Pedro Monreal Gonzalez
6bc57d937f
* SHA-1 is not allowed anymore in FIPS 186-5 for signature verification operations. After 12/31/2030, NIST will disallow SHA-1 for all of its usages. * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch - FIPS: RSA keygen PCT requirements. * Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the self-test requirements are covered by do_rsa_pct() for both RSA-OAEP and RSA signatures [bsc#1221760] * Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753] * Add openssl-3-FIPS-PCT_rsa_keygen.patch - FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode. [bsc#1220523] * Rebase openssl-Force-FIPS.patch - FIPS: Port openssl to use jitterentropy [bsc#1220523] * Set the module in error state if the jitter RNG fails either on initialization or entropy gathering because health tests failed. * Add jitterentropy as a seeding source output also in crypto/info.c * Move the jitter entropy collector and the associated lock out of the header file to avoid redefinitions. * Add the fips_local.cnf symlink to the spec file. This simlink points to the openssl_fips.config file that is provided by the crypto-policies package. * Rebase openssl-3-jitterentropy-3.4.0.patch * Rebase openssl-FIPS-enforce-EMS-support.patch - FIPS: Block non-Approved Elliptic Curves [bsc#1221786] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
271 lines
9.5 KiB
Diff
271 lines
9.5 KiB
Diff
From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
|
|
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
Date: Mon, 21 Aug 2023 11:46:40 +0200
|
|
Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
|
|
|
|
Patch-name: 0011-Remove-EC-curves.patch
|
|
Patch-id: 11
|
|
Patch-status: |
|
|
# remove unsupported EC curves
|
|
---
|
|
apps/speed.c | 8 +---
|
|
crypto/evp/ec_support.c | 87 ------------------------------------
|
|
test/acvp_test.inc | 9 ----
|
|
test/ecdsatest.h | 17 -------
|
|
test/recipes/15-test_genec.t | 27 -----------
|
|
5 files changed, 1 insertion(+), 147 deletions(-)
|
|
|
|
diff --git a/apps/speed.c b/apps/speed.c
|
|
index cace25eda1..d527f12f18 100644
|
|
--- a/apps/speed.c
|
|
+++ b/apps/speed.c
|
|
@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
|
|
#endif /* OPENSSL_NO_DH */
|
|
|
|
enum ec_curves_t {
|
|
- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
|
|
+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
|
|
#ifndef OPENSSL_NO_EC2M
|
|
R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
|
|
R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
|
|
@@ -395,8 +395,6 @@ enum ec_curves_t {
|
|
};
|
|
/* list of ecdsa curves */
|
|
static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
|
|
- {"ecdsap160", R_EC_P160},
|
|
- {"ecdsap192", R_EC_P192},
|
|
{"ecdsap224", R_EC_P224},
|
|
{"ecdsap256", R_EC_P256},
|
|
{"ecdsap384", R_EC_P384},
|
|
@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
|
|
enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM };
|
|
/* list of ecdh curves, extension of |ecdsa_choices| list above */
|
|
static const OPT_PAIR ecdh_choices[EC_NUM] = {
|
|
- {"ecdhp160", R_EC_P160},
|
|
- {"ecdhp192", R_EC_P192},
|
|
{"ecdhp224", R_EC_P224},
|
|
{"ecdhp256", R_EC_P256},
|
|
{"ecdhp384", R_EC_P384},
|
|
@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv)
|
|
*/
|
|
static const EC_CURVE ec_curves[EC_NUM] = {
|
|
/* Prime Curves */
|
|
- {"secp160r1", NID_secp160r1, 160},
|
|
- {"nistp192", NID_X9_62_prime192v1, 192},
|
|
{"nistp224", NID_secp224r1, 224},
|
|
{"nistp256", NID_X9_62_prime256v1, 256},
|
|
{"nistp384", NID_secp384r1, 384},
|
|
diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
|
|
index 1ec10143d2..82b95294b4 100644
|
|
--- a/crypto/evp/ec_support.c
|
|
+++ b/crypto/evp/ec_support.c
|
|
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
|
|
static const EC_NAME2NID curve_list[] = {
|
|
/* prime field curves */
|
|
/* secg curves */
|
|
- {"secp112r1", NID_secp112r1 },
|
|
- {"secp112r2", NID_secp112r2 },
|
|
- {"secp128r1", NID_secp128r1 },
|
|
- {"secp128r2", NID_secp128r2 },
|
|
- {"secp160k1", NID_secp160k1 },
|
|
- {"secp160r1", NID_secp160r1 },
|
|
- {"secp160r2", NID_secp160r2 },
|
|
- {"secp192k1", NID_secp192k1 },
|
|
- {"secp224k1", NID_secp224k1 },
|
|
{"secp224r1", NID_secp224r1 },
|
|
{"secp256k1", NID_secp256k1 },
|
|
{"secp384r1", NID_secp384r1 },
|
|
{"secp521r1", NID_secp521r1 },
|
|
/* X9.62 curves */
|
|
- {"prime192v1", NID_X9_62_prime192v1 },
|
|
- {"prime192v2", NID_X9_62_prime192v2 },
|
|
- {"prime192v3", NID_X9_62_prime192v3 },
|
|
- {"prime239v1", NID_X9_62_prime239v1 },
|
|
- {"prime239v2", NID_X9_62_prime239v2 },
|
|
- {"prime239v3", NID_X9_62_prime239v3 },
|
|
{"prime256v1", NID_X9_62_prime256v1 },
|
|
/* characteristic two field curves */
|
|
/* NIST/SECG curves */
|
|
- {"sect113r1", NID_sect113r1 },
|
|
- {"sect113r2", NID_sect113r2 },
|
|
- {"sect131r1", NID_sect131r1 },
|
|
- {"sect131r2", NID_sect131r2 },
|
|
- {"sect163k1", NID_sect163k1 },
|
|
- {"sect163r1", NID_sect163r1 },
|
|
- {"sect163r2", NID_sect163r2 },
|
|
- {"sect193r1", NID_sect193r1 },
|
|
- {"sect193r2", NID_sect193r2 },
|
|
- {"sect233k1", NID_sect233k1 },
|
|
- {"sect233r1", NID_sect233r1 },
|
|
- {"sect239k1", NID_sect239k1 },
|
|
- {"sect283k1", NID_sect283k1 },
|
|
- {"sect283r1", NID_sect283r1 },
|
|
- {"sect409k1", NID_sect409k1 },
|
|
- {"sect409r1", NID_sect409r1 },
|
|
- {"sect571k1", NID_sect571k1 },
|
|
- {"sect571r1", NID_sect571r1 },
|
|
- /* X9.62 curves */
|
|
- {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
|
|
- {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
|
|
- {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
|
|
- {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
|
|
- {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
|
|
- {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
|
|
- {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
|
|
- {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
|
|
- {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
|
|
- {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
|
|
- {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
|
|
- {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
|
|
- {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
|
|
- {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
|
|
- {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
|
|
- {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
|
|
- /*
|
|
- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
|
|
- * from X9.62]
|
|
- */
|
|
- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
|
|
- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
|
|
- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
|
|
- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
|
|
- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
|
|
- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
|
|
- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
|
|
- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
|
|
- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
|
|
- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
|
|
- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
|
|
- /* IPSec curves */
|
|
- {"Oakley-EC2N-3", NID_ipsec3 },
|
|
- {"Oakley-EC2N-4", NID_ipsec4 },
|
|
/* brainpool curves */
|
|
- {"brainpoolP160r1", NID_brainpoolP160r1 },
|
|
- {"brainpoolP160t1", NID_brainpoolP160t1 },
|
|
- {"brainpoolP192r1", NID_brainpoolP192r1 },
|
|
- {"brainpoolP192t1", NID_brainpoolP192t1 },
|
|
- {"brainpoolP224r1", NID_brainpoolP224r1 },
|
|
- {"brainpoolP224t1", NID_brainpoolP224t1 },
|
|
{"brainpoolP256r1", NID_brainpoolP256r1 },
|
|
{"brainpoolP256t1", NID_brainpoolP256t1 },
|
|
{"brainpoolP320r1", NID_brainpoolP320r1 },
|
|
@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
|
|
/* Functions to translate between common NIST curve names and NIDs */
|
|
|
|
static const EC_NAME2NID nist_curves[] = {
|
|
- {"B-163", NID_sect163r2},
|
|
- {"B-233", NID_sect233r1},
|
|
- {"B-283", NID_sect283r1},
|
|
- {"B-409", NID_sect409r1},
|
|
- {"B-571", NID_sect571r1},
|
|
- {"K-163", NID_sect163k1},
|
|
- {"K-233", NID_sect233k1},
|
|
- {"K-283", NID_sect283k1},
|
|
- {"K-409", NID_sect409k1},
|
|
- {"K-571", NID_sect571k1},
|
|
- {"P-192", NID_X9_62_prime192v1},
|
|
{"P-224", NID_secp224r1},
|
|
{"P-256", NID_X9_62_prime256v1},
|
|
{"P-384", NID_secp384r1},
|
|
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
|
index ad11d3ae1e..894a0bff9d 100644
|
|
--- a/test/acvp_test.inc
|
|
+++ b/test/acvp_test.inc
|
|
@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
|
|
0xB1, 0xAC,
|
|
};
|
|
static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
|
|
- {
|
|
- "SHA-1",
|
|
- "P-192",
|
|
- ITM(ecdsa_sigver_msg0),
|
|
- ITM(ecdsa_sigver_pub0),
|
|
- ITM(ecdsa_sigver_r0),
|
|
- ITM(ecdsa_sigver_s0),
|
|
- PASS,
|
|
- },
|
|
{
|
|
"SHA2-512",
|
|
"P-521",
|
|
diff --git a/test/ecdsatest.h b/test/ecdsatest.h
|
|
index 63fe319025..06b5c0aac5 100644
|
|
--- a/test/ecdsatest.h
|
|
+++ b/test/ecdsatest.h
|
|
@@ -32,23 +32,6 @@ typedef struct {
|
|
} ecdsa_cavs_kat_t;
|
|
|
|
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
|
|
- /* prime KATs from X9.62 */
|
|
- {NID_X9_62_prime192v1, NID_sha1,
|
|
- "616263", /* "abc" */
|
|
- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
|
|
- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
|
|
- "5ca5c0d69716dfcb3474373902",
|
|
- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
|
|
- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
|
|
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
|
|
- {NID_X9_62_prime239v1, NID_sha1,
|
|
- "616263", /* "abc" */
|
|
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
|
|
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
|
|
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
|
|
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
|
|
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
|
|
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
|
|
/* prime KATs from NIST CAVP */
|
|
{NID_secp224r1, NID_sha224,
|
|
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
|
|
diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
|
|
index 2dfed387ca..c733b68f83 100644
|
|
--- a/test/recipes/15-test_genec.t
|
|
+++ b/test/recipes/15-test_genec.t
|
|
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
|
|
if disabled("ec");
|
|
|
|
my @prime_curves = qw(
|
|
- secp112r1
|
|
- secp112r2
|
|
- secp128r1
|
|
- secp128r2
|
|
- secp160k1
|
|
- secp160r1
|
|
- secp160r2
|
|
- secp192k1
|
|
- secp224k1
|
|
secp224r1
|
|
secp256k1
|
|
secp384r1
|
|
secp521r1
|
|
- prime192v1
|
|
- prime192v2
|
|
- prime192v3
|
|
- prime239v1
|
|
- prime239v2
|
|
- prime239v3
|
|
prime256v1
|
|
- wap-wsg-idm-ecid-wtls6
|
|
- wap-wsg-idm-ecid-wtls7
|
|
- wap-wsg-idm-ecid-wtls8
|
|
- wap-wsg-idm-ecid-wtls9
|
|
- wap-wsg-idm-ecid-wtls12
|
|
- brainpoolP160r1
|
|
- brainpoolP160t1
|
|
- brainpoolP192r1
|
|
- brainpoolP192t1
|
|
- brainpoolP224r1
|
|
- brainpoolP224t1
|
|
brainpoolP256r1
|
|
brainpoolP256t1
|
|
brainpoolP320r1
|
|
@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
|
|
if !disabled("sm2");
|
|
|
|
my @curve_aliases = qw(
|
|
- P-192
|
|
P-224
|
|
P-256
|
|
P-384
|
|
--
|
|
2.41.0
|
|
|