From: Yi Li Date: Mon, 17 Apr 2023 08:20:31 +0000 (+0800) Subject: configure: introduce no-ecx to remove ECX related feature X-Git-Tag: openssl-3.2.0-alpha1~652 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=4032cd9a1434610e4dc2bbde01f98d04faa615e5 configure: introduce no-ecx to remove ECX related feature This can effectively reduce the binary size for platforms that don't need ECX feature(~100KB). Signed-off-by: Yi Li Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/20781) --- diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 9d9c89a434..779dfd390e 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -29,6 +29,7 @@ jobs: no-unit-test, enable-weak-ssl-ciphers, enable-zlib, + no-ecx, ] runs-on: ubuntu-latest steps: diff --git a/Configure b/Configure index ae16aafcea..ba9ef7662c 100755 --- a/Configure +++ b/Configure @@ -449,6 +449,7 @@ my @disablables = ( "ec_nistp_64_gcc_128", "ecdh", "ecdsa", + "ecx", "egd", "engine", "err", @@ -611,7 +612,7 @@ my @disable_cascades = ( "brotli" => [ "brotli-dynamic" ], "zstd" => [ "zstd-dynamic" ], "des" => [ "mdc2" ], - "ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ], + "ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "ecx" ], "dgram" => [ "dtls", "quic", "sctp" ], "sock" => [ "dgram", "tfo" ], "dtls" => [ @dtls ], diff --git a/apps/list.c b/apps/list.c index 2ccd41277a..56b0917d11 100644 --- a/apps/list.c +++ b/apps/list.c @@ -1337,6 +1337,9 @@ static void list_disabled(void) #ifdef OPENSSL_NO_EC BIO_puts(bio_out, "EC\n"); #endif +#ifdef OPENSSL_NO_ECX + BIO_puts(bio_out, "ECX\n"); +#endif #ifdef OPENSSL_NO_EC2M BIO_puts(bio_out, "EC2M\n"); #endif diff --git a/apps/speed.c b/apps/speed.c index 1d8304f105..de4f9994db 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -436,7 +436,13 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { {"ecdsabrp512r1", R_EC_BRP512R1}, {"ecdsabrp512t1", R_EC_BRP512T1} }; -enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM }; +enum { +#ifndef OPENSSL_NO_ECX + R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM +#else + EC_NUM = ECDSA_NUM +#endif +}; /* list of ecdh curves, extension of |ecdsa_choices| list above */ static const OPT_PAIR ecdh_choices[EC_NUM] = { {"ecdhp160", R_EC_P160}, @@ -463,13 +469,16 @@ static const OPT_PAIR ecdh_choices[EC_NUM] = { {"ecdhbrp384t1", R_EC_BRP384T1}, {"ecdhbrp512r1", R_EC_BRP512R1}, {"ecdhbrp512t1", R_EC_BRP512T1}, +#ifndef OPENSSL_NO_ECX {"ecdhx25519", R_EC_X25519}, {"ecdhx448", R_EC_X448} +#endif }; static double ecdh_results[EC_NUM][1]; /* 1 op: derivation */ static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */ +#ifndef OPENSSL_NO_ECX enum { R_EC_Ed25519, R_EC_Ed448, EdDSA_NUM }; static const OPT_PAIR eddsa_choices[EdDSA_NUM] = { {"ed25519", R_EC_Ed25519}, @@ -477,6 +486,7 @@ static const OPT_PAIR eddsa_choices[EdDSA_NUM] = { }; static double eddsa_results[EdDSA_NUM][2]; /* 2 ops: sign then verify */ +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 enum { R_EC_CURVESM2, SM2_NUM }; @@ -518,8 +528,10 @@ typedef struct loopargs_st { EVP_PKEY_CTX *ecdsa_sign_ctx[ECDSA_NUM]; EVP_PKEY_CTX *ecdsa_verify_ctx[ECDSA_NUM]; EVP_PKEY_CTX *ecdh_ctx[EC_NUM]; +#ifndef OPENSSL_NO_ECX EVP_MD_CTX *eddsa_ctx[EdDSA_NUM]; EVP_MD_CTX *eddsa_ctx2[EdDSA_NUM]; +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 EVP_MD_CTX *sm2_ctx[SM2_NUM]; EVP_MD_CTX *sm2_vfy_ctx[SM2_NUM]; @@ -1054,6 +1066,7 @@ static int ECDH_EVP_derive_key_loop(void *args) return count; } +#ifndef OPENSSL_NO_ECX static int EdDSA_sign_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; @@ -1095,6 +1108,7 @@ static int EdDSA_verify_loop(void *args) } return count; } +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 static int SM2_sign_loop(void *args) @@ -1726,15 +1740,19 @@ int speed_main(int argc, char **argv) {"brainpoolP384t1", NID_brainpoolP384t1, 384}, {"brainpoolP512r1", NID_brainpoolP512r1, 512}, {"brainpoolP512t1", NID_brainpoolP512t1, 512}, +#ifndef OPENSSL_NO_ECX /* Other and ECDH only ones */ {"X25519", NID_X25519, 253}, {"X448", NID_X448, 448} +#endif }; +#ifndef OPENSSL_NO_ECX static const EC_CURVE ed_curves[EdDSA_NUM] = { /* EdDSA */ {"Ed25519", NID_ED25519, 253, 64}, {"Ed448", NID_ED448, 456, 114} }; +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 static const EC_CURVE sm2_curves[SM2_NUM] = { /* SM2 */ @@ -1744,7 +1762,9 @@ int speed_main(int argc, char **argv) #endif uint8_t ecdsa_doit[ECDSA_NUM] = { 0 }; uint8_t ecdh_doit[EC_NUM] = { 0 }; +#ifndef OPENSSL_NO_ECX uint8_t eddsa_doit[EdDSA_NUM] = { 0 }; +#endif /* OPENSSL_NO_ECX */ uint8_t kems_doit[MAX_KEM_NUM] = { 0 }; uint8_t sigs_doit[MAX_SIG_NUM] = { 0 }; @@ -1753,6 +1773,7 @@ int speed_main(int argc, char **argv) uint8_t do_sigs = 0; /* checks declared curves against choices list. */ +#ifndef OPENSSL_NO_ECX OPENSSL_assert(ed_curves[EdDSA_NUM - 1].nid == NID_ED448); OPENSSL_assert(strcmp(eddsa_choices[EdDSA_NUM - 1].name, "ed448") == 0); @@ -1761,6 +1782,7 @@ int speed_main(int argc, char **argv) OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1); OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0); +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 OPENSSL_assert(sm2_curves[SM2_NUM - 1].nid == NID_sm2); @@ -2106,6 +2128,7 @@ int speed_main(int argc, char **argv) algo_found = 1; } } +#ifndef OPENSSL_NO_ECX if (strcmp(algo, "eddsa") == 0) { memset(eddsa_doit, 1, sizeof(eddsa_doit)); algo_found = 1; @@ -2114,6 +2137,7 @@ int speed_main(int argc, char **argv) eddsa_doit[i] = 2; algo_found = 1; } +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 if (strcmp(algo, "sm2") == 0) { memset(sm2_doit, 1, sizeof(sm2_doit)); @@ -2294,9 +2318,11 @@ int speed_main(int argc, char **argv) memset(ffdh_doit, 1, sizeof(ffdh_doit)); #endif memset(dsa_doit, 1, sizeof(dsa_doit)); +#ifndef OPENSSL_NO_ECX memset(ecdsa_doit, 1, sizeof(ecdsa_doit)); memset(ecdh_doit, 1, sizeof(ecdh_doit)); memset(eddsa_doit, 1, sizeof(eddsa_doit)); +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 memset(sm2_doit, 1, sizeof(sm2_doit)); #endif @@ -3106,6 +3132,7 @@ skip_hmac: } } +#ifndef OPENSSL_NO_ECX for (testnum = 0; testnum < EdDSA_NUM; testnum++) { int st = 1; EVP_PKEY *ed_pkey = NULL; @@ -3218,6 +3245,7 @@ skip_hmac: } } } +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 for (testnum = 0; testnum < SM2_NUM; testnum++) { @@ -4008,6 +4036,7 @@ skip_hmac: 1.0 / ecdh_results[k][0], ecdh_results[k][0]); } +#ifndef OPENSSL_NO_ECX testnum = 1; for (k = 0; k < OSSL_NELEM(eddsa_doit); k++) { if (!eddsa_doit[k]) @@ -4027,6 +4056,7 @@ skip_hmac: 1.0 / eddsa_results[k][0], 1.0 / eddsa_results[k][1], eddsa_results[k][0], eddsa_results[k][1]); } +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 testnum = 1; @@ -4142,10 +4172,12 @@ skip_hmac: } for (k = 0; k < EC_NUM; k++) EVP_PKEY_CTX_free(loopargs[i].ecdh_ctx[k]); +#ifndef OPENSSL_NO_ECX for (k = 0; k < EdDSA_NUM; k++) { EVP_MD_CTX_free(loopargs[i].eddsa_ctx[k]); EVP_MD_CTX_free(loopargs[i].eddsa_ctx2[k]); } +#endif /* OPENSSL_NO_ECX */ #ifndef OPENSSL_NO_SM2 for (k = 0; k < SM2_NUM; k++) { EVP_PKEY_CTX *pctx = NULL; @@ -4402,6 +4434,7 @@ static int do_multi(int multi, int size_num) d = atof(sstrsep(&p, sep)); ecdh_results[k][0] += d; } +# ifndef OPENSSL_NO_ECX } else if (CHECK_AND_SKIP_PREFIX(p, "+F6:")) { tk = sstrsep(&p, sep); if (strtoint(tk, 0, OSSL_NELEM(eddsa_results), &k)) { @@ -4414,6 +4447,7 @@ static int do_multi(int multi, int size_num) d = atof(sstrsep(&p, sep)); eddsa_results[k][1] += d; } +# endif /* OPENSSL_NO_ECX */ # ifndef OPENSSL_NO_SM2 } else if (CHECK_AND_SKIP_PREFIX(p, "+F7:")) { tk = sstrsep(&p, sep); diff --git a/crypto/asn1/standard_methods.h b/crypto/asn1/standard_methods.h index 0b0c7ef686..0e2cdbd50e 100644 --- a/crypto/asn1/standard_methods.h +++ b/crypto/asn1/standard_methods.h @@ -32,11 +32,9 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { #ifndef OPENSSL_NO_DH &ossl_dhx_asn1_meth, #endif -#ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECX &ossl_ecx25519_asn1_meth, &ossl_ecx448_asn1_meth, -#endif -#ifndef OPENSSL_NO_EC &ossl_ed25519_asn1_meth, &ossl_ed448_asn1_meth, #endif diff --git a/crypto/ec/build.info b/crypto/ec/build.info index e4799ad37a..6fd73e4573 100644 --- a/crypto/ec/build.info +++ b/crypto/ec/build.info @@ -3,9 +3,12 @@ IF[{- !$disabled{asm} -}] $ECASM_x86=ecp_nistz256.c ecp_nistz256-x86.S $ECDEF_x86=ECP_NISTZ256_ASM - $ECASM_x86_64=ecp_nistz256.c ecp_nistz256-x86_64.s x25519-x86_64.s - $ECDEF_x86_64=ECP_NISTZ256_ASM X25519_ASM - + $ECASM_x86_64=ecp_nistz256.c ecp_nistz256-x86_64.s + $ECDEF_x86_64=ECP_NISTZ256_ASM + IF[{- !$disabled{'ecx'} -}] + $ECASM_x86_64=$ECASM_x86_64 x25519-x86_64.s + $ECDEF_x86_64=$ECDEF_x86_64 X25519_ASM + ENDIF $ECASM_ia64= $ECASM_sparcv9=ecp_nistz256.c ecp_nistz256-sparcv9.S @@ -18,7 +21,10 @@ IF[{- !$disabled{asm} -}] $ECASM_mips32= $ECASM_mips64= - $ECASM_s390x=ecp_s390x_nistp.c ecx_s390x.c + $ECASM_s390x=ecp_s390x_nistp.c + IF[{- !$disabled{'ecx'} -}] + $ECASM_s390x=$ECASM_s390x ecx_s390x.c + ENDIF $ECDEF_s390x=S390X_EC_ASM $ECASM_armv4=ecp_nistz256.c ecp_nistz256-armv4.S @@ -30,13 +36,18 @@ IF[{- !$disabled{asm} -}] $ECASM_parisc20_64= $ECASM_ppc32= - $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s - $ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM + $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s + $ECDEF_ppc64=ECP_NISTZ256_ASM IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM INCLUDE[ecp_nistp521.o]=.. ENDIF + IF[{- !$disabled{'ecx'} -}] + $ECASM_ppc64=$ECASM_ppc64 x25519-ppc64.s + $ECDEF_ppc64=$ECDEF_ppc64 X25519_ASM + INCLUDE[ecx_s390x.o]=.. + ENDIF $ECASM_c64xplus= @@ -49,22 +60,29 @@ IF[{- !$disabled{asm} -}] ENDIF $COMMON=ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c \ - ec_curve.c ec_check.c ec_key.c ec_kmeth.c ecx_key.c ec_asn1.c \ + ec_curve.c ec_check.c ec_key.c ec_kmeth.c ec_asn1.c \ ec2_smpl.c \ ecp_oct.c ec2_oct.c ec_oct.c ecdh_ossl.c \ - ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c curve25519.c \ - curve448/f_generic.c curve448/scalar.c \ - curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \ - $ECASM ec_backend.c ecx_backend.c ecdh_kdf.c curve448/arch_64/f_impl64.c \ - curve448/arch_32/f_impl32.c + ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c \ + $ECASM ec_backend.c ecdh_kdf.c + +IF[{- !$disabled{'ecx'} -}] + $COMMON=$COMMON curve25519.c curve448/f_generic.c curve448/scalar.c \ + curve448/arch_64/f_impl64.c ecx_backend.c curve448/arch_32/f_impl32.c \ + curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \ + ecx_key.c +ENDIF IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] $COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c ENDIF -SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c ecx_meth.c \ +SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c \ ec_err.c eck_prn.c \ ec_deprecated.c ec_print.c +IF[{- !$disabled{'ecx'} -}] + SOURCE[../../libcrypto]=ecx_meth.c +ENDIF SOURCE[../../providers/libfips.a]=$COMMON # Implementations are now spread across several libraries, so the defines @@ -90,9 +108,10 @@ GENERATE[ecp_nistz256-sparcv9.S]=asm/ecp_nistz256-sparcv9.pl INCLUDE[ecp_nistz256-sparcv9.o]=.. INCLUDE[ecp_s390x_nistp.o]=.. -INCLUDE[ecx_s390x.o]=.. -INCLUDE[ecx_meth.o]=.. -INCLUDE[ecx_key.o]=.. +IF[{- !$disabled{'ecx'} -}] + INCLUDE[ecx_meth.o]=.. + INCLUDE[ecx_key.o]=.. +ENDIF GENERATE[ecp_nistz256-armv4.S]=asm/ecp_nistz256-armv4.pl INCLUDE[ecp_nistz256-armv4.o]=.. @@ -102,5 +121,7 @@ GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl +IF[{- !$disabled{'ecx'} -}] GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl +ENDIF diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index d0a7fde1e6..b26b606505 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -872,7 +872,7 @@ DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey) } # endif /* OPENSSL_NO_DSA */ -# ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX static const ECX_KEY *evp_pkey_get0_ECX_KEY(const EVP_PKEY *pkey, int type) { if (EVP_PKEY_get_base_id(pkey) != type) { @@ -901,7 +901,7 @@ IMPLEMENT_ECX_VARIANT(X448) IMPLEMENT_ECX_VARIANT(ED25519) IMPLEMENT_ECX_VARIANT(ED448) -# endif +# endif /* OPENSSL_NO_ECX */ # if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index caf10b2d5c..4b5225e439 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -66,11 +66,9 @@ static pmeth_fn standard_methods[] = { # ifndef OPENSSL_NO_DH ossl_dhx_pkey_method, # endif -# ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX ossl_ecx25519_pkey_method, ossl_ecx448_pkey_method, -# endif -# ifndef OPENSSL_NO_EC ossl_ed25519_pkey_method, ossl_ed448_pkey_method, # endif diff --git a/crypto/hpke/hpke_util.c b/crypto/hpke/hpke_util.c index 2591ff6c75..b7a40b1591 100644 --- a/crypto/hpke/hpke_util.c +++ b/crypto/hpke/hpke_util.c @@ -66,12 +66,14 @@ static const OSSL_HPKE_KEM_INFO hpke_kem_tab[] = { LN_sha384, SHA384_DIGEST_LENGTH, 97, 97, 48, 0xFF }, { OSSL_HPKE_KEM_ID_P521, "EC", OSSL_HPKE_KEMSTR_P521, LN_sha512, SHA512_DIGEST_LENGTH, 133, 133, 66, 0x01 }, +# ifndef OPENSSL_NO_ECX { OSSL_HPKE_KEM_ID_X25519, OSSL_HPKE_KEMSTR_X25519, NULL, LN_sha256, SHA256_DIGEST_LENGTH, X25519_KEYLEN, X25519_KEYLEN, X25519_KEYLEN, 0x00 }, { OSSL_HPKE_KEM_ID_X448, OSSL_HPKE_KEMSTR_X448, NULL, LN_sha512, SHA512_DIGEST_LENGTH, X448_KEYLEN, X448_KEYLEN, X448_KEYLEN, 0x00 } +# endif #else { OSSL_HPKE_KEM_ID_RESERVED, NULL, NULL, NULL, 0, 0, 0, 0, 0x00 } #endif @@ -122,10 +124,12 @@ static const synonymttab_t kemstrtab[] = { {OSSL_HPKE_KEMSTR_P384, "0x11", "0x11", "17" }}, {OSSL_HPKE_KEM_ID_P521, {OSSL_HPKE_KEMSTR_P521, "0x12", "0x12", "18" }}, +# ifndef OPENSSL_NO_ECX {OSSL_HPKE_KEM_ID_X25519, {OSSL_HPKE_KEMSTR_X25519, "0x20", "0x20", "32" }}, {OSSL_HPKE_KEM_ID_X448, {OSSL_HPKE_KEMSTR_X448, "0x21", "0x21", "33" }} +# endif }; static const synonymttab_t kdfstrtab[] = { {OSSL_HPKE_KDF_ID_HKDF_SHA256, diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index 6726cac857..ec7d74af5f 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -835,6 +835,7 @@ int i2d_EC_PUBKEY(const EC_KEY *a, unsigned char **pp) return ret; } +# ifndef OPENSSL_NO_ECX ECX_KEY *ossl_d2i_ED25519_PUBKEY(ECX_KEY **a, const unsigned char **pp, long length) { @@ -1002,6 +1003,7 @@ int ossl_i2d_X448_PUBKEY(const ECX_KEY *a, unsigned char **pp) return ret; } +# endif /* OPENSSL_NO_ECX */ #endif void X509_PUBKEY_set0_public_key(X509_PUBKEY *pub, diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h index e6b61b5a79..5ae38d7c9c 100644 --- a/include/crypto/ecx.h +++ b/include/crypto/ecx.h @@ -15,7 +15,7 @@ # include -# ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX # include # include @@ -155,5 +155,5 @@ ECX_KEY *ossl_evp_pkey_get1_X25519(EVP_PKEY *pkey); ECX_KEY *ossl_evp_pkey_get1_X448(EVP_PKEY *pkey); ECX_KEY *ossl_evp_pkey_get1_ED25519(EVP_PKEY *pkey); ECX_KEY *ossl_evp_pkey_get1_ED448(EVP_PKEY *pkey); -# endif /* OPENSSL_NO_EC */ +# endif /* OPENSSL_NO_ECX */ #endif diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 4e9cf7bb6d..30c5aa2b1d 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -647,7 +647,9 @@ union legacy_pkey_st { # endif # ifndef OPENSSL_NO_EC struct ec_key_st *ec; /* ECC */ +# ifndef OPENSSL_NO_ECX ECX_KEY *ecx; /* X25519, X448, Ed25519, Ed448 */ +# endif # endif }; diff --git a/include/openssl/hpke.h b/include/openssl/hpke.h index 26149b0ac1..8f615edbdc 100644 --- a/include/openssl/hpke.h +++ b/include/openssl/hpke.h @@ -82,12 +82,21 @@ typedef struct { * Suite constants, use this like: * OSSL_HPKE_SUITE myvar = OSSL_HPKE_SUITE_DEFAULT; */ -# define OSSL_HPKE_SUITE_DEFAULT \ +# ifndef OPENSSL_NO_ECX +# define OSSL_HPKE_SUITE_DEFAULT \ {\ OSSL_HPKE_KEM_ID_X25519, \ OSSL_HPKE_KDF_ID_HKDF_SHA256, \ OSSL_HPKE_AEAD_ID_AES_GCM_128 \ } +# else +# define OSSL_HPKE_SUITE_DEFAULT \ + {\ + OSSL_HPKE_KEM_ID_P256, \ + OSSL_HPKE_KDF_ID_HKDF_SHA256, \ + OSSL_HPKE_AEAD_ID_AES_GCM_128 \ + } +#endif typedef struct ossl_hpke_ctx_st OSSL_HPKE_CTX; diff --git a/providers/common/der/build.info b/providers/common/der/build.info index b81413e11b..764bff539e 100644 --- a/providers/common/der/build.info +++ b/providers/common/der/build.info @@ -57,7 +57,7 @@ IF[{- !$disabled{ec} -}] ENDIF #----- ECX -IF[{- !$disabled{ec} -}] +IF[{- !$disabled{ecx} -}] $DER_ECX_H=$INCDIR/der_ecx.h $DER_ECX_GEN=der_ecx_gen.c $DER_ECX_AUX=der_ecx_key.c @@ -107,7 +107,9 @@ ENDIF IF[{- !$disabled{ec} -}] $COMMON = $COMMON $DER_EC_GEN $DER_EC_AUX - $COMMON = $COMMON $DER_ECX_GEN $DER_ECX_AUX + IF[{- !$disabled{ecx} -}] + $COMMON = $COMMON $DER_ECX_GEN $DER_ECX_AUX + ENDIF ENDIF IF[{- !$disabled{sm2} -}] diff --git a/providers/decoders.inc b/providers/decoders.inc index edca39ea36..f0bbad807c 100644 --- a/providers/decoders.inc +++ b/providers/decoders.inc @@ -58,6 +58,7 @@ DECODER_w_structure("EC", der, PrivateKeyInfo, ec, yes), DECODER_w_structure("EC", der, SubjectPublicKeyInfo, ec, yes), DECODER_w_structure("EC", der, type_specific_no_pub, ec, yes), DECODER_w_structure("EC", der, EC, ec, yes), +# ifndef OPENSSL_NO_ECX DECODER_w_structure("ED25519", der, PrivateKeyInfo, ed25519, yes), DECODER_w_structure("ED25519", der, SubjectPublicKeyInfo, ed25519, yes), DECODER_w_structure("ED448", der, PrivateKeyInfo, ed448, yes), @@ -66,6 +67,7 @@ DECODER_w_structure("X25519", der, PrivateKeyInfo, x25519, yes), DECODER_w_structure("X25519", der, SubjectPublicKeyInfo, x25519, yes), DECODER_w_structure("X448", der, PrivateKeyInfo, x448, yes), DECODER_w_structure("X448", der, SubjectPublicKeyInfo, x448, yes), +# endif # ifndef OPENSSL_NO_SM2 DECODER_w_structure("SM2", der, PrivateKeyInfo, sm2, no), DECODER_w_structure("SM2", der, SubjectPublicKeyInfo, sm2, no), diff --git a/providers/defltprov.c b/providers/defltprov.c index 4f8921f80a..8b2ae6bfbf 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c @@ -369,8 +369,10 @@ static const OSSL_ALGORITHM deflt_keyexch[] = { #endif #ifndef OPENSSL_NO_EC { PROV_NAMES_ECDH, "provider=default", ossl_ecdh_keyexch_functions }, +# ifndef OPENSSL_NO_ECX { PROV_NAMES_X25519, "provider=default", ossl_x25519_keyexch_functions }, { PROV_NAMES_X448, "provider=default", ossl_x448_keyexch_functions }, +# endif #endif { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_keyexch_functions }, { PROV_NAMES_HKDF, "provider=default", ossl_kdf_hkdf_keyexch_functions }, @@ -394,8 +396,10 @@ static const OSSL_ALGORITHM deflt_signature[] = { #endif { PROV_NAMES_RSA, "provider=default", ossl_rsa_signature_functions }, #ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX { PROV_NAMES_ED25519, "provider=default", ossl_ed25519_signature_functions }, { PROV_NAMES_ED448, "provider=default", ossl_ed448_signature_functions }, +# endif { PROV_NAMES_ECDSA, "provider=default", ossl_ecdsa_signature_functions }, # ifndef OPENSSL_NO_SM2 { PROV_NAMES_SM2, "provider=default", ossl_sm2_signature_functions }, @@ -425,8 +429,10 @@ static const OSSL_ALGORITHM deflt_asym_cipher[] = { static const OSSL_ALGORITHM deflt_asym_kem[] = { { PROV_NAMES_RSA, "provider=default", ossl_rsa_asym_kem_functions }, #ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX { PROV_NAMES_X25519, "provider=default", ossl_ecx_asym_kem_functions }, { PROV_NAMES_X448, "provider=default", ossl_ecx_asym_kem_functions }, +# endif { PROV_NAMES_EC, "provider=default", ossl_ec_asym_kem_functions }, #endif { NULL, NULL, NULL } @@ -450,6 +456,7 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = { #ifndef OPENSSL_NO_EC { PROV_NAMES_EC, "provider=default", ossl_ec_keymgmt_functions, PROV_DESCS_EC }, +# ifndef OPENSSL_NO_ECX { PROV_NAMES_X25519, "provider=default", ossl_x25519_keymgmt_functions, PROV_DESCS_X25519 }, { PROV_NAMES_X448, "provider=default", ossl_x448_keymgmt_functions, @@ -458,6 +465,7 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = { PROV_DESCS_ED25519 }, { PROV_NAMES_ED448, "provider=default", ossl_ed448_keymgmt_functions, PROV_DESCS_ED448 }, +# endif #endif { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_keymgmt_functions, PROV_DESCS_TLS1_PRF_SIGN }, diff --git a/providers/encoders.inc b/providers/encoders.inc index 95e287c8b9..e36b99957f 100644 --- a/providers/encoders.inc +++ b/providers/encoders.inc @@ -57,10 +57,12 @@ ENCODER_TEXT("DSA", dsa, yes), #endif #ifndef OPENSSL_NO_EC ENCODER_TEXT("EC", ec, yes), +# ifndef OPENSSL_NO_ECX ENCODER_TEXT("ED25519", ed25519, yes), ENCODER_TEXT("ED448", ed448, yes), ENCODER_TEXT("X25519", x25519, yes), ENCODER_TEXT("X448", x448, yes), +# endif # ifndef OPENSSL_NO_SM2 ENCODER_TEXT("SM2", sm2, no), # endif @@ -181,6 +183,7 @@ ENCODER_w_structure("EC", ec, yes, pem, PrivateKeyInfo), ENCODER_w_structure("EC", ec, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("EC", ec, yes, pem, SubjectPublicKeyInfo), +#ifndef OPENSSL_NO_ECX ENCODER_w_structure("X25519", x25519, yes, der, EncryptedPrivateKeyInfo), ENCODER_w_structure("X25519", x25519, yes, pem, EncryptedPrivateKeyInfo), ENCODER_w_structure("X25519", x25519, yes, der, PrivateKeyInfo), @@ -208,6 +211,7 @@ ENCODER_w_structure("ED448", ed448, yes, der, PrivateKeyInfo), ENCODER_w_structure("ED448", ed448, yes, pem, PrivateKeyInfo), ENCODER_w_structure("ED448", ed448, yes, der, SubjectPublicKeyInfo), ENCODER_w_structure("ED448", ed448, yes, pem, SubjectPublicKeyInfo), +# endif # ifndef OPENSSL_NO_SM2 ENCODER_w_structure("SM2", sm2, no, der, EncryptedPrivateKeyInfo), diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index cac97b7bc9..fb64633b7e 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -409,8 +409,10 @@ static const OSSL_ALGORITHM fips_keyexch[] = { #endif #ifndef OPENSSL_NO_EC { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, +# ifndef OPENSSL_NO_ECX { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, +# endif #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_keyexch_functions }, @@ -424,9 +426,11 @@ static const OSSL_ALGORITHM fips_signature[] = { #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, #ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_signature_functions }, { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, +# endif { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, #endif { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, @@ -466,6 +470,7 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { #ifndef OPENSSL_NO_EC { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, PROV_DESCS_EC }, +# ifndef OPENSSL_NO_ECX { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, PROV_DESCS_X25519 }, { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, @@ -474,6 +479,7 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { PROV_DESCS_ED25519 }, { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, PROV_DESCS_ED448 }, +# endif #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, PROV_DESCS_TLS1_PRF_SIGN }, diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index d8231fdbc3..2657760a62 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -417,6 +417,7 @@ static void ec_adjust(void *key, struct der2key_ctx_st *ctx) ossl_ec_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); } +# ifndef OPENSSL_NO_ECX /* * ED25519, ED448, X25519, X448 only implement PKCS#8 and SubjectPublicKeyInfo, * so no d2i functions to be had. @@ -434,45 +435,46 @@ static void ecx_key_adjust(void *key, struct der2key_ctx_st *ctx) ossl_ecx_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx)); } -# define ed25519_evp_type EVP_PKEY_ED25519 -# define ed25519_d2i_private_key NULL -# define ed25519_d2i_public_key NULL -# define ed25519_d2i_key_params NULL -# define ed25519_d2i_PKCS8 ecx_d2i_PKCS8 -# define ed25519_d2i_PUBKEY (d2i_of_void *)ossl_d2i_ED25519_PUBKEY -# define ed25519_free (free_key_fn *)ossl_ecx_key_free -# define ed25519_check NULL -# define ed25519_adjust ecx_key_adjust - -# define ed448_evp_type EVP_PKEY_ED448 -# define ed448_d2i_private_key NULL -# define ed448_d2i_public_key NULL -# define ed448_d2i_key_params NULL -# define ed448_d2i_PKCS8 ecx_d2i_PKCS8 -# define ed448_d2i_PUBKEY (d2i_of_void *)ossl_d2i_ED448_PUBKEY -# define ed448_free (free_key_fn *)ossl_ecx_key_free -# define ed448_check NULL -# define ed448_adjust ecx_key_adjust - -# define x25519_evp_type EVP_PKEY_X25519 -# define x25519_d2i_private_key NULL -# define x25519_d2i_public_key NULL -# define x25519_d2i_key_params NULL -# define x25519_d2i_PKCS8 ecx_d2i_PKCS8 -# define x25519_d2i_PUBKEY (d2i_of_void *)ossl_d2i_X25519_PUBKEY -# define x25519_free (free_key_fn *)ossl_ecx_key_free -# define x25519_check NULL -# define x25519_adjust ecx_key_adjust - -# define x448_evp_type EVP_PKEY_X448 -# define x448_d2i_private_key NULL -# define x448_d2i_public_key NULL -# define x448_d2i_key_params NULL -# define x448_d2i_PKCS8 ecx_d2i_PKCS8 -# define x448_d2i_PUBKEY (d2i_of_void *)ossl_d2i_X448_PUBKEY -# define x448_free (free_key_fn *)ossl_ecx_key_free -# define x448_check NULL -# define x448_adjust ecx_key_adjust +# define ed25519_evp_type EVP_PKEY_ED25519 +# define ed25519_d2i_private_key NULL +# define ed25519_d2i_public_key NULL +# define ed25519_d2i_key_params NULL +# define ed25519_d2i_PKCS8 ecx_d2i_PKCS8 +# define ed25519_d2i_PUBKEY (d2i_of_void *)ossl_d2i_ED25519_PUBKEY +# define ed25519_free (free_key_fn *)ossl_ecx_key_free +# define ed25519_check NULL +# define ed25519_adjust ecx_key_adjust + +# define ed448_evp_type EVP_PKEY_ED448 +# define ed448_d2i_private_key NULL +# define ed448_d2i_public_key NULL +# define ed448_d2i_key_params NULL +# define ed448_d2i_PKCS8 ecx_d2i_PKCS8 +# define ed448_d2i_PUBKEY (d2i_of_void *)ossl_d2i_ED448_PUBKEY +# define ed448_free (free_key_fn *)ossl_ecx_key_free +# define ed448_check NULL +# define ed448_adjust ecx_key_adjust + +# define x25519_evp_type EVP_PKEY_X25519 +# define x25519_d2i_private_key NULL +# define x25519_d2i_public_key NULL +# define x25519_d2i_key_params NULL +# define x25519_d2i_PKCS8 ecx_d2i_PKCS8 +# define x25519_d2i_PUBKEY (d2i_of_void *)ossl_d2i_X25519_PUBKEY +# define x25519_free (free_key_fn *)ossl_ecx_key_free +# define x25519_check NULL +# define x25519_adjust ecx_key_adjust + +# define x448_evp_type EVP_PKEY_X448 +# define x448_d2i_private_key NULL +# define x448_d2i_public_key NULL +# define x448_d2i_key_params NULL +# define x448_d2i_PKCS8 ecx_d2i_PKCS8 +# define x448_d2i_PUBKEY (d2i_of_void *)ossl_d2i_X448_PUBKEY +# define x448_free (free_key_fn *)ossl_ecx_key_free +# define x448_check NULL +# define x448_adjust ecx_key_adjust +# endif /* OPENSSL_NO_ECX */ # ifndef OPENSSL_NO_SM2 # define sm2_evp_type EVP_PKEY_SM2 @@ -773,6 +775,7 @@ MAKE_DECODER("EC", ec, ec, PrivateKeyInfo); MAKE_DECODER("EC", ec, ec, SubjectPublicKeyInfo); MAKE_DECODER("EC", ec, ec, type_specific_no_pub); MAKE_DECODER("EC", ec, ec, EC); +# ifndef OPENSSL_NO_ECX MAKE_DECODER("X25519", x25519, ecx, PrivateKeyInfo); MAKE_DECODER("X25519", x25519, ecx, SubjectPublicKeyInfo); MAKE_DECODER("X448", x448, ecx, PrivateKeyInfo); @@ -781,6 +784,7 @@ MAKE_DECODER("ED25519", ed25519, ecx, PrivateKeyInfo); MAKE_DECODER("ED25519", ed25519, ecx, SubjectPublicKeyInfo); MAKE_DECODER("ED448", ed448, ecx, PrivateKeyInfo); MAKE_DECODER("ED448", ed448, ecx, SubjectPublicKeyInfo); +# endif # ifndef OPENSSL_NO_SM2 MAKE_DECODER("SM2", sm2, ec, PrivateKeyInfo); MAKE_DECODER("SM2", sm2, ec, SubjectPublicKeyInfo); diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index 55b2b56766..df0b0fd608 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -748,7 +748,7 @@ static int ec_pki_priv_to_der(const void *veckey, unsigned char **pder) /* ---------------------------------------------------------------------- */ -#ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECX # define prepare_ecx_params NULL static int ecx_spki_pub_to_der(const void *vecxkey, unsigned char **pder) @@ -1391,6 +1391,7 @@ MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, PrivateKeyInfo, pem); MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, der); MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, pem); # endif +# ifndef OPENSSL_NO_ECX MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, EncryptedPrivateKeyInfo, der); MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, EncryptedPrivateKeyInfo, pem); MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, PrivateKeyInfo, der); @@ -1415,6 +1416,7 @@ MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, PrivateKeyInfo, der); MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, PrivateKeyInfo, pem); MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, SubjectPublicKeyInfo, der); MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, SubjectPublicKeyInfo, pem); +# endif #endif /* diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c index ff4de1926f..1692c1da64 100644 --- a/providers/implementations/encode_decode/encode_key2text.c +++ b/providers/implementations/encode_decode/encode_key2text.c @@ -566,7 +566,7 @@ err: /* ---------------------------------------------------------------------- */ -#ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECX static int ecx_to_text(BIO *out, const void *key, int selection) { const ECX_KEY *ecx = key; @@ -882,10 +882,12 @@ MAKE_TEXT_ENCODER(ec, ec); # ifndef OPENSSL_NO_SM2 MAKE_TEXT_ENCODER(sm2, ec); # endif +# ifndef OPENSSL_NO_ECX MAKE_TEXT_ENCODER(ed25519, ecx); MAKE_TEXT_ENCODER(ed448, ecx); MAKE_TEXT_ENCODER(x25519, ecx); MAKE_TEXT_ENCODER(x448, ecx); +# endif #endif MAKE_TEXT_ENCODER(rsa, rsa); MAKE_TEXT_ENCODER(rsapss, rsa); diff --git a/providers/implementations/exchange/build.info b/providers/implementations/exchange/build.info index 3c1e5c58f1..0333c9f49c 100644 --- a/providers/implementations/exchange/build.info +++ b/providers/implementations/exchange/build.info @@ -21,8 +21,10 @@ IF[{- !$disabled{asm} -}] ENDIF IF[{- !$disabled{ec} -}] - SOURCE[$ECX_GOAL]=ecx_exch.c - DEFINE[$ECX_GOAL]=$ECDEF + IF[{- !$disabled{ecx} -}] + SOURCE[$ECX_GOAL]=ecx_exch.c + DEFINE[$ECX_GOAL]=$ECDEF + ENDIF SOURCE[$ECDH_GOAL]=ecdh_exch.c ENDIF diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 804763159a..2c3c54155f 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -300,10 +300,12 @@ extern const OSSL_DISPATCH ossl_dhx_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_dsa_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_rsa_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_rsapss_keymgmt_functions[]; +#ifndef OPENSSL_NO_ECX extern const OSSL_DISPATCH ossl_x25519_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_x448_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_ed25519_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_ed448_keymgmt_functions[]; +#endif extern const OSSL_DISPATCH ossl_ec_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_kdf_keymgmt_functions[]; extern const OSSL_DISPATCH ossl_mac_legacy_keymgmt_functions[]; diff --git a/providers/implementations/kem/build.info b/providers/implementations/kem/build.info index 6addb9b2c7..d6a6698da1 100644 --- a/providers/implementations/kem/build.info +++ b/providers/implementations/kem/build.info @@ -7,5 +7,8 @@ $EC_KEM_GOAL=../../libdefault.a SOURCE[$RSA_KEM_GOAL]=rsa_kem.c IF[{- !$disabled{ec} -}] - SOURCE[$EC_KEM_GOAL]=ecx_kem.c kem_util.c ec_kem.c + SOURCE[$EC_KEM_GOAL]=kem_util.c ec_kem.c + IF[{- !$disabled{ecx} -}] + SOURCE[$EC_KEM_GOAL]=ecx_kem.c + ENDIF ENDIF diff --git a/providers/implementations/keymgmt/build.info b/providers/implementations/keymgmt/build.info index 0d86907aed..6fb506b5a9 100644 --- a/providers/implementations/keymgmt/build.info +++ b/providers/implementations/keymgmt/build.info @@ -30,8 +30,10 @@ IF[{- !$disabled{asm} -}] ENDIF IF[{- !$disabled{ec} -}] - SOURCE[$ECX_GOAL]=ecx_kmgmt.c - DEFINE[$ECX_GOAL]=$ECDEF + IF[{- !$disabled{ecx} -}] + SOURCE[$ECX_GOAL]=ecx_kmgmt.c + DEFINE[$ECX_GOAL]=$ECDEF + ENDIF ENDIF SOURCE[$RSA_GOAL]=rsa_kmgmt.c diff --git a/providers/implementations/signature/build.info b/providers/implementations/signature/build.info index fd3be7f3b9..6987a12250 100644 --- a/providers/implementations/signature/build.info +++ b/providers/implementations/signature/build.info @@ -12,7 +12,10 @@ IF[{- !$disabled{dsa} -}] ENDIF IF[{- !$disabled{ec} -}] - SOURCE[$EC_GOAL]=eddsa_sig.c ecdsa_sig.c + SOURCE[$EC_GOAL]=ecdsa_sig.c + IF[{- !$disabled{ecx} -}] + SOURCE[$EC_GOAL]=eddsa_sig.c + ENDIF ENDIF IF[{- !$disabled{sm2} -}] diff --git a/test/build.info b/test/build.info index 13f81226ba..b02b8de817 100644 --- a/test/build.info +++ b/test/build.info @@ -738,8 +738,10 @@ IF[{- !$disabled{tests} -}] PROGRAMS{noinst}=sm4_internal_test ENDIF IF[{- !$disabled{ec} -}] - PROGRAMS{noinst}=ectest ec_internal_test curve448_internal_test \ - evp_pkey_dhkem_test + PROGRAMS{noinst}=ectest ec_internal_test evp_pkey_dhkem_test + ENDIF + IF[{- !$disabled{ecx} -}] + PROGRAMS{noinst}=curve448_internal_test ENDIF IF[{- !$disabled{cmac} -}] PROGRAMS{noinst}=cmactest @@ -885,9 +887,11 @@ IF[{- !$disabled{tests} -}] INCLUDE[ec_internal_test]=../include ../crypto/ec ../apps/include DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a - SOURCE[curve448_internal_test]=curve448_internal_test.c - INCLUDE[curve448_internal_test]=.. ../include ../apps/include ../crypto/ec/curve448 - DEPEND[curve448_internal_test]=../libcrypto.a libtestutil.a + IF[{- !$disabled{ecx} -}] + SOURCE[curve448_internal_test]=curve448_internal_test.c + INCLUDE[curve448_internal_test]=.. ../include ../apps/include ../crypto/ec/curve448 + DEPEND[curve448_internal_test]=../libcrypto.a libtestutil.a + ENDIF SOURCE[rc4test]=rc4test.c INCLUDE[rc4test]=../include ../apps/include diff --git a/test/dhkem_test.inc b/test/dhkem_test.inc index 51eb9dc4cd..b9562c8879 100644 --- a/test/dhkem_test.inc +++ b/test/dhkem_test.inc @@ -47,13 +47,16 @@ static const char *dhkem_supported_curves[] = { "P-256", "P-384", "P-521", +#ifndef OPENSSL_NO_ECX "X25519", - "X448" + "X448", +#endif }; /* TEST vectors extracted from RFC 9180 */ /* Base test values */ +#ifndef OPENSSL_NO_ECX static const unsigned char x25519_ikme[] = { 0x72, 0x68, 0x60, 0x0d, 0x40, 0x3f, 0xce, 0x43, 0x15, 0x61, 0xae, 0xf5, 0x83, 0xee, 0x16, 0x13, @@ -139,6 +142,7 @@ static const unsigned char x25519_auth_expected_secret[] = { 0xe4, 0x4e, 0x2b, 0xeb, 0xc8, 0x1f, 0x84, 0x60, 0x86, 0x77, 0x95, 0x8c, 0x0d, 0x44, 0x48, 0xa7 }; +#endif static const unsigned char p256_ikme[] = { 0x42, 0x70, 0xe5, 0x4f, 0xfd, 0x08, 0xd7, 0x9d, @@ -451,6 +455,7 @@ static const TEST_ENCAPDATA ec_encapdata[] = { p256_expected_enc, sizeof(p256_expected_enc), p256_expected_secret, sizeof(p256_expected_secret), }, +#ifndef OPENSSL_NO_ECX { "X25519", x25519_ikme, sizeof(x25519_ikme), @@ -459,6 +464,7 @@ static const TEST_ENCAPDATA ec_encapdata[] = { x25519_expected_enc, sizeof(x25519_expected_enc), x25519_expected_secret, sizeof(x25519_expected_secret), }, +#endif { "P-521", p521_ikme, sizeof(p521_ikme), @@ -477,6 +483,7 @@ static const TEST_ENCAPDATA ec_encapdata[] = { p521_auth_ikms_pub, sizeof(p521_auth_ikms_pub), p521_auth_ikms_priv, sizeof(p521_auth_ikms_priv) }, +#ifndef OPENSSL_NO_ECX { "X25519", x25519_auth_ikme, sizeof(x25519_auth_ikme), @@ -487,9 +494,11 @@ static const TEST_ENCAPDATA ec_encapdata[] = { x25519_auth_spub, sizeof(x25519_auth_spub), x25519_auth_spriv, sizeof(x25519_auth_spriv) } +#endif }; /* Test vector from https://github.com/cfrg/draft-irtf-cfrg-hpke */ +#ifndef OPENSSL_NO_ECX static const unsigned char x448_ikmr[] = { 0xd4, 0x5d, 0x16, 0x52, 0xdf, 0x74, 0x92, 0x0a, 0xbf, 0x94, 0xa2, 0x88, 0x3c, 0x83, 0x05, 0x0f, @@ -532,6 +541,7 @@ static const TEST_DERIVEKEY_DATA ecx_derivekey_data[] = { x448_ikmr_priv, sizeof(x448_ikmr_priv) }, }; +#endif /* * Helper function to create a EC or ECX private key from bytes. diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 72a6305d89..0b61d5c9e8 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -398,6 +398,7 @@ static const unsigned char pExampleECParamDER[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; +# ifndef OPENSSL_NO_ECX static const unsigned char kExampleED25519KeyDER[] = { 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20, 0xba, 0x7b, 0xba, 0x20, 0x1b, 0x02, 0x75, 0x3a, @@ -419,6 +420,7 @@ static const unsigned char kExampleX25519KeyDER[] = { 0x7b, 0x96, 0x0b, 0xd4, 0x8f, 0xd1, 0xee, 0x67, 0xf2, 0x9b, 0x88, 0xac, 0x50, 0xce, 0x97, 0x36, 0xdd, 0xaf, 0x25, 0xf6, 0x10, 0x34, 0x96, 0x6e }; +# endif # endif #endif @@ -577,10 +579,12 @@ static APK_DATA keycheckdata[] = { 1, 1}, {pExampleECParamDER, sizeof(pExampleECParamDER), "EC", EVP_PKEY_EC, 0, 0, 1, 2}, +# ifndef OPENSSL_NO_ECX {kExampleED25519KeyDER, sizeof(kExampleED25519KeyDER), "ED25519", EVP_PKEY_ED25519, 1, 1, 1, 0}, {kExampleED25519PubKeyDER, sizeof(kExampleED25519PubKeyDER), "ED25519", EVP_PKEY_ED25519, 0, 1, 1, 1}, +# endif #endif }; @@ -630,7 +634,7 @@ static EVP_PKEY *load_example_dh_key(void) } # endif -# ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX static EVP_PKEY *load_example_ed25519_key(void) { return load_example_key("ED25519", kExampleED25519KeyDER, @@ -2261,7 +2265,7 @@ static struct keys_st { EVP_PKEY_SIPHASH, "0123456789012345", NULL #endif }, -#ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECX { EVP_PKEY_X25519, "01234567890123456789012345678901", "abcdefghijklmnopqrstuvwxyzabcdef" @@ -4304,7 +4308,7 @@ static int test_custom_pmeth(int idx) # endif case 3: case 9: -# ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX id = EVP_PKEY_ED25519; md = NULL; pkey = load_example_ed25519_key(); @@ -4324,7 +4328,7 @@ static int test_custom_pmeth(int idx) # endif case 5: case 11: -# ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX id = EVP_PKEY_X25519; doderive = 1; pkey = load_example_x25519_key(); @@ -4648,6 +4652,11 @@ static int test_signatures_with_engine(int tst) if (tst <= 1) return 1; # endif +# ifdef OPENSSL_NO_ECX + /* Skip ECX tests in a no-ecx build */ + if (tst == 2) + return 1; +# endif if (!TEST_ptr(e = ENGINE_by_id(engine_id))) return 0; @@ -4761,6 +4770,7 @@ static int test_cipher_with_engine(void) # endif /* OPENSSL_NO_DYNAMIC_ENGINE */ #endif /* OPENSSL_NO_DEPRECATED_3_0 */ +#ifndef OPENSSL_NO_ECX static int ecxnids[] = { NID_X25519, NID_X448, @@ -4784,6 +4794,7 @@ static int test_ecx_short_keys(int tst) return 1; } +#endif typedef enum OPTION_choice { OPT_ERR = -1, @@ -4802,7 +4813,7 @@ const OPTIONS *test_get_options(void) return options; } -#ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECX /* Test that trying to sign with a public key errors out gracefully */ static int test_ecx_not_private_key(int tst) { @@ -4867,7 +4878,7 @@ static int test_ecx_not_private_key(int tst) return testresult; } -#endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_ECX */ static int test_sign_continuation(void) { @@ -5065,9 +5076,8 @@ int setup_tests(void) # endif #endif +#ifndef OPENSSL_NO_ECX ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids)); - -#ifndef OPENSSL_NO_EC ADD_ALL_TESTS(test_ecx_not_private_key, OSSL_NELEM(keys)); #endif diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c index b37ed8e105..db33ead3ee 100644 --- a/test/evp_extra_test2.c +++ b/test/evp_extra_test2.c @@ -231,12 +231,14 @@ static const unsigned char kExampleECKey2DER[] = { 0x96, 0x69, 0xE0, 0x04, 0xCB, 0x89, 0x0B, 0x42 }; +# ifndef OPENSSL_NO_ECX static const unsigned char kExampleECXKey2DER[] = { 0x30, 0x2E, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e, 0x04, 0x22, 0x04, 0x20, 0xc8, 0xa9, 0xd5, 0xa9, 0x10, 0x91, 0xad, 0x85, 0x1c, 0x66, 0x8b, 0x07, 0x36, 0xc1, 0xc9, 0xa0, 0x29, 0x36, 0xc0, 0xd3, 0xad, 0x62, 0x67, 0x08, 0x58, 0x08, 0x80, 0x47, 0xba, 0x05, 0x74, 0x75 }; +# endif #endif typedef struct APK_DATA_st { @@ -249,7 +251,9 @@ static APK_DATA keydata[] = { {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), EVP_PKEY_RSA}, {kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), EVP_PKEY_RSA}, #ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX {kExampleECXKey2DER, sizeof(kExampleECXKey2DER), EVP_PKEY_X25519}, +# endif {kExampleECKeyDER, sizeof(kExampleECKeyDER), EVP_PKEY_EC}, {kExampleECKey2DER, sizeof(kExampleECKey2DER), EVP_PKEY_EC}, #endif @@ -487,6 +491,7 @@ static int test_ec_tofrom_data_select(void) return ret; } +# ifndef OPENSSL_NO_ECX static int test_ecx_tofrom_data_select(void) { int ret; @@ -497,6 +502,7 @@ static int test_ecx_tofrom_data_select(void) EVP_PKEY_free(key); return ret; } +# endif #endif #ifndef OPENSSL_NO_SM2 @@ -1333,7 +1339,9 @@ int setup_tests(void) #ifndef OPENSSL_NO_EC ADD_ALL_TESTS(test_d2i_PrivateKey_ex, 2); ADD_TEST(test_ec_tofrom_data_select); +# ifndef OPENSSL_NO_ECX ADD_TEST(test_ecx_tofrom_data_select); +# endif ADD_TEST(test_ec_d2i_i2d_pubkey); #else ADD_ALL_TESTS(test_d2i_PrivateKey_ex, 1); diff --git a/test/evp_pkey_dhkem_test.c b/test/evp_pkey_dhkem_test.c index 95fcf8fa5f..a99b6b913b 100644 --- a/test/evp_pkey_dhkem_test.c +++ b/test/evp_pkey_dhkem_test.c @@ -699,6 +699,7 @@ static int test_ec_invalid_decap_enc_buffer(void) enc, t->expected_enclen), 0); } +#ifndef OPENSSL_NO_ECX /* ECX specific tests */ /* Perform ECX DHKEM KATs */ @@ -780,6 +781,7 @@ static int test_ed_curve_unsupported(void) EVP_PKEY_CTX_free(ctx); return ret; } +#endif int setup_tests(void) { @@ -797,20 +799,25 @@ int setup_tests(void) if (!TEST_ptr(rkey[TEST_KEYTYPE_P256] = EVP_PKEY_Q_keygen(libctx, NULL, "EC", "P-256"))) goto err; +#ifndef OPENSSL_NO_ECX if (!TEST_ptr(rkey[TEST_KEYTYPE_X25519] = EVP_PKEY_Q_keygen(libctx, NULL, "X25519"))) goto err; +#endif if (!TEST_ptr(rctx[TEST_KEYTYPE_P256] = EVP_PKEY_CTX_new_from_pkey(libctx, rkey[TEST_KEYTYPE_P256], NULL))) goto err; +#ifndef OPENSSL_NO_ECX if (!TEST_ptr(rctx[TEST_KEYTYPE_X25519] = EVP_PKEY_CTX_new_from_pkey(libctx, rkey[TEST_KEYTYPE_X25519], NULL))) goto err; +#endif ADD_ALL_TESTS(test_dhkem_encapsulate, OSSL_NELEM(ec_encapdata)); ADD_ALL_TESTS(test_dhkem_decapsulate, OSSL_NELEM(ec_encapdata)); +#ifndef OPENSSL_NO_ECX ADD_ALL_TESTS(test_settables, TEST_KEYTYPES_P256_X25519); ADD_ALL_TESTS(test_init_multiple, TEST_KEYTYPES_P256_X25519); @@ -824,7 +831,21 @@ int setup_tests(void) TEST_KEM_ENCAP_DECAP * TEST_KEYTYPES_P256_X25519); ADD_ALL_TESTS(test_noauthpublic, TEST_KEM_ENCAP_DECAP * TEST_KEYTYPES_P256_X25519); - +#else + ADD_ALL_TESTS(test_settables, TEST_KEYTYPE_P256); + ADD_ALL_TESTS(test_init_multiple, TEST_KEYTYPE_P256); + + ADD_ALL_TESTS(test_auth_key_type_mismatch, TEST_KEYTYPE_P256); + ADD_ALL_TESTS(test_no_operation_set, TEST_KEYTYPE_P256); + ADD_ALL_TESTS(test_ikm_small, TEST_KEYTYPE_P256); + ADD_ALL_TESTS(test_input_size_small, TEST_KEYTYPE_P256); + ADD_ALL_TESTS(test_null_params, TEST_KEYTYPE_P256); + ADD_ALL_TESTS(test_set_params, TEST_KEYTYPE_P256); + ADD_ALL_TESTS(test_nopublic, + TEST_KEM_ENCAP_DECAP * TEST_KEYTYPE_P256); + ADD_ALL_TESTS(test_noauthpublic, + TEST_KEM_ENCAP_DECAP * TEST_KEYTYPE_P256); +#endif /* EC Specific tests */ ADD_ALL_TESTS(test_ec_dhkem_derivekey, OSSL_NELEM(ec_derivekey_data)); ADD_ALL_TESTS(test_ec_noikme, @@ -840,9 +861,11 @@ int setup_tests(void) ADD_ALL_TESTS(test_ec_badauth, TEST_KEM_ENCAP_DECAP); /* ECX specific tests */ +#ifndef OPENSSL_NO_ECX ADD_ALL_TESTS(test_ecx_dhkem_derivekey, OSSL_NELEM(ecx_derivekey_data)); ADD_TEST(test_ecx_auth_key_curve_mismatch); ADD_TEST(test_ed_curve_unsupported); +#endif return 1; err: return 0; diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index 3f490954ab..47363e0bfd 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -322,7 +322,7 @@ static int test_print_key_using_encoder(const char *alg, const EVP_PKEY *pk) return ret; } -#ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECX static int test_print_key_using_encoder_public(const char *alg, const EVP_PKEY *pk) { @@ -888,6 +888,7 @@ err: #ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX /* Array indexes used in test_fromdata_ecx */ # define PRIV_KEY 0 # define PUB_KEY 1 @@ -1156,6 +1157,7 @@ err: return ret; } +# endif /* OPENSSL_NO_ECX */ static int test_fromdata_ec(void) { @@ -1772,7 +1774,9 @@ int setup_tests(void) ADD_TEST(test_fromdata_dsa_fips186_4); #endif #ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_ECX ADD_ALL_TESTS(test_fromdata_ecx, 4 * 3); +# endif ADD_TEST(test_fromdata_ec); ADD_TEST(test_ec_dup_no_operation); ADD_TEST(test_ec_dup_keygen_operation); diff --git a/test/hpke_test.c b/test/hpke_test.c index 1b0bc23082..891560d2dc 100644 --- a/test/hpke_test.c +++ b/test/hpke_test.c @@ -259,6 +259,7 @@ static const unsigned char ksinfo[] = { 0x20, 0x47, 0x72, 0x65, 0x63, 0x69, 0x61, 0x6e, 0x20, 0x55, 0x72, 0x6e }; +#ifndef OPENSSL_NO_ECX /* * static const char *pskid = "Ennyn Durin aran Moria"; */ @@ -544,6 +545,7 @@ static int x25519kdfsha256_hkdfsha256_aes128gcm_base_test(void) return do_testhpke(&basedata, aeaddata, OSSL_NELEM(aeaddata), exportdata, OSSL_NELEM(exportdata)); } +#endif static const unsigned char third_ikme[] = { 0x42, 0x70, 0xe5, 0x4f, 0xfd, 0x08, 0xd7, 0x9d, @@ -681,6 +683,7 @@ static int P256kdfsha256_hkdfsha256_aes128gcm_base_test(void) exportdata, OSSL_NELEM(exportdata)); } +#ifndef OPENSSL_NO_ECX static const unsigned char fourth_ikme[] = { 0x55, 0xbc, 0x24, 0x5e, 0xe4, 0xef, 0xda, 0x25, 0xd3, 0x8f, 0x2d, 0x54, 0xd5, 0xbb, 0x66, 0x65, @@ -771,6 +774,7 @@ static int export_only_test(void) return do_testhpke(&basedata, NULL, 0, exportdata, OSSL_NELEM(exportdata)); } +#endif /* * Randomly toss a coin @@ -788,8 +792,10 @@ static uint16_t hpke_kem_list[] = { OSSL_HPKE_KEM_ID_P256, OSSL_HPKE_KEM_ID_P384, OSSL_HPKE_KEM_ID_P521, +#ifndef OPENSSL_NO_ECX OSSL_HPKE_KEM_ID_X25519, OSSL_HPKE_KEM_ID_X448 +#endif }; static uint16_t hpke_kdf_list[] = { OSSL_HPKE_KDF_ID_HKDF_SHA256, @@ -817,9 +823,15 @@ static const char *mode_str_list[] = { "base", "psk", "auth", "pskauth" }; static const char *kem_str_list[] = { +#ifndef OPENSSL_NO_ECX "P-256", "P-384", "P-521", "x25519", "x448", "0x10", "0x11", "0x12", "0x20", "0x21", "16", "17", "18", "32", "33" +#else + "P-256", "P-384", "P-521", + "0x10", "0x11", "0x12", + "16", "17", "18" +#endif }; static const char *kdf_str_list[] = { "hkdf-sha256", "hkdf-sha384", "hkdf-sha512", @@ -1532,6 +1544,7 @@ end: return erv; } +#ifndef OPENSSL_NO_ECX /* from RFC 9180 Appendix A.1.1 */ static const unsigned char ikm25519[] = { 0x72, 0x68, 0x60, 0x0d, 0x40, 0x3f, 0xce, 0x43, @@ -1545,6 +1558,7 @@ static const unsigned char pub25519[] = { 0x1d, 0x12, 0x53, 0xb6, 0xd4, 0xea, 0x6d, 0x44, 0xc1, 0x50, 0xf7, 0x41, 0xf1, 0xbf, 0x44, 0x31 }; +#endif /* from RFC9180 Appendix A.3.1 */ static const unsigned char ikmp256[] = { @@ -1736,11 +1750,13 @@ static int test_hpke_ikms(void) { int res = 1; +#ifndef OPENSSL_NO_ECX res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_X25519, ikm25519, sizeof(ikm25519), pub25519, sizeof(pub25519)); if (res != 1) return res; +#endif res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_P521, ikmp521, sizeof(ikmp521), @@ -1957,10 +1973,12 @@ int setup_tests(void) if (!test_get_libctx(&testctx, &nullprov, NULL, &deflprov, "default")) return 0; +#ifndef OPENSSL_NO_ECX + ADD_TEST(export_only_test); ADD_TEST(x25519kdfsha256_hkdfsha256_aes128gcm_base_test); ADD_TEST(x25519kdfsha256_hkdfsha256_aes128gcm_psk_test); +#endif ADD_TEST(P256kdfsha256_hkdfsha256_aes128gcm_base_test); - ADD_TEST(export_only_test); ADD_TEST(test_hpke_export); ADD_TEST(test_hpke_modes_suites); ADD_TEST(test_hpke_suite_strs); diff --git a/test/recipes/03-test_internal_curve448.t b/test/recipes/03-test_internal_curve448.t index 01ca5ad38c..a67a419a2c 100644 --- a/test/recipes/03-test_internal_curve448.t +++ b/test/recipes/03-test_internal_curve448.t @@ -13,7 +13,7 @@ use OpenSSL::Test::Utils; setup("test_internal_curve448"); -plan skip_all => "This test is unsupported in a no-ec build" - if disabled("ec"); +plan skip_all => "This test is unsupported in a no-ecx build" + if disabled("ecx"); simple_test("test_internal_curve448", "curve448_internal_test"); diff --git a/test/recipes/06-test_algorithmid.t b/test/recipes/06-test_algorithmid.t index 8b98efe909..0a8fe44ed6 100644 --- a/test/recipes/06-test_algorithmid.t +++ b/test/recipes/06-test_algorithmid.t @@ -41,7 +41,8 @@ my @pubkeys = ( 'testrsapub', disabled('dsa') ? () : 'testdsapub', - disabled('ec') ? () : qw(testecpub-p256 tested25519pub tested448pub) + disabled('ec') ? () : qw(testecpub-p256), + disabled('ecx') ? () : qw(tested25519pub tested448pub) ); my @certs = sort keys %certs_info; diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t index 354c360362..a7a7caadd3 100644 --- a/test/recipes/15-test_ec.t +++ b/test/recipes/15-test_ec.t @@ -59,34 +59,38 @@ subtest 'PKEY conversions -- public key' => sub { -args => [ "pkey", "-pubin", "-pubout" ] ); }; -subtest 'Ed25519 conversions -- private key' => sub { - tconversion( -type => "pkey", -prefix => "ed25519-pkey-priv", - -in => srctop_file("test", "tested25519.pem") ); -}; -subtest 'Ed25519 conversions -- private key PKCS#8' => sub { - tconversion( -type => "pkey", -prefix => "ed25519-pkey-pkcs8", - -in => srctop_file("test", "tested25519.pem"), - -args => ["pkey"] ); -}; -subtest 'Ed25519 conversions -- public key' => sub { - tconversion( -type => "pkey", -prefix => "ed25519-pkey-pub", - -in => srctop_file("test", "tested25519pub.pem"), - -args => ["pkey", "-pubin", "-pubout"] ); -}; -subtest 'Ed448 conversions -- private key' => sub { - tconversion( -type => "pkey", -prefix => "ed448-pkey-priv", - -in => srctop_file("test", "tested448.pem") ); -}; -subtest 'Ed448 conversions -- private key PKCS#8' => sub { - tconversion( -type => "pkey", -prefix => "ed448-pkey-pkcs8", - -in => srctop_file("test", "tested448.pem"), - -args => ["pkey"] ); -}; -subtest 'Ed448 conversions -- public key' => sub { - tconversion( -type => "pkey", -prefix => "ed448-pkey-pub", - -in => srctop_file("test", "tested448pub.pem"), - -args => ["pkey", "-pubin", "-pubout"] ); -}; +SKIP: { + skip "ECX is not supported by this OpenSSL build", 6 + if disabled("ecx"); + subtest 'Ed25519 conversions -- private key' => sub { + tconversion( -type => "pkey", -prefix => "ed25519-pkey-priv", + -in => srctop_file("test", "tested25519.pem") ); + }; + subtest 'Ed25519 conversions -- private key PKCS#8' => sub { + tconversion( -type => "pkey", -prefix => "ed25519-pkey-pkcs8", + -in => srctop_file("test", "tested25519.pem"), + -args => ["pkey"] ); + }; + subtest 'Ed25519 conversions -- public key' => sub { + tconversion( -type => "pkey", -prefix => "ed25519-pkey-pub", + -in => srctop_file("test", "tested25519pub.pem"), + -args => ["pkey", "-pubin", "-pubout"] ); + }; + subtest 'Ed448 conversions -- private key' => sub { + tconversion( -type => "pkey", -prefix => "ed448-pkey-priv", + -in => srctop_file("test", "tested448.pem") ); + }; + subtest 'Ed448 conversions -- private key PKCS#8' => sub { + tconversion( -type => "pkey", -prefix => "ed448-pkey-pkcs8", + -in => srctop_file("test", "tested448.pem"), + -args => ["pkey"] ); + }; + subtest 'Ed448 conversions -- public key' => sub { + tconversion( -type => "pkey", -prefix => "ed448-pkey-pub", + -in => srctop_file("test", "tested448pub.pem"), + -args => ["pkey", "-pubin", "-pubout"] ); + }; +} subtest 'Check loading of fips and non-fips keys' => sub { plan skip_all => "FIPS is disabled" diff --git a/test/recipes/15-test_genpkey.t b/test/recipes/15-test_genpkey.t index 6df2df5855..866d6e977e 100644 --- a/test/recipes/15-test_genpkey.t +++ b/test/recipes/15-test_genpkey.t @@ -18,7 +18,8 @@ my @algs = (); push @algs, qw(RSA) unless disabled("rsa"); push @algs, qw(DSA) unless disabled("dsa"); push @algs, qw(DH DHX) unless disabled("dh"); -push @algs, qw(EC X25519 X448) unless disabled("ec"); +push @algs, qw(EC) unless disabled("ec"); +push @algs, qw(X25519 X448) unless disabled("ecx"); push @algs, qw(SM2) unless disabled("sm2"); plan tests => scalar(@algs); diff --git a/test/recipes/20-test_dgst.t b/test/recipes/20-test_dgst.t index 96744b3741..cf5e20d223 100644 --- a/test/recipes/20-test_dgst.t +++ b/test/recipes/20-test_dgst.t @@ -129,7 +129,7 @@ SKIP: { SKIP: { skip "EdDSA is not supported by this OpenSSL build", 2 - if disabled("ec"); + if disabled("ecx"); skip "EdDSA is not supported with `dgst` CLI", 2; diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t index 5492baa551..6dacdd295a 100644 --- a/test/recipes/20-test_pkeyutl.t +++ b/test/recipes/20-test_pkeyutl.t @@ -41,8 +41,8 @@ SKIP: { } SKIP: { - skip "Skipping tests that require EC", 4 - if disabled("ec"); + skip "Skipping tests that require ECX", 4 + if disabled("ecx"); # Ed25519 ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in', @@ -171,7 +171,7 @@ SKIP: { SKIP: { skip "EdDSA is not supported by this OpenSSL build", 2 - if disabled("ec"); + if disabled("ecx"); subtest "Ed2559 CLI signature generation and verification" => sub { tsignverify("Ed25519", diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 1487fa70be..c65c21d317 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -264,7 +264,7 @@ subtest "generating certificate requests with Ed25519" => sub { SKIP: { skip "Ed25519 is not supported by this OpenSSL build", 2 - if disabled("ec"); + if disabled("ecx"); ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), @@ -284,7 +284,7 @@ subtest "generating certificate requests with Ed448" => sub { SKIP: { skip "Ed448 is not supported by this OpenSSL build", 2 - if disabled("ec"); + if disabled("ecx"); ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 58f9de410f..7d3d758ac7 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -495,7 +495,7 @@ ok(verify("ee-ss-with-keyCertSign", "", ["ee-ss-with-keyCertSign"], []), SKIP: { skip "Ed25519 is not supported by this OpenSSL build", 6 - if disabled("ec"); + if disabled("ecx"); # ED25519 certificate from draft-ietf-curdle-pkix-04 ok(verify("ee-ed25519", "", ["root-ed25519"], []), diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index d262dbfd05..a745e729ea 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -26,6 +26,7 @@ my $no_des = disabled("des"); my $no_dh = disabled("dh"); my $no_dsa = disabled("dsa"); my $no_ec = disabled("ec"); +my $no_ecx = disabled("ecx"); my $no_ec2m = disabled("ec2m"); my $no_sm2 = disabled("sm2"); my $no_siv = disabled("siv"); @@ -73,7 +74,10 @@ push @files, qw( evpmac_cmac_des.txt ) unless $no_des; push @files, qw(evppkey_dsa.txt) unless $no_dsa; -push @files, qw(evppkey_ecx.txt) unless $no_ec; +push @files, qw( + evppkey_ecx.txt + evppkey_mismatch_ecx.txt + ) unless $no_ecx; push @files, qw( evppkey_ecc.txt evppkey_ecdh.txt diff --git a/test/recipes/30-test_evp_data/evppkey_mismatch.txt b/test/recipes/30-test_evp_data/evppkey_mismatch.txt index ebbd4d4b39..10d8db3427 100644 --- a/test/recipes/30-test_evp_data/evppkey_mismatch.txt +++ b/test/recipes/30-test_evp_data/evppkey_mismatch.txt @@ -14,17 +14,6 @@ # Public / Private keys from other tests used for keypair testing. -PrivateKey=Alice-25519 ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VuBCIEIHcHbQpzGKV9PBbBclGyZkXfTC+H68CZKrF3+6UduSwq ------END PRIVATE KEY----- - -PrivateKey=Alice-448 ------BEGIN PRIVATE KEY----- -MEYCAQAwBQYDK2VvBDoEOJqPSSXRUZ9Xdc9GsEtYANTunui66LxVZdSYwo3Zybr1 -dKlBl0SJc5EAY4Km8SerHZrC2MClmHJr ------END PRIVATE KEY----- - PublicKey=P-256-PUBLIC -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUPQpznDyFsJSz14GLOH2Oc1dFl @@ -69,17 +58,8 @@ fMkTd7GabVourqIZdgvu1Q== Title = Test keypair mismatches -PrivPubKeyPair = Alice-25519:P-256-PUBLIC -Result = KEYPAIR_TYPE_MISMATCH - -PrivPubKeyPair = Alice-448:P-256-PUBLIC -Result = KEYPAIR_TYPE_MISMATCH - PrivPubKeyPair = RSA-2048:P-256-PUBLIC Result = KEYPAIR_TYPE_MISMATCH PrivPubKeyPair = RSA-2048:KAS-ECC-CDH_K-163_C0-PUBLIC Result = KEYPAIR_TYPE_MISMATCH - -PrivPubKeyPair = Alice-25519:KAS-ECC-CDH_K-163_C0-PUBLIC -Result = KEYPAIR_TYPE_MISMATCH diff --git a/test/recipes/30-test_evp_data/evppkey_mismatch_ecx.txt b/test/recipes/30-test_evp_data/evppkey_mismatch_ecx.txt new file mode 100644 index 0000000000..ebbd4d4b39 --- /dev/null +++ b/test/recipes/30-test_evp_data/evppkey_mismatch_ecx.txt @@ -0,0 +1,85 @@ +# +# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# Tests start with one of these keywords +# Cipher Decrypt Derive Digest Encoding KDF MAC PBE +# PrivPubKeyPair Sign Verify VerifyRecover +# and continue until a blank line. Lines starting with a pound sign are ignored. + + +# Public / Private keys from other tests used for keypair testing. + +PrivateKey=Alice-25519 +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VuBCIEIHcHbQpzGKV9PBbBclGyZkXfTC+H68CZKrF3+6UduSwq +-----END PRIVATE KEY----- + +PrivateKey=Alice-448 +-----BEGIN PRIVATE KEY----- +MEYCAQAwBQYDK2VvBDoEOJqPSSXRUZ9Xdc9GsEtYANTunui66LxVZdSYwo3Zybr1 +dKlBl0SJc5EAY4Km8SerHZrC2MClmHJr +-----END PRIVATE KEY----- + +PublicKey=P-256-PUBLIC +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUPQpznDyFsJSz14GLOH2Oc1dFl +x/iUJAcsJxl9eLM7kg6VzbZk6ZDc8M/qDZTiqOavnQ5YBW5lMQSSW5/myQ== +-----END PUBLIC KEY----- + +PublicKey=KAS-ECC-CDH_K-163_C0-PUBLIC +-----BEGIN PUBLIC KEY----- +MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBx+LKHfWAn2cGt5CRPLeoSaS7yPVBcFe +53YiHHK4SzR844PzgGe4nD6a +-----END PUBLIC KEY----- + +PrivateKey = RSA-2048 +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNAIHqeyrh6gbV +n3xz2f+5SglhXC5Lp8Y2zvCN01M+wxhVJbAVx2m5mnfWclv5w1Mqm25fZifV+4UW +B2jT3anL01l0URcX3D0wnS/EfuQfl+Mq23+d2GShxHZ6Zm7NcbwarPXnUX9LOFlP +6psF5C1a2pkSAIAT5FMWpNm7jtCGuI0odYusr5ItRqhotIXSOcm66w4rZFknEPQr +LR6gpLSALAvsqzKPimiwBzvbVG/uqYCdKEmRKzkMFTK8finHZY+BdfrkbzQzL/h7 +yrPkBkm5hXeGnaDqcYNT8HInVIhpE2SHYNEivmduD8SD3SD/wxvalqMZZsmqLnWt +A95H4cRPAgMBAAECggEAYCl6x5kbFnoG1rJHWLjL4gi+ubLZ7Jc4vYD5Ci41AF3X +ziktnim6iFvTFv7x8gkTvArJDWsICLJBTYIQREHYYkozzgIzyPeApIs3Wv8C12cS +IopwJITbP56+zM+77hcJ26GCgA2Unp5CFuC/81WDiPi9kNo3Oh2CdD7D+90UJ/0W +glplejFpEuhpU2URfKL4RckJQF/KxV+JX8FdIDhsJu54yemQdQKaF4psHkzwwgDo +qc+yfp0Vb4bmwq3CKxqEoc1cpbJ5CHXXlAfISzUjlcuBzD/tW7BDtp7eDAcgRVAC +XO6MX0QBcLYSC7SOD3R7zY9SIRCFDfBDxCjf0YcFMQKBgQD2+WG0fLwDXTrt68fe +hQqVa2Xs25z2B2QGPxWqSFU8WNly/mZ1BW413f3De/O58vYi7icTNyVoScm+8hdv +6PfD+LuRujdN1TuvPeyBTSvewQwf3IjN0Wh28mse36PwlBl+301C/x+ylxEDuJjK +hZxCcocIaoQqtBC7ac8tNa9r4wKBgQDUfnJKf/QQSLJwwlJKQQGHi3MVm7c9PbwY +eyIOY1s1NPluJDoYTZP4YLa/u2txwe2aHh9FhYMCPDAelqaSwaCLU9DsnKkQEA2A +RR47fcagG6xK7O+N95iEa8I1oIy7os9MBoBMwRIZ6VYIxxTj8UMNSR+tu6MqV1Gg +T5d0WDTJpQKBgCHyRSu5uV39AoyRS/eZ8cp36JqV1Q08FtOE+EVfi9evnrPfo9WR +2YQt7yNfdjCo5IwIj/ZkLhAXlFNakz4el2+oUJ/HKLLaDEoaCNf883q6rh/zABrK +HcG7sF2d/7qhoJ9/se7zgjfZ68zHIrkzhDbd5xGREnmMJoCcGo3sQyBhAoGAH3UQ +qmLC2N5KPFMoJ4H0HgLQ6LQCrnhDLkScSBEBYaEUA/AtAYgKjcyTgVLXlyGkcRpg +esRHHr+WSBD5W+R6ReYEmeKfTJdzyDdzQE9gZjdyjC0DUbsDwybIu3OnIef6VEDq +IXK7oUZfzDDcsNn4mTDoFaoff5cpqFfgDgM43VkCgYBNHw11b+d+AQmaZS9QqIt7 +aF3FvwCYHV0jdv0Mb+Kc1bY4c0R5MFpzrTwVmdOerjuuA1+9b+0Hwo3nBZM4eaBu +SOamA2hu2OJWCl9q8fLCT69KqWDjghhvFe7c6aJJGucwaA3Uz3eLcPqoaCarMiNH +fMkTd7GabVourqIZdgvu1Q== +-----END PRIVATE KEY----- + +Title = Test keypair mismatches + +PrivPubKeyPair = Alice-25519:P-256-PUBLIC +Result = KEYPAIR_TYPE_MISMATCH + +PrivPubKeyPair = Alice-448:P-256-PUBLIC +Result = KEYPAIR_TYPE_MISMATCH + +PrivPubKeyPair = RSA-2048:P-256-PUBLIC +Result = KEYPAIR_TYPE_MISMATCH + +PrivPubKeyPair = RSA-2048:KAS-ECC-CDH_K-163_C0-PUBLIC +Result = KEYPAIR_TYPE_MISMATCH + +PrivPubKeyPair = Alice-25519:KAS-ECC-CDH_K-163_C0-PUBLIC +Result = KEYPAIR_TYPE_MISMATCH diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t index 2e8385d43b..2c2527ca5c 100644 --- a/test/recipes/70-test_key_share.t +++ b/test/recipes/70-test_key_share.t @@ -81,7 +81,7 @@ $proxy->filter(\&modify_key_shares_filter); if (disabled("ec")) { $proxy->serverflags("-groups ffdhe3072"); } else { - $proxy->serverflags("-groups P-256"); + $proxy->serverflags("-groups P-384"); } $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 23; @@ -189,7 +189,7 @@ $selectedgroupid = 0; if (disabled("ec")) { $proxy->clientflags("-groups ffdhe3072:ffdhe2048"); } else { - $proxy->clientflags("-groups P-256:X25519"); + $proxy->clientflags("-groups P-256:P-384"); } $proxy->start(); if (disabled("ec")) { @@ -202,13 +202,13 @@ if (disabled("ec")) { #Test 14: Multiple acceptable key_shares - we choose the first one (part 2) $proxy->clear(); -if (disabled("ec")) { +if (disabled("ecx")) { $proxy->clientflags("-curves ffdhe2048:ffdhe3072"); } else { $proxy->clientflags("-curves X25519:P-256"); } $proxy->start(); -if (disabled("ec")) { +if (disabled("ecx")) { ok(TLSProxy::Message->success() && ($selectedgroupid == FFDHE2048), "Multiple acceptable key_shares (part 2)"); } else { @@ -219,7 +219,7 @@ if (disabled("ec")) { #Test 15: Server sends key_share that wasn't offered should fail $proxy->clear(); $testtype = SELECT_X25519; -if (disabled("ec")) { +if (disabled("ecx")) { $proxy->clientflags("-groups ffdhe3072"); } else { $proxy->clientflags("-groups P-256"); @@ -281,7 +281,7 @@ SKIP: { $proxy->clear(); $direction = SERVER_TO_CLIENT; $testtype = NO_KEY_SHARES_IN_HRR; -if (disabled("ec")) { +if (disabled("ecx")) { $proxy->serverflags("-groups ffdhe2048"); } else { $proxy->serverflags("-groups X25519"); @@ -294,7 +294,11 @@ SKIP: { #Test 23: Trailing data on key_share in ServerHello should fail $proxy->clear(); $direction = CLIENT_TO_SERVER; - $proxy->clientflags("-groups secp192r1:P-256:X25519"); + if (disabled("ecx")) { + $proxy->clientflags("-groups secp192r1:P-256:P-384"); + } else { + $proxy->clientflags("-groups secp192r1:P-256:X25519"); + } $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $testtype = NON_TLS1_3_KEY_SHARE; $proxy->start(); @@ -324,16 +328,31 @@ sub modify_key_shares_filter if ($testtype != NON_TLS1_3_KEY_SHARE) { #Setup supported groups to include some unrecognised groups - $suppgroups = pack "C8", - 0x00, 0x06, #List Length - 0xff, 0xfe, #Non existing group 1 - 0xff, 0xff, #Non existing group 2 - 0x00, 0x1d; #x25519 + if (disabled("ecx")) { + $suppgroups = pack "C8", + 0x00, 0x06, #List Length + 0xff, 0xfe, #Non existing group 1 + 0xff, 0xff, #Non existing group 2 + 0x00, 0x17; #P-256 + } else { + $suppgroups = pack "C8", + 0x00, 0x06, #List Length + 0xff, 0xfe, #Non existing group 1 + 0xff, 0xff, #Non existing group 2 + 0x00, 0x1d; #X25519 + } } else { - $suppgroups = pack "C6", - 0x00, 0x04, #List Length - 0x00, 0x13, - 0x00, 0x1d; #x25519 + if (disabled("ecx")) { + $suppgroups = pack "C6", + 0x00, 0x04, #List Length + 0x00, 0x13, + 0x00, 0x18; #P-384 + } else { + $suppgroups = pack "C6", + 0x00, 0x04, #List Length + 0x00, 0x13, + 0x00, 0x1d; #X25519 + } } if ($testtype == EMPTY_EXTENSION) { @@ -347,14 +366,25 @@ sub modify_key_shares_filter 0xff, 0xff, #Non existing group 2 0x00, 0x01, 0xff; #key_exchange data } elsif ($testtype == ACCEPTABLE_AT_END) { - $ext = pack "C11H64", - 0x00, 0x29, #List Length - 0xff, 0xfe, #Non existing group 1 - 0x00, 0x01, 0xff, #key_exchange data - 0x00, 0x1d, #x25519 - 0x00, 0x20, #key_exchange data length - "155155B95269ED5C87EAA99C2EF5A593". - "EDF83495E80380089F831B94D14B1421"; #key_exchange data + if (disabled("ecx")) { + $ext = pack "C11H130", + 0x00, 0x4A, #List Length + 0xff, 0xfe, #Non existing group 1 + 0x00, 0x01, 0xff, #key_exchange data + 0x00, 0x17, #P-256 + 0x00, 0x41, #key_exchange data length + "04A798ACF80B2991A0A53D084F4F649A46BE49D061EB5B8CFF9C8EC6AE792507B6". + "F77FE6E446AF3645FD86BB7CFFD2644E45CC00183343C5CEAD67BB017B082007"; #key_exchange data + } else { + $ext = pack "C11H64", + 0x00, 0x29, #List Length + 0xff, 0xfe, #Non existing group 1 + 0x00, 0x01, 0xff, #key_exchange data + 0x00, 0x1d, #x25519 + 0x00, 0x20, #key_exchange data length + "155155B95269ED5C87EAA99C2EF5A593". + "EDF83495E80380089F831B94D14B1421"; #key_exchange data + } } elsif ($testtype == NOT_IN_SUPPORTED_GROUPS) { $suppgroups = pack "C4", 0x00, 0x02, #List Length diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t index cc0cfd3aff..ead0f37cf8 100644 --- a/test/recipes/70-test_tls13cookie.t +++ b/test/recipes/70-test_tls13cookie.t @@ -44,11 +44,11 @@ my $testtype; #Test 1: Inserting a cookie into an HRR should see it echoed in the ClientHello $testtype = COOKIE_ONLY; $proxy->filter(\&cookie_filter); -$proxy->serverflags("-curves X25519") if !disabled("ec"); +$proxy->serverflags("-curves X25519") if !disabled("ecx"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 2; SKIP: { - skip "EC disabled", 1, if disabled("ec"); + skip "ECX disabled", 1, if (disabled("ecx")); ok(TLSProxy::Message->success() && $cookieseen == 1, "Cookie seen"); } @@ -58,7 +58,7 @@ SKIP: { # required $testtype = COOKIE_AND_KEY_SHARE; $proxy->clear(); -if (disabled("ec")) { +if (disabled("ecx")) { $proxy->clientflags("-curves ffdhe3072:ffdhe2048"); $proxy->serverflags("-curves ffdhe2048"); } else { diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t index 77daccae90..5892159414 100644 --- a/test/recipes/70-test_tls13hrr.t +++ b/test/recipes/70-test_tls13hrr.t @@ -58,7 +58,7 @@ $proxy->clear(); if (disabled("ec")) { $proxy->serverflags("-curves ffdhe3072"); } else { - $proxy->serverflags("-curves P-256"); + $proxy->serverflags("-curves P-384"); } $proxy->ciphersuitess("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); $testtype = CHANGE_CH1_CIPHERSUITE; diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t index 1c2c18cc11..ea61a01f82 100644 --- a/test/recipes/70-test_tls13kexmodes.t +++ b/test/recipes/70-test_tls13kexmodes.t @@ -269,7 +269,7 @@ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE, # initial key_share. Should resume with a key_share following an HRR $proxy->clear(); $proxy->clientflags("-no_rx_cert_comp -sess_in ".$session); -$proxy->serverflags("-no_rx_cert_comp -curves P-256"); +$proxy->serverflags("-no_rx_cert_comp -curves P-384"); $testtype = BOTH_KEX_MODES; $proxy->start(); checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE, @@ -285,7 +285,7 @@ checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE, # key_share. Should resume with a key_share following an HRR $proxy->clear(); $proxy->clientflags("-no_rx_cert_comp -sess_in ".$session); -$proxy->serverflags("-no_rx_cert_comp -curves P-256"); +$proxy->serverflags("-no_rx_cert_comp -curves P-384"); $testtype = DHE_KEX_MODE_ONLY; $proxy->start(); checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE, diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t index b2f9819f02..4fa56d59ba 100644 --- a/test/recipes/70-test_tls13messages.t +++ b/test/recipes/70-test_tls13messages.t @@ -362,7 +362,7 @@ SKIP: { #Test 15: HRR Handshake $proxy->clear(); $proxy->clientflags("-no_rx_cert_comp"); -$proxy->serverflags("-no_rx_cert_comp -curves P-256"); +$proxy->serverflags("-no_rx_cert_comp -curves P-384"); $proxy->start(); checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE, checkhandshake::DEFAULT_EXTENSIONS @@ -372,7 +372,7 @@ checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE, #Test 16: Resumption handshake with HRR $proxy->clear(); $proxy->clientflags("-no_rx_cert_comp -sess_in ".$session); -$proxy->serverflags("-no_rx_cert_comp -curves P-256"); +$proxy->serverflags("-no_rx_cert_comp -curves P-384"); $proxy->start(); checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE, (checkhandshake::DEFAULT_EXTENSIONS @@ -383,7 +383,7 @@ checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE, #Test 17: Acceptable but non preferred key_share $proxy->clear(); -$proxy->clientflags("-no_rx_cert_comp -curves P-256"); +$proxy->clientflags("-no_rx_cert_comp -curves P-384"); $proxy->start(); checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, checkhandshake::DEFAULT_EXTENSIONS diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t index f36468de97..d352bc18bf 100644 --- a/test/recipes/70-test_tls13psk.t +++ b/test/recipes/70-test_tls13psk.t @@ -66,7 +66,7 @@ $proxy->clientflags("-sess_in ".$session); if (disabled("ec")) { $proxy->serverflags("-curves ffdhe3072"); } else { - $proxy->serverflags("-curves P-256"); + $proxy->serverflags("-curves P-384"); } $proxy->filter(undef); $proxy->start(); @@ -85,7 +85,7 @@ $proxy->filter(\&modify_psk_filter); if (disabled("ec")) { $proxy->serverflags("-curves ffdhe3072"); } else { - $proxy->serverflags("-curves P-256"); + $proxy->serverflags("-curves P-384"); } $proxy->ciphersuitesc("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); $proxy->ciphersuitess("TLS_AES_256_GCM_SHA384"); diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 7dcf203b15..8c5d8fc093 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -68,6 +68,7 @@ my $no_quic = disabled("quic"); my $no_npn = disabled("nextprotoneg"); my $no_ct = disabled("ct"); my $no_ec = disabled("ec"); +my $no_ecx = disabled("ecx"); my $no_dh = disabled("dh"); my $no_dsa = disabled("dsa"); my $no_ec2m = disabled("ec2m"); @@ -91,7 +92,7 @@ my %conf_dependent_tests = ( "22-compression.cnf" => !$is_default_tls, "25-cipher.cnf" => disabled("poly1305") || disabled("chacha"), "27-ticket-appdata.cnf" => !$is_default_tls, - "28-seclevel.cnf" => disabled("tls1_2") || $no_ec, + "28-seclevel.cnf" => disabled("tls1_2") || $no_ecx, "30-extended-master-secret.cnf" => disabled("tls1_2"), "32-compressed-certificate.cnf" => disabled("comp") || disabled("tls1_3"), ); @@ -113,13 +114,13 @@ my %skip = ( # TODO(TLS 1.3): We should review this once we have TLS 1.3. "13-fragmentation.cnf" => disabled("tls1_2"), "14-curves.cnf" => disabled("tls1_2") || disabled("tls1_3") - || $no_ec || $no_ec2m, + || $no_ec2m || $no_ecx, "15-certstatus.cnf" => $no_tls || $no_ocsp, "16-dtls-certstatus.cnf" => $no_dtls || $no_ocsp, "17-renegotiate.cnf" => $no_tls_below1_3, "18-dtls-renegotiate.cnf" => $no_dtls, "19-mac-then-encrypt.cnf" => $no_pre_tls1_3, - "20-cert-select.cnf" => disabled("tls1_2") || $no_ec, + "20-cert-select.cnf" => disabled("tls1_2") || $no_ecx, "21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh), "22-compression.cnf" => disabled("zlib") || $no_tls, "23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1") diff --git a/test/rpktest.c b/test/rpktest.c index 89e1fcf638..ac824798f1 100644 --- a/test/rpktest.c +++ b/test/rpktest.c @@ -156,6 +156,7 @@ static int test_rpk(int idx) privkey_file = privkey2; other_cert_file = cert; break; +# ifndef OPENSSL_NO_ECX case 2: /* use Ed448 */ cert_file = cert448; @@ -168,6 +169,7 @@ static int test_rpk(int idx) privkey_file = privkey25519; other_cert_file = cert; break; +# endif #endif default: testresult = TEST_skip("EDCSA disabled"); diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in index a1d44a534a..3fc301eb14 100644 --- a/test/ssl-tests/28-seclevel.cnf.in +++ b/test/ssl-tests/28-seclevel.cnf.in @@ -81,5 +81,5 @@ our @tests_tls1_2 = ( }, ); -push @tests, @tests_ec unless disabled("ec"); -push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec"); +push @tests, @tests_ec unless disabled("ecx"); +push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ecx"); diff --git a/test/sslapitest.c b/test/sslapitest.c index d2c6c774f5..42417918c8 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -3969,7 +3969,7 @@ static int early_data_skip_helper(int testtype, int cipher, int idx) if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072"))) goto end; #else - if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) + if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384"))) goto end; #endif } else if (idx == 2) { @@ -4892,7 +4892,11 @@ static int test_ciphersuite_change(void) */ # ifndef OPENSSL_NO_EC static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, - NID_secp521r1, NID_X25519, NID_X448}; + NID_secp521r1, +# ifndef OPENSSL_NO_ECX + NID_X25519, NID_X448 +# endif + }; # endif # ifndef OPENSSL_NO_DH static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096, @@ -4933,6 +4937,7 @@ static int test_key_exchange(int idx) kexch_alg = NID_secp521r1; kexch_name0 = "secp521r1"; break; +# ifndef OPENSSL_NO_ECX case 4: kexch_alg = NID_X25519; kexch_name0 = "x25519"; @@ -4941,6 +4946,7 @@ static int test_key_exchange(int idx) kexch_alg = NID_X448; kexch_name0 = "x448"; break; +# endif # endif # ifndef OPENSSL_NO_DH # ifndef OPENSSL_NO_TLS1_2 @@ -5584,7 +5590,7 @@ static int test_tls13_psk(int idx) if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072"))) goto end; #else - if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) + if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384"))) goto end; #endif @@ -9350,8 +9356,13 @@ static int test_sigalgs_available(int idx) } else { if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE, "ECDSA")) +# ifdef OPENSSL_NO_ECX + || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC")) +# else || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, - "EC:X25519:X448"))) + "EC:X25519:X448")) +# endif + ) goto end; } diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c index 1ec2ee2b1e..fe44d90fbc 100644 --- a/test/tls13ccstest.c +++ b/test/tls13ccstest.c @@ -321,7 +321,7 @@ static int test_tls13ccs(int tst) goto err; # endif #else - if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "P-256"))) + if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "P-384"))) goto err; #endif }