ECDH and ECDSA cannot be really disabled standalone
authorTomas Mraz <tomas@openssl.org>
Mon, 16 Mar 2026 09:51:54 +0000 (10:51 +0100)
committerTomas Mraz <tomas@openssl.foundation>
Tue, 17 Mar 2026 11:15:54 +0000 (12:15 +0100)
We should not pretend it can.

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 17 11:15:59 2026
(Merged from https://github.com/openssl/openssl/pull/30446)

.github/workflows/run-checker-daily.yml
CHANGES.md
Configure
providers/defltprov.c
test/rpktest.c

index c7b2ac233f8844e1f95afa8a0143521c067a25ac..2e38038b0e8ff2893d0927d2edba22172c6e6449 100644 (file)
@@ -55,8 +55,6 @@ jobs:
           no-dtls1_2,
           no-dtls1_2-method,
           no-dtls1-method,
-          no-ecdh,
-          no-ecdsa,
           enable-ec_nistp_64_gcc_128,
           enable-egd,
 #          enable-external-tests,  # Requires extra setup
index 95e7f7545bd01c3d2124304af7fcae2d39c46cbc..df79d148be4b93208d0007f165d29139bfc7ed89 100644 (file)
@@ -41,6 +41,12 @@ OpenSSL Releases
 
    *Paul Louvel*
 
+ * Dropped `no-ecdsa` and `no-ecdh` options from `Configure` as these options
+   did not really disable the implementations. Use `no-ec` to disable the
+   elliptic curve support.
+
+   *Tomáš Mráz*
+
 ### Changes between 3.6 and 4.0 [xx XXX xxxx]
 
  * Added `-expected-rpks` option to the `openssl s_client`
index 4a1002af7855c60609025ceb2c04cfc26d694ed7..82d6e82a4acd9f83c2b898cb8d4da23a2f658b74 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -459,8 +459,6 @@ my @disablables_algorithms = (
     "hmac-drbg-kdf",
     "ec",
     "ec2m",
-    "ecdh",
-    "ecdsa",
     "ecx",
     "kbkdf",
     "krb5kdf",
@@ -681,7 +679,7 @@ my @disable_cascades = (
     "zstd"              => [ "zstd-dynamic" ],
     "des"               => [ "mdc2" ],
     "deprecated"        => [ "tls-deprecated-ec" ],
-    "ec"                => [ qw(ec2m ec_explicit_curves ecdsa ecdh sm2 gost ecx tls-deprecated-ec) ],
+    "ec"                => [ qw(ec2m ec_explicit_curves sm2 gost ecx tls-deprecated-ec) ],
     "dgram"             => [ "dtls", "quic", "sctp" ],
     "sock"              => [ "dgram", "tfo" ],
     "dtls"              => [ @dtls ],
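Review bot: Removing `ecdsa` and `ecdh` from the `ec` cascade here (and from `@disablables_algorithms` in the previous hunk) presumably means a `no-ec` build no longer defines `OPENSSL_NO_ECDSA` or `OPENSSL_NO_ECDH`, so any guard on those macros that this commit does not convert would start compiling the ECDSA/ECDH path into a build without EC support. The diff converts providers/defltprov.c and test/rpktest.c; a tree-wide search for the two macros, including public headers that downstream code may test, should confirm nothing else depends on them. Separately, no hunk shown adds the old names to `%deprecated_disablables`, so `no-ecdsa` will likely be rejected as an unknown option; failing loudly is the better outcome for anyone who believed that option removed the algorithm, and a comment such as `# "ecdsa"/"ecdh" are intentionally not disablable: they never removed the implementations, use no-ec` next to the `ec` entry would record that this is deliberate. Both lists continue outside the hunks.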
index 1fc097091cb8cf5bb1324363985fbf434b6a0daf..d19d6ece26b74891841bbb81321f570800a765be 100644 (file)
@@ -416,9 +416,7 @@ static const OSSL_ALGORITHM deflt_keyexch[] = {
     { PROV_NAMES_DH, "provider=default", ossl_dh_keyexch_functions },
 #endif
 #ifndef OPENSSL_NO_EC
-#ifndef OPENSSL_NO_ECDH
     { PROV_NAMES_ECDH, "provider=default", ossl_ecdh_keyexch_functions },
-#endif
 #ifndef OPENSSL_NO_ECX
     { PROV_NAMES_X25519, "provider=default", ossl_x25519_keyexch_functions },
     { PROV_NAMES_X448, "provider=default", ossl_x448_keyexch_functions },
@@ -484,7 +482,6 @@ static const OSSL_ALGORITHM deflt_signature[] = {
     { PROV_NAMES_ED448, "provider=default", ossl_ed448_signature_functions },
     { PROV_NAMES_ED448ph, "provider=default", ossl_ed448ph_signature_functions },
 #endif
-#ifndef OPENSSL_NO_ECDSA
     { PROV_NAMES_ECDSA, "provider=default", ossl_ecdsa_signature_functions },
     { PROV_NAMES_ECDSA_SHA1, "provider=default", ossl_ecdsa_sha1_signature_functions },
     { PROV_NAMES_ECDSA_SHA224, "provider=default", ossl_ecdsa_sha224_signature_functions },
@@ -495,7 +492,6 @@ static const OSSL_ALGORITHM deflt_signature[] = {
     { PROV_NAMES_ECDSA_SHA3_256, "provider=default", ossl_ecdsa_sha3_256_signature_functions },
     { PROV_NAMES_ECDSA_SHA3_384, "provider=default", ossl_ecdsa_sha3_384_signature_functions },
     { PROV_NAMES_ECDSA_SHA3_512, "provider=default", ossl_ecdsa_sha3_512_signature_functions },
-#endif
 #ifndef OPENSSL_NO_SM2
     { PROV_NAMES_SM2, "provider=default", ossl_sm2_signature_functions },
 #endif
index 338c33f80cb5bbc67c60794ab0629fe47a184ce1..98be18b3a6f797a57a8370e94b7fd43294adcac4 100644 (file)
@@ -152,7 +152,7 @@ static int test_rpk(int idx)
         privkey_file = privkey;
         other_cert_file = cert2;
         break;
-#ifndef OPENSSL_NO_ECDSA
+#ifndef OPENSSL_NO_EC
     case 1:
         /* use ECDSA */
         cert_file = cert2;
@@ -188,7 +188,7 @@ static int test_rpk(int idx)
     if (!TEST_ptr(other_x509))
         goto end;
     other_pkey = X509_get0_pubkey(other_x509);
-#ifdef OPENSSL_NO_ECDSA
+#ifdef OPENSSL_NO_EC
     /* Can't get other_key if it's ECDSA */
     if (other_pkey == NULL && idx_cert == 0
         && (idx == 4 || idx == 6 || idx == 7 || idx == 16)) {
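Review bot: The comment under the new `#ifdef OPENSSL_NO_EC` guard still explains the skip in terms of ECDSA and refers to `other_key`, while the variable in the visible code is `other_pkey`. Something like `/* No EC support: other_pkey is NULL when the other cert carries an ECDSA key */` would match the guard. The index list `4, 6, 7, 16` is also unexplained, and a short comment naming which test cases those are would help keep it in sync with the test table. The body of the `if` is outside the hunk.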