From: Tomas Mraz Date: Mon, 16 Mar 2026 09:51:54 +0000 (+0100) Subject: ECDH and ECDSA cannot be really disabled standalone X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b1c7fcdba5f74ffdce674466d9f8b78b79252aa;p=thirdparty%2Fopenssl.git ECDH and ECDSA cannot be really disabled standalone We should not pretend it can. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale MergeDate: Tue Mar 17 11:15:59 2026 (Merged from https://github.com/openssl/openssl/pull/30446)
---
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index c7b2ac233f8..2e38038b0e8 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -55,8 +55,6 @@ jobs:
 no-dtls1_2,
 no-dtls1_2-method,
 no-dtls1-method,
- no-ecdh,
- no-ecdsa,
 enable-ec_nistp_64_gcc_128,
 enable-egd,
 # enable-external-tests, # Requires extra setup
diff --git a/CHANGES.md b/CHANGES.md
index 95e7f7545bd..df79d148be4 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -41,6 +41,12 @@ OpenSSL Releases
 *Paul Louvel*
+ * Dropped `no-ecdsa` and `no-ecdh` options from `Configure` as these options
+ did not really disable the implementations. Use `no-ec` to disable the
+ elliptic curve support.
+
+ *Tomáš Mráz*
+
 ### Changes between 3.6 and 4.0 [xx XXX xxxx]
 * Added `-expected-rpks` option to the `openssl s_client`
diff --git a/Configure b/Configure
index 4a1002af785..82d6e82a4ac 100755
--- a/Configure
+++ b/Configure
@@ -459,8 +459,6 @@ my @disablables_algorithms = (
 "hmac-drbg-kdf",
 "ec",
 "ec2m",
- "ecdh",
- "ecdsa",
 "ecx",
 "kbkdf",
 "krb5kdf",
@@ -681,7 +679,7 @@ my @disable_cascades = (
 "zstd" => [ "zstd-dynamic" ],
 "des" => [ "mdc2" ],
 "deprecated" => [ "tls-deprecated-ec" ],
- "ec" => [ qw(ec2m ec_explicit_curves ecdsa ecdh sm2 gost ecx tls-deprecated-ec) ],
+ "ec" => [ qw(ec2m ec_explicit_curves sm2 gost ecx tls-deprecated-ec) ],
 "dgram" => [ "dtls", "quic", "sctp" ],
 "sock" => [ "dgram", "tfo" ],
 "dtls" => [ @dtls ],
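Review bot: A `no-ec` build will presumably stop defining `OPENSSL_NO_ECDSA` and `OPENSSL_NO_ECDH` once `ecdsa ecdh` leave the `"ec"` cascade here (and `@disablables_algorithms` in the previous hunk), so any code still guarded only by those macros changes meaning without a diagnostic. This commit converts the guards in `providers/defltprov.c` and `test/rpktest.c`, but other in-tree or downstream uses are not visible on this page, so a tree-wide search for both macro names should accompany the change. The `CHANGES.md` entry would be more useful to integrators if it added a line such as `The OPENSSL_NO_ECDSA and OPENSSL_NO_ECDH macros are no longer defined; test OPENSSL_NO_EC instead.` It is also worth confirming that `Configure` now rejects `no-ecdsa` and `no-ecdh` with an error rather than ignoring them, since builds that passed those options to exclude the algorithms never actually excluded them.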
diff --git a/providers/defltprov.c b/providers/defltprov.c
index 1fc097091cb..d19d6ece26b 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -416,9 +416,7 @@ static const OSSL_ALGORITHM deflt_keyexch[] = {
 { PROV_NAMES_DH, "provider=default", ossl_dh_keyexch_functions },
 #endif
 #ifndef OPENSSL_NO_EC
-#ifndef OPENSSL_NO_ECDH
 { PROV_NAMES_ECDH, "provider=default", ossl_ecdh_keyexch_functions },
-#endif
 #ifndef OPENSSL_NO_ECX
 { PROV_NAMES_X25519, "provider=default", ossl_x25519_keyexch_functions },
 { PROV_NAMES_X448, "provider=default", ossl_x448_keyexch_functions },
@@ -484,7 +482,6 @@ static const OSSL_ALGORITHM deflt_signature[] = {
 { PROV_NAMES_ED448, "provider=default", ossl_ed448_signature_functions },
 { PROV_NAMES_ED448ph, "provider=default", ossl_ed448ph_signature_functions },
 #endif
-#ifndef OPENSSL_NO_ECDSA
 { PROV_NAMES_ECDSA, "provider=default", ossl_ecdsa_signature_functions },
 { PROV_NAMES_ECDSA_SHA1, "provider=default", ossl_ecdsa_sha1_signature_functions },
 { PROV_NAMES_ECDSA_SHA224, "provider=default", ossl_ecdsa_sha224_signature_functions },
@@ -495,7 +492,6 @@ static const OSSL_ALGORITHM deflt_signature[] = {
 { PROV_NAMES_ECDSA_SHA3_256, "provider=default", ossl_ecdsa_sha3_256_signature_functions },
 { PROV_NAMES_ECDSA_SHA3_384, "provider=default", ossl_ecdsa_sha3_384_signature_functions },
 { PROV_NAMES_ECDSA_SHA3_512, "provider=default", ossl_ecdsa_sha3_512_signature_functions },
-#endif
 #ifndef OPENSSL_NO_SM2
 { PROV_NAMES_SM2, "provider=default", ossl_sm2_signature_functions },
 #endif
diff --git a/test/rpktest.c b/test/rpktest.c
index 338c33f80cb..98be18b3a6f 100644
--- a/test/rpktest.c
+++ b/test/rpktest.c
@@ -152,7 +152,7 @@ static int test_rpk(int idx)
 privkey_file = privkey;
 other_cert_file = cert2;
 break;
-#ifndef OPENSSL_NO_ECDSA
+#ifndef OPENSSL_NO_EC
 case 1:
 /* use ECDSA */
 cert_file = cert2;
@@ -188,7 +188,7 @@ static int test_rpk(int idx)
 if (!TEST_ptr(other_x509))
 goto end;
 other_pkey = X509_get0_pubkey(other_x509);
-#ifdef OPENSSL_NO_ECDSA
+#ifdef OPENSSL_NO_EC
 /* Can't get other_key if it's ECDSA */
 if (other_pkey == NULL && idx_cert == 0
 && (idx == 4 || idx == 6 || idx == 7 || idx == 16)) {