From 341c3e7f28072e3c3cfb072233aa7d68abc73d0a Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Sat, 29 Aug 2020 12:59:04 +1000 Subject: [PATCH] Add fips checks for ecdh key agreement For key agreement only NIST curves that have a security strength of 112 bits or more are allowed. Fixed tests so they obey these restrictions when testing in fips mode. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12745) --- .../implementations/exchange/ecdh_exch.c | 12 +- test/recipes/30-test_evp_data/evppkey_kas.txt | 7 +- test/ssl-tests/14-curves.cnf | 374 +++++++++--------- test/ssl-tests/14-curves.cnf.in | 7 +- 4 files changed, 206 insertions(+), 194 deletions(-) diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index 8e6cf10dc5..83d119b02b 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -24,6 +24,7 @@ #include "prov/provider_ctx.h" #include "prov/providercommon.h" #include "prov/implementations.h" +#include "prov/provider_util.h" #include "crypto/ec.h" /* ecdh_KDF_X9_63() */ static OSSL_FUNC_keyexch_newctx_fn ecdh_newctx; @@ -110,7 +111,7 @@ int ecdh_init(void *vpecdhctx, void *vecdh) pecdhctx->k = vecdh; pecdhctx->cofactor_mode = -1; pecdhctx->kdf_type = PROV_ECDH_KDF_NONE; - return 1; + return ossl_prov_ec_check(vecdh, 1); } static @@ -125,7 +126,7 @@ int ecdh_set_peer(void *vpecdhctx, void *vecdh) return 0; EC_KEY_free(pecdhctx->peerk); pecdhctx->peerk = vecdh; - return 1; + return ossl_prov_ec_check(vecdh, 1); } static @@ -253,7 +254,12 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[]) EVP_MD_free(pectx->kdf_md); pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops); - +#ifdef FIPS_MODULE + if (!ossl_prov_digest_get_approved_nid(pectx->kdf_md, 1)) { + EVP_MD_free(pectx->kdf_md); + pectx->kdf_md = NULL; + } +#endif if (pectx->kdf_md == NULL) return 0; } diff --git a/test/recipes/30-test_evp_data/evppkey_kas.txt b/test/recipes/30-test_evp_data/evppkey_kas.txt index 44be323f09..32ffe349d8 100644 --- a/test/recipes/30-test_evp_data/evppkey_kas.txt +++ b/test/recipes/30-test_evp_data/evppkey_kas.txt @@ -44,12 +44,17 @@ MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEQupt2Zad0qYf6hqsf46Y7cyJbG5V hXzA375dfGH6yIsRgRveMo6KDRK/AanSBLUj -----END PUBLIC KEY----- - +Availablein = default Derive=KAS-ECC-CDH_P-192_C0 PeerKey=KAS-ECC-CDH_P-192_C0-Peer-PUBLIC Ctrl=ecdh_cofactor_mode:1 SharedSecret=803d8ab2e5b6e6fca715737c3a82f7ce3c783124f6d51cd0 +Availablein = fips +Derive=KAS-ECC-CDH_P-192_C0 +PeerKey=KAS-ECC-CDH_P-192_C0-Peer-PUBLIC +Result = DERIVE_SET_PEER_ERROR + PrivateKey=KAS-ECC-CDH_P-192_C1 -----BEGIN PRIVATE KEY----- MG8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEVTBTAgEBBBhW6FM0nZb+TEQkSNrL diff --git a/test/ssl-tests/14-curves.cnf b/test/ssl-tests/14-curves.cnf index 26d0949f0d..1982c99db7 100644 --- a/test/ssl-tests/14-curves.cnf +++ b/test/ssl-tests/14-curves.cnf @@ -2,23 +2,23 @@ num_tests = 30 -test-0 = 0-curve-sect163k1 -test-1 = 1-curve-sect163r2 -test-2 = 2-curve-sect233k1 -test-3 = 3-curve-sect233r1 -test-4 = 4-curve-sect283k1 -test-5 = 5-curve-sect283r1 -test-6 = 6-curve-sect409k1 -test-7 = 7-curve-sect409r1 -test-8 = 8-curve-sect571k1 -test-9 = 9-curve-sect571r1 -test-10 = 10-curve-prime192v1 -test-11 = 11-curve-secp224r1 -test-12 = 12-curve-prime256v1 -test-13 = 13-curve-secp384r1 -test-14 = 14-curve-secp521r1 -test-15 = 15-curve-X25519 -test-16 = 16-curve-X448 +test-0 = 0-curve-sect233k1 +test-1 = 1-curve-sect233r1 +test-2 = 2-curve-sect283k1 +test-3 = 3-curve-sect283r1 +test-4 = 4-curve-sect409k1 +test-5 = 5-curve-sect409r1 +test-6 = 6-curve-sect571k1 +test-7 = 7-curve-sect571r1 +test-8 = 8-curve-secp224r1 +test-9 = 9-curve-prime256v1 +test-10 = 10-curve-secp384r1 +test-11 = 11-curve-secp521r1 +test-12 = 12-curve-X25519 +test-13 = 13-curve-X448 +test-14 = 14-curve-sect163k1 +test-15 = 15-curve-sect163r2 +test-16 = 16-curve-prime192v1 test-17 = 17-curve-sect163r1 test-18 = 18-curve-sect193r1 test-19 = 19-curve-sect193r2 @@ -34,478 +34,478 @@ test-28 = 28-curve-brainpoolP384r1 test-29 = 29-curve-brainpoolP512r1 # =========================================================== -[0-curve-sect163k1] -ssl_conf = 0-curve-sect163k1-ssl +[0-curve-sect233k1] +ssl_conf = 0-curve-sect233k1-ssl -[0-curve-sect163k1-ssl] -server = 0-curve-sect163k1-server -client = 0-curve-sect163k1-client +[0-curve-sect233k1-ssl] +server = 0-curve-sect233k1-server +client = 0-curve-sect233k1-client -[0-curve-sect163k1-server] +[0-curve-sect233k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect163k1 +Curves = sect233k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[0-curve-sect163k1-client] +[0-curve-sect233k1-client] CipherString = ECDHE -Curves = sect163k1 +Curves = sect233k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-0] ExpectedResult = Success -ExpectedTmpKeyType = sect163k1 +ExpectedTmpKeyType = sect233k1 # =========================================================== -[1-curve-sect163r2] -ssl_conf = 1-curve-sect163r2-ssl +[1-curve-sect233r1] +ssl_conf = 1-curve-sect233r1-ssl -[1-curve-sect163r2-ssl] -server = 1-curve-sect163r2-server -client = 1-curve-sect163r2-client +[1-curve-sect233r1-ssl] +server = 1-curve-sect233r1-server +client = 1-curve-sect233r1-client -[1-curve-sect163r2-server] +[1-curve-sect233r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect163r2 +Curves = sect233r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[1-curve-sect163r2-client] +[1-curve-sect233r1-client] CipherString = ECDHE -Curves = sect163r2 +Curves = sect233r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-1] ExpectedResult = Success -ExpectedTmpKeyType = sect163r2 +ExpectedTmpKeyType = sect233r1 # =========================================================== -[2-curve-sect233k1] -ssl_conf = 2-curve-sect233k1-ssl +[2-curve-sect283k1] +ssl_conf = 2-curve-sect283k1-ssl -[2-curve-sect233k1-ssl] -server = 2-curve-sect233k1-server -client = 2-curve-sect233k1-client +[2-curve-sect283k1-ssl] +server = 2-curve-sect283k1-server +client = 2-curve-sect283k1-client -[2-curve-sect233k1-server] +[2-curve-sect283k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect233k1 +Curves = sect283k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[2-curve-sect233k1-client] +[2-curve-sect283k1-client] CipherString = ECDHE -Curves = sect233k1 +Curves = sect283k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-2] ExpectedResult = Success -ExpectedTmpKeyType = sect233k1 +ExpectedTmpKeyType = sect283k1 # =========================================================== -[3-curve-sect233r1] -ssl_conf = 3-curve-sect233r1-ssl +[3-curve-sect283r1] +ssl_conf = 3-curve-sect283r1-ssl -[3-curve-sect233r1-ssl] -server = 3-curve-sect233r1-server -client = 3-curve-sect233r1-client +[3-curve-sect283r1-ssl] +server = 3-curve-sect283r1-server +client = 3-curve-sect283r1-client -[3-curve-sect233r1-server] +[3-curve-sect283r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect233r1 +Curves = sect283r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[3-curve-sect233r1-client] +[3-curve-sect283r1-client] CipherString = ECDHE -Curves = sect233r1 +Curves = sect283r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-3] ExpectedResult = Success -ExpectedTmpKeyType = sect233r1 +ExpectedTmpKeyType = sect283r1 # =========================================================== -[4-curve-sect283k1] -ssl_conf = 4-curve-sect283k1-ssl +[4-curve-sect409k1] +ssl_conf = 4-curve-sect409k1-ssl -[4-curve-sect283k1-ssl] -server = 4-curve-sect283k1-server -client = 4-curve-sect283k1-client +[4-curve-sect409k1-ssl] +server = 4-curve-sect409k1-server +client = 4-curve-sect409k1-client -[4-curve-sect283k1-server] +[4-curve-sect409k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect283k1 +Curves = sect409k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[4-curve-sect283k1-client] +[4-curve-sect409k1-client] CipherString = ECDHE -Curves = sect283k1 +Curves = sect409k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-4] ExpectedResult = Success -ExpectedTmpKeyType = sect283k1 +ExpectedTmpKeyType = sect409k1 # =========================================================== -[5-curve-sect283r1] -ssl_conf = 5-curve-sect283r1-ssl +[5-curve-sect409r1] +ssl_conf = 5-curve-sect409r1-ssl -[5-curve-sect283r1-ssl] -server = 5-curve-sect283r1-server -client = 5-curve-sect283r1-client +[5-curve-sect409r1-ssl] +server = 5-curve-sect409r1-server +client = 5-curve-sect409r1-client -[5-curve-sect283r1-server] +[5-curve-sect409r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect283r1 +Curves = sect409r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-curve-sect283r1-client] +[5-curve-sect409r1-client] CipherString = ECDHE -Curves = sect283r1 +Curves = sect409r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-5] ExpectedResult = Success -ExpectedTmpKeyType = sect283r1 +ExpectedTmpKeyType = sect409r1 # =========================================================== -[6-curve-sect409k1] -ssl_conf = 6-curve-sect409k1-ssl +[6-curve-sect571k1] +ssl_conf = 6-curve-sect571k1-ssl -[6-curve-sect409k1-ssl] -server = 6-curve-sect409k1-server -client = 6-curve-sect409k1-client +[6-curve-sect571k1-ssl] +server = 6-curve-sect571k1-server +client = 6-curve-sect571k1-client -[6-curve-sect409k1-server] +[6-curve-sect571k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect409k1 +Curves = sect571k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-curve-sect409k1-client] +[6-curve-sect571k1-client] CipherString = ECDHE -Curves = sect409k1 +Curves = sect571k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-6] ExpectedResult = Success -ExpectedTmpKeyType = sect409k1 +ExpectedTmpKeyType = sect571k1 # =========================================================== -[7-curve-sect409r1] -ssl_conf = 7-curve-sect409r1-ssl +[7-curve-sect571r1] +ssl_conf = 7-curve-sect571r1-ssl -[7-curve-sect409r1-ssl] -server = 7-curve-sect409r1-server -client = 7-curve-sect409r1-client +[7-curve-sect571r1-ssl] +server = 7-curve-sect571r1-server +client = 7-curve-sect571r1-client -[7-curve-sect409r1-server] +[7-curve-sect571r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect409r1 +Curves = sect571r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-curve-sect409r1-client] +[7-curve-sect571r1-client] CipherString = ECDHE -Curves = sect409r1 +Curves = sect571r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-7] ExpectedResult = Success -ExpectedTmpKeyType = sect409r1 +ExpectedTmpKeyType = sect571r1 # =========================================================== -[8-curve-sect571k1] -ssl_conf = 8-curve-sect571k1-ssl +[8-curve-secp224r1] +ssl_conf = 8-curve-secp224r1-ssl -[8-curve-sect571k1-ssl] -server = 8-curve-sect571k1-server -client = 8-curve-sect571k1-client +[8-curve-secp224r1-ssl] +server = 8-curve-secp224r1-server +client = 8-curve-secp224r1-client -[8-curve-sect571k1-server] +[8-curve-secp224r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect571k1 +Curves = secp224r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-curve-sect571k1-client] +[8-curve-secp224r1-client] CipherString = ECDHE -Curves = sect571k1 +Curves = secp224r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-8] ExpectedResult = Success -ExpectedTmpKeyType = sect571k1 +ExpectedTmpKeyType = secp224r1 # =========================================================== -[9-curve-sect571r1] -ssl_conf = 9-curve-sect571r1-ssl +[9-curve-prime256v1] +ssl_conf = 9-curve-prime256v1-ssl -[9-curve-sect571r1-ssl] -server = 9-curve-sect571r1-server -client = 9-curve-sect571r1-client +[9-curve-prime256v1-ssl] +server = 9-curve-prime256v1-server +client = 9-curve-prime256v1-client -[9-curve-sect571r1-server] +[9-curve-prime256v1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect571r1 +Curves = prime256v1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-curve-sect571r1-client] +[9-curve-prime256v1-client] CipherString = ECDHE -Curves = sect571r1 +Curves = prime256v1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-9] ExpectedResult = Success -ExpectedTmpKeyType = sect571r1 +ExpectedTmpKeyType = prime256v1 # =========================================================== -[10-curve-prime192v1] -ssl_conf = 10-curve-prime192v1-ssl +[10-curve-secp384r1] +ssl_conf = 10-curve-secp384r1-ssl -[10-curve-prime192v1-ssl] -server = 10-curve-prime192v1-server -client = 10-curve-prime192v1-client +[10-curve-secp384r1-ssl] +server = 10-curve-secp384r1-server +client = 10-curve-secp384r1-client -[10-curve-prime192v1-server] +[10-curve-secp384r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = prime192v1 +Curves = secp384r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-curve-prime192v1-client] +[10-curve-secp384r1-client] CipherString = ECDHE -Curves = prime192v1 +Curves = secp384r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-10] ExpectedResult = Success -ExpectedTmpKeyType = prime192v1 +ExpectedTmpKeyType = secp384r1 # =========================================================== -[11-curve-secp224r1] -ssl_conf = 11-curve-secp224r1-ssl +[11-curve-secp521r1] +ssl_conf = 11-curve-secp521r1-ssl -[11-curve-secp224r1-ssl] -server = 11-curve-secp224r1-server -client = 11-curve-secp224r1-client +[11-curve-secp521r1-ssl] +server = 11-curve-secp521r1-server +client = 11-curve-secp521r1-client -[11-curve-secp224r1-server] +[11-curve-secp521r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp224r1 +Curves = secp521r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-curve-secp224r1-client] +[11-curve-secp521r1-client] CipherString = ECDHE -Curves = secp224r1 +Curves = secp521r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-11] ExpectedResult = Success -ExpectedTmpKeyType = secp224r1 +ExpectedTmpKeyType = secp521r1 # =========================================================== -[12-curve-prime256v1] -ssl_conf = 12-curve-prime256v1-ssl +[12-curve-X25519] +ssl_conf = 12-curve-X25519-ssl -[12-curve-prime256v1-ssl] -server = 12-curve-prime256v1-server -client = 12-curve-prime256v1-client +[12-curve-X25519-ssl] +server = 12-curve-X25519-server +client = 12-curve-X25519-client -[12-curve-prime256v1-server] +[12-curve-X25519-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = prime256v1 +Curves = X25519 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-curve-prime256v1-client] +[12-curve-X25519-client] CipherString = ECDHE -Curves = prime256v1 +Curves = X25519 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-12] ExpectedResult = Success -ExpectedTmpKeyType = prime256v1 +ExpectedTmpKeyType = X25519 # =========================================================== -[13-curve-secp384r1] -ssl_conf = 13-curve-secp384r1-ssl +[13-curve-X448] +ssl_conf = 13-curve-X448-ssl -[13-curve-secp384r1-ssl] -server = 13-curve-secp384r1-server -client = 13-curve-secp384r1-client +[13-curve-X448-ssl] +server = 13-curve-X448-server +client = 13-curve-X448-client -[13-curve-secp384r1-server] +[13-curve-X448-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp384r1 +Curves = X448 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[13-curve-secp384r1-client] +[13-curve-X448-client] CipherString = ECDHE -Curves = secp384r1 +Curves = X448 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-13] ExpectedResult = Success -ExpectedTmpKeyType = secp384r1 +ExpectedTmpKeyType = X448 # =========================================================== -[14-curve-secp521r1] -ssl_conf = 14-curve-secp521r1-ssl +[14-curve-sect163k1] +ssl_conf = 14-curve-sect163k1-ssl -[14-curve-secp521r1-ssl] -server = 14-curve-secp521r1-server -client = 14-curve-secp521r1-client +[14-curve-sect163k1-ssl] +server = 14-curve-sect163k1-server +client = 14-curve-sect163k1-client -[14-curve-secp521r1-server] +[14-curve-sect163k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp521r1 +Curves = sect163k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[14-curve-secp521r1-client] +[14-curve-sect163k1-client] CipherString = ECDHE -Curves = secp521r1 +Curves = sect163k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-14] ExpectedResult = Success -ExpectedTmpKeyType = secp521r1 +ExpectedTmpKeyType = sect163k1 # =========================================================== -[15-curve-X25519] -ssl_conf = 15-curve-X25519-ssl +[15-curve-sect163r2] +ssl_conf = 15-curve-sect163r2-ssl -[15-curve-X25519-ssl] -server = 15-curve-X25519-server -client = 15-curve-X25519-client +[15-curve-sect163r2-ssl] +server = 15-curve-sect163r2-server +client = 15-curve-sect163r2-client -[15-curve-X25519-server] +[15-curve-sect163r2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = X25519 +Curves = sect163r2 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[15-curve-X25519-client] +[15-curve-sect163r2-client] CipherString = ECDHE -Curves = X25519 +Curves = sect163r2 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-15] ExpectedResult = Success -ExpectedTmpKeyType = X25519 +ExpectedTmpKeyType = sect163r2 # =========================================================== -[16-curve-X448] -ssl_conf = 16-curve-X448-ssl +[16-curve-prime192v1] +ssl_conf = 16-curve-prime192v1-ssl -[16-curve-X448-ssl] -server = 16-curve-X448-server -client = 16-curve-X448-client +[16-curve-prime192v1-ssl] +server = 16-curve-prime192v1-server +client = 16-curve-prime192v1-client -[16-curve-X448-server] +[16-curve-prime192v1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = X448 +Curves = prime192v1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[16-curve-X448-client] +[16-curve-prime192v1-client] CipherString = ECDHE -Curves = X448 +Curves = prime192v1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-16] ExpectedResult = Success -ExpectedTmpKeyType = X448 +ExpectedTmpKeyType = prime192v1 # =========================================================== diff --git a/test/ssl-tests/14-curves.cnf.in b/test/ssl-tests/14-curves.cnf.in index d074e561c9..b5ee4d2827 100644 --- a/test/ssl-tests/14-curves.cnf.in +++ b/test/ssl-tests/14-curves.cnf.in @@ -12,13 +12,14 @@ use OpenSSL::Test::Utils qw(anydisabled); our $fips_mode; -my @curves = ("sect163k1", "sect163r2", "sect233k1", "sect233r1", +my @curves = ("sect233k1", "sect233r1", "sect283k1", "sect283r1", "sect409k1", "sect409r1", - "sect571k1", "sect571r1", "prime192v1", "secp224r1", + "sect571k1", "sect571r1", "secp224r1", "prime256v1", "secp384r1", "secp521r1", "X25519", "X448"); -my @curves_non_fips = ("sect163r1", "sect193r1", "sect193r2", "sect239k1", +my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1", + "sect163r1", "sect193r1", "sect193r2", "sect239k1", "secp160k1", "secp160r1", "secp160r2", "secp192k1", "secp224k1", "secp256k1", "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1");