Add fips checks for ecdh key agreement
authorShane Lontis <shane.lontis@oracle.com>
Sat, 29 Aug 2020 02:59:04 +0000 (12:59 +1000)
committerMatt Caswell <matt@openssl.org>
Fri, 18 Sep 2020 13:20:38 +0000 (14:20 +0100)
For key agreement only NIST curves that have a security strength of 112 bits or more are allowed.
Fixed tests so they obey these restrictions when testing in fips mode.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)

providers/implementations/exchange/ecdh_exch.c
test/recipes/30-test_evp_data/evppkey_kas.txt
test/ssl-tests/14-curves.cnf
test/ssl-tests/14-curves.cnf.in

index 8e6cf10dc5681dd9c7715af1922c4ba4a4ad64e9..83d119b02b8eb0e54049e59116c74f3ea46a2bef 100644 (file)
@@ -24,6 +24,7 @@
 #include "prov/provider_ctx.h"
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
+#include "prov/provider_util.h"
 #include "crypto/ec.h" /* ecdh_KDF_X9_63() */
 
 static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
@@ -110,7 +111,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
     pecdhctx->k = vecdh;
     pecdhctx->cofactor_mode = -1;
     pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
-    return 1;
+    return ossl_prov_ec_check(vecdh, 1);
 }
 
 static
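Review bot: The new `ossl_prov_ec_check(vecdh, 1)` call in ecdh_init runs only after `pecdhctx->k = vecdh` has been stored, so a rejected key stays attached to the context even though init reports failure. The same ordering applies in the ecdh_set_peer hunk, where `pecdhctx->peerk` is replaced before the check. A caller that ignores the return value, or reuses the context after the failure, would be left holding a key on a curve below the 112-bit floor. Running the check before the context is touched, e.g. `if (!ossl_prov_ec_check(vecdh, 1)) return 0;` ahead of the assignment, keeps the previous state intact on rejection. Both function bodies start outside their hunks, so whether the derive step re-checks the stored keys is not visible here.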
@@ -125,7 +126,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
         return 0;
     EC_KEY_free(pecdhctx->peerk);
     pecdhctx->peerk = vecdh;
-    return 1;
+    return ossl_prov_ec_check(vecdh, 1);
 }
 
 static
@@ -253,7 +254,12 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
 
         EVP_MD_free(pectx->kdf_md);
         pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
-
+#ifdef FIPS_MODULE
+        if (!ossl_prov_digest_get_approved_nid(pectx->kdf_md, 1)) {
+            EVP_MD_free(pectx->kdf_md);
+            pectx->kdf_md = NULL;
+        }
+#endif
         if (pectx->kdf_md == NULL)
             return 0;
     }
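Review bot: In ecdh_set_ctx_params the FIPS block passes `pectx->kdf_md` to `ossl_prov_digest_get_approved_nid()` before the existing NULL test, so a failed `EVP_MD_fetch()` hands NULL to the helper; whether the helper tolerates that is not visible in this hunk. Guarding the call, `if (pectx->kdf_md != NULL && !ossl_prov_digest_get_approved_nid(pectx->kdf_md, 1)) {`, removes that dependency. The literal `1` would also read better with a short comment saying what the flag permits. An unapproved digest currently ends in the same bare `return 0` as a failed fetch, which makes a FIPS rejection hard to tell apart from a missing algorithm. The function starts and ends outside the hunk.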
index 44be323f095fe09871dbfcf7997ddc4502b4e4a5..32ffe349d8475faae8397a4cbf44813f0253bf69 100644 (file)
@@ -44,12 +44,17 @@ MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEQupt2Zad0qYf6hqsf46Y7cyJbG5V
 hXzA375dfGH6yIsRgRveMo6KDRK/AanSBLUj
 -----END PUBLIC KEY-----
 
-
+Availablein = default
 Derive=KAS-ECC-CDH_P-192_C0
 PeerKey=KAS-ECC-CDH_P-192_C0-Peer-PUBLIC
 Ctrl=ecdh_cofactor_mode:1
 SharedSecret=803d8ab2e5b6e6fca715737c3a82f7ce3c783124f6d51cd0
 
+Availablein = fips
+Derive=KAS-ECC-CDH_P-192_C0
+PeerKey=KAS-ECC-CDH_P-192_C0-Peer-PUBLIC
+Result = DERIVE_SET_PEER_ERROR
+
 PrivateKey=KAS-ECC-CDH_P-192_C1
 -----BEGIN PRIVATE KEY-----
 MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEVTBTAgEBBBhW6FM0nZb+TEQkSNrL
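Review bot: The FIPS stanza expects `DERIVE_SET_PEER_ERROR`, yet the same commit makes ecdh_init run the curve check on the local P-192 key, so it is not obvious from the test file why the failure surfaces at set-peer rather than at derive init. A `#` comment above `Availablein = fips` stating that P-192 is below the 112-bit floor for key agreement, and which step is expected to reject it, would make the expectation reviewable. Only the C0 vector gets a negative counterpart in this hunk; whether the remaining P-192 vectors are restricted to the default provider is outside the visible lines.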
index 26d0949f0d6b9d5682b3fda672e766e96445531a..1982c99db7aba5d3b40c3e98b485acaf15d2e101 100644 (file)
@@ -2,23 +2,23 @@
 
 num_tests = 30
 
-test-0 = 0-curve-sect163k1
-test-1 = 1-curve-sect163r2
-test-2 = 2-curve-sect233k1
-test-3 = 3-curve-sect233r1
-test-4 = 4-curve-sect283k1
-test-5 = 5-curve-sect283r1
-test-6 = 6-curve-sect409k1
-test-7 = 7-curve-sect409r1
-test-8 = 8-curve-sect571k1
-test-9 = 9-curve-sect571r1
-test-10 = 10-curve-prime192v1
-test-11 = 11-curve-secp224r1
-test-12 = 12-curve-prime256v1
-test-13 = 13-curve-secp384r1
-test-14 = 14-curve-secp521r1
-test-15 = 15-curve-X25519
-test-16 = 16-curve-X448
+test-0 = 0-curve-sect233k1
+test-1 = 1-curve-sect233r1
+test-2 = 2-curve-sect283k1
+test-3 = 3-curve-sect283r1
+test-4 = 4-curve-sect409k1
+test-5 = 5-curve-sect409r1
+test-6 = 6-curve-sect571k1
+test-7 = 7-curve-sect571r1
+test-8 = 8-curve-secp224r1
+test-9 = 9-curve-prime256v1
+test-10 = 10-curve-secp384r1
+test-11 = 11-curve-secp521r1
+test-12 = 12-curve-X25519
+test-13 = 13-curve-X448
+test-14 = 14-curve-sect163k1
+test-15 = 15-curve-sect163r2
+test-16 = 16-curve-prime192v1
 test-17 = 17-curve-sect163r1
 test-18 = 18-curve-sect193r1
 test-19 = 19-curve-sect193r2
@@ -34,478 +34,478 @@ test-28 = 28-curve-brainpoolP384r1
 test-29 = 29-curve-brainpoolP512r1
 # ===========================================================
 
-[0-curve-sect163k1]
-ssl_conf = 0-curve-sect163k1-ssl
+[0-curve-sect233k1]
+ssl_conf = 0-curve-sect233k1-ssl
 
-[0-curve-sect163k1-ssl]
-server = 0-curve-sect163k1-server
-client = 0-curve-sect163k1-client
+[0-curve-sect233k1-ssl]
+server = 0-curve-sect233k1-server
+client = 0-curve-sect233k1-client
 
-[0-curve-sect163k1-server]
+[0-curve-sect233k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect163k1
+Curves = sect233k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[0-curve-sect163k1-client]
+[0-curve-sect233k1-client]
 CipherString = ECDHE
-Curves = sect163k1
+Curves = sect233k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-0]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect163k1
+ExpectedTmpKeyType = sect233k1
 
 
 # ===========================================================
 
-[1-curve-sect163r2]
-ssl_conf = 1-curve-sect163r2-ssl
+[1-curve-sect233r1]
+ssl_conf = 1-curve-sect233r1-ssl
 
-[1-curve-sect163r2-ssl]
-server = 1-curve-sect163r2-server
-client = 1-curve-sect163r2-client
+[1-curve-sect233r1-ssl]
+server = 1-curve-sect233r1-server
+client = 1-curve-sect233r1-client
 
-[1-curve-sect163r2-server]
+[1-curve-sect233r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect163r2
+Curves = sect233r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[1-curve-sect163r2-client]
+[1-curve-sect233r1-client]
 CipherString = ECDHE
-Curves = sect163r2
+Curves = sect233r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-1]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect163r2
+ExpectedTmpKeyType = sect233r1
 
 
 # ===========================================================
 
-[2-curve-sect233k1]
-ssl_conf = 2-curve-sect233k1-ssl
+[2-curve-sect283k1]
+ssl_conf = 2-curve-sect283k1-ssl
 
-[2-curve-sect233k1-ssl]
-server = 2-curve-sect233k1-server
-client = 2-curve-sect233k1-client
+[2-curve-sect283k1-ssl]
+server = 2-curve-sect283k1-server
+client = 2-curve-sect283k1-client
 
-[2-curve-sect233k1-server]
+[2-curve-sect283k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect233k1
+Curves = sect283k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[2-curve-sect233k1-client]
+[2-curve-sect283k1-client]
 CipherString = ECDHE
-Curves = sect233k1
+Curves = sect283k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-2]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect233k1
+ExpectedTmpKeyType = sect283k1
 
 
 # ===========================================================
 
-[3-curve-sect233r1]
-ssl_conf = 3-curve-sect233r1-ssl
+[3-curve-sect283r1]
+ssl_conf = 3-curve-sect283r1-ssl
 
-[3-curve-sect233r1-ssl]
-server = 3-curve-sect233r1-server
-client = 3-curve-sect233r1-client
+[3-curve-sect283r1-ssl]
+server = 3-curve-sect283r1-server
+client = 3-curve-sect283r1-client
 
-[3-curve-sect233r1-server]
+[3-curve-sect283r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect233r1
+Curves = sect283r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[3-curve-sect233r1-client]
+[3-curve-sect283r1-client]
 CipherString = ECDHE
-Curves = sect233r1
+Curves = sect283r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-3]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect233r1
+ExpectedTmpKeyType = sect283r1
 
 
 # ===========================================================
 
-[4-curve-sect283k1]
-ssl_conf = 4-curve-sect283k1-ssl
+[4-curve-sect409k1]
+ssl_conf = 4-curve-sect409k1-ssl
 
-[4-curve-sect283k1-ssl]
-server = 4-curve-sect283k1-server
-client = 4-curve-sect283k1-client
+[4-curve-sect409k1-ssl]
+server = 4-curve-sect409k1-server
+client = 4-curve-sect409k1-client
 
-[4-curve-sect283k1-server]
+[4-curve-sect409k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect283k1
+Curves = sect409k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[4-curve-sect283k1-client]
+[4-curve-sect409k1-client]
 CipherString = ECDHE
-Curves = sect283k1
+Curves = sect409k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-4]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect283k1
+ExpectedTmpKeyType = sect409k1
 
 
 # ===========================================================
 
-[5-curve-sect283r1]
-ssl_conf = 5-curve-sect283r1-ssl
+[5-curve-sect409r1]
+ssl_conf = 5-curve-sect409r1-ssl
 
-[5-curve-sect283r1-ssl]
-server = 5-curve-sect283r1-server
-client = 5-curve-sect283r1-client
+[5-curve-sect409r1-ssl]
+server = 5-curve-sect409r1-server
+client = 5-curve-sect409r1-client
 
-[5-curve-sect283r1-server]
+[5-curve-sect409r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect283r1
+Curves = sect409r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[5-curve-sect283r1-client]
+[5-curve-sect409r1-client]
 CipherString = ECDHE
-Curves = sect283r1
+Curves = sect409r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-5]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect283r1
+ExpectedTmpKeyType = sect409r1
 
 
 # ===========================================================
 
-[6-curve-sect409k1]
-ssl_conf = 6-curve-sect409k1-ssl
+[6-curve-sect571k1]
+ssl_conf = 6-curve-sect571k1-ssl
 
-[6-curve-sect409k1-ssl]
-server = 6-curve-sect409k1-server
-client = 6-curve-sect409k1-client
+[6-curve-sect571k1-ssl]
+server = 6-curve-sect571k1-server
+client = 6-curve-sect571k1-client
 
-[6-curve-sect409k1-server]
+[6-curve-sect571k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect409k1
+Curves = sect571k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[6-curve-sect409k1-client]
+[6-curve-sect571k1-client]
 CipherString = ECDHE
-Curves = sect409k1
+Curves = sect571k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-6]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect409k1
+ExpectedTmpKeyType = sect571k1
 
 
 # ===========================================================
 
-[7-curve-sect409r1]
-ssl_conf = 7-curve-sect409r1-ssl
+[7-curve-sect571r1]
+ssl_conf = 7-curve-sect571r1-ssl
 
-[7-curve-sect409r1-ssl]
-server = 7-curve-sect409r1-server
-client = 7-curve-sect409r1-client
+[7-curve-sect571r1-ssl]
+server = 7-curve-sect571r1-server
+client = 7-curve-sect571r1-client
 
-[7-curve-sect409r1-server]
+[7-curve-sect571r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect409r1
+Curves = sect571r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[7-curve-sect409r1-client]
+[7-curve-sect571r1-client]
 CipherString = ECDHE
-Curves = sect409r1
+Curves = sect571r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-7]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect409r1
+ExpectedTmpKeyType = sect571r1
 
 
 # ===========================================================
 
-[8-curve-sect571k1]
-ssl_conf = 8-curve-sect571k1-ssl
+[8-curve-secp224r1]
+ssl_conf = 8-curve-secp224r1-ssl
 
-[8-curve-sect571k1-ssl]
-server = 8-curve-sect571k1-server
-client = 8-curve-sect571k1-client
+[8-curve-secp224r1-ssl]
+server = 8-curve-secp224r1-server
+client = 8-curve-secp224r1-client
 
-[8-curve-sect571k1-server]
+[8-curve-secp224r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect571k1
+Curves = secp224r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[8-curve-sect571k1-client]
+[8-curve-secp224r1-client]
 CipherString = ECDHE
-Curves = sect571k1
+Curves = secp224r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-8]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect571k1
+ExpectedTmpKeyType = secp224r1
 
 
 # ===========================================================
 
-[9-curve-sect571r1]
-ssl_conf = 9-curve-sect571r1-ssl
+[9-curve-prime256v1]
+ssl_conf = 9-curve-prime256v1-ssl
 
-[9-curve-sect571r1-ssl]
-server = 9-curve-sect571r1-server
-client = 9-curve-sect571r1-client
+[9-curve-prime256v1-ssl]
+server = 9-curve-prime256v1-server
+client = 9-curve-prime256v1-client
 
-[9-curve-sect571r1-server]
+[9-curve-prime256v1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect571r1
+Curves = prime256v1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[9-curve-sect571r1-client]
+[9-curve-prime256v1-client]
 CipherString = ECDHE
-Curves = sect571r1
+Curves = prime256v1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-9]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect571r1
+ExpectedTmpKeyType = prime256v1
 
 
 # ===========================================================
 
-[10-curve-prime192v1]
-ssl_conf = 10-curve-prime192v1-ssl
+[10-curve-secp384r1]
+ssl_conf = 10-curve-secp384r1-ssl
 
-[10-curve-prime192v1-ssl]
-server = 10-curve-prime192v1-server
-client = 10-curve-prime192v1-client
+[10-curve-secp384r1-ssl]
+server = 10-curve-secp384r1-server
+client = 10-curve-secp384r1-client
 
-[10-curve-prime192v1-server]
+[10-curve-secp384r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = prime192v1
+Curves = secp384r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[10-curve-prime192v1-client]
+[10-curve-secp384r1-client]
 CipherString = ECDHE
-Curves = prime192v1
+Curves = secp384r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-10]
 ExpectedResult = Success
-ExpectedTmpKeyType = prime192v1
+ExpectedTmpKeyType = secp384r1
 
 
 # ===========================================================
 
-[11-curve-secp224r1]
-ssl_conf = 11-curve-secp224r1-ssl
+[11-curve-secp521r1]
+ssl_conf = 11-curve-secp521r1-ssl
 
-[11-curve-secp224r1-ssl]
-server = 11-curve-secp224r1-server
-client = 11-curve-secp224r1-client
+[11-curve-secp521r1-ssl]
+server = 11-curve-secp521r1-server
+client = 11-curve-secp521r1-client
 
-[11-curve-secp224r1-server]
+[11-curve-secp521r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp224r1
+Curves = secp521r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[11-curve-secp224r1-client]
+[11-curve-secp521r1-client]
 CipherString = ECDHE
-Curves = secp224r1
+Curves = secp521r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-11]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp224r1
+ExpectedTmpKeyType = secp521r1
 
 
 # ===========================================================
 
-[12-curve-prime256v1]
-ssl_conf = 12-curve-prime256v1-ssl
+[12-curve-X25519]
+ssl_conf = 12-curve-X25519-ssl
 
-[12-curve-prime256v1-ssl]
-server = 12-curve-prime256v1-server
-client = 12-curve-prime256v1-client
+[12-curve-X25519-ssl]
+server = 12-curve-X25519-server
+client = 12-curve-X25519-client
 
-[12-curve-prime256v1-server]
+[12-curve-X25519-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = prime256v1
+Curves = X25519
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[12-curve-prime256v1-client]
+[12-curve-X25519-client]
 CipherString = ECDHE
-Curves = prime256v1
+Curves = X25519
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-12]
 ExpectedResult = Success
-ExpectedTmpKeyType = prime256v1
+ExpectedTmpKeyType = X25519
 
 
 # ===========================================================
 
-[13-curve-secp384r1]
-ssl_conf = 13-curve-secp384r1-ssl
+[13-curve-X448]
+ssl_conf = 13-curve-X448-ssl
 
-[13-curve-secp384r1-ssl]
-server = 13-curve-secp384r1-server
-client = 13-curve-secp384r1-client
+[13-curve-X448-ssl]
+server = 13-curve-X448-server
+client = 13-curve-X448-client
 
-[13-curve-secp384r1-server]
+[13-curve-X448-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp384r1
+Curves = X448
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[13-curve-secp384r1-client]
+[13-curve-X448-client]
 CipherString = ECDHE
-Curves = secp384r1
+Curves = X448
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-13]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp384r1
+ExpectedTmpKeyType = X448
 
 
 # ===========================================================
 
-[14-curve-secp521r1]
-ssl_conf = 14-curve-secp521r1-ssl
+[14-curve-sect163k1]
+ssl_conf = 14-curve-sect163k1-ssl
 
-[14-curve-secp521r1-ssl]
-server = 14-curve-secp521r1-server
-client = 14-curve-secp521r1-client
+[14-curve-sect163k1-ssl]
+server = 14-curve-sect163k1-server
+client = 14-curve-sect163k1-client
 
-[14-curve-secp521r1-server]
+[14-curve-sect163k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp521r1
+Curves = sect163k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[14-curve-secp521r1-client]
+[14-curve-sect163k1-client]
 CipherString = ECDHE
-Curves = secp521r1
+Curves = sect163k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-14]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp521r1
+ExpectedTmpKeyType = sect163k1
 
 
 # ===========================================================
 
-[15-curve-X25519]
-ssl_conf = 15-curve-X25519-ssl
+[15-curve-sect163r2]
+ssl_conf = 15-curve-sect163r2-ssl
 
-[15-curve-X25519-ssl]
-server = 15-curve-X25519-server
-client = 15-curve-X25519-client
+[15-curve-sect163r2-ssl]
+server = 15-curve-sect163r2-server
+client = 15-curve-sect163r2-client
 
-[15-curve-X25519-server]
+[15-curve-sect163r2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = X25519
+Curves = sect163r2
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[15-curve-X25519-client]
+[15-curve-sect163r2-client]
 CipherString = ECDHE
-Curves = X25519
+Curves = sect163r2
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-15]
 ExpectedResult = Success
-ExpectedTmpKeyType = X25519
+ExpectedTmpKeyType = sect163r2
 
 
 # ===========================================================
 
-[16-curve-X448]
-ssl_conf = 16-curve-X448-ssl
+[16-curve-prime192v1]
+ssl_conf = 16-curve-prime192v1-ssl
 
-[16-curve-X448-ssl]
-server = 16-curve-X448-server
-client = 16-curve-X448-client
+[16-curve-prime192v1-ssl]
+server = 16-curve-prime192v1-server
+client = 16-curve-prime192v1-client
 
-[16-curve-X448-server]
+[16-curve-prime192v1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = X448
+Curves = prime192v1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[16-curve-X448-client]
+[16-curve-prime192v1-client]
 CipherString = ECDHE
-Curves = X448
+Curves = prime192v1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-16]
 ExpectedResult = Success
-ExpectedTmpKeyType = X448
+ExpectedTmpKeyType = prime192v1
 
 
 # ===========================================================
index d074e561c94c07344ee77ee48bcb47422aa27118..b5ee4d282761ab75d1f08842e92cc4dac616b9ab 100644 (file)
@@ -12,13 +12,14 @@ use OpenSSL::Test::Utils qw(anydisabled);
 
 our $fips_mode;
 
-my @curves = ("sect163k1", "sect163r2", "sect233k1", "sect233r1",
+my @curves = ("sect233k1", "sect233r1",
               "sect283k1", "sect283r1", "sect409k1", "sect409r1",
-              "sect571k1", "sect571r1", "prime192v1", "secp224r1",
+              "sect571k1", "sect571r1", "secp224r1",
               "prime256v1", "secp384r1", "secp521r1", "X25519",
               "X448");
 
-my @curves_non_fips = ("sect163r1", "sect193r1", "sect193r2", "sect239k1",
+my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
+                       "sect163r1", "sect193r1", "sect193r2", "sect239k1",
                        "secp160k1", "secp160r1", "secp160r2", "secp192k1",
                        "secp224k1",  "secp256k1", "brainpoolP256r1",
                        "brainpoolP384r1", "brainpoolP512r1");
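Review bot: The split between `@curves` and `@curves_non_fips` is maintained by hand and nothing in the file says what decides membership, so the next curve added can land in the wrong list and only show up as a FIPS-mode test failure. A comment above `@curves` such as `# Curves accepted for key exchange in FIPS mode (security strength >= 112 bits)` would record the rule this commit applies. A matching comment above `@curves_non_fips` should note how those entries are treated when `$fips_mode` is set. How `$fips_mode` selects between the two lists is outside the hunk.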