[gnutls-devel] --disable-ecdhe does not take out all ecdh

Ann Lai ann.lai at oracle.com
Sat May 30 04:00:24 CEST 2015


Hi,

It looks like with this flag --disable-ecdhe on in configure, there are 
still ecdh code in /./lib/nettle/pk.c.  The code failed to compiled when 
this flag is enabled.

I made a fix by adding ifdef around the ecdhe parts in file pk.c below:
--- ORIGINAL/./lib/nettle/pk.c  2015-05-21 16:21:09.544206257 -0700
+++ gnutls-3.4.1/./lib/nettle/pk.c      2015-05-21 16:42:37.914953878 -0700
@@ -45,13 +45,17 @@
  #include <nettle/rsa.h>
  #include <gnutls/crypto.h>
  #include <nettle/bignum.h>
+#if defined(ENABLE_ECDHE)
  #include <nettle/ecc.h>
  #include <nettle/ecdsa.h>
  #include <nettle/ecc-curve.h>
+#endif
  #include <gnettle.h>
  #include <fips.h>

+#if defined(ENABLE_ECDHE)
  static inline const struct ecc_curve *get_supported_curve(int curve);
+#endif

  static void rnd_func(void *_ctx, size_t length, uint8_t * data)
  {
@@ -64,6 +68,7 @@
         }
  }

+#if defined(ENABLE_ECDHE)
  static void
  ecc_scalar_zclear (struct ecc_scalar *s)
  {
@@ -77,6 +82,7 @@
          zeroize_key(p->p, ecc_size_a(p->ecc)*sizeof(mp_limb_t));
          ecc_point_clear(p);
  }
+#endif

  static void
  _dsa_params_get(const gnutls_pk_params_st * pk_params,
@@ -113,6 +119,7 @@
         pub->size = nettle_mpz_sizeinbase_256_u(pub->n);
  }

+#if defined(ENABLE_ECDHE)
  static int
  _ecc_params_to_privkey(const gnutls_pk_params_st * pk_params,
                        struct ecc_scalar *priv,
@@ -161,6 +168,7 @@

         return;
  }
+#endif

  #define MAX_DH_BITS DEFAULT_MAX_VERIFY_BITS
  /* This is used when we have no idea on the structure
@@ -245,6 +253,7 @@

                 break;
         }
+#if defined(ENABLE_ECDHE)
         case GNUTLS_PK_EC:
                 {
                         struct ecc_scalar ecc_priv;
@@ -290,6 +299,7 @@
                                 goto cleanup;
                         break;
                 }
+#endif
         default:
                 gnutls_assert();
                 ret = GNUTLS_E_INTERNAL_ERROR;
@@ -447,6 +457,7 @@
         const mac_entry_st *me;

         switch (algo) {
+#if defined(ENABLE_ECDHE)
         case GNUTLS_PK_EC:      /* we do ECDSA */
                 {
                         struct ecc_scalar priv;
@@ -495,6 +506,7 @@
                         }
                         break;
                 }
+#endif
         case GNUTLS_PK_DSA:
                 {
                         struct dsa_params pub;
@@ -601,6 +613,7 @@
         bigint_t tmp[2] = { NULL, NULL };

         switch (algo) {
+#if defined(ENABLE_ECDHE)
         case GNUTLS_PK_EC:      /* ECDSA */
                 {
                         struct ecc_point pub;
@@ -647,6 +660,7 @@
                         ecc_point_clear(&pub);
                         break;
                 }
+#endif
         case GNUTLS_PK_DSA:
                 {
                         struct dsa_params pub;
@@ -726,6 +740,7 @@
         return ret;
  }

+#if defined(ENABLE_ECDHE)
  static inline const struct ecc_curve *get_supported_curve(int curve)
  {
         switch (curve) {
@@ -750,6 +765,7 @@
  {
         return ((get_supported_curve(curve)!=NULL)?1:0);
  }
+#endif

  /* Generates algorithm's parameters. That is:
   *  For DSA: p, q, and g are generated.
@@ -854,9 +870,11 @@
                         break;
                 }
         case GNUTLS_PK_RSA:
+#if defined(ENABLE_ECDHE)
         case GNUTLS_PK_EC:
                 ret = 0;
                 break;
+#endif
         default:
                 gnutls_assert();
                 return GNUTLS_E_INVALID_REQUEST;
@@ -884,6 +902,7 @@
                            const gnutls_datum_t *priv_key, const 
gnutls_datum_t *pu
b_key,
                            const gnutls_datum_t *peer_key, 
gnutls_datum_t *Z);

+#if defined(ENABLE_ECDHE)
  int _gnutls_ecdh_compute_key(gnutls_ecc_curve_t curve,
                            const gnutls_datum_t *x, const 
gnutls_datum_t *y,
                            const gnutls_datum_t *k,
@@ -893,6 +912,7 @@
  int _gnutls_ecdh_generate_key(gnutls_ecc_curve_t curve,
                               gnutls_datum_t *x, gnutls_datum_t *y,
                               gnutls_datum_t *k);
+#endif


  int _gnutls_dh_generate_key(gnutls_dh_params_t dh_params,
@@ -988,6 +1008,7 @@
         return ret;
  }

+#if defined(ENABLE_ECDHE)
  int _gnutls_ecdh_generate_key(gnutls_ecc_curve_t curve,
                               gnutls_datum_t *x, gnutls_datum_t *y,
                               gnutls_datum_t *k)
@@ -1116,6 +1137,7 @@
         gnutls_pk_params_clear(&priv);
         return ret;
  }
+#endif /*ENABLE_ECDHE*/
  #endif


@@ -1308,6 +1330,7 @@

                         break;
                 }
+#if defined(ENABLE_ECDHE)
         case GNUTLS_PK_EC:
                 {
                         struct ecc_scalar key;
@@ -1350,6 +1373,7 @@

                         break;
                 }
+#endif
         default:
                 gnutls_assert();
                 return GNUTLS_E_INVALID_REQUEST;
@@ -1494,6 +1518,7 @@
                 }

                 break;
+#if defined(ENABLE_ECDHE)
         case GNUTLS_PK_EC:
                 {
                         struct ecc_point r, pub;
@@ -1567,6 +1592,7 @@
                         mpz_clear(y2);
                 }
                 break;
+#endif
         default:
                 ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
         }
@@ -1584,6 +1610,7 @@
         case GNUTLS_PK_RSA:
         case GNUTLS_PK_DSA:
                 return 0;
+#if defined(ENABLE_ECDHE)
         case GNUTLS_PK_EC:
                 {
                         /* just verify that x and y lie on the curve */
@@ -1624,6 +1651,7 @@
                         ecc_point_clear(&pub);
                 }
                 break;
+#endif
         default:
                 ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
         }
@@ -1725,5 +1753,7 @@
         .generate_keys = wrap_nettle_pk_generate_keys,
         .pk_fixup_private_params = wrap_nettle_pk_fixup,
         .derive = _wrap_nettle_pk_derive,
+#if defined(ENABLE_ECDHE)
         .curve_exists = _wrap_nettle_pk_curve_exists,
+#endif
  };

Thanks,
Ann



More information about the Gnutls-devel mailing list