Add fips checks for ecdh key agreement

For key agreement only NIST curves that have a security strength of 112 bits or more are allowed.
Fixed tests so they obey these restrictions when testing in fips mode.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)

providers/implementations/exchange/ecdh_exch.c

@@ -24,6 +24,7 @@
 #include "prov/provider_ctx.h"
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
+#include "prov/provider_util.h"
 #include "crypto/ec.h" /* ecdh_KDF_X9_63() */
 
 static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx;
@@ -110,7 +111,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
     pecdhctx->k = vecdh;
     pecdhctx->cofactor_mode = -1;
     pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
-    return 1;
+    return ossl_prov_ec_check(vecdh, 1);
 }
 
 static
@@ -125,7 +126,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh)
         return 0;
     EC_KEY_free(pecdhctx->peerk);
     pecdhctx->peerk = vecdh;
-    return 1;
+    return ossl_prov_ec_check(vecdh, 1);
 }
 
 static
@@ -253,7 +254,12 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
 
         EVP_MD_free(pectx->kdf_md);
         pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops);
-
+#ifdef FIPS_MODULE
+        if (!ossl_prov_digest_get_approved_nid(pectx->kdf_md, 1)) {
+            EVP_MD_free(pectx->kdf_md);
+            pectx->kdf_md = NULL;
+        }
+#endif
         if (pectx->kdf_md == NULL)
             return 0;
     }

test/recipes/30-test_evp_data/evppkey_kas.txt

@@ -44,12 +44,17 @@ MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEQupt2Zad0qYf6hqsf46Y7cyJbG5V
 hXzA375dfGH6yIsRgRveMo6KDRK/AanSBLUj
 -----END PUBLIC KEY-----
 
-
+Availablein = default
 Derive=KAS-ECC-CDH_P-192_C0
 PeerKey=KAS-ECC-CDH_P-192_C0-Peer-PUBLIC
 Ctrl=ecdh_cofactor_mode:1
 SharedSecret=803d8ab2e5b6e6fca715737c3a82f7ce3c783124f6d51cd0
 
+Availablein = fips
+Derive=KAS-ECC-CDH_P-192_C0
+PeerKey=KAS-ECC-CDH_P-192_C0-Peer-PUBLIC
+Result = DERIVE_SET_PEER_ERROR
+
 PrivateKey=KAS-ECC-CDH_P-192_C1
 -----BEGIN PRIVATE KEY-----
 MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEVTBTAgEBBBhW6FM0nZb+TEQkSNrL

test/ssl-tests/14-curves.cnf

@@ -2,23 +2,23 @@
 
 num_tests = 30
 
-test-0 = 0-curve-sect163k1
-test-1 = 1-curve-sect163r2
-test-2 = 2-curve-sect233k1
-test-3 = 3-curve-sect233r1
-test-4 = 4-curve-sect283k1
-test-5 = 5-curve-sect283r1
-test-6 = 6-curve-sect409k1
-test-7 = 7-curve-sect409r1
-test-8 = 8-curve-sect571k1
-test-9 = 9-curve-sect571r1
-test-10 = 10-curve-prime192v1
-test-11 = 11-curve-secp224r1
-test-12 = 12-curve-prime256v1
-test-13 = 13-curve-secp384r1
-test-14 = 14-curve-secp521r1
-test-15 = 15-curve-X25519
-test-16 = 16-curve-X448
+test-0 = 0-curve-sect233k1
+test-1 = 1-curve-sect233r1
+test-2 = 2-curve-sect283k1
+test-3 = 3-curve-sect283r1
+test-4 = 4-curve-sect409k1
+test-5 = 5-curve-sect409r1
+test-6 = 6-curve-sect571k1
+test-7 = 7-curve-sect571r1
+test-8 = 8-curve-secp224r1
+test-9 = 9-curve-prime256v1
+test-10 = 10-curve-secp384r1
+test-11 = 11-curve-secp521r1
+test-12 = 12-curve-X25519
+test-13 = 13-curve-X448
+test-14 = 14-curve-sect163k1
+test-15 = 15-curve-sect163r2
+test-16 = 16-curve-prime192v1
 test-17 = 17-curve-sect163r1
 test-18 = 18-curve-sect193r1
 test-19 = 19-curve-sect193r2
@@ -34,478 +34,478 @@ test-28 = 28-curve-brainpoolP384r1
 test-29 = 29-curve-brainpoolP512r1
 # ===========================================================
 
-[0-curve-sect163k1]
-ssl_conf = 0-curve-sect163k1-ssl
+[0-curve-sect233k1]
+ssl_conf = 0-curve-sect233k1-ssl
 
-[0-curve-sect163k1-ssl]
-server = 0-curve-sect163k1-server
-client = 0-curve-sect163k1-client
+[0-curve-sect233k1-ssl]
+server = 0-curve-sect233k1-server
+client = 0-curve-sect233k1-client
 
-[0-curve-sect163k1-server]
+[0-curve-sect233k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect163k1
+Curves = sect233k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[0-curve-sect163k1-client]
+[0-curve-sect233k1-client]
 CipherString = ECDHE
-Curves = sect163k1
+Curves = sect233k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-0]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect163k1
+ExpectedTmpKeyType = sect233k1
 
 
 # ===========================================================
 
-[1-curve-sect163r2]
-ssl_conf = 1-curve-sect163r2-ssl
+[1-curve-sect233r1]
+ssl_conf = 1-curve-sect233r1-ssl
 
-[1-curve-sect163r2-ssl]
-server = 1-curve-sect163r2-server
-client = 1-curve-sect163r2-client
+[1-curve-sect233r1-ssl]
+server = 1-curve-sect233r1-server
+client = 1-curve-sect233r1-client
 
-[1-curve-sect163r2-server]
+[1-curve-sect233r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect163r2
+Curves = sect233r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[1-curve-sect163r2-client]
+[1-curve-sect233r1-client]
 CipherString = ECDHE
-Curves = sect163r2
+Curves = sect233r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-1]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect163r2
+ExpectedTmpKeyType = sect233r1
 
 
 # ===========================================================
 
-[2-curve-sect233k1]
-ssl_conf = 2-curve-sect233k1-ssl
+[2-curve-sect283k1]
+ssl_conf = 2-curve-sect283k1-ssl
 
-[2-curve-sect233k1-ssl]
-server = 2-curve-sect233k1-server
-client = 2-curve-sect233k1-client
+[2-curve-sect283k1-ssl]
+server = 2-curve-sect283k1-server
+client = 2-curve-sect283k1-client
 
-[2-curve-sect233k1-server]
+[2-curve-sect283k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect233k1
+Curves = sect283k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[2-curve-sect233k1-client]
+[2-curve-sect283k1-client]
 CipherString = ECDHE
-Curves = sect233k1
+Curves = sect283k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-2]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect233k1
+ExpectedTmpKeyType = sect283k1
 
 
 # ===========================================================
 
-[3-curve-sect233r1]
-ssl_conf = 3-curve-sect233r1-ssl
+[3-curve-sect283r1]
+ssl_conf = 3-curve-sect283r1-ssl
 
-[3-curve-sect233r1-ssl]
-server = 3-curve-sect233r1-server
-client = 3-curve-sect233r1-client
+[3-curve-sect283r1-ssl]
+server = 3-curve-sect283r1-server
+client = 3-curve-sect283r1-client
 
-[3-curve-sect233r1-server]
+[3-curve-sect283r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect233r1
+Curves = sect283r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[3-curve-sect233r1-client]
+[3-curve-sect283r1-client]
 CipherString = ECDHE
-Curves = sect233r1
+Curves = sect283r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-3]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect233r1
+ExpectedTmpKeyType = sect283r1
 
 
 # ===========================================================
 
-[4-curve-sect283k1]
-ssl_conf = 4-curve-sect283k1-ssl
+[4-curve-sect409k1]
+ssl_conf = 4-curve-sect409k1-ssl
 
-[4-curve-sect283k1-ssl]
-server = 4-curve-sect283k1-server
-client = 4-curve-sect283k1-client
+[4-curve-sect409k1-ssl]
+server = 4-curve-sect409k1-server
+client = 4-curve-sect409k1-client
 
-[4-curve-sect283k1-server]
+[4-curve-sect409k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect283k1
+Curves = sect409k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[4-curve-sect283k1-client]
+[4-curve-sect409k1-client]
 CipherString = ECDHE
-Curves = sect283k1
+Curves = sect409k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-4]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect283k1
+ExpectedTmpKeyType = sect409k1
 
 
 # ===========================================================
 
-[5-curve-sect283r1]
-ssl_conf = 5-curve-sect283r1-ssl
+[5-curve-sect409r1]
+ssl_conf = 5-curve-sect409r1-ssl
 
-[5-curve-sect283r1-ssl]
-server = 5-curve-sect283r1-server
-client = 5-curve-sect283r1-client
+[5-curve-sect409r1-ssl]
+server = 5-curve-sect409r1-server
+client = 5-curve-sect409r1-client
 
-[5-curve-sect283r1-server]
+[5-curve-sect409r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect283r1
+Curves = sect409r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[5-curve-sect283r1-client]
+[5-curve-sect409r1-client]
 CipherString = ECDHE
-Curves = sect283r1
+Curves = sect409r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-5]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect283r1
+ExpectedTmpKeyType = sect409r1
 
 
 # ===========================================================
 
-[6-curve-sect409k1]
-ssl_conf = 6-curve-sect409k1-ssl
+[6-curve-sect571k1]
+ssl_conf = 6-curve-sect571k1-ssl
 
-[6-curve-sect409k1-ssl]
-server = 6-curve-sect409k1-server
-client = 6-curve-sect409k1-client
+[6-curve-sect571k1-ssl]
+server = 6-curve-sect571k1-server
+client = 6-curve-sect571k1-client
 
-[6-curve-sect409k1-server]
+[6-curve-sect571k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect409k1
+Curves = sect571k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[6-curve-sect409k1-client]
+[6-curve-sect571k1-client]
 CipherString = ECDHE
-Curves = sect409k1
+Curves = sect571k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-6]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect409k1
+ExpectedTmpKeyType = sect571k1
 
 
 # ===========================================================
 
-[7-curve-sect409r1]
-ssl_conf = 7-curve-sect409r1-ssl
+[7-curve-sect571r1]
+ssl_conf = 7-curve-sect571r1-ssl
 
-[7-curve-sect409r1-ssl]
-server = 7-curve-sect409r1-server
-client = 7-curve-sect409r1-client
+[7-curve-sect571r1-ssl]
+server = 7-curve-sect571r1-server
+client = 7-curve-sect571r1-client
 
-[7-curve-sect409r1-server]
+[7-curve-sect571r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect409r1
+Curves = sect571r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[7-curve-sect409r1-client]
+[7-curve-sect571r1-client]
 CipherString = ECDHE
-Curves = sect409r1
+Curves = sect571r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-7]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect409r1
+ExpectedTmpKeyType = sect571r1
 
 
 # ===========================================================
 
-[8-curve-sect571k1]
-ssl_conf = 8-curve-sect571k1-ssl
+[8-curve-secp224r1]
+ssl_conf = 8-curve-secp224r1-ssl
 
-[8-curve-sect571k1-ssl]
-server = 8-curve-sect571k1-server
-client = 8-curve-sect571k1-client
+[8-curve-secp224r1-ssl]
+server = 8-curve-secp224r1-server
+client = 8-curve-secp224r1-client
 
-[8-curve-sect571k1-server]
+[8-curve-secp224r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect571k1
+Curves = secp224r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[8-curve-sect571k1-client]
+[8-curve-secp224r1-client]
 CipherString = ECDHE
-Curves = sect571k1
+Curves = secp224r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-8]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect571k1
+ExpectedTmpKeyType = secp224r1
 
 
 # ===========================================================
 
-[9-curve-sect571r1]
-ssl_conf = 9-curve-sect571r1-ssl
+[9-curve-prime256v1]
+ssl_conf = 9-curve-prime256v1-ssl
 
-[9-curve-sect571r1-ssl]
-server = 9-curve-sect571r1-server
-client = 9-curve-sect571r1-client
+[9-curve-prime256v1-ssl]
+server = 9-curve-prime256v1-server
+client = 9-curve-prime256v1-client
 
-[9-curve-sect571r1-server]
+[9-curve-prime256v1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = sect571r1
+Curves = prime256v1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[9-curve-sect571r1-client]
+[9-curve-prime256v1-client]
 CipherString = ECDHE
-Curves = sect571r1
+Curves = prime256v1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-9]
 ExpectedResult = Success
-ExpectedTmpKeyType = sect571r1
+ExpectedTmpKeyType = prime256v1
 
 
 # ===========================================================
 
-[10-curve-prime192v1]
-ssl_conf = 10-curve-prime192v1-ssl
+[10-curve-secp384r1]
+ssl_conf = 10-curve-secp384r1-ssl
 
-[10-curve-prime192v1-ssl]
-server = 10-curve-prime192v1-server
-client = 10-curve-prime192v1-client
+[10-curve-secp384r1-ssl]
+server = 10-curve-secp384r1-server
+client = 10-curve-secp384r1-client
 
-[10-curve-prime192v1-server]
+[10-curve-secp384r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = prime192v1
+Curves = secp384r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[10-curve-prime192v1-client]
+[10-curve-secp384r1-client]
 CipherString = ECDHE
-Curves = prime192v1
+Curves = secp384r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-10]
 ExpectedResult = Success
-ExpectedTmpKeyType = prime192v1
+ExpectedTmpKeyType = secp384r1
 
 
 # ===========================================================
 
-[11-curve-secp224r1]
-ssl_conf = 11-curve-secp224r1-ssl
+[11-curve-secp521r1]
+ssl_conf = 11-curve-secp521r1-ssl
 
-[11-curve-secp224r1-ssl]
-server = 11-curve-secp224r1-server
-client = 11-curve-secp224r1-client
+[11-curve-secp521r1-ssl]
+server = 11-curve-secp521r1-server
+client = 11-curve-secp521r1-client
 
-[11-curve-secp224r1-server]
+[11-curve-secp521r1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp224r1
+Curves = secp521r1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[11-curve-secp224r1-client]
+[11-curve-secp521r1-client]
 CipherString = ECDHE
-Curves = secp224r1
+Curves = secp521r1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-11]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp224r1
+ExpectedTmpKeyType = secp521r1
 
 
 # ===========================================================
 
-[12-curve-prime256v1]
-ssl_conf = 12-curve-prime256v1-ssl
+[12-curve-X25519]
+ssl_conf = 12-curve-X25519-ssl
 
-[12-curve-prime256v1-ssl]
-server = 12-curve-prime256v1-server
-client = 12-curve-prime256v1-client
+[12-curve-X25519-ssl]
+server = 12-curve-X25519-server
+client = 12-curve-X25519-client
 
-[12-curve-prime256v1-server]
+[12-curve-X25519-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = prime256v1
+Curves = X25519
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[12-curve-prime256v1-client]
+[12-curve-X25519-client]
 CipherString = ECDHE
-Curves = prime256v1
+Curves = X25519
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-12]
 ExpectedResult = Success
-ExpectedTmpKeyType = prime256v1
+ExpectedTmpKeyType = X25519
 
 
 # ===========================================================
 
-[13-curve-secp384r1]
-ssl_conf = 13-curve-secp384r1-ssl
+[13-curve-X448]
+ssl_conf = 13-curve-X448-ssl
 
-[13-curve-secp384r1-ssl]
-server = 13-curve-secp384r1-server
-client = 13-curve-secp384r1-client
+[13-curve-X448-ssl]
+server = 13-curve-X448-server
+client = 13-curve-X448-client
 
-[13-curve-secp384r1-server]
+[13-curve-X448-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp384r1
+Curves = X448
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[13-curve-secp384r1-client]
+[13-curve-X448-client]
 CipherString = ECDHE
-Curves = secp384r1
+Curves = X448
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-13]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp384r1
+ExpectedTmpKeyType = X448
 
 
 # ===========================================================
 
-[14-curve-secp521r1]
-ssl_conf = 14-curve-secp521r1-ssl
+[14-curve-sect163k1]
+ssl_conf = 14-curve-sect163k1-ssl
 
-[14-curve-secp521r1-ssl]
-server = 14-curve-secp521r1-server
-client = 14-curve-secp521r1-client
+[14-curve-sect163k1-ssl]
+server = 14-curve-sect163k1-server
+client = 14-curve-sect163k1-client
 
-[14-curve-secp521r1-server]
+[14-curve-sect163k1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = secp521r1
+Curves = sect163k1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[14-curve-secp521r1-client]
+[14-curve-sect163k1-client]
 CipherString = ECDHE
-Curves = secp521r1
+Curves = sect163k1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-14]
 ExpectedResult = Success
-ExpectedTmpKeyType = secp521r1
+ExpectedTmpKeyType = sect163k1
 
 
 # ===========================================================
 
-[15-curve-X25519]
-ssl_conf = 15-curve-X25519-ssl
+[15-curve-sect163r2]
+ssl_conf = 15-curve-sect163r2-ssl
 
-[15-curve-X25519-ssl]
-server = 15-curve-X25519-server
-client = 15-curve-X25519-client
+[15-curve-sect163r2-ssl]
+server = 15-curve-sect163r2-server
+client = 15-curve-sect163r2-client
 
-[15-curve-X25519-server]
+[15-curve-sect163r2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = X25519
+Curves = sect163r2
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[15-curve-X25519-client]
+[15-curve-sect163r2-client]
 CipherString = ECDHE
-Curves = X25519
+Curves = sect163r2
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-15]
 ExpectedResult = Success
-ExpectedTmpKeyType = X25519
+ExpectedTmpKeyType = sect163r2
 
 
 # ===========================================================
 
-[16-curve-X448]
-ssl_conf = 16-curve-X448-ssl
+[16-curve-prime192v1]
+ssl_conf = 16-curve-prime192v1-ssl
 
-[16-curve-X448-ssl]
-server = 16-curve-X448-server
-client = 16-curve-X448-client
+[16-curve-prime192v1-ssl]
+server = 16-curve-prime192v1-server
+client = 16-curve-prime192v1-client
 
-[16-curve-X448-server]
+[16-curve-prime192v1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
-Curves = X448
+Curves = prime192v1
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[16-curve-X448-client]
+[16-curve-prime192v1-client]
 CipherString = ECDHE
-Curves = X448
+Curves = prime192v1
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-16]
 ExpectedResult = Success
-ExpectedTmpKeyType = X448
+ExpectedTmpKeyType = prime192v1
 
 
 # ===========================================================

test/ssl-tests/14-curves.cnf.in

@@ -12,13 +12,14 @@ use OpenSSL::Test::Utils qw(anydisabled);
 
 our $fips_mode;
 
-my @curves = ("sect163k1", "sect163r2", "sect233k1", "sect233r1",
+my @curves = ("sect233k1", "sect233r1",
               "sect283k1", "sect283r1", "sect409k1", "sect409r1",
-              "sect571k1", "sect571r1", "prime192v1", "secp224r1",
+              "sect571k1", "sect571r1", "secp224r1",
               "prime256v1", "secp384r1", "secp521r1", "X25519",
               "X448");
 
-my @curves_non_fips = ("sect163r1", "sect193r1", "sect193r2", "sect239k1",
+my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
+                       "sect163r1", "sect193r1", "sect193r2", "sect239k1",
                        "secp160k1", "secp160r1", "secp160r2", "secp192k1",
                        "secp224k1",  "secp256k1", "brainpoolP256r1",
                        "brainpoolP384r1", "brainpoolP512r1");