no-unit-test,
enable-weak-ssl-ciphers,
enable-zlib,
+ no-ecx,
]
runs-on: ubuntu-latest
steps:
"ec_nistp_64_gcc_128",
"ecdh",
"ecdsa",
+ "ecx",
"egd",
"engine",
"err",
"brotli" => [ "brotli-dynamic" ],
"zstd" => [ "zstd-dynamic" ],
"des" => [ "mdc2" ],
- "ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ],
+ "ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost", "ecx" ],
"dgram" => [ "dtls", "quic", "sctp" ],
"sock" => [ "dgram", "tfo" ],
"dtls" => [ @dtls ],
#ifdef OPENSSL_NO_EC
BIO_puts(bio_out, "EC\n");
#endif
+#ifdef OPENSSL_NO_ECX
+ BIO_puts(bio_out, "ECX\n");
+#endif
#ifdef OPENSSL_NO_EC2M
BIO_puts(bio_out, "EC2M\n");
#endif
{"ecdsabrp512r1", R_EC_BRP512R1},
{"ecdsabrp512t1", R_EC_BRP512T1}
};
-enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM };
+enum {
+#ifndef OPENSSL_NO_ECX
+ R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM
+#else
+ EC_NUM = ECDSA_NUM
+#endif
+};
/* list of ecdh curves, extension of |ecdsa_choices| list above */
static const OPT_PAIR ecdh_choices[EC_NUM] = {
{"ecdhp160", R_EC_P160},
{"ecdhbrp384t1", R_EC_BRP384T1},
{"ecdhbrp512r1", R_EC_BRP512R1},
{"ecdhbrp512t1", R_EC_BRP512T1},
+#ifndef OPENSSL_NO_ECX
{"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448}
+#endif
};
static double ecdh_results[EC_NUM][1]; /* 1 op: derivation */
static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */
+#ifndef OPENSSL_NO_ECX
enum { R_EC_Ed25519, R_EC_Ed448, EdDSA_NUM };
static const OPT_PAIR eddsa_choices[EdDSA_NUM] = {
{"ed25519", R_EC_Ed25519},
};
static double eddsa_results[EdDSA_NUM][2]; /* 2 ops: sign then verify */
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
enum { R_EC_CURVESM2, SM2_NUM };
EVP_PKEY_CTX *ecdsa_sign_ctx[ECDSA_NUM];
EVP_PKEY_CTX *ecdsa_verify_ctx[ECDSA_NUM];
EVP_PKEY_CTX *ecdh_ctx[EC_NUM];
+#ifndef OPENSSL_NO_ECX
EVP_MD_CTX *eddsa_ctx[EdDSA_NUM];
EVP_MD_CTX *eddsa_ctx2[EdDSA_NUM];
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
EVP_MD_CTX *sm2_ctx[SM2_NUM];
EVP_MD_CTX *sm2_vfy_ctx[SM2_NUM];
return count;
}
+#ifndef OPENSSL_NO_ECX
static int EdDSA_sign_loop(void *args)
{
loopargs_t *tempargs = *(loopargs_t **) args;
}
return count;
}
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
static int SM2_sign_loop(void *args)
{"brainpoolP384t1", NID_brainpoolP384t1, 384},
{"brainpoolP512r1", NID_brainpoolP512r1, 512},
{"brainpoolP512t1", NID_brainpoolP512t1, 512},
+#ifndef OPENSSL_NO_ECX
/* Other and ECDH only ones */
{"X25519", NID_X25519, 253},
{"X448", NID_X448, 448}
+#endif
};
+#ifndef OPENSSL_NO_ECX
static const EC_CURVE ed_curves[EdDSA_NUM] = {
/* EdDSA */
{"Ed25519", NID_ED25519, 253, 64},
{"Ed448", NID_ED448, 456, 114}
};
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
static const EC_CURVE sm2_curves[SM2_NUM] = {
/* SM2 */
#endif
uint8_t ecdsa_doit[ECDSA_NUM] = { 0 };
uint8_t ecdh_doit[EC_NUM] = { 0 };
+#ifndef OPENSSL_NO_ECX
uint8_t eddsa_doit[EdDSA_NUM] = { 0 };
+#endif /* OPENSSL_NO_ECX */
uint8_t kems_doit[MAX_KEM_NUM] = { 0 };
uint8_t sigs_doit[MAX_SIG_NUM] = { 0 };
uint8_t do_sigs = 0;
/* checks declared curves against choices list. */
+#ifndef OPENSSL_NO_ECX
OPENSSL_assert(ed_curves[EdDSA_NUM - 1].nid == NID_ED448);
OPENSSL_assert(strcmp(eddsa_choices[EdDSA_NUM - 1].name, "ed448") == 0);
OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1);
OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0);
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
OPENSSL_assert(sm2_curves[SM2_NUM - 1].nid == NID_sm2);
algo_found = 1;
}
}
+#ifndef OPENSSL_NO_ECX
if (strcmp(algo, "eddsa") == 0) {
memset(eddsa_doit, 1, sizeof(eddsa_doit));
algo_found = 1;
eddsa_doit[i] = 2;
algo_found = 1;
}
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
if (strcmp(algo, "sm2") == 0) {
memset(sm2_doit, 1, sizeof(sm2_doit));
memset(ffdh_doit, 1, sizeof(ffdh_doit));
#endif
memset(dsa_doit, 1, sizeof(dsa_doit));
+#ifndef OPENSSL_NO_ECX
memset(ecdsa_doit, 1, sizeof(ecdsa_doit));
memset(ecdh_doit, 1, sizeof(ecdh_doit));
memset(eddsa_doit, 1, sizeof(eddsa_doit));
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
memset(sm2_doit, 1, sizeof(sm2_doit));
#endif
}
}
+#ifndef OPENSSL_NO_ECX
for (testnum = 0; testnum < EdDSA_NUM; testnum++) {
int st = 1;
EVP_PKEY *ed_pkey = NULL;
}
}
}
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
for (testnum = 0; testnum < SM2_NUM; testnum++) {
1.0 / ecdh_results[k][0], ecdh_results[k][0]);
}
+#ifndef OPENSSL_NO_ECX
testnum = 1;
for (k = 0; k < OSSL_NELEM(eddsa_doit); k++) {
if (!eddsa_doit[k])
1.0 / eddsa_results[k][0], 1.0 / eddsa_results[k][1],
eddsa_results[k][0], eddsa_results[k][1]);
}
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
testnum = 1;
}
for (k = 0; k < EC_NUM; k++)
EVP_PKEY_CTX_free(loopargs[i].ecdh_ctx[k]);
+#ifndef OPENSSL_NO_ECX
for (k = 0; k < EdDSA_NUM; k++) {
EVP_MD_CTX_free(loopargs[i].eddsa_ctx[k]);
EVP_MD_CTX_free(loopargs[i].eddsa_ctx2[k]);
}
+#endif /* OPENSSL_NO_ECX */
#ifndef OPENSSL_NO_SM2
for (k = 0; k < SM2_NUM; k++) {
EVP_PKEY_CTX *pctx = NULL;
d = atof(sstrsep(&p, sep));
ecdh_results[k][0] += d;
}
+# ifndef OPENSSL_NO_ECX
} else if (CHECK_AND_SKIP_PREFIX(p, "+F6:")) {
tk = sstrsep(&p, sep);
if (strtoint(tk, 0, OSSL_NELEM(eddsa_results), &k)) {
d = atof(sstrsep(&p, sep));
eddsa_results[k][1] += d;
}
+# endif /* OPENSSL_NO_ECX */
# ifndef OPENSSL_NO_SM2
} else if (CHECK_AND_SKIP_PREFIX(p, "+F7:")) {
tk = sstrsep(&p, sep);
#ifndef OPENSSL_NO_DH
&ossl_dhx_asn1_meth,
#endif
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECX
&ossl_ecx25519_asn1_meth,
&ossl_ecx448_asn1_meth,
-#endif
-#ifndef OPENSSL_NO_EC
&ossl_ed25519_asn1_meth,
&ossl_ed448_asn1_meth,
#endif
$ECASM_x86=ecp_nistz256.c ecp_nistz256-x86.S
$ECDEF_x86=ECP_NISTZ256_ASM
- $ECASM_x86_64=ecp_nistz256.c ecp_nistz256-x86_64.s x25519-x86_64.s
- $ECDEF_x86_64=ECP_NISTZ256_ASM X25519_ASM
-
+ $ECASM_x86_64=ecp_nistz256.c ecp_nistz256-x86_64.s
+ $ECDEF_x86_64=ECP_NISTZ256_ASM
+ IF[{- !$disabled{'ecx'} -}]
+ $ECASM_x86_64=$ECASM_x86_64 x25519-x86_64.s
+ $ECDEF_x86_64=$ECDEF_x86_64 X25519_ASM
+ ENDIF
$ECASM_ia64=
$ECASM_sparcv9=ecp_nistz256.c ecp_nistz256-sparcv9.S
$ECASM_mips32=
$ECASM_mips64=
- $ECASM_s390x=ecp_s390x_nistp.c ecx_s390x.c
+ $ECASM_s390x=ecp_s390x_nistp.c
+ IF[{- !$disabled{'ecx'} -}]
+ $ECASM_s390x=$ECASM_s390x ecx_s390x.c
+ ENDIF
$ECDEF_s390x=S390X_EC_ASM
$ECASM_armv4=ecp_nistz256.c ecp_nistz256-armv4.S
$ECASM_parisc20_64=
$ECASM_ppc32=
- $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s
- $ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM
+ $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s
+ $ECDEF_ppc64=ECP_NISTZ256_ASM
IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}]
$ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s
$ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM
INCLUDE[ecp_nistp521.o]=..
ENDIF
+ IF[{- !$disabled{'ecx'} -}]
+ $ECASM_ppc64=$ECASM_ppc64 x25519-ppc64.s
+ $ECDEF_ppc64=$ECDEF_ppc64 X25519_ASM
+ INCLUDE[ecx_s390x.o]=..
+ ENDIF
$ECASM_c64xplus=
ENDIF
$COMMON=ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c \
- ec_curve.c ec_check.c ec_key.c ec_kmeth.c ecx_key.c ec_asn1.c \
+ ec_curve.c ec_check.c ec_key.c ec_kmeth.c ec_asn1.c \
ec2_smpl.c \
ecp_oct.c ec2_oct.c ec_oct.c ecdh_ossl.c \
- ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c curve25519.c \
- curve448/f_generic.c curve448/scalar.c \
- curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \
- $ECASM ec_backend.c ecx_backend.c ecdh_kdf.c curve448/arch_64/f_impl64.c \
- curve448/arch_32/f_impl32.c
+ ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c \
+ $ECASM ec_backend.c ecdh_kdf.c
+
+IF[{- !$disabled{'ecx'} -}]
+ $COMMON=$COMMON curve25519.c curve448/f_generic.c curve448/scalar.c \
+ curve448/arch_64/f_impl64.c ecx_backend.c curve448/arch_32/f_impl32.c \
+ curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \
+ ecx_key.c
+ENDIF
IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}]
$COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c
ENDIF
-SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c ecx_meth.c \
+SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c \
ec_err.c eck_prn.c \
ec_deprecated.c ec_print.c
+IF[{- !$disabled{'ecx'} -}]
+ SOURCE[../../libcrypto]=ecx_meth.c
+ENDIF
SOURCE[../../providers/libfips.a]=$COMMON
# Implementations are now spread across several libraries, so the defines
INCLUDE[ecp_nistz256-sparcv9.o]=..
INCLUDE[ecp_s390x_nistp.o]=..
-INCLUDE[ecx_s390x.o]=..
-INCLUDE[ecx_meth.o]=..
-INCLUDE[ecx_key.o]=..
+IF[{- !$disabled{'ecx'} -}]
+ INCLUDE[ecx_meth.o]=..
+ INCLUDE[ecx_key.o]=..
+ENDIF
GENERATE[ecp_nistz256-armv4.S]=asm/ecp_nistz256-armv4.pl
INCLUDE[ecp_nistz256-armv4.o]=..
GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl
+IF[{- !$disabled{'ecx'} -}]
GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl
GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl
+ENDIF
}
# endif /* OPENSSL_NO_DSA */
-# ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
static const ECX_KEY *evp_pkey_get0_ECX_KEY(const EVP_PKEY *pkey, int type)
{
if (EVP_PKEY_get_base_id(pkey) != type) {
IMPLEMENT_ECX_VARIANT(ED25519)
IMPLEMENT_ECX_VARIANT(ED448)
-# endif
+# endif /* OPENSSL_NO_ECX */
# if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
# ifndef OPENSSL_NO_DH
ossl_dhx_pkey_method,
# endif
-# ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
ossl_ecx25519_pkey_method,
ossl_ecx448_pkey_method,
-# endif
-# ifndef OPENSSL_NO_EC
ossl_ed25519_pkey_method,
ossl_ed448_pkey_method,
# endif
LN_sha384, SHA384_DIGEST_LENGTH, 97, 97, 48, 0xFF },
{ OSSL_HPKE_KEM_ID_P521, "EC", OSSL_HPKE_KEMSTR_P521,
LN_sha512, SHA512_DIGEST_LENGTH, 133, 133, 66, 0x01 },
+# ifndef OPENSSL_NO_ECX
{ OSSL_HPKE_KEM_ID_X25519, OSSL_HPKE_KEMSTR_X25519, NULL,
LN_sha256, SHA256_DIGEST_LENGTH,
X25519_KEYLEN, X25519_KEYLEN, X25519_KEYLEN, 0x00 },
{ OSSL_HPKE_KEM_ID_X448, OSSL_HPKE_KEMSTR_X448, NULL,
LN_sha512, SHA512_DIGEST_LENGTH,
X448_KEYLEN, X448_KEYLEN, X448_KEYLEN, 0x00 }
+# endif
#else
{ OSSL_HPKE_KEM_ID_RESERVED, NULL, NULL, NULL, 0, 0, 0, 0, 0x00 }
#endif
{OSSL_HPKE_KEMSTR_P384, "0x11", "0x11", "17" }},
{OSSL_HPKE_KEM_ID_P521,
{OSSL_HPKE_KEMSTR_P521, "0x12", "0x12", "18" }},
+# ifndef OPENSSL_NO_ECX
{OSSL_HPKE_KEM_ID_X25519,
{OSSL_HPKE_KEMSTR_X25519, "0x20", "0x20", "32" }},
{OSSL_HPKE_KEM_ID_X448,
{OSSL_HPKE_KEMSTR_X448, "0x21", "0x21", "33" }}
+# endif
};
static const synonymttab_t kdfstrtab[] = {
{OSSL_HPKE_KDF_ID_HKDF_SHA256,
return ret;
}
+# ifndef OPENSSL_NO_ECX
ECX_KEY *ossl_d2i_ED25519_PUBKEY(ECX_KEY **a,
const unsigned char **pp, long length)
{
return ret;
}
+# endif /* OPENSSL_NO_ECX */
#endif
void X509_PUBKEY_set0_public_key(X509_PUBKEY *pub,
# include <openssl/opensslconf.h>
-# ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
# include <openssl/core.h>
# include <openssl/e_os2.h>
ECX_KEY *ossl_evp_pkey_get1_X448(EVP_PKEY *pkey);
ECX_KEY *ossl_evp_pkey_get1_ED25519(EVP_PKEY *pkey);
ECX_KEY *ossl_evp_pkey_get1_ED448(EVP_PKEY *pkey);
-# endif /* OPENSSL_NO_EC */
+# endif /* OPENSSL_NO_ECX */
#endif
# endif
# ifndef OPENSSL_NO_EC
struct ec_key_st *ec; /* ECC */
+# ifndef OPENSSL_NO_ECX
ECX_KEY *ecx; /* X25519, X448, Ed25519, Ed448 */
+# endif
# endif
};
* Suite constants, use this like:
* OSSL_HPKE_SUITE myvar = OSSL_HPKE_SUITE_DEFAULT;
*/
-# define OSSL_HPKE_SUITE_DEFAULT \
+# ifndef OPENSSL_NO_ECX
+# define OSSL_HPKE_SUITE_DEFAULT \
{\
OSSL_HPKE_KEM_ID_X25519, \
OSSL_HPKE_KDF_ID_HKDF_SHA256, \
OSSL_HPKE_AEAD_ID_AES_GCM_128 \
}
+# else
+# define OSSL_HPKE_SUITE_DEFAULT \
+ {\
+ OSSL_HPKE_KEM_ID_P256, \
+ OSSL_HPKE_KDF_ID_HKDF_SHA256, \
+ OSSL_HPKE_AEAD_ID_AES_GCM_128 \
+ }
+#endif
typedef struct ossl_hpke_ctx_st OSSL_HPKE_CTX;
ENDIF
#----- ECX
-IF[{- !$disabled{ec} -}]
+IF[{- !$disabled{ecx} -}]
$DER_ECX_H=$INCDIR/der_ecx.h
$DER_ECX_GEN=der_ecx_gen.c
$DER_ECX_AUX=der_ecx_key.c
IF[{- !$disabled{ec} -}]
$COMMON = $COMMON $DER_EC_GEN $DER_EC_AUX
- $COMMON = $COMMON $DER_ECX_GEN $DER_ECX_AUX
+ IF[{- !$disabled{ecx} -}]
+ $COMMON = $COMMON $DER_ECX_GEN $DER_ECX_AUX
+ ENDIF
ENDIF
IF[{- !$disabled{sm2} -}]
DECODER_w_structure("EC", der, SubjectPublicKeyInfo, ec, yes),
DECODER_w_structure("EC", der, type_specific_no_pub, ec, yes),
DECODER_w_structure("EC", der, EC, ec, yes),
+# ifndef OPENSSL_NO_ECX
DECODER_w_structure("ED25519", der, PrivateKeyInfo, ed25519, yes),
DECODER_w_structure("ED25519", der, SubjectPublicKeyInfo, ed25519, yes),
DECODER_w_structure("ED448", der, PrivateKeyInfo, ed448, yes),
DECODER_w_structure("X25519", der, SubjectPublicKeyInfo, x25519, yes),
DECODER_w_structure("X448", der, PrivateKeyInfo, x448, yes),
DECODER_w_structure("X448", der, SubjectPublicKeyInfo, x448, yes),
+# endif
# ifndef OPENSSL_NO_SM2
DECODER_w_structure("SM2", der, PrivateKeyInfo, sm2, no),
DECODER_w_structure("SM2", der, SubjectPublicKeyInfo, sm2, no),
#endif
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_ECDH, "provider=default", ossl_ecdh_keyexch_functions },
+# ifndef OPENSSL_NO_ECX
{ PROV_NAMES_X25519, "provider=default", ossl_x25519_keyexch_functions },
{ PROV_NAMES_X448, "provider=default", ossl_x448_keyexch_functions },
+# endif
#endif
{ PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_keyexch_functions },
{ PROV_NAMES_HKDF, "provider=default", ossl_kdf_hkdf_keyexch_functions },
#endif
{ PROV_NAMES_RSA, "provider=default", ossl_rsa_signature_functions },
#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
{ PROV_NAMES_ED25519, "provider=default", ossl_ed25519_signature_functions },
{ PROV_NAMES_ED448, "provider=default", ossl_ed448_signature_functions },
+# endif
{ PROV_NAMES_ECDSA, "provider=default", ossl_ecdsa_signature_functions },
# ifndef OPENSSL_NO_SM2
{ PROV_NAMES_SM2, "provider=default", ossl_sm2_signature_functions },
static const OSSL_ALGORITHM deflt_asym_kem[] = {
{ PROV_NAMES_RSA, "provider=default", ossl_rsa_asym_kem_functions },
#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
{ PROV_NAMES_X25519, "provider=default", ossl_ecx_asym_kem_functions },
{ PROV_NAMES_X448, "provider=default", ossl_ecx_asym_kem_functions },
+# endif
{ PROV_NAMES_EC, "provider=default", ossl_ec_asym_kem_functions },
#endif
{ NULL, NULL, NULL }
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_EC, "provider=default", ossl_ec_keymgmt_functions,
PROV_DESCS_EC },
+# ifndef OPENSSL_NO_ECX
{ PROV_NAMES_X25519, "provider=default", ossl_x25519_keymgmt_functions,
PROV_DESCS_X25519 },
{ PROV_NAMES_X448, "provider=default", ossl_x448_keymgmt_functions,
PROV_DESCS_ED25519 },
{ PROV_NAMES_ED448, "provider=default", ossl_ed448_keymgmt_functions,
PROV_DESCS_ED448 },
+# endif
#endif
{ PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_keymgmt_functions,
PROV_DESCS_TLS1_PRF_SIGN },
#endif
#ifndef OPENSSL_NO_EC
ENCODER_TEXT("EC", ec, yes),
+# ifndef OPENSSL_NO_ECX
ENCODER_TEXT("ED25519", ed25519, yes),
ENCODER_TEXT("ED448", ed448, yes),
ENCODER_TEXT("X25519", x25519, yes),
ENCODER_TEXT("X448", x448, yes),
+# endif
# ifndef OPENSSL_NO_SM2
ENCODER_TEXT("SM2", sm2, no),
# endif
ENCODER_w_structure("EC", ec, yes, der, SubjectPublicKeyInfo),
ENCODER_w_structure("EC", ec, yes, pem, SubjectPublicKeyInfo),
+#ifndef OPENSSL_NO_ECX
ENCODER_w_structure("X25519", x25519, yes, der, EncryptedPrivateKeyInfo),
ENCODER_w_structure("X25519", x25519, yes, pem, EncryptedPrivateKeyInfo),
ENCODER_w_structure("X25519", x25519, yes, der, PrivateKeyInfo),
ENCODER_w_structure("ED448", ed448, yes, pem, PrivateKeyInfo),
ENCODER_w_structure("ED448", ed448, yes, der, SubjectPublicKeyInfo),
ENCODER_w_structure("ED448", ed448, yes, pem, SubjectPublicKeyInfo),
+# endif
# ifndef OPENSSL_NO_SM2
ENCODER_w_structure("SM2", sm2, no, der, EncryptedPrivateKeyInfo),
#endif
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
+# ifndef OPENSSL_NO_ECX
{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
+# endif
#endif
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
ossl_kdf_tls1_prf_keyexch_functions },
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
{ PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
ossl_ed25519_signature_functions },
{ PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
+# endif
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
#endif
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
PROV_DESCS_EC },
+# ifndef OPENSSL_NO_ECX
{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
PROV_DESCS_X25519 },
{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
PROV_DESCS_ED25519 },
{ PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
PROV_DESCS_ED448 },
+# endif
#endif
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
PROV_DESCS_TLS1_PRF_SIGN },
ossl_ec_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx));
}
+# ifndef OPENSSL_NO_ECX
/*
* ED25519, ED448, X25519, X448 only implement PKCS#8 and SubjectPublicKeyInfo,
* so no d2i functions to be had.
ossl_ecx_key_set0_libctx(key, PROV_LIBCTX_OF(ctx->provctx));
}
-# define ed25519_evp_type EVP_PKEY_ED25519
-# define ed25519_d2i_private_key NULL
-# define ed25519_d2i_public_key NULL
-# define ed25519_d2i_key_params NULL
-# define ed25519_d2i_PKCS8 ecx_d2i_PKCS8
-# define ed25519_d2i_PUBKEY (d2i_of_void *)ossl_d2i_ED25519_PUBKEY
-# define ed25519_free (free_key_fn *)ossl_ecx_key_free
-# define ed25519_check NULL
-# define ed25519_adjust ecx_key_adjust
-
-# define ed448_evp_type EVP_PKEY_ED448
-# define ed448_d2i_private_key NULL
-# define ed448_d2i_public_key NULL
-# define ed448_d2i_key_params NULL
-# define ed448_d2i_PKCS8 ecx_d2i_PKCS8
-# define ed448_d2i_PUBKEY (d2i_of_void *)ossl_d2i_ED448_PUBKEY
-# define ed448_free (free_key_fn *)ossl_ecx_key_free
-# define ed448_check NULL
-# define ed448_adjust ecx_key_adjust
-
-# define x25519_evp_type EVP_PKEY_X25519
-# define x25519_d2i_private_key NULL
-# define x25519_d2i_public_key NULL
-# define x25519_d2i_key_params NULL
-# define x25519_d2i_PKCS8 ecx_d2i_PKCS8
-# define x25519_d2i_PUBKEY (d2i_of_void *)ossl_d2i_X25519_PUBKEY
-# define x25519_free (free_key_fn *)ossl_ecx_key_free
-# define x25519_check NULL
-# define x25519_adjust ecx_key_adjust
-
-# define x448_evp_type EVP_PKEY_X448
-# define x448_d2i_private_key NULL
-# define x448_d2i_public_key NULL
-# define x448_d2i_key_params NULL
-# define x448_d2i_PKCS8 ecx_d2i_PKCS8
-# define x448_d2i_PUBKEY (d2i_of_void *)ossl_d2i_X448_PUBKEY
-# define x448_free (free_key_fn *)ossl_ecx_key_free
-# define x448_check NULL
-# define x448_adjust ecx_key_adjust
+# define ed25519_evp_type EVP_PKEY_ED25519
+# define ed25519_d2i_private_key NULL
+# define ed25519_d2i_public_key NULL
+# define ed25519_d2i_key_params NULL
+# define ed25519_d2i_PKCS8 ecx_d2i_PKCS8
+# define ed25519_d2i_PUBKEY (d2i_of_void *)ossl_d2i_ED25519_PUBKEY
+# define ed25519_free (free_key_fn *)ossl_ecx_key_free
+# define ed25519_check NULL
+# define ed25519_adjust ecx_key_adjust
+
+# define ed448_evp_type EVP_PKEY_ED448
+# define ed448_d2i_private_key NULL
+# define ed448_d2i_public_key NULL
+# define ed448_d2i_key_params NULL
+# define ed448_d2i_PKCS8 ecx_d2i_PKCS8
+# define ed448_d2i_PUBKEY (d2i_of_void *)ossl_d2i_ED448_PUBKEY
+# define ed448_free (free_key_fn *)ossl_ecx_key_free
+# define ed448_check NULL
+# define ed448_adjust ecx_key_adjust
+
+# define x25519_evp_type EVP_PKEY_X25519
+# define x25519_d2i_private_key NULL
+# define x25519_d2i_public_key NULL
+# define x25519_d2i_key_params NULL
+# define x25519_d2i_PKCS8 ecx_d2i_PKCS8
+# define x25519_d2i_PUBKEY (d2i_of_void *)ossl_d2i_X25519_PUBKEY
+# define x25519_free (free_key_fn *)ossl_ecx_key_free
+# define x25519_check NULL
+# define x25519_adjust ecx_key_adjust
+
+# define x448_evp_type EVP_PKEY_X448
+# define x448_d2i_private_key NULL
+# define x448_d2i_public_key NULL
+# define x448_d2i_key_params NULL
+# define x448_d2i_PKCS8 ecx_d2i_PKCS8
+# define x448_d2i_PUBKEY (d2i_of_void *)ossl_d2i_X448_PUBKEY
+# define x448_free (free_key_fn *)ossl_ecx_key_free
+# define x448_check NULL
+# define x448_adjust ecx_key_adjust
+# endif /* OPENSSL_NO_ECX */
# ifndef OPENSSL_NO_SM2
# define sm2_evp_type EVP_PKEY_SM2
MAKE_DECODER("EC", ec, ec, SubjectPublicKeyInfo);
MAKE_DECODER("EC", ec, ec, type_specific_no_pub);
MAKE_DECODER("EC", ec, ec, EC);
+# ifndef OPENSSL_NO_ECX
MAKE_DECODER("X25519", x25519, ecx, PrivateKeyInfo);
MAKE_DECODER("X25519", x25519, ecx, SubjectPublicKeyInfo);
MAKE_DECODER("X448", x448, ecx, PrivateKeyInfo);
MAKE_DECODER("ED25519", ed25519, ecx, SubjectPublicKeyInfo);
MAKE_DECODER("ED448", ed448, ecx, PrivateKeyInfo);
MAKE_DECODER("ED448", ed448, ecx, SubjectPublicKeyInfo);
+# endif
# ifndef OPENSSL_NO_SM2
MAKE_DECODER("SM2", sm2, ec, PrivateKeyInfo);
MAKE_DECODER("SM2", sm2, ec, SubjectPublicKeyInfo);
/* ---------------------------------------------------------------------- */
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECX
# define prepare_ecx_params NULL
static int ecx_spki_pub_to_der(const void *vecxkey, unsigned char **pder)
MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, der);
MAKE_ENCODER(sm2, ec, EVP_PKEY_EC, SubjectPublicKeyInfo, pem);
# endif
+# ifndef OPENSSL_NO_ECX
MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, EncryptedPrivateKeyInfo, der);
MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, EncryptedPrivateKeyInfo, pem);
MAKE_ENCODER(ed25519, ecx, EVP_PKEY_ED25519, PrivateKeyInfo, der);
MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, PrivateKeyInfo, pem);
MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, SubjectPublicKeyInfo, der);
MAKE_ENCODER(x448, ecx, EVP_PKEY_ED448, SubjectPublicKeyInfo, pem);
+# endif
#endif
/*
/* ---------------------------------------------------------------------- */
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECX
static int ecx_to_text(BIO *out, const void *key, int selection)
{
const ECX_KEY *ecx = key;
# ifndef OPENSSL_NO_SM2
MAKE_TEXT_ENCODER(sm2, ec);
# endif
+# ifndef OPENSSL_NO_ECX
MAKE_TEXT_ENCODER(ed25519, ecx);
MAKE_TEXT_ENCODER(ed448, ecx);
MAKE_TEXT_ENCODER(x25519, ecx);
MAKE_TEXT_ENCODER(x448, ecx);
+# endif
#endif
MAKE_TEXT_ENCODER(rsa, rsa);
MAKE_TEXT_ENCODER(rsapss, rsa);
ENDIF
IF[{- !$disabled{ec} -}]
- SOURCE[$ECX_GOAL]=ecx_exch.c
- DEFINE[$ECX_GOAL]=$ECDEF
+ IF[{- !$disabled{ecx} -}]
+ SOURCE[$ECX_GOAL]=ecx_exch.c
+ DEFINE[$ECX_GOAL]=$ECDEF
+ ENDIF
SOURCE[$ECDH_GOAL]=ecdh_exch.c
ENDIF
extern const OSSL_DISPATCH ossl_dsa_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_rsa_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_rsapss_keymgmt_functions[];
+#ifndef OPENSSL_NO_ECX
extern const OSSL_DISPATCH ossl_x25519_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_x448_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_ed25519_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_ed448_keymgmt_functions[];
+#endif
extern const OSSL_DISPATCH ossl_ec_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_kdf_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_mac_legacy_keymgmt_functions[];
SOURCE[$RSA_KEM_GOAL]=rsa_kem.c
IF[{- !$disabled{ec} -}]
- SOURCE[$EC_KEM_GOAL]=ecx_kem.c kem_util.c ec_kem.c
+ SOURCE[$EC_KEM_GOAL]=kem_util.c ec_kem.c
+ IF[{- !$disabled{ecx} -}]
+ SOURCE[$EC_KEM_GOAL]=ecx_kem.c
+ ENDIF
ENDIF
ENDIF
IF[{- !$disabled{ec} -}]
- SOURCE[$ECX_GOAL]=ecx_kmgmt.c
- DEFINE[$ECX_GOAL]=$ECDEF
+ IF[{- !$disabled{ecx} -}]
+ SOURCE[$ECX_GOAL]=ecx_kmgmt.c
+ DEFINE[$ECX_GOAL]=$ECDEF
+ ENDIF
ENDIF
SOURCE[$RSA_GOAL]=rsa_kmgmt.c
ENDIF
IF[{- !$disabled{ec} -}]
- SOURCE[$EC_GOAL]=eddsa_sig.c ecdsa_sig.c
+ SOURCE[$EC_GOAL]=ecdsa_sig.c
+ IF[{- !$disabled{ecx} -}]
+ SOURCE[$EC_GOAL]=eddsa_sig.c
+ ENDIF
ENDIF
IF[{- !$disabled{sm2} -}]
PROGRAMS{noinst}=sm4_internal_test
ENDIF
IF[{- !$disabled{ec} -}]
- PROGRAMS{noinst}=ectest ec_internal_test curve448_internal_test \
- evp_pkey_dhkem_test
+ PROGRAMS{noinst}=ectest ec_internal_test evp_pkey_dhkem_test
+ ENDIF
+ IF[{- !$disabled{ecx} -}]
+ PROGRAMS{noinst}=curve448_internal_test
ENDIF
IF[{- !$disabled{cmac} -}]
PROGRAMS{noinst}=cmactest
INCLUDE[ec_internal_test]=../include ../crypto/ec ../apps/include
DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a
- SOURCE[curve448_internal_test]=curve448_internal_test.c
- INCLUDE[curve448_internal_test]=.. ../include ../apps/include ../crypto/ec/curve448
- DEPEND[curve448_internal_test]=../libcrypto.a libtestutil.a
+ IF[{- !$disabled{ecx} -}]
+ SOURCE[curve448_internal_test]=curve448_internal_test.c
+ INCLUDE[curve448_internal_test]=.. ../include ../apps/include ../crypto/ec/curve448
+ DEPEND[curve448_internal_test]=../libcrypto.a libtestutil.a
+ ENDIF
SOURCE[rc4test]=rc4test.c
INCLUDE[rc4test]=../include ../apps/include
"P-256",
"P-384",
"P-521",
+#ifndef OPENSSL_NO_ECX
"X25519",
- "X448"
+ "X448",
+#endif
};
/* TEST vectors extracted from RFC 9180 */
/* Base test values */
+#ifndef OPENSSL_NO_ECX
static const unsigned char x25519_ikme[] = {
0x72, 0x68, 0x60, 0x0d, 0x40, 0x3f, 0xce, 0x43,
0x15, 0x61, 0xae, 0xf5, 0x83, 0xee, 0x16, 0x13,
0xe4, 0x4e, 0x2b, 0xeb, 0xc8, 0x1f, 0x84, 0x60,
0x86, 0x77, 0x95, 0x8c, 0x0d, 0x44, 0x48, 0xa7
};
+#endif
static const unsigned char p256_ikme[] = {
0x42, 0x70, 0xe5, 0x4f, 0xfd, 0x08, 0xd7, 0x9d,
p256_expected_enc, sizeof(p256_expected_enc),
p256_expected_secret, sizeof(p256_expected_secret),
},
+#ifndef OPENSSL_NO_ECX
{
"X25519",
x25519_ikme, sizeof(x25519_ikme),
x25519_expected_enc, sizeof(x25519_expected_enc),
x25519_expected_secret, sizeof(x25519_expected_secret),
},
+#endif
{
"P-521",
p521_ikme, sizeof(p521_ikme),
p521_auth_ikms_pub, sizeof(p521_auth_ikms_pub),
p521_auth_ikms_priv, sizeof(p521_auth_ikms_priv)
},
+#ifndef OPENSSL_NO_ECX
{
"X25519",
x25519_auth_ikme, sizeof(x25519_auth_ikme),
x25519_auth_spub, sizeof(x25519_auth_spub),
x25519_auth_spriv, sizeof(x25519_auth_spriv)
}
+#endif
};
/* Test vector from https://github.com/cfrg/draft-irtf-cfrg-hpke */
+#ifndef OPENSSL_NO_ECX
static const unsigned char x448_ikmr[] = {
0xd4, 0x5d, 0x16, 0x52, 0xdf, 0x74, 0x92, 0x0a,
0xbf, 0x94, 0xa2, 0x88, 0x3c, 0x83, 0x05, 0x0f,
x448_ikmr_priv, sizeof(x448_ikmr_priv)
},
};
+#endif
/*
* Helper function to create a EC or ECX private key from bytes.
0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
};
+# ifndef OPENSSL_NO_ECX
static const unsigned char kExampleED25519KeyDER[] = {
0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
0x04, 0x22, 0x04, 0x20, 0xba, 0x7b, 0xba, 0x20, 0x1b, 0x02, 0x75, 0x3a,
0x7b, 0x96, 0x0b, 0xd4, 0x8f, 0xd1, 0xee, 0x67, 0xf2, 0x9b, 0x88, 0xac,
0x50, 0xce, 0x97, 0x36, 0xdd, 0xaf, 0x25, 0xf6, 0x10, 0x34, 0x96, 0x6e
};
+# endif
# endif
#endif
1, 1},
{pExampleECParamDER, sizeof(pExampleECParamDER), "EC", EVP_PKEY_EC, 0, 0, 1,
2},
+# ifndef OPENSSL_NO_ECX
{kExampleED25519KeyDER, sizeof(kExampleED25519KeyDER), "ED25519",
EVP_PKEY_ED25519, 1, 1, 1, 0},
{kExampleED25519PubKeyDER, sizeof(kExampleED25519PubKeyDER), "ED25519",
EVP_PKEY_ED25519, 0, 1, 1, 1},
+# endif
#endif
};
}
# endif
-# ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
static EVP_PKEY *load_example_ed25519_key(void)
{
return load_example_key("ED25519", kExampleED25519KeyDER,
EVP_PKEY_SIPHASH, "0123456789012345", NULL
#endif
},
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECX
{
EVP_PKEY_X25519, "01234567890123456789012345678901",
"abcdefghijklmnopqrstuvwxyzabcdef"
# endif
case 3:
case 9:
-# ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
id = EVP_PKEY_ED25519;
md = NULL;
pkey = load_example_ed25519_key();
# endif
case 5:
case 11:
-# ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
id = EVP_PKEY_X25519;
doderive = 1;
pkey = load_example_x25519_key();
if (tst <= 1)
return 1;
# endif
+# ifdef OPENSSL_NO_ECX
+ /* Skip ECX tests in a no-ecx build */
+ if (tst == 2)
+ return 1;
+# endif
if (!TEST_ptr(e = ENGINE_by_id(engine_id)))
return 0;
# endif /* OPENSSL_NO_DYNAMIC_ENGINE */
#endif /* OPENSSL_NO_DEPRECATED_3_0 */
+#ifndef OPENSSL_NO_ECX
static int ecxnids[] = {
NID_X25519,
NID_X448,
return 1;
}
+#endif
typedef enum OPTION_choice {
OPT_ERR = -1,
return options;
}
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECX
/* Test that trying to sign with a public key errors out gracefully */
static int test_ecx_not_private_key(int tst)
{
return testresult;
}
-#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_ECX */
static int test_sign_continuation(void)
{
# endif
#endif
+#ifndef OPENSSL_NO_ECX
ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids));
-
-#ifndef OPENSSL_NO_EC
ADD_ALL_TESTS(test_ecx_not_private_key, OSSL_NELEM(keys));
#endif
0x96, 0x69, 0xE0, 0x04, 0xCB, 0x89, 0x0B, 0x42
};
+# ifndef OPENSSL_NO_ECX
static const unsigned char kExampleECXKey2DER[] = {
0x30, 0x2E, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e,
0x04, 0x22, 0x04, 0x20, 0xc8, 0xa9, 0xd5, 0xa9, 0x10, 0x91, 0xad, 0x85,
0x1c, 0x66, 0x8b, 0x07, 0x36, 0xc1, 0xc9, 0xa0, 0x29, 0x36, 0xc0, 0xd3,
0xad, 0x62, 0x67, 0x08, 0x58, 0x08, 0x80, 0x47, 0xba, 0x05, 0x74, 0x75
};
+# endif
#endif
typedef struct APK_DATA_st {
{kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), EVP_PKEY_RSA},
{kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), EVP_PKEY_RSA},
#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
{kExampleECXKey2DER, sizeof(kExampleECXKey2DER), EVP_PKEY_X25519},
+# endif
{kExampleECKeyDER, sizeof(kExampleECKeyDER), EVP_PKEY_EC},
{kExampleECKey2DER, sizeof(kExampleECKey2DER), EVP_PKEY_EC},
#endif
return ret;
}
+# ifndef OPENSSL_NO_ECX
static int test_ecx_tofrom_data_select(void)
{
int ret;
EVP_PKEY_free(key);
return ret;
}
+# endif
#endif
#ifndef OPENSSL_NO_SM2
#ifndef OPENSSL_NO_EC
ADD_ALL_TESTS(test_d2i_PrivateKey_ex, 2);
ADD_TEST(test_ec_tofrom_data_select);
+# ifndef OPENSSL_NO_ECX
ADD_TEST(test_ecx_tofrom_data_select);
+# endif
ADD_TEST(test_ec_d2i_i2d_pubkey);
#else
ADD_ALL_TESTS(test_d2i_PrivateKey_ex, 1);
enc, t->expected_enclen), 0);
}
+#ifndef OPENSSL_NO_ECX
/* ECX specific tests */
/* Perform ECX DHKEM KATs */
EVP_PKEY_CTX_free(ctx);
return ret;
}
+#endif
int setup_tests(void)
{
if (!TEST_ptr(rkey[TEST_KEYTYPE_P256] = EVP_PKEY_Q_keygen(libctx, NULL,
"EC", "P-256")))
goto err;
+#ifndef OPENSSL_NO_ECX
if (!TEST_ptr(rkey[TEST_KEYTYPE_X25519] = EVP_PKEY_Q_keygen(libctx, NULL,
"X25519")))
goto err;
+#endif
if (!TEST_ptr(rctx[TEST_KEYTYPE_P256] =
EVP_PKEY_CTX_new_from_pkey(libctx,
rkey[TEST_KEYTYPE_P256], NULL)))
goto err;
+#ifndef OPENSSL_NO_ECX
if (!TEST_ptr(rctx[TEST_KEYTYPE_X25519] =
EVP_PKEY_CTX_new_from_pkey(libctx,
rkey[TEST_KEYTYPE_X25519], NULL)))
goto err;
+#endif
ADD_ALL_TESTS(test_dhkem_encapsulate, OSSL_NELEM(ec_encapdata));
ADD_ALL_TESTS(test_dhkem_decapsulate, OSSL_NELEM(ec_encapdata));
+#ifndef OPENSSL_NO_ECX
ADD_ALL_TESTS(test_settables, TEST_KEYTYPES_P256_X25519);
ADD_ALL_TESTS(test_init_multiple, TEST_KEYTYPES_P256_X25519);
TEST_KEM_ENCAP_DECAP * TEST_KEYTYPES_P256_X25519);
ADD_ALL_TESTS(test_noauthpublic,
TEST_KEM_ENCAP_DECAP * TEST_KEYTYPES_P256_X25519);
-
+#else
+ ADD_ALL_TESTS(test_settables, TEST_KEYTYPE_P256);
+ ADD_ALL_TESTS(test_init_multiple, TEST_KEYTYPE_P256);
+
+ ADD_ALL_TESTS(test_auth_key_type_mismatch, TEST_KEYTYPE_P256);
+ ADD_ALL_TESTS(test_no_operation_set, TEST_KEYTYPE_P256);
+ ADD_ALL_TESTS(test_ikm_small, TEST_KEYTYPE_P256);
+ ADD_ALL_TESTS(test_input_size_small, TEST_KEYTYPE_P256);
+ ADD_ALL_TESTS(test_null_params, TEST_KEYTYPE_P256);
+ ADD_ALL_TESTS(test_set_params, TEST_KEYTYPE_P256);
+ ADD_ALL_TESTS(test_nopublic,
+ TEST_KEM_ENCAP_DECAP * TEST_KEYTYPE_P256);
+ ADD_ALL_TESTS(test_noauthpublic,
+ TEST_KEM_ENCAP_DECAP * TEST_KEYTYPE_P256);
+#endif
/* EC Specific tests */
ADD_ALL_TESTS(test_ec_dhkem_derivekey, OSSL_NELEM(ec_derivekey_data));
ADD_ALL_TESTS(test_ec_noikme,
ADD_ALL_TESTS(test_ec_badauth, TEST_KEM_ENCAP_DECAP);
/* ECX specific tests */
+#ifndef OPENSSL_NO_ECX
ADD_ALL_TESTS(test_ecx_dhkem_derivekey, OSSL_NELEM(ecx_derivekey_data));
ADD_TEST(test_ecx_auth_key_curve_mismatch);
ADD_TEST(test_ed_curve_unsupported);
+#endif
return 1;
err:
return 0;
return ret;
}
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECX
static int test_print_key_using_encoder_public(const char *alg,
const EVP_PKEY *pk)
{
#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
/* Array indexes used in test_fromdata_ecx */
# define PRIV_KEY 0
# define PUB_KEY 1
return ret;
}
+# endif /* OPENSSL_NO_ECX */
static int test_fromdata_ec(void)
{
ADD_TEST(test_fromdata_dsa_fips186_4);
#endif
#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_ECX
ADD_ALL_TESTS(test_fromdata_ecx, 4 * 3);
+# endif
ADD_TEST(test_fromdata_ec);
ADD_TEST(test_ec_dup_no_operation);
ADD_TEST(test_ec_dup_keygen_operation);
0x20, 0x47, 0x72, 0x65, 0x63, 0x69, 0x61, 0x6e,
0x20, 0x55, 0x72, 0x6e
};
+#ifndef OPENSSL_NO_ECX
/*
* static const char *pskid = "Ennyn Durin aran Moria";
*/
return do_testhpke(&basedata, aeaddata, OSSL_NELEM(aeaddata),
exportdata, OSSL_NELEM(exportdata));
}
+#endif
static const unsigned char third_ikme[] = {
0x42, 0x70, 0xe5, 0x4f, 0xfd, 0x08, 0xd7, 0x9d,
exportdata, OSSL_NELEM(exportdata));
}
+#ifndef OPENSSL_NO_ECX
static const unsigned char fourth_ikme[] = {
0x55, 0xbc, 0x24, 0x5e, 0xe4, 0xef, 0xda, 0x25,
0xd3, 0x8f, 0x2d, 0x54, 0xd5, 0xbb, 0x66, 0x65,
return do_testhpke(&basedata, NULL, 0,
exportdata, OSSL_NELEM(exportdata));
}
+#endif
/*
* Randomly toss a coin
OSSL_HPKE_KEM_ID_P256,
OSSL_HPKE_KEM_ID_P384,
OSSL_HPKE_KEM_ID_P521,
+#ifndef OPENSSL_NO_ECX
OSSL_HPKE_KEM_ID_X25519,
OSSL_HPKE_KEM_ID_X448
+#endif
};
static uint16_t hpke_kdf_list[] = {
OSSL_HPKE_KDF_ID_HKDF_SHA256,
"base", "psk", "auth", "pskauth"
};
static const char *kem_str_list[] = {
+#ifndef OPENSSL_NO_ECX
"P-256", "P-384", "P-521", "x25519", "x448",
"0x10", "0x11", "0x12", "0x20", "0x21",
"16", "17", "18", "32", "33"
+#else
+ "P-256", "P-384", "P-521",
+ "0x10", "0x11", "0x12",
+ "16", "17", "18"
+#endif
};
static const char *kdf_str_list[] = {
"hkdf-sha256", "hkdf-sha384", "hkdf-sha512",
return erv;
}
+#ifndef OPENSSL_NO_ECX
/* from RFC 9180 Appendix A.1.1 */
static const unsigned char ikm25519[] = {
0x72, 0x68, 0x60, 0x0d, 0x40, 0x3f, 0xce, 0x43,
0x1d, 0x12, 0x53, 0xb6, 0xd4, 0xea, 0x6d, 0x44,
0xc1, 0x50, 0xf7, 0x41, 0xf1, 0xbf, 0x44, 0x31
};
+#endif
/* from RFC9180 Appendix A.3.1 */
static const unsigned char ikmp256[] = {
{
int res = 1;
+#ifndef OPENSSL_NO_ECX
res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_X25519,
ikm25519, sizeof(ikm25519),
pub25519, sizeof(pub25519));
if (res != 1)
return res;
+#endif
res = test_hpke_one_ikm_gen(OSSL_HPKE_KEM_ID_P521,
ikmp521, sizeof(ikmp521),
if (!test_get_libctx(&testctx, &nullprov, NULL, &deflprov, "default"))
return 0;
+#ifndef OPENSSL_NO_ECX
+ ADD_TEST(export_only_test);
ADD_TEST(x25519kdfsha256_hkdfsha256_aes128gcm_base_test);
ADD_TEST(x25519kdfsha256_hkdfsha256_aes128gcm_psk_test);
+#endif
ADD_TEST(P256kdfsha256_hkdfsha256_aes128gcm_base_test);
- ADD_TEST(export_only_test);
ADD_TEST(test_hpke_export);
ADD_TEST(test_hpke_modes_suites);
ADD_TEST(test_hpke_suite_strs);
setup("test_internal_curve448");
-plan skip_all => "This test is unsupported in a no-ec build"
- if disabled("ec");
+plan skip_all => "This test is unsupported in a no-ecx build"
+ if disabled("ecx");
simple_test("test_internal_curve448", "curve448_internal_test");
(
'testrsapub',
disabled('dsa') ? () : 'testdsapub',
- disabled('ec') ? () : qw(testecpub-p256 tested25519pub tested448pub)
+ disabled('ec') ? () : qw(testecpub-p256),
+ disabled('ecx') ? () : qw(tested25519pub tested448pub)
);
my @certs = sort keys %certs_info;
-args => [ "pkey", "-pubin", "-pubout" ] );
};
-subtest 'Ed25519 conversions -- private key' => sub {
- tconversion( -type => "pkey", -prefix => "ed25519-pkey-priv",
- -in => srctop_file("test", "tested25519.pem") );
-};
-subtest 'Ed25519 conversions -- private key PKCS#8' => sub {
- tconversion( -type => "pkey", -prefix => "ed25519-pkey-pkcs8",
- -in => srctop_file("test", "tested25519.pem"),
- -args => ["pkey"] );
-};
-subtest 'Ed25519 conversions -- public key' => sub {
- tconversion( -type => "pkey", -prefix => "ed25519-pkey-pub",
- -in => srctop_file("test", "tested25519pub.pem"),
- -args => ["pkey", "-pubin", "-pubout"] );
-};
-subtest 'Ed448 conversions -- private key' => sub {
- tconversion( -type => "pkey", -prefix => "ed448-pkey-priv",
- -in => srctop_file("test", "tested448.pem") );
-};
-subtest 'Ed448 conversions -- private key PKCS#8' => sub {
- tconversion( -type => "pkey", -prefix => "ed448-pkey-pkcs8",
- -in => srctop_file("test", "tested448.pem"),
- -args => ["pkey"] );
-};
-subtest 'Ed448 conversions -- public key' => sub {
- tconversion( -type => "pkey", -prefix => "ed448-pkey-pub",
- -in => srctop_file("test", "tested448pub.pem"),
- -args => ["pkey", "-pubin", "-pubout"] );
-};
+SKIP: {
+ skip "ECX is not supported by this OpenSSL build", 6
+ if disabled("ecx");
+ subtest 'Ed25519 conversions -- private key' => sub {
+ tconversion( -type => "pkey", -prefix => "ed25519-pkey-priv",
+ -in => srctop_file("test", "tested25519.pem") );
+ };
+ subtest 'Ed25519 conversions -- private key PKCS#8' => sub {
+ tconversion( -type => "pkey", -prefix => "ed25519-pkey-pkcs8",
+ -in => srctop_file("test", "tested25519.pem"),
+ -args => ["pkey"] );
+ };
+ subtest 'Ed25519 conversions -- public key' => sub {
+ tconversion( -type => "pkey", -prefix => "ed25519-pkey-pub",
+ -in => srctop_file("test", "tested25519pub.pem"),
+ -args => ["pkey", "-pubin", "-pubout"] );
+ };
+ subtest 'Ed448 conversions -- private key' => sub {
+ tconversion( -type => "pkey", -prefix => "ed448-pkey-priv",
+ -in => srctop_file("test", "tested448.pem") );
+ };
+ subtest 'Ed448 conversions -- private key PKCS#8' => sub {
+ tconversion( -type => "pkey", -prefix => "ed448-pkey-pkcs8",
+ -in => srctop_file("test", "tested448.pem"),
+ -args => ["pkey"] );
+ };
+ subtest 'Ed448 conversions -- public key' => sub {
+ tconversion( -type => "pkey", -prefix => "ed448-pkey-pub",
+ -in => srctop_file("test", "tested448pub.pem"),
+ -args => ["pkey", "-pubin", "-pubout"] );
+ };
+}
subtest 'Check loading of fips and non-fips keys' => sub {
plan skip_all => "FIPS is disabled"
push @algs, qw(RSA) unless disabled("rsa");
push @algs, qw(DSA) unless disabled("dsa");
push @algs, qw(DH DHX) unless disabled("dh");
-push @algs, qw(EC X25519 X448) unless disabled("ec");
+push @algs, qw(EC) unless disabled("ec");
+push @algs, qw(X25519 X448) unless disabled("ecx");
push @algs, qw(SM2) unless disabled("sm2");
plan tests => scalar(@algs);
SKIP: {
skip "EdDSA is not supported by this OpenSSL build", 2
- if disabled("ec");
+ if disabled("ecx");
skip "EdDSA is not supported with `dgst` CLI", 2;
}
SKIP: {
- skip "Skipping tests that require EC", 4
- if disabled("ec");
+ skip "Skipping tests that require ECX", 4
+ if disabled("ecx");
# Ed25519
ok(run(app(([ 'openssl', 'pkeyutl', '-sign', '-in',
SKIP: {
skip "EdDSA is not supported by this OpenSSL build", 2
- if disabled("ec");
+ if disabled("ecx");
subtest "Ed2559 CLI signature generation and verification" => sub {
tsignverify("Ed25519",
SKIP: {
skip "Ed25519 is not supported by this OpenSSL build", 2
- if disabled("ec");
+ if disabled("ecx");
ok(run(app(["openssl", "req",
"-config", srctop_file("test", "test.cnf"),
SKIP: {
skip "Ed448 is not supported by this OpenSSL build", 2
- if disabled("ec");
+ if disabled("ecx");
ok(run(app(["openssl", "req",
"-config", srctop_file("test", "test.cnf"),
SKIP: {
skip "Ed25519 is not supported by this OpenSSL build", 6
- if disabled("ec");
+ if disabled("ecx");
# ED25519 certificate from draft-ietf-curdle-pkix-04
ok(verify("ee-ed25519", "", ["root-ed25519"], []),
my $no_dh = disabled("dh");
my $no_dsa = disabled("dsa");
my $no_ec = disabled("ec");
+my $no_ecx = disabled("ecx");
my $no_ec2m = disabled("ec2m");
my $no_sm2 = disabled("sm2");
my $no_siv = disabled("siv");
evpmac_cmac_des.txt
) unless $no_des;
push @files, qw(evppkey_dsa.txt) unless $no_dsa;
-push @files, qw(evppkey_ecx.txt) unless $no_ec;
+push @files, qw(
+ evppkey_ecx.txt
+ evppkey_mismatch_ecx.txt
+ ) unless $no_ecx;
push @files, qw(
evppkey_ecc.txt
evppkey_ecdh.txt
# Public / Private keys from other tests used for keypair testing.
-PrivateKey=Alice-25519
------BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VuBCIEIHcHbQpzGKV9PBbBclGyZkXfTC+H68CZKrF3+6UduSwq
------END PRIVATE KEY-----
-
-PrivateKey=Alice-448
------BEGIN PRIVATE KEY-----
-MEYCAQAwBQYDK2VvBDoEOJqPSSXRUZ9Xdc9GsEtYANTunui66LxVZdSYwo3Zybr1
-dKlBl0SJc5EAY4Km8SerHZrC2MClmHJr
------END PRIVATE KEY-----
-
PublicKey=P-256-PUBLIC
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUPQpznDyFsJSz14GLOH2Oc1dFl
Title = Test keypair mismatches
-PrivPubKeyPair = Alice-25519:P-256-PUBLIC
-Result = KEYPAIR_TYPE_MISMATCH
-
-PrivPubKeyPair = Alice-448:P-256-PUBLIC
-Result = KEYPAIR_TYPE_MISMATCH
-
PrivPubKeyPair = RSA-2048:P-256-PUBLIC
Result = KEYPAIR_TYPE_MISMATCH
PrivPubKeyPair = RSA-2048:KAS-ECC-CDH_K-163_C0-PUBLIC
Result = KEYPAIR_TYPE_MISMATCH
-
-PrivPubKeyPair = Alice-25519:KAS-ECC-CDH_K-163_C0-PUBLIC
-Result = KEYPAIR_TYPE_MISMATCH
--- /dev/null
+#
+# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# Tests start with one of these keywords
+# Cipher Decrypt Derive Digest Encoding KDF MAC PBE
+# PrivPubKeyPair Sign Verify VerifyRecover
+# and continue until a blank line. Lines starting with a pound sign are ignored.
+
+
+# Public / Private keys from other tests used for keypair testing.
+
+PrivateKey=Alice-25519
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VuBCIEIHcHbQpzGKV9PBbBclGyZkXfTC+H68CZKrF3+6UduSwq
+-----END PRIVATE KEY-----
+
+PrivateKey=Alice-448
+-----BEGIN PRIVATE KEY-----
+MEYCAQAwBQYDK2VvBDoEOJqPSSXRUZ9Xdc9GsEtYANTunui66LxVZdSYwo3Zybr1
+dKlBl0SJc5EAY4Km8SerHZrC2MClmHJr
+-----END PRIVATE KEY-----
+
+PublicKey=P-256-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUPQpznDyFsJSz14GLOH2Oc1dFl
+x/iUJAcsJxl9eLM7kg6VzbZk6ZDc8M/qDZTiqOavnQ5YBW5lMQSSW5/myQ==
+-----END PUBLIC KEY-----
+
+PublicKey=KAS-ECC-CDH_K-163_C0-PUBLIC
+-----BEGIN PUBLIC KEY-----
+MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBx+LKHfWAn2cGt5CRPLeoSaS7yPVBcFe
+53YiHHK4SzR844PzgGe4nD6a
+-----END PUBLIC KEY-----
+
+PrivateKey = RSA-2048
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNAIHqeyrh6gbV
+n3xz2f+5SglhXC5Lp8Y2zvCN01M+wxhVJbAVx2m5mnfWclv5w1Mqm25fZifV+4UW
+B2jT3anL01l0URcX3D0wnS/EfuQfl+Mq23+d2GShxHZ6Zm7NcbwarPXnUX9LOFlP
+6psF5C1a2pkSAIAT5FMWpNm7jtCGuI0odYusr5ItRqhotIXSOcm66w4rZFknEPQr
+LR6gpLSALAvsqzKPimiwBzvbVG/uqYCdKEmRKzkMFTK8finHZY+BdfrkbzQzL/h7
+yrPkBkm5hXeGnaDqcYNT8HInVIhpE2SHYNEivmduD8SD3SD/wxvalqMZZsmqLnWt
+A95H4cRPAgMBAAECggEAYCl6x5kbFnoG1rJHWLjL4gi+ubLZ7Jc4vYD5Ci41AF3X
+ziktnim6iFvTFv7x8gkTvArJDWsICLJBTYIQREHYYkozzgIzyPeApIs3Wv8C12cS
+IopwJITbP56+zM+77hcJ26GCgA2Unp5CFuC/81WDiPi9kNo3Oh2CdD7D+90UJ/0W
+glplejFpEuhpU2URfKL4RckJQF/KxV+JX8FdIDhsJu54yemQdQKaF4psHkzwwgDo
+qc+yfp0Vb4bmwq3CKxqEoc1cpbJ5CHXXlAfISzUjlcuBzD/tW7BDtp7eDAcgRVAC
+XO6MX0QBcLYSC7SOD3R7zY9SIRCFDfBDxCjf0YcFMQKBgQD2+WG0fLwDXTrt68fe
+hQqVa2Xs25z2B2QGPxWqSFU8WNly/mZ1BW413f3De/O58vYi7icTNyVoScm+8hdv
+6PfD+LuRujdN1TuvPeyBTSvewQwf3IjN0Wh28mse36PwlBl+301C/x+ylxEDuJjK
+hZxCcocIaoQqtBC7ac8tNa9r4wKBgQDUfnJKf/QQSLJwwlJKQQGHi3MVm7c9PbwY
+eyIOY1s1NPluJDoYTZP4YLa/u2txwe2aHh9FhYMCPDAelqaSwaCLU9DsnKkQEA2A
+RR47fcagG6xK7O+N95iEa8I1oIy7os9MBoBMwRIZ6VYIxxTj8UMNSR+tu6MqV1Gg
+T5d0WDTJpQKBgCHyRSu5uV39AoyRS/eZ8cp36JqV1Q08FtOE+EVfi9evnrPfo9WR
+2YQt7yNfdjCo5IwIj/ZkLhAXlFNakz4el2+oUJ/HKLLaDEoaCNf883q6rh/zABrK
+HcG7sF2d/7qhoJ9/se7zgjfZ68zHIrkzhDbd5xGREnmMJoCcGo3sQyBhAoGAH3UQ
+qmLC2N5KPFMoJ4H0HgLQ6LQCrnhDLkScSBEBYaEUA/AtAYgKjcyTgVLXlyGkcRpg
+esRHHr+WSBD5W+R6ReYEmeKfTJdzyDdzQE9gZjdyjC0DUbsDwybIu3OnIef6VEDq
+IXK7oUZfzDDcsNn4mTDoFaoff5cpqFfgDgM43VkCgYBNHw11b+d+AQmaZS9QqIt7
+aF3FvwCYHV0jdv0Mb+Kc1bY4c0R5MFpzrTwVmdOerjuuA1+9b+0Hwo3nBZM4eaBu
+SOamA2hu2OJWCl9q8fLCT69KqWDjghhvFe7c6aJJGucwaA3Uz3eLcPqoaCarMiNH
+fMkTd7GabVourqIZdgvu1Q==
+-----END PRIVATE KEY-----
+
+Title = Test keypair mismatches
+
+PrivPubKeyPair = Alice-25519:P-256-PUBLIC
+Result = KEYPAIR_TYPE_MISMATCH
+
+PrivPubKeyPair = Alice-448:P-256-PUBLIC
+Result = KEYPAIR_TYPE_MISMATCH
+
+PrivPubKeyPair = RSA-2048:P-256-PUBLIC
+Result = KEYPAIR_TYPE_MISMATCH
+
+PrivPubKeyPair = RSA-2048:KAS-ECC-CDH_K-163_C0-PUBLIC
+Result = KEYPAIR_TYPE_MISMATCH
+
+PrivPubKeyPair = Alice-25519:KAS-ECC-CDH_K-163_C0-PUBLIC
+Result = KEYPAIR_TYPE_MISMATCH
if (disabled("ec")) {
$proxy->serverflags("-groups ffdhe3072");
} else {
- $proxy->serverflags("-groups P-256");
+ $proxy->serverflags("-groups P-384");
}
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 23;
if (disabled("ec")) {
$proxy->clientflags("-groups ffdhe3072:ffdhe2048");
} else {
- $proxy->clientflags("-groups P-256:X25519");
+ $proxy->clientflags("-groups P-256:P-384");
}
$proxy->start();
if (disabled("ec")) {
#Test 14: Multiple acceptable key_shares - we choose the first one (part 2)
$proxy->clear();
-if (disabled("ec")) {
+if (disabled("ecx")) {
$proxy->clientflags("-curves ffdhe2048:ffdhe3072");
} else {
$proxy->clientflags("-curves X25519:P-256");
}
$proxy->start();
-if (disabled("ec")) {
+if (disabled("ecx")) {
ok(TLSProxy::Message->success() && ($selectedgroupid == FFDHE2048),
"Multiple acceptable key_shares (part 2)");
} else {
#Test 15: Server sends key_share that wasn't offered should fail
$proxy->clear();
$testtype = SELECT_X25519;
-if (disabled("ec")) {
+if (disabled("ecx")) {
$proxy->clientflags("-groups ffdhe3072");
} else {
$proxy->clientflags("-groups P-256");
$proxy->clear();
$direction = SERVER_TO_CLIENT;
$testtype = NO_KEY_SHARES_IN_HRR;
-if (disabled("ec")) {
+if (disabled("ecx")) {
$proxy->serverflags("-groups ffdhe2048");
} else {
$proxy->serverflags("-groups X25519");
#Test 23: Trailing data on key_share in ServerHello should fail
$proxy->clear();
$direction = CLIENT_TO_SERVER;
- $proxy->clientflags("-groups secp192r1:P-256:X25519");
+ if (disabled("ecx")) {
+ $proxy->clientflags("-groups secp192r1:P-256:P-384");
+ } else {
+ $proxy->clientflags("-groups secp192r1:P-256:X25519");
+ }
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$testtype = NON_TLS1_3_KEY_SHARE;
$proxy->start();
if ($testtype != NON_TLS1_3_KEY_SHARE) {
#Setup supported groups to include some unrecognised groups
- $suppgroups = pack "C8",
- 0x00, 0x06, #List Length
- 0xff, 0xfe, #Non existing group 1
- 0xff, 0xff, #Non existing group 2
- 0x00, 0x1d; #x25519
+ if (disabled("ecx")) {
+ $suppgroups = pack "C8",
+ 0x00, 0x06, #List Length
+ 0xff, 0xfe, #Non existing group 1
+ 0xff, 0xff, #Non existing group 2
+ 0x00, 0x17; #P-256
+ } else {
+ $suppgroups = pack "C8",
+ 0x00, 0x06, #List Length
+ 0xff, 0xfe, #Non existing group 1
+ 0xff, 0xff, #Non existing group 2
+ 0x00, 0x1d; #X25519
+ }
} else {
- $suppgroups = pack "C6",
- 0x00, 0x04, #List Length
- 0x00, 0x13,
- 0x00, 0x1d; #x25519
+ if (disabled("ecx")) {
+ $suppgroups = pack "C6",
+ 0x00, 0x04, #List Length
+ 0x00, 0x13,
+ 0x00, 0x18; #P-384
+ } else {
+ $suppgroups = pack "C6",
+ 0x00, 0x04, #List Length
+ 0x00, 0x13,
+ 0x00, 0x1d; #X25519
+ }
}
if ($testtype == EMPTY_EXTENSION) {
0xff, 0xff, #Non existing group 2
0x00, 0x01, 0xff; #key_exchange data
} elsif ($testtype == ACCEPTABLE_AT_END) {
- $ext = pack "C11H64",
- 0x00, 0x29, #List Length
- 0xff, 0xfe, #Non existing group 1
- 0x00, 0x01, 0xff, #key_exchange data
- 0x00, 0x1d, #x25519
- 0x00, 0x20, #key_exchange data length
- "155155B95269ED5C87EAA99C2EF5A593".
- "EDF83495E80380089F831B94D14B1421"; #key_exchange data
+ if (disabled("ecx")) {
+ $ext = pack "C11H130",
+ 0x00, 0x4A, #List Length
+ 0xff, 0xfe, #Non existing group 1
+ 0x00, 0x01, 0xff, #key_exchange data
+ 0x00, 0x17, #P-256
+ 0x00, 0x41, #key_exchange data length
+ "04A798ACF80B2991A0A53D084F4F649A46BE49D061EB5B8CFF9C8EC6AE792507B6".
+ "F77FE6E446AF3645FD86BB7CFFD2644E45CC00183343C5CEAD67BB017B082007"; #key_exchange data
+ } else {
+ $ext = pack "C11H64",
+ 0x00, 0x29, #List Length
+ 0xff, 0xfe, #Non existing group 1
+ 0x00, 0x01, 0xff, #key_exchange data
+ 0x00, 0x1d, #x25519
+ 0x00, 0x20, #key_exchange data length
+ "155155B95269ED5C87EAA99C2EF5A593".
+ "EDF83495E80380089F831B94D14B1421"; #key_exchange data
+ }
} elsif ($testtype == NOT_IN_SUPPORTED_GROUPS) {
$suppgroups = pack "C4",
0x00, 0x02, #List Length
#Test 1: Inserting a cookie into an HRR should see it echoed in the ClientHello
$testtype = COOKIE_ONLY;
$proxy->filter(\&cookie_filter);
-$proxy->serverflags("-curves X25519") if !disabled("ec");
+$proxy->serverflags("-curves X25519") if !disabled("ecx");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 2;
SKIP: {
- skip "EC disabled", 1, if disabled("ec");
+ skip "ECX disabled", 1, if (disabled("ecx"));
ok(TLSProxy::Message->success() && $cookieseen == 1, "Cookie seen");
}
# required
$testtype = COOKIE_AND_KEY_SHARE;
$proxy->clear();
-if (disabled("ec")) {
+if (disabled("ecx")) {
$proxy->clientflags("-curves ffdhe3072:ffdhe2048");
$proxy->serverflags("-curves ffdhe2048");
} else {
if (disabled("ec")) {
$proxy->serverflags("-curves ffdhe3072");
} else {
- $proxy->serverflags("-curves P-256");
+ $proxy->serverflags("-curves P-384");
}
$proxy->ciphersuitess("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384");
$testtype = CHANGE_CH1_CIPHERSUITE;
# initial key_share. Should resume with a key_share following an HRR
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
-$proxy->serverflags("-no_rx_cert_comp -curves P-256");
+$proxy->serverflags("-no_rx_cert_comp -curves P-384");
$testtype = BOTH_KEX_MODES;
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
# key_share. Should resume with a key_share following an HRR
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
-$proxy->serverflags("-no_rx_cert_comp -curves P-256");
+$proxy->serverflags("-no_rx_cert_comp -curves P-384");
$testtype = DHE_KEX_MODE_ONLY;
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
#Test 15: HRR Handshake
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp");
-$proxy->serverflags("-no_rx_cert_comp -curves P-256");
+$proxy->serverflags("-no_rx_cert_comp -curves P-384");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_HANDSHAKE,
checkhandshake::DEFAULT_EXTENSIONS
#Test 16: Resumption handshake with HRR
$proxy->clear();
$proxy->clientflags("-no_rx_cert_comp -sess_in ".$session);
-$proxy->serverflags("-no_rx_cert_comp -curves P-256");
+$proxy->serverflags("-no_rx_cert_comp -curves P-384");
$proxy->start();
checkhandshake($proxy, checkhandshake::HRR_RESUME_HANDSHAKE,
(checkhandshake::DEFAULT_EXTENSIONS
#Test 17: Acceptable but non preferred key_share
$proxy->clear();
-$proxy->clientflags("-no_rx_cert_comp -curves P-256");
+$proxy->clientflags("-no_rx_cert_comp -curves P-384");
$proxy->start();
checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
checkhandshake::DEFAULT_EXTENSIONS
if (disabled("ec")) {
$proxy->serverflags("-curves ffdhe3072");
} else {
- $proxy->serverflags("-curves P-256");
+ $proxy->serverflags("-curves P-384");
}
$proxy->filter(undef);
$proxy->start();
if (disabled("ec")) {
$proxy->serverflags("-curves ffdhe3072");
} else {
- $proxy->serverflags("-curves P-256");
+ $proxy->serverflags("-curves P-384");
}
$proxy->ciphersuitesc("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384");
$proxy->ciphersuitess("TLS_AES_256_GCM_SHA384");
my $no_npn = disabled("nextprotoneg");
my $no_ct = disabled("ct");
my $no_ec = disabled("ec");
+my $no_ecx = disabled("ecx");
my $no_dh = disabled("dh");
my $no_dsa = disabled("dsa");
my $no_ec2m = disabled("ec2m");
"22-compression.cnf" => !$is_default_tls,
"25-cipher.cnf" => disabled("poly1305") || disabled("chacha"),
"27-ticket-appdata.cnf" => !$is_default_tls,
- "28-seclevel.cnf" => disabled("tls1_2") || $no_ec,
+ "28-seclevel.cnf" => disabled("tls1_2") || $no_ecx,
"30-extended-master-secret.cnf" => disabled("tls1_2"),
"32-compressed-certificate.cnf" => disabled("comp") || disabled("tls1_3"),
);
# TODO(TLS 1.3): We should review this once we have TLS 1.3.
"13-fragmentation.cnf" => disabled("tls1_2"),
"14-curves.cnf" => disabled("tls1_2") || disabled("tls1_3")
- || $no_ec || $no_ec2m,
+ || $no_ec2m || $no_ecx,
"15-certstatus.cnf" => $no_tls || $no_ocsp,
"16-dtls-certstatus.cnf" => $no_dtls || $no_ocsp,
"17-renegotiate.cnf" => $no_tls_below1_3,
"18-dtls-renegotiate.cnf" => $no_dtls,
"19-mac-then-encrypt.cnf" => $no_pre_tls1_3,
- "20-cert-select.cnf" => disabled("tls1_2") || $no_ec,
+ "20-cert-select.cnf" => disabled("tls1_2") || $no_ecx,
"21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"22-compression.cnf" => disabled("zlib") || $no_tls,
"23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1")
privkey_file = privkey2;
other_cert_file = cert;
break;
+# ifndef OPENSSL_NO_ECX
case 2:
/* use Ed448 */
cert_file = cert448;
privkey_file = privkey25519;
other_cert_file = cert;
break;
+# endif
#endif
default:
testresult = TEST_skip("EDCSA disabled");
},
);
-push @tests, @tests_ec unless disabled("ec");
-push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
+push @tests, @tests_ec unless disabled("ecx");
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ecx");
if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
goto end;
#else
- if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
+ if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
goto end;
#endif
} else if (idx == 2) {
*/
# ifndef OPENSSL_NO_EC
static int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1,
- NID_secp521r1, NID_X25519, NID_X448};
+ NID_secp521r1,
+# ifndef OPENSSL_NO_ECX
+ NID_X25519, NID_X448
+# endif
+ };
# endif
# ifndef OPENSSL_NO_DH
static int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
kexch_alg = NID_secp521r1;
kexch_name0 = "secp521r1";
break;
+# ifndef OPENSSL_NO_ECX
case 4:
kexch_alg = NID_X25519;
kexch_name0 = "x25519";
kexch_alg = NID_X448;
kexch_name0 = "x448";
break;
+# endif
# endif
# ifndef OPENSSL_NO_DH
# ifndef OPENSSL_NO_TLS1_2
if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
goto end;
#else
- if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
+ if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
goto end;
#endif
} else {
if (!TEST_true(filter_provider_set_filter(OSSL_OP_SIGNATURE,
"ECDSA"))
+# ifdef OPENSSL_NO_ECX
+ || !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT, "EC"))
+# else
|| !TEST_true(filter_provider_set_filter(OSSL_OP_KEYMGMT,
- "EC:X25519:X448")))
+ "EC:X25519:X448"))
+# endif
+ )
goto end;
}
goto err;
# endif
#else
- if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "P-256")))
+ if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "P-384")))
goto err;
#endif
}