--r--lib/libssl/ssl3.h2
-rw-r--r--lib/libssl/ssl_lib.c4
-rw-r--r--lib/libssl/ssl_locl.h4
-rw-r--r--lib/libssl/ssl_sess.c6
-rw-r--r--lib/libssl/t1_lib.c22
8 files changed, 0 insertions, 50 deletions
diff --git a/lib/libssl/s3_both.c b/lib/libssl/s3_both.c
index 54b73451eb4..2a96c199146 100644
--- a/lib/libssl/s3_both.c
+++ b/lib/libssl/s3_both.c
@@ -550,11 +550,9 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
} else if (i == EVP_PKEY_DSA) {
ret = SSL_PKEY_DSA_SIGN;
}
-#ifndef OPENSSL_NO_EC
else if (i == EVP_PKEY_EC) {
ret = SSL_PKEY_ECC;
}
-#endif
else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) {
ret = SSL_PKEY_GOST94;
} else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) {
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 72492a33329..9aa72a9c4ee 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -151,9 +151,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
-#ifndef OPENSSL_NO_EC
#include "../crypto/ec/ec_lcl.h"
-#endif /* OPENSSL_NO_EC */
#include <openssl/md5.h>
#include <openssl/dh.h>
@@ -2381,9 +2379,7 @@ ssl3_clear(SSL *s)
EC_KEY_free(s->s3->tmp.ecdh);
s->s3->tmp.ecdh = NULL;
}
-#ifndef OPENSSL_NO_EC
s->s3->is_probably_safari = 0;
-#endif /* !OPENSSL_NO_EC */
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
@@ -3031,7 +3027,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ok = (alg_k & mask_k) && (alg_a & mask_a);
}
-#ifndef OPENSSL_NO_EC
if (
/*
* if we are considering an ECC cipher suite that uses our
@@ -3167,7 +3162,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
}
ok = ok && ec_ok;
}
-#endif /* OPENSSL_NO_EC */
if (!ok)
continue;
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index d6f875a7977..fd01ac98064 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -505,12 +505,10 @@ struct ssl_session_st {
* efficient and to implement a maximum cache size. */
struct ssl_session_st *prev, *next;
char *tlsext_hostname;
-#ifndef OPENSSL_NO_EC
size_t tlsext_ecpointformatlist_length;
unsigned char *tlsext_ecpointformatlist; /* peer's list */
size_t tlsext_ellipticcurvelist_length;
unsigned char *tlsext_ellipticcurvelist; /* peer's list */
-#endif /* OPENSSL_NO_EC */
/* RFC4507 info */
unsigned char *tlsext_tick; /* Session ticket */
size_t tlsext_ticklen; /* Session ticket length */
@@ -1204,12 +1202,10 @@ struct ssl_st {
/* RFC4507 session ticket expected to be received or sent */
int tlsext_ticket_expected;
-#ifndef OPENSSL_NO_EC
size_t tlsext_ecpointformatlist_length;
unsigned char *tlsext_ecpointformatlist; /* our list */
size_t tlsext_ellipticcurvelist_length;
unsigned char *tlsext_ellipticcurvelist; /* our list */
-#endif /* OPENSSL_NO_EC */
/* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
void *tlsext_opaque_prf_input;
diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h
index c264422a364..1d2bc2f5c01 100644
--- a/lib/libssl/ssl3.h
+++ b/lib/libssl/ssl3.h
@@ -519,12 +519,10 @@ typedef struct ssl3_state_st {
int next_proto_neg_seen;
#endif
-#ifndef OPENSSL_NO_EC
/* This is set to true if we believe that this is a version of Safari
* running on OS X 10.6 or newer. We wish to know this because Safari
* on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
char is_probably_safari;
-#endif /* !OPENSSL_NO_EC */
} SSL3_STATE;
#endif
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 262b5a21309..1138ac5a699 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -536,10 +536,8 @@ SSL_free(SSL *s)
free(s->tlsext_hostname);
if (s->initial_ctx)
SSL_CTX_free(s->initial_ctx);
-#ifndef OPENSSL_NO_EC
free(s->tlsext_ecpointformatlist);
free(s->tlsext_ellipticcurvelist);
-#endif /* OPENSSL_NO_EC */
free(s->tlsext_opaque_prf_input);
if (s->tlsext_ocsp_exts)
sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
@@ -2120,7 +2118,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
#define ku_reject(x, usage) \
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#ifndef OPENSSL_NO_EC
int
ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
@@ -2190,7 +2187,6 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
/* all checks are ok */
}
-#endif
/* THIS NEEDS CLEANING UP */
CERT_PKEY *
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index ecf108d6a57..4aa2911da70 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -448,14 +448,12 @@
#define CERT_PRIVATE_KEY 2
*/
-#ifndef OPENSSL_NO_EC
/* From ECC-TLS draft, used in encoding the curve type in
* ECParameters
*/
#define EXPLICIT_PRIME_CURVE_TYPE 1
#define EXPLICIT_CHAR2_CURVE_TYPE 2
#define NAMED_CURVE_TYPE 3
-#endif /* OPENSSL_NO_EC */
typedef struct cert_pkey_st {
X509 *x509;
@@ -830,10 +828,8 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
-#ifndef OPENSSL_NO_EC
int tls1_ec_curve_id2nid(int curve_id);
int tls1_ec_nid2curve_id(int nid);
-#endif /* OPENSSL_NO_EC */
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p,
unsigned char *limit);
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index de133a72ca5..2900490ad2e 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -210,12 +210,10 @@ SSL_SESSION_new(void)
ss->compress_meth = 0;
ss->tlsext_hostname = NULL;
-#ifndef OPENSSL_NO_EC
ss->tlsext_ecpointformatlist_length = 0;
ss->tlsext_ecpointformatlist = NULL;
ss->tlsext_ellipticcurvelist_length = 0;
ss->tlsext_ellipticcurvelist = NULL;
-#endif
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
#ifndef OPENSSL_NO_PSK
ss->psk_identity_hint = NULL;
@@ -359,7 +357,6 @@ ssl_get_new_session(SSL *s, int session)
return 0;
}
}
-#ifndef OPENSSL_NO_EC
if (s->tlsext_ecpointformatlist) {
free(ss->tlsext_ecpointformatlist);
if ((ss->tlsext_ecpointformatlist = malloc(s->tlsext_ecpointformatlist_length)) == NULL) {
@@ -380,7 +377,6 @@ ssl_get_new_session(SSL *s, int session)
ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
}
-#endif
} else {
ss->session_id_length = 0;
}
@@ -691,12 +687,10 @@ SSL_SESSION_free(SSL_SESSION *ss)
sk_SSL_CIPHER_free(ss->ciphers);
free(ss->tlsext_hostname);
free(ss->tlsext_tick);
-#ifndef OPENSSL_NO_EC
ss->tlsext_ecpointformatlist_length = 0;
free(ss->tlsext_ecpointformatlist);
ss->tlsext_ellipticcurvelist_length = 0;
free(ss->tlsext_ellipticcurvelist);
-#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_PSK
free(ss->psk_identity_hint);
free(ss->psk_identity);
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 5d442558ddf..3546a45df12 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -209,7 +209,6 @@ tls1_clear(SSL *s)
s->version = s->method->version;
}
-#ifndef OPENSSL_NO_EC
static int nid_list[] = {
NID_sect163k1, /* sect163k1 (1) */
@@ -348,7 +347,6 @@ tls1_ec_nid2curve_id(int nid)
return 0;
}
}
-#endif /* OPENSSL_NO_EC */
/* List of supported signature algorithms and hashes. Should make this
@@ -460,7 +458,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
}
-#ifndef OPENSSL_NO_EC
if (s->tlsext_ecpointformatlist != NULL &&
s->version != DTLS1_VERSION) {
/* Add TLS extension ECPointFormats to the ClientHello message */
@@ -515,7 +512,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
s->tlsext_ellipticcurvelist_length);
ret += s->tlsext_ellipticcurvelist_length;
}
-#endif /* OPENSSL_NO_EC */
if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
int ticklen;
@@ -743,7 +739,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
ret += el;
}
-#ifndef OPENSSL_NO_EC
if (s->tlsext_ecpointformatlist != NULL &&
s->version != DTLS1_VERSION) {
/* Add TLS extension ECPointFormats to the ServerHello message */
@@ -770,7 +765,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
}
/* Currently the server should not respond with a SupportedCurves extension */
-#endif /* OPENSSL_NO_EC */
if (s->tlsext_ticket_expected &&
!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
@@ -875,7 +869,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
return ret;
}
-#ifndef OPENSSL_NO_EC
/* ssl_check_for_safari attempts to fingerprint Safari using OS X
* SecureTransport using the TLS extension block in |d|, of length |n|.
* Safari, since 10.6, sends exactly these extensions, in this order:
@@ -956,7 +949,6 @@ ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d,
s->s3->is_probably_safari = 1;
}
-#endif /* !OPENSSL_NO_EC */
int
ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
@@ -975,10 +967,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
s->s3->next_proto_neg_seen = 0;
#endif
-#ifndef OPENSSL_NO_EC
if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
ssl_check_for_safari(s, data, d, n);
-#endif /* !OPENSSL_NO_EC */
if (data >= (d + n - 2))
goto ri_check;
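Review bot: The now-unconditional `ssl_check_for_safari(s, data, d, n)` call runs before the `if (data >= (d + n - 2))` length guard on the following line, so the fingerprint routine is handed the raw extension block with no check here that at least two bytes exist. Its body lies outside this hunk, so whether it bounds-checks `n` itself cannot be confirmed from the diff; either verify that it does, or move the call below the guard so it only ever sees a block the parser has already accepted as long enough. ssl_parse_clienthello_tlsext starts before and continues after this hunk.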
@@ -1095,7 +1085,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
}
-#ifndef OPENSSL_NO_EC
else if (type == TLSEXT_TYPE_ec_point_formats &&
s->version != DTLS1_VERSION) {
unsigned char *sdata = data;
@@ -1142,7 +1131,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
}
}
-#endif /* OPENSSL_NO_EC */
#ifdef TLSEXT_TYPE_opaque_prf_input
else if (type == TLSEXT_TYPE_opaque_prf_input &&
s->version != DTLS1_VERSION) {
@@ -1408,7 +1396,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
tlsext_servername = 1;
}
-#ifndef OPENSSL_NO_EC
else if (type == TLSEXT_TYPE_ec_point_formats &&
s->version != DTLS1_VERSION) {
unsigned char *sdata = data;
@@ -1430,7 +1417,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
}
-#endif /* OPENSSL_NO_EC */
else if (type == TLSEXT_TYPE_session_ticket) {
if (s->tls_session_ticket_ext_cb &&
!s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
@@ -1576,7 +1562,6 @@ ri_check:
int
ssl_prepare_clienthello_tlsext(SSL *s)
{
-#ifndef OPENSSL_NO_EC
/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
* and elliptic curves we support.
*/
@@ -1624,7 +1609,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
s2n(id, j);
}
}
-#endif /* OPENSSL_NO_EC */
#ifdef TLSEXT_TYPE_opaque_prf_input
{
@@ -1667,7 +1651,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
int
ssl_prepare_serverhello_tlsext(SSL *s)
{
-#ifndef OPENSSL_NO_EC
/* If we are server and using an ECC cipher suite, send the point formats we support
* if the client sent us an ECPointsFormat extension. Note that the server is not
* supposed to send an EllipticCurves extension.
@@ -1689,7 +1672,6 @@ ssl_prepare_serverhello_tlsext(SSL *s)
s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
}
-#endif /* OPENSSL_NO_EC */
return 1;
}
@@ -1700,14 +1682,12 @@ ssl_check_clienthello_tlsext_early(SSL *s)
int ret = SSL_TLSEXT_ERR_NOACK;
int al = SSL_AD_UNRECOGNIZED_NAME;
-#ifndef OPENSSL_NO_EC
/* The handling of the ECPointFormats extension is done elsewhere, namely in
* ssl3_choose_cipher in s3_lib.c.
*/
/* The handling of the EllipticCurves extension is done elsewhere, namely in
* ssl3_choose_cipher in s3_lib.c.
*/
-#endif
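Review bot: The two comments left at the top of ssl_check_clienthello_tlsext_early say the same thing twice, once for ECPointFormats and once for EllipticCurves, and with the guard gone they now read as plain unconditional text in the middle of the function. Merging them into one keeps the pointer to where the real handling lives without the repetition: `/* The ECPointFormats and EllipticCurves extensions are handled in ssl3_choose_cipher (s3_lib.c), not here. */`. The function's body continues outside the hunk.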
if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
@@ -1850,7 +1830,6 @@ ssl_check_serverhello_tlsext(SSL *s)
int ret = SSL_TLSEXT_ERR_NOACK;
int al = SSL_AD_UNRECOGNIZED_NAME;
-#ifndef OPENSSL_NO_EC
/* If we are client and using an elliptic curve cryptography cipher
* suite, then if server returns an EC point formats lists extension
* it must contain uncompressed.
@@ -1879,7 +1858,6 @@ ssl_check_serverhello_tlsext(SSL *s)
}
}
ret = SSL_TLSEXT_ERR_OK;
-#endif /* OPENSSL_NO_EC */
if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);