Commit 3b1c7fcdba for openssl.org
commit 3b1c7fcdba5f74ffdce674466d9f8b78b79252aa
Author: Tomas Mraz <tomas@openssl.org>
Date: Mon Mar 16 10:51:54 2026 +0100
ECDH and ECDSA cannot be really disabled standalone
We should not pretend they can.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Tue Mar 17 11:15:59 2026
(Merged from https://github.com/openssl/openssl/pull/30446)
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index c7b2ac233f..2e38038b0e 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -55,8 +55,6 @@ jobs:
no-dtls1_2,
no-dtls1_2-method,
no-dtls1-method,
- no-ecdh,
- no-ecdsa,
enable-ec_nistp_64_gcc_128,
enable-egd,
# enable-external-tests, # Requires extra setup
diff --git a/CHANGES.md b/CHANGES.md
index 95e7f7545b..df79d148be 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -41,6 +41,12 @@ OpenSSL Releases
*Paul Louvel*
+ * Dropped `no-ecdsa` and `no-ecdh` options from `Configure` as these options
+ did not really disable the implementations. Use `no-ec` to disable the
+ elliptic curve support.
+
+ *Tomáš Mráz*
+
### Changes between 3.6 and 4.0 [xx XXX xxxx]
* Added `-expected-rpks` option to the `openssl s_client`
diff --git a/Configure b/Configure
index 4a1002af78..82d6e82a4a 100755
--- a/Configure
+++ b/Configure
@@ -459,8 +459,6 @@ my @disablables_algorithms = (
"hmac-drbg-kdf",
"ec",
"ec2m",
- "ecdh",
- "ecdsa",
"ecx",
"kbkdf",
"krb5kdf",
@@ -681,7 +679,7 @@ my @disable_cascades = (
"zstd" => [ "zstd-dynamic" ],
"des" => [ "mdc2" ],
"deprecated" => [ "tls-deprecated-ec" ],
- "ec" => [ qw(ec2m ec_explicit_curves ecdsa ecdh sm2 gost ecx tls-deprecated-ec) ],
+ "ec" => [ qw(ec2m ec_explicit_curves sm2 gost ecx tls-deprecated-ec) ],
"dgram" => [ "dtls", "quic", "sctp" ],
"sock" => [ "dgram", "tfo" ],
"dtls" => [ @dtls ],
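Review bot: With `ecdsa` and `ecdh` gone from the `ec` cascade, a `no-ec` build presumably no longer defines `OPENSSL_NO_ECDSA` and `OPENSSL_NO_ECDH`, so any remaining `#ifndef OPENSSL_NO_ECDSA` or `#ifndef OPENSSL_NO_ECDH` guard, in the tree or in applications, would now compile its EC code path where it used to be skipped. This commit converts the guards in providers/defltprov.c and test/rpktest.c; it would be worth grepping for other uses and stating in the CHANGES.md entry that callers should test `OPENSSL_NO_EC` instead. Separately, the first Configure hunk drops both names from `@disablables_algorithms`. Hardened build scripts that still pass `no-ecdsa` or `no-ecdh` should get a configuration error or a loud warning rather than silent acceptance, so the names should not end up in `%deprecated_disablables` as ignored options; that table is outside the visible hunks, so please confirm.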
diff --git a/providers/defltprov.c b/providers/defltprov.c
index 1fc097091c..d19d6ece26 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -416,9 +416,7 @@ static const OSSL_ALGORITHM deflt_keyexch[] = {
{ PROV_NAMES_DH, "provider=default", ossl_dh_keyexch_functions },
#endif
#ifndef OPENSSL_NO_EC
-#ifndef OPENSSL_NO_ECDH
{ PROV_NAMES_ECDH, "provider=default", ossl_ecdh_keyexch_functions },
-#endif
#ifndef OPENSSL_NO_ECX
{ PROV_NAMES_X25519, "provider=default", ossl_x25519_keyexch_functions },
{ PROV_NAMES_X448, "provider=default", ossl_x448_keyexch_functions },
@@ -484,7 +482,6 @@ static const OSSL_ALGORITHM deflt_signature[] = {
{ PROV_NAMES_ED448, "provider=default", ossl_ed448_signature_functions },
{ PROV_NAMES_ED448ph, "provider=default", ossl_ed448ph_signature_functions },
#endif
-#ifndef OPENSSL_NO_ECDSA
{ PROV_NAMES_ECDSA, "provider=default", ossl_ecdsa_signature_functions },
{ PROV_NAMES_ECDSA_SHA1, "provider=default", ossl_ecdsa_sha1_signature_functions },
{ PROV_NAMES_ECDSA_SHA224, "provider=default", ossl_ecdsa_sha224_signature_functions },
@@ -495,7 +492,6 @@ static const OSSL_ALGORITHM deflt_signature[] = {
{ PROV_NAMES_ECDSA_SHA3_256, "provider=default", ossl_ecdsa_sha3_256_signature_functions },
{ PROV_NAMES_ECDSA_SHA3_384, "provider=default", ossl_ecdsa_sha3_384_signature_functions },
{ PROV_NAMES_ECDSA_SHA3_512, "provider=default", ossl_ecdsa_sha3_512_signature_functions },
-#endif
#ifndef OPENSSL_NO_SM2
{ PROV_NAMES_SM2, "provider=default", ossl_sm2_signature_functions },
#endif
diff --git a/test/rpktest.c b/test/rpktest.c
index 338c33f80c..98be18b3a6 100644
--- a/test/rpktest.c
+++ b/test/rpktest.c
@@ -152,7 +152,7 @@ static int test_rpk(int idx)
privkey_file = privkey;
other_cert_file = cert2;
break;
-#ifndef OPENSSL_NO_ECDSA
+#ifndef OPENSSL_NO_EC
case 1:
/* use ECDSA */
cert_file = cert2;
@@ -188,7 +188,7 @@ static int test_rpk(int idx)
if (!TEST_ptr(other_x509))
goto end;
other_pkey = X509_get0_pubkey(other_x509);
-#ifdef OPENSSL_NO_ECDSA
+#ifdef OPENSSL_NO_EC
/* Can't get other_key if it's ECDSA */
if (other_pkey == NULL && idx_cert == 0
&& (idx == 4 || idx == 6 || idx == 7 || idx == 16)) {
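Review bot: The comment under the changed guard in the second hunk, `/* Can't get other_key if it's ECDSA */`, no longer matches the condition it sits under, and it names a variable that the visible code calls `other_pkey`. Since the guard is now `OPENSSL_NO_EC`, I would reword it to `/* Without EC support the public key of the ECDSA certificate cannot be loaded, so other_pkey is NULL */`. In the first hunk, `/* use ECDSA */` under `case 1:` could likewise say that the case needs EC support. The body of test_rpk starts and ends outside both hunks.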